diff --git a/dist/api/detections.json b/dist/api/detections.json index 0d2db652b6..4b13213683 100644 --- a/dist/api/detections.json +++ b/dist/api/detections.json @@ -1 +1 @@ -{"detections": [{"name": "Detect New Login Attempts to Routers", "id": "bce3ed7c-9b1f-42a0-abdf-d8b123a34836", "version": 1, "date": "2017-09-12", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "experimental", "description": "The search queries the authentication logs for assets that are categorized as routers in the ES Assets and Identity Framework, to identify connections that have not been seen before in the last 30 days.", "data_source": [], "search": "| tstats `security_content_summariesonly` count earliest(_time) as earliest latest(_time) as latest from datamodel=Authentication where Authentication.dest_category=router by Authentication.dest Authentication.user| eval isOutlier=if(earliest >= relative_time(now(), \"-30d@d\"), 1, 0) | where isOutlier=1| `security_content_ctime(earliest)`| `security_content_ctime(latest)` | `drop_dm_object_name(\"Authentication\")` | `detect_new_login_attempts_to_routers_filter`", "how_to_implement": "To successfully implement this search, you must ensure the network router devices are categorized as \"router\" in the Assets and identity table. You must also populate the Authentication data model with logs related to users authenticating to routing infrastructure.", "known_false_positives": "Legitimate router connections may appear as new connections", "references": [], "tags": {"name": "Detect New Login Attempts to Routers", "analytic_story": ["Router and Infrastructure Security"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Authentication.dest_category", "Authentication.dest", "Authentication.user"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": ["Authentication"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_new_login_attempts_to_routers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/detect_new_login_attempts_to_routers.yml", "source": "application", "nes_fields": "user,dest"}, {"name": "Detect Risky SPL using Pretrained ML Model", "id": "b4aefb5f-1037-410d-a149-1e091288ba33", "version": 1, "date": "2022-06-16", "author": "Abhinav Mishra, Kumar Sharad, Namratha Sreekanta and Xiao Lin, Splunk", "type": "Anomaly", "status": "experimental", "description": "The following analytic uses a pretrained machine learning text classifier to detect potentially risky commands. The model is trained independently and then the model file is packaged within ESCU for usage. A command is deemed risky based on the presence of certain trigger keywords, along with the context and the role of the user (please see references). The model uses custom features to predict whether a SPL is risky using text classification. The model takes as input the command text, user and search type and outputs a risk score between [0,1]. A high score indicates higher likelihood of a command being risky. This model is on-prem only.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where Search_Activity.search_type=adhoc Search_Activity.user!=splunk-system-user by Search_Activity.search Search_Activity.user Search_Activity.search_type | eval spl_text = 'Search_Activity.search'. \" \" .'Search_Activity.user'. \" \" .'Search_Activity.search_type'| dedup spl_text | apply risky_spl_pre_trained_model | where risk_score > 0.5 | `drop_dm_object_name(Search_Activity)` | table search, user, search_type, risk_score | `detect_risky_spl_using_pretrained_ml_model_filter`", "how_to_implement": "This detection depends on the MLTK app which can be found here - https://splunkbase.splunk.com/app/2890/ and the Splunk Audit datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. Additionally, you need to be ingesting logs which include Search_Activity.search, Search_Activity.user, Search_Activity.search_type from your endpoints. The risk score threshold should be adjusted based on the environment. The detection uses a custom MLTK model hence we need a few more steps for deployment, as outlined here - https://gist.github.com/ksharad-splunk/be2a62227966049047f5e5c4f2adcabb.", "known_false_positives": "False positives may be present if suspicious behavior is observed, as determined by frequent usage of risky keywords.", "references": ["https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warning"], "tags": {"name": "Detect Risky SPL using Pretrained ML Model", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 10"], "confidence": 40, "impact": 50, "kill_chain_phases": ["Installation"], "message": "A potentially risky Splunk command has been run by $user$, kindly review.", "mitre_attack_id": ["T1059"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Search_Activity.search", "Search_Activity.user", "Search_Activity.search_type"], "risk_score": 20, "security_domain": "audit", "risk_severity": "low", "cve": ["CVE-2022-32154"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://github.com/splunk/attack_data/raw/master/datasets/attack_techniques/T1203/search_activity.txt", "source": "audittrail", "sourcetype": "audittrail", "update_timestamp": true}]}], "datamodel": ["Splunk_Audit"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_risky_spl_using_pretrained_ml_model_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-32154", "cvss": 4.0, "summary": "Dashboards in Splunk Enterprise versions before 9.0 might let an attacker inject risky search commands into a form token when the token is used in a query in a cross-origin request. The result bypasses SPL safeguards for risky commands. See New capabilities can limit access to some custom and potentially risky commands (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/SPLsafeguards#New_capabilities_can_limit_access_to_some_custom_and_potentially_risky_commands) for more information. Note that the attack is browser-based and an attacker cannot exploit it at will."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/detect_risky_spl_using_pretrained_ml_model.yml", "source": "application"}, {"name": "Email Attachments With Lots Of Spaces", "id": "56e877a6-1455-4479-ada6-0550dc1e22f8", "version": 2, "date": "2023-04-14", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "experimental", "description": "Attackers often use spaces as a means to obfuscate an attachment's file extension. This search looks for messages with email attachments that have many spaces within the file names.", "data_source": [], "search": "| tstats `security_content_summariesonly` count values(All_Email.recipient) as recipient_address min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name=\"*\" by All_Email.src_user, All_Email.file_name All_Email.message_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Email\")` | eval space_ratio = (mvcount(split(file_name,\" \"))-1)/len(file_name) | search space_ratio >= 0.1 | rex field=recipient_address \"(?.*)@\" | `email_attachments_with_lots_of_spaces_filter`", "how_to_implement": "You need to ingest data from emails. Specifically, the sender's address and the file names of any attachments must be mapped to the Email data model. The threshold ratio is set to 10%, but this value can be configured to suit each environment. \\\n **Splunk Phantom Playbook Integration**\\\nIf Splunk Phantom is also configured in your environment, a playbook called \"Suspicious Email Attachment Investigate and Delete\" can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/` and add the correct hostname to the \"Phantom Instance\" field in the Adaptive Response Actions when configuring this detection search. The notable event will be sent to Phantom and the playbook will gather further information about the file attachment and its network behaviors. If Phantom finds malicious behavior and an analyst approves of the results, the email will be deleted from the user's inbox.", "known_false_positives": "None at this time", "references": [], "tags": {"name": "Email Attachments With Lots Of Spaces", "analytic_story": ["Data Destruction", "Emotet Malware DHS Report TA18-201A ", "Hermetic Wiper", "Suspicious Emails"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Email.recipient", "All_Email.file_name", "All_Email.src_user", "All_Email.file_name", "All_Email.message_id"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": ["Email"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "email_attachments_with_lots_of_spaces_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/email_attachments_with_lots_of_spaces.yml", "source": "application"}, {"name": "Email files written outside of the Outlook directory", "id": "8d52cf03-ba25-4101-aa78-07994aed4f74", "version": 3, "date": "2020-07-21", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "experimental", "description": "The search looks at the change-analysis data model and detects email files created outside the normal Outlook directory.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name=*.pst OR Filesystem.file_name=*.ost) Filesystem.file_path != \"C:\\\\Users\\\\*\\\\My Documents\\\\Outlook Files\\\\*\" Filesystem.file_path!=\"C:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Outlook*\" by Filesystem.action Filesystem.process_id Filesystem.file_name Filesystem.dest | `drop_dm_object_name(\"Filesystem\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `email_files_written_outside_of_the_outlook_directory_filter` ", "how_to_implement": "To successfully implement this search, you must be ingesting data that records the file-system activity from your hosts to populate the Endpoint.Filesystem data model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or by other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes.", "known_false_positives": "Administrators and users sometimes prefer backing up their email data by moving the email files into a different folder. These attempts will be detected by the search.", "references": [], "tags": {"name": "Email files written outside of the Outlook directory", "analytic_story": ["Collection and Staging"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1114", "T1114.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.file_path", "Filesystem.file_name", "Filesystem.action", "Filesystem.process_id", "Filesystem.dest"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1114.001", "mitre_attack_technique": "Local Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "Chimera", "Magic Hound"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "email_files_written_outside_of_the_outlook_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/email_files_written_outside_of_the_outlook_directory.yml", "source": "application", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Email servers sending high volume traffic to hosts", "id": "7f5fb3e1-4209-4914-90db-0ec21b556378", "version": 2, "date": "2020-07-21", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search looks for an increase of data transfers from your email server to your clients. This could be indicative of a malicious actor collecting data using your email server.", "data_source": [], "search": "| tstats `security_content_summariesonly` sum(All_Traffic.bytes_out) as bytes_out from datamodel=Network_Traffic where All_Traffic.src_category=email_server by All_Traffic.dest_ip _time span=1d | `drop_dm_object_name(\"All_Traffic\")` | eventstats avg(bytes_out) as avg_bytes_out stdev(bytes_out) as stdev_bytes_out | eventstats count as num_data_samples avg(eval(if(_time < relative_time(now(), \"@d\"), bytes_out, null))) as per_source_avg_bytes_out stdev(eval(if(_time < relative_time(now(), \"@d\"), bytes_out, null))) as per_source_stdev_bytes_out by dest_ip | eval minimum_data_samples = 4, deviation_threshold = 3 | where num_data_samples >= minimum_data_samples AND bytes_out > (avg_bytes_out + (deviation_threshold * stdev_bytes_out)) AND bytes_out > (per_source_avg_bytes_out + (deviation_threshold * per_source_stdev_bytes_out)) AND _time >= relative_time(now(), \"@d\") | eval num_standard_deviations_away_from_server_average = round(abs(bytes_out - avg_bytes_out) / stdev_bytes_out, 2), num_standard_deviations_away_from_client_average = round(abs(bytes_out - per_source_avg_bytes_out) / per_source_stdev_bytes_out, 2) | table dest_ip, _time, bytes_out, avg_bytes_out, per_source_avg_bytes_out, num_standard_deviations_away_from_server_average, num_standard_deviations_away_from_client_average | `email_servers_sending_high_volume_traffic_to_hosts_filter`", "how_to_implement": "This search requires you to be ingesting your network traffic and populating the Network_Traffic data model. Your email servers must be categorized as \"email_server\" for the search to work, as well. You may need to adjust the deviation_threshold and minimum_data_samples values based on the network traffic in your environment. The \"deviation_threshold\" field is a multiplying factor to control how much variation you're willing to tolerate. The \"minimum_data_samples\" field is the minimum number of connections of data samples required for the statistic to be valid.", "known_false_positives": "The false-positive rate will vary based on how you set the deviation_threshold and data_samples values. Our recommendation is to adjust these values based on your network traffic to and from your email servers.", "references": [], "tags": {"name": "Email servers sending high volume traffic to hosts", "analytic_story": ["Collection and Staging", "HAFNIUM Group"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1114", "T1114.002"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Traffic.bytes_out", "All_Traffic.src_category", "All_Traffic.dest_ip"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}]}, "datamodel": ["Network_Traffic"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "email_servers_sending_high_volume_traffic_to_hosts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/email_servers_sending_high_volume_traffic_to_hosts.yml", "source": "application"}, {"name": "Monitor Email For Brand Abuse", "id": "b2ea1f38-3a3e-4b8a-9cf1-82760d86a6b8", "version": 2, "date": "2018-01-05", "author": "David Dorsey, Splunk", "type": "TTP", "status": "experimental", "description": "This search looks for emails claiming to be sent from a domain similar to one that you want to have monitored for abuse.", "data_source": [], "search": "| tstats `security_content_summariesonly` values(All_Email.recipient) as recipients, min(_time) as firstTime, max(_time) as lastTime from datamodel=Email by All_Email.src_user, All_Email.message_id | `drop_dm_object_name(\"All_Email\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval temp=split(src_user, \"@\") | eval email_domain=mvindex(temp, 1) | lookup update=true brandMonitoring_lookup domain as email_domain OUTPUT domain_abuse | search domain_abuse=true | table message_id, src_user, email_domain, recipients, firstTime, lastTime | `monitor_email_for_brand_abuse_filter`", "how_to_implement": "You need to ingest email header data. Specifically the sender's address (src_user) must be populated. You also need to have run the search \"ESCU - DNSTwist Domain Names\", which creates the permutations of the domain that will be checked for.", "known_false_positives": "None at this time", "references": [], "tags": {"name": "Monitor Email For Brand Abuse", "analytic_story": ["Brand Monitoring", "Suspicious Emails"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Email.recipient", "All_Email.src_user", "All_Email.message_id"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": ["Email"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "monitor_email_for_brand_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "brandMonitoring_lookup", "description": "A file that contains look-a-like domains for brands that you want to monitor", "filename": "brand_monitoring.csv", "default_match": "false", "match_type": "WILDCARD(domain)", "min_matches": 1}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/monitor_email_for_brand_abuse.yml", "source": "application", "nes_fields": "user,dest"}, {"name": "Multiple Okta Users With Invalid Credentials From The Same IP", "id": "19cba45f-cad3-4032-8911-0c09e0444552", "version": 3, "date": "2022-09-21", "author": "Michael Haag, Rico Valdez, Splunk", "type": "Hunting", "status": "experimental", "description": "This hunting analytic identifies multiple failed logon attempts from a single IP. Use this analytic to identify patterns of suspicious logins from a single source and filter as needed or use this to drive tuning for higher fidelity analytics.", "data_source": [], "search": "`okta` outcome.reason=INVALID_CREDENTIALS | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | stats min(_time) as firstTime max(_time) as lastTime dc(src_user) as distinct_users values(src_user) as users by src_ip, displayMessage, outcome.reason, country, state, city | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search distinct_users > 5| `multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter` ", "how_to_implement": "This search is specific to Okta and requires Okta logs are being ingested in your Splunk deployment.", "known_false_positives": "A single public IP address servicing multiple legitmate users may trigger this search. In addition, the threshold of 5 distinct users may be too low for your needs. You may modify the included filter macro `multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter` to raise the threshold or except specific IP adresses from triggering this search.", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=INVALID_CREDENTIALS"], "tags": {"name": "Multiple Okta Users With Invalid Credentials From The Same IP", "analytic_story": ["Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "Multple user accounts have failed to authenticate from a single IP.", "mitre_attack_id": ["T1078", "T1078.001"], "nist": ["DE.AE"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "outcome.reason", "client.geographicalContext.country", "client.geographicalContext.state", "client.geographicalContext.city", "user", "src_ip", "displayMessage"], "risk_score": 9, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.001", "mitre_attack_technique": "Default Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Magic Hound"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta", "definition": "eventtype=okta_log", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/multiple_okta_users_with_invalid_credentials_from_the_same_ip.yml", "source": "application"}, {"name": "No Windows Updates in a time frame", "id": "1a77c08c-2f56-409c-a2d3-7d64617edd4f", "version": 1, "date": "2017-09-15", "author": "Bhavin Patel, Splunk", "type": "Hunting", "status": "experimental", "description": "This search looks for Windows endpoints that have not generated an event indicating a successful Windows update in the last 60 days. Windows updates are typically released monthly and applied shortly thereafter. An endpoint that has not successfully applied an update in this time frame indicates the endpoint is not regularly being patched for some reason.", "data_source": [], "search": "| tstats `security_content_summariesonly` max(_time) as lastTime from datamodel=Updates where Updates.status=Installed Updates.vendor_product=\"Microsoft Windows\" by Updates.dest Updates.status Updates.vendor_product | rename Updates.dest as Host | rename Updates.status as \"Update Status\" | rename Updates.vendor_product as Product | eval isOutlier=if(lastTime <= relative_time(now(), \"-60d@d\"), 1, 0) | `security_content_ctime(lastTime)` | search isOutlier=1 | rename lastTime as \"Last Update Time\", | table Host, \"Update Status\", Product, \"Last Update Time\" | `no_windows_updates_in_a_time_frame_filter`", "how_to_implement": "To successfully implement this search, it requires that the 'Update' data model is being populated. This can be accomplished by ingesting Windows events or the Windows Update log via a universal forwarder on the Windows endpoints you wish to monitor. The Windows add-on should be also be installed and configured to properly parse Windows events in Splunk. There may be other data sources which can populate this data model, including vulnerability management systems.", "known_false_positives": "None identified", "references": [], "tags": {"name": "No Windows Updates in a time frame", "analytic_story": ["Monitor for Updates"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Updates.status", "Updates.vendor_product", "Updates.dest"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": ["Updates"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "no_windows_updates_in_a_time_frame_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/no_windows_updates_in_a_time_frame.yml", "source": "application"}, {"name": "Okta Account Locked Out", "id": "d650c0ae-bdc5-400e-9f0f-f7aa0a010ef1", "version": 1, "date": "2022-09-21", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "experimental", "description": "The following analytic utilizes the user.acount.lock event to identify associates who are locked out of Okta. An adversary attempting to brute force or password spray account names may lock accounts out depending on the threshold.", "data_source": [], "search": "`okta` eventType=user.account.lock | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by src_user src_ip eventType status | where count >=3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `okta_account_locked_out_filter`", "how_to_implement": "This analytic is specific to Okta and requires Okta logs to be ingested.", "known_false_positives": "False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed. Drop to anomaly until tuning is complete.", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=user.acount.lock"], "tags": {"name": "Okta Account Locked Out", "analytic_story": ["Suspicious Okta Activity", "Okta MFA Exhaustion"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "$src_user$ account has been locked out.", "mitre_attack_id": ["T1110"], "nist": ["DE.AE"], "observable": [{"name": "src_user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "src_user", "src_ip", "eventType", "status"], "risk_score": 64, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta", "definition": "eventtype=okta_log", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_account_locked_out_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/okta_account_locked_out.yml", "source": "application"}, {"name": "Okta Account Lockout Events", "id": "62b70968-a0a5-4724-8ac4-67871e6f544d", "version": 2, "date": "2022-09-19", "author": "Michael Haag, Rico Valdez, Splunk", "type": "Anomaly", "status": "experimental", "description": "The following anomaly will generate based on account lockout events utilizing Okta eventTypes of user.account.lock.limit or user.account.lock. Per the Okta docs site, this event is fired when a user account has reached the lockout limit. The account will not auto-unlock and a user or client cannot gain access to the account. This event indicates an account that will not be able to log in until remedial action is taken by the account admin. This event can be used to understand the specifics of an account lockout. Often this indicates a client application that is repeatedly attempting to authenticate with invalid credentials such as an old password.", "data_source": [], "search": "`okta` eventType IN (user.account.lock.limit,user.account.lock) | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | stats count min(_time) as firstTime max(_time) as lastTime values(src_user) by displayMessage, country, state, city, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_account_lockout_events_filter`", "how_to_implement": "This analytic is specific to Okta and requires Okta logs to be ingested.", "known_false_positives": "None. Account lockouts should be followed up on to determine if the actual user was the one who caused the lockout, or if it was an unauthorized actor.", "references": ["https://developer.okta.com/docs/reference/api/event-types/#catalog", "https://developer.okta.com/docs/reference/api/event-types/?q=user.account.lock"], "tags": {"name": "Okta Account Lockout Events", "analytic_story": ["Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "The following user $src_user$ has locked out their account within Okta.", "mitre_attack_id": ["T1078", "T1078.001"], "nist": ["DE.AE"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "displayMessage", "client.geographicalContext.country", "client.geographicalContext.state", "client.geographicalContext.city", "src_ip", "src_user"], "risk_score": 25, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.001", "mitre_attack_technique": "Default Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Magic Hound"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta", "definition": "eventtype=okta_log", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_account_lockout_events_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/okta_account_lockout_events.yml", "source": "application"}, {"name": "Okta Failed SSO Attempts", "id": "371a6545-2618-4032-ad84-93386b8698c5", "version": 3, "date": "2022-09-21", "author": "Michael Haag, Rico Valdez, Splunk", "type": "Anomaly", "status": "experimental", "description": "The following anomaly identifies failed Okta SSO events utilizing the legacy Okta event \"unauth app access attempt\".", "data_source": [], "search": "`okta` eventType=app.generic.unauth_app_access_attempt | stats min(_time) as firstTime max(_time) as lastTime values(app) as Apps count by src_user, result ,displayMessage, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_failed_sso_attempts_filter` ", "how_to_implement": "This search is specific to Okta and requires Okta logs are being ingested in your Splunk deployment.", "known_false_positives": "There may be a faulty config preventing legitmate users from accessing apps they should have access to.", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=app.generic.unauth_app_access_attempt"], "tags": {"name": "Okta Failed SSO Attempts", "analytic_story": ["Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "confidence": 40, "impact": 40, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "$src_user$ failed SSO authentication to the app.", "mitre_attack_id": ["T1078", "T1078.001"], "nist": ["DE.AE"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "displayMessage", "app", "src_user", "result", "src_ip"], "risk_score": 16, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.001", "mitre_attack_technique": "Default Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Magic Hound"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta", "definition": "eventtype=okta_log", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_failed_sso_attempts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/okta_failed_sso_attempts.yml", "source": "application"}, {"name": "Okta MFA Exhaustion Hunt", "id": "97e2fe57-3740-402c-988a-76b64ce04b8d", "version": 1, "date": "2022-09-27", "author": "Michael Haag, Marissa Bower, Splunk", "type": "Hunting", "status": "experimental", "description": "The following analytic identifies patterns within Okta data to determine the amount of successful and failed pushes. Based on that, eval statements determine a finding of whether this is suspicious or not. The events are within a window of time and may be tuned as needed.", "data_source": [], "search": "`okta` eventType=system.push.send_factor_verify_push OR ((legacyEventType=core.user.factor.attempt_success) AND (debugContext.debugData.factor=OKTA_VERIFY_PUSH)) OR ((legacyEventType=core.user.factor.attempt_fail) AND (debugContext.debugData.factor=OKTA_VERIFY_PUSH)) | stats count(eval(legacyEventType=\"core.user.factor.attempt_success\")) as successes count(eval(legacyEventType=\"core.user.factor.attempt_fail\")) as failures count(eval(eventType=\"system.push.send_factor_verify_push\")) as pushes by authenticationContext.externalSessionId,user,_time | stats latest(_time) as lasttime earliest(_time) as firsttime sum(successes) as successes sum(failures) as failures sum(pushes) as pushes by authenticationContext.externalSessionId,user | eval seconds=lasttime-firsttime | eval lasttime=strftime(lasttime, \"%c\") | search (pushes>1) | eval totalattempts=successes+failures | eval finding=\"Normal authentication pattern\" | eval finding=if(failures==pushes AND pushes>1,\"Authentication attempts not successful because multiple pushes denied\",finding) | eval finding=if(totalattempts==0,\"Multiple pushes sent and ignored\",finding) | eval finding=if(successes>0 AND pushes>3,\"Probably should investigate. Multiple pushes sent, eventual successful authentication!\",finding) | where seconds<600 AND finding=\"Multiple pushes sent, eventual successful authentication!\" AND totalattempts > 5 | sort - pushes, totalattempts | `okta_mfa_exhaustion_hunt_filter`", "how_to_implement": "This analytic is specific to Okta and requires Okta logs to be ingested.", "known_false_positives": "False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed. Drop to anomaly until tuning is complete.", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=user.acount.lock", "https://sec.okta.com/everythingisyes"], "tags": {"name": "Okta MFA Exhaustion Hunt", "analytic_story": ["Suspicious Okta Activity", "Okta MFA Exhaustion"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "confidence": 60, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "$src_user$ account has rejected multiple Okta pushes.", "mitre_attack_id": ["T1110"], "nist": ["DE.AE"], "observable": [{"name": "src_user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "src_user", "src_ip", "eventType", "status"], "risk_score": 18, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "datamodel": ["Authentication"], "macros": [{"name": "okta", "definition": "eventtype=okta_log", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_mfa_exhaustion_hunt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/okta_mfa_exhaustion_hunt.yml", "source": "application"}, {"name": "Okta Mismatch Between Source and Response for Verify Push Request", "id": "8085b79b-9b85-4e67-ad63-351c9e9a5e9a", "version": 1, "date": "2023-03-17", "author": "John Murphy and Jordan Ruocco, Okta, Michael Haag, Splunk", "type": "TTP", "status": "experimental", "description": "The following analytic identifies variations in client-based values for source and response events to identify suspicious request behavior. The detection is enhanced if the org is evaluating behavior conditions in sign-on policies using Okta Behavior Detection. NOTE: This detection requires the use of Okta Identity Engine (OIE) and will not function on Okta Classic.\\\nFor each Okta Verify Push challenge, the following two events are recorded in Okta System Log \\\nSource of Push (Sign-In) \\\neventType eq \\\"system.push.send_factor_verify_push\\\" \\\nUser Push Response (Okta Verify client) \\\neventType eq \"user.authentication.auth_via_mfa\" AND debugContext.debugData.factor eq \"OKTA_VERIFY_PUSH\" \\\nIn sequence, the logic for the analytic - \\\n* Groups by SessionID and retrieves any system.push.send_factor_verify_push events (the source of the push) and user.authentication.auth_via_mfa events where the factor is OKTA_VERIFY_PUSH - (the user response to the push) \\\n* Counts the total number of push events, successful authentication events, and any push sources where the client is a new device. \\ * Creates a ratio of successful sign-ins to pushes. \\\n* If the ratio (currently tuned aggressively) indicates push spam, or if a user has rejected a push, the detection proceeds to evaluate whether there is more than one IP address used during the session (session roaming) and the presence of both a new IP and new device during the session.", "data_source": [], "search": "`okta` eventType IN (system.push.send_factor_verify_push) OR (eventType IN (user.authentication.auth_via_mfa) debugContext.debugData.factor=\"OKTA_VERIFY_PUSH\") | eval groupby=\"authenticationContext.externalSessionId\" | eval group_push_time=_time | bin span=2s group_push_time | fillnull value=NULL | stats min(_time) as _time by authenticationContext.externalSessionId eventType debugContext.debugData.factor outcome.result actor.alternateId client.device client.ipAddress client.userAgent.rawUserAgent debugContext.debugData.behaviors group_push_time groupby | iplocation client.ipAddress | fields - lat, lon, group_push_time | stats min(_time) as _time dc(client.ipAddress) as dc_ip sum(eval(if(eventType=\"system.push.send_factor_verify_push\" AND \"outcome.result\"=\"SUCCESS\",1,0))) as total_pushes sum(eval(if(eventType=\"user.authentication.auth_via_mfa\" AND \"outcome.result\"=\"SUCCESS\",1,0))) as total_successes sum(eval(if(eventType=\"user.authentication.auth_via_mfa\" AND \"outcome.result\"=\"FAILURE\",1,0))) as total_rejected sum(eval(if(eventType=\"system.push.send_factor_verify_push\" AND \"debugContext.debugData.behaviors\" LIKE \"%New Device=POSITIVE%\",1,0))) as suspect_device_from_source sum(eval(if(eventType=\"system.push.send_factor_verify_push\" AND \"debugContext.debugData.behaviors\" LIKE \"%New IP=POSITIVE%\",0,0))) as suspect_ip_from_source values(eval(if(eventType=\"system.push.send_factor_verify_push\",\"client.ipAddress\",\"\"))) as src values(eval(if(eventType=\"user.authentication.auth_via_mfa\",\"client.ipAddress\",\"\"))) as dest values(*) as * by groupby | eval ratio = round(total_successes/total_pushes,2) | search ((ratio < 0.5 AND total_pushes > 1) OR (total_rejected > 0)) AND dc_ip > 1 AND suspect_device_from_source > 0 AND suspect_ip_from_source > 0 | `okta_mismatch_between_source_and_response_for_verify_push_request_filter`", "how_to_implement": "This analytic is specific to Okta and requires Okta:im2 logs to be ingested.", "known_false_positives": "False positives may be present based on organization size and configuration of Okta. Monitor, tune and filter as needed.", "references": ["https://attack.mitre.org/techniques/T1621"], "tags": {"name": "Okta Mismatch Between Source and Response for Verify Push Request", "analytic_story": ["Suspicious Okta Activity", "Okta MFA Exhaustion"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "A mismatch between source and response for verifying a push request has occurred for $actor.alternateId$", "mitre_attack_id": ["T1621"], "nist": ["DE.CM"], "observable": [{"name": "actor.alternateId", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "authenticationContext.externalSessionId", "eventType", "debugContext.debugData.factor", "outcome.result", "actor.alternateId", "client.device", "client.ipAddress", "client.userAgent.rawUserAgent", "debugContext.debugData.behaviors", "group_push_time"], "risk_score": 64, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}]}, "datamodel": [], "macros": [{"name": "okta", "definition": "eventtype=okta_log", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_mismatch_between_source_and_response_for_verify_push_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml", "source": "application", "nes_fields": "user,dest"}, {"name": "Okta Multiple Failed Requests to Access Applications", "id": "1c21fed1-7000-4a2e-9105-5aaafa437247", "version": 1, "date": "2023-03-17", "author": "John Murphy, Okta, Michael Haag, Splunk", "type": "Hunting", "status": "experimental", "description": "The following analytic identifies multiple failed app requests in an attempt to identify the reuse a stolen web session cookie. The logic of the analytic is as follows: \\ * Retrieves policy evaluation and SSO details in events that contain the Application requested \\\n* Formats target fields so we can aggregate specifically on Applications (AppInstances) \\\n* Groups by User, Session and IP \\\n* Creates a ratio of successful SSO events to total MFA challenges related to Application Sign On Policies \\\n* Alerts when more than half of app sign on events are unsuccessful, and challenges were unsatisfied for more than three apps.", "data_source": [], "search": "`okta` target{}.type=AppInstance (eventType=policy.evaluate_sign_on outcome.result=CHALLENGE) OR (eventType=user.authentication.sso outcome.result=SUCCESS) | eval targets=mvzip('target{}.type', 'target{}.displayName', \": \") | eval targets=mvfilter(targets LIKE \"AppInstance%\") | stats count min(_time) as _time values(outcome.result) as outcome.result dc(eval(if(eventType=\"policy.evaluate_sign_on\",targets,NULL))) as total_challenges sum(eval(if(eventType=\"user.authentication.sso\",1,0))) as total_successes by authenticationContext.externalSessionId targets actor.alternateId client.ipAddress | search total_challenges > 0 | stats min(_time) as _time values(*) as * sum(total_challenges) as total_challenges sum(total_successes) as total_successes values(eval(if(\"outcome.result\"=\"SUCCESS\",targets,NULL))) as success_apps values(eval(if(\":outcome.result\"!=\"SUCCESS\",targets,NULL))) as no_success_apps by authenticationContext.externalSessionId actor.alternateId client.ipAddress | fillnull | eval ratio=round(total_successes/total_challenges,2), severity=\"HIGH\", mitre_technique_id=\"T1538\", description=\"actor.alternateId\". \" from \" . \"client.ipAddress\" . \" seen opening \" . total_challenges . \" chiclets/apps with \" . total_successes . \" challenges successfully passed\" | fields - count, targets | search ratio < 0.5 total_challenges > 2 | `okta_multiple_failed_requests_to_access_applications_filter`", "how_to_implement": "This analytic is specific to Okta and requires Okta:im2 logs to be ingested.", "known_false_positives": "False positives may be present based on organization size and configuration of Okta.", "references": ["https://attack.mitre.org/techniques/T1538", "https://attack.mitre.org/techniques/T1550/004"], "tags": {"name": "Okta Multiple Failed Requests to Access Applications", "analytic_story": ["Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "Multiple Failed Requests to Access Applications via Okta for $actor.alternateId$.", "mitre_attack_id": ["T1550.004", "T1538"], "nist": ["DE.AE"], "observable": [{"name": "actor.alternateId", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "authenticationContext.externalSessionId", "targets", "actor.alternateId", "client.ipAddress", "eventType"], "risk_score": 56, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1550.004", "mitre_attack_technique": "Web Session Cookie", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1538", "mitre_attack_technique": "Cloud Service Dashboard", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "datamodel": [], "macros": [{"name": "okta", "definition": "eventtype=okta_log", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_multiple_failed_requests_to_access_applications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/okta_multiple_failed_requests_to_access_applications.yml", "source": "application"}, {"name": "Okta New API Token Created", "id": "c3d22720-35d3-4da4-bd0a-740d37192bd4", "version": 1, "date": "2022-09-21", "author": "Michael Haag, Splunk", "type": "TTP", "status": "experimental", "description": "The following analytic identifies when a new API token is created. Adversaries who have gained access to a privileged account may add a new token for persistence. This analytic uses the eventType system.api_token.create.", "data_source": [], "search": "`okta` eventType=system.api_token.create | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by src_user src_ip eventType status | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_new_api_token_created_filter`", "how_to_implement": "This analytic is specific to Okta and requires Okta logs to be ingested.", "known_false_positives": "False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed.", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=security.threat.detected"], "tags": {"name": "Okta New API Token Created", "analytic_story": ["Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "$src_user$ has created a new API token within Okta.", "mitre_attack_id": ["T1078", "T1078.001"], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "signature", "eventType", "displayMessage", "client.device", "city", "state", "country", "user_agent", "outcome.reason", "outcome.result", "severity"], "risk_score": 64, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.001", "mitre_attack_technique": "Default Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Magic Hound"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta", "definition": "eventtype=okta_log", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_new_api_token_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/okta_new_api_token_created.yml", "source": "application", "nes_fields": "user,dest"}, {"name": "Okta New Device Enrolled on Account", "id": "bb27cbce-d4de-432c-932f-2e206e9130fb", "version": 1, "date": "2022-09-21", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "experimental", "description": "The following anomaly will be generated when a new device is added to an account. Albeit not malicious, risk is set low, but should be monitored. This anomaly utilizes the legacy events from Okta.", "data_source": [], "search": "`okta` eventType=system.email.new_device_notification.sent_message displayMessage=\"Send user new device notification email\" | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent client.userAgent.browser client.geographicalContext.city client.geographicalContext.country | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_new_device_enrolled_on_account_filter`", "how_to_implement": "This analytic is specific to Okta and requires Okta logs to be ingested.", "known_false_positives": "Tune the risk score as needed based on your organization.", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=system.email.new_device_notification.sent_message"], "tags": {"name": "Okta New Device Enrolled on Account", "analytic_story": ["Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "confidence": 60, "impact": 40, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "$user$ has added a new device to their account.", "mitre_attack_id": ["T1078", "T1078.001"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "displayMessage", "user", "eventType", "client.userAgent.rawUserAgent", "client.userAgent.browser", "client.geographicalContext.city", "client.geographicalContext.country"], "risk_score": 24, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.001", "mitre_attack_technique": "Default Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Magic Hound"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta", "definition": "eventtype=okta_log", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_new_device_enrolled_on_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/okta_new_device_enrolled_on_account.yml", "source": "application"}, {"name": "Okta Phishing Detection with FastPass Origin Check", "id": "f4ca0057-cbf3-44f8-82ea-4e330ee901d3", "version": 1, "date": "2023-03-09", "author": "Okta, Inc, Michael Haag, Splunk", "type": "TTP", "status": "experimental", "description": "The following analytic identifies when Okta''s FastPass prevents known phishing sites. When your users are enrolled in FastPass, Okta can provide defenders a high-fidelity signal for when user applications are being targeted by attackers wielding real-time (AiTM) proxies. Okta''s Defensive Cyber Operations team routinely identifies phishing infrastructure configured to imitate an Okta sign-in page and proactively notify Okta customers when suspicious infrastructure we detect appears to be targeting their users. Since March 2020, we have delivered over 1000 notifications to customers.", "data_source": [], "search": "`okta` eventType=\"user.authentication.auth_via_mfa\" AND result=\"FAILURE\" AND outcome.reason=\"FastPass declined phishing attempt\" | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent client.userAgent.browser outcome.reason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_phishing_detection_with_fastpass_origin_check_filter`", "how_to_implement": "This search is specific to Okta and requires Okta logs to be ingested in your Splunk deployment.", "known_false_positives": "Fidelity of this is high as Okta is specifying malicious infrastructure. Filter and modify as needed.", "references": ["https://sec.okta.com/fastpassphishingdetection"], "tags": {"name": "Okta Phishing Detection with FastPass Origin Check", "analytic_story": ["Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "Okta FastPass has prevented $user$ from authenticating to a malicious site.", "mitre_attack_id": ["T1078", "T1078.001", "T1556"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventType", "client.userAgent.rawUserAgent", "client.userAgent.browser", "outcome.reason", "displayMessage"], "risk_score": 100, "security_domain": "access", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.001", "mitre_attack_technique": "Default Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta", "definition": "eventtype=okta_log", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_phishing_detection_with_fastpass_origin_check_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/okta_phishing_detection_with_fastpass_origin_check.yml", "source": "application", "nes_fields": "user,dest"}, {"name": "Okta Risk Threshold Exceeded", "id": "d8b967dd-657f-4d88-93b5-c588bcd7218c", "version": 1, "date": "2022-09-29", "author": "Michael Haag, Splunk", "type": "Correlation", "status": "production", "description": "The following correlation will take risk associated with the content from \"Suspicious Okta Activity\" and \"Okta MFA Exhaustion\" analytic stories and tally it up. Once it hits the threshold of 100 (may be changed), it will trigger an anomaly. As needed, reduce or raise the risk scores assocaited with the anomaly and TTP analytics tagged to these two stories.", "data_source": [], "search": "| tstats `security_content_summariesonly` sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count,values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk by All_Risk.risk_object,All_Risk.risk_object_type All_Risk.analyticstories | `drop_dm_object_name(\"All_Risk\")` | eval \"annotations.mitre_attack\"=\"annotations.mitre_attack.mitre_technique_id\", risk_threshold=100 | where All_Risk.analyticstories IN (\"Suspicious Okta Activity\", \"Okta MFA Exhaustion\") risk_score > risk_threshold | `get_risk_severity(risk_score)` | `okta_risk_threshold_exceeded_filter`", "how_to_implement": "Ensure \"Suspicious Okta Activity\" and \"Okta MFA Exhaustion\" analytic stories are enabled. TTP may be set to Notables for point detections, anomaly should not be notables but risk generators. The correlation relies on risk before generating a notable. Modify the value as needed. Default threshold is 100. This value may need to be increased based on activity in your environment.", "known_false_positives": "False positives will be limited to the amount of events generated by the analytics tied to the stories. Analytics will need to be tesetd and tuned, risk score reduced, as needed based on organization.", "references": ["https://developer.okta.com/docs/reference/api/event-types", "https://sec.okta.com/everythingisyes"], "tags": {"name": "Okta Risk Threshold Exceeded", "analytic_story": ["Suspicious Okta Activity", "Okta MFA Exhaustion"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "Risk threshold exceeded for $risk_object_type$=$risk_object$ related to Okta events.", "mitre_attack_id": ["T1078", "T1110"], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Other", "role": ["Victim"]}, {"name": "risk_object_type", "type": "Other", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["All_Risk.risk_object", "All_Risk.risk_object_type", "All_Risk.analyticstories"], "risk_score": 56, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "datamodel": ["Risk"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "okta_risk_threshold_exceeded_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/okta_risk_threshold_exceeded.yml", "source": "application", "nes_fields": "user,dest"}, {"name": "Okta Suspicious Activity Reported", "id": "bfc840f5-c9c6-454c-aa13-b46fd0bf1e79", "version": 1, "date": "2022-09-21", "author": "Michael Haag, Splunk", "type": "TTP", "status": "experimental", "description": "The following event is generated when an associate receives an email from Okta asking if a login attempt was suspicious or not. If the associate identifies it as suspicious an event is generated and should be reviewed.", "data_source": [], "search": "`okta` eventType=user.account.report_suspicious_activity_by_enduser | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent client.userAgent.browser client.geographicalContext.city client.geographicalContext.country | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_suspicious_activity_reported_filter`", "how_to_implement": "This analytic is specific to Okta and requires Okta logs to be ingested. It also requires that suspicious activity reporting is enabled and associates are trained to submit.", "known_false_positives": "False positives should be limited as this is a high fidelity marker.", "references": ["https://help.okta.com/en-us/Content/Topics/Security/suspicious-activity-reporting.htm"], "tags": {"name": "Okta Suspicious Activity Reported", "analytic_story": ["Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "The following $user$ has reported a suspicious login activity.", "mitre_attack_id": ["T1078", "T1078.001"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "displayMessage", "user", "eventType", "client.userAgent.rawUserAgent", "client.userAgent.browser", "client.geographicalContext.city", "client.geographicalContext.country"], "risk_score": 25, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.001", "mitre_attack_technique": "Default Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Magic Hound"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta", "definition": "eventtype=okta_log", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_suspicious_activity_reported_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/okta_suspicious_activity_reported.yml", "source": "application", "nes_fields": "user,dest"}, {"name": "Okta Suspicious Use of a Session Cookie", "id": "71ad47d1-d6bd-4e0a-b35c-020ad9a6959e", "version": 1, "date": "2023-03-17", "author": "Scott Dermott and Felicity Robson, Okta, Michael Haag, Splunk", "type": "Hunting", "status": "experimental", "description": "The following analytic looks for one or more policy evaluation events in which multiple client values (IP, User Agent, etc.) change associated to the same Device Token for a specific user. A detection opportunity arises when an adversary attempts to reuse a stolen web session cookie. \\\n* Retrieves policy evaluation events from successful authentication events. \\\n* Aggregates/Groups by Device Token and User, providing the first policy evaluation event in the search window. \\\n* Evaluates whether there is more than one IP and whether there is more than one OS or browser for each combination of User/Device Token.", "data_source": [], "search": "`okta` eventType IN (policy.evaluate_sign_on) outcome.result IN (ALLOW, SUCCESS) | stats earliest(_time) as _time values(client.ipAddress) as src_ip values(client.userAgent.rawUserAgent) as user_agent values(client.userAgent.os) as userAgentOS_list values(client.geographicalContext.city) as city values(client.userAgent.browser) as userAgentBrowser_list values(device.os_platform) as okta_device_os dc(client.userAgent.browser) as dc_userAgentBrowser dc(client.userAgent.os) as dc_userAgentOS dc(client.ipAddress) as dc_src_ip values(outcome.reason) as reason by debugContext.debugData.dtHash actor.alternateId | where dc_src_ip>1 AND (dc_userAgentOS>1 OR dc_userAgentBrowser>1) | `okta_suspicious_use_of_a_session_cookie_filter`", "how_to_implement": "This analytic is specific to Okta and requires Okta:im2 logs to be ingested.", "known_false_positives": "False positives may be present based on organization size and configuration of Okta.", "references": ["https://attack.mitre.org/techniques/T1539/"], "tags": {"name": "Okta Suspicious Use of a Session Cookie", "analytic_story": ["Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "A suspicious use of a session cookie was identified by user $actor.alternateId$.", "mitre_attack_id": ["T1539"], "nist": ["DE.AE"], "observable": [{"name": "actor.alternateId", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "client.ipAddress", "client.userAgent.rawUserAgent", "client.userAgent.os", "client.geographicalContext.city", "client.userAgent.browser", "device.os_platform", "debugContext.debugData.dtHash", "actor.alternateId"], "risk_score": 56, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1539", "mitre_attack_technique": "Steal Web Session Cookie", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Evilnum", "LuminousMoth"]}]}, "datamodel": [], "macros": [{"name": "okta", "definition": "eventtype=okta_log", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_suspicious_use_of_a_session_cookie_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/okta_suspicious_use_of_a_session_cookie.yml", "source": "application"}, {"name": "Okta ThreatInsight Login Failure with High Unknown users", "id": "632663b0-4562-4aad-abe9-9f621a049738", "version": 1, "date": "2023-03-09", "author": "Okta, Inc, Michael Haag, Splunk", "type": "TTP", "status": "experimental", "description": "The following analytic utilizes Okta's ThreatInsight to identify \"Login failures with high unknown users count\" and any included secondary outcome reasons. This event will trigger when a brute force attempt occurs with unknown usernames attempted.", "data_source": [], "search": "`okta` eventType=\"security.threat.detected\" AND outcome.reason=\"Login failures with high unknown users count*\" | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent client.userAgent.browser outcome.reason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_threatinsight_login_failure_with_high_unknown_users_filter`", "how_to_implement": "This search is specific to Okta and requires Okta logs to be ingested in your Splunk deployment.", "known_false_positives": "Fidelity of this is high as it is Okta ThreatInsight. Filter and modify as needed.", "references": ["https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm"], "tags": {"name": "Okta ThreatInsight Login Failure with High Unknown users", "analytic_story": ["Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "confidence": 100, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "Okta ThreatInsight has detected or prevented a high number of login failures.", "mitre_attack_id": ["T1078", "T1078.001", "T1110.004"], "nist": ["DE.CM"], "observable": [{"name": "outcome.reason", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventType", "client.userAgent.rawUserAgent", "client.userAgent.browser", "outcome.reason", "displayMessage"], "risk_score": 50, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.001", "mitre_attack_technique": "Default Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta", "definition": "eventtype=okta_log", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_threatinsight_login_failure_with_high_unknown_users_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/okta_threatinsight_login_failure_with_high_unknown_users.yml", "source": "application", "nes_fields": "user,dest"}, {"name": "Okta ThreatInsight Suspected PasswordSpray Attack", "id": "25dbad05-6682-4dd5-9ce9-8adecf0d9ae2", "version": 1, "date": "2023-03-09", "author": "Okta, Inc, Michael Haag, Splunk", "type": "TTP", "status": "experimental", "description": "The following analytic utilizes Okta's ThreatInsight to identify \"PasswordSpray\" and any included secondary outcome reasons. This event will trigger when a brute force attempt occurs with unknown usernames attempted.", "data_source": [], "search": "`okta` eventType=\"security.threat.detected\" AND outcome.reason=\"Password Spray\" | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by eventType client.userAgent.rawUserAgent client.userAgent.browser outcome.reason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_threatinsight_suspected_passwordspray_attack_filter`", "how_to_implement": "This search is specific to Okta and requires Okta logs to be ingested in your Splunk deployment.", "known_false_positives": "Fidelity of this is high as it is Okta ThreatInsight. Filter and modify as needed.", "references": ["https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm"], "tags": {"name": "Okta ThreatInsight Suspected PasswordSpray Attack", "analytic_story": ["Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "confidence": 100, "impact": 60, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "Okta ThreatInsight has detected or prevented a PasswordSpray attack.", "mitre_attack_id": ["T1078", "T1078.001", "T1110.003"], "nist": ["DE.CM"], "observable": [{"name": "outcome.reason", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventType", "client.userAgent.rawUserAgent", "client.userAgent.browser", "outcome.reason", "displayMessage"], "risk_score": 60, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.001", "mitre_attack_technique": "Default Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta", "definition": "eventtype=okta_log", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_threatinsight_suspected_passwordspray_attack_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/okta_threatinsight_suspected_passwordspray_attack.yml", "source": "application", "nes_fields": "user,dest"}, {"name": "Okta ThreatInsight Threat Detected", "id": "140504ae-5fe2-4d65-b2bc-a211813fbca6", "version": 1, "date": "2022-09-21", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "experimental", "description": "The following anomaly relies on the Okta ThreatInsight identification of a threat. Use this to drive risk up by src_ip or add additional fields to track. Identification may include password spraying, login failures and Login failures with high unknown users count.", "data_source": [], "search": "`okta` eventType IN (security.threat.detected, security.internal.threat.detected) | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | stats values(src_ip) count by signature eventType displayMessage client.device city state country user_agent outcome.reason outcome.result severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_threatinsight_threat_detected_filter`", "how_to_implement": "This analytic is specific to Okta and requires Okta logs to be ingested.", "known_false_positives": "False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed.", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=security.threat.detected"], "tags": {"name": "Okta ThreatInsight Threat Detected", "analytic_story": ["Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "The following $src_ip$ has been conisidered a threat by Okta ThreatInsight.", "mitre_attack_id": ["T1078", "T1078.001"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "signature", "eventType", "displayMessage", "client.device", "city", "state", "country", "user_agent", "outcome.reason", "outcome.result", "severity"], "risk_score": 25, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.001", "mitre_attack_technique": "Default Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Magic Hound"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta", "definition": "eventtype=okta_log", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_threatinsight_threat_detected_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/okta_threatinsight_threat_detected.yml", "source": "application"}, {"name": "Okta Two or More Rejected Okta Pushes", "id": "d93f785e-4c2c-4262-b8c7-12b77a13fd39", "version": 1, "date": "2022-09-27", "author": "Michael Haag, Marissa Bower, Splunk", "type": "TTP", "status": "experimental", "description": "The following analytic identifies an account that has rejected more than 2 Push notifications in a 10 minute window. Modify this query for your environment by upping the count or time window.", "data_source": [], "search": "`okta` outcome.reason=\"User rejected Okta push verify\" OR (debugContext.debugData.factor=\"OKTA_VERIFY_PUSH\" outcome.result=FAILURE legacyEventType=\"core.user.factor.attempt_fail\" \"target{}.detailEntry.methodTypeUsed\"=\"Get a push notification\") | bin _time as bin_time span=10m | eval user=coalesce(actor.alternateId,user), user=mvindex(split(user, \"@\"), 0), event_time = _time | stats earliest(event_time) as event_time, min(_time) as firsttime max(_time) as lasttime values(client.ipAddress) as client.ipAddress, values(outcome.reason) as outcome, values(src_ip) AS src_ip, values(client.userAgent.rawUserAgent) as user_agent, values(eventType) as eventType, values(outcome.result) as action, values(legacyEventType) as legacyEventType values(index) as idx, values(sourcetype) as st count by bin_time user host | rename bin_time as timeWindow | convert ctime(*timeWindow) ctime(firsttime) ctime(lasttime) | where count >= 2 | `okta_two_or_more_rejected_okta_pushes_filter`", "how_to_implement": "This analytic is specific to Okta and requires Okta logs to be ingested.", "known_false_positives": "False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed. Drop to anomaly until tuning is complete.", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=user.acount.lock"], "tags": {"name": "Okta Two or More Rejected Okta Pushes", "analytic_story": ["Suspicious Okta Activity", "Okta MFA Exhaustion"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "$src_user$ account has rejected multiple Okta pushes.", "mitre_attack_id": ["T1110"], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "src_user", "src_ip", "eventType", "status"], "risk_score": 64, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "datamodel": [], "macros": [{"name": "okta", "definition": "eventtype=okta_log", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_two_or_more_rejected_okta_pushes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/okta_two_or_more_rejected_okta_pushes.yml", "source": "application", "nes_fields": "user,dest"}, {"name": "Okta User Logins From Multiple Cities", "id": "7594fa07-9f34-4d01-81cc-d6af6a5db9e8", "version": 2, "date": "2020-07-21", "author": "Rico Valdez, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search detects logins from the same user from different cities in a 24 hour period.", "data_source": [], "search": "`okta` displayMessage=\"User login to Okta\" client.geographicalContext.city!=null | stats min(_time) as firstTime max(_time) as lastTime dc(client.geographicalContext.city) as locations values(client.geographicalContext.city) as cities values(client.geographicalContext.state) as states by user | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `okta_user_logins_from_multiple_cities_filter` | search locations > 1", "how_to_implement": "This search is specific to Okta and requires Okta logs are being ingested in your Splunk deployment.", "known_false_positives": "Users in your enviornment may legitmately be travelling and loggin in from different locations. This search is useful for those users that should *not* be travelling for some reason, such as the COVID-19 pandemic. The search also relies on the geographical information being populated in the Okta logs. It is also possible that a connection from another region may be attributed to a login from a remote VPN endpoint.", "references": [], "tags": {"name": "Okta User Logins From Multiple Cities", "analytic_story": ["Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078", "T1078.001"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "displayMessage", "client.geographicalContext.city", "client.geographicalContext.state", "user"], "risk_score": 25, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.001", "mitre_attack_technique": "Default Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Magic Hound"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta", "definition": "eventtype=okta_log", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_user_logins_from_multiple_cities_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/okta_user_logins_from_multiple_cities.yml", "source": "application"}, {"name": "Path traversal SPL injection", "id": "dfe55688-82ed-4d24-a21b-ed8f0e0fda99", "version": 1, "date": "2022-04-29", "author": "Rod Soto, Splunk", "type": "TTP", "status": "production", "description": "On May 3rd, 2022, Splunk published a security advisory for a Path traversal in search parameter that can potentiall allow SPL injection. An attacker can cause the application to load data from incorrect endpoints, urls leading to outcomes such as running arbitrary SPL queries.", "data_source": [], "search": " `path_traversal_spl_injection` | search \"\\/..\\/..\\/..\\/..\\/..\\/..\\/..\\/..\\/..\\/\" | stats count by status clientip method uri_path uri_query | `path_traversal_spl_injection_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This search will provide search UI requests with path traversal parameter (\"../../../../../../../../../\") which shows exploitation attempts. This detection is meant for on premise environments, and if executed on internet facing servers without a WAF may produce a lot of results. This detection will not work against obfuscated path traversal requests.", "known_false_positives": "This search may find additional path traversal exploitation attempts.", "references": ["https://www.splunk.com/en_us/product-security/announcements/svd-2022-0506.html"], "tags": {"name": "Path traversal SPL injection", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Path traversal exploitation attempt from $clientip$", "mitre_attack_id": ["T1083"], "nist": ["DE.CM"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security"], "required_fields": ["status", "clientip", "method", "uri_path", "uri_query"], "risk_score": 40, "security_domain": "threat", "risk_severity": "low", "cve": ["CVE-2022-26889"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1083", "mitre_attack_technique": "File and Directory Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT28", "APT3", "APT32", "APT38", "APT39", "APT41", "Aoqin Dragon", "BRONZE BUTLER", "Chimera", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "Fox Kitten", "Gamaredon Group", "HAFNIUM", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "MuddyWater", "Mustang Panda", "Patchwork", "Sandworm Team", "Sidewinder", "Sowbug", "TeamTNT", "Tropic Trooper", "Turla", "Windigo", "Winnti Group", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1083/splunk/path_traversal_spl_injection.txt", "source": "splunkd_ui_access.log", "sourcetype": "splunkd_ui_access"}]}], "datamodel": [], "macros": [{"name": "path_traversal_spl_injection", "definition": "index=_internal sourcetype=splunkd_ui_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "path_traversal_spl_injection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-26889", "cvss": 5.1, "summary": "In Splunk Enterprise versions before 8.1.2, the uri path to load a relative resource within a web page is vulnerable to path traversal. It allows an attacker to potentially inject arbitrary content into the web page (e.g., HTML Injection, XSS) or bypass SPL safeguards for risky commands. The attack is browser-based. An attacker cannot exploit the attack at will and requires the attacker to initiate a request within the victim's browser (e.g., phishing)."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/path_traversal_spl_injection.yml", "source": "application", "nes_fields": "user,dest"}, {"name": "Splunk Account Discovery Drilldown Dashboard Disclosure", "id": "f844c3f6-fd99-43a2-ba24-93e35fe84be6", "version": 1, "date": "2022-08-02", "author": "Marissa Bower, Rod Soto, Splunk", "type": "TTP", "status": "experimental", "description": "Splunk drilldown vulnerability disclosure in Dashboard application that can potentially allow exposure of tokens from privilege users. An attacker can create dashboard and share it to privileged user (admin) and detokenize variables using external urls within dashboards drilldown function.", "data_source": [], "search": "| rest splunk_server=local /servicesNS/-/-/data/ui/views | search eai:data=\"*$env:*\" eai:data=\"*url*\" eai:data=\"*options*\" | rename author AS Author eai:acl.sharing AS Permissions eai:appName AS App eai:data AS \"Dashboard XML\" | fields Author Permissions App \"Dashboard XML\" | `splunk_account_discovery_drilldown_dashboard_disclosure_filter`", "how_to_implement": "This search uses REST function to query for dashboards with environment variables present in URL options.", "known_false_positives": "This search may reveal non malicious URLs with environment variables used in organizations.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"name": "Splunk Account Discovery Drilldown Dashboard Disclosure", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Potential exposure of environment variables from url embedded in dashboard", "mitre_attack_id": ["T1087"], "nist": ["DE.CM"], "observable": [{"name": "author", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["eai:data", "splunk_server", "author", "eai:acl.sharing", "eai:appName"], "risk_score": 40, "security_domain": "threat", "risk_severity": "low", "cve": ["CVE-2022-37438"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "datamodel": [], "macros": [{"name": "splunk_account_discovery_drilldown_dashboard_disclosure_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-37438", "cvss": null, "summary": "In Splunk Enterprise versions in the following table, an authenticated user can craft a dashboard that could potentially leak information (for example, username, email, and real name) about Splunk users, when visited by another user through the drilldown component. The vulnerability requires user access to create and share dashboards using Splunk Web."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_account_discovery_drilldown_dashboard_disclosure.yml", "source": "application", "nes_fields": "user,dest"}, {"name": "Splunk Code Injection via custom dashboard leading to RCE", "id": "b06b41d7-9570-4985-8137-0784f582a1b3", "version": 1, "date": "2022-10-11", "author": "Rod Soto", "type": "Hunting", "status": "experimental", "description": "This hunting search provides information about a vulnerability in Splunk Enterprise versions below 8.2.9, 8.1.12, 9.0.2, where an authenticated user can execute arbitrary code via the dashboard pdf generation component. Please review events with file=export in the _internal index for the potential targets of exploitation.", "data_source": [], "search": "`splunkd_ui` uri_path=*/data/ui/views/* OR uri_path=*saved/searches/* | dedup uri_path | eval URL=urldecode(\"uri_path\")| rex field=URL \"\\/saved\\/searches\\/(?[^\\/]*)\" | rex field=URL \"\\/data\\/ui\\/views\\/(?[^\\/]*)\" | eval NAME=NAME.\"( Saved Search )\",NAME1=NAME1.\"( Dashboard )\" | eval NAME=coalesce(NAME,NAME1) | eval STATUS=case(match(status,\"2\\d+\"),\"SUCCESS\",match(status,\"3\\d+\"),\"REDIRECTION\",match(status,\"4\\d+\") OR match(status,\"5\\d+\"),\"ERROR\") | stats list(NAME) as DASHBOARD_TITLE,list(method) as HTTP_METHOD,list(status) as Status_Code,list(STATUS) as STATUS by user | rename user as User | `splunk_code_injection_via_custom_dashboard_leading_to_rce_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.", "known_false_positives": "Not all exports and downloads are malicious, special attention must be put as well on /en-US/splunkd/__raw/services/pdfgen/render in the context of this search.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"name": "Splunk Code Injection via custom dashboard leading to RCE", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Potential exploitation of Code Injection via Dashboard PDF generation.", "mitre_attack_id": ["T1210"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["user", "clientip", "uri", "uri_path", "method", "status"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2022-43571"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1210", "mitre_attack_technique": "Exploitation of Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "Dragonfly", "Earth Lusca", "FIN7", "Fox Kitten", "MuddyWater", "Threat Group-3390", "Tonto Team", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1210/splunk/splunk_code_injection_via_custom_dashboard_leading_to_rce.txt", "source": "/opt/splunk/var/log/splunk/splunkd_ui_access.log", "sourcetype": "splunkd_ui_access", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "splunkd_ui", "definition": "index=_internal sourcetype=splunkd_ui_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_code_injection_via_custom_dashboard_leading_to_rce_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-43571", "cvss": null, "summary": "In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can execute arbitrary code through the dashboard PDF generation component."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.yml", "source": "application"}, {"name": "Splunk Command and Scripting Interpreter Delete Usage", "id": "8d3d5d5e-ca43-42be-aa1f-bc64375f6b04", "version": 1, "date": "2022-05-27", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies the use of the risky command - Delete - that may be utilized in Splunk to delete some or all data queried for. In order to use Delete in Splunk, one must be assigned the role. This is typically not used and should generate an anomaly if it is used.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where Search_Activity.search IN (\"*| delete*\") Search_Activity.search_type=adhoc Search_Activity.user!=splunk-system-user by Search_Activity.search Search_Activity.info Search_Activity.total_run_time Search_Activity.user Search_Activity.search_type | `drop_dm_object_name(Search_Activity)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_command_and_scripting_interpreter_delete_usage_filter`", "how_to_implement": "To successfully implement this search acceleration is recommended against the Search_Activity datamodel that runs against the splunk _audit index. In addition, this analytic requires the Common Information Model App which includes the Splunk Audit Datamodel https://splunkbase.splunk.com/app/1621/.", "known_false_positives": "False positives may be present if this command is used as a common practice. Filter as needed.", "references": ["https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warning"], "tags": {"name": "Splunk Command and Scripting Interpreter Delete Usage", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 10"], "confidence": 30, "impact": 90, "kill_chain_phases": ["Installation"], "message": "$user$ executed the 'delete' command, if this is unexpected it should be reviewed.", "mitre_attack_id": ["T1059"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Search_Activity.search", "Search_Activity.info", "Search_Activity.total_run_time", "Search_Activity.user", "Search_Activity.savedsearch_name", "Search_Activity.search_type"], "risk_score": 27, "security_domain": "audit", "risk_severity": "low", "cve": ["CVE-2022-32154"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1213/audittrail/audittrail.log", "source": "audittrail", "sourcetype": "audittrail", "update_timestamp": true}]}], "datamodel": ["Splunk_Audit"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "splunk_command_and_scripting_interpreter_delete_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-32154", "cvss": 4.0, "summary": "Dashboards in Splunk Enterprise versions before 9.0 might let an attacker inject risky search commands into a form token when the token is used in a query in a cross-origin request. The result bypasses SPL safeguards for risky commands. See New capabilities can limit access to some custom and potentially risky commands (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/SPLsafeguards#New_capabilities_can_limit_access_to_some_custom_and_potentially_risky_commands) for more information. Note that the attack is browser-based and an attacker cannot exploit it at will."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_command_and_scripting_interpreter_delete_usage.yml", "source": "application"}, {"name": "Splunk Command and Scripting Interpreter Risky Commands", "id": "1cf58ae1-9177-40b8-a26c-8966040f11ae", "version": 1, "date": "2022-05-23", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The Splunk platform contains built-in search processing language (SPL) safeguards to warn you when you are about to unknowingly run a search that contains commands that might be a security risk. This warning appears when you click a link or type a URL that loads a search that contains risky commands. The warning does not appear when you create ad hoc searches. This warning alerts you to the possibility of unauthorized actions by a malicious user. Unauthorized actions include - Copying or transferring data (data exfiltration), Deleting data and Overwriting data. All risky commands may be found here https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warninga. A possible scenario when this might occur is when a malicious actor creates a search that includes commands that exfiltrate or damage data. The malicious actor then sends an unsuspecting user a link to the search. The URL contains a query string (q) and a search identifier (sid), but the sid is not valid. The malicious actor hopes the user will use the link and the search will run. During analysis, pivot based on user name and filter any user or queries not needed. Queries ran from a dashboard are seen as adhoc queries. When a query runs from a dashboard it will not show in audittrail logs the source dashboard name. The query defaults to adhoc and no Splunk system user activity. In addition, modify this query by removing key commands that generate too much noise, or too little, and create separate queries with higher confidence to alert on.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where Search_Activity.search IN (\"*| runshellscript *\", \"*| collect *\",\"*| delete *\", \"*| fit *\", \"*| outputcsv *\", \"*| outputlookup *\", \"*| run *\", \"*| script *\", \"*| sendalert *\", \"*| sendemail *\", \"*| tscolle*\") Search_Activity.search_type=adhoc Search_Activity.user!=splunk-system-user by Search_Activity.search Search_Activity.info Search_Activity.total_run_time Search_Activity.user Search_Activity.search_type | `drop_dm_object_name(Search_Activity)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_command_and_scripting_interpreter_risky_commands_filter`", "how_to_implement": "To successfully implement this search acceleration is recommended against the Search_Activity datamodel that runs against the splunk _audit index. In addition, this analytic requires the Common Information Model App which includes the Splunk Audit Datamodel https://splunkbase.splunk.com/app/1621/. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "False positives will be present until properly filtered by Username and search name.", "references": ["https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warning", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"name": "Splunk Command and Scripting Interpreter Risky Commands", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 10"], "confidence": 40, "impact": 50, "kill_chain_phases": ["Installation"], "message": "A risky Splunk command has ran by $user$ and should be reviewed.", "mitre_attack_id": ["T1059"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Search_Activity.search", "Search_Activity.info", "Search_Activity.total_run_time", "Search_Activity.user", "Search_Activity.savedsearch_name", "Search_Activity.search_type"], "risk_score": 20, "security_domain": "audit", "risk_severity": "low", "cve": ["CVE-2022-32154"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1213/audittrail/audittrail.log", "source": "audittrail", "sourcetype": "audittrail", "update_timestamp": true}]}], "datamodel": ["Splunk_Audit"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "splunk_command_and_scripting_interpreter_risky_commands_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-32154", "cvss": 4.0, "summary": "Dashboards in Splunk Enterprise versions before 9.0 might let an attacker inject risky search commands into a form token when the token is used in a query in a cross-origin request. The result bypasses SPL safeguards for risky commands. See New capabilities can limit access to some custom and potentially risky commands (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/SPLsafeguards#New_capabilities_can_limit_access_to_some_custom_and_potentially_risky_commands) for more information. Note that the attack is browser-based and an attacker cannot exploit it at will."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_command_and_scripting_interpreter_risky_commands.yml", "source": "application"}, {"name": "Splunk Command and Scripting Interpreter Risky SPL MLTK", "id": "19d0146c-2eae-4e53-8d39-1198a78fa9ca", "version": 1, "date": "2022-05-27", "author": "Abhinav Mishra, Kumar Sharad and Xiao Lin, Splunk", "type": "Anomaly", "status": "production", "description": "This detection utilizes machine learning model named \"risky_command_abuse\" trained from \"Splunk Command and Scripting Interpreter Risky SPL MLTK Baseline\". It should be scheduled to run hourly to detect whether a user has run searches containing risky SPL from this list https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warninga with abnormally long running time in the past one hour, comparing with his/her past seven days history. This search uses the trained baseline to infer whether a search is an outlier (isOutlier ~= 1.0) or not (isOutlier~= 0.0)", "data_source": [], "search": "| tstats sum(Search_Activity.total_run_time) AS run_time, values(Search_Activity.search) as searches, count FROM datamodel=Splunk_Audit.Search_Activity WHERE (Search_Activity.user!=\"\") AND (Search_Activity.total_run_time>1) AND (earliest=-1h@h latest=now) AND (Search_Activity.search IN (\"*| runshellscript *\", \"*| collect *\",\"*| delete *\", \"*| fit *\", \"*| outputcsv *\", \"*| outputlookup *\", \"*| run *\", \"*| script *\", \"*| sendalert *\", \"*| sendemail *\", \"*| tscolle*\")) AND (Search_Activity.search_type=adhoc) AND (Search_Activity.user!=splunk-system-user) BY _time, Search_Activity.user span=1h | apply risky_command_abuse | fields _time, Search_Activity.user, searches, run_time, IsOutlier(run_time) | rename IsOutlier(run_time) as isOutlier, _time as timestamp | where isOutlier>0.5 | `splunk_command_and_scripting_interpreter_risky_spl_mltk_filter`", "how_to_implement": "This detection depends on MLTK app which can be found here - https://splunkbase.splunk.com/app/2890/ and the Splunk Audit datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. Baseline model needs to be built using \"Splunk Command and Scripting Interpreter Risky SPL MLTK Baseline\" before this search can run. Please note that the current search only finds matches exactly one space between separator bar and risky commands.", "known_false_positives": "If the run time of a search exceeds the boundaries of outlier defined by the fitted density function model, false positives can occur, incorrectly labeling a long running search as potentially risky.", "references": ["https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warning"], "tags": {"name": "Splunk Command and Scripting Interpreter Risky SPL MLTK", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 10"], "confidence": 40, "impact": 50, "kill_chain_phases": ["Installation"], "message": "Abnormally long run time for risk SPL command seen by user $(Search_Activity.user).", "mitre_attack_id": ["T1059"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Search_Activity.search", "Search_Activity.total_run_time", "Search_Activity.user", "Search_Activity.search_type"], "risk_score": 20, "security_domain": "audit", "risk_severity": "low", "cve": ["CVE-2022-32154"], "manual_test": "This search has a baseline and timestamps hard coded into the search.", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://github.com/splunk/attack_data/raw/master/datasets/attack_techniques/T1203/search_activity.txt", "source": "audittrail", "sourcetype": "audittrail", "update_timestamp": true}]}], "datamodel": ["Splunk_Audit"], "macros": [{"name": "splunk_command_and_scripting_interpreter_risky_spl_mltk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-32154", "cvss": 4.0, "summary": "Dashboards in Splunk Enterprise versions before 9.0 might let an attacker inject risky search commands into a form token when the token is used in a query in a cross-origin request. The result bypasses SPL safeguards for risky commands. See New capabilities can limit access to some custom and potentially risky commands (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/SPLsafeguards#New_capabilities_can_limit_access_to_some_custom_and_potentially_risky_commands) for more information. Note that the attack is browser-based and an attacker cannot exploit it at will."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_command_and_scripting_interpreter_risky_spl_mltk.yml", "source": "application"}, {"name": "Splunk csrf in the ssg kvstore client endpoint", "id": "4742d5f7-ce00-45ce-9c79-5e98b43b4410", "version": 1, "date": "2023-02-14", "author": "Rod Soto", "type": "TTP", "status": "production", "description": "In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a cross-site request forgery in the Splunk Secure Gateway (SSG) app in the kvstore_client endpoint allows for updating SSG KV store collections via a GET request. SSG is a Splunk Built app included by default with Splunk Enterprise. The vulnerability affects instances with SSG and Splunk Web enabled. This hunting search provides information on affected server specific method and post data that may reveal exploitation of this vulnerability.", "data_source": [], "search": "`splunkda` uri_path=\"/en-US/splunkd/__raw/services/ssg/kvstore_client\" method=\"GET\" delete_field_value=\"spacebridge_server\" status=\"200\" | table splunk_server status uri delete_field_value method post_data | `splunk_csrf_in_the_ssg_kvstore_client_endpoint_filter`", "how_to_implement": "Requires access to internal index.", "known_false_positives": "This hunting search only applies to the affected versions and setup mentioned in the description of this search, it does not extract payload so it requires manual investigation after executing search. This search will produce false positives.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"name": "Splunk csrf in the ssg kvstore client endpoint", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "Potential CSRF exploitation attempt from $host$", "mitre_attack_id": ["T1189"], "nist": ["DE.CM"], "observable": [{"name": "splunk_server", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["splunk_server", "status", "uri", "delete_field_value", "method", "post_data"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "cve": ["CVE-2023-22942"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_csrf_in_the_ssg_kvstore_client_endpoint_data.log", "source": "splunkd_access.log", "sourcetype": "splunkd_access"}]}], "datamodel": [], "macros": [{"name": "splunkda", "definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_csrf_in_the_ssg_kvstore_client_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2023-22942", "cvss": null, "summary": "In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a cross-site request forgery in the Splunk Secure Gateway (SSG) app in the ‘kvstore_client’ REST endpoint lets a potential attacker update SSG [App Key Value Store (KV store)](https://docs.splunk.com/Documentation/Splunk/latest/Admin/AboutKVstore) collections using an HTTP GET request. SSG is a Splunk-built app that comes with Splunk Enterprise. The vulnerability affects instances with SSG and Splunk Web enabled."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_csrf_in_the_ssg_kvstore_client_endpoint.yml", "source": "application", "nes_fields": "user,dest"}, {"name": "Splunk Data exfiltration from Analytics Workspace using sid query", "id": "b6d77c6c-f011-4b03-8650-8f10edb7c4a8", "version": 1, "date": "2022-11-1", "author": "Rod Soto, Eric McGinnis", "type": "Hunting", "status": "production", "description": "This hunting search allows operator to discover attempts to exfiltrate data by executing a prepositioned malicious search ID in Analytic Workspace in Splunk Enterprise versions 8.2.9,8.1.12,9.0.2. The attack is browser-based. It requires the attacker to compel a victim to initiate a request within their browser (phishing). The attacker cannot exploit the vulnerability at will.", "data_source": [], "search": "`audit_searches` info=granted search NOT (\"audit_searches\") search NOT (\"security_content_summariesonly\") AND ((search=\"*mstats*[*]*\" AND provenance=\"N/A\") OR (search=\"*mstats*\\\\\\\"*[*]*\\\\\\\"*\"))| eval warning=if(match(search,\"\\\\\\\\\\\"\"), \"POTENTIAL INJECTION STAGING\", \"POTENTIAL INJECTION EXECUTION\") | table search, user, warning, timestamp | `splunk_data_exfiltration_from_analytics_workspace_using_sid_query_filter`", "how_to_implement": "The vulnerability affects only instances with Splunk Web Enabled. After running this search, please run \"Splunk Command and Scripting Interpreter Risky SPL MLTK\" to gain more insight into potentially risky commands which could lead to data exfiltration.", "known_false_positives": "This search may produce false positives. This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. Special attention must be paid to \"/en-US/app/search/analytics_workspace?sid=[sid]\" which is where the malicious code will be inserted to trigger attack at victim.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"name": "Splunk Data exfiltration from Analytics Workspace using sid query", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "message": "Potential data exfiltration attack using SID query by $user$", "mitre_attack_id": ["T1567"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["action", "info", "user", "search_id", "metadata", "user", "_time"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2022-43566"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1567", "mitre_attack_technique": "Exfiltration Over Web Service", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT28", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1567/splunk/splunk_data_exfiltration_from_analytics_workspace_using_sid_query.txt", "source": "audittrail", "sourcetype": "audittrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "audit_searches", "definition": "index=_audit sourcetype=audittrail action=search", "description": "Macro to enable easy searching of audittrail logs for searches"}, {"name": "splunk_data_exfiltration_from_analytics_workspace_using_sid_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-43566", "cvss": null, "summary": "In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run risky commands using a more privileged user’s permissions to bypass SPL safeguards for risky commands https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SPLsafeguards in the Analytics Workspace. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The attacker cannot exploit the vulnerability at will."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_data_exfiltration_from_analytics_workspace_using_sid_query.yml", "source": "application"}, {"name": "Splunk Digital Certificates Infrastructure Version", "id": "3c162281-7edb-4ebc-b9a4-5087aaf28fa7", "version": 1, "date": "2022-05-26", "author": "Lou Stella, Splunk", "type": "Hunting", "status": "production", "description": "This search will check the TLS validation is properly configured on the search head it is run from as well as its search peers after Splunk version 9. Other components such as additional search heads or anything this rest command cannot be distributed to will need to be manually checked.", "data_source": [], "search": "| rest /services/server/info | table splunk_server version server_roles | join splunk_server [| rest /servicesNS/nobody/search/configs/conf-server/ search=\"sslConfig\"| table splunk_server sslVerifyServerCert sslVerifyServerName serverCert] | fillnull value=\"Not Set\" | rename sslVerifyServerCert as \"Server.conf:SslConfig:sslVerifyServerCert\", sslVerifyServerName as \"Server.conf:SslConfig:sslVerifyServerName\", serverCert as \"Server.conf:SslConfig:serverCert\" | `splunk_digital_certificates_infrastructure_version_filter`", "how_to_implement": "The user running this search is required to have a permission allowing them to dispatch REST requests to indexers (the `dispatch_rest_to_indexers` capability) in some architectures. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "No known at this time.", "references": ["https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation#Configure_TLS_host_name_validation_for_Splunk-to-Splunk_communication", "https://www.splunk.com/en_us/product-security/announcements/svd-2022-0602.html", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"name": "Splunk Digital Certificates Infrastructure Version", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 50, "kill_chain_phases": ["Weaponization"], "message": "$splunk_server$ may not be properly validating TLS Certificates", "mitre_attack_id": ["T1587.003"], "nist": ["DE.AE"], "observable": [{"name": "splunk_server", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["none"], "risk_score": 50, "security_domain": "threat", "risk_severity": "medium", "cve": ["CVE-2022-32153"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1587.003", "mitre_attack_technique": "Digital Certificates", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29", "PROMETHIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1213/audittrail/audittrail.log", "source": "audittrail", "sourcetype": "audittrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "splunk_digital_certificates_infrastructure_version_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-32153", "cvss": 6.8, "summary": "Splunk Enterprise peers in Splunk Enterprise versions before 9.0 and Splunk Cloud Platform versions before 8.2.2203 did not validate the TLS certificates during Splunk-to-Splunk communications by default. Splunk peer communications configured properly with valid certificates were not vulnerable. However, an attacker with administrator credentials could add a peer without a valid certificate and connections from misconfigured nodes without valid certificates did not fail by default. For Splunk Enterprise, update to Splunk Enterprise version 9.0 and Configure TLS host name validation for Splunk-to-Splunk communications (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation) to enable the remediation."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_digital_certificates_infrastructure_version.yml", "source": "application"}, {"name": "Splunk Digital Certificates Lack of Encryption", "id": "386a7ebc-737b-48cf-9ca8-5405459ed508", "version": 1, "date": "2022-05-26", "author": "Lou Stella, Splunk", "type": "Anomaly", "status": "production", "description": "On June 14th, 2022, Splunk released a security advisory relating to the authentication that happens between Universal Forwarders and Deployment Servers. In some circumstances, an unauthenticated client can download forwarder bundles from the Deployment Server. In other circumstances, a client may be allowed to publish a forwarder bundle to other clients, which may allow for arbitrary code execution. The fixes for these require upgrading to at least Splunk 9.0 on the forwarder as well. This is a great opportunity to configure TLS across the environment. This search looks for forwarders that are not using TLS and adds risk to those entities.", "data_source": [], "search": "`splunkd` group=\"tcpin_connections\" ssl=\"false\" | stats values(sourceIp) latest(fwdType) latest(version) by hostname | `splunk_digital_certificates_lack_of_encryption_filter`", "how_to_implement": "This anomaly search looks for forwarder connections that are not currently using TLS. It then presents the source IP, the type of forwarder, and the version of the forwarder. You can also remove the \"ssl=false\" argument from the initial stanza in order to get a full list of all your forwarders that are sending data, and the version of Splunk software they are running, for audit purposes. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "None at this time", "references": ["https://www.splunk.com/en_us/product-security/announcements/svd-2022-0607.html", "https://www.splunk.com/en_us/product-security/announcements/svd-2022-0601.html", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"name": "Splunk Digital Certificates Lack of Encryption", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 25, "kill_chain_phases": ["Weaponization"], "message": "$hostname$ is not using TLS when forwarding data", "mitre_attack_id": ["T1587.003"], "nist": ["DE.AE"], "observable": [{"name": "hostname", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["group", "ssl", "sourceIp", "fwdType", "version", "hostname"], "risk_score": 20, "security_domain": "threat", "risk_severity": "low", "cve": ["CVE-2022-32151"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1587.003", "mitre_attack_technique": "Digital Certificates", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29", "PROMETHIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1587.003/splunk_fwder/splunkd.log", "source": "/opt/splunk/var/log/splunk/metrics.log", "sourcetype": "splunkd", "update_timestamp": false}]}], "datamodel": [], "macros": [{"name": "splunkd", "definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_digital_certificates_lack_of_encryption_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-32151", "cvss": 6.4, "summary": "The httplib and urllib Python libraries that Splunk shipped with Splunk Enterprise did not validate certificates using the certificate authority (CA) certificate stores by default in Splunk Enterprise versions before 9.0 and Splunk Cloud Platform versions before 8.2.2203. Python 3 client libraries now verify server certificates by default and use the appropriate CA certificate stores for each library. Apps and add-ons that include their own HTTP libraries are not affected. For Splunk Enterprise, update to Splunk Enterprise version 9.0 and Configure TLS host name validation for Splunk-to-Splunk communications (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation) to enable the remediation."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_digital_certificates_lack_of_encryption.yml", "source": "application"}, {"name": "Splunk DOS Via Dump SPL Command", "id": "fb0e6823-365f-48ed-b09e-272ac4c1dad6", "version": 1, "date": "2023-05-10", "author": "Rod Soto", "type": "Hunting", "status": "production", "description": "In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, an attacker can exploit a vulnerability in the dump SPL command to cause a Denial of Service by crashing the Splunk daemon.", "data_source": ["splunkd.log"], "search": "`splunk_crash_log` \"*Segmentation fault*\" | stats count by host _time | `splunk_dos_via_dump_spl_command_filter`", "how_to_implement": "This search does not require additional ingestion of data. Requires the ability to search _internal index and monitor segmentation faults.", "known_false_positives": "Segmentation faults may occur due to other causes, so this search may produce false positives", "references": ["https://advisory.splunk.com/"], "tags": {"name": "Splunk DOS Via Dump SPL Command", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Actions on Objectives"], "message": "Possible denial of service attack with Victim $host$", "mitre_attack_id": ["T1499.004"], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise"], "required_fields": ["host", "source", "event_message", "status", "_time"], "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "atomic_guid": [], "mitre_attack_enrichments": [{"mitre_attack_id": "T1499.004", "mitre_attack_technique": "Application or System Exploitation", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1499.004/splunk/splunk_dos_via_dump_spl_command.log", "source": "/opt/splunk/var/log/splunk/splunkd.log", "sourcetype": "splunkd_crash_log"}]}], "datamodel": [], "macros": [{"name": "splunk_crash_log", "definition": "(index=_internal AND sourcetype=splunkd_crash_log)", "description": "Searches through the Splunk Crash Log for low-level errors and crashes"}, {"name": "splunk_dos_via_dump_spl_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_dos_via_dump_spl_command.yml", "source": "application"}, {"name": "Splunk DoS via Malformed S2S Request", "id": "fc246e56-953b-40c1-8634-868f9e474cbd", "version": 2, "date": "2022-03-24", "author": "Lou Stella, Splunk", "type": "TTP", "status": "production", "description": "On March 24th, 2022, Splunk published a security advisory for a possible Denial of Service stemming from the lack of validation in a specific key-value field in the Splunk-to-Splunk (S2S) protocol. This detection will alert on attempted exploitation in patched versions of Splunk.", "data_source": [], "search": "`splunkd` log_level=\"ERROR\" component=\"TcpInputProc\" thread_name=\"FwdDataReceiverThread\" \"Invalid _meta atom\" | table host, src | `splunk_dos_via_malformed_s2s_request_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This detection will only find attempted exploitation on versions of Splunk already patched for CVE-2021-3422.", "known_false_positives": "None.", "references": ["https://www.splunk.com/en_us/product-security/announcements/svd-2022-0301.html"], "tags": {"name": "Splunk DoS via Malformed S2S Request", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "message": "An attempt to exploit CVE-2021-3422 was detected from $src$ against $host$", "mitre_attack_id": ["T1498"], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["host", "src", "log_level", "component", "thread_name"], "risk_score": 50, "security_domain": "threat", "risk_severity": "medium", "cve": ["CVE-2021-3422"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1498", "mitre_attack_technique": "Network Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT28"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1498/splunk_indexer_dos/splunkd.log", "source": "/opt/splunk/var/log/splunk/splunkd.log", "sourcetype": "splunkd", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "splunkd", "definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_dos_via_malformed_s2s_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-3422", "cvss": 4.3, "summary": "The lack of validation of a key-value field in the Splunk-to-Splunk protocol results in a denial-of-service in Splunk Enterprise instances configured to index Universal Forwarder traffic. The vulnerability impacts Splunk Enterprise versions before 7.3.9, 8.0 versions before 8.0.9, and 8.1 versions before 8.1.3. It does not impact Universal Forwarders. When Splunk forwarding is secured using TLS or a Token, the attack requires compromising the certificate or token, or both. Implementation of either or both reduces the severity to Medium."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_dos_via_malformed_s2s_request.yml", "source": "application", "nes_fields": "user,dest"}, {"name": "Splunk Edit User Privilege Escalation", "id": "39e1c326-67d7-4c0d-8584-8056354f6593", "version": 1, "date": "2023-05-23", "author": "Rod Soto, Chase Franklin", "type": "Hunting", "status": "production", "description": "A low-privilege user who holds a role that has the edit_user capability assigned to it can escalate their privileges to that of the admin user by providing specially crafted web requests.", "data_source": ["audittrail"], "search": "`audittrail` action IN (\"change_own_password\",\"password_change\",\"edit_password\") AND info=\"granted\" AND NOT user IN (admin, splunk-system-user) | stats earliest(_time) as event_time values(index) as index values(sourcetype) as sourcetype values(action) as action values(info) as info by user | `splunk_edit_user_privilege_escalation_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to discover abuse of edit_user privilege.", "known_false_positives": "This search may produce false positives as password changing actions may be part of normal behavior. Operator will need to investigate these actions in order to discern exploitation attempts.", "references": ["https://advisory.splunk.com/"], "tags": {"name": "Splunk Edit User Privilege Escalation", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "Possible attempt to abuse edit_user function by $user$", "mitre_attack_id": ["T1548"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["user", "action", "info", "_time"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "cve": [], "atomic_guid": [], "mitre_attack_enrichments": [{"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/splunk/splunk_edit_user_privilege_escalation.log", "source": "audittrail", "sourcetype": "audittrail"}]}], "datamodel": [], "macros": [{"name": "audittrail", "definition": "index=_audit sourcetype=audittrail", "description": "Macro to enable easy searching of audittrail logs"}, {"name": "splunk_edit_user_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_edit_user_privilege_escalation.yml", "source": "application"}, {"name": "Splunk Endpoint Denial of Service DoS Zip Bomb", "id": "b237d393-2f57-4531-aad7-ad3c17c8b041", "version": 1, "date": "2022-08-02", "author": "Marissa Bower, Rod Soto, Splunk", "type": "TTP", "status": "production", "description": "This search allows operator to identify Splunk search app crashes resulting from specially crafted ZIP file using file monitoring that affects UF versions 8.1.11 and 8.2 versions below 8.2.7.1. It is not possible to detect Zip Bomb attack before crash. This search will provide Universal Forwarder errors from uploaded binary files (zip compression) which are used for this attack. If an analyst sees results from this search we suggest you investigate and triage what zip file was uploaded, zip compressed files may have different extensions.", "data_source": [], "search": "`splunkd` component=FileClassifierManager event_message=*invalid* event_message=*binary* |stats count by host component event_message | `splunk_endpoint_denial_of_service_dos_zip_bomb_filter`", "how_to_implement": "Need to monitor Splunkd data from Universal Forwarders.", "known_false_positives": "This search may reveal non malicious zip files causing errors as well.", "references": ["https://en.wikipedia.org/wiki/ZIP_(file_format)", "https://www.splunk.com/en_us/product-security.html"], "tags": {"name": "Splunk Endpoint Denial of Service DoS Zip Bomb", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 75, "impact": 100, "kill_chain_phases": ["Actions on Objectives"], "message": "Potential exposure of environment variables from url embedded in dashboard", "mitre_attack_id": ["T1499"], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["source", "component", "event_message", "host"], "risk_score": 75, "security_domain": "threat", "risk_severity": "medium", "cve": ["CVE-2022-37439"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1499", "mitre_attack_technique": "Endpoint Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Sandworm Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1499/splunk/splunk_zip_bomb_vulnerability.log", "source": "/opt/splunkforwarder/var/log/splunk/splunkd.log", "sourcetype": "splunkd"}]}], "datamodel": [], "macros": [{"name": "splunkd", "definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_endpoint_denial_of_service_dos_zip_bomb_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-37439", "cvss": null, "summary": "In Splunk Enterprise and Universal Forwarder versions in the following table, indexing a specially crafted ZIP file using the file monitoring input can result in a crash of the application. Attempts to restart the application would result in a crash and would require manually removing the malformed file."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_endpoint_denial_of_service_dos_zip_bomb.yml", "source": "application", "nes_fields": "user,dest"}, {"name": "Splunk HTTP Response Splitting Via Rest SPL Command", "id": "e615a0e1-a1b2-4196-9865-8aa646e1708c", "version": 1, "date": "2023-05-23", "author": "Rod Soto, Chase Franklin", "type": "Hunting", "status": "production", "description": "A low-privileged user, using a specially crafted search command, can trigger an HTTP response splitting vulnerability with the rest SPL command that lets them potentially access other REST endpoints in the system arbitrarily, including accessing restricted content such as password files. This is because the user is able to inject the rest SPL command into the q parameter of an HTTP GET web request. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The attacker cannot exploit the vulnerability at will.", "data_source": ["audittrail"], "search": "`audit_searches` AND search IN (\"*|*rest*POST*\",\"*|*rest*PUT*\",\"*|*rest*PATCH*\",\"*|*rest*DELETE*\") AND NOT search=\"*audit_searches*\" | table user info has_error_msg search _time | `splunk_http_response_splitting_via_rest_spl_command_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This search may assist in detecting possible http response splitting exploitation attemptss.", "known_false_positives": "This search may have produce false positives as malformed or erroneous requests made to this endpoint may be executed willingly or erroneously by operators.", "references": ["https://advisory.splunk.com/"], "tags": {"name": "Splunk HTTP Response Splitting Via Rest SPL Command", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Suspicious access by $user$", "mitre_attack_id": ["T1027.006"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "URL String", "role": ["Victim"]}], "product": ["Splunk Enterprise"], "required_fields": ["search", "testing_endpoint", "info", "has_error_msg"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "atomic_guid": [], "mitre_attack_enrichments": [{"mitre_attack_id": "T1027.006", "mitre_attack_technique": "HTML Smuggling", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027.006/splunk/splunk_http_response_splitting_via_rest_spl_command.log", "source": "audittrail", "sourcetype": "audittrail"}]}], "datamodel": [], "macros": [{"name": "audit_searches", "definition": "index=_audit sourcetype=audittrail action=search", "description": "Macro to enable easy searching of audittrail logs for searches"}, {"name": "splunk_http_response_splitting_via_rest_spl_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_http_response_splitting_via_rest_spl_command.yml", "source": "application"}, {"name": "Splunk Improperly Formatted Parameter Crashes splunkd", "id": "08978eca-caff-44c1-84dc-53f17def4e14", "version": 1, "date": "2023-02-14", "author": "Chase Franklin, Rod Soto, Splunk", "type": "TTP", "status": "experimental", "description": "In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, when the INGEST\\\\_EVAL parameter is improperly formatted, it crashes splunkd. This hunting search provides the user, timing and number of times the crashing command was executed.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where (Search_Activity.search=\"*makeresults*\"AND Search_Activity.search=\"*ingestpreview*transforms*\") Search_Activity.search_type=adhoc Search_Activity.search!=\"*splunk_improperly_formatted_parameter_crashes_splunkd_filter*\" Search_Activity.user!=splunk-system-user by Search_Activity.search, Search_Activity.info, Search_Activity.total_run_time, Search_Activity.user, Search_Activity.search_type | `drop_dm_object_name(Search_Activity)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_improperly_formatted_parameter_crashes_splunkd_filter`", "how_to_implement": "Requires access to audittrail and use of Splunk_Audit.Search_Activity datamodel.", "known_false_positives": "This is a hunting search it should be focused on affected products, otherwise it is likely to produce false positives.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"name": "Splunk Improperly Formatted Parameter Crashes splunkd", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Actions on Objectives"], "message": "An attempt to exploit ingest eval parameter was detected from $user$", "mitre_attack_id": ["T1499"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise"], "required_fields": ["user", "count", "info"], "risk_score": 100, "security_domain": "threat", "risk_severity": "high", "cve": ["CVE-2023-22941"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1499", "mitre_attack_technique": "Endpoint Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Sandworm Team"]}]}, "datamodel": ["Splunk_Audit"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "splunk_improperly_formatted_parameter_crashes_splunkd_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2023-22941", "cvss": null, "summary": "In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, an improperly-formatted ‘INGEST_EVAL’ parameter in a [Field Transformation](https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Managefieldtransforms) crashes the Splunk daemon (splunkd)."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_improperly_formatted_parameter_crashes_splunkd.yml", "source": "application", "nes_fields": "user,dest"}, {"name": "Splunk list all nonstandard admin accounts", "id": "401d689c-8596-4c6b-a710-7b6fdca296d3", "version": 1, "date": "2023-02-07", "author": "Rod Soto", "type": "Hunting", "status": "experimental", "description": "This search will enumerate all Splunk Accounts with administrative rights on this instance. It deliberately ignores the default admin account since this is assumed to be present. This search may help in a detection the Cross-Site Scripting Attack listed: In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a View allows for Cross-Site Scripting in an XML View through the 'layoutPanel' attribute in the 'module' tag. The vulnerability affects instances with Splunk Web enabled.", "data_source": [], "search": "| rest splunk_server=local /services/authentication/users |search capabilities=admin* OR imported_capabilities=admin* title!=admin | table title roles capabilities splunk_server | `splunk_list_all_nonstandard_admin_accounts_filter`", "how_to_implement": "The user running this search is required to have a permission allowing them to dispatch REST requests to indexers (the `dispatch_rest_to_indexers` capability) in some architectures. If there have been admin account, in addition to the standard admin account, intentionally created on this server, then edit the filter macro to exclude them.", "known_false_positives": "It is not possible to discern from the user table whether or not users with admin rights have been created intentionally, accidentally, or as a result of exploitation. Each user with these rights should be investigated and, if legitimate, added to the filter macro above. If a user is not believed to be legitimate, then further investigation should take place.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"name": "Splunk list all nonstandard admin accounts", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "Potential stored XSS attempt from $host$", "mitre_attack_id": ["T1189"], "nist": ["DE.AE"], "observable": [{"name": "splunk_server", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["capabilities", "splunk_server", "title"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2023-22933"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}]}, "datamodel": [], "macros": [{"name": "splunk_list_all_nonstandard_admin_accounts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2023-22933", "cvss": null, "summary": "In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a View allows for Cross-Site Scripting (XSS) in an extensible mark-up language (XML) View through the ‘layoutPanel’ attribute in the ‘module’ tag’. The vulnerability affects instances with Splunk Web enabled."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_list_all_nonstandard_admin_accounts.yml", "source": "application"}, {"name": "Splunk Low Privilege User Can View Hashed Splunk Password", "id": "a1be424d-e59c-4583-b6f9-2dcc23be4875", "version": 1, "date": "2023-05-09", "author": "Rod Soto, Eric McGinnis, Chase Franklin", "type": "Hunting", "status": "production", "description": "In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, a low-privilege user who holds the user role can see the hashed version of the initial user name and password for the Splunk instance by using the rest SPL command against the conf-user-seed REST endpoint. This can lead to a privilege escalation that lets the user take over the admin account on the instance.", "data_source": ["splunk_web_access"], "search": "`splunkd_web` uri=\"*/servicesNS/nobody/system/configs/conf-user-seed*\" | stats earliest(_time) as event_time values(method) as method values(status) as status values(clientip) as clientip values(useragent) as useragent values(file) as file by user | convert ctime(*time) | `splunk_low_privilege_user_can_view_hashed_splunk_password_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to discover attempts to access con-user-seed file content.", "known_false_positives": "This search may produce false positives as accounts with high privileges may access this file. Operator will need to investigate these actions in order to discern exploitation attempts.", "references": ["https://advisory.splunk.com/"], "tags": {"name": "Splunk Low Privilege User Can View Hashed Splunk Password", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "Attempt to access Splunk hashed password file from $clientip$", "mitre_attack_id": ["T1212"], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise"], "required_fields": ["_time", "clientip", "useragent", "file", "user", "method", "status"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "atomic_guid": [], "mitre_attack_enrichments": [{"mitre_attack_id": "T1212", "mitre_attack_technique": "Exploitation for Credential Access", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1212/splunk/splunk_low_privilege_user_can_view_hashed_splunk_password.log", "source": "/opt/splunk/var/log/splunk/web_access.log", "sourcetype": "splunk_web_access"}]}], "datamodel": [], "macros": [{"name": "splunkd_web", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_low_privilege_user_can_view_hashed_splunk_password_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_low_privilege_user_can_view_hashed_splunk_password.yml", "source": "application"}, {"name": "Splunk Path Traversal In Splunk App For Lookup File Edit", "id": "8ed58987-738d-4917-9e44-b8ef6ab948a6", "version": 1, "date": "2023-05-11", "author": "Rod Soto, Eric McGinnis", "type": "Hunting", "status": "production", "description": "In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, a low-privilege user with access to the Splunk App for Lookup File Editing can, with a specially crafted web request, trigger a path traversal exploit that can then be used to read and write to restricted areas of the Splunk installation directory, including but not limited to the password hash file for the instance.", "data_source": ["splunkd_access"], "search": "`splunkda` uri_query=*lookup_file* | table clientip uri_query lookup_file owner namespace version | stats count by clientip namespace lookup_file uri_query | `splunk_path_traversal_in_splunk_app_for_lookup_file_edit_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This detection is meant for on premise environments, and if executed on internet facing servers without a WAF may produce a lot of results. This detection will not work against obfuscated path traversal requests.", "known_false_positives": "This search may find additional path traversal exploitation attempts or malformed requests.", "references": ["https://advisory.splunk.com/"], "tags": {"name": "Splunk Path Traversal In Splunk App For Lookup File Edit", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Path traversal exploitation attempt from $clientip$", "mitre_attack_id": ["T1083"], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise"], "required_fields": ["clientip", "uri_query", "event_message", "lookup_file", "owner", "method", "user"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "atomic_guid": [], "mitre_attack_enrichments": [{"mitre_attack_id": "T1083", "mitre_attack_technique": "File and Directory Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT28", "APT3", "APT32", "APT38", "APT39", "APT41", "Aoqin Dragon", "BRONZE BUTLER", "Chimera", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "Fox Kitten", "Gamaredon Group", "HAFNIUM", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "MuddyWater", "Mustang Panda", "Patchwork", "Sandworm Team", "Sidewinder", "Sowbug", "TeamTNT", "Tropic Trooper", "Turla", "Windigo", "Winnti Group", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1083/splunk/splunk_path_traversal_in_splunk_app_for_lookup_file_edit.log", "source": "splunkd_access", "sourcetype": "splunkd_access"}]}], "datamodel": [], "macros": [{"name": "splunkda", "definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_path_traversal_in_splunk_app_for_lookup_file_edit_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_path_traversal_in_splunk_app_for_lookup_file_edit.yml", "source": "application"}, {"name": "Persistent XSS in RapidDiag through User Interface Views", "id": "ce6e1268-e01c-4df2-a617-0f034ed49a43", "version": 1, "date": "2023-02-14", "author": "Rod Soto, Splunk", "type": "TTP", "status": "production", "description": "In Splunk Enterprise 9.0 versions before 9.0.4, a View allows for Cross-Site Scripting through the error message in a Base64-encoded image. The vulnerability affects instances with Splunk Web enabled. It does not affect Splunk Enterprise versions below 9.0. This search provides information on what user may have potentially added a malicious payload and what users were exposed to it.", "data_source": [], "search": "`audit_searches` path=/opt/splunk/etc/users/*/search/local/data/ui/views/* action=* |table user action roles info roles path | dedup user action | `persistent_xss_in_rapiddiag_through_user_interface_views_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index", "known_false_positives": "This is a hunting search, it will not deobfuscate base64 payload, it provides however it will provide what user added the view artifact and what user opened it. It will require further investigation based on the information presented by this hunting search.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"name": "Persistent XSS in RapidDiag through User Interface Views", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "A potential XSS attempt has been detected from $user$", "mitre_attack_id": ["T1189"], "nist": ["DE.CM"], "observable": [{"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["user", "action", "roles", "info", "roles", "path"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "cve": ["CVE-2023-22932"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_persistent_xss_in_rapiddiag_through_user_interface_views_data.log", "source": "audittrail", "sourcetype": "audittrail"}]}], "datamodel": [], "macros": [{"name": "audit_searches", "definition": "index=_audit sourcetype=audittrail action=search", "description": "Macro to enable easy searching of audittrail logs for searches"}, {"name": "persistent_xss_in_rapiddiag_through_user_interface_views_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2023-22932", "cvss": null, "summary": "In Splunk Enterprise 9.0 versions before 9.0.4, a View allows for Cross-Site Scripting (XSS) through the error message in a Base64-encoded image. The vulnerability affects instances with Splunk Web enabled. It does not affect Splunk Enterprise versions below 9.0."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_persistent_xss_in_rapiddiag_through_user_interface_views.yml", "source": "application", "nes_fields": "user,dest"}, {"name": "Splunk Persistent XSS Via URL Validation Bypass W Dashboard", "id": "8a43558f-a53c-4ee4-86c1-30b1e8ef3606", "version": 1, "date": "2023-05-09", "author": "Rod Soto", "type": "Hunting", "status": "production", "description": "In Splunk Enterprise versions below 9.0.4, 8.2.10, and 8.1.13, a low-privileged user can bypass URL validation to perform a path traversal and access restricted and confidential information by targeting other users on the instance, including the admin user. The only affected version of bootstrap which shipped with Splunk was version 2.3.1, so the search is targeted at that version alone.", "data_source": ["splunk_web_access"], "search": "`splunkd_web` method=GET uri_path=\"*bootstrap-2.3.1*\" file=\"*.js\" | table _time clientip uri_path file status | `splunk_persistent_xss_via_url_validation_bypass_w_dashboard_filter`", "how_to_implement": "This search does not require additional data to be ingested. This search requires ability to search _internal index. This search helps discover access to vulnerable bootstrap versions.", "known_false_positives": "This search will produce numerous false positives as it shows ANY accesses to vulnerable bootstrap Javascript files. Accesses to these files occur during normal Splunk usage. To reduce or eliminate false positives, update the a version of Splunk which has addressed the vulnerability.", "references": ["https://advisory.splunk.com/"], "tags": {"name": "Splunk Persistent XSS Via URL Validation Bypass W Dashboard", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 20, "impact": 80, "kill_chain_phases": ["Delivery"], "message": "Attempted access to vulnerable bootstrap file by $clientip$", "mitre_attack_id": ["T1189"], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise"], "required_fields": ["file", "uri", "clientip", "user"], "risk_score": 16, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2019-8331"], "atomic_guid": [], "mitre_attack_enrichments": [{"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_persistent_xss_via_url_validation_bypass_w_dashboard.log", "source": "/opt/splunk/var/log/splunk/web_access.log", "sourcetype": "splunk_web_access"}]}], "datamodel": [], "macros": [{"name": "splunkd_web", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_persistent_xss_via_url_validation_bypass_w_dashboard_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2019-8331", "cvss": 4.3, "summary": "In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_persistent_xss_via_url_validation_bypass_w_dashboard.yml", "source": "application"}, {"name": "Splunk Process Injection Forwarder Bundle Downloads", "id": "8ea57d78-1aac-45d2-a913-0cd603fb6e9e", "version": 1, "date": "2022-05-26", "author": "Lou Stella, Splunk", "type": "Hunting", "status": "production", "description": "On June 14th, 2022, Splunk released a security advisory relating to the authentication that happens between Universal Forwarders and Deployment Servers. In some circumstances, an unauthenticated client can download forwarder bundles from the Deployment Server. This hunting search pulls a full list of forwarder bundle downloads where the peer column is the forwarder, the host column is the Deployment Server, and then you have a list of the apps downloaded and the serverclasses in which the peer is a member of. You should look for apps or clients that you do not recognize as being part of your environment.", "data_source": [], "search": "`splunkd` component=\"PackageDownloadRestHandler\" | stats values(app) values(serverclass) by peer, host | `splunk_process_injection_forwarder_bundle_downloads_filter`", "how_to_implement": "This hunting search uses native logs produced when a deployment server is within your environment. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "None at this time.", "references": ["https://www.splunk.com/en_us/product-security/announcements/svd-2022-0607.html", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"name": "Splunk Process Injection Forwarder Bundle Downloads", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "$peer$ downloaded apps from $host$", "mitre_attack_id": ["T1055"], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["component", "app", "serverclass", "peer", "host"], "risk_score": 35, "security_domain": "threat", "risk_severity": "low", "cve": ["CVE-2022-32157"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/splunk_ds/splunkd.log", "source": "/opt/splunk/var/log/splunk/splunkd.log", "sourcetype": "splunkd", "update_timestamp": false}]}], "datamodel": [], "macros": [{"name": "splunkd", "definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_process_injection_forwarder_bundle_downloads_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-32157", "cvss": 5.0, "summary": "Splunk Enterprise deployment servers in versions before 9.0 allow unauthenticated downloading of forwarder bundles. Remediation requires you to update the deployment server to version 9.0 and Configure authentication for deployment servers and clients (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/ConfigDSDCAuthEnhancements#Configure_authentication_for_deployment_servers_and_clients). Once enabled, deployment servers can manage only Universal Forwarder versions 9.0 and higher. Though the vulnerability does not directly affect Universal Forwarders, remediation requires updating all Universal Forwarders that the deployment server manages to version 9.0 or higher prior to enabling the remediation."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_process_injection_forwarder_bundle_downloads.yml", "source": "application"}, {"name": "Splunk Protocol Impersonation Weak Encryption Configuration", "id": "900892bf-70a9-4787-8c99-546dd98ce461", "version": 1, "date": "2022-05-25", "author": "Lou Stella, Splunk", "type": "Hunting", "status": "production", "description": "On June 14th, 2022, Splunk released a security advisory relating to TLS validation occuring within the httplib and urllib python libraries shipped with Splunk. In addition to upgrading to Splunk Enterprise 9.0 or later, several configuration settings need to be set. This search will check those configurations on the search head it is run from as well as its search peers. In addition to these settings, the PYTHONHTTPSVERIFY setting in $SPLUNK_HOME/etc/splunk-launch.conf needs to be enabled as well. Other components such as additional search heads or anything this rest command cannot be distributed to will need to be manually checked.", "data_source": [], "search": "| rest /services/server/info | table splunk_server version server_roles | join splunk_server [| rest /servicesNS/nobody/search/configs/conf-server/ search=\"PythonSslClientConfig\" | table splunk_server sslVerifyServerCert sslVerifyServerName] | join splunk_server [| rest /servicesNS/nobody/search/configs/conf-web/settings | table splunk_server serverCert sslVersions] | rename sslVerifyServerCert as \"Server.conf:PythonSSLClientConfig:sslVerifyServerCert\", sslVerifyServerName as \"Server.conf:PythonSSLClientConfig:sslVerifyServerName\", serverCert as \"Web.conf:Settings:serverCert\", sslVersions as \"Web.conf:Settings:sslVersions\" | `splunk_protocol_impersonation_weak_encryption_configuration_filter`", "how_to_implement": "The user running this search is required to have a permission allowing them to dispatch REST requests to indexers (The `dispatch_rest_to_indexers` capability). Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "While all of the settings on each device returned by this search may appear to be hardened, you will still need to verify the value of PYTHONHTTPSVERIFY in $SPLUNK_HOME/etc/splunk-launch.conf on each device in order to harden the python configuration.", "references": ["https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation", "https://www.splunk.com/en_us/product-security/announcements/svd-2022-0601.html", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"name": "Splunk Protocol Impersonation Weak Encryption Configuration", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 50, "kill_chain_phases": ["Command And Control"], "message": "$splunk_server$ may not be properly validating TLS Certificates", "mitre_attack_id": ["T1001.003"], "nist": ["DE.AE"], "observable": [{"name": "splunk_server", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["none"], "risk_score": 50, "security_domain": "threat", "risk_severity": "medium", "cve": ["CVE-2022-32151"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1001.003", "mitre_attack_technique": "Protocol Impersonation", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Higaisa", "Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1213/audittrail/audittrail.log", "source": "audittrail", "sourcetype": "audittrail", "update_timestamp": true}]}], "datamodel": ["Web"], "macros": [{"name": "splunk_protocol_impersonation_weak_encryption_configuration_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-32151", "cvss": 6.4, "summary": "The httplib and urllib Python libraries that Splunk shipped with Splunk Enterprise did not validate certificates using the certificate authority (CA) certificate stores by default in Splunk Enterprise versions before 9.0 and Splunk Cloud Platform versions before 8.2.2203. Python 3 client libraries now verify server certificates by default and use the appropriate CA certificate stores for each library. Apps and add-ons that include their own HTTP libraries are not affected. For Splunk Enterprise, update to Splunk Enterprise version 9.0 and Configure TLS host name validation for Splunk-to-Splunk communications (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation) to enable the remediation."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_protocol_impersonation_weak_encryption_configuration.yml", "source": "application"}, {"name": "Splunk protocol impersonation weak encryption selfsigned", "id": "c76c7a2e-df49-414a-bb36-dce2683770de", "version": 1, "date": "2022-05-26", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "production", "description": "On June 14th 2022, Splunk released vulnerability advisory addresing Python TLS validation which was not set before Splunk version 9. This search displays events showing WARNING of using Splunk issued default selfsigned certificates.", "data_source": [], "search": "`splunkd` certificate event_message=\"X509 certificate* should not be used*\" | stats count by host CN component log_level | `splunk_protocol_impersonation_weak_encryption_selfsigned_filter`", "how_to_implement": "Must upgrade to Splunk version 9 and Configure TLS in order to apply this search. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "This searches finds self signed certificates issued by Splunk which are not recommended from Splunk version 9 forward.", "references": ["https://www.splunk.com/en_us/product-security", "https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"name": "Splunk protocol impersonation weak encryption selfsigned", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Weaponization"], "message": "Splunk default issued certificate at $host$", "mitre_attack_id": ["T1588.004"], "nist": ["DE.AE"], "observable": [{"name": "Hostname", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["host", "CN", "event_message"], "risk_score": 40, "security_domain": "threat", "risk_severity": "low", "cve": ["CVE-2022-32152"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1588.004", "mitre_attack_technique": "Digital Certificates", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["BlackTech", "Lazarus Group", "LuminousMoth", "Silent Librarian"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1558.004/splunk_protocol_impersonation_weak_encryption_selfsigned.txt", "source": "/opt/splun/var/log/splunk/splunkd.log", "sourcetype": "splunkd"}]}], "datamodel": [], "macros": [{"name": "splunkd", "definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_protocol_impersonation_weak_encryption_selfsigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-32152", "cvss": 6.5, "summary": "Splunk Enterprise peers in Splunk Enterprise versions before 9.0 and Splunk Cloud Platform versions before 8.2.2203 did not validate the TLS certificates during Splunk-to-Splunk communications by default. Splunk peer communications configured properly with valid certificates were not vulnerable. However, an attacker with administrator credentials could add a peer without a valid certificate and connections from misconfigured nodes without valid certificates did not fail by default. For Splunk Enterprise, update to Splunk Enterprise version 9.0 and Configure TLS host name validation for Splunk-to-Splunk communications (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation) to enable the remediation."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_protocol_impersonation_weak_encryption_selfsigned.yml", "source": "application"}, {"name": "Splunk protocol impersonation weak encryption simplerequest", "id": "839d12a6-b119-4d44-ac4f-13eed95412c8", "version": 1, "date": "2022-05-24", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "production", "description": "On Splunk version 9 on Python3 client libraries verify server certificates by default and use CA certificate store. This search warns a user about a failure to validate a certificate using python3 request.", "data_source": [], "search": "`splunk_python` \"simpleRequest SSL certificate validation is enabled without hostname verification\" | stats count by host path | `splunk_protocol_impersonation_weak_encryption_simplerequest_filter`", "how_to_implement": "Must upgrade to Splunk version 9 and Configure TLS host name validation for Splunk Python modules in order to apply this search. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "This search tries to address validation of server and client certificates within Splunk infrastructure, it might produce results from accidental or unintended requests to port 8089.", "references": ["https://www.splunk.com/en_us/product-security", "https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"name": "Splunk protocol impersonation weak encryption simplerequest", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Weaponization"], "message": "Failed to validate certificate on $host$", "mitre_attack_id": ["T1588.004"], "nist": ["DE.AE"], "observable": [{"name": "Hostname", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["host", "event_message", "path"], "risk_score": 40, "security_domain": "threat", "risk_severity": "low", "cve": ["CVE-2022-32152"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1588.004", "mitre_attack_technique": "Digital Certificates", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["BlackTech", "Lazarus Group", "LuminousMoth", "Silent Librarian"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1558.004/splk_protocol_impersonation_weak_encryption_simplerequest.txt", "source": "/opt/splunk/var/log/splunk/splunkd.log", "sourcetype": "splunk_python"}]}], "datamodel": [], "macros": [{"name": "splunk_python", "definition": "index=_internal sourcetype=splunk_python", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_protocol_impersonation_weak_encryption_simplerequest_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-32152", "cvss": 6.5, "summary": "Splunk Enterprise peers in Splunk Enterprise versions before 9.0 and Splunk Cloud Platform versions before 8.2.2203 did not validate the TLS certificates during Splunk-to-Splunk communications by default. Splunk peer communications configured properly with valid certificates were not vulnerable. However, an attacker with administrator credentials could add a peer without a valid certificate and connections from misconfigured nodes without valid certificates did not fail by default. For Splunk Enterprise, update to Splunk Enterprise version 9.0 and Configure TLS host name validation for Splunk-to-Splunk communications (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation) to enable the remediation."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_protocol_impersonation_weak_encryption_simplerequest.yml", "source": "application"}, {"name": "Splunk RBAC Bypass On Indexing Preview REST Endpoint", "id": "bbe26f95-1655-471d-8abd-3d32fafa86f8", "version": 1, "date": "2023-05-10", "author": "Rod Soto", "type": "Hunting", "status": "production", "description": "An unauthorized user can use the /services/indexing/preview REST endpoint to overwrite search results if they know the search ID (SID) of an existing search job.", "data_source": ["splunkd_access.log"], "search": "`splunkda` method=\"POST\" uri=\"*/services/indexing/preview*\" | table host clientip status useragent user uri_path | `splunk_rbac_bypass_on_indexing_preview_rest_endpoint_filter`", "how_to_implement": "This search does not require additional data ingestion. It requires the ability to search _internal index.", "known_false_positives": "This is a hunting search which provides verbose results against this endpoint. Operator must consider things such as IP address, useragent and user(specially low privelege) and host to investigate possible attack.", "references": ["https://advisory.splunk.com/"], "tags": {"name": "Splunk RBAC Bypass On Indexing Preview REST Endpoint", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Review $clientip$ access to indexing preview endpoint from low privilege user", "mitre_attack_id": ["T1134"], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise"], "required_fields": ["host", "clientip", "status", "useragent", "user", "uri_path"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "atomic_guid": [], "mitre_attack_enrichments": [{"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1134/splunk/splunk_rbac_bypass_on_indexing_preview_rest_endpoint.log", "source": "splunkd_access.log", "sourcetype": "splunkd_access"}]}], "datamodel": [], "macros": [{"name": "splunkda", "definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_rbac_bypass_on_indexing_preview_rest_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_rbac_bypass_on_indexing_preview_rest_endpoint.yml", "source": "application"}, {"name": "Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature", "id": "baa41f09-df48-4375-8991-520beea161be", "version": 1, "date": "2022-10-11", "author": "Rod Soto", "type": "Hunting", "status": "production", "description": "This hunting search provides information on possible exploitation attempts against Splunk Secure Gateway App Mobile Alerts feature in Splunk versions 9.0, 8.2.x, 8.1.x. An authenticated user can run arbitrary operating system commands remotely through the use of specially crafted requests to the mobile alerts feature in the Splunk Secure Gateway app.", "data_source": [], "search": "`splunkda` uri_path=\"/servicesNS/nobody/splunk_secure_gateway/storage/collections/data/mobile_alerts*\" sort=\"notification.created_at:-1\" | table clientip file host method uri_query sort | `splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature_filter`", "how_to_implement": "This search only applies if Splunk Mobile Gateway is deployed in the vulnerable Splunk versions.", "known_false_positives": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. Focus of this search is \"uri_path=/servicesNS/nobody/splunk_secure_gateway/storage/collections/data/mobile_alerts*\" which is the injection point.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"name": "Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "Possible exploitation attempt from $clientip$", "mitre_attack_id": ["T1210"], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["uri_path", "clientip", "file", "host", "method", "sort"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "cve": ["CVE-2022-43567"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1210", "mitre_attack_technique": "Exploitation of Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "Dragonfly", "Earth Lusca", "FIN7", "Fox Kitten", "MuddyWater", "Threat Group-3390", "Tonto Team", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1210/splunk/splunk_rce_via_secure_gateway_splunk_mobile_alerts_feature.txt", "source": "/opt/splunk/var/log/splunk/splunkd_access.log", "sourcetype": "splunkd_access", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "splunkda", "definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-43567", "cvss": null, "summary": "In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run arbitrary operating system commands remotely through the use of specially crafted requests to the mobile alerts feature in the Splunk Secure Gateway app."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature.yml", "source": "application"}, {"name": "Splunk Reflected XSS in the templates lists radio", "id": "d532d105-c63f-4049-a8c4-e249127ca425", "version": 1, "date": "2022-10-11", "author": "Rod Soto, Chase Franklin", "type": "Hunting", "status": "production", "description": "Splunk versions below 8.1.12,8.2.9 and 9.0.2 are vulnerable to reflected cross site scripting (XSS). A View allows for a Reflected Cross Site scripting via JavaScript Object Notation (JSON) in a query parameter when ouput_mode=radio.", "data_source": [], "search": "`splunkd_webx` user=admin status=200 uri=*/lists/entities/x/ui/views* uri_query!=null | stats count earliest(_time) as event_time values(status) as status values(clientip) as clientip by index, sourcetype, _time, host, user, uri | `splunk_reflected_xss_in_the_templates_lists_radio_filter`", "how_to_implement": "This vulnerability only affects instances with Splunk Web enabled. This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.", "known_false_positives": "This search may produce false positives as it is difficult to pinpoint all possible XSS injection characters in a single search string. Special attention is required to \"en-US/list/entities/x/ui/views\" which is the vulnerable injection point.", "references": ["https://research.splunk.com/stories/splunk_vulnerabilities/"], "tags": {"name": "Splunk Reflected XSS in the templates lists radio", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "Potential XSS exploitation against radio template by $user$", "mitre_attack_id": ["T1189"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["host", "clientip", "status", "user", "uri", "uri_query", "uri_path"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2022-43568"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_reflected_xss_in_templates_lists_radio.txt", "source": "/opt/splunk/var/log/splunk/web_access.log", "sourcetype": "splunk_web_access", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "splunkd_webx", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_reflected_xss_in_the_templates_lists_radio_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-43568", "cvss": null, "summary": "In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, a View allows for a Reflected Cross Site Scripting via JavaScript Object Notation (JSON) in a query parameter when output_mode=radio."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_reflected_xss_in_the_templates_lists_radio.yml", "source": "application"}, {"name": "Splunk risky Command Abuse disclosed february 2023", "id": "ee69374a-d27e-4136-adac-956a96ff60fd", "version": 1, "date": "2023-02-14", "author": "Chase Franklin, Rod Soto, Eric McGinnis, Splunk", "type": "Hunting", "status": "production", "description": "In February 2023, Splunk disclosed several vulnerabilities affecting Splunk Enterprise commands deemed risky. The following hunting search includes the following commands and versions. Command 'createrss' (versions 8.1.13, 8.2.10), pivot (8.1.13,8.2.10,9.0.4), display.page.search.patterns.sensitivity(versions below 8.1.13,8.2.10,9.0.4), search_listener, map, collect (8.1.13,8.2.10,9.0.4). For more information please review Splunk Vulnerabilities Disclosure, February 2023. Link can be found in reference.", "data_source": [], "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where Search_Activity.search_type=adhoc Search_Activity.user!=splunk-system-user by Search_Activity.search Search_Activity.info Search_Activity.total_run_time Search_Activity.user Search_Activity.search_type | `drop_dm_object_name(Search_Activity)` | lookup splunk_risky_command splunk_risky_command as search output splunk_risky_command description vulnerable_versions CVE other_metadata | where splunk_risky_command != \"false\" | `splunk_risky_command_abuse_disclosed_february_2023_filter`", "how_to_implement": "Requires implementation of Splunk_Audit.Search_Activity datamodel.", "known_false_positives": "This search encompasses many commands.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"name": "Splunk risky Command Abuse disclosed february 2023", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Use of risky splunk command $splunk_risky_command$ detected by $user$", "mitre_attack_id": ["T1548"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "splunk_risky_command", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["search", "info", "user", "search_type", "count"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "cve": ["CVE-2023-22931", "CVE-2023-22934", "CVE-2023-22935", "CVE-2023-22936", "CVE-2023-22939", "CVE-2023-22940"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "datamodel": ["Splunk_Audit"], "macros": [{"name": "splunk_risky_command_abuse_disclosed_february_2023_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "splunk_risky_command", "description": "A list of Risky Splunk Command that are candidates for abuse", "filename": "splunk_risky_command.csv", "default_match": "false", "match_type": "WILDCARD(splunk_risky_command)", "min_matches": 1, "case_sensitive_match": "false"}], "cve_enrichment": [{"id": "CVE-2023-22931", "cvss": null, "summary": "In Splunk Enterprise versions below 8.1.13 and 8.2.10, the ‘createrss’ external search command overwrites existing Resource Description Format Site Summary (RSS) feeds without verifying permissions. This feature has been deprecated and disabled by default."}, {"id": "CVE-2023-22934", "cvss": null, "summary": "In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘pivot’ search processing language (SPL) command lets a search bypass [SPL safeguards for risky commands](https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards) using a saved search job. The vulnerability requires an authenticated user to craft the saved job and a higher privileged user to initiate a request within their browser. The vulnerability affects instances with Splunk Web enabled."}, {"id": "CVE-2023-22935", "cvss": null, "summary": "In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘display.page.search.patterns.sensitivity’ search parameter lets a search bypass [SPL safeguards for risky commands](https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards). The vulnerability requires a higher privileged user to initiate a request within their browser and only affects instances with Splunk Web enabled."}, {"id": "CVE-2023-22936", "cvss": null, "summary": "In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘search_listener’ parameter in a search allows for a blind server-side request forgery (SSRF) by an authenticated user. The initiator of the request cannot see the response without the presence of an additional vulnerability within the environment."}, {"id": "CVE-2023-22939", "cvss": null, "summary": "In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘map’ search processing language (SPL) command lets a search [bypass SPL safeguards for risky commands](https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards). The vulnerability requires a higher privileged user to initiate a request within their browser and only affects instances with Splunk Web enabled."}, {"id": "CVE-2023-22940", "cvss": null, "summary": "In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, aliases of the ‘collect’ search processing language (SPL) command, including ‘summaryindex’, ‘sumindex’, ‘stash’,’ mcollect’, and ‘meventcollect’, were not designated as safeguarded commands. The commands could potentially allow for the exposing of data to a summary index that unprivileged users could access. The vulnerability requires a higher privileged user to initiate a request within their browser, and only affects instances with Splunk Web enabled."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_risky_command_abuse_disclosed_february_2023.yml", "source": "application"}, {"name": "Splunk Stored XSS via Data Model objectName field", "id": "062bff76-5f9c-496e-a386-cb1adcf69871", "version": 1, "date": "2022-10-11", "author": "Rod Soto", "type": "Hunting", "status": "production", "description": "Splunk Enterprise versions 8.1.12, 8.2.9, 9.0.2 are vulnerable to persistent cross site scripting via Data Model object name. An authenticated user can inject and store arbitrary scripts that can lead to persistent cross-site scripting (XSS) in the object name Data Model.", "data_source": [], "search": "`splunkd_webx` uri=/en-US/splunkd/__raw/servicesNS/*/launcher/datamodel/model* uri_query!=null | stats count by _time host status clientip user uri | `splunk_stored_xss_via_data_model_objectname_field_filter`", "how_to_implement": "This vulnerability only affects Splunk Web enabled instances. This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.", "known_false_positives": "This search may produce false positives and does not cover exploitation attempts via code obfuscation, focus of search is suspicious requests against \"/en-US/splunkd/__raw/servicesNS/*/launcher/datamodel/model\" which is the injection point.", "references": ["https://www.splunk.com/en_us/product-security.html", "https://portswigger.net/web-security/cross-site-scripting/cheat-sheet"], "tags": {"name": "Splunk Stored XSS via Data Model objectName field", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "A potential XSS attempt has been detected from $user$", "mitre_attack_id": ["T1189"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["uri", "uri_query", "host", "status", "clientip", "user", "uri_path"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2022-43569"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_stored_xss_via_data_model_objectname_field.txt", "source": "/opt/splunk/var/log/splunk/web_access.log", "sourcetype": "splunk_web_access", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "splunkd_webx", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_stored_xss_via_data_model_objectname_field_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-43569", "cvss": null, "summary": "In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, an authenticated user can inject and store arbitrary scripts that can lead to persistent cross-site scripting (XSS) in the object name of a Data Model."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_stored_xss_via_data_model_objectname_field.yml", "source": "application"}, {"name": "Splunk unnecessary file extensions allowed by lookup table uploads", "id": "b7d1293f-e78f-415e-b5f6-443df3480082", "version": 1, "date": "2023-02-14", "author": "Rod Soto, Splunk", "type": "TTP", "status": "production", "description": "In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the lookup table uploads let a user upload lookup tables with unnecessary filename extensions. Lookup table file extensions may now only be one of .csv, .csv.gz, .kmz, .kml, .mmdb, or .mmdb.gz. This search provides user activity focus on uploads which aims to help hunt for malicious file uploads.", "data_source": [], "search": "`splunkda` method IN (\"POST\", \"DELETE\") uri_path=/servicesNS/*/ui/views/* | eval activity = case( method==\"POST\" AND like( uri_path , \"%/acl\" ) , \"Permissions Update\", method==\"POST\" AND NOT like( uri_path , \"%/acl\" ) , \"Edited\" , method==\"DELETE\" , \"Deleted\" ) | rex field=uri_path \"(?.*?)\\/ui\\/views/(?.*)\" | eval dashboard = urldecode( dashboard_encoded ) | table _time, uri_path, user, dashboard, activity, uri_path | `splunk_unnecessary_file_extensions_allowed_by_lookup_table_uploads_filter`", "how_to_implement": "Requires access to internal splunkd_access.", "known_false_positives": "This is a hunting search, the search provides information on upload, edit, and delete activity on Lookup Tables. Manual investigation is necessary after executing search. This search will produce false positives as payload cannot be directly discerned.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"name": "Splunk unnecessary file extensions allowed by lookup table uploads", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "Potential lookup template injection attempt from $user$ on lookup table at path $uri_path$", "mitre_attack_id": ["T1189"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "uri_path", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["user", "method", "uri_path"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "cve": ["CVE-2023-22937"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_unnecesary_file_extensions_allowed_by_lookup_table_uploads.log", "source": "/opt/splunk/var/log/splunk/splunkd_access.log", "sourcetype": "splunkd_access"}]}], "datamodel": [], "macros": [{"name": "splunkda", "definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_unnecessary_file_extensions_allowed_by_lookup_table_uploads_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2023-22937", "cvss": null, "summary": "In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the lookup table upload feature let a user upload lookup tables with unnecessary filename extensions. Lookup table file extensions may now be one of the following only: .csv, .csv.gz, .kmz, .kml, .mmdb, or .mmdb.gzl. For more information on lookup table files, see [About lookups](https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutlookupsandfieldactions)."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_unnecessary_file_extensions_allowed_by_lookup_table_uploads.yml", "source": "application", "nes_fields": "user,dest"}, {"name": "Splunk User Enumeration Attempt", "id": "25625cb4-1c4d-4463-b0f9-7cb462699cde", "version": 1, "date": "2022-04-29", "author": "Lou Stella, Splunk", "type": "TTP", "status": "production", "description": "On May 3rd, 2022, Splunk published a security advisory for username enumeration stemming from verbose login failure messages present on some REST endpoints. This detection will alert on attempted exploitation in patched versions of Splunk as well as actual exploitation in unpatched version of Splunk.", "data_source": [], "search": " `splunkd_failed_auths` | stats count(user) as auths by user, src | where auths>5 | stats values(user) as \"Users\", sum(auths) as TotalFailedAuths by src | `splunk_user_enumeration_attempt_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to find password spraying or brute force authorization attempts in addition to someone enumerating usernames.", "known_false_positives": "Automation executing authentication attempts against your Splunk infrastructure with outdated credentials may cause false positives.", "references": ["https://www.splunk.com/en_us/product-security/announcements/svd-2022-0502.html"], "tags": {"name": "Splunk User Enumeration Attempt", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "$TotalFailedAuths$ failed authentication events to Splunk from $src$ detected.", "mitre_attack_id": ["T1078"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["user", "src", "info", "action"], "risk_score": 40, "security_domain": "access", "risk_severity": "low", "cve": ["CVE-2021-33845"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/splunkd_auth/audittrail.log", "source": "audittrail", "sourcetype": "audittrail"}]}], "datamodel": [], "macros": [{"name": "splunkd_failed_auths", "definition": "index=_audit \"action=login attempt\" \"info=failed\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_user_enumeration_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-33845", "cvss": 5.0, "summary": "The Splunk Enterprise REST API allows enumeration of usernames via the lockout error message. The potential vulnerability impacts Splunk Enterprise instances before 8.1.7 when configured to repress verbose login errors."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_user_enumeration_attempt.yml", "source": "application", "nes_fields": "user,dest"}, {"name": "Splunk XSS in Monitoring Console", "id": "b11accac-6fa3-4103-8a1a-7210f1a67087", "version": 1, "date": "2022-04-27", "author": "Lou Stella, Splunk", "type": "TTP", "status": "experimental", "description": "On May 3rd, 2022, Splunk published a security advisory for a reflective Cross-Site Scripting (XSS) vulnerability stemming from the lack of input validation in the Distributed Monitoring Console app. This detection will alert on attempted exploitation in patched versions of Splunk as well as actual exploitation in unpatched version of Splunk.", "data_source": [], "search": " `splunkd_web` method=\"GET\" uri_query=\"description=%3C*\" | table _time host status clientip user uri | `splunk_xss_in_monitoring_console_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This detection will find attempted exploitation of CVE-2022-27183.", "known_false_positives": "Use of the monitoring console where the less-than sign (<) is the first character in the description field.", "references": ["https://www.splunk.com/en_us/product-security/announcements/svd-2022-0505.html"], "tags": {"name": "Splunk XSS in Monitoring Console", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "A potential XSS attempt has been detected from $user$", "mitre_attack_id": ["T1189"], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["method", "uri_query", "status", "clientip", "user", "uri"], "risk_score": 40, "security_domain": "threat", "risk_severity": "low", "cve": ["CVE-2022-27183"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/xss/splunk_web_access.log", "source": "/opt/splunk/var/log/splunk/web_access.log", "sourcetype": "splunk_web_access"}]}], "datamodel": [], "macros": [{"name": "splunkd_web", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_xss_in_monitoring_console_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-27183", "cvss": 4.3, "summary": "The Monitoring Console app configured in Distributed mode allows for a Reflected XSS in a query parameter in Splunk Enterprise versions before 8.1.4. The Monitoring Console app is a bundled app included in Splunk Enterprise, not for download on SplunkBase, and not installed on Splunk Cloud Platform instances. Note that the Cloud Monitoring Console is not impacted."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_xss_in_monitoring_console.yml", "source": "application", "nes_fields": "user,dest"}, {"name": "Splunk XSS in Save table dialog header in search page", "id": "a974d1ee-ddca-4837-b6ad-d55a8a239c20", "version": 1, "date": "2022-10-11", "author": "Rod Soto", "type": "Hunting", "status": "production", "description": "This is a hunting search to find persistent cross-site scripting XSS code that was included while inputing data in 'Save Table' dialog in Splunk Enterprise (8.1.12,8.2.9,9.0.2). A remote user with \"power\" Splunk role can store this code that can lead to persistent cross site scripting.", "data_source": [], "search": "`splunkd_webx` method=POST uri=/en-US/splunkd/__raw/servicesNS/nobody/search/datamodel/model | table _time host status clientip user uri | `splunk_xss_in_save_table_dialog_header_in_search_page_filter`", "how_to_implement": "Watch for POST requests combined with XSS script strings or obfuscation against the injection point /en-US/splunkd/__raw/servicesNS/nobody/search/datamodel/model.", "known_false_positives": "If host is vulnerable and XSS script strings are inputted they will show up in search. Not all Post requests are malicious as they will show when users create and save dashboards. This search may produce several results with non malicious POST requests. Only affects Splunk Web enabled instances.", "references": ["https://www.splunk.com/en_us/product-security.html", "https://portswigger.net/web-security/cross-site-scripting"], "tags": {"name": "Splunk XSS in Save table dialog header in search page", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "Possible XSS exploitation attempt from $clientip$", "mitre_attack_id": ["T1189"], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["host", "_time", "status", "clientip", "user", "uri", "method"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2022-43561"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_xss_in_save_table_dialog_in_search_page.txt", "source": "/opt/splunk/var/log/splunk/web_access.log", "sourcetype": "splunk_web_access", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "splunkd_webx", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_xss_in_save_table_dialog_header_in_search_page_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-43561", "cvss": null, "summary": "In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, a remote user that holds the “power” Splunk role can store arbitrary scripts that can lead to persistent cross-site scripting (XSS). The vulnerability affects instances with Splunk Web enabled."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_xss_in_save_table_dialog_header_in_search_page.yml", "source": "application"}, {"name": "Splunk XSS via View", "id": "9ac2bfea-a234-4a18-9d37-6d747e85c2e4", "version": 1, "date": "2023-02-07", "author": "Rod Soto, Eric McGinnis, Splunk", "type": "Hunting", "status": "production", "description": "In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a View allows for Cross-Site Scripting in an XML View through the 'layoutPanel' attribute in the 'module' tag. The vulnerability affects instances with Splunk Web enabled. This hunting search shows users action, application and role used for creating views related to this vulnerability.", "data_source": [], "search": "index = _internal sourcetype IN (\"splunk_web_service\", \"splunk_python\") message=\"*loadParams*\" | `security_content_ctime(_time)` | table _time message fileName | `splunk_xss_via_view_filter`", "how_to_implement": "This data is collected by default in Splunk. Upon first enabling this rule, a number of errors may be observed. Those that are due to improperly formatted, but non-nefarious, XML views should be be remedied in the corresponding view. Please take care investigating potential XSS as accessing an affected page could retrigger the exploit.", "known_false_positives": "The error detected above can be generated for a wide variety of improperly formatted XML views. There will be false positives as the search cannot extract the malicious payload and the view should be manually investigated.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"name": "Splunk XSS via View", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "Potential stored XSS attempt via $fileName$", "mitre_attack_id": ["T1189"], "nist": ["DE.AE"], "observable": [{"name": "fileName", "type": "URL String", "role": ["Target"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["message", "fileName"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2023-22933"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_xss_via_view_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2023-22933", "cvss": null, "summary": "In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a View allows for Cross-Site Scripting (XSS) in an extensible mark-up language (XML) View through the ‘layoutPanel’ attribute in the ‘module’ tag’. The vulnerability affects instances with Splunk Web enabled."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_xss_via_view.yml", "source": "application"}, {"name": "Suspicious Email Attachment Extensions", "id": "473bd65f-06ca-4dfe-a2b8-ba04ab4a0084", "version": 3, "date": "2023-04-14", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search looks for emails that have attachments with suspicious file extensions.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name=\"*\" by All_Email.src_user, All_Email.file_name All_Email.message_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Email\")` | `suspicious_email_attachments` | `suspicious_email_attachment_extensions_filter` ", "how_to_implement": "You need to ingest data from emails. Specifically, the sender's address and the file names of any attachments must be mapped to the Email data model. \\\n **Splunk Phantom Playbook Integration**\\\nIf Splunk Phantom is also configured in your environment, a Playbook called \"Suspicious Email Attachment Investigate and Delete\" can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, and add the correct hostname to the \"Phantom Instance\" field in the Adaptive Response Actions when configuring this detection search. The notable event will be sent to Phantom and the playbook will gather further information about the file attachment and its network behaviors. If Phantom finds malicious behavior and an analyst approves of the results, the email will be deleted from the user's inbox.", "known_false_positives": "None identified", "references": [], "tags": {"name": "Suspicious Email Attachment Extensions", "analytic_story": ["Data Destruction", "Emotet Malware DHS Report TA18-201A ", "Hermetic Wiper", "Suspicious Emails"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "tbd", "mitre_attack_id": ["T1566.001", "T1566"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Email.file_name", "All_Email.src_user", "All_Email.message_id"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "datamodel": ["Email"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "suspicious_email_attachments", "definition": "lookup update=true is_suspicious_file_extension_lookup file_name OUTPUT suspicious | search suspicious=true", "description": "This macro limits the output to email attachments that have suspicious extensions"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_email_attachment_extensions_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/suspicious_email_attachment_extensions.yml", "source": "application"}, {"name": "Suspicious Java Classes", "id": "6ed33786-5e87-4f55-b62c-cb5f1168b831", "version": 1, "date": "2018-12-06", "author": "Jose Hernandez, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search looks for suspicious Java classes that are often used to exploit remote command execution in common Java frameworks, such as Apache Struts.", "data_source": [], "search": "`stream_http` http_method=POST http_content_length>1 | regex form_data=\"(?i)java\\.lang\\.(?:runtime|processbuilder)\" | rename src_ip as src | stats count earliest(_time) as firstTime, latest(_time) as lastTime, values(url) as uri, values(status) as status, values(http_user_agent) as http_user_agent by src, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_java_classes_filter`", "how_to_implement": "In order to properly run this search, Splunk needs to ingest data from your web-traffic appliances that serve or sit in the path of your Struts application servers. This can be accomplished by indexing data from a web proxy, or by using network traffic-analysis tools, such as Splunk Stream or Bro.", "known_false_positives": "There are no known false positives.", "references": [], "tags": {"name": "Suspicious Java Classes", "analytic_story": ["Apache Struts Vulnerability"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "http_method", "http_content_length", "src_ip", "url", "status", "http_user_agent", "src", "dest"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_java_classes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/suspicious_java_classes.yml", "source": "application"}, {"name": "Web Servers Executing Suspicious Processes", "id": "ec3b7601-689a-4463-94e0-c9f45638efb9", "version": 1, "date": "2019-04-01", "author": "David Dorsey, Splunk", "type": "TTP", "status": "experimental", "description": "This search looks for suspicious processes on all systems labeled as web servers.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.dest_category=\"web_server\" AND (Processes.process=\"*whoami*\" OR Processes.process=\"*ping*\" OR Processes.process=\"*iptables*\" OR Processes.process=\"*wget*\" OR Processes.process=\"*service*\" OR Processes.process=\"*curl*\") by Processes.process Processes.process_name, Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_servers_executing_suspicious_processes_filter`", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \"process\" field in the Endpoint data model. In addition, web servers will need to be identified in the Assets and Identity Framework of Enterprise Security.", "known_false_positives": "Some of these processes may be used legitimately on web servers during maintenance or other administrative tasks.", "references": [], "tags": {"name": "Web Servers Executing Suspicious Processes", "analytic_story": ["Apache Struts Vulnerability"], "asset_type": "Web Server", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1082"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest_category", "Processes.process", "Processes.process_name", "Processes.dest", "Processes.user"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TeamTNT", "Tropic Trooper", "Turla", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "web_servers_executing_suspicious_processes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/web_servers_executing_suspicious_processes.yml", "source": "application", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Abnormally High Number Of Cloud Infrastructure API Calls", "id": "0840ddf1-8c89-46ff-b730-c8d6722478c0", "version": 1, "date": "2020-09-07", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search will detect a spike in the number of API calls made to your cloud infrastructure environment by a user.", "data_source": [], "search": "| tstats count as api_calls values(All_Changes.command) as command from datamodel=Change where All_Changes.user!=unknown All_Changes.status=success by All_Changes.user _time span=1h | `drop_dm_object_name(\"All_Changes\")` | eval HourOfDay=strftime(_time, \"%H\") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, \"%w\") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join user HourOfDay isWeekend [ summary cloud_excessive_api_calls_v1] | where cardinality >=16 | apply cloud_excessive_api_calls_v1 threshold=0.005 | rename \"IsOutlier(api_calls)\" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), \":\"), 0) | where api_calls > expected_upper_threshold | eval distance_from_threshold = api_calls - expected_upper_threshold | table _time, user, command, api_calls, expected_upper_threshold, distance_from_threshold | `abnormally_high_number_of_cloud_infrastructure_api_calls_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Infrastructure API Calls Per User` to create the probability density function.", "known_false_positives": "", "references": [], "tags": {"name": "Abnormally High Number Of Cloud Infrastructure API Calls", "analytic_story": ["Suspicious Cloud User Activities", "Compromised User Account"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "user $user$ has made $api_calls$ api calls, violating the dynamic threshold of $expected_upper_threshold$ with the following command $command$.", "mitre_attack_id": ["T1078.004", "T1078"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.command", "All_Changes.user", "All_Changes.status"], "risk_score": 15, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": ["Change"], "macros": [{"name": "abnormally_high_number_of_cloud_infrastructure_api_calls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml", "source": "cloud"}, {"name": "Abnormally High Number Of Cloud Instances Destroyed", "id": "ef629fc9-1583-4590-b62a-f2247fbf7bbf", "version": 1, "date": "2020-08-21", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search finds for the number successfully destroyed cloud instances for every 4 hour block. This is split up between weekdays and the weekend. It then applies the probability densitiy model previously created and alerts on any outliers.", "data_source": [], "search": "| tstats count as instances_destroyed values(All_Changes.object_id) as object_id from datamodel=Change where All_Changes.action=deleted AND All_Changes.status=success AND All_Changes.object_category=instance by All_Changes.user _time span=1h | `drop_dm_object_name(\"All_Changes\")` | eval HourOfDay=strftime(_time, \"%H\") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, \"%w\") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join HourOfDay isWeekend [summary cloud_excessive_instances_destroyed_v1] | where cardinality >=16 | apply cloud_excessive_instances_destroyed_v1 threshold=0.005 | rename \"IsOutlier(instances_destroyed)\" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), \":\"), 0) | eval distance_from_threshold = instances_destroyed - expected_upper_threshold | table _time, user, instances_destroyed, expected_upper_threshold, distance_from_threshold, object_id | `abnormally_high_number_of_cloud_instances_destroyed_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Instances Destroyed` to create the probability density function.", "known_false_positives": "Many service accounts configured within a cloud infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.", "references": [], "tags": {"name": "Abnormally High Number Of Cloud Instances Destroyed", "analytic_story": ["Suspicious Cloud Instance Activities"], "asset_type": "Cloud Instance", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078.004", "T1078"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.object_id", "All_Changes.action", "All_Changes.status", "All_Changes.object_category", "All_Changes.user"], "risk_score": 25, "security_domain": "Cloud", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "datamodel": ["Change"], "macros": [{"name": "abnormally_high_number_of_cloud_instances_destroyed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml", "source": "cloud"}, {"name": "Abnormally High Number Of Cloud Instances Launched", "id": "f2361e9f-3928-496c-a556-120cd4223a65", "version": 2, "date": "2020-08-21", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search finds for the number successfully created cloud instances for every 4 hour block. This is split up between weekdays and the weekend. It then applies the probability densitiy model previously created and alerts on any outliers.", "data_source": [], "search": "| tstats count as instances_launched values(All_Changes.object_id) as object_id from datamodel=Change where (All_Changes.action=created) AND All_Changes.status=success AND All_Changes.object_category=instance by All_Changes.user _time span=1h | `drop_dm_object_name(\"All_Changes\")` | eval HourOfDay=strftime(_time, \"%H\") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, \"%w\") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join HourOfDay isWeekend [summary cloud_excessive_instances_created_v1] | where cardinality >=16 | apply cloud_excessive_instances_created_v1 threshold=0.005 | rename \"IsOutlier(instances_launched)\" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), \":\"), 0) | eval distance_from_threshold = instances_launched - expected_upper_threshold | table _time, user, instances_launched, expected_upper_threshold, distance_from_threshold, object_id | `abnormally_high_number_of_cloud_instances_launched_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Instances Launched` to create the probability density function.", "known_false_positives": "Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.", "references": [], "tags": {"name": "Abnormally High Number Of Cloud Instances Launched", "analytic_story": ["Cloud Cryptomining", "Suspicious Cloud Instance Activities"], "asset_type": "Cloud Instance", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078.004", "T1078"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.object_id", "All_Changes.action", "All_Changes.status", "All_Changes.object_category", "All_Changes.user"], "risk_score": 25, "security_domain": "Cloud", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "datamodel": ["Change"], "macros": [{"name": "abnormally_high_number_of_cloud_instances_launched_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml", "source": "cloud"}, {"name": "Abnormally High Number Of Cloud Security Group API Calls", "id": "d4dfb7f3-7a37-498a-b5df-f19334e871af", "version": 1, "date": "2020-09-07", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search will detect a spike in the number of API calls made to your cloud infrastructure environment about security groups by a user.", "data_source": [], "search": "| tstats count as security_group_api_calls values(All_Changes.command) as command from datamodel=Change where All_Changes.object_category=firewall AND All_Changes.status=success by All_Changes.user _time span=1h | `drop_dm_object_name(\"All_Changes\")` | eval HourOfDay=strftime(_time, \"%H\") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, \"%w\") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join user HourOfDay isWeekend [ summary cloud_excessive_security_group_api_calls_v1] | where cardinality >=16 | apply cloud_excessive_security_group_api_calls_v1 threshold=0.005 | rename \"IsOutlier(security_group_api_calls)\" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), \":\"), 0) | where security_group_api_calls > expected_upper_threshold | eval distance_from_threshold = security_group_api_calls - expected_upper_threshold | table _time, user, command, security_group_api_calls, expected_upper_threshold, distance_from_threshold | `abnormally_high_number_of_cloud_security_group_api_calls_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Security Group API Calls Per User` to create the probability density function model.", "known_false_positives": "", "references": [], "tags": {"name": "Abnormally High Number Of Cloud Security Group API Calls", "analytic_story": ["Suspicious Cloud User Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "user $user$ has made $api_calls$ api calls related to security groups, violating the dynamic threshold of $expected_upper_threshold$ with the following command $command$.", "mitre_attack_id": ["T1078.004", "T1078"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.command", "All_Changes.object_category", "All_Changes.status", "All_Changes.user"], "risk_score": 15, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": ["Change"], "macros": [{"name": "abnormally_high_number_of_cloud_security_group_api_calls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/abnormally_high_number_of_cloud_security_group_api_calls.yml", "source": "cloud"}, {"name": "Amazon EKS Kubernetes cluster scan detection", "id": "294c4686-63dd-4fe6-93a2-ca807626704a", "version": 1, "date": "2020-04-15", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "experimental", "description": "This search provides information of unauthenticated requests via user agent, and authentication data against Kubernetes cluster in AWS", "data_source": [], "search": "`aws_cloudwatchlogs_eks` \"user.username\"=\"system:anonymous\" userAgent!=\"AWS Security Scanner\" | rename sourceIPs{} as src_ip | stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason) values(source) as cluster_name values(responseStatus.code) values(userAgent) as http_user_agent values(verb) values(requestURI) by src_ip user.username user.groups{} | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` |`amazon_eks_kubernetes_cluster_scan_detection_filter` ", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudWatch EKS Logs inputs.", "known_false_positives": "Not all unauthenticated requests are malicious, but frequency, UA and source IPs will provide context.", "references": [], "tags": {"name": "Amazon EKS Kubernetes cluster scan detection", "analytic_story": ["Kubernetes Scanning Activity"], "asset_type": "Amazon EKS Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1526"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "user.username", "userAgent", "sourceIPs{}", "responseStatus.reason", "source", "responseStatus.code", "verb", "requestURI", "src_ip", "user.groups{}"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "datamodel": [], "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "amazon_eks_kubernetes_cluster_scan_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/amazon_eks_kubernetes_cluster_scan_detection.yml", "source": "cloud"}, {"name": "Amazon EKS Kubernetes Pod scan detection", "id": "dbfca1dd-b8e5-4ba4-be0e-e565e5d62002", "version": 1, "date": "2020-04-15", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "experimental", "description": "This search provides detection information on unauthenticated requests against Kubernetes' Pods API", "data_source": [], "search": "`aws_cloudwatchlogs_eks` \"user.username\"=\"system:anonymous\" verb=list objectRef.resource=pods requestURI=\"/api/v1/pods\" | rename source as cluster_name sourceIPs{} as src_ip | stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason) values(responseStatus.code) values(userAgent) values(verb) values(requestURI) by src_ip cluster_name user.username user.groups{} | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `amazon_eks_kubernetes_pod_scan_detection_filter` ", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on forAWS (version 4.4.0 or later), then configure your AWS CloudWatch EKS Logs.Please also customize the `kubernetes_pods_aws_scan_fingerprint_detection` macro to filter out the false positives.", "known_false_positives": "Not all unauthenticated requests are malicious, but frequency, UA and source IPs and direct request to API provide context.", "references": [], "tags": {"name": "Amazon EKS Kubernetes Pod scan detection", "analytic_story": ["Kubernetes Scanning Activity"], "asset_type": "Amazon EKS Kubernetes cluster Pod", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1526"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "user.username", "verb", "objectRef.resource", "requestURI", "source", "sourceIPs{}", "responseStatus.reason", "responseStatus.code", "userAgent", "src_ip", "user.groups{}"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "datamodel": [], "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "amazon_eks_kubernetes_pod_scan_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/amazon_eks_kubernetes_pod_scan_detection.yml", "source": "cloud"}, {"name": "ASL AWS Concurrent Sessions From Different Ips", "id": "b3424bbe-3204-4469-887b-ec144483a336", "version": 1, "date": "2023-05-23", "author": "Patrick Bareiss, Splunk", "type": "Anomaly", "status": "experimental", "description": "The following analytic identifies an AWS IAM account with concurrent sessions coming from more than one unique IP address within the span of 5 minutes. This behavior could represent a session hijacking attack whereby an adversary has extracted cookies from a victims browser and is using them from a different location to access corporate online resources. When a user navigates the AWS Console after authentication, the API call with the event name `DescribeEventAggregates` is registered in the AWS CloudTrail logs. The Splunk Threat Research team leveraged this event name to identify 2 concurrent sessions. The presence of this event occurring from two different IP addresses is highly unlikely. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments.", "data_source": [], "search": " `amazon_security_lake` api.operation=DescribeEventAggregates src_endpoint.domain!=\"AWS Internal\" | bin span=5m _time | stats values(src_endpoint.ip) as src_endpoint.ip dc(src_endpoint.ip) as distinct_ip_count by _time identity.user.credential_uid identity.user.name | where distinct_ip_count > 1 | `aws_concurrent_sessions_from_different_ips_filter`", "how_to_implement": "You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.", "known_false_positives": "A user with concurrent sessions from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.", "references": ["https://attack.mitre.org/techniques/T1185/", "https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/", "https://github.com/kgretzky/evilginx2"], "tags": {"name": "ASL AWS Concurrent Sessions From Different Ips", "analytic_story": ["Compromised User Account", "AWS Identity and Access Management Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "User $identity.user.name$ has concurrent sessions from more than one unique IP address $src_endpoint.ip$ in the span of 5 minutes.", "mitre_attack_id": ["T1185"], "nist": ["DE.AE"], "observable": [{"name": "identity.user.credential_uid", "type": "User", "role": ["Victim"]}, {"name": "src_endpoint.ip", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "api.operation", "src_endpoint.domain", "src_endpoint.ip", "identity.user.credential_uid", "identity.user.name"], "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1185", "mitre_attack_technique": "Browser Session Hijacking", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": []}]}, "datamodel": [], "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:asl", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_concurrent_sessions_from_different_ips_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml", "source": "cloud"}, {"name": "ASL AWS CreateAccessKey", "id": "ccb3e4af-23d6-407f-9842-a26212816c9e", "version": 1, "date": "2022-05-23", "author": "Patrick Bareiss, Splunk", "type": "Hunting", "status": "experimental", "description": "This search looks for AWS CloudTrail events where a user A who has already permission to create access keys, makes an API call to create access keys for another user B. Attackers have been know to use this technique for Privilege Escalation in case new victim(user B) has more permissions than old victim(user B)", "data_source": [], "search": "`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null | rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value | eval keyjoin=mvzip(unmapped_key,unmapped_value) | mvexpand keyjoin | rex field=keyjoin \"^(?[^,]+),(?.*)$\" | eval {key} = value | search responseElements.accessKey.userName = * | rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName | eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) | search match=0 | rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName | stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_createaccesskey_filter`", "how_to_implement": "You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user.", "references": ["https://bishopfox.com/blog/privilege-escalation-in-aws", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/"], "tags": {"name": "ASL AWS CreateAccessKey", "analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "User $responseElements.accessKey.userName$ is attempting to create access keys for $responseElements.accessKey.userName$ from this IP $src_endpoint.ip$", "mitre_attack_id": ["T1078"], "nist": ["DE.AE"], "observable": [{"name": "src_endpoint.ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "identity.user.name", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["api.service.name", "api.operation", "identity.user.account_uid", "identity.user.credential_uid", "identity.user.name", "identity.user.type", "identity.user.uid", "identity.user.uuid", "http_request.user_agent", "src_endpoint.ip", "unmapped{}.key", "unmapped{}.value"], "risk_score": 63, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/amazon_security_lake.json", "source": "aws_asl", "sourcetype": "aws:asl", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "amazon_security_lake", "definition": "sourcetype=aws:asl", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_createaccesskey_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/asl_aws_createaccesskey.yml", "source": "cloud"}, {"name": "ASL AWS Defense Evasion Delete Cloudtrail", "id": "1f0b47e5-0134-43eb-851c-e3258638945e", "version": 1, "date": "2023-05-31", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "experimental", "description": "This analytic identifies AWS `DeleteTrail` events within CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the the entire cloudtrail that is logging activities in the environment.", "data_source": [], "search": "`amazon_security_lake` api.operation=DeleteTrail | stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `asl_aws_defense_evasion_delete_cloudtrail_filter`", "how_to_implement": "You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has stopped cloudTrail logging. Please investigate this activity.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"name": "ASL AWS Defense Evasion Delete Cloudtrail", "analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "User $identity.user.name$ has delete a CloudTrail logging for account id $identity.user.account_uid$", "mitre_attack_id": ["T1562.008", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "src_endpoint.ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "identity.user.name", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["api.service.name", "api.operation", "identity.user.account_uid", "identity.user.credential_uid", "identity.user.name", "identity.user.type", "identity.user.uid", "identity.user.uuid", "http_request.user_agent", "src_endpoint.ip"], "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.008", "mitre_attack_technique": "Disable Cloud Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/amazon_security_lake.json", "source": "aws_asl", "sourcetype": "aws:asl"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "amazon_security_lake", "definition": "sourcetype=aws:asl", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_defense_evasion_delete_cloudtrail_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "ASL AWS Defense Evasion Delete CloudWatch Log Group", "id": "0f701b38-a0fb-43fd-a83d-d12265f71f33", "version": 1, "date": "2023-05-31", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "experimental", "description": "This analytic identifies AWS `DeleteLogGroup` events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.", "data_source": [], "search": "`amazon_security_lake` api.operation=DeleteLogGroup | stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`", "how_to_implement": "You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has deleted CloudWatch logging. Please investigate this activity.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"name": "ASL AWS Defense Evasion Delete CloudWatch Log Group", "analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "User $identity.user.name$ has deleted a CloudWatch logging group for account id $identity.user.account_uid$", "mitre_attack_id": ["T1562", "T1562.008"], "nist": ["DE.CM"], "observable": [{"name": "src_endpoint.ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "identity.user.name", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["api.service.name", "api.operation", "identity.user.account_uid", "identity.user.credential_uid", "identity.user.name", "identity.user.type", "identity.user.uid", "identity.user.uuid", "http_request.user_agent", "src_endpoint.ip"], "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1562.008", "mitre_attack_technique": "Disable Cloud Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/amazon_security_lake.json", "source": "aws_asl", "sourcetype": "aws:asl", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "amazon_security_lake", "definition": "sourcetype=aws:asl", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_defense_evasion_delete_cloudwatch_log_group_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "ASL AWS Defense Evasion Impair Security Services", "id": "5029b681-0462-47b7-82e7-f7e3d37f5a2d", "version": 1, "date": "2023-06-01", "author": "Patrick Bareiss, Bhavin Patel, Gowthamaraj Rajendran, Splunk", "type": "Hunting", "status": "experimental", "description": "This analytic looks for several delete specific API calls made to AWS Security Services like CloudWatch, GuardDuty and Web Application Firewalls. These API calls are often leveraged by adversaries to weaken existing security defenses by deleting logging configurations in the CloudWatch alarm, delete a set of detectors from your Guardduty environment or simply delete a bunch of CloudWatch alarms to remain stealthy and avoid detection.", "data_source": [], "search": "`amazon_security_lake` api.operation IN (\"DeleteLogStream\",\"DeleteDetector\",\"DeleteIPSet\",\"DeleteWebACL\",\"DeleteRule\",\"DeleteRuleGroup\",\"DeleteLoggingConfiguration\",\"DeleteAlarms\") | stats count min(_time) as firstTime max(_time) as lastTime by api.operation identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `asl_aws_defense_evasion_impair_security_services_filter`", "how_to_implement": "You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.", "known_false_positives": "While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names.", "references": ["https://docs.aws.amazon.com/cli/latest/reference/guardduty/index.html", "https://docs.aws.amazon.com/cli/latest/reference/waf/index.html", "https://www.elastic.co/guide/en/security/current/prebuilt-rules.html"], "tags": {"name": "ASL AWS Defense Evasion Impair Security Services", "analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "User $identity.user.name$ has made potentially risky api calls $api.operation$ that could impair AWS security services for account id $identity.user.account_uid$", "mitre_attack_id": ["T1562.008", "T1562"], "nist": ["DE.AE"], "observable": [{"name": "src_endpoint.ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "identity.user.name", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["api.service.name", "api.operation", "identity.user.account_uid", "identity.user.credential_uid", "identity.user.name", "identity.user.type", "identity.user.uid", "identity.user.uuid", "http_request.user_agent", "src_endpoint.ip"], "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.008", "mitre_attack_technique": "Disable Cloud Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/aws_delete_security_services/amazon_security_lake.json", "source": "aws_asl", "sourcetype": "aws:asl", "update_timestamp": true}]}], "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "amazon_security_lake", "definition": "sourcetype=aws:asl", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_defense_evasion_impair_security_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml", "source": "cloud"}, {"name": "ASL AWS Excessive Security Scanning", "id": "ff2bfdbc-65b7-4434-8f08-d55761d1d446", "version": 1, "date": "2023-06-01", "author": "Patrick Bareiss, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search looks for AWS CloudTrail events and analyse the amount of eventNames which starts with Describe by a single user. This indicates that this user scans the configuration of your AWS cloud environment.", "data_source": [], "search": "`amazon_security_lake` api.operation=Describe* OR api.operation=List* OR api.operation=Get* | stats dc(api.operation) as dc_api_operations min(_time) as firstTime max(_time) as lastTime values(http_request.user_agent) as http_request.user_agent values(src_endpoint.ip) as src_endpoint.ip values(cloud.region) as cloud.region values(identity.user.account_uid) as identity.user.account_uid by identity.user.name | where dc_api_operations > 50 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`asl_aws_excessive_security_scanning_filter`", "how_to_implement": "You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.", "known_false_positives": "While this search has no known false positives.", "references": ["https://github.com/aquasecurity/cloudsploit"], "tags": {"name": "ASL AWS Excessive Security Scanning", "analytic_story": ["AWS User Monitoring"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "confidence": 60, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "user $identity.user.name$ has excessive number of api calls.", "mitre_attack_id": ["T1526"], "nist": ["DE.AE"], "observable": [{"name": "src_endpoint.ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "identity.user.name", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["api.operation", "identity.user.account_uid", "identity.user.name", "http_request.user_agent", "src_endpoint.ip"], "risk_score": 18, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "amazon_security_lake", "definition": "sourcetype=aws:asl", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_excessive_security_scanning_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/asl_aws_excessive_security_scanning.yml", "source": "cloud"}, {"name": "ASL AWS IAM Delete Policy", "id": "609ced68-d420-4ff7-8164-ae98b4b4018c", "version": 1, "date": "2023-06-02", "author": "Patrick Bareiss, Splunk", "type": "Hunting", "status": "experimental", "description": "The following detection identifes when a policy is deleted on AWS. This does not identify whether successful or failed, but the error messages tell a story of suspicious attempts. There is a specific process to follow when deleting a policy. First, detach the policy from all users, groups, and roles that the policy is attached to, using DetachUserPolicy , DetachGroupPolicy , or DetachRolePolicy.", "data_source": [], "search": "`amazon_security_lake` api.operation=DeletePolicy | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_delete_policy_filter`", "how_to_implement": "You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.", "known_false_positives": "This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete policies (least privilege). In addition, this may be saved seperately and tuned for failed or success attempts only.", "references": ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicy.html", "https://docs.aws.amazon.com/cli/latest/reference/iam/delete-policy.html"], "tags": {"name": "ASL AWS IAM Delete Policy", "analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Installation"], "message": "User $user_arn$ has deleted AWS Policies from IP address $src$ by executing the following command $eventName$", "mitre_attack_id": ["T1098"], "nist": ["DE.AE"], "observable": [{"name": "src_endpoint.ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "identity.user.name", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["api.service.name", "api.operation", "identity.user.account_uid", "identity.user.credential_uid", "identity.user.name", "identity.user.type", "identity.user.uid", "identity.user.uuid", "http_request.user_agent", "src_endpoint.ip"], "risk_score": 10, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_delete_policy/amazon_security_lake.json", "source": "aws_asl", "sourcetype": "aws:asl", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "amazon_security_lake", "definition": "sourcetype=aws:asl", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_iam_delete_policy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/asl_aws_iam_delete_policy.yml", "source": "cloud"}, {"name": "ASL AWS Multi-Factor Authentication Disabled", "id": "4d2df5e0-1092-4817-88a8-79c7fa054668", "version": 1, "date": "2023-06-02", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "experimental", "description": "The following analytic identifies an attempt to disable multi-factor authentication for an AWS IAM user. An adversary who has obtained access to an AWS tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users.", "data_source": [], "search": "`amazon_security_lake` (api.operation=DeleteVirtualMFADevice OR api.operation=DeactivateMFADevice) | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_multi_factor_authentication_disabled_filter`", "how_to_implement": "You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.", "known_false_positives": "AWS Administrators may disable MFA but it is highly unlikely for this event to occur without prior notice to the company", "references": ["https://attack.mitre.org/techniques/T1621/", "https://aws.amazon.com/what-is/mfa/"], "tags": {"name": "ASL AWS Multi-Factor Authentication Disabled", "analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Weaponization", "Exploitation", "Installation"], "message": "User $user_name$ has disabled Multi-Factor authentication for AWS account $aws_account_id$", "mitre_attack_id": ["T1586", "T1586.003", "T1621", "T1556", "T1556.006"], "nist": ["DE.CM"], "observable": [{"name": "identity.user.account_uid", "type": "Other", "role": ["Victim"]}, {"name": "identity.user.name", "type": "User", "role": ["Victim"]}, {"name": "src_endpoint.ip", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["api.service.name", "api.operation", "identity.user.account_uid", "identity.user.credential_uid", "identity.user.name", "identity.user.type", "identity.user.uid", "identity.user.uuid", "http_request.user_agent", "src_endpoint.ip"], "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/aws_mfa_disabled/amazon_security_lake.json", "source": "aws_asl", "sourcetype": "aws:asl", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "amazon_security_lake", "definition": "sourcetype=aws:asl", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_multi_factor_authentication_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "ASL AWS New MFA Method Registered For User", "id": "33ae0931-2a03-456b-b1d7-b016c5557fbd", "version": 1, "date": "2023-05-22", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the registration of a new Multi Factor authentication method for an AWS account logged through Amazon Secruity Lake (ASL). Adversaries who have obtained unauthorized access to an AWS account may register a new MFA method to maintain persistence.", "data_source": [], "search": " `amazon_security_lake` api.operation=CreateVirtualMFADevice | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_new_mfa_method_registered_for_user_filter`", "how_to_implement": "You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.", "known_false_positives": "Newly onboarded users who are registering an MFA method for the first time will also trigger this detection.", "references": ["https://aws.amazon.com/blogs/security/you-can-now-assign-multiple-mfa-devices-in-iam/", "https://attack.mitre.org/techniques/T1556/", "https://attack.mitre.org/techniques/T1556/006/", "https://twitter.com/jhencinski/status/1618660062352007174"], "tags": {"name": "ASL AWS New MFA Method Registered For User", "analytic_story": ["Compromised User Account", "Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "message": "A new virtual device is added to user $identity.user.name$", "mitre_attack_id": ["T1556", "T1556.006"], "nist": ["DE.CM"], "observable": [{"name": "identity.user.name", "type": "User", "role": ["Victim"]}, {"name": "src_endpoint.ip", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["api.service.name", "api.operation", "identity.user.account_uid", "identity.user.credential_uid", "identity.user.name", "identity.user.type", "identity.user.uid", "identity.user.uuid", "http_request.user_agent", "src_endpoint.ip"], "risk_score": 64, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/amazon_security_lake.json", "source": "aws_asl", "sourcetype": "aws:asl", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "amazon_security_lake", "definition": "sourcetype=aws:asl", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_new_mfa_method_registered_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "ASL AWS Password Policy Changes", "id": "5ade5937-11a2-4363-ba6b-39a3ee8d5b1a", "version": 1, "date": "2023-05-22", "author": "Patrick Bareiss, Splunk", "type": "Hunting", "status": "production", "description": "This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.", "data_source": [], "search": "`amazon_security_lake` \"api.service.name\"=\"iam.amazonaws.com\" \"api.operation\" IN (\"UpdateAccountPasswordPolicy\",\"GetAccountPasswordPolicy\",\"DeleteAccountPasswordPolicy\") \"api.response.error\"=null | stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_password_policy_changes_filter`", "how_to_implement": "You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately triggered an AWS audit tool activity which may trigger this event.", "references": ["https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/password-policy.html"], "tags": {"name": "ASL AWS Password Policy Changes", "analytic_story": ["AWS IAM Privilege Escalation", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "User $identity.user.name$ is attempting to $api.operation$ the password policy for accounts", "mitre_attack_id": ["T1201"], "nist": ["DE.AE"], "observable": [{"name": "src_endpoint.ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "identity.user.name", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["api.service.name", "api.operation", "identity.user.account_uid", "identity.user.credential_uid", "identity.user.name", "identity.user.type", "identity.user.uid", "identity.user.uuid", "http_request.user_agent", "src_endpoint.ip"], "risk_score": 72, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/aws_password_policy/amazon_security_lake.json", "source": "aws_asl", "sourcetype": "aws:asl", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "amazon_security_lake", "definition": "sourcetype=aws:asl", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_password_policy_changes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/asl_aws_password_policy_changes.yml", "source": "cloud"}, {"name": "AWS AMI Atttribute Modification for Exfiltration", "id": "f2132d74-cf81-4c5e-8799-ab069e67dc9f", "version": 2, "date": "2023-03-31", "author": "BHavin Patel, Splunk", "type": "TTP", "status": "production", "description": "This search looks for suspicious AWS AMI attribute modifications, such as sharing it with another AWS account or making the full AMI image public. Adversaries are known to abuse these APIs to exfiltrate sensitive organization information stored in the AWS Resources, there by its very important to monitor these seemingly benign API activity in Cloudtrail logs.", "data_source": [], "search": "`cloudtrail` eventName=ModifyImageAttribute (requestParameters.launchPermission.add.items{}.userId = * OR requestParameters.launchPermission.add.items{}.group = all) | rename requestParameters.launchPermission.add.items{}.group as group_added | rename requestParameters.launchPermission.add.items{}.userId as accounts_added | eval ami_status=if(match(group_added,\"all\") ,\"Public AMI\", \"Not Public\") | stats count min(_time) as firstTime max(_time) as lastTime values(group_added) values(accounts_added) as accounts_added values(ami_status) by src_ip region eventName userAgent user_arn aws_account_id userIdentity.principalId | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_ami_atttribute_modification_for_exfiltration_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "It is possible that an AWS admin has legitimately shared a snapshot with others for a specific purpose.", "references": ["https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/", "https://hackingthe.cloud/aws/enumeration/loot_public_ebs_snapshots/"], "tags": {"name": "AWS AMI Atttribute Modification for Exfiltration", "analytic_story": ["Suspicious Cloud Instance Activities", "Data Exfiltration"], "asset_type": "EC2 Snapshot", "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "kill_chain_phases": ["Actions on Objectives"], "message": "AWS AMI from account $aws_account_id$ is shared externally with $accounts_added$ from $src_ip$ or AMI made is made Public.", "mitre_attack_id": ["T1537"], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Attacker"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "user_arn", "src_ip", "requestParameters.attributeType", "aws_account_id", "vendor_region", "user_agent", "userIdentity.principalId"], "risk_score": 80, "security_domain": "threat", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_ami_shared_public/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_ami_atttribute_modification_for_exfiltration_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_ami_atttribute_modification_for_exfiltration.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Concurrent Sessions From Different Ips", "id": "51c04fdb-2746-465a-b86e-b413a09c9085", "version": 1, "date": "2023-02-01", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies an AWS IAM account with concurrent sessions coming from more than one unique IP address within the span of 5 minutes. This behavior could represent a session hijacking attack whereby an adversary has extracted cookies from a victims browser and is using them from a different location to access corporate online resources. When a user navigates the AWS Console after authentication, the API call with the event name `DescribeEventAggregates` is registered in the AWS CloudTrail logs. The Splunk Threat Research team leveraged this event name to identify 2 concurrent sessions. The presence of this event occurring from two different IP addresses is highly unlikely. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments.", "data_source": [], "search": " `cloudtrail` eventName = DescribeEventAggregates src_ip!=\"AWS Internal\" | bin span=5m _time | stats values(userAgent) values(eventName) values(src_ip) as src_ip dc(src_ip) as distinct_ip_count by _time user_arn | where distinct_ip_count > 1 | `aws_concurrent_sessions_from_different_ips_filter`", "how_to_implement": "You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "A user with concurrent sessions from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.", "references": ["https://attack.mitre.org/techniques/T1185/", "https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/", "https://github.com/kgretzky/evilginx2"], "tags": {"name": "AWS Concurrent Sessions From Different Ips", "analytic_story": ["Compromised User Account", "AWS Identity and Access Management Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "User $user_arn$ has concurrent sessions from more than one unique IP address $src_ip$ in the span of 5 minutes.", "mitre_attack_id": ["T1185"], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "userAgent", "errorCode", "user_arn", "aws_account_id", "src_ip"], "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1185", "mitre_attack_technique": "Browser Session Hijacking", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/aws_concurrent_sessions_from_different_ips/cloudtrail.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_concurrent_sessions_from_different_ips_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_concurrent_sessions_from_different_ips.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Console Login Failed During MFA Challenge", "id": "55349868-5583-466f-98ab-d3beb321961e", "version": 1, "date": "2022-10-03", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies an authentication attempt event against an AWS Console that fails during the Multi Factor Authentication challenge. AWS Cloudtrail logs provide a a very useful field called `additionalEventData` that logs information regarding usage of MFA. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", "data_source": [], "search": "`cloudtrail` eventName= ConsoleLogin errorMessage=\"Failed authentication\" additionalEventData.MFAUsed = \"Yes\" | stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource aws_account_id errorCode errorMessage userAgent eventID awsRegion user_name userIdentity.arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `aws_console_login_failed_during_mfa_challenge_filter`", "how_to_implement": "The Splunk AWS Add-on is required to utilize this data. The search requires AWS Cloudtrail logs.", "known_false_positives": "Legitimate users may miss to reply the MFA challenge within the time window or deny it by mistake.", "references": ["https://attack.mitre.org/techniques/T1621/", "https://aws.amazon.com/what-is/mfa/"], "tags": {"name": "AWS Console Login Failed During MFA Challenge", "analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Weaponization", "Exploitation"], "message": "User $user_name$ failed to pass MFA challenge while logging into console from $src$", "mitre_attack_id": ["T1586", "T1586.003", "T1621"], "nist": ["DE.CM"], "observable": [{"name": "user_name", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["src", "eventName", "eventSource", "aws_account_id", "errorCode", "errorMessage", "userAgent", "eventID", "awsRegion", "user_name", "userIdentity.arn"], "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/aws_failed_mfa/cloudtrail.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_console_login_failed_during_mfa_challenge_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_console_login_failed_during_mfa_challenge.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Create Policy Version to allow all resources", "id": "2a9b80d3-6340-4345-b5ad-212bf3d0dac4", "version": 3, "date": "2022-05-17", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account.", "data_source": [], "search": "`cloudtrail` eventName=CreatePolicyVersion eventSource = iam.amazonaws.com errorCode = success | spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} | mvexpand key_policy_statements | spath input=key_policy_statements output=key_policy_action_1 path=Action | where key_policy_action_1 = \"*\" | stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`aws_create_policy_version_to_allow_all_resources_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately created a policy to allow a user to access all resources. That said, AWS strongly advises against granting full control to all AWS resources and you must verify this activity.", "references": ["https://bishopfox.com/blog/privilege-escalation-in-aws", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/"], "tags": {"name": "AWS Create Policy Version to allow all resources", "analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "User $user$ created a policy version that allows them to access any resource in their account.", "mitre_attack_id": ["T1078.004", "T1078"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "userAgent", "errorCode", "eventSource", "requestParameters.userName", "requestParameters.policyDocument", "aws_account_id", "awsRegion", "eventID"], "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_create_policy_version/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_create_policy_version_to_allow_all_resources_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_create_policy_version_to_allow_all_resources.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS CreateAccessKey", "id": "2a9b80d3-6340-4345-11ad-212bf3d0d111", "version": 3, "date": "2022-03-03", "author": "Bhavin Patel, Splunk", "type": "Hunting", "status": "production", "description": "This search looks for AWS CloudTrail events where a user A who has already permission to create access keys, makes an API call to create access keys for another user B. Attackers have been know to use this technique for Privilege Escalation in case new victim(user B) has more permissions than old victim(user B)", "data_source": [], "search": "`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success | eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) | search match=0 | stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`aws_createaccesskey_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user.", "references": ["https://bishopfox.com/blog/privilege-escalation-in-aws", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/"], "tags": {"name": "AWS CreateAccessKey", "analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "message": "User $user_arn$ is attempting to create access keys for $requestParameters.userName$ from this IP $src$", "mitre_attack_id": ["T1136.003", "T1136"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "userAgent", "errorCode", "requestParameters.userName"], "risk_score": 63, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_createaccesskey/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_createaccesskey_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_createaccesskey.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS CreateLoginProfile", "id": "2a9b80d3-6340-4345-11ad-212bf444d111", "version": 2, "date": "2021-07-19", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip", "data_source": [], "search": "`cloudtrail` eventName = CreateLoginProfile | rename requestParameters.userName as new_login_profile | table src_ip eventName new_login_profile userIdentity.userName | join new_login_profile src_ip [| search `cloudtrail` eventName = ConsoleLogin | rename userIdentity.userName as new_login_profile | stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`] | `aws_createloginprofile_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately created a login profile for another user.", "references": ["https://bishopfox.com/blog/privilege-escalation-in-aws", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/"], "tags": {"name": "AWS CreateLoginProfile", "analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Installation"], "message": "User $user_arn$ is attempting to create a login profile for $requestParameters.userName$ and did a console login from this IP $src_ip$", "mitre_attack_id": ["T1136.003", "T1136"], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "userAgent", "errorCode", "requestParameters.userName"], "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_createloginprofile/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_createloginprofile_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_createloginprofile.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Credential Access Failed Login", "id": "a19b354d-0d7f-47f3-8ea6-1a7c36434968", "version": 1, "date": "2022-08-07", "author": "Gowthamaraj Rajendran, Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "It shows that there have been an unsuccessful attempt to log in using the user identity to the AWS management console. Since the user identity has access to AWS account services and resources, an attacker might try to brute force the password for that identity.", "data_source": [], "search": "| tstats count earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Authentication where Authentication.action = failure Authentication.app=AwsConsoleSignIn Authentication.signature=ConsoleLogin BY Authentication.app Authentication.signature Authentication.dest Authentication.user Authentication.action Authentication.user_id Authentication.src | `drop_dm_object_name(Authentication)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_credential_access_failed_login_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "Users may genuinely mistype or forget the password.", "references": ["https://attack.mitre.org/techniques/T1110/001/"], "tags": {"name": "AWS Credential Access Failed Login", "analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Weaponization", "Exploitation"], "message": "User $user$ has a login failure from IP $src$", "mitre_attack_id": ["T1586", "T1586.003", "T1110", "T1110.001"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "app", "eventSource", "action", "signature", "dest", "user", "user_id"], "risk_score": 49, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/aws_login_failure/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": ["Authentication"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_credential_access_failed_login_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_credential_access_failed_login.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "AWS Credential Access GetPasswordData", "id": "4d347c4a-306e-41db-8d10-b46baf71b3e2", "version": 1, "date": "2022-08-10", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "production", "description": "This detection analytic identifies more than 10 GetPasswordData API calls made to your AWS account with a time window of 5 minutes. Attackers can retrieve the encrypted administrator password for a running Windows instance.", "data_source": [], "search": "`cloudtrail` eventName=GetPasswordData eventSource = ec2.amazonaws.com | bin _time span=5m | stats count values(errorCode) as errorCode dc(requestParameters.instanceId) as distinct_instance_ids values(requestParameters.instanceId) as instance_ids by aws_account_id src_ip user_arn userAgent eventName _time | where distinct_instance_ids > 10 | `aws_credential_access_getpassworddata_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. We encourage the users to adjust the values of `distinct_instance_ids` and tweak the `span` value according to their environment.", "known_false_positives": "Administrator tooling or automated scripts may make these calls but it is highly unlikely to make several calls in a short period of time.", "references": ["https://attack.mitre.org/techniques/T1552/", "https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-get-password-data/"], "tags": {"name": "AWS Credential Access GetPasswordData", "analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Weaponization", "Exploitation"], "message": "User $user_arn$ is seen to make mulitple `GetPasswordData` API calls to instance ids $instance_ids$ from IP $src_ip$", "mitre_attack_id": ["T1586", "T1586.003", "T1110", "T1110.001"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "eventSource", "userIdentity.userName", "userAgent", "userIdentity.accountId", "sourceIPAddress", "awsRegion"], "risk_score": 49, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552/aws_getpassworddata/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_credential_access_getpassworddata_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_credential_access_getpassworddata.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Credential Access RDS Password reset", "id": "6153c5ea-ed30-4878-81e6-21ecdb198189", "version": 1, "date": "2022-08-07", "author": "Gowthamaraj Rajendran, Splunk", "type": "TTP", "status": "production", "description": "The master user password for Amazon RDS DB instance can be reset using the Amazon RDS console. Using this technique, the attacker can get access to the sensitive data from the DB. Usually, the production databases may have sensitive data like Credit card information, PII, Health care Data. This event should be investigated further.", "data_source": [], "search": "`cloudtrail` eventSource=\"rds.amazonaws.com\" eventName=ModifyDBInstance \"requestParameters.masterUserPassword\"=* | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.dBInstanceIdentifier) as DB by sourceIPAddress awsRegion eventName userAgent| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_credential_access_rds_password_reset_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "Users may genuinely reset the RDS password.", "references": ["https://aws.amazon.com/premiumsupport/knowledge-center/reset-master-user-password-rds"], "tags": {"name": "AWS Credential Access RDS Password reset", "analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Weaponization", "Exploitation"], "message": "$DB$ password has been reset from IP $sourceIPAddress$", "mitre_attack_id": ["T1586", "T1586.003", "T1110"], "nist": ["DE.CM"], "observable": [{"name": "sourceIPAddress", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "eventSource", "requestParameters.dBInstanceIdentifier", "userAgent", "sourceIPAddress", "awsRegion"], "risk_score": 49, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.002/aws_rds_password_reset/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_credential_access_rds_password_reset_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_credential_access_rds_password_reset.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Cross Account Activity From Previously Unseen Account", "id": "21193641-cb96-4a2c-a707-d9b9a7f7792b", "version": 1, "date": "2020-05-28", "author": "Rico Valdez, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search looks for AssumeRole events where an IAM role in a different account is requested for the first time.", "data_source": [], "search": "| tstats min(_time) as firstTime max(_time) as lastTime from datamodel=Authentication where Authentication.signature=AssumeRole by Authentication.vendor_account Authentication.user Authentication.src Authentication.user_role | `drop_dm_object_name(Authentication)` | rex field=user_role \"arn:aws:sts:*:(?.*):\" | where vendor_account != dest_account | rename vendor_account as requestingAccountId dest_account as requestedAccountId | lookup previously_seen_aws_cross_account_activity requestingAccountId, requestedAccountId, OUTPUTNEW firstTime | eval status = if(firstTime > relative_time(now(), \"-24h@h\"),\"New Cross Account Activity\",\"Previously Seen\") | where status = \"New Cross Account Activity\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `aws_cross_account_activity_from_previously_unseen_account_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen AWS Cross Account Activity - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen AWS Cross Account Activity - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `aws_cross_account_activity_from_previously_unseen_account_filter` macro.", "known_false_positives": "Using multiple AWS accounts and roles is perfectly valid behavior. It's suspicious when an account requests privileges of an account it hasn't before. You should validate with the account owner that this is a legitimate request.", "references": [], "tags": {"name": "AWS Cross Account Activity From Previously Unseen Account", "analytic_story": ["Suspicious Cloud Authentication Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "confidence": 50, "impact": 30, "kill_chain_phases": [], "message": "AWS account $requestingAccountId$ is trying to access resource from some other account $requestedAccountId$, for the first time.", "nist": ["DE.AE"], "observable": [{"name": "requestingAccountId", "type": "Other", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Authentication.signature", "Authentication.vendor_account", "Authentication.user", "Authentication.user_role", "Authentication.src"], "risk_score": 15, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": ["Authentication"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_cross_account_activity_from_previously_unseen_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_aws_cross_account_activity", "description": "A placeholder for a list of AWS accounts and assumed roles", "collection": "previously_seen_aws_cross_account_activity", "fields_list": "_key,firstTime,lastTime,requestingAccountId,requestedAccountId"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_cross_account_activity_from_previously_unseen_account.yml", "source": "cloud"}, {"name": "AWS Defense Evasion Delete Cloudtrail", "id": "82092925-9ca1-4e06-98b8-85a2d3889552", "version": 1, "date": "2022-07-13", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies AWS `DeleteTrail` events within CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the the entire cloudtrail that is logging activities in the environment.", "data_source": [], "search": "`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `aws_defense_evasion_delete_cloudtrail_filter`", "how_to_implement": "You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has stopped cloudTrail logging. Please investigate this activity.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"name": "AWS Defense Evasion Delete Cloudtrail", "analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "User $user_arn$ has delete a CloudTrail logging for account id $aws_account_id$ from IP $src$", "mitre_attack_id": ["T1562.008", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "eventSource", "requestParameters.name", "userAgent", "aws_account_id", "src", "region"], "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.008", "mitre_attack_technique": "Disable Cloud Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_defense_evasion_delete_cloudtrail_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_defense_evasion_delete_cloudtrail.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Defense Evasion Delete CloudWatch Log Group", "id": "d308b0f1-edb7-4a62-a614-af321160710f", "version": 1, "date": "2022-07-17", "author": "Gowthamaraj Rajendran, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies AWS `DeleteLogGroup` events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.", "data_source": [], "search": "`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `aws_defense_evasion_delete_cloudwatch_log_group_filter`", "how_to_implement": "You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has deleted CloudWatch logging. Please investigate this activity.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"name": "AWS Defense Evasion Delete CloudWatch Log Group", "analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "User $user_arn$ has deleted a CloudWatch logging group for account id $aws_account_id$ from IP $src$", "mitre_attack_id": ["T1562", "T1562.008"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "eventSource", "requestParameters.name", "userAgent", "aws_account_id", "src", "region"], "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1562.008", "mitre_attack_technique": "Disable Cloud Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_defense_evasion_delete_cloudwatch_log_group_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Defense Evasion Impair Security Services", "id": "b28c4957-96a6-47e0-a965-6c767aac1458", "version": 1, "date": "2022-07-26", "author": "Bhavin Patel, Gowthamaraj Rajendran, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for several delete specific API calls made to AWS Security Services like CloudWatch, GuardDuty and Web Application Firewalls. These API calls are often leveraged by adversaries to weaken existing security defenses by deleting logging configurations in the CloudWatch alarm, delete a set of detectors from your Guardduty environment or simply delete a bunch of CloudWatch alarms to remain stealthy and avoid detection.", "data_source": [], "search": "`cloudtrail` eventName IN (\"DeleteLogStream\",\"DeleteDetector\",\"DeleteIPSet\",\"DeleteWebACL\",\"DeleteRule\",\"DeleteRuleGroup\",\"DeleteLoggingConfiguration\",\"DeleteAlarms\") | stats count min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName values(eventSource) as eventSource values(requestParameters.*) as * by src region user_arn aws_account_id user_type user_agent errorCode| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `aws_defense_evasion_impair_security_services_filter`", "how_to_implement": "You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment.", "known_false_positives": "While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names.", "references": ["https://docs.aws.amazon.com/cli/latest/reference/guardduty/index.html", "https://docs.aws.amazon.com/cli/latest/reference/waf/index.html", "https://www.elastic.co/guide/en/security/current/prebuilt-rules.html"], "tags": {"name": "AWS Defense Evasion Impair Security Services", "analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "User $user_arn$ has made potentially risky api calls $eventName$ that could impair AWS security services for account id $aws_account_id$", "mitre_attack_id": ["T1562.008", "T1562"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "eventSource", "user_agent", "user_type", "aws_account_id", "src", "region", "errorCode"], "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.008", "mitre_attack_technique": "Disable Cloud Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/aws_delete_security_services/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_defense_evasion_impair_security_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_defense_evasion_impair_security_services.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Defense Evasion PutBucketLifecycle", "id": "ce1c0e2b-9303-4903-818b-0d9002fc6ea4", "version": 1, "date": "2022-07-25", "author": "Bhavin Patel", "type": "Hunting", "status": "production", "description": "This analytic identifies `PutBucketLifecycle` events in CloudTrail logs where a user has created a new lifecycle rule for an S3 bucket with a short expiration period. Attackers may use this API call to impair the CloudTrail logging by removing logs from the S3 bucket by changing the object expiration day to 1 day, in which case the CloudTrail logs will be deleted.", "data_source": [], "search": "`cloudtrail` eventName=PutBucketLifecycle user_type=IAMUser errorCode=success | spath path=requestParameters{}.LifecycleConfiguration{}.Rule{}.Expiration{}.Days output=expiration_days | spath path=requestParameters{}.bucketName output=bucket_name | stats count min(_time) as firstTime max(_time) as lastTime by src region eventName userAgent user_arn aws_account_id expiration_days bucket_name user_type| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where expiration_days < 3 | `aws_defense_evasion_putbucketlifecycle_filter`", "how_to_implement": "You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. We recommend our users to set the expiration days value according to your company's log retention policies.", "known_false_positives": "While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names.", "references": ["https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/"], "tags": {"name": "AWS Defense Evasion PutBucketLifecycle", "analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 40, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "User $user_arn$ has created a new rule to on an S3 bucket $bucket_name$ with short expiration days", "mitre_attack_id": ["T1562.008", "T1562"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "eventSource", "requestParameters.name", "userAgent", "aws_account_id", "src", "region", "requestParameters{}.LifecycleConfiguration{}.Rule{}.Expiration{}.Days", "requestParameters{}.bucketName"], "risk_score": 20, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.008", "mitre_attack_technique": "Disable Cloud Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/put_bucketlifecycle/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_defense_evasion_putbucketlifecycle_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_defense_evasion_putbucketlifecycle.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Defense Evasion Stop Logging Cloudtrail", "id": "8a2f3ca2-4eb5-4389-a549-14063882e537", "version": 1, "date": "2022-07-12", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies `StopLogging` events in CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their macliious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may easily stop logging.", "data_source": [], "search": "`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_defense_evasion_stop_logging_cloudtrail_filter`", "how_to_implement": "You must install Splunk AWS Add on and enable Cloudtrail logs in your AWS Environment.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has stopped cloudtrail logging. Please investigate this activity.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"name": "AWS Defense Evasion Stop Logging Cloudtrail", "analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "User $user_arn$ has stopped Cloudtrail logging for account id $aws_account_id$ from IP $src$", "mitre_attack_id": ["T1562.008", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "eventSource", "requestParameters.name", "userAgent", "aws_account_id", "src", "region"], "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.008", "mitre_attack_technique": "Disable Cloud Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_defense_evasion_stop_logging_cloudtrail_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Defense Evasion Update Cloudtrail", "id": "7c921d28-ef48-4f1b-85b3-0af8af7697db", "version": 1, "date": "2022-07-17", "author": "Gowthamaraj Rajendran, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies `UpdateTrail` events in CloudTrail logs. Attackers may evade the logging capability by updating the settings and impairing them with wrong parameters. For example, Attackers may change the multi-regional log into a single region logs, which evades the logging for other regions. When the adversary has the right type of permissions in the compromised AWS environment, they may update the CloudTrail settings that is logging activities in your environment.", "data_source": [], "search": "`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `aws_defense_evasion_update_cloudtrail_filter`", "how_to_implement": "You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has updated cloudtrail logging. Please investigate this activity.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"name": "AWS Defense Evasion Update Cloudtrail", "analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "User $user_arn$ has updated a cloudtrail logging for account id $aws_account_id$ from IP $src$", "mitre_attack_id": ["T1562", "T1562.008"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "eventSource", "requestParameters.name", "userAgent", "aws_account_id", "src", "region"], "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1562.008", "mitre_attack_technique": "Disable Cloud Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/update_cloudtrail/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_defense_evasion_update_cloudtrail_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_defense_evasion_update_cloudtrail.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "aws detect attach to role policy", "id": "88fc31dd-f331-448c-9856-d3d51dd5d3a1", "version": 1, "date": "2020-07-27", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "experimental", "description": "This search provides detection of an user attaching itself to a different role trust policy. This can be used for lateral movement and escalation of privileges.", "data_source": [], "search": "`aws_cloudwatchlogs_eks` attach policy| spath requestParameters.policyArn | table sourceIPAddress user_access_key userIdentity.arn userIdentity.sessionContext.sessionIssuer.arn eventName errorCode errorMessage status action requestParameters.policyArn userIdentity.sessionContext.attributes.mfaAuthenticated userIdentity.sessionContext.attributes.creationDate | `aws_detect_attach_to_role_policy_filter`", "how_to_implement": "You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs", "known_false_positives": "Attach to policy can create a lot of noise. This search can be adjusted to provide specific values to identify cases of abuse (i.e status=failure). The search can provide context for common users attaching themselves to higher privilege policies or even newly created policies.", "references": [], "tags": {"name": "aws detect attach to role policy", "analytic_story": ["AWS Cross Account Activity"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "requestParameters.policyArn"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "datamodel": [], "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_detect_attach_to_role_policy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_detect_attach_to_role_policy.yml", "source": "cloud"}, {"name": "aws detect permanent key creation", "id": "12d6d713-3cb4-4ffc-a064-1dca3d1cca01", "version": 1, "date": "2020-07-27", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "experimental", "description": "This search provides detection of accounts creating permanent keys. Permanent keys are not created by default and they are only needed for programmatic calls. Creation of Permanent key is an important event to monitor.", "data_source": [], "search": "`aws_cloudwatchlogs_eks` CreateAccessKey | spath eventName | search eventName=CreateAccessKey \"userIdentity.type\"=IAMUser | table sourceIPAddress userName userIdentity.type userAgent action status responseElements.accessKey.createDate responseElements.accessKey.status responseElements.accessKey.accessKeyId |`aws_detect_permanent_key_creation_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs", "known_false_positives": "Not all permanent key creations are malicious. If there is a policy of rotating keys this search can be adjusted to provide better context.", "references": [], "tags": {"name": "aws detect permanent key creation", "analytic_story": ["AWS Cross Account Activity"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "userIdentity.type", "sourceIPAddress", "userName userIdentity.type", "userAgent", "action", "status", "responseElements.accessKey.createDate", "esponseElements.accessKey.status", "responseElements.accessKey.accessKeyId"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "datamodel": [], "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_detect_permanent_key_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_detect_permanent_key_creation.yml", "source": "cloud"}, {"name": "aws detect role creation", "id": "5f04081e-ddee-4353-afe4-504f288de9ad", "version": 1, "date": "2020-07-27", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "experimental", "description": "This search provides detection of role creation by IAM users. Role creation is an event by itself if user is creating a new role with trust policies different than the available in AWS and it can be used for lateral movement and escalation of privileges.", "data_source": [], "search": "`aws_cloudwatchlogs_eks` event_name=CreateRole action=created userIdentity.type=AssumedRole requestParameters.description=Allows* | table sourceIPAddress userIdentity.principalId userIdentity.arn action event_name awsRegion http_user_agent mfa_auth msg requestParameters.roleName requestParameters.description responseElements.role.arn responseElements.role.createDate | `aws_detect_role_creation_filter`", "how_to_implement": "You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs", "known_false_positives": "CreateRole is not very common in common users. This search can be adjusted to provide specific values to identify cases of abuse. In general AWS provides plenty of trust policies that fit most use cases.", "references": [], "tags": {"name": "aws detect role creation", "analytic_story": ["AWS Cross Account Activity"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "event_name", "action", "userIdentity.type", "requestParameters.description", "sourceIPAddress", "userIdentity.principalId", "userIdentity.arn", "action", "event_name", "awsRegion", "http_user_agent", "mfa_auth", "msg", "requestParameters.roleName", "requestParameters.description", "responseElements.role.arn", "responseElements.role.createDate"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "datamodel": [], "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_detect_role_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_detect_role_creation.yml", "source": "cloud"}, {"name": "aws detect sts assume role abuse", "id": "8e565314-b6a2-46d8-9f05-1a34a176a662", "version": 1, "date": "2020-07-27", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "experimental", "description": "This search provides detection of suspicious use of sts:AssumeRole. These tokens can be created on the go and used by attackers to move laterally and escalate privileges.", "data_source": [], "search": "`cloudtrail` user_type=AssumedRole userIdentity.sessionContext.sessionIssuer.type=Role | table sourceIPAddress userIdentity.arn user_agent user_access_key status action requestParameters.roleName responseElements.role.roleName responseElements.role.createDate | `aws_detect_sts_assume_role_abuse_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs", "known_false_positives": "Sts:AssumeRole can be very noisy as it is a standard mechanism to provide cross account and cross resources access. This search can be adjusted to provide specific values to identify cases of abuse.", "references": [], "tags": {"name": "aws detect sts assume role abuse", "analytic_story": ["AWS Cross Account Activity"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "user_type", "userIdentity.sessionContext.sessionIssuer.type", "sourceIPAddress", "userIdentity.arn", "user_agent", "user_access_key", "status", "action", "requestParameters.roleName", "esponseElements.role.roleName", "esponseElements.role.createDate"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_detect_sts_assume_role_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_detect_sts_assume_role_abuse.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "aws detect sts get session token abuse", "id": "85d7b35f-b8b5-4b01-916f-29b81e7a0551", "version": 1, "date": "2020-07-27", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "experimental", "description": "This search provides detection of suspicious use of sts:GetSessionToken. These tokens can be created on the go and used by attackers to move laterally and escalate privileges.", "data_source": [], "search": "`aws_cloudwatchlogs_eks` ASIA userIdentity.type=IAMUser| spath eventName | search eventName=GetSessionToken | table sourceIPAddress eventTime userIdentity.arn userName userAgent user_type status region | `aws_detect_sts_get_session_token_abuse_filter`", "how_to_implement": "You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs", "known_false_positives": "Sts:GetSessionToken can be very noisy as in certain environments numerous calls of this type can be executed. This search can be adjusted to provide specific values to identify cases of abuse. In specific environments the use of field requestParameters.serialNumber will need to be used.", "references": [], "tags": {"name": "aws detect sts get session token abuse", "analytic_story": ["AWS Cross Account Activity"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1550"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "userIdentity.type", "eventName", "sourceIPAddress", "eventTime", "userIdentity.arn", "userName", "userAgent", "user_type", "status", "region"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}]}, "datamodel": [], "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_detect_sts_get_session_token_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_detect_sts_get_session_token_abuse.yml", "source": "cloud"}, {"name": "AWS Detect Users creating keys with encrypt policy without MFA", "id": "c79c164f-4b21-4847-98f9-cf6a9f49179e", "version": 1, "date": "2021-01-11", "author": "Rod Soto, Patrick Bareiss Splunk", "type": "TTP", "status": "production", "description": "This search provides detection of KMS keys where action kms:Encrypt is accessible for everyone (also outside of your organization). This is an indicator that your account is compromised and the attacker uses the encryption key to compromise another company.", "data_source": [], "search": "`cloudtrail` eventName=CreateKey OR eventName=PutKeyPolicy | spath input=requestParameters.policy output=key_policy_statements path=Statement{} | mvexpand key_policy_statements | spath input=key_policy_statements output=key_policy_action_1 path=Action | spath input=key_policy_statements output=key_policy_action_2 path=Action{} | eval key_policy_action=mvappend(key_policy_action_1, key_policy_action_2) | spath input=key_policy_statements output=key_policy_principal path=Principal.AWS | search key_policy_action=\"kms:Encrypt\" AND key_policy_principal=\"*\" | stats count min(_time) as firstTime max(_time) as lastTime by eventName eventSource eventID awsRegion userIdentity.principalId | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs", "known_false_positives": "unknown", "references": ["https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/", "https://github.com/d1vious/git-wild-hunt", "https://www.youtube.com/watch?v=PgzNib37g0M"], "tags": {"name": "AWS Detect Users creating keys with encrypt policy without MFA", "analytic_story": ["Ransomware Cloud"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "message": "AWS account is potentially compromised and user $userIdentity.principalId$ is trying to compromise other accounts.", "mitre_attack_id": ["T1486"], "nist": ["DE.CM"], "observable": [{"name": "userIdentity.principalId", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "eventSource", "eventID", "awsRegion", "requestParameters.policy", "userIdentity.principalId"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/aws_kms_key/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Detect Users with KMS keys performing encryption S3", "id": "884a5f59-eec7-4f4a-948b-dbde18225fdc", "version": 2, "date": "2022-11-11", "author": "Rod Soto, Patrick Bareiss Splunk", "type": "Anomaly", "status": "production", "description": "This search provides detection of users with KMS keys performing encryption specifically against S3 buckets.", "data_source": [], "search": "`cloudtrail` eventName=CopyObject requestParameters.x-amz-server-side-encryption=\"aws:kms\" | rename requestParameters.bucketName AS bucketName, requestParameters.x-amz-copy-source AS src_file, requestParameters.key AS dest_file | stats count min(_time) as firstTime max(_time) as lastTime values(bucketName) as bucketName values(src_file) AS src_file values(dest_file) AS dest_file values(userAgent) AS userAgent values(region) AS region values(src) AS src by user | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`aws_detect_users_with_kms_keys_performing_encryption_s3_filter`", "how_to_implement": "You must install Splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs", "known_false_positives": "There maybe buckets provisioned with S3 encryption", "references": ["https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/", "https://github.com/d1vious/git-wild-hunt", "https://www.youtube.com/watch?v=PgzNib37g0M"], "tags": {"name": "AWS Detect Users with KMS keys performing encryption S3", "analytic_story": ["Ransomware Cloud"], "asset_type": "S3 Bucket", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Actions on Objectives"], "message": "User $user$ with KMS keys is performing encryption, against S3 buckets on these files $dest_file$", "mitre_attack_id": ["T1486"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "dest_file", "type": "File", "role": ["Target"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "requestParameters.x-amz-server-side-encryption", "requestParameters.bucketName", "requestParameters.x-amz-copy-source", "requestParameters.key", "userAgent", "region"], "risk_score": 15, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/s3_file_encryption/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_detect_users_with_kms_keys_performing_encryption_s3_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Disable Bucket Versioning", "id": "657902a9-987d-4879-a1b2-e7a65512824b", "version": 1, "date": "2023-05-01", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic detects AWS cloudtrail events where bucket versioning is suspended by a user. Versioning allows the AWS Administrators to maintain different version of the S3 bucket which can be used to recover deleted data. Adversaries have leveraged this technique in the wild during a ransomware incident to disable versioning so the client cannot recover the data.", "data_source": [], "search": "`cloudtrail` eventName= PutBucketVersioning \"requestParameters.VersioningConfiguration.Status\"=Suspended | stats count values(requestParameters.bucketName) as bucket_name values(resources{}.ARN) as resource_arn by src_ip aws_account_id awsRegion eventName userAgent user_arn userIdentity.principalId errorCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `aws_disable_bucket_versioning_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "It is possible that an AWS Administrator has legitimately disabled versioning on certain buckets to avoid costs.", "references": ["https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82", "https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436"], "tags": {"name": "AWS Disable Bucket Versioning", "analytic_story": ["Suspicious AWS S3 Activities", "Data Exfiltration"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "message": "Bucket Versioning is suspended for S3 buckets- $bucket_name$ by user $user_arn$ from IP address $src_ip$", "mitre_attack_id": ["T1490"], "nist": ["DE.AE"], "observable": [{"name": "user_arn", "type": "User", "role": ["Attacker"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "user_arn", "src_ip", "aws_account_id", "destinationLocationArn", "sourceLocationArn", "userAgent", "userIdentity.principalId"], "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/aws_bucket_version/cloudtrail.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_disable_bucket_versioning_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_disable_bucket_versioning.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS EC2 Snapshot Shared Externally", "id": "2a9b80d3-6340-4345-b5ad-290bf3d222c4", "version": 3, "date": "2023-03-20", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes AWS CloudTrail events to identify when an EC2 snapshot permissions are modified to be shared with a different AWS account. This method is used by adversaries to exfiltrate the EC2 snapshot.", "data_source": [], "search": "`cloudtrail` eventName=ModifySnapshotAttribute | rename requestParameters.createVolumePermission.add.items{}.userId as requested_account_id | search requested_account_id != NULL | eval match=if(requested_account_id==aws_account_id,\"Match\",\"No Match\") | table _time user_arn src_ip requestParameters.attributeType requested_account_id aws_account_id match vendor_region user_agent userIdentity.principalId | where match = \"No Match\" | `aws_ec2_snapshot_shared_externally_filter` ", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "It is possible that an AWS admin has legitimately shared a snapshot with others for a specific purpose.", "references": ["https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/", "https://hackingthe.cloud/aws/enumeration/loot_public_ebs_snapshots/"], "tags": {"name": "AWS EC2 Snapshot Shared Externally", "analytic_story": ["Suspicious Cloud Instance Activities", "Data Exfiltration"], "asset_type": "EC2 Snapshot", "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Actions on Objectives"], "message": "AWS EC2 snapshot from account $aws_account_id$ is shared with $requested_account_id$ by user $user_arn$ from $src_ip$", "mitre_attack_id": ["T1537"], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Attacker"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "user_arn", "src_ip", "requestParameters.attributeType", "aws_account_id", "vendor_region", "user_agent", "userIdentity.principalId"], "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_snapshot_exfil/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_ec2_snapshot_shared_externally_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_ec2_snapshot_shared_externally.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS ECR Container Scanning Findings High", "id": "62721bd2-1d82-4623-b6e6-aac170014423", "version": 1, "date": "2022-06-21", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). You need to activate image scanning in order to get the event DescribeImageScanFindings with the results.", "data_source": [], "search": "`cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanFindings | spath path=responseElements.imageScanFindings.findings{} output=findings | mvexpand findings | spath input=findings| search severity=HIGH | rename name as finding_name, description as finding_description, requestParameters.imageId.imageDigest as imageDigest, requestParameters.repositoryName as image | eval finding = finding_name.\", \".finding_description | eval phase=\"release\" | eval severity=\"high\" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, imageDigest, image, userName, src_ip, finding, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_scanning_findings_high_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "unknown", "references": ["https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html"], "tags": {"name": "AWS ECR Container Scanning Findings High", "analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Installation"], "message": "Vulnerabilities with severity high found in image $image$", "mitre_attack_id": ["T1204.003", "T1204"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["eventSource", "eventName", "responseElements.imageScanFindings.findings{}", "awsRegion", "requestParameters.imageId.imageDigest", "requestParameters.repositoryName", "user", "userName", "src_ip"], "risk_score": 70, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.003", "mitre_attack_technique": "Malicious Image", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.003/aws_ecr_image_scanning/aws_ecr_scanning_findings_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_ecr_container_scanning_findings_high_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_ecr_container_scanning_findings_high.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS ECR Container Scanning Findings Low Informational Unknown", "id": "cbc95e44-7c22-443f-88fd-0424478f5589", "version": 1, "date": "2022-08-25", "author": "Patrick Bareiss, Eric McGinnis Splunk", "type": "Hunting", "status": "production", "description": "This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). You need to activate image scanning in order to get the event DescribeImageScanFindings with the results.", "data_source": [], "search": "`cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanFindings | spath path=responseElements.imageScanFindings.findings{} output=findings | mvexpand findings | spath input=findings| search severity IN (\"LOW\", \"INFORMATIONAL\", \"UNKNOWN\") | rename name as finding_name, description as finding_description, requestParameters.imageId.imageDigest as imageDigest, requestParameters.repositoryName as repositoryName | eval finding = finding_name.\", \".finding_description | eval phase=\"release\" | eval severity=\"low\" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, imageDigest, repositoryName, userName, src_ip, finding, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_scanning_findings_low_informational_unknown_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "unknown", "references": ["https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html"], "tags": {"name": "AWS ECR Container Scanning Findings Low Informational Unknown", "analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "confidence": 70, "impact": 10, "kill_chain_phases": ["Installation"], "message": "Vulnerabilities with severity high found in repository $repositoryName$", "mitre_attack_id": ["T1204.003", "T1204"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["eventSource", "eventName", "responseElements.imageScanFindings.findings{}", "awsRegion", "requestParameters.imageId.imageDigest", "requestParameters.repositoryName", "user", "userName", "src_ip"], "risk_score": 7, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.003", "mitre_attack_technique": "Malicious Image", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.003/aws_ecr_image_scanning/aws_ecr_scanning_findings_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_ecr_container_scanning_findings_low_informational_unknown_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS ECR Container Scanning Findings Medium", "id": "0b80e2c8-c746-4ddb-89eb-9efd892220cf", "version": 1, "date": "2021-08-17", "author": "Patrick Bareiss, Splunk", "type": "Anomaly", "status": "production", "description": "This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). You need to activate image scanning in order to get the event DescribeImageScanFindings with the results.", "data_source": [], "search": "`cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanFindings | spath path=responseElements.imageScanFindings.findings{} output=findings | mvexpand findings | spath input=findings| search severity=MEDIUM | rename name as finding_name, description as finding_description, requestParameters.imageId.imageDigest as imageDigest, requestParameters.repositoryName as image | eval finding = finding_name.\", \".finding_description | eval phase=\"release\" | eval severity=\"medium\" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, imageDigest, image, userName, src_ip, finding, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_scanning_findings_medium_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "unknown", "references": ["https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html"], "tags": {"name": "AWS ECR Container Scanning Findings Medium", "analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Installation"], "message": "Vulnerabilities with severity high found in image $image$", "mitre_attack_id": ["T1204.003", "T1204"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["eventSource", "eventName", "responseElements.imageScanFindings.findings{}", "awsRegion", "requestParameters.imageId.imageDigest", "requestParameters.repositoryName", "user", "userName", "src_ip"], "risk_score": 21, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.003", "mitre_attack_technique": "Malicious Image", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.003/aws_ecr_image_scanning/aws_ecr_scanning_findings_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_ecr_container_scanning_findings_medium_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_ecr_container_scanning_findings_medium.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS ECR Container Upload Outside Business Hours", "id": "d4c4d4eb-3994-41ca-a25e-a82d64e125bb", "version": 1, "date": "2021-08-19", "author": "Patrick Bareiss, Splunk", "type": "Anomaly", "status": "production", "description": "This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). A upload of a new container is normally done during business hours. When done outside business hours, we want to take a look into it.", "data_source": [], "search": "`cloudtrail` eventSource=ecr.amazonaws.com eventName=PutImage date_hour>=20 OR date_hour<8 OR date_wday=saturday OR date_wday=sunday | rename requestParameters.* as * | rename repositoryName AS image | eval phase=\"release\" | eval severity=\"medium\" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, user, userName, src_ip, imageTag, registryId, image, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_upload_outside_business_hours_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "When your development is spreaded in different time zones, applying this rule can be difficult.", "references": ["https://attack.mitre.org/techniques/T1204/003/"], "tags": {"name": "AWS ECR Container Upload Outside Business Hours", "analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "message": "Container uploaded outside business hours from $user$", "mitre_attack_id": ["T1204.003", "T1204"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["eventSource", "eventName", "awsRegion", "requestParameters.imageTag", "requestParameters.registryId", "requestParameters.repositoryName", "user", "userName", "src_ip"], "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.003", "mitre_attack_technique": "Malicious Image", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.003/aws_ecr_container_upload/aws_ecr_container_upload.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_ecr_container_upload_outside_business_hours_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS ECR Container Upload Unknown User", "id": "300688e4-365c-4486-a065-7c884462b31d", "version": 1, "date": "2021-08-19", "author": "Patrick Bareiss, Splunk", "type": "Anomaly", "status": "production", "description": "This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). A upload of a new container is normally done from only a few known users. When the user was never seen before, we should have a closer look into the event.", "data_source": [], "search": "`cloudtrail` eventSource=ecr.amazonaws.com eventName=PutImage NOT `aws_ecr_users` | rename requestParameters.* as * | rename repositoryName AS image | eval phase=\"release\" | eval severity=\"high\" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, user, userName, src_ip, imageTag, registryId, image, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_upload_unknown_user_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "unknown", "references": ["https://attack.mitre.org/techniques/T1204/003/"], "tags": {"name": "AWS ECR Container Upload Unknown User", "analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "message": "Container uploaded from unknown user $user$", "mitre_attack_id": ["T1204.003", "T1204"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["eventSource", "eventName", "awsRegion", "requestParameters.imageTag", "requestParameters.registryId", "requestParameters.repositoryName", "user", "userName", "src_ip"], "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.003", "mitre_attack_technique": "Malicious Image", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.003/aws_ecr_container_upload/aws_ecr_container_upload.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_ecr_users", "definition": "userName IN (user)", "description": "specify the user allowed to push Images to AWS ECR."}, {"name": "aws_ecr_container_upload_unknown_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_ecr_container_upload_unknown_user.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Excessive Security Scanning", "id": "1fdd164a-def8-4762-83a9-9ffe24e74d5a", "version": 1, "date": "2021-04-13", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "This search looks for AWS CloudTrail events and analyse the amount of eventNames which starts with Describe by a single user. This indicates that this user scans the configuration of your AWS cloud environment.", "data_source": [], "search": "`cloudtrail` eventName=Describe* OR eventName=List* OR eventName=Get* | stats dc(eventName) as dc_events min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName values(src) as src values(userAgent) as userAgent by user userIdentity.arn | where dc_events > 50 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`aws_excessive_security_scanning_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "While this search has no known false positives.", "references": ["https://github.com/aquasecurity/cloudsploit"], "tags": {"name": "AWS Excessive Security Scanning", "analytic_story": ["AWS User Monitoring"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "confidence": 60, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "user $user$ has excessive number of api calls $dc_events$ from these IP addresses $src$, violating the threshold of 50, using the following commands $command$.", "mitre_attack_id": ["T1526"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "src", "userAgent", "user", "userIdentity.arn"], "risk_score": 18, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1526/aws_security_scanner/aws_security_scanner.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_excessive_security_scanning_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_excessive_security_scanning.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Exfiltration via Anomalous GetObject API Activity", "id": "e4384bbf-5835-4831-8d85-694de6ad2cc6", "version": 1, "date": "2023-04-10", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "production", "description": "This search uses built in Splunk command `| anomalydetection` to detect anomalies with respect to users making high number of GetObject API calls to download objects from S3 in a 10 minute time window. The field `probable_cause` is the name of the field that best explains why the event is anomalous. This command identifies anomalous events by computing a probability for each GetObject event by \"count\" \"user_type\" \"user_arn\" and detects anomaly based on the frequencies.", "data_source": [], "search": "`cloudtrail` eventName=GetObject | bin _time span=10m | stats count values(requestParameters.bucketName) as bucketName by _time src_ip aws_account_id user_type user_arn userIdentity.principalId | anomalydetection \"count\" \"user_type\" \"user_arn\" action=annotate | search probable_cause=* |`aws_exfiltration_via_anomalous_getobject_api_activity_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "It is possible that a user downloaded these files to use them locally and there are AWS services in configured that perform these activities for a legitimate reason. Filter is needed.", "references": ["https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://docs.splunk.com/Documentation/Splunk/9.0.4/SearchReference/Anomalydetection", "https://www.vectra.ai/blogpost/abusing-the-replicator-silently-exfiltrating-data-with-the-aws-s3-replication-service"], "tags": {"name": "AWS Exfiltration via Anomalous GetObject API Activity", "analytic_story": ["Data Exfiltration"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "Anomalous S3 activities detected by user $user_arn$ from $src_ip$", "mitre_attack_id": ["T1119"], "nist": ["DE.AE"], "observable": [{"name": "user_arn", "type": "User", "role": ["Attacker"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "user_arn", "src_ip", "aws_account_id", "userAgent", "userIdentity.principalId"], "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1119", "mitre_attack_technique": "Automated Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "Chimera", "Confucius", "FIN5", "FIN6", "Gamaredon Group", "Ke3chang", "Mustang Panda", "OilRig", "Patchwork", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1530/aws_exfil_high_no_getobject/cloudtrail.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_exfiltration_via_anomalous_getobject_api_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Exfiltration via Batch Service", "id": "04455dd3-ced7-480f-b8e6-5469b99e98e2", "version": 1, "date": "2023-04-24", "author": "", "type": "TTP", "status": "production", "description": "This search looks for events where AWS Batch Service is used for creating a job that could potentially abuse the AWS Bucket Replication feature on S3 buckets. This AWS service can used to transfer data between different AWS S3 buckets and an attacker can leverage this to exfiltrate data by creating a malicious batch job.", "data_source": [], "search": "`cloudtrail` eventName = JobCreated | stats count min(_time) as firstTime max(_time) as lastTime values(serviceEventDetails.jobArn) as job_arn values(serviceEventDetails.status) as status by src_ip aws_account_id eventName errorCode userAgent| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_exfiltration_via_datasync_task_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "It is possible that an AWS Administrator or a user has legitimately created this job for some tasks.", "references": ["https://hackingthe.cloud/aws/exploitation/s3-bucket-replication-exfiltration/", "https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436"], "tags": {"name": "AWS Exfiltration via Batch Service", "analytic_story": ["Data Exfiltration"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "AWS Batch Job is created on account id - $aws_account_id$ by user $user_arn$ from src_ip $src_ip$", "mitre_attack_id": ["T1119"], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Attacker"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "user_arn", "src_ip", "aws_account_id", "userAgent"], "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1119", "mitre_attack_technique": "Automated Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "Chimera", "Confucius", "FIN5", "FIN6", "Gamaredon Group", "Ke3chang", "Mustang Panda", "OilRig", "Patchwork", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1119/aws_exfil_datasync/cloudtrail.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_exfiltration_via_batch_service_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_exfiltration_via_batch_service.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Exfiltration via Bucket Replication", "id": "eeb432d6-2212-43b6-9e89-fcd753f7da4c", "version": 1, "date": "2023-04-28", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "The following analytic detects API calls made to an S3 bucket when bucket replication services are enabled. S3 bucket replication is a feature offered by Amazon Web Services (AWS) that allows you to automatically and asynchronously copy data from one S3 bucket to another in the same or different region.\\\nS3 bucket replication can also be used for cross-account replication, where data is replicated from a source bucket owned by one AWS account to a destination bucket owned by a different AWS account.", "data_source": [], "search": "`cloudtrail` eventName = PutBucketReplication eventSource = s3.amazonaws.com | rename requestParameters.* as * | stats count values(bucketName) as source_bucket values(ReplicationConfiguration.Rule.ID) as rule_id values(ReplicationConfiguration.Rule.Destination.Bucket) as destination_bucket by _time user_arn userName user_type src_ip aws_account_id userIdentity.principalId user_agent | `aws_exfiltration_via_ec2_snapshot_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "It is possible that an AWS admin has legitimately implemented data replication to ensure data availability and improve data protection/backup strategies.", "references": ["https://hackingthe.cloud/aws/exploitation/s3-bucket-replication-exfiltration/"], "tags": {"name": "AWS Exfiltration via Bucket Replication", "analytic_story": ["Suspicious AWS S3 Activities", "Data Exfiltration"], "asset_type": "EC2 Snapshot", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "message": "AWS Bucket Replication rule $rule$ added on $source_bucket$ to $destination_bucket$ by user $user_arn$ from IP Address - $src_ip$", "mitre_attack_id": ["T1537"], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Attacker"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "user_arn", "src_ip", "eventSource", "requestParameters.*", "aws_account_id", "vendor_region", "user_agent", "userIdentity.principalId"], "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1119/aws_exfil_datasync/cloudtrail.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_exfiltration_via_bucket_replication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_exfiltration_via_bucket_replication.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Exfiltration via DataSync Task", "id": "05c4b09f-ea28-4c7c-a7aa-a246f665c8a2", "version": 1, "date": "2023-04-10", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "This search looks for potential misuse of an AWS service known as DataSync. This AWS service is used to transfer data between different AWS cloud storage services, such as Amazon S3, Amazon EFS, and Amazon FSx for Windows File Server. Attackers can create a task in AWS to periodically copy data from a private AWS location to a public location resulting in the compromise of the data.", "data_source": [], "search": "`cloudtrail` eventName = CreateTask eventSource=\"datasync.amazonaws.com\" | rename requestParameters.* as * | stats count min(_time) as firstTime max(_time) as lastTime by src_ip aws_account_id awsRegion eventName destinationLocationArn sourceLocationArn userAgent user_arn userIdentity.principalId errorCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_exfiltration_via_datasync_task_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "It is possible that an AWS Administrator has legitimately created this task for creating backup. Please check the `sourceLocationArn` and `destinationLocationArn` of this task", "references": ["https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://www.shehackske.com/how-to/data-exfiltration-on-cloud-1606/"], "tags": {"name": "AWS Exfiltration via DataSync Task", "analytic_story": ["Suspicious AWS S3 Activities", "Data Exfiltration"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "DataSync task created on account id - $aws_account_id$ by user $user_arn$ from src_ip $src_ip$", "mitre_attack_id": ["T1119"], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Attacker"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "user_arn", "src_ip", "aws_account_id", "destinationLocationArn", "sourceLocationArn", "userAgent", "userIdentity.principalId"], "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1119", "mitre_attack_technique": "Automated Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "Chimera", "Confucius", "FIN5", "FIN6", "Gamaredon Group", "Ke3chang", "Mustang Panda", "OilRig", "Patchwork", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1119/aws_exfil_datasync/cloudtrail.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_exfiltration_via_datasync_task_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_exfiltration_via_datasync_task.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Exfiltration via EC2 Snapshot", "id": "ac90b339-13fc-4f29-a18c-4abbba1f2171", "version": 1, "date": "2023-03-22", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "This search detects a series of AWS API calls, made in a short time window, related to EC2 snapshots that can detect a potential exfiltration via EC2 Snapshot modifications. In this attack, the attacker typically proceeds by listing and creating EC2 snapshots of the available EC2 instances followed by modifying snapshot attributes such that it can be shared externally. Once this is done, the attacker can then load that EC2 snapshot and access all the sensitive information.", "data_source": [], "search": "`cloudtrail` eventName IN (\"CreateSnapshot\", \"DescribeSnapshotAttribute\", \"ModifySnapshotAttribute\", \"DeleteSnapshot\") src_ip !=\"guardduty.amazonaws.com\" | bin _time span=5m | stats count dc(eventName) as distinct_api_calls values(eventName) values(requestParameters.attributeType) as attributeType values(requestParameters.createVolumePermission.add.items{}.userId) as aws_account_id_added values(userAgent) as userAgent by _time userName src_ip aws_account_id | where distinct_api_calls >= 2 | `aws_exfiltration_via_ec2_snapshot_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. We have intentionally removed `guardduty.amazonaws.com` from src_ip to remove false positives caused by guard duty. We recommend you adjust the time window as per your environment.", "known_false_positives": "It is possible that an AWS admin has legitimately shared a snapshot with an other account for a specific purpose. Please check any recent change requests filed in your organization.", "references": ["https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html", "https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436", "https://stratus-red-team.cloud/attack-techniques/list/"], "tags": {"name": "AWS Exfiltration via EC2 Snapshot", "analytic_story": ["Suspicious Cloud Instance Activities", "Data Exfiltration"], "asset_type": "EC2 Snapshot", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "message": "Potential AWS EC2 Exfiltration detected on account id - $aws_account_id$ by user $user_arn$ from src_ip $src_ip$", "mitre_attack_id": ["T1537"], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Attacker"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "user_arn", "src_ip", "requestParameters.attributeType", "aws_account_id", "vendor_region", "user_agent", "userIdentity.principalId", "requestParameters.createVolumePermission.add.items{}.userId"], "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_snapshot_exfil/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_exfiltration_via_ec2_snapshot_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS High Number Of Failed Authentications For User", "id": "e3236f49-daf3-4b70-b808-9290912ac64d", "version": 1, "date": "2023-01-27", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies an AWS account with more than 20 failed authentication events in the span of 5 minutes. This behavior could represent a brute force attack against the account. As environments differ across organizations, security teams should customize the threshold of this detection.", "data_source": [], "search": "`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time | stats dc(_raw) AS failed_attempts values(src_ip) as src_ip values(user_agent) by _time, user_name, eventName, eventSource aws_account_id | where failed_attempts > 20 | `aws_high_number_of_failed_authentications_for_user_filter`", "how_to_implement": "You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "A user with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.", "references": ["https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/password-policy.html"], "tags": {"name": "AWS High Number Of Failed Authentications For User", "analytic_story": ["Compromised User Account", "AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "User $user_name$ failed to authenticate more than 20 times in the span of 5 minutes for AWS Account $aws_account_id$", "mitre_attack_id": ["T1201"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "userAgent", "errorCode", "requestParameters.userName", "eventSource", "user_arn", "aws_account_id", "src_ip"], "risk_score": 35, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/aws_multiple_login_fail_per_user/cloudtrail.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_high_number_of_failed_authentications_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS High Number Of Failed Authentications From Ip", "id": "f75b7f1a-b8eb-4975-a214-ff3e0a944757", "version": 1, "date": "2023-01-30", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies an IP address failing to authenticate 20 or more times to the AWS Web Console in the span of 5 minutes. This behavior could represent a brute force attack against an AWS tenant to obtain initial access or elevate privileges. As environments differ across organizations, security teams should customize the threshold of this detection.", "data_source": [], "search": "`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=5m _time | stats dc(_raw) AS failed_attempts values(user_name) as tried_accounts values(user_agent) by _time, src_ip, eventName, eventSource aws_account_id | where failed_attempts > 20 | `aws_high_number_of_failed_authentications_from_ip_filter`", "how_to_implement": "You must install Splunk Add-on for AWS in order to ingest Cloudtrail. We recommend the users to try different combinations of the bucket span time and the tried account threshold to tune this search according to their environment.", "known_false_positives": "An Ip address with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://www.whiteoaksecurity.com/blog/goawsconsolespray-password-spraying-tool/", "https://softwaresecuritydotblog.wordpress.com/2019/09/28/how-to-protect-against-credential-stuffing-on-aws/"], "tags": {"name": "AWS High Number Of Failed Authentications From Ip", "analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "Multiple failed console login attempts against users $tried_accounts$ seen from $src_ip$", "mitre_attack_id": ["T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "tried_accounts", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "user", "action", "eventName", "src_ip"], "risk_score": 54, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/aws_cloudtrail.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_high_number_of_failed_authentications_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS IAM AccessDenied Discovery Events", "id": "3e1f1568-9633-11eb-a69c-acde48001122", "version": 2, "date": "2021-11-12", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following detection identifies excessive AccessDenied events within an hour timeframe. It is possible that an access key to AWS may have been stolen and is being misused to perform discovery events. In these instances, the access is not available with the key stolen therefore these events will be generated.", "data_source": [], "search": "`cloudtrail` (errorCode = \"AccessDenied\") user_type=IAMUser (userAgent!=*.amazonaws.com) | bucket _time span=1h | stats count as failures min(_time) as firstTime max(_time) as lastTime, dc(eventName) as methods, dc(eventSource) as sources by src_ip, userIdentity.arn, _time | where failures >= 5 and methods >= 1 and sources >= 1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_accessdenied_discovery_events_filter`", "how_to_implement": "The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS Cloudtrail logs.", "known_false_positives": "It is possible to start this detection will need to be tuned by source IP or user. In addition, change the count values to an upper threshold to restrict false positives.", "references": ["https://aws.amazon.com/premiumsupport/knowledge-center/troubleshoot-iam-permission-errors/"], "tags": {"name": "AWS IAM AccessDenied Discovery Events", "analytic_story": ["Suspicious Cloud User Activities"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "message": "User $userIdentity.arn$ is seen to perform excessive number of discovery related api calls- $failures$, within an hour where the access was denied.", "mitre_attack_id": ["T1580"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "userIdentity.arn", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "eventSource", "userAgent", "errorCode", "userIdentity.type"], "risk_score": 10, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1580", "mitre_attack_technique": "Cloud Infrastructure Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1580/aws_iam_accessdenied_discovery_events/aws_iam_accessdenied_discovery_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_iam_accessdenied_discovery_events_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_iam_accessdenied_discovery_events.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS IAM Assume Role Policy Brute Force", "id": "f19e09b0-9308-11eb-b7ec-acde48001122", "version": 1, "date": "2021-04-01", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following detection identifies any malformed policy document exceptions with a status of `failure`. A malformed policy document exception occurs in instances where roles are attempted to be assumed, or brute forced. In a brute force attempt, using a tool like CloudSploit or Pacu, an attempt will look like `arn:aws:iam::111111111111:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS`. Meaning, when an adversary is attempting to identify a role name, multiple failures will occur. This detection focuses on the errors of a remote attempt that is failing.", "data_source": [], "search": "`cloudtrail` (errorCode=MalformedPolicyDocumentException) status=failure (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyName) as policy_name by src eventName eventSource aws_account_id errorCode requestParameters.policyDocument userAgent eventID awsRegion userIdentity.principalId user_arn | where count >= 2 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_assume_role_policy_brute_force_filter`", "how_to_implement": "The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS Cloudtrail logs. Set the `where count` greater than a value to identify suspicious activity in your environment.", "known_false_positives": "This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users.", "references": ["https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities/", "https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/", "https://www.elastic.co/guide/en/security/current/aws-iam-brute-force-of-assume-role-policy.html"], "tags": {"name": "AWS IAM Assume Role Policy Brute Force", "analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "kill_chain_phases": ["Exploitation"], "message": "User $user_arn$ has caused multiple failures with errorCode $errorCode$, which potentially means adversary is attempting to identify a role name.", "mitre_attack_id": ["T1580", "T1110"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "userAgent", "errorCode", "requestParameters.policyName"], "risk_score": 28, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1580", "mitre_attack_technique": "Cloud Infrastructure Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1580/aws_iam_assume_role_policy_brute_force/aws_iam_assume_role_policy_brute_force.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_iam_assume_role_policy_brute_force_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_iam_assume_role_policy_brute_force.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS IAM Delete Policy", "id": "ec3a9362-92fe-11eb-99d0-acde48001122", "version": 1, "date": "2021-04-01", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following detection identifes when a policy is deleted on AWS. This does not identify whether successful or failed, but the error messages tell a story of suspicious attempts. There is a specific process to follow when deleting a policy. First, detach the policy from all users, groups, and roles that the policy is attached to, using DetachUserPolicy , DetachGroupPolicy , or DetachRolePolicy.", "data_source": [], "search": "`cloudtrail` eventName=DeletePolicy (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyArn) as policyArn by src eventName eventSource aws_account_id errorCode errorMessage userAgent eventID awsRegion userIdentity.principalId userIdentity.arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_delete_policy_filter`", "how_to_implement": "The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS Cloudtrail logs.", "known_false_positives": "This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete policies (least privilege). In addition, this may be saved seperately and tuned for failed or success attempts only.", "references": ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicy.html", "https://docs.aws.amazon.com/cli/latest/reference/iam/delete-policy.html"], "tags": {"name": "AWS IAM Delete Policy", "analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Installation"], "message": "User $user_arn$ has deleted AWS Policies from IP address $src$ by executing the following command $eventName$", "mitre_attack_id": ["T1098"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "userAgent", "errorCode", "requestParameters.policyArn"], "risk_score": 10, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_delete_policy/aws_iam_delete_policy.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_iam_delete_policy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_iam_delete_policy.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS IAM Failure Group Deletion", "id": "723b861a-92eb-11eb-93b8-acde48001122", "version": 1, "date": "2021-04-01", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "This detection identifies failure attempts to delete groups. We want to identify when a group is attempting to be deleted, but either access is denied, there is a conflict or there is no group. This is indicative of administrators performing an action, but also could be suspicious behavior occurring. Review parallel IAM events - recently added users, new groups and so forth.", "data_source": [], "search": "`cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode IN (NoSuchEntityException,DeleteConflictException, AccessDenied) (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.groupName) as group_name by src eventName eventSource aws_account_id errorCode errorMessage userAgent eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_failure_group_deletion_filter`", "how_to_implement": "The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS Cloudtrail logs.", "known_false_positives": "This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege).", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html"], "tags": {"name": "AWS IAM Failure Group Deletion", "analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Installation"], "message": "User $user_arn$ has had mulitple failures while attempting to delete groups from $src$", "mitre_attack_id": ["T1098"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}, {"name": "group_name", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "userAgent", "errorCode", "requestParameters.groupName"], "risk_score": 5, "security_domain": "cloud", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_failure_group_deletion/aws_iam_failure_group_deletion.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_iam_failure_group_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_iam_failure_group_deletion.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS IAM Successful Group Deletion", "id": "e776d06c-9267-11eb-819b-acde48001122", "version": 1, "date": "2021-03-31", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following query uses IAM events to track the success of a group being deleted on AWS. This is typically not indicative of malicious behavior, but a precurser to additional events thay may unfold. Review parallel IAM events - recently added users, new groups and so forth. Inversely, review failed attempts in a similar manner.", "data_source": [], "search": "`cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode=success (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.groupName) as group_deleted by src eventName eventSource errorCode user_agent awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_successful_group_deletion_filter`", "how_to_implement": "The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS Cloudtrail logs.", "known_false_positives": "This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege).", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html"], "tags": {"name": "AWS IAM Successful Group Deletion", "analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Exploitation", "Installation"], "message": "User $user_arn$ has sucessfully deleted mulitple groups $group_deleted$ from $src$", "mitre_attack_id": ["T1069.003", "T1098", "T1069"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}, {"name": "group_deleted", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "userAgent", "errorCode", "requestParameters.groupName"], "risk_score": 5, "security_domain": "cloud", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069.003", "mitre_attack_technique": "Cloud Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_successful_group_deletion/aws_iam_successful_group_deletion.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_iam_successful_group_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_iam_successful_group_deletion.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Lambda UpdateFunctionCode", "id": "211b80d3-6340-4345-11ad-212bf3d0d111", "version": 1, "date": "2022-02-24", "author": "Bhavin Patel, Splunk", "type": "Hunting", "status": "production", "description": "This analytic is designed to detect IAM users attempting to update/modify AWS lambda code via the AWS CLI to gain persistence, futher access into your AWS environment and to facilitate planting backdoors. In this instance, an attacker may upload malicious code/binary to a lambda function which will be executed automatically when the funnction is triggered.", "data_source": [], "search": "`cloudtrail` eventSource=lambda.amazonaws.com eventName=UpdateFunctionCode* errorCode = success user_type=IAMUser | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.functionName) as function_updated by src_ip user_arn user_agent user_type eventName aws_account_id |`aws_lambda_updatefunctioncode_filter`", "how_to_implement": "You must install Splunk AWS Add on and enable Cloudtrail logs in your AWS Environment.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin or an autorized IAM user has updated the lambda fuction code legitimately.", "references": ["http://detectioninthe.cloud/execution/modify_lambda_function_code/", "https://sysdig.com/blog/exploit-mitigate-aws-lambdas-mitre/"], "tags": {"name": "AWS Lambda UpdateFunctionCode", "analytic_story": ["Suspicious Cloud User Activities"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "message": "User $user_arn$ is attempting to update the lambda function code of $function_updated$ from this IP $src_ip$", "mitre_attack_id": ["T1204"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "userAgent", "errorCode"], "risk_score": 63, "security_domain": "cloud", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/aws_updatelambdafunctioncode/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_lambda_updatefunctioncode_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_lambda_updatefunctioncode.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Multi-Factor Authentication Disabled", "id": "374832b1-3603-420c-b456-b373e24d34c0", "version": 1, "date": "2022-10-04", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies an attempt to disable multi-factor authentication for an AWS IAM user. An adversary who has obtained access to an AWS tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users.", "data_source": [], "search": "`cloudtrail` (eventName= DeleteVirtualMFADevice OR eventName=DeactivateMFADevice) | stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource aws_account_id userAgent eventID awsRegion user_name userIdentity.arn status | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_multi_factor_authentication_disabled_filter`", "how_to_implement": "The Splunk AWS Add-on is required to utilize this data. The search requires AWS Cloudtrail logs.", "known_false_positives": "AWS Administrators may disable MFA but it is highly unlikely for this event to occur without prior notice to the company", "references": ["https://attack.mitre.org/techniques/T1621/", "https://aws.amazon.com/what-is/mfa/"], "tags": {"name": "AWS Multi-Factor Authentication Disabled", "analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Weaponization", "Exploitation", "Installation"], "message": "User $user_name$ has disabled Multi-Factor authentication for AWS account $aws_account_id$", "mitre_attack_id": ["T1586", "T1586.003", "T1621", "T1556", "T1556.006"], "nist": ["DE.CM"], "observable": [{"name": "aws_account_id", "type": "Other", "role": ["Victim"]}, {"name": "user_name", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["src", "eventName", "eventSource", "aws_account_id", "errorCode", "errorMessage", "userAgent", "eventID", "awsRegion", "user_name", "userIdentity.arn"], "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/aws_mfa_disabled/cloudtrail.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_multi_factor_authentication_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_multi_factor_authentication_disabled.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Multiple Failed MFA Requests For User", "id": "1fece617-e614-4329-9e61-3ba228c0f353", "version": 1, "date": "2022-10-03", "author": "Bhavin Patel", "type": "Anomaly", "status": "production", "description": "The following analytic identifies multiple failed multi-factor authentication requests to an AWS Console for a single user. AWS Cloudtrail logs provide a a very useful field called `additionalEventData` that logs information regarding usage of MFA. Specifically, the analytic triggers when more than 10 MFA user prompts fail within 10 minutes. AWS Environments can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others.", "data_source": [], "search": "`cloudtrail` eventName= ConsoleLogin \"additionalEventData.MFAUsed\"=Yes errorMessage=\"Failed authentication\" | bucket span=5m _time | stats dc(_raw) as mfa_prompts values(userAgent) as userAgent values(src) as src by _time user_name user_arn aws_account_id eventName errorMessage | where mfa_prompts > 10| `aws_multiple_failed_mfa_requests_for_user_filter`", "how_to_implement": "The Splunk AWS Add-on is required to utilize this data. The search requires AWS Cloudtrail logs.", "known_false_positives": "Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed.", "references": ["https://attack.mitre.org/techniques/T1621/", "https://aws.amazon.com/what-is/mfa/"], "tags": {"name": "AWS Multiple Failed MFA Requests For User", "analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Weaponization", "Exploitation"], "message": "User $user_name$ is seen to have high number of MFA prompt failures within a short period of time.", "mitre_attack_id": ["T1586", "T1586.003", "T1621"], "nist": ["DE.AE"], "observable": [{"name": "user_name", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["src", "eventName", "eventSource", "aws_account_id", "errorCode", "errorMessage", "userAgent", "eventID", "awsRegion", "user_name", "userIdentity.arn"], "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/aws_failed_mfa/cloudtrail.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_multiple_failed_mfa_requests_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Multiple Users Failing To Authenticate From Ip", "id": "71e1fb89-dd5f-4691-8523-575420de4630", "version": 1, "date": "2022-09-27", "author": "Bhavin Patel", "type": "Anomaly", "status": "production", "description": "The following analytic identifies one source Ip failing to authenticate into the AWS Console with 30 unique valid users within 10 minutes. This behavior could represent an adversary performing a Password Spraying attack against an AWS environment tenant to obtain initial access or elevate privileges.", "data_source": [], "search": "`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time | stats dc(user_name) AS unique_accounts values(user_name) as tried_accounts by _time, src_ip, eventName, action, user_agent | where unique_accounts > 30 |`aws_unusual_number_of_failed_authentications_from_ip_filter`", "how_to_implement": "You must install Splunk Add-on for AWS in order to ingest Cloudtrail. We recommend the users to try different combinations of the bucket span time and the tried account threshold to tune this search according to their environment.", "known_false_positives": "No known false postives for this detection. Please review this alert", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://www.whiteoaksecurity.com/blog/goawsconsolespray-password-spraying-tool/", "https://softwaresecuritydotblog.wordpress.com/2019/09/28/how-to-protect-against-credential-stuffing-on-aws/"], "tags": {"name": "AWS Multiple Users Failing To Authenticate From Ip", "analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "Multiple failed console login attempts against users $tried_accounts$ seen from $src_ip$", "mitre_attack_id": ["T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "tried_accounts", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "user", "action", "eventName", "src_ip"], "risk_score": 54, "security_domain": "threat", "risk_severity": "medium", "manual_test": "This search needs a specific number of events in a time window for the alert to trigger and events split up in CI testing while updating timestamp.", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/aws_cloudtrail.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail"}]}], "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_multiple_users_failing_to_authenticate_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Network Access Control List Created with All Open Ports", "id": "ada0f478-84a8-4641-a3f1-d82362d6bd75", "version": 2, "date": "2021-01-11", "author": "Bhavin Patel, Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "The search looks for AWS CloudTrail events to detect if any network ACLs were created with all the ports open to a specified CIDR.", "data_source": [], "search": "`cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol=-1 | append [search `cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol!=-1 | eval port_range='requestParameters.portRange.to' - 'requestParameters.portRange.from' | where port_range>1024] | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by userName userIdentity.principalId eventName requestParameters.ruleAction requestParameters.egress requestParameters.aclProtocol requestParameters.portRange.to requestParameters.portRange.from src userAgent requestParameters.cidrBlock | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_network_access_control_list_created_with_all_open_ports_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS, version 4.4.0 or later, and configure your AWS CloudTrail inputs.", "known_false_positives": "It's possible that an admin has created this ACL with all ports open for some legitimate purpose however, this should be scoped and not allowed in production environment.", "references": [], "tags": {"name": "AWS Network Access Control List Created with All Open Ports", "analytic_story": ["AWS Network ACL Activity"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "User $user_arn$ has created network ACLs with all the ports open to a specified CIDR $requestParameters.cidrBlock$", "mitre_attack_id": ["T1562.007", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "userName", "type": "User", "role": ["Victim"]}, {"name": "requestParameters.cidrBlock", "type": "IP Address", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "requestParameters.ruleAction", "requestParameters.egress", "requestParameters.aclProtocol", "requestParameters.portRange.to", "requestParameters.portRange.from", "requestParameters.cidrBlock", "userName", "userIdentity.principalId", "userAgent"], "risk_score": 48, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.007/aws_create_acl/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_network_access_control_list_created_with_all_open_ports_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Network Access Control List Deleted", "id": "ada0f478-84a8-4641-a3f1-d82362d6fd75", "version": 2, "date": "2021-01-12", "author": "Bhavin Patel, Patrick Bareiss, Splunk", "type": "Anomaly", "status": "production", "description": "Enforcing network-access controls is one of the defensive mechanisms used by cloud administrators to restrict access to a cloud instance. After the attacker has gained control of the AWS console by compromising an admin account, they can delete a network ACL and gain access to the instance from anywhere. This search will query the AWS CloudTrail logs to detect users deleting network ACLs.", "data_source": [], "search": "`cloudtrail` eventName=DeleteNetworkAclEntry requestParameters.egress=false | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by userName userIdentity.principalId eventName requestParameters.egress src userAgent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_network_access_control_list_deleted_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs.", "known_false_positives": "It's possible that a user has legitimately deleted a network ACL.", "references": [], "tags": {"name": "AWS Network Access Control List Deleted", "analytic_story": ["AWS Network ACL Activity"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Exploitation"], "message": "User $user_arn$ from $src$ has sucessfully deleted network ACLs entry (eventName= $eventName$), such that the instance is accessible from anywhere", "mitre_attack_id": ["T1562.007", "T1562"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "requestParameters.egress", "userName", "userIdentity.principalId", "src", "userAgent"], "risk_score": 5, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.007/aws_delete_acl/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_network_access_control_list_deleted_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_network_access_control_list_deleted.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS New MFA Method Registered For User", "id": "4e3c26f2-4fb9-4bd7-ab46-1b76ffa2a23b", "version": 1, "date": "2023-01-31", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the registration of a new Multi Factor authentication method for an AWS account. Adversaries who have obtained unauthorized access to an AWS account may register a new MFA method to maintain persistence.", "data_source": [], "search": " `cloudtrail` eventName=CreateVirtualMFADevice | stats count values(requestParameters.virtualMFADeviceName) as virtualMFADeviceName min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_new_mfa_method_registered_for_user_filter`", "how_to_implement": "You must install Splunk AWS add on and Splunk App for AWS. This search works when AWS CloudTrail logs.", "known_false_positives": "Newly onboarded users who are registering an MFA method for the first time will also trigger this detection.", "references": ["https://aws.amazon.com/blogs/security/you-can-now-assign-multiple-mfa-devices-in-iam/", "https://attack.mitre.org/techniques/T1556/", "https://attack.mitre.org/techniques/T1556/006/", "https://twitter.com/jhencinski/status/1618660062352007174"], "tags": {"name": "AWS New MFA Method Registered For User", "analytic_story": ["Compromised User Account", "Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "message": "A new virtual device $virtualMFADeviceName$ is added to user $user_arn$", "mitre_attack_id": ["T1556", "T1556.006"], "nist": ["DE.CM"], "observable": [{"name": "user_name", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["src_ip", "eventName", "eventSource", "requestParameters.virtualMFADeviceName", "errorCode", "userIdentity.principalId", "userAgent", "awsRegion", "user_name", "userIdentity.arn", "_time"], "risk_score": 64, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/cloudtrail.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_new_mfa_method_registered_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_new_mfa_method_registered_for_user.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Password Policy Changes", "id": "aee4a575-7064-4e60-b511-246f9baf9895", "version": 1, "date": "2023-01-26", "author": "Bhavin Patel, Splunk", "type": "Hunting", "status": "production", "description": "This search looks for AWS CloudTrail events where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.", "data_source": [], "search": "`cloudtrail` eventName IN (\"UpdateAccountPasswordPolicy\",\"GetAccountPasswordPolicy\",\"DeleteAccountPasswordPolicy\") errorCode=success | stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_password_policy_changes_filter`", "how_to_implement": "You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately triggered an AWS audit tool activity which may trigger this event.", "references": ["https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/password-policy.html"], "tags": {"name": "AWS Password Policy Changes", "analytic_story": ["AWS IAM Privilege Escalation", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "User $user_arn$ is attempting to $eventName$ the password policy for account id $aws_account_id$", "mitre_attack_id": ["T1201"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "userAgent", "errorCode", "requestParameters.userName", "eventSource", "user_arn", "aws_account_id", "src_ip"], "risk_score": 72, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/aws_password_policy/cloudtrail.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_password_policy_changes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_password_policy_changes.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS S3 Exfiltration Behavior Identified", "id": "85096389-a443-42df-b89d-200efbb1b560", "version": 1, "date": "2023-05-04", "author": "Bhavin Patel, Splunk", "type": "Correlation", "status": "production", "description": "This correlation search looks at the risk events created by the detection analytics related Collection and Exfiltration techniques used by adversaries. The rule is designed to identify instances where 2 or more analytics unique AWS analytics and 2 or more distinct mitre IDs has triggered for a particular risk object. This alert when triggered may indicate a potential exfiltration in progress. By aggregating these analytics, security teams can swiftly respond to and investigate any suspicious activities, enhancing their ability to protect critical assets and prevent unauthorized access to sensitive information.", "data_source": [], "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count values(All_Risk.risk_message) as risk_message from datamodel=Risk.All_Risk where All_Risk.annotations.mitre_attack.mitre_tactic = \"collection\" OR All_Risk.annotations.mitre_attack.mitre_tactic = \"exfiltration\" source = *AWS* by All_Risk.risk_object | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 2 and mitre_tactic_id_count>=2 | `aws_s3_exfiltration_behavior_identified_filter`", "how_to_implement": "You must enable all the detection searches in the Data Exfiltration Analytic story to create risk events in Enterprise Security.", "known_false_positives": "alse positives may be present based on automated tooling or system administrators. Filter as needed.", "references": ["https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/", "https://hackingthe.cloud/aws/enumeration/loot_public_ebs_snapshots/"], "tags": {"name": "AWS S3 Exfiltration Behavior Identified", "analytic_story": ["Suspicious Cloud Instance Activities", "Data Exfiltration"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "message": "Multiple AWS Exfiltration detections $source$ and techniques $All_Risk.annotations.mitre_attack.mitre_tactic_id$ trigged for risk object $risk_object$", "mitre_attack_id": ["T1537"], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["All_Risk.analyticstories", "All_Risk.risk_object_type", "All_Risk.risk_object", "All_Risk.annotations.mitre_attack.mitre_tactic", "All_Risk.calculated_risk_score", "source"], "risk_score": 81, "security_domain": "threat", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_exfil_risk_events/aws_risk.log", "source": "aws_exfil", "sourcetype": "stash", "update_timestamp": true}]}], "datamodel": ["Risk"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "aws_s3_exfiltration_behavior_identified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_s3_exfiltration_behavior_identified.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "AWS SAML Access by Provider User and Principal", "id": "bbe23980-6019-11eb-ae93-0242ac130002", "version": 1, "date": "2021-01-26", "author": "Rod Soto, Splunk", "type": "Anomaly", "status": "production", "description": "This search provides specific SAML access from specific Service Provider, user and targeted principal at AWS. This search provides specific information to detect abnormal access or potential credential hijack or forgery, specially in federated environments using SAML protocol inside the perimeter or cloud provider.", "data_source": [], "search": "`cloudtrail` eventName=Assumerolewithsaml | stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.principalArn requestParameters.roleArn requestParameters.roleSessionName recipientAccountId responseElements.issuer sourceIPAddress userAgent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`aws_saml_access_by_provider_user_and_principal_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs", "known_false_positives": "Attacks using a Golden SAML or SAML assertion hijacks or forgeries are very difficult to detect as accessing cloud providers with these assertions looks exactly like normal access, however things such as source IP sourceIPAddress user, and principal targeted at receiving cloud provider along with endpoint credential access and abuse detection searches can provide the necessary context to detect these attacks.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps"], "tags": {"name": "AWS SAML Access by Provider User and Principal", "analytic_story": ["Cloud Federated Credential Abuse"], "asset_type": "AWS Federated Account", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "From IP address $sourceIPAddress$, user agent $userAgent$ has trigged an event $eventName$ for account ID $recipientAccountId$", "mitre_attack_id": ["T1078"], "nist": ["DE.AE"], "observable": [{"name": "sourceIPAddress", "type": "IP Address", "role": ["Attacker"]}, {"name": "recipientAccountId", "type": "Other", "role": ["Victim", "Target"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "requestParameters.principalArn", "requestParameters.roleArn", "requestParameters.roleSessionName", "recipientAccountId", "responseElements.issuer", "sourceIPAddress", "userAgent"], "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/assume_role_with_saml/assume_role_with_saml.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_saml_access_by_provider_user_and_principal_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_saml_access_by_provider_user_and_principal.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS SAML Update identity provider", "id": "2f0604c6-6030-11eb-ae93-0242ac130002", "version": 1, "date": "2021-01-26", "author": "Rod Soto, Splunk", "type": "TTP", "status": "production", "description": "This search provides detection of updates to SAML provider in AWS. Updates to SAML provider need to be monitored closely as they may indicate possible perimeter compromise of federated credentials, or backdoor access from another cloud provider set by attacker.", "data_source": [], "search": "`cloudtrail` eventName=UpdateSAMLProvider | stats count min(_time) as firstTime max(_time) as lastTime by eventType eventName requestParameters.sAMLProviderArn userIdentity.sessionContext.sessionIssuer.arn sourceIPAddress userIdentity.accessKeyId userIdentity.principalId | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`aws_saml_update_identity_provider_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "Updating a SAML provider or creating a new one may not necessarily be malicious however it needs to be closely monitored.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps"], "tags": {"name": "AWS SAML Update identity provider", "analytic_story": ["Cloud Federated Credential Abuse"], "asset_type": "AWS Federated Account", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "User $userIdentity.principalId$ from IP address $sourceIPAddress$ has trigged an event $eventName$ to update the SAML provider to $requestParameters.sAMLProviderArn$", "mitre_attack_id": ["T1078"], "nist": ["DE.CM"], "observable": [{"name": "sourceIPAddress", "type": "IP Address", "role": ["Attacker"]}, {"name": "userIdentity.principalId", "type": "User", "role": ["Victim", "Target"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "eventType", "requestParameters.sAMLProviderArn", "userIdentity.sessionContext.sessionIssuer.arn", "sourceIPAddress", "userIdentity.accessKeyId", "userIdentity.principalId"], "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/update_saml_provider/update_saml_provider.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_saml_update_identity_provider_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_saml_update_identity_provider.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS SetDefaultPolicyVersion", "id": "2a9b80d3-6340-4345-11ad-212bf3d0dac4", "version": 1, "date": "2021-03-02", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "This search looks for AWS CloudTrail events where a user has set a default policy versions. Attackers have been know to use this technique for Privilege Escalation in case the previous versions of the policy had permissions to access more resources than the current version of the policy", "data_source": [], "search": "`cloudtrail` eventName=SetDefaultPolicyVersion eventSource = iam.amazonaws.com | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyArn) as policy_arn by src requestParameters.versionId eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_setdefaultpolicyversion_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately set a default policy to allow a user to access all resources. That said, AWS strongly advises against granting full control to all AWS resources", "references": ["https://bishopfox.com/blog/privilege-escalation-in-aws", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/"], "tags": {"name": "AWS SetDefaultPolicyVersion", "analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "From IP address $sourceIPAddress$, user agent $userAgent$ has trigged an event $eventName$ for updating the the default policy version", "mitre_attack_id": ["T1078.004", "T1078"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "userAgent", "errorCode", "requestParameters.userName", "eventSource"], "risk_score": 30, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_setdefaultpolicyversion/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_setdefaultpolicyversion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_setdefaultpolicyversion.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Successful Console Authentication From Multiple IPs", "id": "395e50e1-2b87-4fa3-8632-0dfbdcbcd2cb", "version": 1, "date": "2023-01-19", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies an AWS account successfully authenticating from more than one unique Ip address in the span of 5 minutes. This behavior could represent an adversary who has stolen credentials via a phishing attack or some other method and using them to access corporate online resources around the same time as a legitimate user. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments.", "data_source": [], "search": " `cloudtrail` eventName = ConsoleLogin | bin span=5m _time | stats values(userAgent) values(eventName) values(src_ip) dc(src_ip) as distinct_ip_count by _time user_arn | where distinct_ip_count>1 | `aws_successful_console_authentication_from_multiple_ips_filter`", "how_to_implement": "You must install Splunk AWS add on and Splunk App for AWS. This search works when AWS CloudTrail events are normalized use the Authentication datamodel.", "known_false_positives": "A user with successful authentication events from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.", "references": ["https://rhinosecuritylabs.com/aws/mfa-phishing-on-aws/"], "tags": {"name": "AWS Successful Console Authentication From Multiple IPs", "analytic_story": ["Suspicious AWS Login Activities", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Weaponization", "Exploitation"], "message": "User $user_arn$ has successfully logged into the AWS Console from different IP addresses $src$ within 5 mins", "mitre_attack_id": ["T1586", "T1535"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Authentication.src", "Authentication.user", "Authentication.signature", "Authentication.user_agent", "Authentication.action", "Authentication.user_type"], "risk_score": 72, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1586.003/aws_console_login_multiple_ips/cloudtrail.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_successful_console_authentication_from_multiple_ips_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Successful Single-Factor Authentication", "id": "a520b1fe-cc9e-4f56-b762-18354594c52f", "version": 1, "date": "2022-10-04", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a successful Console Login authentication event against an AWS IAM user for an account without Multi-Factor Authentication enabled. This could be evidence of a misconfiguration, a policy violation or an account take over attempt that should be investigated", "data_source": [], "search": "`cloudtrail` eventName= ConsoleLogin errorCode=success \"additionalEventData.MFAUsed\"=No | stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource aws_account_id errorCode additionalEventData.MFAUsed userAgent eventID awsRegion user_name userIdentity.arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_successful_single_factor_authentication_filter`", "how_to_implement": "The Splunk AWS Add-on is required to utilize this data. The search requires AWS Cloudtrail logs.", "known_false_positives": "It is possible that some accounts do not have MFA enabled for the AWS account however its agaisnt the best practices of securing AWS.", "references": ["https://attack.mitre.org/techniques/T1621/", "https://attack.mitre.org/techniques/T1078/004/", "https://aws.amazon.com/what-is/mfa/"], "tags": {"name": "AWS Successful Single-Factor Authentication", "analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "message": "User $user_name$ has successfully logged into an AWS Console without Multi-Factor Authentication from $src$", "mitre_attack_id": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"], "observable": [{"name": "user_name", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["src", "eventName", "eventSource", "aws_account_id", "errorCode", "additionalEventData.MFAUsed", "userAgent", "eventID", "awsRegion", "user_name", "userIdentity.arn"], "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/aws_login_sfa/cloudtrail.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_successful_single_factor_authentication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_successful_single_factor_authentication.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Unusual Number of Failed Authentications From Ip", "id": "0b5c9c2b-e2cb-4831-b4f1-af125ceb1386", "version": 1, "date": "2022-09-26", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies one source IP failing to authenticate into the AWS Console with multiple valid users. This behavior could represent an adversary performing a Password Spraying attack against an AWS environment to obtain initial access or elevate privileges. The detection calculates the standard deviation for source IP and leverages the 3-sigma statistical rule to identify an unusual number of failed authentication attempts. To customize this analytic, users can try different combinations of the bucket span time and the calculation of the upperBound field. This logic can be used for real time security monitoring as well as threat hunting exercises. While looking for anomalies using statistical methods like the standard deviation can have benefits, we also recommend using threshold-based detections to complement coverage. A similar analytic following the threshold model is `AWS Multiple Users Failing To Authenticate From Ip`.", "data_source": [], "search": "`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time | stats dc(_raw) AS unique_accounts values(user_name) as tried_accounts by _time, src_ip | eventstats avg(unique_accounts) as ip_avg , stdev(unique_accounts) as ip_std by _time | eval upperBound=(ip_avg+ip_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | where isOutlier = 1 |`aws_unusual_number_of_failed_authentications_from_ip_filter`", "how_to_implement": "You must install Splunk Add-on for AWS in order to ingest Cloudtrail. We recommend the users to try different combinations of the bucket span time and the calculation of the upperBound field to tune this search according to their environment", "known_false_positives": "No known false postives for this detection. Please review this alert", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://www.whiteoaksecurity.com/blog/goawsconsolespray-password-spraying-tool/", "https://softwaresecuritydotblog.wordpress.com/2019/09/28/how-to-protect-against-credential-stuffing-on-aws/"], "tags": {"name": "AWS Unusual Number of Failed Authentications From Ip", "analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation"], "message": "Unusual number of failed console login attempts against users $tried_accounts$ seen from $src_ip$", "mitre_attack_id": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "tried_accounts", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "user", "action", "eventName", "src_ip"], "risk_score": 54, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/aws_cloudtrail.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_unusual_number_of_failed_authentications_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS UpdateLoginProfile", "id": "2a9b80d3-6a40-4115-11ad-212bf3d0d111", "version": 3, "date": "2022-03-03", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "This search looks for AWS CloudTrail events where a user A who has already permission to update login profile, makes an API call to update login profile for another user B . Attackers have been know to use this technique for Privilege Escalation in case new victim(user B) has more permissions than old victim(user B)", "data_source": [], "search": " `cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success | eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) | search match=0 | stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_updateloginprofile_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user.", "references": ["https://bishopfox.com/blog/privilege-escalation-in-aws", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/"], "tags": {"name": "AWS UpdateLoginProfile", "analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": ["Installation"], "message": "From IP address $sourceIPAddress$, user agent $userAgent$ has trigged an event $eventName$ for updating the existing login profile, potentially giving user $user_arn$ more access privilleges", "mitre_attack_id": ["T1136.003", "T1136"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "userAgent", "errorCode", "requestParameters.userName"], "risk_score": 30, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_updateloginprofile/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_updateloginprofile_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_updateloginprofile.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "Azure Active Directory High Risk Sign-in", "id": "1ecff169-26d7-4161-9a7b-2ac4c8e61bea", "version": 1, "date": "2022-07-11", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic triggers on a high risk sign-in against Azure Active Directory identified by Azure Identity Protection. Identity Protection monitors sign-in events using heuristics and machine learning to identify potentially malicious events and categorizes them in three categories high, medium and low.", "data_source": [], "search": " `azuread` body.category=UserRiskEvents body.properties.riskLevel=high | rename body.properties.* as * | stats values(userPrincipalName) by _time, ipAddress, activity, riskLevel, riskEventType, additionalInfo | `azure_active_directory_high_risk_sign_in_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. You must be ingesting Azure Active Directory events in your Splunk environment. Specifically, this analytic leverages the RiskyUsers and UserRiskEvents log category.", "known_false_positives": "Details for the risk calculation algorithm used by Identity Protection are unknown and may be prone to false positives.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks"], "tags": {"name": "Azure Active Directory High Risk Sign-in", "analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation"], "message": "A high risk event was identified by Identify Protection for user $body.properties.userPrincipalName$", "mitre_attack_id": ["T1586", "T1586.003", "T1110", "T1110.003"], "nist": ["DE.CM"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Victim"]}, {"name": "ipAddress", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "body.category", "body.properties.riskLevel", "body.properties.userPrincipalName", "body.properties.ipAddress", "body.properties.activity", "body.properties.riskEventType", "body.properties.additionalInfo"], "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/azuread_highrisk/azure-audit.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": ["Risk"], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_active_directory_high_risk_sign_in_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_active_directory_high_risk_sign_in.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD Application Administrator Role Assigned", "id": "eac4de87-7a56-4538-a21b-277897af6d8d", "version": 1, "date": "2023-04-25", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the assignment of the Application Administrator role to an Azure AD user. Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. This role also grants the ability to manage application credentials. Users assigned this role can add credentials to an application, and use those credentials to impersonate the applications identity. If the applications identity has been granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while impersonating the application. This ability to impersonate the applications identity may be an elevation of privilege over what the user can do via their role assignments. Red teams and adversaries alike may abuse this role to escalate their privileges in an Azure AD tenant.", "data_source": [], "search": " `azuread` \"body.operationName\"=\"Add member to role\" \"body.properties.targetResources{}.modifiedProperties{}.newValue\"=\"\\\"Application Administrator\\\"\" | rename body.properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | stats values(userPrincipalName) by _time, initiatedBy, result, body.operationName | `azure_ad_application_administrator_role_assigned_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.", "known_false_positives": "Administrators may legitimately assign the Application Administrator role to a user. Filter as needed.", "references": ["https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/", "https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5", "https://docs.microsoft.com/en-us/azure/active-directory/roles/concept-understand-roles", "https://attack.mitre.org/techniques/T1098/003/", "https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#application-administrator"], "tags": {"name": "Azure AD Application Administrator Role Assigned", "analytic_story": ["Azure Active Directory Privilege Escalation"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation"], "message": "The privileged Azure AD role Application Administrator was assigned for User $userPrincipalName$ initiated by $initiatedBy$", "mitre_attack_id": ["T1098", "T1098.003"], "nist": ["DE.CM"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "body.properties.targetResources{}.userPrincipalName", "body.properties.targetResources{}.type", "body.properties.initiatedBy.user.userPrincipalName", "body.properties.result"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "atomic_guid": [], "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/azure-audit.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_application_administrator_role_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_application_administrator_role_assigned.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD Authentication Failed During MFA Challenge", "id": "e62c9c2e-bf51-4719-906c-3074618fcc1c", "version": 1, "date": "2022-07-14", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies an authentication attempt event against an Azure AD tenant that fails during the Multi Factor Authentication challenge. Error Code 500121 represents a failed attempt to authenticate using a second factor. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled. ", "data_source": [], "search": " `azuread` body.category=SignInLogs body.properties.status.errorCode=500121 | rename body.properties.* as * | stats values(userPrincipalName) by _time, ipAddress, status.additionalDetails, appDisplayName, userAgent | `azure_ad_authentication_failed_during_mfa_challenge_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events in your Splunk environment. Specifically, this analytic leverages the SignInLogs log category.", "known_false_positives": "Legitimate users may miss to reply the MFA challenge within the time window or deny it by mistake.", "references": ["https://attack.mitre.org/techniques/T1621/", "https://attack.mitre.org/techniques/T1078/004/", "https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks"], "tags": {"name": "Azure AD Authentication Failed During MFA Challenge", "analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "message": "User $body.properties.userPrincipalName$ failed to pass MFA challenge", "mitre_attack_id": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "nist": ["DE.CM"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Victim"]}, {"name": "ipAddress", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "body.category", "body.properties.status.errorCode", "body.properties.userPrincipalName", "body.properties.ipAddress", "body.properties.status.additionalDetails", "body.properties.appDisplayName", "body.properties.userAgent"], "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/azuread/azure-audit.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_authentication_failed_during_mfa_challenge_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD Concurrent Sessions From Different Ips", "id": "a9126f73-9a9b-493d-96ec-0dd06695490d", "version": 1, "date": "2023-01-24", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies an Azure AD account with concurrent sessions coming from more than one unique Ip address within the span of 5 minutes. This behavior could represent a session hijacking attack whereby an adversary has extracted cookies from a victims browser and is using them from a different location to access corporate online resources. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments.", "data_source": [], "search": " `azuread` properties.authenticationDetails{}.succeeded=true category=NonInteractiveUserSignInLogs | rename properties.* as * | bucket span=5m _time | stats dc(ipAddress) AS unique_ips values(ipAddress) values(appDisplayName) by _time, userPrincipalName | where unique_ips > 1 | `azure_ad_concurrent_sessions_from_different_ips_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the SignInLogs log category.", "known_false_positives": "A user with concurrent sessions from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.", "references": ["https://attack.mitre.org/techniques/T1185/", "https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/", "https://github.com/kgretzky/evilginx2"], "tags": {"name": "Azure AD Concurrent Sessions From Different Ips", "analytic_story": ["Compromised User Account", "Azure Active Directory Account Takeover"], "asset_type": "Azure AD", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "User $userPrincipalName$ has concurrent sessions from more than one unique IP address in the span of 5 minutes.", "mitre_attack_id": ["T1185"], "nist": ["DE.CM"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Victim"]}, {"name": "ipAddress", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "properties.status.errorCode", "category", "properties.authenticationDetails", "properties.userPrincipalName", "properties.ipAddress"], "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1185", "mitre_attack_technique": "Browser Session Hijacking", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/azure_ad_concurrent_sessions_from_different_ips/azuread.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_concurrent_sessions_from_different_ips_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD External Guest User Invited", "id": "c1fb4edb-cab1-4359-9b40-925ffd797fb5", "version": 1, "date": "2022-08-18", "author": "Gowthamaraj Rajendran, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the invitation of an external guest user within Azure AD. With Azure AD B2B collaboration, users and administrators can invite external users to collaborate with internal users. External guest account invitations should be monitored by security teams as they could potentially lead to unauthorized access. An example of this attack vector was described at BlackHat 2022 by security researcher Dirk-Jan during his tall `Backdooring and Hijacking Azure AD Accounts by Abusing External Identities`", "data_source": [], "search": "`azuread` \"body.operationName\"=\"Invite external user\" | rename body.properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.type as type | stats values(userPrincipalName) by _time, type, initiatedBy, result, body.operationName | `azure_ad_external_guest_user_invited_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.", "known_false_positives": "Administrator may legitimately invite external guest users. Filter as needed.", "references": ["https://dirkjanm.io/assets/raw/US-22-Mollema-Backdooring-and-hijacking-Azure-AD-accounts_final.pdf", "https://www.blackhat.com/us-22/briefings/schedule/#backdooring-and-hijacking-azure-ad-accounts-by-abusing-external-identities-26999", "https://attack.mitre.org/techniques/T1136/003/", "https://docs.microsoft.com/en-us/azure/active-directory/external-identities/b2b-quickstart-add-guest-users-portal"], "tags": {"name": "Azure AD External Guest User Invited", "analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Installation"], "message": "External Guest User $userPrincipalName$ initiated by $initiatedBy$", "mitre_attack_id": ["T1136.003"], "nist": ["DE.CM"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "body.properties.targetResources{}.userPrincipalName", "body.properties.targetResources{}.type", "body.properties.initiatedBy.user.userPrincipalName", "body.properties.result"], "risk_score": 45, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_ad_external_guest_user_invited/azure-audit.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_external_guest_user_invited_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_external_guest_user_invited.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD Global Administrator Role Assigned", "id": "825fed20-309d-4fd1-8aaf-cd49c1bb093c", "version": 2, "date": "2022-08-17", "author": "Gowthamaraj Rajendran, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the assignment of the Azure AD Global Administrator role to an Azure AD user. The Global Administrator role is the most powerful administrator role in Azure AD and provides almost unlimited access to data, resources and settings. It is equivalent to the Domain Administrator group in an Active Directory environment. While Azure AD roles do not grant access to Azure services and resources, it is possible for a Global Administrator account to gain control of Azure resources. Adversaries and red teams alike may assign this role to a compromised account to establish Persistence or escalate their privileges in an Azure AD environment.", "data_source": [], "search": "`azuread` \"body.operationName\"=\"Add member to role\" \"body.properties.targetResources{}.modifiedProperties{}.newValue\"=\"\\\"Global Administrator\\\"\" | rename body.properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | stats values(userPrincipalName) by _time, initiatedBy, result, body.operationName | `azure_ad_global_administrator_role_assigned_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.", "known_false_positives": "Administrators may legitimately assign the Global Administrator role to a user. Filter as needed.", "references": ["https://o365blog.com/post/admin/", "https://adsecurity.org/?p=4277", "https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors", "https://docs.microsoft.com/en-us/azure/active-directory/roles/security-planning", "https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin", "https://attack.mitre.org/techniques/T1098/003/"], "tags": {"name": "Azure AD Global Administrator Role Assigned", "analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Installation"], "message": "Global Administrator Role assigned for User $userPrincipalName$ initiated by $initiatedBy$", "mitre_attack_id": ["T1098.003"], "nist": ["DE.CM"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "body.properties.targetResources{}.userPrincipalName", "body.properties.targetResources{}.type", "body.properties.initiatedBy.user.userPrincipalName", "body.properties.result"], "risk_score": 72, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_assign_global_administrator/azure-audit.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_global_administrator_role_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_global_administrator_role_assigned.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD High Number Of Failed Authentications For User", "id": "630b1694-210a-48ee-a450-6f79e7679f2c", "version": 1, "date": "2023-01-23", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies an Azure AD account with more than 20 failed authentication events in the span of 5 minutes. This behavior could represent a brute force attack against the account. As environments differ across organizations, security teams should customize the threshold of this detection.", "data_source": [], "search": " `azuread` category= SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | stats dc(_raw) AS failed_attempts values(ipAddress) by userPrincipalName, _time | where failed_attempts > 20 | `azure_ad_high_number_of_failed_authentications_for_user_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the SignInLogs log category.", "known_false_positives": "A user with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.", "references": ["https://attack.mitre.org/techniques/T1110/", "https://attack.mitre.org/techniques/T1110/001/"], "tags": {"name": "Azure AD High Number Of Failed Authentications For User", "analytic_story": ["Compromised User Account", "Azure Active Directory Account Takeover"], "asset_type": "Azure AD", "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "User $userPrincipalName$ failed to authenticate more than 20 times in the span of 5 minutes.", "mitre_attack_id": ["T1110", "T1110.001"], "nist": ["DE.CM"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "properties.status.errorCode", "category", "properties.authenticationDetails", "properties.userPrincipalName", "properties.ipAddress"], "risk_score": 35, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/azure_ad_high_number_of_failed_authentications_for_user/azuread.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_high_number_of_failed_authentications_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_high_number_of_failed_authentications_for_user.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD High Number Of Failed Authentications From Ip", "id": "e5ab41bf-745d-4f72-a393-2611151afd8e", "version": 1, "date": "2023-01-23", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies an Ip address failing to authenticate 20 or more times to an Azure AD tenant in the span of 5 minutes. This behavior could represent a brute force attack againstan Azure AD to obtain initial access or elevate privileges. As environments differ across organizations, security teams should customize the threshold of this detection.", "data_source": [], "search": " `azuread` category= SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | stats dc(_raw) AS failed_attempts values(userPrincipalName) by ipAddress, _time | where failed_attempts > 20 | `azure_ad_high_number_of_failed_authentications_from_ip_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the SignInLogs log category.", "known_false_positives": "An Ip address with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.", "references": ["https://attack.mitre.org/techniques/T1110/", "https://attack.mitre.org/techniques/T1110/001/", "https://attack.mitre.org/techniques/T1110/003/"], "tags": {"name": "Azure AD High Number Of Failed Authentications From Ip", "analytic_story": ["Compromised User Account", "Azure Active Directory Account Takeover"], "asset_type": "Azure AD", "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "$ipAddress$ failed to authenticate more than 20 times in the span of 5 minutes.", "mitre_attack_id": ["T1110", "T1110.001", "T1110.003"], "nist": ["DE.CM"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Victim"]}, {"name": "ipAddress", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "properties.status.errorCode", "category", "properties.authenticationDetails", "properties.userPrincipalName", "properties.ipAddress"], "risk_score": 35, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/azure_ad_high_number_of_failed_authentications_for_user/azuread.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_high_number_of_failed_authentications_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD Multi-Factor Authentication Disabled", "id": "482dd42a-acfa-486b-a0bb-d6fcda27318e", "version": 1, "date": "2022-08-10", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies an attempt to disable multi-factor authentication for an Azure AD user. An adversary who has obtained access to an Azure AD tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users.", "data_source": [], "search": "`azuread` body.category=AuditLogs body.operationName=\"Disable Strong Authentication\" | rename body.properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename targetResources{}.type as type | rename initiatedBy.user.userPrincipalName as initiatedBy | stats values(userPrincipalName) by _time, type, body.operationName, initiatedBy, result | `azure_ad_multi_factor_authentication_disabled_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.", "known_false_positives": "Legitimate use case may require for users to disable MFA. Filter as needed.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks", "https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates", "https://attack.mitre.org/tactics/TA0005/", "https://attack.mitre.org/techniques/T1556/"], "tags": {"name": "Azure AD Multi-Factor Authentication Disabled", "analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Weaponization", "Exploitation", "Installation"], "message": "MFA disabled for User $userPrincipalName$ initiated by $initiatedBy$", "mitre_attack_id": ["T1586", "T1586.003", "T1556", "T1556.006"], "nist": ["DE.CM"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "body.properties.targetResources{}.userPrincipalName", "body.properties.targetResources{}.type", "body.properties.initiatedBy.user.userPrincipalName", "body.properties.result"], "risk_score": 45, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/azuread/azure-audit.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": ["Authentication"], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_multi_factor_authentication_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD Multiple Failed MFA Requests For User", "id": "264ea131-ab1f-41b8-90e0-33ad1a1888ea", "version": 1, "date": "2022-08-25", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies multiple failed multi-factor authentication requests for a single user within an Azure AD tenant. Error Code 500121 represents a failed attempt to authenticate using a second factor. Specifically, the analytic triggers when more than 10 MFA user prompts fail within 10 minutes. Azure AD tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others.", "data_source": [], "search": " `azuread` body.category=SignInLogs body.properties.status.errorCode=500121 | rename body.properties.* as * | bucket span=10m _time | stats dc(_raw) AS mfa_prompts values(userPrincipalName) by userPrincipalName, status.additionalDetails, appDisplayName, userAgent, _time | where mfa_prompts > 10 | `azure_ad_multiple_failed_mfa_requests_for_user_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the SignInLogs log category.", "known_false_positives": "Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed.", "references": ["https://www.mandiant.com/resources/blog/russian-targeting-gov-business", "https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/", "https://therecord.media/russian-hackers-bypass-2fa-by-annoying-victims-with-repeated-push-notifications/", "https://attack.mitre.org/techniques/T1621/", "https://attack.mitre.org/techniques/T1078/004/"], "tags": {"name": "Azure AD Multiple Failed MFA Requests For User", "analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "message": "Multiple Failed MFA requests for user $body.properties.userPrincipalName$", "mitre_attack_id": ["T1586", "T1586.003", "T1621", "T1078", "T1078.004"], "nist": ["DE.CM"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Victim"]}, {"name": "ipAddress", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "body.properties.status.errorCode", "body.category", "body.properties.authenticationDetails", "body.properties.userPrincipalName", "body.properties.ipAddress"], "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/multiple_failed_mfa_requests/azure-audit.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_multiple_failed_mfa_requests_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD Multiple Users Failing To Authenticate From Ip", "id": "94481a6a-8f59-4c86-957f-55a71e3612a6", "version": 1, "date": "2022-07-12", "author": "Mauricio Velazco, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies one source Ip failing to authenticate with 30 unique valid users within 5 minutes. This behavior could represent an adversary performing a Password Spraying attack against an Azure Active Directory tenant to obtain initial access or elevate privileges. Error Code 50126 represents an invalid password. This logic can be used for real time security monitoring as well as threat hunting exercises.\\\nAzure AD tenants can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold if needed.", "data_source": [], "search": " `azuread` body.category= SignInLogs body.properties.status.errorCode=50126 body.properties.authenticationDetails{}.succeeded= false | rename body.properties.* as * | bucket span=5m _time | stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) as tried_accounts by _time, ipAddress | where unique_accounts > 30 | `azure_ad_multiple_users_failing_to_authenticate_from_ip_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the SignInLogs log category.", "known_false_positives": "A source Ip failing to authenticate with multiple users is not a common for legitimate behavior.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes"], "tags": {"name": "Azure AD Multiple Users Failing To Authenticate From Ip", "analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Weaponization", "Exploitation"], "message": "Source Ip $body.properties.ipAddress$ failed to authenticate with 30 users within 5 minutes.", "mitre_attack_id": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Victim"]}, {"name": "ipAddress", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "body.properties.status.errorCode", "body.category", "body.properties.authenticationDetails", "body.properties.userPrincipalName", "body.properties.ipAddress"], "risk_score": 63, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/azuread/azure-audit.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_multiple_users_failing_to_authenticate_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml", "source": "cloud"}, {"name": "Azure AD New Custom Domain Added", "id": "30c47f45-dd6a-4720-9963-0bca6c8686ef", "version": 1, "date": "2022-09-02", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the addition of a new custom domain within an Azure Active Directory tenant. Adding a custom domain is a step required to set up the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA.", "data_source": [], "search": " `azuread` body.operationName=\"Add unverified domain\" \"body.properties.result\"=success | rename body.properties.* as * | rename body.callerIpAddress as callerIpAddress | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.displayName as domain | stats values(domain) by _time, initiatedBy, result, body.operationName, callerIpAddress | `azure_ad_new_custom_domain_added_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.", "known_false_positives": "In most organizations, new customm domains will be updated infrequently. Filter as needed.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/domains-manage", "https://www.mandiant.com/resources/remediation-and-hardening-strategies-microsoft-365-defend-against-apt29-v13", "https://o365blog.com/post/federation-vulnerability/", "https://www.inversecos.com/2021/11/how-to-detect-azure-active-directory.html", "https://www.mandiant.com/resources/blog/detecting-microsoft-365-azure-active-directory-backdoors", "https://attack.mitre.org/techniques/T1484/002/"], "tags": {"name": "Azure AD New Custom Domain Added", "analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "A new custom domain, $domain$ , was added by $initiatedBy$", "mitre_attack_id": ["T1484", "T1484.002"], "nist": ["DE.CM"], "observable": [{"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "body.operationName", "body.properties.result", "body.callerIpAddress", "body.properties.targetResources{}.displayName", "body.properties.initiatedBy.user.userPrincipalName"], "risk_score": 54, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1484.002", "mitre_attack_technique": "Domain Trust Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.002/new_federated_domain/azure-audit.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_new_custom_domain_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_new_custom_domain_added.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD New Federated Domain Added", "id": "a87cd633-076d-4ab2-9047-977751a3c1a0", "version": 1, "date": "2022-09-02", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the addition of a new federated domain within an Azure Active Directory tenant. This event could represent the execution of the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA.", "data_source": [], "search": " `azuread` body.operationName=\"Set domain authentication\" \"body.properties.result\"=success | rename body.properties.* as * | rename body.callerIpAddress as callerIpAddress | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.displayName as domain | stats values(domain) by _time, initiatedBy, result, body.operationName, callerIpAddress | `azure_ad_new_federated_domain_added_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.", "known_false_positives": "In most organizations, domain federation settings will be updated infrequently. Filter as needed.", "references": ["https://www.mandiant.com/resources/remediation-and-hardening-strategies-microsoft-365-defend-against-apt29-v13", "https://o365blog.com/post/federation-vulnerability/", "https://www.inversecos.com/2021/11/how-to-detect-azure-active-directory.html", "https://www.mandiant.com/resources/blog/detecting-microsoft-365-azure-active-directory-backdoors", "https://attack.mitre.org/techniques/T1484/002/"], "tags": {"name": "Azure AD New Federated Domain Added", "analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "A new federated domain, $domain$ , was added by $initiatedBy$", "mitre_attack_id": ["T1484", "T1484.002"], "nist": ["DE.CM"], "observable": [{"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "body.operationName", "body.properties.result", "body.callerIpAddress", "body.properties.targetResources{}.displayName", "body.properties.initiatedBy.user.userPrincipalName"], "risk_score": 81, "security_domain": "threat", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1484.002", "mitre_attack_technique": "Domain Trust Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.002/new_federated_domain/azure-audit.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_new_federated_domain_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_new_federated_domain_added.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD New MFA Method Registered For User", "id": "2628b087-4189-403f-9044-87403f777a1b", "version": 1, "date": "2023-01-30", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the registration of a new Multi Factor authentication method for an Azure AD account. Adversaries who have obtained unauthorized access to an Azure AD account may register a new MFA method to maintain persistence.", "data_source": [], "search": " `azuread` category=AuditLogs operationName=\"User registered security info\" properties.operationType=Add | rename properties.* as * | rename targetResources{}.* as * | stats values(userPrincipalName) by _time, resultDescription, result, callerIpAddress | `azure_ad_new_mfa_method_registered_for_user_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.", "known_false_positives": "Newly onboarded users who are registering an MFA method for the first time will also trigger this detection.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks", "https://attack.mitre.org/techniques/T1556/", "https://attack.mitre.org/techniques/T1556/006/", "https://twitter.com/jhencinski/status/1618660062352007174"], "tags": {"name": "Azure AD New MFA Method Registered For User", "analytic_story": ["Compromised User Account", "Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "message": "UPDATE message", "mitre_attack_id": ["T1556", "T1556.006"], "nist": ["DE.CM"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Victim"]}, {"name": "callerIpAddress", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "category", "operationName", "properties.operationType", "userPrincipalName", "resultDescription", "result", "callerIpAddress"], "risk_score": 64, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/azure_ad_new_mfa_method_registered_for_user/azuread.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_new_mfa_method_registered_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD PIM Role Assigned", "id": "fcd6dfeb-191c-46a0-a29c-c306382145ab", "version": 1, "date": "2023-04-26", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the assignment of the Azure AD PIM role. Privileged Identity Management (PIM) is a service within Azure Azure AD that enables administrators to manage, control, and monitor access to sensitive resources. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources. Once a user has been made eligible for an administrative role, she must activate this role assignment to perform the privileged actions. When a role is activated, Azure AD PIM temporarily adds active assignment for the role. While PIM can be leveraged as a powerful security control, it may also abused by adversaries to obtain privileged access. Security teams should monitor for the assignment and activation of PIM roles and validate their legitimacy.", "data_source": [], "search": " `azuread` operationName=\"Add eligible member to role in PIM completed*\" | rename properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | stats values(userPrincipalName) values(targetResources{}.displayName) by _time, result, operationName, initiatedBy.user.displayName | `azure_ad_pim_role_assigned_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.", "known_false_positives": "As part of legitimate administrative behavior, users may be assigned PIM roles. Filter as needed", "references": ["https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure", "https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-activate-role", "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT401/AZT401/"], "tags": {"name": "Azure AD PIM Role Assigned", "analytic_story": ["Azure Active Directory Privilege Escalation", "Azure Active Directory Persistence"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation"], "message": "An Azure AD PIM role assignment was assiged to $userPrincipalName$", "mitre_attack_id": ["T1098", "T1098.003"], "nist": ["DE.CM"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "properties", "operationName", "userPrincipalName", "initiatedBy.user.userPrincipalName", "result"], "risk_score": 35, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_pim_role_activated/azure-audit.log", "source": "eventhub://researchhub1.servicebus.windows.net/azureadhub;", "sourcetype": "mscs:azure:eventhub"}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_pim_role_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_pim_role_assigned.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD PIM Role Assignment Activated", "id": "952e80d0-e343-439b-83f4-808c3e6fbf2e", "version": 1, "date": "2023-04-26", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the assignment of the Azure AD PIM role. Privileged Identity Management (PIM) is a service within Azure Azure AD that enables administrators to manage, control, and monitor access to sensitive resources. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources. Once a user has been made eligible for an administrative role, she must activate this role assignment to perform the privileged actions. When a role is activated, Azure AD PIM temporarily adds active assignment for the role. While PIM can be leveraged as a powerful security control, it may also abused by adversaries to obtain privileged access. Security teams should monitor for the assignment and activation of PIM roles and validate their legitimacy.", "data_source": [], "search": " `azuread` operationName=\"Add member to role completed (PIM activation)\" | rename properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | stats values(userPrincipalName) values(targetResources{}.displayName) by _time, initiatedBy, result, operationName, | `azure_ad_pim_role_assignment_activated_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.", "known_false_positives": "As part of legitimate administrative behavior, users may activate PIM roles. Filter as needed", "references": ["https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure", "https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-activate-role", "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT401/AZT401/"], "tags": {"name": "Azure AD PIM Role Assignment Activated", "analytic_story": ["Azure Active Directory Privilege Escalation", "Azure Active Directory Persistence"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation"], "message": "An Azure AD PIM role assignment was activated by $initiatedBy$", "mitre_attack_id": ["T1098", "T1098.003"], "nist": ["DE.CM"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "properties", "operationName", "userPrincipalName", "initiatedBy.user.userPrincipalName", "result"], "risk_score": 35, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_pim_role_activated/azure-audit.log", "source": "eventhub://researchhub1.servicebus.windows.net/azureadhub;", "sourcetype": "mscs:azure:eventhub"}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_pim_role_assignment_activated_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_pim_role_assignment_activated.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD Privileged Authentication Administrator Role Assigned", "id": "a7da845d-6fae-41cf-b823-6c0b8c55814a", "version": 1, "date": "2023-04-25", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the assignment of the Privileged Authentication Administrato role to an Azure AD user. Users in this role can set or reset authentication methods for any user in Azure Active Directory, including privileged roles like Global Administrators. Users with this role can change credentials for people who may have access to sensitive or private information or critical configuration inside and outside of Azure Active Directory. Changing the credentials of a user may mean the ability to assume that users identity and permissions. Red teams and adversaries alike may abuse this role to escalate their privileges.", "data_source": [], "search": " `azuread` \"body.operationName\"=\"Add member to role\" \"body.properties.targetResources{}.modifiedProperties{}.newValue\"=\"\\\"Privileged Authentication Administrator\\\"\" | rename body.properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | stats values(userPrincipalName) by _time, initiatedBy, result, body.operationName | `azure_ad_privileged_authentication_administrator_role_assigned_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.", "known_false_positives": "Administrators may legitimately assign the Privileged Authentication Administrator role as part of administrative tasks. Filter as needed.", "references": ["https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#privileged-authentication-administrator", "https://posts.specterops.io/azure-privilege-escalation-via-azure-api-permissions-abuse-74aee1006f48", "https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference"], "tags": {"name": "Azure AD Privileged Authentication Administrator Role Assigned", "analytic_story": ["Azure Active Directory Privilege Escalation"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "The privileged Azure AD role Privileged Authentication Administrator was assigned for User $userPrincipalName$ initiated by $initiatedBy$", "mitre_attack_id": ["T1003.002"], "nist": ["DE.CM"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "body.properties.targetResources{}.userPrincipalName", "body.properties.targetResources{}.type", "body.properties.initiatedBy.user.userPrincipalName", "body.properties.result"], "risk_score": 50, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/azure-audit.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": ["Authentication"], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_privileged_authentication_administrator_role_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD Privileged Role Assigned", "id": "a28f0bc3-3400-4a6e-a2da-89b9e95f0d2a", "version": 1, "date": "2022-08-29", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the assignment of sensitive and privileged Azure Active Directory roles to an Azure AD user. Adversaries and red teams alike may assign these roles to a compromised account to establish Persistence in an Azure AD environment.", "data_source": [], "search": " `azuread` \"body.operationName\"=\"Add member to role\" | rename body.properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.modifiedProperties{}.newValue as roles | eval role=mvindex(roles,1) | lookup privileged_azure_ad_roles azureadrole AS role OUTPUT isprvilegedadrole description | search isprvilegedadrole = True | stats values(userPrincipalName) by _time, initiatedBy, result, body.operationName, role, description | `azure_ad_privileged_role_assigned_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.", "known_false_positives": "Administrators will legitimately assign the privileged roles users as part of administrative tasks. Filter as needed.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/roles/concept-understand-roles", "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference", "https://adsecurity.org/?p=4277", "https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors", "https://docs.microsoft.com/en-us/azure/active-directory/roles/security-planning", "https://attack.mitre.org/techniques/T1098/003/"], "tags": {"name": "Azure AD Privileged Role Assigned", "analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "message": "A privileged Azure AD role was assigned for User $userPrincipalName$ initiated by $initiatedBy$", "mitre_attack_id": ["T1098", "T1098.003"], "nist": ["DE.CM"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "body.properties.targetResources{}.userPrincipalName", "body.properties.targetResources{}.type", "body.properties.initiatedBy.user.userPrincipalName", "body.properties.result"], "risk_score": 63, "security_domain": "audit", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/azure-audit.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_privileged_role_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "privileged_azure_ad_roles", "description": "A list of privileged Azure Active Directory roles.", "filename": "privileged_azure_ad_roles.csv", "default_match": "false", "match_type": "WILDCARD(azureadrole)", "min_matches": 1, "case_sensitive_match": "false"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_privileged_role_assigned.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD Privileged Role Assigned to Service Principal", "id": "5dfaa3d3-e2e4-4053-8252-16d9ee528c41", "version": 1, "date": "2023-04-28", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic", "data_source": [], "search": " `azuread` operationName=\"Add member to role\" | rename properties.* as * | search \"targetResources{}.type\"=ServicePrincipal | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.modifiedProperties{}.newValue as roles | eval role=mvindex(roles,1) | rename targetResources{}.displayName as apps | eval displayName=mvindex(apps,0) | lookup privileged_azure_ad_roles azureadrole AS role OUTPUT isprvilegedadrole description | search isprvilegedadrole = True | stats values(displayName) by _time, initiatedBy, result, operationName, role | `azure_ad_privileged_role_assigned_to_service_principal_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.", "known_false_positives": "Administrators may legitimately assign the privileged roles to Service Principals as part of administrative tasks. Filter as needed.", "references": ["https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5"], "tags": {"name": "Azure AD Privileged Role Assigned to Service Principal", "analytic_story": ["Azure Active Directory Privilege Escalation"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation"], "message": "A privileged Azure AD role was assigned to the Service Principal $displayName$ initiated by $initiatedBy$", "mitre_attack_id": ["T1098", "T1098.003"], "nist": ["DE.CM"], "observable": [{"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "properties.targetResources{}.userPrincipalName", "properties.targetResources{}.type", "properties.initiatedBy.user.userPrincipalName", "properties.result"], "risk_score": 35, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_privileged_role_serviceprincipal/azure-audit.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_privileged_role_assigned_to_service_principal_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "privileged_azure_ad_roles", "description": "A list of privileged Azure Active Directory roles.", "filename": "privileged_azure_ad_roles.csv", "default_match": "false", "match_type": "WILDCARD(azureadrole)", "min_matches": 1, "case_sensitive_match": "false"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_privileged_role_assigned_to_service_principal.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD Service Principal Created", "id": "f8ba49e7-ffd3-4b53-8f61-e73974583c5d", "version": 1, "date": "2022-08-17", "author": "Gowthamaraj Rajendran, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the creation of a Service Principal in an Azure AD environment. An Azure Service Principal is an identity designed to be used with applications, services, and automated tools to access resources. It is similar to a service account within an Active Directory environment. Service Principal authentication does not support multi-factor authentication nor conditional access policies. Adversaries and red teams alike who have obtained administrative access may create a Service Principal to establish Persistence and obtain single-factor access to an Azure AD environment.", "data_source": [], "search": "`azuread` \"body.operationName\"=\"Add service principal\" \"body.properties.initiatedBy.user.id\"=* | rename body.properties.* as * | rename targetResources{}.displayName as displayName | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.type as type | stats values(displayName) by _time, type, initiatedBy, result, body.operationName | `azure_ad_service_principal_created_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.", "known_false_positives": "Administrator may legitimately create Service Principal. Filter as needed.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals", "https://docs.microsoft.com/en-us/powershell/azure/create-azure-service-principal-azureps?view=azps-8.2.0", "https://www.truesec.com/hub/blog/using-a-legitimate-application-to-create-persistence-and-initiate-email-campaigns", "https://www.inversecos.com/2021/10/how-to-backdoor-azure-applications-and.html", "https://attack.mitre.org/techniques/T1136/003/"], "tags": {"name": "Azure AD Service Principal Created", "analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Installation"], "message": "Service Principal named $displayName$ created by $initiatedBy$", "mitre_attack_id": ["T1136.003"], "nist": ["DE.CM"], "observable": [{"name": "displayName", "type": "Other", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "body.properties.targetResources{}.displayName", "body.properties.targetResources{}.type", "body.properties.initiatedBy.user.userPrincipalName", "body.properties.result"], "risk_score": 45, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_ad_add_service_principal/azure-audit.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_service_principal_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_service_principal_created.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD Service Principal New Client Credentials", "id": "e3adc0d3-9e4b-4b5d-b662-12cec1adff2a", "version": 2, "date": "2022-08-17", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the addition of new credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD. These credentials include both x509 certificates and passwords. With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules. Adversaries and red teams alike who have obtained privileged access to Azure AD may add credentials to Service Principals to maintain persistent access to victim accounts and other instances within the Azure environment. By compromising an account who is an Owner of an application with privileged access, attackers may also escalate their privileges in an Azure AD environment by adding new credentials and logging in as the service principal.", "data_source": [], "search": " `azuread` body.category=AuditLogs body.operationName=\"Update application*Certificates and secrets management \" | rename body.* as * | rename properties.* as * | rename targetResources{}.* as * | stats values(displayName) by _time, initiatedBy.user.userPrincipalName, modifiedProperties{}.newValue | `azure_ad_service_principal_new_client_credentials_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the SignInLogs log category.", "known_false_positives": "Service Principal client credential modifications may be part of legitimate administrative operations. Filter as needed.", "references": ["https://attack.mitre.org/techniques/T1098/001/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2/", "https://hausec.com/2021/10/26/attacking-azure-azure-ad-part-ii/", "https://www.inversecos.com/2021/10/how-to-backdoor-azure-applications-and.html", "https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft", "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT405/AZT405-3/"], "tags": {"name": "Azure AD Service Principal New Client Credentials", "analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation"], "message": "New credentials added for Service Principal $body.properties.targetResources{}.displayName$", "mitre_attack_id": ["T1098", "T1098.001"], "nist": ["DE.CM"], "observable": [{"name": "displayName", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy.user.userPrincipalName", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "body.category", "body.operationName", "body.properties.initiatedBy.user.userPrincipalName", "body.properties.targetResources{}.displayName", "body.properties.targetResources{}.modifiedProperties{}.newValue"], "risk_score": 35, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.001", "mitre_attack_technique": "Additional Cloud Credentials", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.001/azure_ad_service_principal_credentials/azure-audit.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_service_principal_new_client_credentials_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_service_principal_new_client_credentials.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD Service Principal Owner Added", "id": "7ddf2084-6cf3-4a44-be83-474f7b73c701", "version": 2, "date": "2022-08-30", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the addition of a new owner for a Service Principal within an Azure AD tenant. An Azure Service Principal is an identity designed to be used with applications, services, and automated tools to access resources. It is similar to a service account within an Active Directory environment. Service Principal authentication does not support multi-factor authentication nor conditional access policies. Adversaries and red teams alike who have obtained administrative access may add a new owner for an existing Service Principal to establish Persistence and obtain single-factor access to an Azure AD environment. Attackers who are looking to escalate their privileges by leveraging a Service Principals permissions may also add a new owner.", "data_source": [], "search": " `azuread` body.operationName=\"Add owner to application\" | rename body.properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.userPrincipalName as newOwner | rename targetResources{}.modifiedProperties{}.newValue as displayName | eval displayName = mvindex(displayName,1) | where initiatedBy!=newOwner | stats values(displayName) by _time, initiatedBy, result, body.operationName, newOwner | `azure_ad_service_principal_owner_added_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.", "known_false_positives": "Administrator may legitimately add new owners for Service Principals. Filter as needed.", "references": ["https://attack.mitre.org/techniques/T1098/"], "tags": {"name": "Azure AD Service Principal Owner Added", "analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Installation"], "message": "A new owner was added for service principal $displayName$ by $initiatedBy$", "mitre_attack_id": ["T1098"], "nist": ["DE.CM"], "observable": [{"name": "displayName", "type": "Other", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "body.operationName", "body.properties.initiatedBy.user.userPrincipalName", "body.properties.targetResources{}.userPrincipalName", "body.properties.targetResources{}.modifiedProperties{}.newValue", "body.propertiesresult"], "risk_score": 54, "security_domain": "audit", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/azure_ad_add_serviceprincipal_owner/azure-audit.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_service_principal_owner_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_service_principal_owner_added.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD Successful Authentication From Different Ips", "id": "be6d868d-33b6-4aaa-912e-724fb555b11a", "version": 1, "date": "2023-01-24", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies an Azure AD account successfully authenticating from more than one unique Ip address in the span of 5 minutes. This behavior could represent an adversary who has stolen credentials via a phishing attack or some other method and using them to access corporate online resources around the same time as a legitimate user. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments.", "data_source": [], "search": " `azuread` properties.authenticationDetails{}.succeeded=true category=SignInLogs | rename properties.* as * | bucket span=5m _time | stats dc(ipAddress) AS unique_ips values(ipAddress) values(appDisplayName) by _time, userPrincipalName | where unique_ips > 1 | `azure_ad_successful_authentication_from_different_ips_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the SignInLogs log category.", "known_false_positives": "A user with successful authentication events from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.", "references": ["T1110", "T1110.001", "T1110.003"], "tags": {"name": "Azure AD Successful Authentication From Different Ips", "analytic_story": ["Compromised User Account", "Azure Active Directory Account Takeover"], "asset_type": "Azure AD", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "User $userPrincipalName$ has had successful authentication events from more than one unique IP address in the span of 5 minutes.", "mitre_attack_id": ["T1110", "T1110.001", "T1110.003"], "nist": ["DE.CM"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Victim"]}, {"name": "ipAddress", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "properties.status.errorCode", "category", "properties.authenticationDetails", "properties.userPrincipalName", "properties.ipAddress", "properties.appDisplayName"], "risk_score": 56, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/azure_ad_successful_authentication_from_different_ips/azuread.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_successful_authentication_from_different_ips_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_successful_authentication_from_different_ips.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD Successful PowerShell Authentication", "id": "62f10052-d7b3-4e48-b57b-56f8e3ac7ceb", "version": 1, "date": "2022-07-13", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a successful authentication event against an Azure AD tenant using PowerShell commandlets. This behavior is not common for regular, non administrative users. After compromising an account in Azure AD, attackers and red teams alike will perform enumeration and discovery techniques. One method of executing these techniques is leveraging the native PowerShell modules.", "data_source": [], "search": " `azuread` body.category=SignInLogs body.properties.authenticationDetails{}.succeeded=true body.properties.appDisplayName=\"Azure Active Directory PowerShell\" | rename body.properties.* as * | stats values(userPrincipalName) by _time, ipAddress, appDisplayName, userAgent | `azure_ad_successful_powershell_authentication_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events in your Splunk environment. Specifically, this analytic leverages the SignInLogs log category.", "known_false_positives": "Administrative users will likely use PowerShell commandlets to troubleshoot and maintain the environment. Filter as needed.", "references": ["https://attack.mitre.org/techniques/T1078/004/", "https://docs.microsoft.com/en-us/powershell/module/azuread/connect-azuread?view=azureadps-2.0", "https://securitycafe.ro/2022/04/29/pentesting-azure-recon-techniques/", "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md"], "tags": {"name": "Azure AD Successful PowerShell Authentication", "analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "message": "Successful authentication for user $body.properties.userPrincipalName$ using PowerShell.", "mitre_attack_id": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Victim"]}, {"name": "ipAddress", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "body.properties.appDisplayName", "body.category", "body.properties.userPrincipalName", "body.properties.ipAddress", "body.properties.appDisplayName", "body.properties.userAgent"], "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azuread_pws/azure-audit.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_successful_powershell_authentication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_successful_powershell_authentication.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD Successful Single-Factor Authentication", "id": "a560e7f6-1711-4353-885b-40be53101fcd", "version": 1, "date": "2022-07-12", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a successful authentication event against Azure Active Directory for an account without Multi-Factor Authentication enabled. This could be evidence of a missconfiguration, a policy violation or an account take over attempt that should be investigated", "data_source": [], "search": " `azuread` body.category=SignInLogs body.properties.authenticationRequirement=singleFactorAuthentication body.properties.authenticationDetails{}.succeeded=true | rename body.properties.* as * | stats values(userPrincipalName) by _time, ipAddress, appDisplayName, authenticationRequirement | `azure_ad_successful_single_factor_authentication_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events in your Splunk environment. Specifically, this analytic leverages the SignInLogs log category.", "known_false_positives": "Although not recommended, certain users may be required without multi-factor authentication. Filter as needed", "references": ["https://attack.mitre.org/techniques/T1078/004/", "https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks*", "https://www.forbes.com/sites/daveywinder/2020/07/08/new-dark-web-audit-reveals-15-billion-stolen-logins-from-100000-breaches-passwords-hackers-cybercrime/?sh=69927b2a180f"], "tags": {"name": "Azure AD Successful Single-Factor Authentication", "analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "message": "Successful authentication for user $body.properties.userPrincipalName$ without MFA", "mitre_attack_id": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Victim"]}, {"name": "ipAddress", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "body.category", "body.properties.authenticationRequirement", "body.properties.authenticationDetails", "body.properties.userPrincipalName", "body.properties.ipAddress", "body.properties.appDisplayName"], "risk_score": 45, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azuread/azure-audit.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": ["Authentication"], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_successful_single_factor_authentication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_successful_single_factor_authentication.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD Unusual Number of Failed Authentications From Ip", "id": "3d8d3a36-93b8-42d7-8d91-c5f24cec223d", "version": 1, "date": "2022-07-11", "author": "Mauricio Velazco, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies one source Ip failing to authenticate with multiple valid users. This behavior could represent an adversary performing a Password Spraying attack against an Azure Active Directory tenant to obtain initial access or elevate privileges. Error Code 50126 represents an invalid password.\\\nThe detection calculates the standard deviation for source Ip and leverages the 3-sigma statistical rule to identify an unusual number of failed authentication attempts. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises.\\\nWhile looking for anomalies using statistical methods like the standard deviation can have benefits, we also recommend using threshold-based detections to complement coverage. A similar analytic following the threshold model is `Azure AD Multiple Users Failing To Authenticate From Ip`.", "data_source": [], "search": " `azuread` body.category=SignInLogs body.properties.status.errorCode=50126 body.properties.authenticationDetails{}.succeeded= false | rename body.properties.* as * | bucket span=5m _time | stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) as tried_accounts by _time, ipAddress | eventstats avg(unique_accounts) as ip_avg , stdev(unique_accounts) as ip_std by ipAddress | eval upperBound=(ip_avg+ip_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | where isOutlier = 1 | `azure_ad_unusual_number_of_failed_authentications_from_ip_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events in your Splunk environment. Specifically, this analytic leverages the SignInLogs log category.", "known_false_positives": "A source Ip failing to authenticate with multiple users is not a common for legitimate behavior.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes"], "tags": {"name": "Azure AD Unusual Number of Failed Authentications From Ip", "analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation"], "message": "Possible Password Spraying attack against Azure AD from source ip $body.properties.ipAddress$", "mitre_attack_id": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Victim"]}, {"name": "ipAddress", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "body.properties.status.errorCode", "body.category", "body.properties.authenticationDetails", "body.properties.userPrincipalName", "body.properties.ipAddress"], "risk_score": 54, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/azuread/azure-audit.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_unusual_number_of_failed_authentications_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml", "source": "cloud"}, {"name": "Azure AD User Enabled And Password Reset", "id": "1347b9e8-2daa-4a6f-be73-b421d3d9e268", "version": 1, "date": "2022-08-29", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies an Azure AD user enabling a previously disabled account and resetting its password within 2 minutes. This behavior could represent an adversary who has obtained administrative access and is trying to establish a backdoor identity within an Azure AD tenant.", "data_source": [], "search": " `azuread` (body.operationName=\"Enable account\" OR body.operationName=\"Reset password (by admin)\" OR body.operationName=\"Update user\") | transaction body.properties.targetResources{}.userPrincipalName startsWith=(body.operationName=\"Enable account\") endsWith=(body.operationName=\"Reset password (by admin)\") maxspan=2m | rename body.properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | stats values(body.operationName) values(initiatedBy) by _time, userPrincipalName, result | `azure_ad_user_enabled_and_password_reset_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.", "known_false_positives": "While not common, Administrators may enable accounts and reset their passwords for legitimate reasons. Filter as needed.", "references": ["https://attack.mitre.org/techniques/T1098/"], "tags": {"name": "Azure AD User Enabled And Password Reset", "analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Installation"], "message": "A user account, $displayName$, was enabled and its password reset within 2 minutes by $initiatedBy$", "mitre_attack_id": ["T1098"], "nist": ["DE.CM"], "observable": [{"name": "displayName", "type": "Other", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "body.operationName", "body.properties.targetResources{}.userPrincipalName", "body.properties.initiatedBy.user.userPrincipalName", "body.properties.result"], "risk_score": 45, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/azure_ad_enable_and_reset/azure-audit.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_user_enabled_and_password_reset_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_user_enabled_and_password_reset.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD User ImmutableId Attribute Updated", "id": "0c0badad-4536-4a84-a561-5ff760f3c00e", "version": 1, "date": "2022-09-02", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the modification of the SourceAnchor (also called ImmutableId) attribute for an Azure Active Directory user. Updating this attribute is a step required to set up the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA.", "data_source": [], "search": " `azuread` body.operationName=\"Update user\" body.properties.targetResources{}.modifiedProperties{}.displayName=SourceAnchor | rename body.properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | rename body.callerIpAddress as callerIpAddress | rename targetResources{}.modifiedProperties{}.newValue as modifiedProperties | stats values(userPrincipalName) values(modifiedProperties) by _time, initiatedBy, callerIpAddress, result, body.operationName | `azure_ad_user_immutableid_attribute_updated_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.", "known_false_positives": "The SourceAnchor (also called ImmutableId) Azure AD attribute has legitimate uses for directory synchronization. Investigate and filter as needed.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-design-concepts", "https://www.mandiant.com/resources/remediation-and-hardening-strategies-microsoft-365-defend-against-apt29-v13", "https://o365blog.com/post/federation-vulnerability/", "https://www.inversecos.com/2021/11/how-to-detect-azure-active-directory.html", "https://www.mandiant.com/resources/blog/detecting-microsoft-365-azure-active-directory-backdoors", "https://attack.mitre.org/techniques/T1098/"], "tags": {"name": "Azure AD User ImmutableId Attribute Updated", "analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Installation"], "message": "The SourceAnchor or ImmutableID attribute has been modified for user $userPrincipalName$ by $initiatedBy$", "mitre_attack_id": ["T1098"], "nist": ["DE.CM"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 45, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/azure_ad_set_immutableid/azure-audit.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_user_immutableid_attribute_updated_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure Automation Account Created", "id": "860902fd-2e76-46b3-b050-ba548dab576c", "version": 1, "date": "2022-08-18", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the creation of a new Azure Automation account within an Azure tenant. Azure Automation is a cloud-based automation platform that allows administrators to automate Azure management tasks and orchestrate actions across external systems within Azure using PowerShell and Python. Azure Automation can also be configured to automate tasks on on premise infrastructure using a component called a Hybrid Runbook Worker. Automation accounts serve as a container to isolate Automation resources, runbooks, assets, and configurations from the resources of other accounts. They allow administrators to separate resources into logical environments or delegated responsibilities. Adversaries or red teams who have obtained privileged access to an Azure tenant may create an Azure Automation account with elevated privileges to maintain persistence in the Azure tenant. A malicious Automation Runbook can be created to create Global Administrators in Azure AD, execute code on VMs, etc.", "data_source": [], "search": " `azure_audit` operationName.localizedValue=\"Create or Update an Azure Automation account\" status.value=Succeeded | dedup object | stats values(object) by _time, caller, claims.ipaddr, resourceGroupName, object_path | `azure_automation_account_created_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Audit events into your Splunk environment. Specifically, this analytic leverages the Azure Activity log category.", "known_false_positives": "Administrators may legitimately create Azure Automation accounts. Filter as needed.", "references": ["https://docs.microsoft.com/en-us/azure/automation/overview", "https://docs.microsoft.com/en-us/azure/automation/automation-create-standalone-account?tabs=azureportal", "https://docs.microsoft.com/en-us/azure/automation/automation-hybrid-runbook-worker", "https://www.inversecos.com/2021/12/how-to-detect-malicious-azure.html", "https://www.netspi.com/blog/technical/cloud-penetration-testing/maintaining-azure-persistence-via-automation-accounts/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-3/", "https://attack.mitre.org/techniques/T1136/003/"], "tags": {"name": "Azure Automation Account Created", "analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "message": "A new Azure Automation account $object$ was created by $caller$", "mitre_attack_id": ["T1136", "T1136.003"], "nist": ["DE.CM"], "observable": [{"name": "object", "type": "Other", "role": ["Victim"]}, {"name": "caller", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "operationName.localizedValue", "status.value", "object", "caller", "claims.ipaddr", "resourceGroupName", "object_path"], "risk_score": 63, "security_domain": "audit", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_automation_account/azure-activity.log", "source": "mscs:azure:audit", "sourcetype": "mscs:azure:audit", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azure_audit", "definition": "sourcetype=mscs:azure:audit", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_automation_account_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_automation_account_created.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure Automation Runbook Created", "id": "178d696d-6dc6-4ee8-9d25-93fee34eaf5b", "version": 1, "date": "2022-08-22", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the creation of a new Azure Automation Runbook within an Azure tenant. Azure Automation is a cloud-based automation platform that allows administrators to automate Azure management tasks and orchestrate actions across external systems within Azure. Azure Automation script files called Runbooks that can be written in PowerShell or Python. Adversaries or red teams who have obtained privileged access to an Azure tenant may create an Azure Automation Runbook that runs with elevated privileges to maintain persistence in the Azure tenant. A malicious Automation Runbook can be created to create Global Administrators in Azure AD, execute code on VMs, etc.", "data_source": [], "search": " `azure_audit` operationName.localizedValue=\"Create or Update an Azure Automation Runbook\" object!=AzureAutomationTutorial* status.value=Succeeded | dedup object | stats values(object) by _time, caller, claims.ipaddr, resourceGroupName, object_path | `azure_automation_runbook_created_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Audit events into your Splunk environment. Specifically, this analytic leverages the Azure Activity log category.", "known_false_positives": "Administrators may legitimately create Azure Automation Runbooks. Filter as needed.", "references": ["https://docs.microsoft.com/en-us/azure/automation/overview", "https://docs.microsoft.com/en-us/azure/automation/automation-runbook-types", "https://docs.microsoft.com/en-us/azure/automation/manage-runbooks", "https://www.inversecos.com/2021/12/how-to-detect-malicious-azure.html", "https://www.netspi.com/blog/technical/cloud-penetration-testing/maintaining-azure-persistence-via-automation-accounts/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-3/", "https://attack.mitre.org/techniques/T1136/003/"], "tags": {"name": "Azure Automation Runbook Created", "analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "message": "A new Azure Automation Runbook $object$ was created by $caller$", "mitre_attack_id": ["T1136", "T1136.003"], "nist": ["DE.CM"], "observable": [{"name": "object", "type": "Other", "role": ["Victim"]}, {"name": "caller", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "operationName.localizedValue", "status.value", "object", "caller", "claims.ipaddr", "resourceGroupName", "object_path"], "risk_score": 63, "security_domain": "audit", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azure_automation_runbook/azure-activity.log", "source": "mscs:azure:audit", "sourcetype": "mscs:azure:audit", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azure_audit", "definition": "sourcetype=mscs:azure:audit", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_automation_runbook_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_automation_runbook_created.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure Runbook Webhook Created", "id": "e98944a9-92e4-443c-81b8-a322e33ce75a", "version": 1, "date": "2022-08-23", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the creation of a new Automation Runbook Webhook within an Azure tenant. Azure Automation is a cloud-based automation platform that allows administrators to automate Azure management tasks and orchestrate actions across external systems within Azure. Azure Automation script files called Runbooks that can be written in PowerShell or Python. One of the ways administrators can configure a Runbook to be executed is through HTTP Webhooks. Webhooks leverage custom unauthenticated URLs that are exposed to the Internet. An adversary who has obtained privileged access to an Azure tenant may create a Webhook to trigger the execution of an Automation Runbook with malicious code that can create users or execute code on a VM. This provides a persistent foothold on the environment.", "data_source": [], "search": " `azure_audit` operationName.localizedValue=\"Create or Update an Azure Automation webhook\" status.value=Succeeded | stats values(object) by _time, caller, claims.ipaddr, resourceGroupName, object_path | `azure_runbook_webhook_created_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Audit events into your Splunk environment. Specifically, this analytic leverages the Azure Activity log category.", "known_false_positives": "Administrators may legitimately create Azure Runbook Webhooks. Filter as needed.", "references": ["https://docs.microsoft.com/en-us/azure/automation/overview", "https://docs.microsoft.com/en-us/azure/automation/automation-runbook-types", "https://docs.microsoft.com/en-us/azure/automation/automation-webhooks?tabs=portal", "https://www.inversecos.com/2021/12/how-to-detect-malicious-azure.html", "https://www.netspi.com/blog/technical/cloud-penetration-testing/maintaining-azure-persistence-via-automation-accounts/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-3/", "https://attack.mitre.org/techniques/T1078/004/"], "tags": {"name": "Azure Runbook Webhook Created", "analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "A new Azure Runbook Webhook $object$ was created by $caller$", "mitre_attack_id": ["T1078", "T1078.004"], "nist": ["DE.CM"], "observable": [{"name": "object", "type": "Other", "role": ["Victim"]}, {"name": "caller", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "operationName.localizedValue", "status.value", "object", "caller", "claims.ipaddr", "resourceGroupName", "object_path"], "risk_score": 63, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azure_runbook_webhook/azure-activity.log", "source": "mscs:azure:audit", "sourcetype": "mscs:azure:audit", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azure_audit", "definition": "sourcetype=mscs:azure:audit", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_runbook_webhook_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_runbook_webhook_created.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Circle CI Disable Security Job", "id": "4a2fdd41-c578-4cd4-9ef7-980e352517f2", "version": 1, "date": "2021-09-02", "author": "Patrick Bareiss, Splunk", "type": "Anomaly", "status": "production", "description": "This search looks for disable security job in CircleCI pipeline.", "data_source": [], "search": "`circleci` | rename vcs.committer_name as user vcs.subject as commit_message vcs.url as url workflows.* as * | stats values(job_name) as job_names by workflow_id workflow_name user commit_message url branch | lookup mandatory_job_for_workflow workflow_name OUTPUTNEW job_name AS mandatory_job | search mandatory_job=* | eval mandatory_job_executed=if(like(job_names, \"%\".mandatory_job.\"%\"), 1, 0) | where mandatory_job_executed=0 | eval phase=\"build\" | rex field=url \"(?[^\\/]*\\/[^\\/]*)$\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `circle_ci_disable_security_job_filter`", "how_to_implement": "You must index CircleCI logs.", "known_false_positives": "unknown", "references": [], "tags": {"name": "Circle CI Disable Security Job", "analytic_story": ["Dev Sec Ops"], "asset_type": "CircleCI", "cis20": ["CIS 13"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Installation"], "message": "disable security job $mandatory_job$ in workflow $workflow_name$ from user $user$", "mitre_attack_id": ["T1554"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_times"], "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1554", "mitre_attack_technique": "Compromise Client Software Binary", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1554/circle_ci_disable_security_job/circle_ci_disable_security_job.json", "source": "circleci", "sourcetype": "circleci"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "circleci", "definition": "sourcetype=circleci", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "circle_ci_disable_security_job_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "mandatory_job_for_workflow", "description": "A lookup file that will be used to define the mandatory job for workflow", "filename": "mandatory_job_for_workflow.csv"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/circle_ci_disable_security_job.yml", "source": "cloud"}, {"name": "Circle CI Disable Security Step", "id": "72cb9de9-e98b-4ac9-80b2-5331bba6ea97", "version": 1, "date": "2021-09-01", "author": "Patrick Bareiss, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search looks for disable security step in CircleCI pipeline.", "data_source": [], "search": "`circleci` | rename workflows.job_id AS job_id | join job_id [ | search `circleci` | stats values(name) as step_names count by job_id job_name ] | stats count by step_names job_id job_name vcs.committer_name vcs.subject vcs.url owners{} | rename vcs.* as * , owners{} as user | lookup mandatory_step_for_job job_name OUTPUTNEW step_name AS mandatory_step | search mandatory_step=* | eval mandatory_step_executed=if(like(step_names, \"%\".mandatory_step.\"%\"), 1, 0) | where mandatory_step_executed=0 | rex field=url \"(?[^\\/]*\\/[^\\/]*)$\" | eval phase=\"build\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `circle_ci_disable_security_step_filter`", "how_to_implement": "You must index CircleCI logs.", "known_false_positives": "unknown", "references": [], "tags": {"name": "Circle CI Disable Security Step", "analytic_story": ["Dev Sec Ops"], "asset_type": "CircleCI", "cis20": ["CIS 13"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Installation"], "message": "disable security step $mandatory_step$ in job $job_name$ from user $user$", "mitre_attack_id": ["T1554"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_times"], "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1554", "mitre_attack_technique": "Compromise Client Software Binary", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1554/circle_ci_disable_security_step/circle_ci_disable_security_step.json", "source": "circleci", "sourcetype": "circleci"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "circleci", "definition": "sourcetype=circleci", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "circle_ci_disable_security_step_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "mandatory_step_for_job", "description": "A lookup file that will be used to define the mandatory step for job", "filename": "mandatory_step_for_job.csv"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/circle_ci_disable_security_step.yml", "source": "cloud"}, {"name": "Cloud API Calls From Previously Unseen User Roles", "id": "2181ad1f-1e73-4d0c-9780-e8880482a08f", "version": 1, "date": "2020-09-04", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search looks for new commands from each user role.", "data_source": [], "search": "| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where All_Changes.user_type=AssumedRole AND All_Changes.status=success by All_Changes.user, All_Changes.command All_Changes.object | `drop_dm_object_name(\"All_Changes\")` | lookup previously_seen_cloud_api_calls_per_user_role user as user, command as command OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenUserApiCall=min(firstTimeSeen) | where isnull(firstTimeSeenUserApiCall) OR firstTimeSeenUserApiCall > relative_time(now(),\"-24h@h\") | table firstTime, user, object, command |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `cloud_api_calls_from_previously_unseen_user_roles_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud API Calls Per User Role - Initial` to build the initial table of user roles, commands, and times. You must also enable the second baseline search `Previously Seen Cloud API Calls Per User Role - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `cloud_api_calls_from_previously_unseen_user_roles_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_api_calls_from_previously_unseen_user_roles_filter`", "known_false_positives": ".", "references": [], "tags": {"name": "Cloud API Calls From Previously Unseen User Roles", "analytic_story": ["Suspicious Cloud User Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "User $user$ of type AssumedRole attempting to execute new API calls $command$ that have not been seen before", "mitre_attack_id": ["T1078"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.user", "All_Changes.user_type", "All_Changes.status", "All_Changes.command", "All_Changes.object"], "risk_score": 36, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": ["Change"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloud_api_calls_from_previously_unseen_user_roles_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_cloud_api_calls_per_user_role", "description": "A table of users, commands, and the first and last time that they have been seen", "collection": "previously_seen_cloud_api_calls_per_user_role", "fields_list": "_key, user, command, firstTimeSeen, lastTimeSeen, enough_data"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml", "source": "cloud"}, {"name": "Cloud Compute Instance Created By Previously Unseen User", "id": "37a0ec8d-827e-4d6d-8025-cedf31f3a149", "version": 2, "date": "2021-07-13", "author": "Rico Valdez, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search looks for cloud compute instances created by users who have not created them before.", "data_source": [], "search": "| tstats `security_content_summariesonly` count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object) as dest from datamodel=Change where All_Changes.action=created by All_Changes.user All_Changes.vendor_region | `drop_dm_object_name(\"All_Changes\")` | lookup previously_seen_cloud_compute_creations_by_user user as user OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenUser=min(firstTimeSeen) | where isnull(firstTimeSeenUser) OR firstTimeSeenUser > relative_time(now(), \"-24h@h\") | table firstTime, user, dest, count vendor_region | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_by_previously_unseen_user_filter`", "how_to_implement": "You must be ingesting the appropriate cloud-infrastructure logs Run the \"Previously Seen Cloud Compute Creations By User\" support search to create of baseline of previously seen users.", "known_false_positives": "It's possible that a user will start to create compute instances for the first time, for any number of reasons. Verify with the user launching instances that this is the intended behavior.", "references": [], "tags": {"name": "Cloud Compute Instance Created By Previously Unseen User", "analytic_story": ["Cloud Cryptomining"], "asset_type": "Cloud Compute Instance", "cis20": ["CIS 10"], "confidence": 60, "impact": 30, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "User $user$ is creating a new instance $dest$ for the first time", "mitre_attack_id": ["T1078.004", "T1078"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.object", "All_Changes.action", "All_Changes.user", "All_Changes.vendor_region"], "risk_score": 18, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": ["Change"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "cloud_compute_instance_created_by_previously_unseen_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_cloud_compute_creations_by_user", "description": "A table of previously seen users creating cloud instances", "collection": "previously_seen_cloud_compute_creations_by_user", "fields_list": "_key, firstTimeSeen, lastTimeSeen, user, enough_data"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/cloud_compute_instance_created_by_previously_unseen_user.yml", "source": "cloud"}, {"name": "Cloud Compute Instance Created In Previously Unused Region", "id": "fa4089e2-50e3-40f7-8469-d2cc1564ca59", "version": 1, "date": "2020-09-02", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search looks at cloud-infrastructure events where an instance is created in any region within the last hour and then compares it to a lookup file of previously seen regions where instances have been created.", "data_source": [], "search": "| tstats earliest(_time) as firstTime latest(_time) as lastTime values(All_Changes.object_id) as dest, count from datamodel=Change where All_Changes.action=created by All_Changes.vendor_region, All_Changes.user | `drop_dm_object_name(\"All_Changes\")` | lookup previously_seen_cloud_regions vendor_region as vendor_region OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenRegion=min(firstTimeSeen) | where isnull(firstTimeSeenRegion) OR firstTimeSeenRegion > relative_time(now(), \"-24h@h\") | table firstTime, user, dest, count , vendor_region | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_in_previously_unused_region_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Regions - Initial` to build the initial table of images observed and times. You must also enable the second baseline search `Previously Seen Cloud Regions - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_in_previously_unused_region_filter` macro.", "known_false_positives": "It's possible that a user has unknowingly started an instance in a new region. Please verify that this activity is legitimate.", "references": [], "tags": {"name": "Cloud Compute Instance Created In Previously Unused Region", "analytic_story": ["Cloud Cryptomining"], "asset_type": "Cloud Compute Instance", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "User $user$ is creating an instance $dest$ in a new region for the first time", "mitre_attack_id": ["T1535"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.object_id", "All_Changes.action", "All_Changes.vendor_region", "All_Changes.user"], "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": ["Change"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloud_compute_instance_created_in_previously_unused_region_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_cloud_regions", "description": "A table of vendor_region values and the first and last time that they have been observed in cloud provisioning activities", "collection": "previously_seen_cloud_regions", "fields_list": "_key, firstTimeSeen, lastTimeSeen, vendor_region, enough_data"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/cloud_compute_instance_created_in_previously_unused_region.yml", "source": "cloud"}, {"name": "Cloud Compute Instance Created With Previously Unseen Image", "id": "bc24922d-987c-4645-b288-f8c73ec194c4", "version": 1, "date": "2018-10-12", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search looks for cloud compute instances being created with previously unseen image IDs.", "data_source": [], "search": "| tstats count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as dest from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.image_id, All_Changes.user | `drop_dm_object_name(\"All_Changes\")` | `drop_dm_object_name(\"Instance_Changes\")` | where image_id != \"unknown\" | lookup previously_seen_cloud_compute_images image_id as image_id OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenImage=min(firstTimeSeen) | where isnull(firstTimeSeenImage) OR firstTimeSeenImage > relative_time(now(), \"-24h@h\") | table firstTime, user, image_id, count, dest | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_with_previously_unseen_image_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Compute Images - Initial` to build the initial table of images observed and times. You must also enable the second baseline search `Previously Seen Cloud Compute Images - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_with_previously_unseen_image_filter` macro.", "known_false_positives": "After a new image is created, the first systems created with that image will cause this alert to fire. Verify that the image being used was created by a legitimate user.", "references": [], "tags": {"name": "Cloud Compute Instance Created With Previously Unseen Image", "analytic_story": ["Cloud Cryptomining"], "asset_type": "Cloud Compute Instance", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": [], "message": "User $user$ is creating an instance $dest$ with an image that has not been previously seen.", "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.object_id", "All_Changes.action", "All_Changes.Instance_Changes.image_id", "All_Changes.user"], "risk_score": 36, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": ["Change"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloud_compute_instance_created_with_previously_unseen_image_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_cloud_compute_images", "description": "A table of previously seen Cloud image IDs", "collection": "previously_seen_cloud_compute_images", "fields_list": "_key, firstTimeSeen, lastTimeSeen, image_id, enough_data"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml", "source": "cloud"}, {"name": "Cloud Compute Instance Created With Previously Unseen Instance Type", "id": "c6ddbf53-9715-49f3-bb4c-fb2e8a309cda", "version": 1, "date": "2020-09-12", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "experimental", "description": "Find EC2 instances being created with previously unseen instance types.", "data_source": [], "search": "| tstats earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as dest, count from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.instance_type, All_Changes.user | `drop_dm_object_name(\"All_Changes\")` | `drop_dm_object_name(\"Instance_Changes\")` | where instance_type != \"unknown\" | lookup previously_seen_cloud_compute_instance_types instance_type as instance_type OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenInstanceType=min(firstTimeSeen) | where isnull(firstTimeSeenInstanceType) OR firstTimeSeenInstanceType > relative_time(now(), \"-24h@h\") | table firstTime, user, dest, count, instance_type | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_with_previously_unseen_instance_type_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Compute Instance Types - Initial` to build the initial table of instance types observed and times. You must also enable the second baseline search `Previously Seen Cloud Compute Instance Types - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_with_previously_unseen_instance_type_filter` macro.", "known_false_positives": "It is possible that an admin will create a new system using a new instance type that has never been used before. Verify with the creator that they intended to create the system with the new instance type.", "references": [], "tags": {"name": "Cloud Compute Instance Created With Previously Unseen Instance Type", "analytic_story": ["Cloud Cryptomining"], "asset_type": "Cloud Compute Instance", "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": [], "message": "User $user$ is creating an instance $dest$ with an instance type $instance_type$ that has not been previously seen.", "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.object_id", "All_Changes.action", "All_Changes.Instance_Changes.instance_type", "All_Changes.user"], "risk_score": 30, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": ["Change"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloud_compute_instance_created_with_previously_unseen_instance_type_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_cloud_compute_instance_types", "description": "A place holder for a list of used cloud compute instance types", "collection": "previously_seen_cloud_compute_instance_types", "fields_list": "_key, firstTimeSeen, lastTimeSeen, instance_type, enough_data"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml", "source": "cloud"}, {"name": "Cloud Instance Modified By Previously Unseen User", "id": "7fb15084-b14e-405a-bd61-a6de15a40722", "version": 1, "date": "2020-07-29", "author": "Rico Valdez, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search looks for cloud instances being modified by users who have not previously modified them.", "data_source": [], "search": "| tstats `security_content_summariesonly` count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as object_id values(All_Changes.command) as command from datamodel=Change where All_Changes.action=modified All_Changes.change_type=EC2 All_Changes.status=success by All_Changes.user | `drop_dm_object_name(\"All_Changes\")` | lookup previously_seen_cloud_instance_modifications_by_user user as user OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenUser=min(firstTimeSeen) | where isnull(firstTimeSeenUser) OR firstTimeSeenUser > relative_time(now(), \"-24h@h\") | table firstTime user command object_id count | `security_content_ctime(firstTime)` | `cloud_instance_modified_by_previously_unseen_user_filter`", "how_to_implement": "This search has a dependency on other searches to create and update a baseline of users observed to be associated with this activity. The search \"Previously Seen Cloud Instance Modifications By User - Update\" should be enabled for this detection to properly work.", "known_false_positives": "It's possible that a new user will start to modify EC2 instances when they haven't before for any number of reasons. Verify with the user that is modifying instances that this is the intended behavior.", "references": [], "tags": {"name": "Cloud Instance Modified By Previously Unseen User", "analytic_story": ["Suspicious Cloud Instance Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "User $user$ is modifying an instance $dest$ for the first time.", "mitre_attack_id": ["T1078.004", "T1078"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.object_id", "All_Changes.command", "All_Changes.action", "All_Changes.change_type", "All_Changes.status", "All_Changes.user"], "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": ["Change"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "cloud_instance_modified_by_previously_unseen_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_cloud_instance_modifications_by_user", "description": "A table of users seen making instance modifications, and the first and last time that the activity was observed", "collection": "previously_seen_cloud_instance_modifications_by_user", "fields_list": "_key, firstTimeSeen, lastTimeSeen, user, enough_data"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/cloud_instance_modified_by_previously_unseen_user.yml", "source": "cloud"}, {"name": "Cloud Provisioning Activity From Previously Unseen City", "id": "e7ecc5e0-88df-48b9-91af-51104c68f02f", "version": 1, "date": "2020-10-09", "author": "Rico Valdez, Bhavin Patel, Splunk", "type": "Anomaly", "status": "production", "description": "This search looks for cloud provisioning activities from previously unseen cities. Provisioning activities are defined broadly as any event that runs or creates something.", "data_source": [], "search": "| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.object, All_Changes.command | `drop_dm_object_name(\"All_Changes\")` | iplocation src | where isnotnull(City) | lookup previously_seen_cloud_provisioning_activity_sources City as City OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenCity=min(firstTimeSeen) | where isnull(firstTimeSeenCity) OR firstTimeSeenCity > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) | table firstTime, src, City, user, object, command | `cloud_provisioning_activity_from_previously_unseen_city_filter` | `security_content_ctime(firstTime)`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_city_filter` macro.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\\\n This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "references": [], "tags": {"name": "Cloud Provisioning Activity From Previously Unseen City", "analytic_story": ["Suspicious Cloud Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "confidence": 60, "impact": 30, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "User $user$ is starting or creating an instance $dest$ for the first time in City $City$ from IP address $src$", "mitre_attack_id": ["T1078"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.action", "All_Changes.status", "All_Changes.src", "All_Changes.user", "All_Changes.object", "All_Changes.command"], "risk_score": 18, "security_domain": "threat", "risk_severity": "low", "manual_test": "This search needs the baseline to be run first to create a lookup", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": ["Change"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "previously_unseen_cloud_provisioning_activity_window", "definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new provisioning activities"}, {"name": "cloud_provisioning_activity_from_previously_unseen_city_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_cloud_provisioning_activity_sources", "description": "A table of source IPs, geographic locations, and the first and last time that they have that done cloud provisioning activities", "collection": "previously_seen_cloud_provisioning_activity_sources", "fields_list": "_key, src, City, Country, Region, firstTimeSeen, lastTimeSeen, enough_data"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/cloud_provisioning_activity_from_previously_unseen_city.yml", "source": "cloud"}, {"name": "Cloud Provisioning Activity From Previously Unseen Country", "id": "94994255-3acf-4213-9b3f-0494df03bb31", "version": 1, "date": "2020-10-09", "author": "Rico Valdez, Bhavin Patel, Splunk", "type": "Anomaly", "status": "production", "description": "This search looks for cloud provisioning activities from previously unseen countries. Provisioning activities are defined broadly as any event that runs or creates something.", "data_source": [], "search": "| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.object, All_Changes.command | `drop_dm_object_name(\"All_Changes\")` | iplocation src | where isnotnull(Country) | lookup previously_seen_cloud_provisioning_activity_sources Country as Country OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenCountry=min(firstTimeSeen) | where isnull(firstTimeSeenCountry) OR firstTimeSeenCountry > relative_time(now(), \"-24h@h\") | table firstTime, src, Country, user, object, command | `cloud_provisioning_activity_from_previously_unseen_country_filter` | `security_content_ctime(firstTime)`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_country_filter` macro.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\\\n This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "references": [], "tags": {"name": "Cloud Provisioning Activity From Previously Unseen Country", "analytic_story": ["Suspicious Cloud Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "User $user$ is starting or creating an instance $object$ for the first time in Country $Country$ from IP address $src$", "mitre_attack_id": ["T1078"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "object", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.action", "All_Changes.status", "All_Changes.src", "All_Changes.user", "All_Changes.object", "All_Changes.command"], "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "manual_test": "This search needs the baseline to be run first to create a lookup", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": ["Change"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloud_provisioning_activity_from_previously_unseen_country_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_cloud_provisioning_activity_sources", "description": "A table of source IPs, geographic locations, and the first and last time that they have that done cloud provisioning activities", "collection": "previously_seen_cloud_provisioning_activity_sources", "fields_list": "_key, src, City, Country, Region, firstTimeSeen, lastTimeSeen, enough_data"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/cloud_provisioning_activity_from_previously_unseen_country.yml", "source": "cloud"}, {"name": "Cloud Provisioning Activity From Previously Unseen IP Address", "id": "f86a8ec9-b042-45eb-92f4-e9ed1d781078", "version": 1, "date": "2020-08-16", "author": "Rico Valdez, Splunk", "type": "Anomaly", "status": "production", "description": "This search looks for cloud provisioning activities from previously unseen IP addresses. Provisioning activities are defined broadly as any event that runs or creates something.", "data_source": [], "search": "| tstats earliest(_time) as firstTime, latest(_time) as lastTime, values(All_Changes.object_id) as object_id from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.command | `drop_dm_object_name(\"All_Changes\")` | lookup previously_seen_cloud_provisioning_activity_sources src as src OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenSrc=min(firstTimeSeen) | where isnull(firstTimeSeenSrc) OR firstTimeSeenSrc > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) | table firstTime, src, user, object_id, command | `cloud_provisioning_activity_from_previously_unseen_ip_address_filter` | `security_content_ctime(firstTime)`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_ip_address_filter` macro.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\\\n This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "references": [], "tags": {"name": "Cloud Provisioning Activity From Previously Unseen IP Address", "analytic_story": ["Suspicious Cloud Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "User $user$ is starting or creating an instance $object_id$ for the first time from IP address $src$", "mitre_attack_id": ["T1078"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "object_id", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.object_id", "All_Changes.action", "All_Changes.status", "All_Changes.src", "All_Changes.user", "All_Changes.command"], "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "manual_test": "This search needs the baseline to be run first to create a lookup", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": ["Change"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "previously_unseen_cloud_provisioning_activity_window", "definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new provisioning activities"}, {"name": "cloud_provisioning_activity_from_previously_unseen_ip_address_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_cloud_provisioning_activity_sources", "description": "A table of source IPs, geographic locations, and the first and last time that they have that done cloud provisioning activities", "collection": "previously_seen_cloud_provisioning_activity_sources", "fields_list": "_key, src, City, Country, Region, firstTimeSeen, lastTimeSeen, enough_data"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/cloud_provisioning_activity_from_previously_unseen_ip_address.yml", "source": "cloud"}, {"name": "Cloud Provisioning Activity From Previously Unseen Region", "id": "5aba1860-9617-4af9-b19d-aecac16fe4f2", "version": 1, "date": "2020-08-16", "author": "Rico Valdez, Bhavin Patel, Splunk", "type": "Anomaly", "status": "production", "description": "This search looks for cloud provisioning activities from previously unseen regions. Provisioning activities are defined broadly as any event that runs or creates something.", "data_source": [], "search": "| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.object, All_Changes.command | `drop_dm_object_name(\"All_Changes\")` | iplocation src | where isnotnull(Region) | lookup previously_seen_cloud_provisioning_activity_sources Region as Region OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenRegion=min(firstTimeSeen) | where isnull(firstTimeSeenRegion) OR firstTimeSeenRegion > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) | table firstTime, src, Region, user, object, command | `cloud_provisioning_activity_from_previously_unseen_region_filter` | `security_content_ctime(firstTime)`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_region_filter` macro.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\\\n This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "references": [], "tags": {"name": "Cloud Provisioning Activity From Previously Unseen Region", "analytic_story": ["Suspicious Cloud Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "User $user$ is starting or creating an instance $object$ for the first time in region $Region$ from IP address $src$", "mitre_attack_id": ["T1078"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "object", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.action", "All_Changes.status", "All_Changes.src", "All_Changes.user", "All_Changes.object", "All_Changes.command"], "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "manual_test": "This search needs the baseline to be run first to create a lookup", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": ["Change"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "previously_unseen_cloud_provisioning_activity_window", "definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new provisioning activities"}, {"name": "cloud_provisioning_activity_from_previously_unseen_region_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_cloud_provisioning_activity_sources", "description": "A table of source IPs, geographic locations, and the first and last time that they have that done cloud provisioning activities", "collection": "previously_seen_cloud_provisioning_activity_sources", "fields_list": "_key, src, City, Country, Region, firstTimeSeen, lastTimeSeen, enough_data"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/cloud_provisioning_activity_from_previously_unseen_region.yml", "source": "cloud"}, {"name": "Correlation by Repository and Risk", "id": "8da9fdd9-6a1b-4ae0-8a34-8c25e6be9687", "version": 1, "date": "2021-09-06", "author": "Patrick Bareiss, Splunk", "type": "Correlation", "status": "production", "description": "This search correlations detections by repository and risk_score", "data_source": [], "search": "`risk_index` | fillnull | stats sum(risk_score) as risk_score values(source) as signals values(user) as user by repository | sort - risk_score | where risk_score > 80 | `correlation_by_repository_and_risk_filter`", "how_to_implement": "For Dev Sec Ops POC", "known_false_positives": "unknown", "references": [], "tags": {"name": "Correlation by Repository and Risk", "analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Installation"], "message": "Correlation triggered for user $user$", "mitre_attack_id": ["T1204.003", "T1204"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 70, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.003", "mitre_attack_technique": "Malicious Image", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}]}, "datamodel": [], "macros": [{"name": "risk_index", "definition": "index=risk", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "correlation_by_repository_and_risk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/correlation_by_repository_and_risk.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Correlation by User and Risk", "id": "610e12dc-b6fa-4541-825e-4a0b3b6f6773", "version": 1, "date": "2021-09-06", "author": "Patrick Bareiss, Splunk", "type": "Correlation", "status": "production", "description": "This search correlations detections by user and risk_score", "data_source": [], "search": "`risk_index` | fillnull | stats sum(risk_score) as risk_score values(source) as signals values(repository) as repository by user | sort - risk_score | where risk_score > 80 | `correlation_by_user_and_risk_filter`", "how_to_implement": "For Dev Sec Ops POC", "known_false_positives": "unknown", "references": [], "tags": {"name": "Correlation by User and Risk", "analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Installation"], "message": "Correlation triggered for user $user$", "mitre_attack_id": ["T1204.003", "T1204"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 70, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.003", "mitre_attack_technique": "Malicious Image", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}]}, "datamodel": [], "macros": [{"name": "risk_index", "definition": "index=risk", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "correlation_by_user_and_risk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/correlation_by_user_and_risk.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Detect AWS Console Login by New User", "id": "bc91a8cd-35e7-4bb2-6140-e756cc46fd71", "version": 3, "date": "2022-05-10", "author": "Rico Valdez, Splunk", "type": "Hunting", "status": "experimental", "description": "This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour", "data_source": [], "search": "| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user | `drop_dm_object_name(Authentication)` | join user type=outer [ | inputlookup previously_seen_users_console_logins | stats min(firstTime) as earliestseen by user] | eval userStatus=if(earliestseen >= relative_time(now(), \"-24h@h\") OR isnull(earliestseen), \"First Time Logging into AWS Console\", \"Previously Seen User\") | where userStatus=\"First Time Logging into AWS Console\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_aws_console_login_by_new_user_filter`", "how_to_implement": "You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines.", "known_false_positives": "When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.", "references": [], "tags": {"name": "Detect AWS Console Login by New User", "analytic_story": ["Suspicious Cloud Authentication Activities", "AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": ["Weaponization", "Exploitation"], "message": "User $user$ is logging into the AWS console for the first time", "mitre_attack_id": ["T1586", "T1586.003", "T1552"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Authentication.signature", "Authentication.user"], "risk_score": 30, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": ["Authentication"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_aws_console_login_by_new_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_users_console_logins", "description": "A table of users seen doing console logins, and the first and last time that the activity was observed", "collection": "previously_seen_users_console_logins", "fields_list": "_key, firstTime, lastTime, user, src, City, Region, Country"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/detect_aws_console_login_by_new_user.yml", "source": "cloud"}, {"name": "Detect AWS Console Login by User from New City", "id": "121b0b11-f8ac-4ed6-a132-3800ca4fc07a", "version": 2, "date": "2022-08-25", "author": "Bhavin Patel, Eric McGinnis Splunk", "type": "Hunting", "status": "production", "description": "This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour", "data_source": [], "search": "| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | `drop_dm_object_name(Authentication)` | rename City as justSeenCity | table firstTime lastTime user justSeenCity | join user type=outer [| inputlookup previously_seen_users_console_logins | rename City as previouslySeenCity | stats min(firstTime) AS earliestseen by user previouslySeenCity | fields earliestseen user previouslySeenCity] | eval userCity=if(firstTime >= relative_time(now(), \"-24h@h\"), \"New City\",\"Previously Seen City\") | where userCity = \"New City\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime lastTime user previouslySeenCity justSeenCity userCity | `detect_aws_console_login_by_user_from_new_city_filter`", "how_to_implement": "You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_city_filter` macro.", "known_false_positives": "When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.", "references": [], "tags": {"name": "Detect AWS Console Login by User from New City", "analytic_story": ["Suspicious AWS Login Activities", "Suspicious Cloud Authentication Activities", "AWS Identity and Access Management Account Takeover", "Compromised User Account"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "confidence": 60, "impact": 30, "kill_chain_phases": ["Weaponization", "Exploitation"], "message": "User $user$ is logging into the AWS console from City $City$ for the first time", "mitre_attack_id": ["T1586", "T1586.003", "T1535"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Authentication.signature", "Authentication.user", "Authentication.src"], "risk_score": 18, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": ["Authentication"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_aws_console_login_by_user_from_new_city_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_users_console_logins", "description": "A table of users seen doing console logins, and the first and last time that the activity was observed", "collection": "previously_seen_users_console_logins", "fields_list": "_key, firstTime, lastTime, user, src, City, Region, Country"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/detect_aws_console_login_by_user_from_new_city.yml", "source": "cloud"}, {"name": "Detect AWS Console Login by User from New Country", "id": "67bd3def-c41c-4bf6-837b-ae196b4257c6", "version": 2, "date": "2022-08-25", "author": "Bhavin Patel, Eric McGinnis Splunk", "type": "Hunting", "status": "production", "description": "This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour", "data_source": [], "search": "| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | `drop_dm_object_name(Authentication)` | rename Country as justSeenCountry | table firstTime lastTime user justSeenCountry | join user type=outer [| inputlookup previously_seen_users_console_logins | rename Country as previouslySeenCountry | stats min(firstTime) AS earliestseen by user previouslySeenCountry | fields earliestseen user previouslySeenCountry] | eval userCountry=if(firstTime >= relative_time(now(), \"-24h@h\"), \"New Country\",\"Previously Seen Country\") | where userCountry = \"New Country\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime lastTime user previouslySeenCountry justSeenCountry userCountry | `detect_aws_console_login_by_user_from_new_country_filter`", "how_to_implement": "You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_country_filter` macro.", "known_false_positives": "When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.", "references": [], "tags": {"name": "Detect AWS Console Login by User from New Country", "analytic_story": ["Suspicious AWS Login Activities", "Suspicious Cloud Authentication Activities", "AWS Identity and Access Management Account Takeover", "Compromised User Account"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Weaponization", "Exploitation"], "message": "User $user$ is logging into the AWS console from Country $Country$ for the first time", "mitre_attack_id": ["T1586", "T1586.003", "T1535"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Authentication.signature", "Authentication.user", "Authentication.src"], "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": ["Authentication"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_aws_console_login_by_user_from_new_country_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_users_console_logins", "description": "A table of users seen doing console logins, and the first and last time that the activity was observed", "collection": "previously_seen_users_console_logins", "fields_list": "_key, firstTime, lastTime, user, src, City, Region, Country"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/detect_aws_console_login_by_user_from_new_country.yml", "source": "cloud"}, {"name": "Detect AWS Console Login by User from New Region", "id": "9f31aa8e-e37c-46bc-bce1-8b3be646d026", "version": 2, "date": "2022-08-25", "author": "Bhavin Patel, Eric McGinnis Splunk", "type": "Hunting", "status": "production", "description": "This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour", "data_source": [], "search": "| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | `drop_dm_object_name(Authentication)` | rename Region as justSeenRegion | table firstTime lastTime user justSeenRegion | join user type=outer [| inputlookup previously_seen_users_console_logins | rename Region as previouslySeenRegion | stats min(firstTime) AS earliestseen by user previouslySeenRegion | fields earliestseen user previouslySeenRegion] | eval userRegion=if(firstTime >= relative_time(now(), \"-24h@h\"), \"New Region\",\"Previously Seen Region\") | where userRegion= \"New Region\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime lastTime user previouslySeenRegion justSeenRegion userRegion | `detect_aws_console_login_by_user_from_new_region_filter`", "how_to_implement": "You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_region_filter` macro.", "known_false_positives": "When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.", "references": [], "tags": {"name": "Detect AWS Console Login by User from New Region", "analytic_story": ["Suspicious AWS Login Activities", "Suspicious Cloud Authentication Activities", "AWS Identity and Access Management Account Takeover", "Compromised User Account"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation"], "message": "User $user$ is logging into the AWS console from Region $Region$ for the first time", "mitre_attack_id": ["T1586", "T1586.003", "T1535"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Authentication.signature", "Authentication.user", "Authentication.src"], "risk_score": 36, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": ["Authentication"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_aws_console_login_by_user_from_new_region_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_users_console_logins", "description": "A table of users seen doing console logins, and the first and last time that the activity was observed", "collection": "previously_seen_users_console_logins", "fields_list": "_key, firstTime, lastTime, user, src, City, Region, Country"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/detect_aws_console_login_by_user_from_new_region.yml", "source": "cloud"}, {"name": "Detect GCP Storage access from a new IP", "id": "ccc3246a-daa1-11ea-87d0-0242ac130022", "version": 1, "date": "2020-08-10", "author": "Shannon Davis, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search looks at GCP Storage bucket-access logs and detects new or previously unseen remote IP addresses that have successfully accessed a GCP Storage bucket.", "data_source": [], "search": "`google_gcp_pubsub_message` | multikv | rename sc_status_ as status | rename cs_object_ as bucket_name | rename c_ip_ as remote_ip | rename cs_uri_ as request_uri | rename cs_method_ as operation | search status=\"\\\"200\\\"\" | stats earliest(_time) as firstTime latest(_time) as lastTime by bucket_name remote_ip operation request_uri | table firstTime, lastTime, bucket_name, remote_ip, operation, request_uri | inputlookup append=t previously_seen_gcp_storage_access_from_remote_ip | stats min(firstTime) as firstTime, max(lastTime) as lastTime by bucket_name remote_ip operation request_uri | outputlookup previously_seen_gcp_storage_access_from_remote_ip | eval newIP=if(firstTime >= relative_time(now(),\"-70m@m\"), 1, 0) | where newIP=1 | eval first_time=strftime(firstTime,\"%m/%d/%y %H:%M:%S\") | eval last_time=strftime(lastTime,\"%m/%d/%y %H:%M:%S\") | table first_time last_time bucket_name remote_ip operation request_uri | `detect_gcp_storage_access_from_a_new_ip_filter`", "how_to_implement": "This search relies on the Splunk Add-on for Google Cloud Platform, setting up a Cloud Pub/Sub input, along with the relevant GCP PubSub topics and logging sink to capture GCP Storage Bucket events (https://cloud.google.com/logging/docs/routing/overview). In order to capture public GCP Storage Bucket access logs, you must also enable storage bucket logging to your PubSub Topic as per https://cloud.google.com/storage/docs/access-logs. These logs are deposited into the nominated Storage Bucket on an hourly basis and typically show up by 15 minutes past the hour. It is recommended to configure any saved searches or correlation searches in Enterprise Security to run on an hourly basis at 30 minutes past the hour (cron definition of 30 * * * *). A lookup table (previously_seen_gcp_storage_access_from_remote_ip.csv) stores the previously seen access requests, and is used by this search to determine any newly seen IP addresses accessing the Storage Buckets.", "known_false_positives": "GCP Storage buckets can be accessed from any IP (if the ACLs are open to allow it), as long as it can make a successful connection. This will be a false postive, since the search is looking for a new IP within the past two hours.", "references": [], "tags": {"name": "Detect GCP Storage access from a new IP", "analytic_story": ["Suspicious GCP Storage Activities"], "asset_type": "GCP Storage Bucket", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1530"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "sc_status_", "cs_object_", "c_ip_", "cs_uri_", "cs_method_"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1530", "mitre_attack_technique": "Data from Cloud Storage", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Fox Kitten"]}]}, "datamodel": [], "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_gcp_storage_access_from_a_new_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_gcp_storage_access_from_remote_ip", "description": "A place holder for a list of GCP storage access from remote IPs", "collection": "previously_seen_gcp_storage_access_from_remote_ip", "fields_list": "_key, firstTime, lastTime, bucket_name, remote_ip, operation, request_uri"}, {"name": "previously_seen_gcp_storage_access_from_remote_ip", "description": "A place holder for a list of GCP storage access from remote IPs", "collection": "previously_seen_gcp_storage_access_from_remote_ip", "fields_list": "_key, firstTime, lastTime, bucket_name, remote_ip, operation, request_uri"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/detect_gcp_storage_access_from_a_new_ip.yml", "source": "cloud"}, {"name": "Detect New Open GCP Storage Buckets", "id": "f6ea3466-d6bb-11ea-87d0-0242ac130003", "version": 1, "date": "2020-08-05", "author": "Shannon Davis, Splunk", "type": "TTP", "status": "experimental", "description": "This search looks for GCP PubSub events where a user has created an open/public GCP Storage bucket.", "data_source": [], "search": "`google_gcp_pubsub_message` data.resource.type=gcs_bucket data.protoPayload.methodName=storage.setIamPermissions | spath output=action path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.action | spath output=user path=data.protoPayload.authenticationInfo.principalEmail | spath output=location path=data.protoPayload.resourceLocation.currentLocations{} | spath output=src path=data.protoPayload.requestMetadata.callerIp | spath output=bucketName path=data.protoPayload.resourceName | spath output=role path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.role | spath output=member path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.member | search (member=allUsers AND action=ADD) | table _time, bucketName, src, user, location, action, role, member | search `detect_new_open_gcp_storage_buckets_filter`", "how_to_implement": "This search relies on the Splunk Add-on for Google Cloud Platform, setting up a Cloud Pub/Sub input, along with the relevant GCP PubSub topics and logging sink to capture GCP Storage Bucket events (https://cloud.google.com/logging/docs/routing/overview).", "known_false_positives": "While this search has no known false positives, it is possible that a GCP admin has legitimately created a public bucket for a specific purpose. That said, GCP strongly advises against granting full control to the \"allUsers\" group.", "references": [], "tags": {"name": "Detect New Open GCP Storage Buckets", "analytic_story": ["Suspicious GCP Storage Activities"], "asset_type": "GCP Storage Bucket", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1530"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "data.resource.type", "data.protoPayload.methodName", "data.protoPayload.serviceData.policyDelta.bindingDeltas{}.action", "data.protoPayload.authenticationInfo.principalEmail", "data.protoPayload.resourceLocation.currentLocations{}", "data.protoPayload.requestMetadata.callerIp", "data.protoPayload.resourceName", "data.protoPayload.serviceData.policyDelta.bindingDeltas{}.role", "data.protoPayload.serviceData.policyDelta.bindingDeltas{}.member"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1530", "mitre_attack_technique": "Data from Cloud Storage", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Fox Kitten"]}]}, "datamodel": ["Email"], "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_new_open_gcp_storage_buckets_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/detect_new_open_gcp_storage_buckets.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Detect New Open S3 buckets", "id": "2a9b80d3-6340-4345-b5ad-290bf3d0dac4", "version": 3, "date": "2021-07-19", "author": "Bhavin Patel, Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket.", "data_source": [], "search": "`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl | rex field=_raw \"(?{.+})\" | spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} | search grantees=* | mvexpand grantees | spath input=grantees output=uri path=Grantee.URI | spath input=grantees output=permission path=Permission | search uri IN (\"http://acs.amazonaws.com/groups/global/AllUsers\",\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\") | search permission IN (\"READ\",\"READ_ACP\",\"WRITE\",\"WRITE_ACP\",\"FULL_CONTROL\") | rename requestParameters.bucketName AS bucketName | stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_new_open_s3_buckets_filter` ", "how_to_implement": "You must install the AWS App for Splunk.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately created a public bucket for a specific purpose. That said, AWS strongly advises against granting full control to the \"All Users\" group.", "references": [], "tags": {"name": "Detect New Open S3 buckets", "analytic_story": ["Suspicious AWS S3 Activities"], "asset_type": "S3 Bucket", "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "User $user_arn$ has created an open/public bucket $bucketName$ with the following permissions $permission$", "mitre_attack_id": ["T1530"], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Attacker"]}, {"name": "bucketName", "type": "Other", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventSource", "eventName", "requestParameters.bucketName", "user_arn", "userIdentity.principalId", "userAgent", "uri", "permission"], "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1530", "mitre_attack_technique": "Data from Cloud Storage", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Fox Kitten"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1530/aws_s3_public_bucket/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_new_open_s3_buckets_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/detect_new_open_s3_buckets.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "Detect New Open S3 Buckets over AWS CLI", "id": "39c61d09-8b30-4154-922b-2d0a694ecc22", "version": 2, "date": "2021-07-19", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket over the aws cli.", "data_source": [], "search": "`cloudtrail` eventSource=\"s3.amazonaws.com\" (userAgent=\"[aws-cli*\" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN (\"*AuthenticatedUsers\",\"*AllUsers\") OR requestParameters.accessControlList.x-amz-grant-write IN (\"*AuthenticatedUsers\",\"*AllUsers\") OR requestParameters.accessControlList.x-amz-grant-write-acp IN (\"*AuthenticatedUsers\",\"*AllUsers\") OR requestParameters.accessControlList.x-amz-grant-full-control IN (\"*AuthenticatedUsers\",\"*AllUsers\") | rename requestParameters.bucketName AS bucketName | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_new_open_s3_buckets_over_aws_cli_filter` ", "how_to_implement": "", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately created a public bucket for a specific purpose. That said, AWS strongly advises against granting full control to the \"All Users\" group.", "references": [], "tags": {"name": "Detect New Open S3 Buckets over AWS CLI", "analytic_story": ["Suspicious AWS S3 Activities"], "asset_type": "S3 Bucket", "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "User $userIdentity.userName$ has created an open/public bucket $bucketName$ using AWS CLI with the following permissions - $requestParameters.accessControlList.x-amz-grant-read$ $requestParameters.accessControlList.x-amz-grant-read-acp$ $requestParameters.accessControlList.x-amz-grant-write$ $requestParameters.accessControlList.x-amz-grant-write-acp$ $requestParameters.accessControlList.x-amz-grant-full-control$", "mitre_attack_id": ["T1530"], "nist": ["DE.CM"], "observable": [{"name": "userIdentity.userName", "type": "User", "role": ["Attacker"]}, {"name": "bucketName", "type": "Other", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventSource", "eventName", "requestParameters.accessControlList.x-amz-grant-read-acp", "requestParameters.accessControlList.x-amz-grant-write", "requestParameters.accessControlList.x-amz-grant-write-acp", "requestParameters.accessControlList.x-amz-grant-full-control", "requestParameters.bucketName", "userIdentity.userName", "userIdentity.principalId", "userAgent", "bucketName"], "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1530", "mitre_attack_technique": "Data from Cloud Storage", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Fox Kitten"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1530/aws_s3_public_bucket/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_new_open_s3_buckets_over_aws_cli_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/detect_new_open_s3_buckets_over_aws_cli.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "Detect S3 access from a new IP", "id": "e6f1bb1b-f441-492b-9126-902acda217da", "version": 1, "date": "2018-06-28", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search looks at S3 bucket-access logs and detects new or previously unseen remote IP addresses that have successfully accessed an S3 bucket.", "data_source": [], "search": "`aws_s3_accesslogs` http_status=200 [search `aws_s3_accesslogs` http_status=200 | stats earliest(_time) as firstTime latest(_time) as lastTime by bucket_name remote_ip | inputlookup append=t previously_seen_S3_access_from_remote_ip | stats min(firstTime) as firstTime, max(lastTime) as lastTime by bucket_name remote_ip | outputlookup previously_seen_S3_access_from_remote_ip| eval newIP=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newIP=1 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | table bucket_name remote_ip]| iplocation remote_ip |rename remote_ip as src_ip | table _time bucket_name src_ip City Country operation request_uri | `detect_s3_access_from_a_new_ip_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your S3 access logs' inputs. This search works best when you run the \"Previously Seen S3 Bucket Access by Remote IP\" support search once to create a history of previously seen remote IPs and bucket names.", "known_false_positives": "S3 buckets can be accessed from any IP, as long as it can make a successful connection. This will be a false postive, since the search is looking for a new IP within the past hour", "references": [], "tags": {"name": "Detect S3 access from a new IP", "analytic_story": ["Suspicious AWS S3 Activities"], "asset_type": "S3 Bucket", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1530"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "http_status", "bucket_name", "remote_ip"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1530", "mitre_attack_technique": "Data from Cloud Storage", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Fox Kitten"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_s3_accesslogs", "definition": "sourcetype=aws:s3:accesslogs", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_s3_access_from_a_new_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_S3_access_from_remote_ip", "description": "A placeholder for a list of IPs that have access S3", "collection": "previously_seen_S3_access_from_remote_ip", "fields_list": "_key, bucket_name,remote_ip,earliest,latest"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/detect_s3_access_from_a_new_ip.yml", "source": "cloud"}, {"name": "Detect Spike in AWS Security Hub Alerts for EC2 Instance", "id": "2a9b80d3-6340-4345-b5ad-290bf5d0d222", "version": 3, "date": "2021-01-26", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "production", "description": "This search looks for a spike in number of of AWS security Hub alerts for an EC2 instance in 4 hours intervals", "data_source": [], "search": "`aws_securityhub_finding` \"Resources{}.Type\"=AWSEC2Instance | bucket span=4h _time | stats count AS alerts values(Title) as Title values(Types{}) as Types values(vendor_account) as vendor_account values(vendor_region) as vendor_region values(severity) as severity by _time dest | eventstats avg(alerts) as total_alerts_avg, stdev(alerts) as total_alerts_stdev | eval threshold_value = 3 | eval isOutlier=if(alerts > total_alerts_avg+(total_alerts_stdev * threshold_value), 1, 0) | search isOutlier=1 | table _time dest alerts Title Types vendor_account vendor_region severity isOutlier total_alerts_avg | `detect_spike_in_aws_security_hub_alerts_for_ec2_instance_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your Security Hub inputs. The threshold_value should be tuned to your environment and schedule these searches according to the bucket span interval.", "known_false_positives": "None", "references": [], "tags": {"name": "Detect Spike in AWS Security Hub Alerts for EC2 Instance", "analytic_story": ["AWS Security Hub Alerts"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": [], "message": "Spike in AWS security Hub alerts with title $Title$ for EC2 instance $dest$", "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Resources{}.Type", "Title", "Types{}", "vendor_account", "vendor_region", "severity", "dest"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/security_hub_ec2_spike/security_hub_ec2_spike.json", "source": "aws_securityhub_finding", "sourcetype": "aws:securityhub:finding"}]}], "datamodel": [], "macros": [{"name": "aws_securityhub_finding", "definition": "sourcetype=\"aws:securityhub:finding\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_spike_in_aws_security_hub_alerts_for_ec2_instance_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_ec2_instance.yml", "source": "cloud"}, {"name": "Detect Spike in AWS Security Hub Alerts for User", "id": "2a9b80d3-6220-4345-b5ad-290bf5d0d222", "version": 3, "date": "2021-01-26", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search looks for a spike in number of of AWS security Hub alerts for an AWS IAM User in 4 hours intervals.", "data_source": [], "search": "`aws_securityhub_finding` \"findings{}.Resources{}.Type\"= AwsIamUser | rename findings{}.Resources{}.Id as user | bucket span=4h _time | stats count AS alerts by _time user | eventstats avg(alerts) as total_launched_avg, stdev(alerts) as total_launched_stdev | eval threshold_value = 2 | eval isOutlier=if(alerts > total_launched_avg+(total_launched_stdev * threshold_value), 1, 0) | search isOutlier=1 | table _time user alerts |`detect_spike_in_aws_security_hub_alerts_for_user_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your Security Hub inputs. The threshold_value should be tuned to your environment and schedule these searches according to the bucket span interval.", "known_false_positives": "None", "references": [], "tags": {"name": "Detect Spike in AWS Security Hub Alerts for User", "analytic_story": ["AWS Security Hub Alerts"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "findings{}.Resources{}.Type", "indings{}.Resources{}.Id", "user"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "aws_securityhub_finding", "definition": "sourcetype=\"aws:securityhub:finding\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_spike_in_aws_security_hub_alerts_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_user.yml", "source": "cloud"}, {"name": "Detect Spike in blocked Outbound Traffic from your AWS", "id": "d3fffa37-492f-487b-a35d-c60fcb2acf01", "version": 1, "date": "2018-05-07", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search will detect spike in blocked outbound network connections originating from within your AWS environment. It will also update the cache file that factors in the latest data.", "data_source": [], "search": "`cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) [search `cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) | stats count as numberOfBlockedConnections by src_ip | inputlookup baseline_blocked_outbound_connections append=t | fields - latestCount | stats values(*) as * by src_ip | rename numberOfBlockedConnections as latestCount | eval newAvgBlockedConnections=avgBlockedConnections + (latestCount-avgBlockedConnections)/720 | eval newStdevBlockedConnections=sqrt(((pow(stdevBlockedConnections, 2)*719 + (latestCount-newAvgBlockedConnections)*(latestCount-avgBlockedConnections))/720)) | eval avgBlockedConnections=coalesce(newAvgBlockedConnections, avgBlockedConnections), stdevBlockedConnections=coalesce(newStdevBlockedConnections, stdevBlockedConnections), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table src_ip, latestCount, numDataPoints, avgBlockedConnections, stdevBlockedConnections | outputlookup baseline_blocked_outbound_connections | eval dataPointThreshold = 5, deviationThreshold = 3 | eval isSpike=if((latestCount > avgBlockedConnections+deviationThreshold*stdevBlockedConnections) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | table src_ip] | stats values(dest_ip) as \"Blocked Destination IPs\", values(interface_id) as \"resourceId\" count as numberOfBlockedConnections, dc(dest_ip) as uniqueDestConnections by src_ip | `detect_spike_in_blocked_outbound_traffic_from_your_aws_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your VPC Flow logs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the number of data points required to meet the definition of \"spike.\" The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the \"Baseline of Blocked Outbound Connection\" support search once to create a history of previously seen blocked outbound connections.", "known_false_positives": "The false-positive rate may vary based on the values of`dataPointThreshold` and `deviationThreshold`. Additionally, false positives may result when AWS administrators roll out policies enforcing network blocks, causing sudden increases in the number of blocked outbound connections.", "references": [], "tags": {"name": "Detect Spike in blocked Outbound Traffic from your AWS", "analytic_story": ["AWS Network ACL Activity", "Suspicious AWS Traffic", "Command And Control"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "action", "src_ip", "dest_ip"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "cloudwatchlogs_vpcflow", "definition": "sourcetype=aws:cloudwatchlogs:vpcflow", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_spike_in_blocked_outbound_traffic_from_your_aws_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "baseline_blocked_outbound_connections", "description": "A lookup file that will contain the baseline information for number of blocked outbound connections", "filename": "baseline_blocked_outbound_connections.csv"}, {"name": "baseline_blocked_outbound_connections", "description": "A lookup file that will contain the baseline information for number of blocked outbound connections", "filename": "baseline_blocked_outbound_connections.csv"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/detect_spike_in_blocked_outbound_traffic_from_your_aws.yml", "source": "cloud"}, {"name": "Detect Spike in S3 Bucket deletion", "id": "e733a326-59d2-446d-b8db-14a17151aa68", "version": 1, "date": "2018-11-27", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search detects users creating spikes in API activity related to deletion of S3 buckets in your AWS environment. It will also update the cache file that factors in the latest data.", "data_source": [], "search": "`cloudtrail` eventName=DeleteBucket [search `cloudtrail` eventName=DeleteBucket | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup s3_deletion_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup s3_deletion_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | spath output=bucketName path=requestParameters.bucketName | stats values(bucketName) as bucketName, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_s3_bucket_deletion_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the \"Baseline of S3 Bucket deletion activity by ARN\" support search once to create a baseline of previously seen S3 bucket-deletion activity.", "known_false_positives": "Based on the values of`dataPointThreshold` and `deviationThreshold`, the false positive rate may vary. Please modify this according the your environment.", "references": [], "tags": {"name": "Detect Spike in S3 Bucket deletion", "analytic_story": ["Suspicious AWS S3 Activities"], "asset_type": "S3 Bucket", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1530"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "userIdentity.arn"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1530", "mitre_attack_technique": "Data from Cloud Storage", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Fox Kitten"]}]}, "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_spike_in_s3_bucket_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "s3_deletion_baseline", "description": "A placeholder for the baseline information for AWS S3 deletions", "collection": "s3_deletion_baseline", "fields_list": "_key, arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls"}, {"name": "s3_deletion_baseline", "description": "A placeholder for the baseline information for AWS S3 deletions", "collection": "s3_deletion_baseline", "fields_list": "_key, arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/detect_spike_in_s3_bucket_deletion.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "GCP Authentication Failed During MFA Challenge", "id": "345f7e1d-a3fe-4158-abd8-e630f9878323", "version": 1, "date": "2022-10-12", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies an authentication attempt event against a Google Cloud Platform tenant that fails during the Multi Factor Authentication challenge. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled. ", "data_source": [], "search": " `gws_reports_login` event.name=login_failure `gws_login_mfa_methods` | stats values(user) by _time, src_ip, login_challenge_method | `gcp_authentication_failed_during_mfa_challenge_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. Specifically, this analytic leverages the User log events.", "known_false_positives": "Legitimate users may miss to reply the MFA challenge within the time window or deny it by mistake.", "references": ["https://attack.mitre.org/techniques/T1621/", "https://attack.mitre.org/techniques/T1078/004/"], "tags": {"name": "GCP Authentication Failed During MFA Challenge", "analytic_story": ["GCP Account Takeover"], "asset_type": "Google Cloud Platform tenant", "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "message": "User $user$ failed to pass MFA challenge", "mitre_attack_id": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "user", "src_ip", "login_challenge_method", "event.parameters{}.multiValue{}"], "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/gcp_failed_mfa/gws_login.log", "source": "gws:reports:login", "sourcetype": "gws:reports:login", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "gws_login_mfa_methods", "definition": "event.parameters{}.multiValue{} IN (\"backup_code\", \"google_authenticator\", \"google_prompt\", \"idv_any_phone\", \"idv_preregistered_phone\", \"internal_two_factor\", \"knowledge_employee_id\", \"knowledge_preregistered_email\", \"login_location\", \"knowledge_preregistered_phone\", \"offline_otp\", \"security_key\", \"security_key_otp\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gws_reports_login", "definition": "sourcetype=gws:reports:login", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gcp_authentication_failed_during_mfa_challenge_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/gcp_authentication_failed_during_mfa_challenge.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "GCP Detect gcploit framework", "id": "a1c5a85e-a162-410c-a5d9-99ff639e5a52", "version": 1, "date": "2020-10-08", "author": "Rod Soto, Splunk", "type": "TTP", "status": "experimental", "description": "This search provides detection of GCPloit exploitation framework. This framework can be used to escalate privileges and move laterally from compromised high privilege accounts.", "data_source": [], "search": "`google_gcp_pubsub_message` data.protoPayload.request.function.timeout=539s | table src src_user data.resource.labels.project_id data.protoPayload.request.function.serviceAccountEmail data.protoPayload.authorizationInfo{}.permission data.protoPayload.request.location http_user_agent | `gcp_detect_gcploit_framework_filter`", "how_to_implement": "You must install splunk GCP add-on. This search works with gcp:pubsub:message logs", "known_false_positives": "Payload.request.function.timeout value can possibly be match with other functions or requests however the source user and target request account may indicate an attempt to move laterally accross acounts or projects", "references": ["https://github.com/dxa4481/gcploit", "https://www.youtube.com/watch?v=Ml09R38jpok"], "tags": {"name": "GCP Detect gcploit framework", "analytic_story": ["GCP Cross Account Activity"], "asset_type": "GCP Account", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "data.protoPayload.request.function.timeout", "src", "src_user", "data.resource.labels.project_id", "data.protoPayload.request.function.serviceAccountEmail", "data.protoPayload.authorizationInfo{}.permission", "data.protoPayload.request.location", "http_user_agent"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "datamodel": ["Email"], "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gcp_detect_gcploit_framework_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/gcp_detect_gcploit_framework.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "GCP Kubernetes cluster pod scan detection", "id": "19b53215-4a16-405b-8087-9e6acf619842", "version": 1, "date": "2020-07-17", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "experimental", "description": "This search provides information of unauthenticated requests via user agent, and authentication data against Kubernetes cluster's pods", "data_source": [], "search": "`google_gcp_pubsub_message` category=kube-audit |spath input=properties.log |search responseStatus.code=401 |table sourceIPs{} userAgent verb requestURI responseStatus.reason properties.pod | `gcp_kubernetes_cluster_pod_scan_detection_filter`", "how_to_implement": "You must install the GCP App for Splunk (version 2.0.0 or later), then configure stackdriver and set a Pub/Sub subscription to be imported to Splunk.", "known_false_positives": "Not all unauthenticated requests are malicious, but frequency, User Agent, source IPs and pods will provide context.", "references": [], "tags": {"name": "GCP Kubernetes cluster pod scan detection", "analytic_story": ["Kubernetes Scanning Activity"], "asset_type": "GCP Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1526"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "category", "responseStatus.code", "sourceIPs{}", "userAgent", "verb", "requestURI", "responseStatus.reason", "properties.pod"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "datamodel": [], "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gcp_kubernetes_cluster_pod_scan_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/gcp_kubernetes_cluster_pod_scan_detection.yml", "source": "cloud"}, {"name": "GCP Multi-Factor Authentication Disabled", "id": "b9bc5513-6fc1-4821-85a3-e1d81e451c83", "version": 1, "date": "2022-10-12", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies an attempt to disable multi-factor authentication for a GCP user. An adversary who has obtained access to an GCP tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users.", "data_source": [], "search": " `gws_reports_admin` command=UNENROLL_USER_FROM_STRONG_AUTH | stats values(user) by _time, command, actor.email, status | `gcp_multi_factor_authentication_disabled_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. Specifically, this analytic leverages the Admin log events.", "known_false_positives": "Legitimate use case may require for users to disable MFA. Filter as needed.", "references": ["https://support.google.com/cloudidentity/answer/2537800?hl=en", "https://attack.mitre.org/tactics/TA0005/", "https://attack.mitre.org/techniques/T1556/"], "tags": {"name": "GCP Multi-Factor Authentication Disabled", "analytic_story": ["GCP Account Takeover"], "asset_type": "GCP", "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Weaponization", "Exploitation", "Installation"], "message": "MFA disabled for User $user$ initiated by $actor.email$", "mitre_attack_id": ["T1586", "T1586.003", "T1556", "T1556.006"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "actor.email", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "actor.email", "user", "command", "status"], "risk_score": 45, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/gcp_disable_mfa/gws_admin.log", "source": "gws:reports:admin", "sourcetype": "gws:reports:admin", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "gws_reports_admin", "definition": "sourcetype=gws:reports:admin", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gcp_multi_factor_authentication_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/gcp_multi_factor_authentication_disabled.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "GCP Multiple Failed MFA Requests For User", "id": "cbb3cb84-c06f-4393-adcc-5cb6195621f1", "version": 1, "date": "2022-10-14", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies multiple failed multi-factor authentication requests for a single user within a Google Cloud Platform tenant. Specifically, the analytic triggers when 10 or more MFA user prompts fail within 5 minutes. Google CLoud tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others.", "data_source": [], "search": " `gws_reports_login` event.name=login_failure `gws_login_mfa_methods` | bucket span=5m _time | stats dc(_raw) AS mfa_prompts values(user) by src_ip, login_challenge_method, _time | where mfa_prompts >= 10 | `gcp_multiple_failed_mfa_requests_for_user_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. We would also recommend tuning the detection by adjusting the window `span` and `mfa_prompts` threshold values according to your environment. Specifically, this analytic leverages the User log events.", "known_false_positives": "Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed.", "references": ["https://www.mandiant.com/resources/blog/russian-targeting-gov-business", "https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/", "https://therecord.media/russian-hackers-bypass-2fa-by-annoying-victims-with-repeated-push-notifications/", "https://attack.mitre.org/techniques/T1621/", "https://attack.mitre.org/techniques/T1078/004/"], "tags": {"name": "GCP Multiple Failed MFA Requests For User", "analytic_story": ["GCP Account Takeover"], "asset_type": "Google Cloud Platform tenant", "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "message": "Multiple Failed MFA requests for user $user$", "mitre_attack_id": ["T1586", "T1586.003", "T1621", "T1078", "T1078.004"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": null, "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/multiple_failed_mfa_gws/gws_login.log", "source": "gws:reports:login", "sourcetype": "gws:reports:login", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "gws_login_mfa_methods", "definition": "event.parameters{}.multiValue{} IN (\"backup_code\", \"google_authenticator\", \"google_prompt\", \"idv_any_phone\", \"idv_preregistered_phone\", \"internal_two_factor\", \"knowledge_employee_id\", \"knowledge_preregistered_email\", \"login_location\", \"knowledge_preregistered_phone\", \"offline_otp\", \"security_key\", \"security_key_otp\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gws_reports_login", "definition": "sourcetype=gws:reports:login", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gcp_multiple_failed_mfa_requests_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/gcp_multiple_failed_mfa_requests_for_user.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "GCP Multiple Users Failing To Authenticate From Ip", "id": "da20828e-d6fb-4ee5-afb7-d0ac200923d5", "version": 1, "date": "2022-10-12", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies one source Ip failing to authenticate into the Google Workspace user accounts with more than 20 unique valid users within 5 minutes. These user accounts may have other privileges with respect to access to other sensitive resources in the Google Cloud Platform. This behavior could represent an adversary performing a Password Spraying attack against an Google Workspace environment to obtain initial access or elevate privileges.", "data_source": [], "search": "`gws_reports_login` event.type = login event.name = login_failure | bucket span=5m _time | stats count dc(user) AS unique_accounts values(user) as tried_accounts values(authentication_method) AS authentication_method earliest(_time) as firstTime latest(_time) as lastTime by _time event.name src app id.applicationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where unique_accounts > 20 | `gcp_multiple_users_failing_to_authenticate_from_ip_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. We would also recommend tuning the detection by adjusting the window `span` and `unique_accounts` threshold values according to your environment. Specifically, this analytic leverages the User log events.", "known_false_positives": "No known false postives for this detection. Please review this alert.", "references": ["https://cloud.google.com/blog/products/identity-security/how-google-cloud-can-help-stop-credential-stuffing-attacks", "https://www.slideshare.net/dafthack/ok-google-how-do-i-red-team-gsuite", "https://attack.mitre.org/techniques/T1110/003/", "https://www.blackhillsinfosec.com/wp-content/uploads/2020/05/Breaching-the-Cloud-Perimeter-Slides.pdf"], "tags": {"name": "GCP Multiple Users Failing To Authenticate From Ip", "analytic_story": ["GCP Account Takeover"], "asset_type": "Google Cloud Platform tenant", "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation"], "message": "Multiple failed login attempts against users $tried_accounts$ seen from $src_ip$", "mitre_attack_id": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "tried_accounts", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "event.name", "event.type", "authentication_method", "app", "id.applicationName", "src"], "risk_score": 54, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/gcp_gws_multiple_login_failure/gws_login.json", "source": "gws_login", "sourcetype": "gws:reports:login", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "gws_reports_login", "definition": "sourcetype=gws:reports:login", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gcp_multiple_users_failing_to_authenticate_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/gcp_multiple_users_failing_to_authenticate_from_ip.yml", "source": "cloud"}, {"name": "GCP Successful Single-Factor Authentication", "id": "40e17d88-87da-414e-b253-8dc1e4f9555b", "version": 1, "date": "2022-10-12", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a successful authentication event against Google Cloud Platform for an account without Multi-Factor Authentication enabled. This could be evidence of a missconfiguration, a policy violation or an account take over attempt that should be investigated", "data_source": [], "search": " `gws_reports_login` event.name=login_success NOT `gws_login_mfa_methods` | stats values(user) by _time, src_ip, login_challenge_method | `gcp_successful_single_factor_authentication_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. Specifically, this analytic leverages the User log events.", "known_false_positives": "Although not recommended, certain users may be required without multi-factor authentication. Filter as needed", "references": ["https://attack.mitre.org/techniques/T1078/004/", "https://support.google.com/a/answer/175197?hl=en", "https://www.forbes.com/sites/daveywinder/2020/07/08/new-dark-web-audit-reveals-15-billion-stolen-logins-from-100000-breaches-passwords-hackers-cybercrime/?sh=69927b2a180f"], "tags": {"name": "GCP Successful Single-Factor Authentication", "analytic_story": ["GCP Account Takeover"], "asset_type": "Google Cloud Platform tenant", "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "message": "Successful authentication for user $user$ without MFA", "mitre_attack_id": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "event.name", "event.parameters{}.multiValue{}", "user", "src_ip", "login_challenge_method"], "risk_score": 45, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/gcp_single_factor_auth/gws_login.log", "source": "gws:reports:login", "sourcetype": "gws:reports:login", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "gws_login_mfa_methods", "definition": "event.parameters{}.multiValue{} IN (\"backup_code\", \"google_authenticator\", \"google_prompt\", \"idv_any_phone\", \"idv_preregistered_phone\", \"internal_two_factor\", \"knowledge_employee_id\", \"knowledge_preregistered_email\", \"login_location\", \"knowledge_preregistered_phone\", \"offline_otp\", \"security_key\", \"security_key_otp\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gws_reports_login", "definition": "sourcetype=gws:reports:login", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gcp_successful_single_factor_authentication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/gcp_successful_single_factor_authentication.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "GCP Unusual Number of Failed Authentications From Ip", "id": "bd8097ed-958a-4873-87d9-44f2b4d85705", "version": 1, "date": "2022-10-13", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies one source IP failing to authenticate into the Google Workspace with multiple valid users. This behavior could represent an adversary performing a Password Spraying attack against a Google Workspace enviroment to obtain initial access or elevate privileges. The detection calculates the standard deviation for source IP and leverages the 3-sigma statistical rule to identify an unusual number of failed authentication attempts. To customize this analytic, users can try different combinations of the bucket span time and the calculation of the upperBound field. This logic can be used for real time security monitoring as well as threat hunting exercises. While looking for anomalies using statistical methods like the standard deviation can have benefits, we also recommend using threshold-based detections to complement coverage. A similar analytic following the threshold model is `GCP Multiple Users Failing To Authenticate From Ip`", "data_source": [], "search": "`gws_reports_login` event.type = login event.name = login_failure| bucket span=5m _time | stats dc(user_name) AS unique_accounts values(user_name) as tried_accounts values(authentication_method) AS authentication_method by _time, src | eventstats avg(unique_accounts) as ip_avg , stdev(unique_accounts) as ip_std by _time | eval upperBound=(ip_avg+ip_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | where isOutlier =1| `gcp_unusual_number_of_failed_authentications_from_ip_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. We would also recommend tuning the detection by adjusting the window `span` and `unique_accounts` threshold values according to your environment. Specifically, this analytic leverages the User log events.", "known_false_positives": "No known false positives for this detection. Please review this alert", "references": ["https://cloud.google.com/blog/products/identity-security/how-google-cloud-can-help-stop-credential-stuffing-attacks", "https://www.slideshare.net/dafthack/ok-google-how-do-i-red-team-gsuite", "https://attack.mitre.org/techniques/T1110/003/", "https://www.blackhillsinfosec.com/wp-content/uploads/2020/05/Breaching-the-Cloud-Perimeter-Slides.pdf"], "tags": {"name": "GCP Unusual Number of Failed Authentications From Ip", "analytic_story": ["GCP Account Takeover"], "asset_type": "Google Cloud Platform tenant", "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation"], "message": "Unusual number of failed console login attempts against users $tried_accounts$ seen from $src_ip$", "mitre_attack_id": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "tried_accounts", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "event.name", "src", "event.type", "user_name"], "risk_score": 54, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/gcp_gws_multiple_login_failure/gws_login.json", "source": "gws_login", "sourcetype": "gws:reports:login", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "gws_reports_login", "definition": "sourcetype=gws:reports:login", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gcp_unusual_number_of_failed_authentications_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/gcp_unusual_number_of_failed_authentications_from_ip.yml", "source": "cloud"}, {"name": "Gdrive suspicious file sharing", "id": "a7131dae-34e3-11ec-a2de-acde48001122", "version": 1, "date": "2021-10-24", "author": "Rod Soto, Teoderick Contreras", "type": "Hunting", "status": "experimental", "description": "This search can help the detection of compromised accounts or internal users sharing potentially malicious/classified documents with users outside your organization via GSuite file sharing .", "data_source": [], "search": "`gsuite_drive` name=change_user_access | rename parameters.* as * | search email = \"*@yourdomain.com\" target_user != \"*@yourdomain.com\" | stats count values(owner) as owner values(target_user) as target values(doc_type) as doc_type values(doc_title) as doc_title dc(target_user) as distinct_target by src_ip email | where distinct_target > 50 | `gdrive_suspicious_file_sharing_filter`", "how_to_implement": "Need to implement Gsuite logging targeting Google suite drive activity. In order for the search to work for your environment please update `yourdomain.com` value in the query with the domain relavant for your organization.", "known_false_positives": "This is an anomaly search, you must specify your domain in the parameters so it either filters outside domains or focus on internal domains. This search may also help investigate compromise of accounts. By looking at for example source ip addresses, document titles and abnormal number of shares and shared target users.", "references": ["https://www.splunk.com/en_us/blog/security/investigating-gsuite-phishing-attacks-with-splunk.html"], "tags": {"name": "Gdrive suspicious file sharing", "analytic_story": ["Spearphishing Attachments", "Data Exfiltration"], "asset_type": "GDrive", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "tbd", "mitre_attack_id": ["T1566"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "src_ip", "parameters.owner", "parameters.target_user", "parameters.doc_title", "parameters.doc_type"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "datamodel": [], "macros": [{"name": "gsuite_drive", "definition": "sourcetype=gsuite:drive:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gdrive_suspicious_file_sharing_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/gdrive_suspicious_file_sharing.yml", "source": "cloud"}, {"name": "GitHub Actions Disable Security Workflow", "id": "0459f1a5-c0ac-4987-82d6-65081209f854", "version": 1, "date": "2022-04-04", "author": "Patrick Bareiss, Splunk", "type": "Anomaly", "status": "production", "description": "This search detects a disabled security workflow in GitHub Actions. An attacker can disable a security workflow in GitHub actions to hide malicious code in it.", "data_source": [], "search": "`github` workflow_run.event=push OR workflow_run.event=pull_request | stats values(workflow_run.name) as workflow_run.name by workflow_run.head_commit.id workflow_run.event workflow_run.head_branch workflow_run.head_commit.author.email workflow_run.head_commit.author.name workflow_run.head_commit.message workflow_run.head_commit.timestamp workflow_run.head_repository.full_name workflow_run.head_repository.owner.id workflow_run.head_repository.owner.login workflow_run.head_repository.owner.type | rename workflow_run.head_commit.author.name as user, workflow_run.head_commit.author.email as user_email, workflow_run.head_repository.full_name as repository, workflow_run.head_branch as branch | search NOT workflow_run.name=*security-testing* | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_actions_disable_security_workflow_filter`", "how_to_implement": "You must index GitHub logs. You can follow the url in reference to onboard GitHub logs. Sometimes GitHub logs are truncated, make sure to disable it in props.conf. Replace *security-testing* with the name of your security testing workflow in GitHub Actions.", "known_false_positives": "unknown", "references": ["https://www.splunk.com/en_us/blog/tips-and-tricks/getting-github-data-with-webhooks.html"], "tags": {"name": "GitHub Actions Disable Security Workflow", "analytic_story": ["Dev Sec Ops"], "asset_type": "GitHub", "cis20": ["CIS 13"], "confidence": 90, "impact": 30, "kill_chain_phases": ["Delivery"], "message": "Security Workflow is disabled in branch $branch$ for repository $repository$", "mitre_attack_id": ["T1195.002", "T1195"], "nist": ["DE.AE"], "observable": [{"name": "repository", "type": "Unknown", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["workflow_run.event", "workflow_run.name", "workflow_run.head_commit.id", "workflow_run.event workflow_run.head_branch", "workflow_run.head_commit.author.email", "workflow_run.head_commit.author.name", "workflow_run.head_commit.message", "workflow_run.head_commit.timestamp", "workflow_run.head_repository.full_name", "workflow_run.head_repository.owner.id", "workflow_run.head_repository.owner.login", "workflow_run.head_repository.owner.type"], "risk_score": 27, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1195.002", "mitre_attack_technique": "Compromise Software Supply Chain", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT41", "Cobalt Group", "Dragonfly", "GOLD SOUTHFIELD", "Sandworm Team", "Threat Group-3390"]}, {"mitre_attack_id": "T1195", "mitre_attack_technique": "Supply Chain Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.002/github_actions_disable_security_workflow/github_actions_disable_security_workflow.log", "source": "github", "sourcetype": "aws:firehose:json"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "github", "definition": "sourcetype=aws:firehose:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "github_actions_disable_security_workflow_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/github_actions_disable_security_workflow.yml", "source": "cloud"}, {"name": "Github Commit Changes In Master", "id": "c9d2bfe2-019f-11ec-a8eb-acde48001122", "version": 1, "date": "2021-08-20", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This search is to detect a pushed or commit to master or main branch. This is to avoid unwanted modification to master without a review to the changes. Ideally in terms of devsecops the changes made in a branch and do a PR for review. of course in some cases admin of the project may did a changes directly to master branch", "data_source": [], "search": "`github` branches{}.name = main OR branches{}.name = master | stats count min(_time) as firstTime max(_time) as lastTime by commit.commit.author.email commit.author.login commit.commit.message repository.pushed_at commit.commit.committer.date repository.full_name | rename commit.author.login as user, repository.full_name as repository | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_commit_changes_in_master_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to github logs having the fork, commit, push metadata that can be use to monitor the changes in a github project.", "known_false_positives": "admin can do changes directly to master branch", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops"], "tags": {"name": "Github Commit Changes In Master", "analytic_story": ["Dev Sec Ops"], "asset_type": "GitHub", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Delivery"], "message": "suspicious commit by $commit.commit.author.email$ to main branch", "mitre_attack_id": ["T1199"], "nist": ["DE.AE"], "observable": [{"name": "commit.commit.author.email", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1199", "mitre_attack_technique": "Trusted Relationship", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "GOLD SOUTHFIELD", "LAPSUS$", "POLONIUM", "Sandworm Team", "Threat Group-3390", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1199/github_push_master/github_push_master.log", "source": "github", "sourcetype": "aws:firehose:json"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "github", "definition": "sourcetype=aws:firehose:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "github_commit_changes_in_master_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/github_commit_changes_in_master.yml", "source": "cloud"}, {"name": "Github Commit In Develop", "id": "f3030cb6-0b02-11ec-8f22-acde48001122", "version": 1, "date": "2021-09-01", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This search is to detect a pushed or commit to develop branch. This is to avoid unwanted modification to develop without a review to the changes. Ideally in terms of devsecops the changes made in a branch and do a PR for review. of course in some cases admin of the project may did a changes directly to master branch", "data_source": [], "search": "`github` branches{}.name = main OR branches{}.name = develop | stats count min(_time) as firstTime max(_time) as lastTime by commit.author.html_url commit.commit.author.email commit.author.login commit.commit.message repository.pushed_at commit.commit.committer.date | eval phase=\"code\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_commit_in_develop_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to github logs having the fork, commit, push metadata that can be use to monitor the changes in a github project.", "known_false_positives": "admin can do changes directly to develop branch", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops"], "tags": {"name": "Github Commit In Develop", "analytic_story": ["Dev Sec Ops"], "asset_type": "GitHub", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Delivery"], "message": "suspicious commit by $commit.commit.author.email$ to develop branch", "mitre_attack_id": ["T1199"], "nist": ["DE.AE"], "observable": [{"name": "commit.commit.author.email", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1199", "mitre_attack_technique": "Trusted Relationship", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "GOLD SOUTHFIELD", "LAPSUS$", "POLONIUM", "Sandworm Team", "Threat Group-3390", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1199/github_push_master/github_push_develop.json", "source": "github", "sourcetype": "aws:firehose:json"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "github", "definition": "sourcetype=aws:firehose:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "github_commit_in_develop_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/github_commit_in_develop.yml", "source": "cloud"}, {"name": "GitHub Dependabot Alert", "id": "05032b04-4469-4034-9df7-05f607d75cba", "version": 1, "date": "2021-09-01", "author": "Patrick Bareiss, Splunk", "type": "Anomaly", "status": "production", "description": "This search looks for Dependabot Alerts in Github logs.", "data_source": [], "search": "`github` alert.id=* action=create | rename repository.full_name as repository, repository.html_url as repository_url sender.login as user | stats min(_time) as firstTime max(_time) as lastTime by action alert.affected_package_name alert.affected_range alert.created_at alert.external_identifier alert.external_reference alert.fixed_in alert.severity repository repository_url user | eval phase=\"code\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_dependabot_alert_filter`", "how_to_implement": "You must index GitHub logs. You can follow the url in reference to onboard GitHub logs.", "known_false_positives": "unknown", "references": ["https://www.splunk.com/en_us/blog/tips-and-tricks/getting-github-data-with-webhooks.html"], "tags": {"name": "GitHub Dependabot Alert", "analytic_story": ["Dev Sec Ops"], "asset_type": "GitHub", "cis20": ["CIS 13"], "confidence": 90, "impact": 30, "kill_chain_phases": ["Delivery"], "message": "Vulnerabilities found in packages used by GitHub repository $repository$", "mitre_attack_id": ["T1195.001", "T1195"], "nist": ["DE.AE"], "observable": [{"name": "repository", "type": "Unknown", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "alert.id", "repository.full_name", "repository.html_url", "action", "alert.affected_package_name", "alert.affected_range", "alert.created_at", "alert.external_identifier", "alert.external_reference", "alert.fixed_in", "alert.severity"], "risk_score": 27, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1195.001", "mitre_attack_technique": "Compromise Software Dependencies and Development Tools", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1195", "mitre_attack_technique": "Supply Chain Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.001/github_security_advisor_alert/github_security_advisor_alert.json", "source": "github", "sourcetype": "aws:firehose:json"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "github", "definition": "sourcetype=aws:firehose:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "github_dependabot_alert_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/github_dependabot_alert.yml", "source": "cloud"}, {"name": "GitHub Pull Request from Unknown User", "id": "9d7b9100-8878-4404-914e-ca5e551a641e", "version": 1, "date": "2021-09-01", "author": "Patrick Bareiss, Splunk", "type": "Anomaly", "status": "production", "description": "This search looks for Pull Request from unknown user.", "data_source": [], "search": "`github` check_suite.pull_requests{}.id=* | stats count by check_suite.head_commit.author.name repository.full_name check_suite.pull_requests{}.head.ref check_suite.head_commit.message | rename check_suite.head_commit.author.name as user repository.full_name as repository check_suite.pull_requests{}.head.ref as ref_head check_suite.head_commit.message as commit_message | search NOT `github_known_users` | eval phase=\"code\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_pull_request_from_unknown_user_filter`", "how_to_implement": "You must index GitHub logs. You can follow the url in reference to onboard GitHub logs.", "known_false_positives": "unknown", "references": ["https://www.splunk.com/en_us/blog/tips-and-tricks/getting-github-data-with-webhooks.html"], "tags": {"name": "GitHub Pull Request from Unknown User", "analytic_story": ["Dev Sec Ops"], "asset_type": "GitHub", "cis20": ["CIS 13"], "confidence": 90, "impact": 30, "kill_chain_phases": ["Delivery"], "message": "Vulnerabilities found in packages used by GitHub repository $repository$", "mitre_attack_id": ["T1195.001", "T1195"], "nist": ["DE.AE"], "observable": [{"name": "repository", "type": "Unknown", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "alert.id", "repository.full_name", "repository.html_url", "action", "alert.affected_package_name", "alert.affected_range", "alert.created_at", "alert.external_identifier", "alert.external_reference", "alert.fixed_in", "alert.severity"], "risk_score": 27, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1195.001", "mitre_attack_technique": "Compromise Software Dependencies and Development Tools", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1195", "mitre_attack_technique": "Supply Chain Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.001/github_pull_request/github_pull_request.json", "source": "github", "sourcetype": "aws:firehose:json"}]}], "datamodel": [], "macros": [{"name": "github_known_users", "definition": "user IN (user_names_here)", "description": "specify the user allowed to create PRs in Github projects."}, {"name": "github", "definition": "sourcetype=aws:firehose:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "github_pull_request_from_unknown_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/github_pull_request_from_unknown_user.yml", "source": "cloud"}, {"name": "Gsuite Drive Share In External Email", "id": "f6ee02d6-fea0-11eb-b2c2-acde48001122", "version": 1, "date": "2021-08-16", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search is to detect suspicious google drive or google docs files shared outside or externally. This behavior might be a good hunting query to monitor exfitration of data made by an attacker or insider to a targetted machine.", "data_source": [], "search": "`gsuite_drive` NOT (email IN(\"\", \"null\")) | rex field=parameters.owner \"[^@]+@(?[^@]+)\" | rex field=email \"[^@]+@(?[^@]+)\" | where src_domain = \"internal_test_email.com\" and not dest_domain = \"internal_test_email.com\" | eval phase=\"plan\" | eval severity=\"low\" | stats values(parameters.doc_title) as doc_title, values(parameters.doc_type) as doc_types, values(email) as dst_email_list, values(parameters.visibility) as visibility, values(parameters.doc_id) as doc_id, count min(_time) as firstTime max(_time) as lastTime by parameters.owner ip_address phase severity | rename parameters.owner as user ip_address as src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_drive_share_in_external_email_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc. In order for the search to work for your environment, please edit the query to use your company specific email domain instead of `internal_test_email.com`.", "known_false_positives": "network admin or normal user may share files to customer and external team.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops"], "tags": {"name": "Gsuite Drive Share In External Email", "analytic_story": ["Dev Sec Ops", "Insider Threat"], "asset_type": "GSuite", "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "message": "suspicious share gdrive from $parameters.owner$ to $email$ namely as $parameters.doc_title$", "mitre_attack_id": ["T1567.002", "T1567"], "nist": ["DE.AE"], "observable": [{"name": "parameters.owner", "type": "User", "role": ["Attacker"]}, {"name": "email", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "parameters.doc_title", "src_domain", "dest_domain", "email", "parameters.visibility", "parameters.owner", "parameters.doc_type"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1567.002", "mitre_attack_technique": "Exfiltration to Cloud Storage", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Chimera", "Confucius", "Earth Lusca", "FIN7", "HAFNIUM", "HEXANE", "Kimsuky", "Leviathan", "LuminousMoth", "POLONIUM", "Threat Group-3390", "Turla", "ZIRCONIUM"]}, {"mitre_attack_id": "T1567", "mitre_attack_technique": "Exfiltration Over Web Service", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT28", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567.002/gsuite_share_drive/gdrive_share_external.log", "source": "http:gsuite", "sourcetype": "gsuite:drive:json"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "gsuite_drive", "definition": "sourcetype=gsuite:drive:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gsuite_drive_share_in_external_email_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/gsuite_drive_share_in_external_email.yml", "source": "cloud"}, {"name": "GSuite Email Suspicious Attachment", "id": "6d663014-fe92-11eb-ab07-acde48001122", "version": 1, "date": "2021-08-16", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This search is to detect a suspicious attachment file extension in Gsuite email that may related to spear phishing attack. This file type is commonly used by malware to lure user to click on it to execute malicious code to compromised targetted machine. But this search can also catch some normal files related to this file type that maybe send by employee or network admin.", "data_source": [], "search": "`gsuite_gmail` \"attachment{}.file_extension_type\" IN (\"pl\", \"py\", \"rb\", \"sh\", \"bat\", \"exe\", \"dll\", \"cpl\", \"com\", \"js\", \"vbs\", \"ps1\", \"reg\",\"swf\", \"cmd\", \"go\") | eval phase=\"plan\" | eval severity=\"medium\" | stats count min(_time) as firstTime max(_time) as lastTime values(attachment{}.file_extension_type) as email_attachments, values(attachment{}.sha256) as attachment_sha256, values(payload_size) as payload_size by destination{}.service num_message_attachments subject destination{}.address source.address phase severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_email_suspicious_attachment_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc.", "known_false_positives": "network admin and normal user may send this file attachment as part of their day to day work. having a good protocol in attaching this file type to an e-mail may reduce the risk of having a spear phishing attack.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops"], "tags": {"name": "GSuite Email Suspicious Attachment", "analytic_story": ["Dev Sec Ops"], "asset_type": "GSuite", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Delivery"], "message": "suspicious email from $source.address$ to $destination{}.address$", "mitre_attack_id": ["T1566.001", "T1566"], "nist": ["DE.AE"], "observable": [{"name": "source.address", "type": "User", "role": ["Attacker"]}, {"name": "destination{}.address", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "attachment{}.file_extension_type", "attachment{}.sha256", "destination{}.service", "num_message_attachments", "payload_size", "subject", "destination{}.address", "source.address"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/gsuite_susp_attachment_ext/gsuite_gmail_file_ext.log", "source": "http:gsuite", "sourcetype": "gsuite:gmail:bigquery"}]}], "datamodel": [], "macros": [{"name": "gsuite_gmail", "definition": "sourcetype=gsuite:gmail:bigquery", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "gsuite_email_suspicious_attachment_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/gsuite_email_suspicious_attachment.yml", "source": "cloud"}, {"name": "Gsuite Email Suspicious Subject With Attachment", "id": "8ef3971e-00f2-11ec-b54f-acde48001122", "version": 1, "date": "2021-08-19", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This search is to detect a gsuite email contains suspicious subject having known file type used in spear phishing. This technique is a common and effective entry vector of attacker to compromise a network by luring the user to click or execute the suspicious attachment send from external email account because of the effective social engineering of subject related to delivery, bank and so on. On the other hand this detection may catch a normal email traffic related to legitimate transaction so better to check the email sender, spelling and etc. avoid click link or opening the attachment if you are not expecting this type of e-mail.", "data_source": [], "search": "`gsuite_gmail` num_message_attachments > 0 subject IN (\"*dhl*\", \"* ups *\", \"*delivery*\", \"*parcel*\", \"*label*\", \"*invoice*\", \"*postal*\", \"* fedex *\", \"* usps *\", \"* express *\", \"*shipment*\", \"*Banking/Tax*\",\"*shipment*\", \"*new order*\") attachment{}.file_extension_type IN (\"doc\", \"docx\", \"xls\", \"xlsx\", \"ppt\", \"pptx\", \"pdf\", \"zip\", \"rar\", \"html\",\"htm\",\"hta\") | rex field=source.from_header_address \"[^@]+@(?[^@]+)\" | rex field=destination{}.address \"[^@]+@(?[^@]+)\" | where not source_domain=\"internal_test_email.com\" and dest_domain=\"internal_test_email.com\" | eval phase=\"plan\" | eval severity=\"medium\" | stats count min(_time) as firstTime max(_time) as lastTime values(attachment{}.file_extension_type) as email_attachments, values(attachment{}.sha256) as attachment_sha256, values(payload_size) as payload_size by destination{}.service num_message_attachments subject destination{}.address source.address phase severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_email_suspicious_subject_with_attachment_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc.", "known_false_positives": "normal user or normal transaction may contain the subject and file type attachment that this detection try to search.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops", "https://www.mandiant.com/resources/top-words-used-in-spear-phishing-attacks"], "tags": {"name": "Gsuite Email Suspicious Subject With Attachment", "analytic_story": ["Dev Sec Ops"], "asset_type": "GSuite", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "suspicious email from $source.address$ to $destination{}.address$", "mitre_attack_id": ["T1566.001", "T1566"], "nist": ["DE.AE"], "observable": [{"name": "source.address", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/gsuite_susp_subj/gsuite_susp_subj_attach.log", "source": "http:gsuite", "sourcetype": "gsuite:gmail:bigquery"}]}], "datamodel": [], "macros": [{"name": "gsuite_gmail", "definition": "sourcetype=gsuite:gmail:bigquery", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "gsuite_email_suspicious_subject_with_attachment_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/gsuite_email_suspicious_subject_with_attachment.yml", "source": "cloud"}, {"name": "Gsuite Email With Known Abuse Web Service Link", "id": "8630aa22-042b-11ec-af39-acde48001122", "version": 1, "date": "2021-08-23", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytics is to detect a gmail containing a link that are known to be abused by malware or attacker like pastebin, telegram and discord to deliver malicious payload. This event can encounter some normal email traffic within organization and external email that normally using this application and services.", "data_source": [], "search": "`gsuite_gmail` \"link_domain{}\" IN (\"*pastebin.com*\", \"*discord*\", \"*telegram*\",\"t.me\") | rex field=source.from_header_address \"[^@]+@(?[^@]+)\" | rex field=destination{}.address \"[^@]+@(?[^@]+)\" | where not source_domain=\"internal_test_email.com\" and dest_domain=\"internal_test_email.com\" | eval phase=\"plan\" | eval severity=\"low\" |stats values(link_domain{}) as link_domains min(_time) as firstTime max(_time) as lastTime count by is_spam source.address source.from_header_address subject destination{}.address phase severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_email_with_known_abuse_web_service_link_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc.", "known_false_positives": "normal email contains this link that are known application within the organization or network can be catched by this detection.", "references": ["https://news.sophos.com/en-us/2021/07/22/malware-increasingly-targets-discord-for-abuse/"], "tags": {"name": "Gsuite Email With Known Abuse Web Service Link", "analytic_story": ["Dev Sec Ops"], "asset_type": "GSuite", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "suspicious email from $source.address$ to $destination{}.address$", "mitre_attack_id": ["T1566.001", "T1566"], "nist": ["DE.AE"], "observable": [{"name": "source.address", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/gsuite_susp_url/gsuite_susp_url.log", "source": "http:gsuite", "sourcetype": "gsuite:gmail:bigquery"}]}], "datamodel": [], "macros": [{"name": "gsuite_gmail", "definition": "sourcetype=gsuite:gmail:bigquery", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "gsuite_email_with_known_abuse_web_service_link_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/gsuite_email_with_known_abuse_web_service_link.yml", "source": "cloud"}, {"name": "Gsuite Outbound Email With Attachment To External Domain", "id": "dc4dc3a8-ff54-11eb-8bf7-acde48001122", "version": 1, "date": "2021-08-17", "author": "Teoderick Contreras, Stanislav Miskovic, Splunk", "type": "Anomaly", "status": "production", "description": "This search is to detect a suspicious outbound e-mail from internal email to external email domain. This can be a good hunting query to monitor insider or outbound email traffic for not common domain e-mail. The idea is to parse the domain of destination email check if there is a minimum outbound traffic < 20 with attachment.", "data_source": [], "search": "`gsuite_gmail` num_message_attachments > 0 | rex field=source.from_header_address \"[^@]+@(?[^@]+)\" | rex field=destination{}.address \"[^@]+@(?[^@]+)\" | where source_domain=\"internal_test_email.com\" and not dest_domain=\"internal_test_email.com\" | eval phase=\"plan\" | eval severity=\"low\" | stats values(subject) as subject, values(source.from_header_address) as src_domain_list, count as numEvents, dc(source.from_header_address) as numSrcAddresses, min(_time) as firstTime max(_time) as lastTime by dest_domain phase severity | where numSrcAddresses < 20 |sort - numSrcAddresses | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_outbound_email_with_attachment_to_external_domain_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc.", "known_false_positives": "network admin and normal user may send this file attachment as part of their day to day work. having a good protocol in attaching this file type to an e-mail may reduce the risk of having a spear phishing attack.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops"], "tags": {"name": "Gsuite Outbound Email With Attachment To External Domain", "analytic_story": ["Dev Sec Ops", "Insider Threat"], "asset_type": "GSuite", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Actions on Objectives"], "message": "suspicious email from $source.address$ to $destination{}.address$", "mitre_attack_id": ["T1048.003", "T1048"], "nist": ["DE.AE"], "observable": [{"name": "source.address", "type": "User", "role": ["Attacker"]}, {"name": "destination{}.address", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/gsuite_outbound_email_to_external/gsuite_external_domain.log", "source": "http:gsuite", "sourcetype": "gsuite:gmail:bigquery"}]}], "datamodel": [], "macros": [{"name": "gsuite_gmail", "definition": "sourcetype=gsuite:gmail:bigquery", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "gsuite_outbound_email_with_attachment_to_external_domain_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/gsuite_outbound_email_with_attachment_to_external_domain.yml", "source": "cloud"}, {"name": "Gsuite suspicious calendar invite", "id": "03cdd68a-34fb-11ec-9bd3-acde48001122", "version": 1, "date": "2021-10-24", "author": "Rod Soto, Teoderick Contreras", "type": "Hunting", "status": "experimental", "description": "This search can help the detection of compromised accounts or internal users sending suspcious calendar invites via GSuite calendar. These invites may contain malicious links or attachments.", "data_source": [], "search": "`gsuite_calendar` |bin span=5m _time |rename parameters.* as * |search target_calendar_id!=null email=\"*yourdomain.com\"| stats count values(target_calendar_id) values(event_title) values(event_guest) by email _time | where count >100| `gsuite_suspicious_calendar_invite_filter`", "how_to_implement": "In order to successfully implement this search, you need to be ingesting logs related to gsuite (gsuite:calendar:json) having the file sharing metadata like file type, source owner, destination target user, description, etc. This search can also be made more specific by selecting specific emails, subdomains timeframe, organizational units, targeted user, etc. In order for the search to work for your environment please update `yourdomain.com` value in the query with the domain relavant for your organization.", "known_false_positives": "This search will also produce normal activity statistics. Fields such as email, ip address, name, parameters.organizer_calendar_id, parameters.target_calendar_id and parameters.event_title may give away phishing intent.For more specific results use email parameter.", "references": ["https://www.techrepublic.com/article/how-to-avoid-the-dreaded-google-calendar-malicious-invite-issue/", "https://gcn.com/cybersecurity/2012/09/the-20-most-common-words-in-phishing-attacks/280956/"], "tags": {"name": "Gsuite suspicious calendar invite", "analytic_story": ["Spearphishing Attachments"], "asset_type": "GSuite", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "tbd", "mitre_attack_id": ["T1566"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "email", "parameters.event_title", "parameters.target_calendar_id", "parameters.event_title"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "datamodel": [], "macros": [{"name": "gsuite_calendar", "definition": "sourcetype=gsuite:calendar:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gsuite_suspicious_calendar_invite_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/gsuite_suspicious_calendar_invite.yml", "source": "cloud"}, {"name": "Gsuite Suspicious Shared File Name", "id": "07eed200-03f5-11ec-98fb-acde48001122", "version": 1, "date": "2021-08-23", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This search is to detect a shared file in google drive with suspicious file name that are commonly used by spear phishing campaign. This technique is very popular to lure the user by running a malicious document or click a malicious link within the shared file that will redirected to malicious website. This detection can also catch some normal email communication between organization and its external customer.", "data_source": [], "search": "`gsuite_drive` parameters.owner_is_team_drive=false \"parameters.doc_title\" IN (\"*dhl*\", \"* ups *\", \"*delivery*\", \"*parcel*\", \"*label*\", \"*invoice*\", \"*postal*\", \"*fedex*\", \"* usps *\", \"* express *\", \"*shipment*\", \"*Banking/Tax*\",\"*shipment*\", \"*new order*\") parameters.doc_type IN (\"document\",\"pdf\", \"msexcel\", \"msword\", \"spreadsheet\", \"presentation\") | rex field=parameters.owner \"[^@]+@(?[^@]+)\" | rex field=parameters.target_user \"[^@]+@(?[^@]+)\" | where not source_domain=\"internal_test_email.com\" and dest_domain=\"internal_test_email.com\" | eval phase=\"plan\" | eval severity=\"low\" | stats count min(_time) as firstTime max(_time) as lastTime by email parameters.owner parameters.target_user parameters.doc_title parameters.doc_type phase severity | rename parameters.target_user AS user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_suspicious_shared_file_name_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc. In order for the search to work for your environment, please edit the query to use your company specific email domain instead of `internal_test_email.com`.", "known_false_positives": "normal user or normal transaction may contain the subject and file type attachment that this detection try to search", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops", "https://www.mandiant.com/resources/top-words-used-in-spear-phishing-attacks"], "tags": {"name": "Gsuite Suspicious Shared File Name", "analytic_story": ["Dev Sec Ops"], "asset_type": "GSuite", "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Delivery"], "message": "suspicious share gdrive from $parameters.owner$ to $email$ namely as $parameters.doc_title$", "mitre_attack_id": ["T1566.001", "T1566"], "nist": ["DE.AE"], "observable": [{"name": "parameters.owner", "type": "User", "role": ["Attacker"]}, {"name": "email", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "parameters.doc_title", "src_domain", "dest_domain", "email", "parameters.visibility", "parameters.owner", "parameters.doc_type"], "risk_score": 21, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/gdrive_susp_file_share/gdrive_susp_attach.log", "source": "http:gsuite", "sourcetype": "gsuite:drive:json"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "gsuite_drive", "definition": "sourcetype=gsuite:drive:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gsuite_suspicious_shared_file_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/gsuite_suspicious_shared_file_name.yml", "source": "cloud"}, {"name": "High Number of Login Failures from a single source", "id": "7f398cfb-918d-41f4-8db8-2e2474e02222", "version": 1, "date": "2020-12-16", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search will detect more than 5 login failures in Office365 Azure Active Directory from a single source IP address. Please adjust the threshold value of 5 as suited for your environment.", "data_source": [], "search": "`o365_management_activity` Operation=UserLoginFailed record_type=AzureActiveDirectoryStsLogon app=AzureActiveDirectory | stats count dc(user) as accounts_locked values(user) as user values(LogonError) as LogonError values(authentication_method) as authentication_method values(signature) as signature values(UserAgent) as UserAgent by src_ip record_type Operation app | search accounts_locked >= 5| `high_number_of_login_failures_from_a_single_source_filter`", "how_to_implement": "", "known_false_positives": "unknown", "references": [], "tags": {"name": "High Number of Login Failures from a single source", "analytic_story": ["Office 365 Detections"], "asset_type": "Office 365", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1110.001", "T1110"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Operation", "record_type", "app", "user", "LogonError", "authentication_method", "signature", "UserAgent", "src_ip", "record_type"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/high_number_of_login_failures_from_a_single_source.json", "source": "o365", "sourcetype": "o365:management:activity"}]}], "datamodel": [], "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "high_number_of_login_failures_from_a_single_source_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/high_number_of_login_failures_from_a_single_source.yml", "source": "cloud"}, {"name": "Kubernetes AWS detect suspicious kubectl calls", "id": "042a3d32-8318-4763-9679-09db2644a8f2", "version": 2, "date": "2022-11-11", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "experimental", "description": "This search provides information on anonymous Kubectl calls with IP, verb namespace and object access context", "data_source": [], "search": "`aws_cloudwatchlogs_eks` userAgent=kubectl* sourceIPs{}!=127.0.0.1 sourceIPs{}!=::1 src_user=system:anonymous | stats count by src_ip src_user verb userAgent requestURI |`kubernetes_aws_detect_suspicious_kubectl_calls_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs.", "known_false_positives": "Kubectl calls are not malicious by nature. However source IP, verb and Object can reveal potential malicious activity, specially anonymous suspicious IPs and sensitive objects such as configmaps or secrets", "references": [], "tags": {"name": "Kubernetes AWS detect suspicious kubectl calls", "analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "Kubernetes", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "userAgent", "sourceIPs{}", "src_user", "src_ip", "verb", "requestURI"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_aws_detect_suspicious_kubectl_calls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/kubernetes_aws_detect_suspicious_kubectl_calls.yml", "source": "cloud"}, {"name": "Kubernetes Nginx Ingress LFI", "id": "0f83244b-425b-4528-83db-7a88c5f66e48", "version": 1, "date": "2021-08-20", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "This search uses the Kubernetes logs from a nginx ingress controller to detect local file inclusion attacks.", "data_source": [], "search": "`kubernetes_container_controller` | rex field=_raw \"^(?\\S+)\\s+-\\s+-\\s+\\[(?[^\\]]*)\\]\\s\\\"(?[^\\\"]*)\\\"\\s(?\\S*)\\s(?\\S*)\\s\\\"(?[^\\\"]*)\\\"\\s\\\"(?[^\\\"]*)\\\"\\s(?\\S*)\\s(?\\S*)\\s\\[(?[^\\]]*)\\]\\s\\[(?[^\\]]*)\\]\\s(?\\S*)\\s(?\\S*)\\s(?\\S*)\\s(?\\S*)\\s(?\\S*)\" | lookup local_file_inclusion_paths local_file_inclusion_paths AS request OUTPUT lfi_path | search lfi_path=yes | rename remote_addr AS src_ip, upstream_status as status, proxy_upstream_name as proxy | rex field=request \"^(?\\S+)\\s(?\\S+)\\s\" | eval phase=\"operate\" | eval severity=\"high\" | stats count min(_time) as firstTime max(_time) as lastTime by src_ip, status, url, http_method, host, http_user_agent, proxy, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kubernetes_nginx_ingress_lfi_filter`", "how_to_implement": "You must ingest Kubernetes logs through Splunk Connect for Kubernetes.", "known_false_positives": "unknown", "references": ["https://github.com/splunk/splunk-connect-for-kubernetes", "https://www.offensive-security.com/metasploit-unleashed/file-inclusion-vulnerabilities/"], "tags": {"name": "Kubernetes Nginx Ingress LFI", "analytic_story": ["Dev Sec Ops"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Local File Inclusion Attack detected on $host$", "mitre_attack_id": ["T1212"], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["raw"], "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1212", "mitre_attack_technique": "Exploitation for Credential Access", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1212/kubernetes_nginx_lfi_attack/kubernetes_nginx_lfi_attack.log", "source": "kubernetes", "sourcetype": "kube:container:controller"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "kubernetes_container_controller", "definition": "sourcetype=kube:container:controller", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_nginx_ingress_lfi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "local_file_inclusion_paths", "description": "A list of interesting files in a local file inclusion attack", "filename": "local_file_inclusion_paths.csv", "default_match": "false", "match_type": "WILDCARD(local_file_inclusion_paths)", "min_matches": 1, "case_sensitive_match": "false"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/kubernetes_nginx_ingress_lfi.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Kubernetes Nginx Ingress RFI", "id": "fc5531ae-62fd-4de6-9c36-b4afdae8ca95", "version": 1, "date": "2021-08-23", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "This search uses the Kubernetes logs from a nginx ingress controller to detect remote file inclusion attacks.", "data_source": [], "search": "`kubernetes_container_controller` | rex field=_raw \"^(?\\S+)\\s+-\\s+-\\s+\\[(?[^\\]]*)\\]\\s\\\"(?[^\\\"]*)\\\"\\s(?\\S*)\\s(?\\S*)\\s\\\"(?[^\\\"]*)\\\"\\s\\\"(?[^\\\"]*)\\\"\\s(?\\S*)\\s(?\\S*)\\s\\[(?[^\\]]*)\\]\\s\\[(?[^\\]]*)\\]\\s(?\\S*)\\s(?\\S*)\\s(?\\S*)\\s(?\\S*)\\s(?\\S*)\" | rex field=request \"^(?\\S+)?\\s(?\\S+)\\s\" | rex field=url \"(?\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\" | search dest_ip=* | rename remote_addr AS src_ip, upstream_status as status, proxy_upstream_name as proxy | eval phase=\"operate\" | eval severity=\"medium\" | stats count min(_time) as firstTime max(_time) as lastTime by src_ip, dest_ip status, url, http_method, host, http_user_agent, proxy, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kubernetes_nginx_ingress_rfi_filter`", "how_to_implement": "You must ingest Kubernetes logs through Splunk Connect for Kubernetes.", "known_false_positives": "unknown", "references": ["https://github.com/splunk/splunk-connect-for-kubernetes", "https://www.invicti.com/blog/web-security/remote-file-inclusion-vulnerability/"], "tags": {"name": "Kubernetes Nginx Ingress RFI", "analytic_story": ["Dev Sec Ops"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Remote File Inclusion Attack detected on $host$", "mitre_attack_id": ["T1212"], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["raw"], "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1212", "mitre_attack_technique": "Exploitation for Credential Access", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1212/kuberntest_nginx_rfi_attack/kubernetes_nginx_rfi_attack.log", "source": "kubernetes", "sourcetype": "kube:container:controller"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "kubernetes_container_controller", "definition": "sourcetype=kube:container:controller", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_nginx_ingress_rfi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/kubernetes_nginx_ingress_rfi.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Kubernetes Scanner Image Pulling", "id": "4890cd6b-0112-4974-a272-c5c153aee551", "version": 1, "date": "2021-08-24", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "This search uses the Kubernetes logs from Splunk Connect from Kubernetes to detect Kubernetes Security Scanner.", "data_source": [], "search": "`kube_objects_events` object.message IN (\"Pulling image *kube-hunter*\", \"Pulling image *kube-bench*\", \"Pulling image *kube-recon*\", \"Pulling image *kube-recon*\") | rename object.* AS * | rename involvedObject.* AS * | rename source.host AS host | eval phase=\"operate\" | eval severity=\"high\" | stats min(_time) as firstTime max(_time) as lastTime count by host, name, namespace, kind, reason, message, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kubernetes_scanner_image_pulling_filter`", "how_to_implement": "You must ingest Kubernetes logs through Splunk Connect for Kubernetes.", "known_false_positives": "unknown", "references": ["https://github.com/splunk/splunk-connect-for-kubernetes"], "tags": {"name": "Kubernetes Scanner Image Pulling", "analytic_story": ["Dev Sec Ops"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "Kubernetes Scanner image pulled on host $host$", "mitre_attack_id": ["T1526"], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["object.message", "source.host", "object.involvedObject.name", "object.involvedObject.namespace", "object.involvedObject.kind", "object.message", "object.reason"], "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1526/kubernetes_kube_hunter/kubernetes_kube_hunter.json", "source": "kubernetes", "sourcetype": "kube:objects:events"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "kube_objects_events", "definition": "sourcetype=kube:objects:events", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_scanner_image_pulling_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/kubernetes_scanner_image_pulling.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "O365 Add App Role Assignment Grant User", "id": "b2c81cc6-6040-11eb-ae93-0242ac130002", "version": 1, "date": "2021-01-26", "author": "Rod Soto, Splunk", "type": "TTP", "status": "production", "description": "This search detects the creation of a new Federation setting by alerting about an specific event related to its creation.", "data_source": [], "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Add app role assignment grant to user.\" | stats count min(_time) as firstTime max(_time) as lastTime values(Actor{}.ID) as Actor.ID values(Actor{}.Type) as Actor.Type by ActorIpAddress dest ResultStatus | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `o365_add_app_role_assignment_grant_user_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "The creation of a new Federation is not necessarily malicious, however this events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a different cloud provider.", "references": ["https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a"], "tags": {"name": "O365 Add App Role Assignment Grant User", "analytic_story": ["Office 365 Detections", "Cloud Federated Credential Abuse"], "asset_type": "Office 365", "cis20": ["CIS 10"], "confidence": 60, "impact": 30, "kill_chain_phases": ["Installation"], "message": "User $Actor.ID$ has created a new federation setting on $dest$ from IP Address $ActorIpAddress$", "mitre_attack_id": ["T1136.003", "T1136"], "nist": ["DE.CM"], "observable": [{"name": "ActorIpAddress", "type": "IP Address", "role": ["Attacker"]}, {"name": "Actor.ID", "type": "User", "role": ["Attacker"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Workload", "Operation", "Actor{}.ID", "Actor{}.Type", "ActorIpAddress", "dest", "ResultStatus"], "risk_score": 18, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_new_federation/o365_new_federation.json", "source": "o365", "sourcetype": "o365:management:activity"}]}], "datamodel": [], "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_add_app_role_assignment_grant_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/o365_add_app_role_assignment_grant_user.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "O365 Added Service Principal", "id": "1668812a-6047-11eb-ae93-0242ac130002", "version": 1, "date": "2022-02-03", "author": "Rod Soto, Splunk", "type": "TTP", "status": "production", "description": "This search detects the creation of a new Federation setting by alerting about an specific event related to its creation.", "data_source": [], "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Add service principal credentials.\" | stats min(_time) as firstTime max(_time) as lastTime values(Actor{}.ID) as Actor.ID values(ModifiedProperties{}.Name) as ModifiedProperties.Name values(ModifiedProperties{}.NewValue) as ModifiedProperties.NewValue values(Target{}.ID) as Target.ID by ActorIpAddress Operation | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `o365_added_service_principal_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "The creation of a new Federation is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a different cloud provider.", "references": ["https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://blog.sygnia.co/detection-and-hunting-of-golden-saml-attack?hsLang=en"], "tags": {"name": "O365 Added Service Principal", "analytic_story": ["Office 365 Detections", "Cloud Federated Credential Abuse"], "asset_type": "Office 365", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Installation"], "message": "User $Actor.ID$ created a new federation setting on $Target.ID$ and added service principal credentials from IP Address $ActorIpAddress$", "mitre_attack_id": ["T1136.003", "T1136"], "nist": ["DE.CM"], "observable": [{"name": "ActorIpAddress", "type": "IP Address", "role": ["Attacker"]}, {"name": "Target.ID", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Workload", "signature", "Actor{}.ID", "ModifiedProperties{}.Name", "ModifiedProperties{}.NewValue", "Target{}.ID", "ActorIpAddress"], "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_add_service_principal/o365_add_service_principal.json", "source": "o365", "sourcetype": "o365:management:activity"}]}], "datamodel": [], "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_added_service_principal_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/o365_added_service_principal.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "O365 Bypass MFA via Trusted IP", "id": "c783dd98-c703-4252-9e8a-f19d9f66949e", "version": 2, "date": "2022-02-03", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "This search detects newly added IP addresses/CIDR blocks to the list of MFA Trusted IPs to bypass multi factor authentication. Attackers are often known to use this technique so that they can bypass the MFA system.", "data_source": [], "search": "`o365_management_activity` Operation=\"Set Company Information.\" ModifiedProperties{}.Name=StrongAuthenticationPolicy | rex max_match=100 field=ModifiedProperties{}.NewValue \"(?\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\/\\d{1,2})\" | rex max_match=100 field=ModifiedProperties{}.OldValue \"(?\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\/\\d{1,2})\" | eval ip_addresses_old=if(isnotnull(ip_addresses_old),ip_addresses_old,\"0\") | mvexpand ip_addresses_new_added | where isnull(mvfind(ip_addresses_old,ip_addresses_new_added)) |stats count min(_time) as firstTime max(_time) as lastTime values(ip_addresses_old) as ip_addresses_old by user ip_addresses_new_added Operation Workload vendor_account status user_id action | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `o365_bypass_mfa_via_trusted_ip_filter`", "how_to_implement": "You must install Splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "Unless it is a special case, it is uncommon to continually update Trusted IPs to MFA configuration.", "references": ["https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf", "https://attack.mitre.org/techniques/T1562/007/"], "tags": {"name": "O365 Bypass MFA via Trusted IP", "analytic_story": ["Office 365 Detections"], "asset_type": "Office 365", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "User $user_id$ has added new IP addresses $ip_addresses_new_added$ to a list of trusted IPs to bypass MFA", "mitre_attack_id": ["T1562.007", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "ip_addresses_new_added", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_id", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "signature", "ModifiedProperties{}.Name", "ModifiedProperties{}.NewValue", "ModifiedProperties{}.OldValue", "user", "vendor_account", "status", "user_id", "action"], "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.007/o365_bypass_mfa_via_trusted_ip/o365_bypass_mfa_via_trusted_ip.json", "source": "o365", "sourcetype": "o365:management:activity"}]}], "datamodel": ["Authentication"], "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_bypass_mfa_via_trusted_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/o365_bypass_mfa_via_trusted_ip.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "O365 Disable MFA", "id": "c783dd98-c703-4252-9e8a-f19d9f5c949e", "version": 1, "date": "2022-02-03", "author": "Rod Soto, Splunk", "type": "TTP", "status": "production", "description": "This search detects when multi factor authentication has been disabled, what entitiy performed the action and against what user", "data_source": [], "search": "`o365_management_activity` Operation=\"Disable Strong Authentication.\" | stats count earliest(_time) as firstTime latest(_time) as lastTime by UserType Operation UserId ResultStatus object | rename UserType AS user_type, Operation AS action, UserId AS src_user, object AS user, ResultStatus AS result | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_disable_mfa_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "Unless it is a special case, it is uncommon to disable MFA or Strong Authentication", "references": ["https://attack.mitre.org/techniques/T1556/"], "tags": {"name": "O365 Disable MFA", "analytic_story": ["Office 365 Detections"], "asset_type": "Office 365", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "message": "User $user$ has executed an operation $Operation$ for this destination $dest$", "mitre_attack_id": ["T1556"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Operation", "UserType", "user", "status", "signature", "dest", "ResultStatus"], "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/o365_disable_mfa/o365_disable_mfa.json", "source": "o365", "sourcetype": "o365:management:activity"}]}], "datamodel": ["Authentication"], "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_disable_mfa_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/o365_disable_mfa.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "O365 Excessive Authentication Failures Alert", "id": "d441364c-349c-453b-b55f-12eccab67cf9", "version": 2, "date": "2022-02-18", "author": "Rod Soto, Splunk", "type": "Anomaly", "status": "production", "description": "This search detects when an excessive number of authentication failures occur this search also includes attempts against MFA prompt codes", "data_source": [], "search": "`o365_management_activity` Workload=AzureActiveDirectory UserAuthenticationMethod=* status=failure | stats count earliest(_time) AS firstTime latest(_time) AS lastTime values(UserAuthenticationMethod) AS UserAuthenticationMethod values(UserAgent) AS UserAgent values(status) AS status values(src_ip) AS src_ip by user | where count > 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_excessive_authentication_failures_alert_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "The threshold for alert is above 10 attempts and this should reduce the number of false positives.", "references": ["https://attack.mitre.org/techniques/T1110/"], "tags": {"name": "O365 Excessive Authentication Failures Alert", "analytic_story": ["Office 365 Detections"], "asset_type": "Office 365", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "User $user$ has caused excessive number of authentication failures from $src_ip$ using UserAgent $UserAgent$.", "mitre_attack_id": ["T1110"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Workload", "UserAuthenticationMethod", "status", "UserAgent", "src_ip", "user"], "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110/o365_brute_force_login/o365_brute_force_login.json", "source": "o365", "sourcetype": "o365:management:activity"}]}], "datamodel": ["Authentication"], "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_excessive_authentication_failures_alert_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/o365_excessive_authentication_failures_alert.yml", "source": "cloud"}, {"name": "O365 Excessive SSO logon errors", "id": "8158ccc4-6038-11eb-ae93-0242ac130002", "version": 1, "date": "2021-01-26", "author": "Rod Soto, Splunk", "type": "Anomaly", "status": "production", "description": "This search detects accounts with high number of Single Sign ON (SSO) logon errors. Excessive logon errors may indicate attempts to bruteforce of password or single sign on token hijack or reuse.", "data_source": [], "search": "`o365_management_activity` Workload=AzureActiveDirectory LogonError=SsoArtifactInvalidOrExpired | stats count min(_time) as firstTime max(_time) as lastTime by LogonError ActorIpAddress UserAgent UserId | where count > 5 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `o365_excessive_sso_logon_errors_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "Logon errors may not be malicious in nature however it may indicate attempts to reuse a token or password obtained via credential access attack.", "references": ["https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/"], "tags": {"name": "O365 Excessive SSO logon errors", "analytic_story": ["Office 365 Detections", "Cloud Federated Credential Abuse"], "asset_type": "Office 365", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "message": "User $UserId$ has caused excessive number of SSO logon errors from $ActorIpAddress$ using UserAgent $UserAgent$.", "mitre_attack_id": ["T1556"], "nist": ["DE.AE"], "observable": [{"name": "ActorIpAddress", "type": "IP Address", "role": ["Attacker"]}, {"name": "UserId", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Workload", "LogonError", "ActorIpAddress", "UserAgent", "UserId"], "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/o365_sso_logon_errors/o365_sso_logon_errors.json", "source": "o365", "sourcetype": "o365:management:activity"}]}], "datamodel": [], "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_excessive_sso_logon_errors_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/o365_excessive_sso_logon_errors.yml", "source": "cloud"}, {"name": "O365 New Federated Domain Added", "id": "e155876a-6048-11eb-ae93-0242ac130002", "version": 1, "date": "2021-01-26", "author": "Rod Soto, Splunk", "type": "TTP", "status": "production", "description": "This search detects the addition of a new Federated domain.", "data_source": [], "search": "`o365_management_activity` Workload=Exchange Operation=\"Add-FederatedDomain\" | stats count min(_time) as firstTime max(_time) as lastTime values(Parameters{}.Value) as Parameters.Value by ObjectId Operation OrganizationName OriginatingServer UserId UserKey | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_federated_domain_added_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity.", "known_false_positives": "The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider.", "references": ["https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://blog.sygnia.co/detection-and-hunting-of-golden-saml-attack?hsLang=en", "https://o365blog.com/post/aadbackdoor/"], "tags": {"name": "O365 New Federated Domain Added", "analytic_story": ["Office 365 Detections", "Cloud Federated Credential Abuse"], "asset_type": "Office 365", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation"], "message": "User $UserId$ has added a new federated domaain $Parameters.Value$ for $OrganizationName$", "mitre_attack_id": ["T1136.003", "T1136"], "nist": ["DE.CM"], "observable": [{"name": "OrganizationName", "type": "Other", "role": ["Victim"]}, {"name": "UserId", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Workload", "Operation", "Parameters{}.Value", "ObjectId", "OrganizationName", "OriginatingServer", "UserId", "UserKey"], "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_new_federated_domain/o365_new_federated_domain.json", "source": "exchange", "sourcetype": "o365:management:activity", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_new_federated_domain_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/o365_new_federated_domain_added.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "O365 PST export alert", "id": "5f694cc4-a678-4a60-9410-bffca1b647dc", "version": 1, "date": "2020-12-16", "author": "Rod Soto, Splunk", "type": "TTP", "status": "production", "description": "This search detects when a user has performed an Ediscovery search or exported a PST file from the search. This PST file usually has sensitive information including email body content", "data_source": [], "search": "`o365_management_activity` Category=ThreatManagement Name=\"eDiscovery search started or exported\" | stats count earliest(_time) as firstTime latest(_time) as lastTime by Source Severity AlertEntityId Operation Name |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_pst_export_alert_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "PST export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored.", "references": ["https://attack.mitre.org/techniques/T1114/"], "tags": {"name": "O365 PST export alert", "analytic_story": ["Office 365 Detections", "Data Exfiltration"], "asset_type": "Office 365", "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "User $Source$ has exported a PST file from the search using this operation- $Operation$ with a severity of $Severity$", "mitre_attack_id": ["T1114"], "nist": ["DE.CM"], "observable": [{"name": "Source", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Category", "Name", "Source", "Severity", "AlertEntityId", "Operation"], "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_export_pst_file/o365_export_pst_file.json", "source": "o365", "sourcetype": "o365:management:activity"}]}], "datamodel": [], "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_pst_export_alert_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/o365_pst_export_alert.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "O365 Suspicious Admin Email Forwarding", "id": "7f398cfb-918d-41f4-8db8-2e2474e02c28", "version": 1, "date": "2020-12-16", "author": "Patrick Bareiss, Splunk", "type": "Anomaly", "status": "production", "description": "This search detects when an admin configured a forwarding rule for multiple mailboxes to the same destination.", "data_source": [], "search": "`o365_management_activity` Operation=Set-Mailbox | spath input=Parameters | rename Identity AS src_user | search ForwardingAddress=* | stats dc(src_user) AS count_src_user earliest(_time) as firstTime latest(_time) as lastTime values(src_user) AS src_user values(user) AS user by ForwardingAddress | where count_src_user > 1 |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`o365_suspicious_admin_email_forwarding_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "unknown", "references": [], "tags": {"name": "O365 Suspicious Admin Email Forwarding", "analytic_story": ["Office 365 Detections", "Data Exfiltration"], "asset_type": "Office 365", "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "User $user$ has configured a forwarding rule for multiple mailboxes to the same destination $ForwardingAddress$", "mitre_attack_id": ["T1114.003", "T1114"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Operation", "Parameters"], "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114.003", "mitre_attack_technique": "Email Forwarding Rule", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Kimsuky", "LAPSUS$", "Silent Librarian"]}, {"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.003/o365_email_forwarding_rule/o365_email_forwarding_rule.json", "source": "o365", "sourcetype": "o365:management:activity"}]}], "datamodel": [], "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_suspicious_admin_email_forwarding_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/o365_suspicious_admin_email_forwarding.yml", "source": "cloud"}, {"name": "O365 Suspicious Rights Delegation", "id": "b25d2973-303e-47c8-bacd-52b61604c6a7", "version": 1, "date": "2020-12-15", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "This search detects the assignment of rights to accesss content from another mailbox. This is usually only assigned to a service account.", "data_source": [], "search": "`o365_management_activity` Operation=Add-MailboxPermission | spath input=Parameters | rename User AS src_user, Identity AS dest_user | search AccessRights=FullAccess OR AccessRights=SendAs OR AccessRights=SendOnBehalf | stats count earliest(_time) as firstTime latest(_time) as lastTime by user src_user dest_user Operation AccessRights |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`o365_suspicious_rights_delegation_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "Service Accounts", "references": [], "tags": {"name": "O365 Suspicious Rights Delegation", "analytic_story": ["Office 365 Detections"], "asset_type": "Office 365", "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "User $user$ has delegated suspicious rights $AccessRights$ to user $dest_user$ that allow access to sensitive", "mitre_attack_id": ["T1114.002", "T1114"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Operation", "Parameters"], "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}, {"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/suspicious_rights_delegation/suspicious_rights_delegation.json", "source": "o365", "sourcetype": "o365:management:activity"}]}], "datamodel": [], "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_suspicious_rights_delegation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/o365_suspicious_rights_delegation.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "O365 Suspicious User Email Forwarding", "id": "f8dfe015-dbb3-4569-ba75-b13787e06aa4", "version": 1, "date": "2020-12-16", "author": "Patrick Bareiss, Splunk", "type": "Anomaly", "status": "production", "description": "This search detects when multiple user configured a forwarding rule to the same destination.", "data_source": [], "search": "`o365_management_activity` Operation=Set-Mailbox | spath input=Parameters | rename Identity AS src_user | search ForwardingSmtpAddress=* | stats dc(src_user) AS count_src_user earliest(_time) as firstTime latest(_time) as lastTime values(src_user) AS src_user values(user) AS user by ForwardingSmtpAddress | where count_src_user > 1 |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`o365_suspicious_user_email_forwarding_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "unknown", "references": [], "tags": {"name": "O365 Suspicious User Email Forwarding", "analytic_story": ["Office 365 Detections", "Data Exfiltration"], "asset_type": "Office 365", "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "User $user$ configured multiple users $src_user$ with a count of $count_src_user$, a forwarding rule to same destination $ForwardingSmtpAddress$", "mitre_attack_id": ["T1114.003", "T1114"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "ForwardingSmtpAddress", "type": "Email Address", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Operation", "Parameters"], "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114.003", "mitre_attack_technique": "Email Forwarding Rule", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Kimsuky", "LAPSUS$", "Silent Librarian"]}, {"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.003/o365_email_forwarding_rule/o365_email_forwarding_rule.json", "source": "o365", "sourcetype": "o365:management:activity"}]}], "datamodel": [], "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_suspicious_user_email_forwarding_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/o365_suspicious_user_email_forwarding.yml", "source": "cloud"}, {"name": "Abnormally High AWS Instances Launched by User", "id": "2a9b80d3-6340-4345-b5ad-290bf5d0dac4", "version": 2, "date": "2020-07-21", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "deprecated", "description": "This search looks for AWS CloudTrail events where a user successfully launches an abnormally high number of instances. This search is deprecated and have been translated to use the latest Change Datamodel", "data_source": [], "search": "`cloudtrail` eventName=RunInstances errorCode=success | bucket span=10m _time | stats count AS instances_launched by _time userName | eventstats avg(instances_launched) as total_launched_avg, stdev(instances_launched) as total_launched_stdev | eval threshold_value = 4 | eval isOutlier=if(instances_launched > total_launched_avg+(total_launched_stdev * threshold_value), 1, 0) | search isOutlier=1 AND _time >= relative_time(now(), \"-10m@m\") | eval num_standard_deviations_away = round(abs(instances_launched - total_launched_avg) / total_launched_stdev, 2) | table _time, userName, instances_launched, num_standard_deviations_away, total_launched_avg, total_launched_stdev | `abnormally_high_aws_instances_launched_by_user_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. The threshold value should be tuned to your environment.", "known_false_positives": "Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.", "references": [], "tags": {"name": "Abnormally High AWS Instances Launched by User", "analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078.004"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "errorCode", "userName"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}]}, "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "abnormally_high_aws_instances_launched_by_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/abnormally_high_aws_instances_launched_by_user.yml", "source": "deprecated", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "Abnormally High AWS Instances Launched by User - MLTK", "id": "dec41ad5-d579-42cb-b4c6-f5dbb778bbe5", "version": 2, "date": "2020-07-21", "author": "Jason Brewer, Splunk", "type": "Anomaly", "status": "deprecated", "description": "This search looks for AWS CloudTrail events where a user successfully launches an abnormally high number of instances. This search is deprecated and have been translated to use the latest Change Datamodel.", "data_source": [], "search": "`cloudtrail` eventName=RunInstances errorCode=success `abnormally_high_aws_instances_launched_by_user___mltk_filter` | bucket span=10m _time | stats count as instances_launched by _time src_user | apply ec2_excessive_runinstances_v1 | rename \"IsOutlier(instances_launched)\" as isOutlier | where isOutlier=1", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. The threshold value should be tuned to your environment.", "known_false_positives": "Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.", "references": [], "tags": {"name": "Abnormally High AWS Instances Launched by User - MLTK", "analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078.004"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "errorCode", "src_user"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}]}, "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "abnormally_high_aws_instances_launched_by_user___mltk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/abnormally_high_aws_instances_launched_by_user___mltk.yml", "source": "deprecated", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "Abnormally High AWS Instances Terminated by User", "id": "8d301246-fccf-45e2-a8e7-3655fd14379c", "version": 2, "date": "2020-07-21", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "deprecated", "description": "This search looks for AWS CloudTrail events where an abnormally high number of instances were successfully terminated by a user in a 10-minute window. This search is deprecated and have been translated to use the latest Change Datamodel.", "data_source": [], "search": "`cloudtrail` eventName=TerminateInstances errorCode=success | bucket span=10m _time | stats count AS instances_terminated by _time userName | eventstats avg(instances_terminated) as total_terminations_avg, stdev(instances_terminated) as total_terminations_stdev | eval threshold_value = 4 | eval isOutlier=if(instances_terminated > total_terminations_avg+(total_terminations_stdev * threshold_value), 1, 0) | search isOutlier=1 AND _time >= relative_time(now(), \"-10m@m\")| eval num_standard_deviations_away = round(abs(instances_terminated - total_terminations_avg) / total_terminations_stdev, 2) |table _time, userName, instances_terminated, num_standard_deviations_away, total_terminations_avg, total_terminations_stdev | `abnormally_high_aws_instances_terminated_by_user_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs.", "known_false_positives": "Many service accounts configured with your AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify whether this search alerted on a human user.", "references": [], "tags": {"name": "Abnormally High AWS Instances Terminated by User", "analytic_story": ["Suspicious AWS EC2 Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078.004"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "errorCode", "userName"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}]}, "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "abnormally_high_aws_instances_terminated_by_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/abnormally_high_aws_instances_terminated_by_user.yml", "source": "deprecated", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "Abnormally High AWS Instances Terminated by User - MLTK", "id": "1c02b86a-cd85-473e-a50b-014a9ac8fe3e", "version": 2, "date": "2020-07-21", "author": "Jason Brewer, Splunk", "type": "Anomaly", "status": "deprecated", "description": "This search looks for AWS CloudTrail events where a user successfully terminates an abnormally high number of instances. This search is deprecated and have been translated to use the latest Change Datamodel.", "data_source": [], "search": "`cloudtrail` eventName=TerminateInstances errorCode=success `abnormally_high_aws_instances_terminated_by_user___mltk_filter` | bucket span=10m _time | stats count as instances_terminated by _time src_user | apply ec2_excessive_terminateinstances_v1 | rename \"IsOutlier(instances_terminated)\" as isOutlier | where isOutlier=1", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. The threshold value should be tuned to your environment.", "known_false_positives": "Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.", "references": [], "tags": {"name": "Abnormally High AWS Instances Terminated by User - MLTK", "analytic_story": ["Suspicious AWS EC2 Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078.004"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "errorCode", "src_user"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}]}, "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "abnormally_high_aws_instances_terminated_by_user___mltk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/abnormally_high_aws_instances_terminated_by_user___mltk.yml", "source": "deprecated", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Cloud Provisioning From Previously Unseen City", "id": "344a1778-0b25-490c-adb1-de8beddf59cd", "version": 1, "date": "2018-03-16", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "deprecated", "description": "This search looks for AWS provisioning activities from previously unseen cities. Provisioning activities are defined broadly as any event that begins with \"Run\" or \"Create.\" This search is deprecated and have been translated to use the latest Change Datamodel. ", "data_source": [], "search": "`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search City=* [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search City=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by City | eval newCity=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newCity=1 | table City] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, City, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_city_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen AWS Provisioning Activity Sources\" support search once to create a history of previously seen locations that have provisioned AWS resources.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\\\n This search will fire any time a new city is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your city, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "references": [], "tags": {"name": "AWS Cloud Provisioning From Previously Unseen City", "analytic_story": ["AWS Suspicious Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1535"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "sourceIPAddress"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_cloud_provisioning_from_previously_unseen_city_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_city.yml", "source": "deprecated", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Cloud Provisioning From Previously Unseen Country", "id": "ceb8d3d8-06cb-49eb-beaf-829526e33ff0", "version": 1, "date": "2018-03-16", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "deprecated", "description": "This search looks for AWS provisioning activities from previously unseen countries. Provisioning activities are defined broadly as any event that begins with \"Run\" or \"Create.\" This search is deprecated and have been translated to use the latest Change Datamodel. ", "data_source": [], "search": "`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Country=* [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Country=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by Country | eval newCountry=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newCountry=1 | table Country] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, Country, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_country_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen AWS Provisioning Activity Sources\" support search once to create a history of previously seen locations that have provisioned AWS resources.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching over plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\\\n This search will fire any time a new country is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "references": [], "tags": {"name": "AWS Cloud Provisioning From Previously Unseen Country", "analytic_story": ["AWS Suspicious Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1535"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "sourceIPAddress"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_cloud_provisioning_from_previously_unseen_country_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_country.yml", "source": "deprecated", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Cloud Provisioning From Previously Unseen IP Address", "id": "42e15012-ac14-4801-94f4-f1acbe64880b", "version": 1, "date": "2018-03-16", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "deprecated", "description": "This search looks for AWS provisioning activities from previously unseen IP addresses. Provisioning activities are defined broadly as any event that begins with \"Run\" or \"Create.\" This search is deprecated and have been translated to use the latest Change Datamodel. ", "data_source": [], "search": "`cloudtrail` (eventName=Run* OR eventName=Create*) [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Country=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress | eval newIP=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newIP=1 | table sourceIPAddress] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_ip_address_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen AWS Provisioning Activity Sources\" support search once to create a history of previously seen locations that have provisioned AWS resources.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\\\n This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "references": [], "tags": {"name": "AWS Cloud Provisioning From Previously Unseen IP Address", "analytic_story": ["AWS Suspicious Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "sourceIPAddress"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_cloud_provisioning_from_previously_unseen_ip_address_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_ip_address.yml", "source": "deprecated", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Cloud Provisioning From Previously Unseen Region", "id": "7971d3df-da82-4648-a6e5-b5637bea5253", "version": 1, "date": "2018-03-16", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "deprecated", "description": "This search looks for AWS provisioning activities from previously unseen regions. Region in this context is similar to a state in the United States. Provisioning activities are defined broadly as any event that begins with \"Run\" or \"Create.\" This search is deprecated and have been translated to use the latest Change Datamodel.", "data_source": [], "search": "`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Region=* [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Region=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by Region | eval newRegion=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newRegion=1 | table Region] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, Region, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_region_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen AWS Provisioning Activity Sources\" support search once to create a history of previously seen locations that have provisioned AWS resources.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\\\n This search will fire any time a new region is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your region, there should be few false positives. If you are located in regions where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "references": [], "tags": {"name": "AWS Cloud Provisioning From Previously Unseen Region", "analytic_story": ["AWS Suspicious Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1535"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "sourceIPAddress"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_cloud_provisioning_from_previously_unseen_region_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_region.yml", "source": "deprecated", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS EKS Kubernetes cluster sensitive object access", "id": "7f227943-2196-4d4d-8d6a-ac8cb308e61c", "version": 1, "date": "2020-06-23", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides information on Kubernetes accounts accessing sensitve objects such as configmaps or secrets", "data_source": [], "search": "`aws_cloudwatchlogs_eks` objectRef.resource=secrets OR configmaps sourceIPs{}!=::1 sourceIPs{}!=127.0.0.1 |table sourceIPs{} user.username user.groups{} objectRef.resource objectRef.namespace objectRef.name annotations.authorization.k8s.io/reason |dedup user.username user.groups{} |`aws_eks_kubernetes_cluster_sensitive_object_access_filter`", "how_to_implement": "You must install Splunk Add-on for Amazon Web Services and Splunk App for AWS. This search works with cloudwatch logs.", "known_false_positives": "Sensitive object access is not necessarily malicious but user and object context can provide guidance for detection.", "references": [], "tags": {"name": "AWS EKS Kubernetes cluster sensitive object access", "analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "AWS EKS Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_eks_kubernetes_cluster_sensitive_object_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/aws_eks_kubernetes_cluster_sensitive_object_access.yml", "source": "deprecated"}, {"name": "Clients Connecting to Multiple DNS Servers", "id": "74ec6f18-604b-4202-a567-86b2066be3ce", "version": 3, "date": "2020-07-21", "author": "David Dorsey, Splunk", "type": "TTP", "status": "deprecated", "description": "This search allows you to identify the endpoints that have connected to more than five DNS servers and made DNS Queries over the time frame of the search.", "data_source": [], "search": "| tstats `security_content_summariesonly` count, values(DNS.dest) AS dest dc(DNS.dest) as dest_count from datamodel=Network_Resolution where DNS.message_type=QUERY by DNS.src | `drop_dm_object_name(\"Network_Resolution\")` |where dest_count > 5 | `clients_connecting_to_multiple_dns_servers_filter` ", "how_to_implement": "This search requires that DNS data is being ingested and populating the `Network_Resolution` data model. This data can come from DNS logs or from solutions that parse network traffic for this data, such as Splunk Stream or Bro.\\\nThis search produces fields (`dest_count`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\\\n1. **Label:** Distinct DNS Connections, **Field:** dest_count\\\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "It's possible that an enterprise has more than five DNS servers that are configured in a round-robin rotation. Please customize the search, as appropriate.", "references": [], "tags": {"name": "Clients Connecting to Multiple DNS Servers", "analytic_story": ["DNS Hijacking", "Suspicious DNS Traffic", "Host Redirection", "Command And Control"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "message": "tbd", "mitre_attack_id": ["T1048.003"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "DNS.dest", "DNS.message_type", "DNS.src"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}]}, "datamodel": ["Network_Resolution"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "clients_connecting_to_multiple_dns_servers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/clients_connecting_to_multiple_dns_servers.yml", "source": "deprecated", "nes_fields": "user,dest"}, {"name": "Cloud Network Access Control List Deleted", "id": "021abc51-1862-41dd-ad43-43c739c0a983", "version": 1, "date": "2020-09-08", "author": "Peter Gael, Splunk", "type": "Anomaly", "status": "deprecated", "description": "Enforcing network-access controls is one of the defensive mechanisms used by cloud administrators to restrict access to a cloud instance. After the attacker has gained control of the console by compromising an admin account, they can delete a network ACL and gain access to the instance from anywhere. This search will query the Change datamodel to detect users deleting network ACLs. Deprecated because it's a duplicate", "data_source": [], "search": "`cloudtrail` eventName=DeleteNetworkAcl|rename userIdentity.arn as arn | stats count min(_time) as firstTime max(_time) as lastTime values(errorMessage) values(errorCode) values(userAgent) values(userIdentity.*) by src userName arn eventName | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `cloud_network_access_control_list_deleted_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You can also provide additional filtering for this search by customizing the `cloud_network_access_control_list_deleted_filter` macro.", "known_false_positives": "It's possible that a user has legitimately deleted a network ACL.", "references": [], "tags": {"name": "Cloud Network Access Control List Deleted", "analytic_story": ["Cloud Network ACL Activity"], "asset_type": "Instance", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "userIdentity.arn", "errorMessage", "errorCode", "userAgent", "src", "userName", "arn"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "cloud_network_access_control_list_deleted_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/cloud_network_access_control_list_deleted.yml", "source": "deprecated", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "Detect Activity Related to Pass the Hash Attacks", "id": "f5939373-8054-40ad-8c64-cec478a22a4b", "version": 6, "date": "2020-10-15", "author": "Bhavin Patel, Patrick Bareiss, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search looks for specific authentication events from the Windows Security Event logs to detect potential attempts at using the Pass-the-Hash technique. This search is DEPRECATED as it is possible for event code 4624 to generate a high level of noise, as legitimate logon events may also trigger this event code. This can be especially true in environments with high levels of user activity, such as those with many concurrent logons or frequent logon attempts.", "data_source": ["Windows Security 4624"], "search": "`wineventlog_security` EventCode=4624 (Logon_Type=3 Logon_Process=NtLmSsp NOT AccountName=\"ANONYMOUS LOGON\") OR (Logon_Type=9 Logon_Process=seclogo) | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by EventCode, Logon_Type, WorkstationName, user, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_activity_related_to_pass_the_hash_attacks_filter`", "how_to_implement": "To successfully implement this search, you must ingest your Windows Security Event logs and leverage the latest TA for Windows.", "known_false_positives": "Legitimate logon activity by authorized NTLM systems may be detected by this search. Please investigate as appropriate.", "references": [], "tags": {"name": "Detect Activity Related to Pass the Hash Attacks", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "The following $EventCode$ occurred on $dest$ by $user$ with Logon Type 3, which may be indicative of the pass the hash technique.", "mitre_attack_id": ["T1550", "T1550.002"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "EventCode", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Logon_Type", "Logon_Process", "WorkstationName", "user", "dest"], "risk_score": 49, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1550.002", "mitre_attack_technique": "Pass the Hash", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT1", "APT28", "APT32", "Chimera", "GALLIUM", "Kimsuky"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.002/atomic_red_team/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_activity_related_to_pass_the_hash_attacks_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/detect_activity_related_to_pass_the_hash_attacks.yml", "source": "deprecated", "providing_technologies": ["Microsoft Windows"]}, {"name": "Detect API activity from users without MFA", "id": "4d46e8bd-4072-48e4-92db-0325889ef894", "version": 1, "date": "2018-05-17", "author": "Bhavin Patel, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search looks for AWS CloudTrail events where a user logged into the AWS account, is making API calls and has not enabled Multi Factor authentication. Multi factor authentication adds a layer of security by forcing the users to type a unique authentication code from an approved authentication device when they access AWS websites or services. AWS Best Practices recommend that you enable MFA for privileged IAM users.", "data_source": [], "search": "`cloudtrail` userIdentity.sessionContext.attributes.mfaAuthenticated=false | search NOT [| inputlookup aws_service_accounts | fields identity | rename identity as user]| stats count min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName by userIdentity.arn userIdentity.type user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_api_activity_from_users_without_mfa_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. Leverage the support search `Create a list of approved AWS service accounts`: run it once every 30 days to create a list of service accounts and validate them.\\\nThis search produces fields (`eventName`,`userIdentity.type`,`userIdentity.arn`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\\\n1. **Label:** AWS Event Name, **Field:** eventName\\\n1. \\\n1. **Label:** AWS User ARN, **Field:** userIdentity.arn\\\n1. \\\n1. **Label:** AWS User Type, **Field:** userIdentity.type\\\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "Many service accounts configured within an AWS infrastructure do not have multi factor authentication enabled. Please ignore the service accounts, if triggered and instead add them to the aws_service_accounts.csv file to fine tune the detection. It is also possible that the search detects users in your environment using Single Sign-On systems, since the MFA is not handled by AWS.", "references": [], "tags": {"name": "Detect API activity from users without MFA", "analytic_story": ["AWS User Monitoring"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "userIdentity.sessionContext.attributes.mfaAuthenticated", "eventName", "userIdentity.arn", "userIdentity.type", "user"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_api_activity_from_users_without_mfa_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "aws_service_accounts", "description": "A lookup file that will contain AWS Service accounts", "filename": "aws_service_accounts.csv"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/detect_api_activity_from_users_without_mfa.yml", "source": "deprecated", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "Detect AWS API Activities From Unapproved Accounts", "id": "ada0f478-84a8-4641-a3f1-d82362d4bd55", "version": 2, "date": "2020-07-21", "author": "Bhavin Patel, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search looks for successful AWS CloudTrail activity by user accounts that are not listed in the identity table or `aws_service_accounts.csv`. It returns event names and count, as well as the first and last time a specific user or service is detected, grouped by users. Deprecated because managing this list can be quite hard.", "data_source": [], "search": "`cloudtrail` errorCode=success | rename userName as identity | search NOT [| inputlookup identity_lookup_expanded | fields identity] | search NOT [| inputlookup aws_service_accounts | fields identity] | rename identity as user | stats count min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName by user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_aws_api_activities_from_unapproved_accounts_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You must also populate the `identity_lookup_expanded` lookup shipped with the Asset and Identity framework to be able to look up users in your identity table in Enterprise Security (ES). Leverage the support search called \"Create a list of approved AWS service accounts\": run it once every 30 days to create and validate a list of service accounts.\\\nThis search produces fields (`eventName`,`firstTime`,`lastTime`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\\\n1. **Label:** AWS Event Name, **Field:** eventName\\\n1. \\\n1. **Label:** First Time, **Field:** firstTime\\\n1. \\\n1. **Label:** Last Time, **Field:** lastTime\\\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "It's likely that you'll find activity detected by users/service accounts that are not listed in the `identity_lookup_expanded` or ` aws_service_accounts.csv` file. If the user is a legitimate service account, update the `aws_service_accounts.csv` table with that entry.", "references": [], "tags": {"name": "Detect AWS API Activities From Unapproved Accounts", "analytic_story": ["AWS User Monitoring"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078.004"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "errorCode", "userName", "eventName", "user"], "risk_score": 25, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_aws_api_activities_from_unapproved_accounts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "aws_service_accounts", "description": "A lookup file that will contain AWS Service accounts", "filename": "aws_service_accounts.csv"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/detect_aws_api_activities_from_unapproved_accounts.yml", "source": "deprecated", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "Detect DNS requests to Phishing Sites leveraging EvilGinx2", "id": "24dd17b1-e2fb-4c31-878c-d4f226595bfa", "version": 2, "date": "2020-07-21", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "deprecated", "description": "This search looks for DNS requests for phishing domains that are leveraging EvilGinx tools to mimic websites.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(DNS.answer) as answer from datamodel=Network_Resolution.DNS by DNS.dest DNS.src DNS.query host | `drop_dm_object_name(DNS)`| rex field=query \".*?(?[^./:]+\\.(\\S{2,3}|\\S{2,3}.\\S{2,3}))$\" | stats count values(query) as query by domain dest src answer| search `evilginx_phishlets_amazon` OR `evilginx_phishlets_facebook` OR `evilginx_phishlets_github` OR `evilginx_phishlets_0365` OR `evilginx_phishlets_outlook` OR `evilginx_phishlets_aws` OR `evilginx_phishlets_google` | search NOT [ inputlookup legit_domains.csv | fields domain]| join domain type=outer [| tstats count `security_content_summariesonly` values(Web.url) as url from datamodel=Web.Web by Web.dest Web.site | rename \"Web.*\" as * | rex field=site \".*?(?[^./:]+\\.(\\S{2,3}|\\S{2,3}.\\S{2,3}))$\" | table dest domain url] | table count src dest query answer domain url | `detect_dns_requests_to_phishing_sites_leveraging_evilginx2_filter`", "how_to_implement": "You need to ingest data from your DNS logs in the Network_Resolution datamodel. Specifically you must ingest the domain that is being queried and the IP of the host originating the request. Ideally, you should also be ingesting the answer to the query and the query type. This approach allows you to also create your own localized passive DNS capability which can aid you in future investigations. You will have to add legitimate domain names to the `legit_domains.csv` file shipped with the app. \\\n **Splunk>Phantom Playbook Integration**\\\nIf Splunk>Phantom is also configured in your environment, a Playbook called `Lets Encrypt Domain Investigate` can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, add the correct hostname to the \"Phantom Instance\" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active. \\\n(Playbook link:`https://my.phantom.us/4.2/playbook/lets-encrypt-domain-investigate/`).\\\n", "known_false_positives": "If a known good domain is not listed in the legit_domains.csv file, then the search could give you false postives. Please update that lookup file to filter out DNS requests to legitimate domains.", "references": [], "tags": {"name": "Detect DNS requests to Phishing Sites leveraging EvilGinx2", "analytic_story": ["Common Phishing Frameworks"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "tbd", "mitre_attack_id": ["T1566.003"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "DNS.answer", "DNS.dest", "DNS.src", "DNS.query", "host"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.003", "mitre_attack_technique": "Spearphishing via Service", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT29", "Ajax Security Team", "CURIUM", "Dark Caracal", "EXOTIC LILY", "FIN6", "Lazarus Group", "Magic Hound", "OilRig", "Windshift"]}]}, "datamodel": ["Network_Resolution", "Web"], "macros": [{"name": "evilginx_phishlets_amazon", "definition": "(query=fls-na* AND query = www* AND query=images*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Amazon"}, {"name": "evilginx_phishlets_outlook", "definition": "(query=outlook* AND query=login* AND query=account*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Outlook"}, {"name": "evilginx_phishlets_github", "definition": "(query=api* AND query = github*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as GitHub"}, {"name": "evilginx_phishlets_facebook", "definition": "(query=www* AND query = m* AND query=static*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as FaceBook"}, {"name": "evilginx_phishlets_aws", "definition": "(query=www* AND query=aws* AND query=console.aws* AND query=signin.aws* AND api-northeast-1.console.aws* AND query=fls-na* AND query=images-na*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as an AWS console"}, {"name": "evilginx_phishlets_0365", "definition": "(query=login* AND query=www*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Office 365"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "evilginx_phishlets_google", "definition": "(query=accounts* AND query=ssl* AND query=www*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Google"}, {"name": "detect_dns_requests_to_phishing_sites_leveraging_evilginx2_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/detect_dns_requests_to_phishing_sites_leveraging_evilginx2.yml", "source": "deprecated", "nes_fields": "user,dest"}, {"name": "Detect Long DNS TXT Record Response", "id": "05437c07-62f5-452e-afdc-04dd44815bb9", "version": 2, "date": "2020-07-21", "author": "Rico Valdez, Splunk", "type": "TTP", "status": "deprecated", "description": "This search is used to detect attempts to use DNS tunneling, by calculating the length of responses to DNS TXT queries. Endpoints using DNS as a method of transmission for data exfiltration, Command And Control, or evasion of security controls can often be detected by noting unusually large volumes of DNS traffic. Deprecated because this detection should focus on DNS queries instead of DNS responses.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.message_type=response AND DNS.record_type=TXT by DNS.src DNS.dest DNS.answer DNS.record_type | `drop_dm_object_name(\"DNS\")` | eval anslen=len(answer) | search anslen>100 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename src as \"Source IP\", dest as \"Destination IP\", answer as \"DNS Answer\" anslen as \"Answer Length\" record_type as \"DNS Record Type\" firstTime as \"First Time\" lastTime as \"Last Time\" count as Count | table \"Source IP\" \"Destination IP\" \"DNS Answer\" \"DNS Record Type\" \"Answer Length\" Count \"First Time\" \"Last Time\" | `detect_long_dns_txt_record_response_filter`", "how_to_implement": "To successfully implement this search you need to ingest data from your DNS logs, or monitor DNS traffic using Stream, Bro or something similar. Specifically, this query requires that the DNS data model is populated with information regarding the DNS record type that is being returned as well as the data in the answer section of the protocol.", "known_false_positives": "It's possible that legitimate TXT record responses can be long enough to trigger this search. You can modify the packet threshold for this search to help mitigate false positives.", "references": [], "tags": {"name": "Detect Long DNS TXT Record Response", "analytic_story": ["Suspicious DNS Traffic", "Command And Control"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "message": "tbd", "mitre_attack_id": ["T1048.003"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "DNS.message_type", "DNS.record_type", "DNS.src", "DNS.dest", "DNS.answer"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}]}, "datamodel": ["Network_Resolution"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_long_dns_txt_record_response_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/detect_long_dns_txt_record_response.yml", "source": "deprecated", "nes_fields": "user,dest"}, {"name": "Detect Mimikatz Using Loaded Images", "id": "29e307ba-40af-4ab2-91b2-3c6b392bbba0", "version": 1, "date": "2019-12-03", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "This search looks for reading loaded Images unique to credential dumping with Mimikatz. Deprecated because mimikatz libraries changed and very noisy sysmon Event Code.", "data_source": ["Sysmon Event ID 7"], "search": "`sysmon` EventCode=7 | stats values(ImageLoaded) as ImageLoaded values(ProcessId) as ProcessId by Computer, Image | search ImageLoaded=*WinSCard.dll ImageLoaded=*cryptdll.dll ImageLoaded=*hid.dll ImageLoaded=*samlib.dll ImageLoaded=*vaultcli.dll | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_mimikatz_using_loaded_images_filter`", "how_to_implement": "This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 7 with powershell.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "Other tools can import the same DLLs. These tools should be part of a whitelist. False positives may be present with any process that authenticates or uses credentials, PowerShell included. Filter based on parent process.", "references": ["https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html"], "tags": {"name": "Detect Mimikatz Using Loaded Images", "analytic_story": ["Credential Dumping", "Detect Zerologon Attack", "Cloud Federated Credential Abuse", "DarkSide Ransomware", "CISA AA22-257A", "CISA AA22-264A", "CISA AA22-320A", "Sandworm Tools"], "asset_type": "Windows", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "A process, $Image$, has loaded $ImageLoaded$ that are typically related to credential dumping on $Computer$. Review for further details.", "mitre_attack_id": ["T1003.001", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "ImageLoaded", "type": "Process", "role": ["Other"]}, {"name": "Image", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ImageLoaded", "ProcessId", "Computer", "Image"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_mimikatz_using_loaded_images_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/detect_mimikatz_using_loaded_images.yml", "source": "deprecated", "nes_fields": "user,dest"}, {"name": "Detect Mimikatz Via PowerShell And EventCode 4703", "id": "98917be2-bfc8-475a-8618-a9bb06575188", "version": 2, "date": "2019-02-27", "author": "Rico Valdez, Splunk", "type": "TTP", "status": "deprecated", "description": "This search looks for PowerShell requesting privileges consistent with credential dumping. Deprecated, looks like things changed from a logging perspective.", "data_source": [], "search": "`wineventlog_security` signature_id=4703 Process_Name=*powershell.exe | rex field=Message \"Enabled Privileges:\\s+(?\\w+)\\s+Disabled Privileges:\" | where privs=\"SeDebugPrivilege\" | stats count min(_time) as firstTime max(_time) as lastTime by dest, Process_Name, privs, Process_ID, Message | rename privs as \"Enabled Privilege\" | rename Process_Name as process | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_mimikatz_via_powershell_and_eventcode_4703_filter`", "how_to_implement": "You must be ingesting Windows Security logs. You must also enable the account change auditing here: http://docs.splunk.com/Documentation/Splunk/7.0.2/Data/MonitorWindowseventlogdata. Additionally, this search requires you to enable your Group Management Audit Logs in your Local Windows Security Policy and to be ingesting those logs. More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/. Finally, please make sure that the local administrator group name is \"Administrators\" to be able to look for the right group membership changes.", "known_false_positives": "The activity may be legitimate. PowerShell is often used by administrators to perform various tasks, and it's possible this event could be generated in those cases. In these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise.", "references": [], "tags": {"name": "Detect Mimikatz Via PowerShell And EventCode 4703", "analytic_story": ["Cloud Federated Credential Abuse"], "asset_type": "Windows", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1003.001"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "signature_id", "Process_Name", "Message", "dest", "Process_ID"], "risk_score": 25, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_mimikatz_via_powershell_and_eventcode_4703_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/detect_mimikatz_via_powershell_and_eventcode_4703.yml", "source": "deprecated", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Detect new API calls from user roles", "id": "22773e84-bac0-4595-b086-20d3f335b4f1", "version": 1, "date": "2018-04-16", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "deprecated", "description": "This search detects new API calls that have either never been seen before or that have not been seen in the previous hour, where the identity type is `AssumedRole`.", "data_source": [], "search": "`cloudtrail` eventType=AwsApiCall errorCode=success userIdentity.type=AssumedRole [search `cloudtrail` eventType=AwsApiCall errorCode=success userIdentity.type=AssumedRole | stats earliest(_time) as earliest latest(_time) as latest by userName eventName | inputlookup append=t previously_seen_api_calls_from_user_roles | stats min(earliest) as earliest, max(latest) as latest by userName eventName | outputlookup previously_seen_api_calls_from_user_roles| eval newApiCallfromUserRole=if(earliest>=relative_time(now(), \"-70m@m\"), 1, 0) | where newApiCallfromUserRole=1 | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | table eventName userName] |rename userName as user| stats values(eventName) earliest(_time) as earliest latest(_time) as latest by user | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | `detect_new_api_calls_from_user_roles_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously seen API call per user roles in AWS CloudTrail\" support search once to create a history of previously seen user roles.", "known_false_positives": "It is possible that there are legitimate user roles making new or infrequently used API calls in your infrastructure, causing the search to trigger.", "references": [], "tags": {"name": "Detect new API calls from user roles", "analytic_story": ["AWS User Monitoring"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078.004"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventType", "errorCode", "userIdentity.type", "userName", "eventName"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_new_api_calls_from_user_roles_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_api_calls_from_user_roles", "description": "A placeholder for a list of IPs that have access S3", "collection": "previously_seen_api_calls_from_user_roles", "fields_list": "_key,earliest,latest,userName,eventName"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/detect_new_api_calls_from_user_roles.yml", "source": "deprecated", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "Detect new user AWS Console Login", "id": "ada0f478-84a8-4641-a3f3-d82362dffd75", "version": 2, "date": "2020-07-21", "author": "Bhavin Patel, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour. Deprecated now this search is updated to use the Authentication datamodel.", "data_source": [], "search": "`cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user | stats earliest(_time) as firstTime latest(_time) as lastTime by user | inputlookup append=t previously_seen_users_console_logins_cloudtrail | stats min(firstTime) as firstTime max(lastTime) as lastTime by user | eval userStatus=if(firstTime >= relative_time(now(), \"-70m@m\"), \"First Time Logging into AWS Console\",\"Previously Seen User\") | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| where userStatus =\"First Time Logging into AWS Console\" | `detect_new_user_aws_console_login_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. Run the \"Previously seen users in AWS CloudTrail\" support search only once to create a baseline of previously seen IAM users within the last 30 days. Run \"Update previously seen users in AWS CloudTrail\" hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines.", "known_false_positives": "When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.", "references": [], "tags": {"name": "Detect new user AWS Console Login", "analytic_story": ["Suspicious AWS Login Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078.004"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "userIdentity.arn"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_new_user_aws_console_login_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/detect_new_user_aws_console_login.yml", "source": "deprecated", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "Detect Spike in AWS API Activity", "id": "ada0f478-84a8-4641-a3f1-d32362d4bd55", "version": 2, "date": "2020-07-21", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "deprecated", "description": "This search will detect users creating spikes of API activity in your AWS environment. It will also update the cache file that factors in the latest data. This search is deprecated and have been translated to use the latest Change Datamodel.", "data_source": [], "search": "`cloudtrail` eventType=AwsApiCall [search `cloudtrail` eventType=AwsApiCall | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup api_call_by_user_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup api_call_by_user_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | stats values(eventName) as eventName, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_aws_api_activity_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike.\\\nThis search produces fields (`eventName`,`numberOfApiCalls`,`uniqueApisCalled`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\\\n1. **Label:** AWS Event Name, **Field:** eventName\\\n1. \\\n1. **Label:** Number of API Calls, **Field:** numberOfApiCalls\\\n1. \\\n1. **Label:** Unique API Calls, **Field:** uniqueApisCalled\\\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "", "references": [], "tags": {"name": "Detect Spike in AWS API Activity", "analytic_story": ["AWS User Monitoring"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078.004"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventType", "userIdentity.arn"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}]}, "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_spike_in_aws_api_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "api_call_by_user_baseline", "description": "A collection that will contain the baseline information for number of AWS API calls per user", "collection": "api_call_by_user_baseline", "fields_list": "arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls"}, {"name": "api_call_by_user_baseline", "description": "A collection that will contain the baseline information for number of AWS API calls per user", "collection": "api_call_by_user_baseline", "fields_list": "arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/detect_spike_in_aws_api_activity.yml", "source": "deprecated", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "Detect Spike in Network ACL Activity", "id": "ada0f478-84a8-4641-a1f1-e32372d4bd53", "version": 1, "date": "2018-05-21", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "deprecated", "description": "This search will detect users creating spikes in API activity related to network access-control lists (ACLs)in your AWS environment. This search is deprecated and have been translated to use the latest Change Datamodel.", "data_source": [], "search": "`cloudtrail` `network_acl_events` [search `cloudtrail` `network_acl_events` | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup network_acl_activity_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup network_acl_activity_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | stats values(eventName) as eventNames, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_network_acl_activity_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the \"Baseline of Network ACL Activity by ARN\" support search once to create a lookup file of previously seen Network ACL Activity. To add or remove API event names related to network ACLs, edit the macro `network_acl_events`.", "known_false_positives": "The false-positive rate may vary based on the values of`dataPointThreshold` and `deviationThreshold`. Please modify this according the your environment.", "references": [], "tags": {"name": "Detect Spike in Network ACL Activity", "analytic_story": ["AWS Network ACL Activity"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1562.007"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "userIdentity.arn"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "network_acl_events", "definition": "(eventName = CreateNetworkAcl OR eventName = CreateNetworkAclEntry OR eventName = DeleteNetworkAcl OR eventName = DeleteNetworkAclEntry OR eventName = ReplaceNetworkAclEntry OR eventName = ReplaceNetworkAclAssociation)", "description": "This is a list of AWS event names that are associated with Network ACLs"}, {"name": "detect_spike_in_network_acl_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "network_acl_activity_baseline", "description": "A lookup file that will contain the baseline information for number of AWS Network ACL Activity", "filename": "network_acl_activity_baseline.csv"}, {"name": "network_acl_activity_baseline", "description": "A lookup file that will contain the baseline information for number of AWS Network ACL Activity", "filename": "network_acl_activity_baseline.csv"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/detect_spike_in_network_acl_activity.yml", "source": "deprecated", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "Detect Spike in Security Group Activity", "id": "ada0f478-84a8-4641-a3f1-e32372d4bd53", "version": 1, "date": "2018-04-18", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "deprecated", "description": "This search will detect users creating spikes in API activity related to security groups in your AWS environment. It will also update the cache file that factors in the latest data. This search is deprecated and have been translated to use the latest Change Datamodel.", "data_source": [], "search": "`cloudtrail` `security_group_api_calls` [search `cloudtrail` `security_group_api_calls` | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup security_group_activity_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup security_group_activity_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | stats values(eventName) as eventNames, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_security_group_activity_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike.This search works best when you run the \"Baseline of Security Group Activity by ARN\" support search once to create a history of previously seen Security Group Activity. To add or remove API event names for security groups, edit the macro `security_group_api_calls`.", "known_false_positives": "Based on the values of`dataPointThreshold` and `deviationThreshold`, the false positive rate may vary. Please modify this according the your environment.", "references": [], "tags": {"name": "Detect Spike in Security Group Activity", "analytic_story": ["AWS User Monitoring"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078.004"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "serIdentity.arn"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}]}, "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_group_api_calls", "definition": "(eventName=AuthorizeSecurityGroupIngress OR eventName=CreateSecurityGroup OR eventName=DeleteSecurityGroup OR eventName=DescribeClusterSecurityGroups OR eventName=DescribeDBSecurityGroups OR eventName=DescribeSecurityGroupReferences OR eventName=DescribeSecurityGroups OR eventName=DescribeStaleSecurityGroups OR eventName=RevokeSecurityGroupIngress OR eventName=UpdateSecurityGroupRuleDescriptionsIngress)", "description": "This macro is a list of AWS event names associated with security groups"}, {"name": "detect_spike_in_security_group_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "security_group_activity_baseline", "description": "A placeholder for the baseline information for AWS security groups", "collection": "security_group_activity_baseline", "fields_list": "_key, arn,latestCount,numDataPoints,avgApiCalls,stdevApiCalls"}, {"name": "security_group_activity_baseline", "description": "A placeholder for the baseline information for AWS security groups", "collection": "security_group_activity_baseline", "fields_list": "_key, arn,latestCount,numDataPoints,avgApiCalls,stdevApiCalls"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/detect_spike_in_security_group_activity.yml", "source": "deprecated", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "Detect USB device insertion", "id": "104658f4-afdc-499f-9719-17a43f9826f5", "version": 1, "date": "2017-11-27", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "deprecated", "description": "The search is used to detect hosts that generate Windows Event ID 4663 for successful attempts to write to or read from a removable storage and Event ID 4656 for failures, which occurs when a USB drive is plugged in. In this scenario we are querying the Change_Analysis data model to look for Windows Event ID 4656 or 4663 where the priority of the affected host is marked as high in the ES Assets and Identity Framework.", "data_source": [], "search": "| tstats `security_content_summariesonly` count earliest(_time) AS earliest latest(_time) AS latest from datamodel=Change_Analysis where (nodename = All_Changes) All_Changes.result=\"Removable Storage device\" (All_Changes.result_id=4663 OR All_Changes.result_id=4656) (All_Changes.src_priority=high) by All_Changes.dest | `drop_dm_object_name(\"All_Changes\")`| `security_content_ctime(earliest)`| `security_content_ctime(latest)` | `detect_usb_device_insertion_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663 and 4656. Ensure that the field from the event logs is being mapped to the result_id field in the Change_Analysis data model. To minimize the alert volume, this search leverages the Assets and Identity framework to filter out events from those assets not marked high priority in the Enterprise Security Assets and Identity Framework.", "known_false_positives": "Legitimate USB activity will also be detected. Please verify and investigate as appropriate.", "references": [], "tags": {"name": "Detect USB device insertion", "analytic_story": ["Data Protection"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.result", "All_Changes.result_id", "All_Changes.src_priority", "All_Changes.dest"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": ["Change", "Change_Analysis"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_usb_device_insertion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/detect_usb_device_insertion.yml", "source": "deprecated", "nes_fields": "user,dest"}, {"name": "Detect web traffic to dynamic domain providers", "id": "134da869-e264-4a8f-8d7e-fcd01c18f301", "version": 2, "date": "2020-07-21", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "deprecated", "description": "This search looks for web connections to dynamic DNS providers.", "data_source": [], "search": "| tstats `security_content_summariesonly` count values(Web.url) as url min(_time) as firstTime from datamodel=Web where Web.status=200 by Web.src Web.dest Web.status | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `dynamic_dns_web_traffic` | `detect_web_traffic_to_dynamic_domain_providers_filter`", "how_to_implement": "This search requires you to be ingesting web-traffic logs. You can obtain these logs from indexing data from a web proxy or by using a network-traffic-analysis tool, such as Bro or Splunk Stream. The web data model must contain the URL being requested, the IP address of the host initiating the request, and the destination IP. This search also leverages a lookup file, `dynamic_dns_providers_default.csv`, which contains a non-exhaustive list of dynamic DNS providers. Consider periodically updating this local lookup file with new domains.\\\nThis search produces fields (`isDynDNS`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\\\n1. **Label:** IsDynamicDNS, **Field:** isDynDNS\\\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details` Deprecated because duplicate.", "known_false_positives": "It is possible that list of dynamic DNS providers is outdated and/or that the URL being requested is legitimate.", "references": [], "tags": {"name": "Detect web traffic to dynamic domain providers", "analytic_story": ["Dynamic DNS"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command And Control"], "message": "tbd", "mitre_attack_id": ["T1071.001"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Web.url", "Web.status", "Web.src", "Web.dest"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1071.001", "mitre_attack_technique": "Web Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Confucius", "Dark Caracal", "FIN4", "FIN8", "Gamaredon Group", "HAFNIUM", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "OilRig", "Orangeworm", "Rancor", "Rocke", "Sandworm Team", "Sidewinder", "SilverTerrier", "Stealth Falcon", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "WIRTE", "Windshift", "Wizard Spider"]}]}, "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "dynamic_dns_web_traffic", "definition": "lookup update=true dynamic_dns_providers_default dynamic_dns_domains as url OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local dynamic_dns_domains as url OUTPUTNEW isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_default, isDynDNS_local)|fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True", "description": "This is a description"}, {"name": "detect_web_traffic_to_dynamic_domain_providers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/detect_web_traffic_to_dynamic_domain_providers.yml", "source": "deprecated", "nes_fields": "user,dest"}, {"name": "Detection of DNS Tunnels", "id": "104658f4-afdc-499f-9719-17a43f9826f4", "version": 2, "date": "2022-02-15", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "deprecated", "description": "This search is used to detect DNS tunneling, by calculating the sum of the length of DNS queries and DNS answers. The search also filters out potential false positives by filtering out queries made to internal systems and the queries originating from internal DNS, Web, and Email servers. Endpoints using DNS as a method of transmission for data exfiltration, Command And Control, or evasion of security controls can often be detected by noting an unusually large volume of DNS traffic. \\\nNOTE:Deprecated because existing detection is doing the same. This detection is replaced with two other variations, if you are using MLTK then you can use this search `ESCU - DNS Query Length Outliers - MLTK - Rule` or use the standard deviation version `ESCU - DNS Query Length With High Standard Deviation - Rule`, as an alternantive.", "data_source": [], "search": "| tstats `security_content_summariesonly` dc(\"DNS.query\") as count from datamodel=Network_Resolution where nodename=DNS \"DNS.message_type\"=\"QUERY\" NOT (`cim_corporate_web_domain_search(\"DNS.query\")`) NOT \"DNS.query\"=\"*.in-addr.arpa\" NOT (\"DNS.src_category\"=\"svc_infra_dns\" OR \"DNS.src_category\"=\"svc_infra_webproxy\" OR \"DNS.src_category\"=\"svc_infra_email*\" ) by \"DNS.src\",\"DNS.query\" | rename \"DNS.src\" as src \"DNS.query\" as message | eval length=len(message) | stats sum(length) as length by src | append [ tstats `security_content_summariesonly` dc(\"DNS.answer\") as count from datamodel=Network_Resolution where nodename=DNS \"DNS.message_type\"=\"QUERY\" NOT (`cim_corporate_web_domain_search(\"DNS.query\")`) NOT \"DNS.query\"=\"*.in-addr.arpa\" NOT (\"DNS.src_category\"=\"svc_infra_dns\" OR \"DNS.src_category\"=\"svc_infra_webproxy\" OR \"DNS.src_category\"=\"svc_infra_email*\" ) by \"DNS.src\",\"DNS.answer\" | rename \"DNS.src\" as src \"DNS.answer\" as message | eval message=if(message==\"unknown\",\"\", message) | eval length=len(message) | stats sum(length) as length by src ] | stats sum(length) as length by src | where length > 10000 | `detection_of_dns_tunnels_filter`", "how_to_implement": "To successfully implement this search, we must ensure that DNS data is being ingested and mapped to the appropriate fields in the Network_Resolution data model. Fields like src_category are automatically provided by the Assets and Identity Framework shipped with Splunk Enterprise Security. You will need to ensure you are using the Assets and Identity Framework and populating the src_category field. You will also need to enable the `cim_corporate_web_domain_search()` macro which will essentially filter out the DNS queries made to the corporate web domains to reduce alert fatigue.", "known_false_positives": "It's possible that normal DNS traffic will exhibit this behavior. If an alert is generated, please investigate and validate as appropriate. The threshold can also be modified to better suit your environment.", "references": [], "tags": {"name": "Detection of DNS Tunnels", "analytic_story": ["Data Protection", "Suspicious DNS Traffic", "Command And Control"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "message": "tbd", "mitre_attack_id": ["T1048.003"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "DNS.query", "DNS.message_type", "DNS.src_category", "DNS.src"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}]}, "datamodel": ["Network_Resolution"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detection_of_dns_tunnels_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/detection_of_dns_tunnels.yml", "source": "deprecated", "nes_fields": "user,dest"}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "id": "1a67f15a-f4ff-4170-84e9-08cf6f75d6f6", "version": 3, "date": "2020-07-21", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "deprecated", "description": "This search will detect DNS requests resolved by unauthorized DNS servers. Legitimate DNS servers should be identified in the Enterprise Security Assets and Identity Framework.", "data_source": [], "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where DNS.dest_category != dns_server AND DNS.src_category != dns_server by DNS.src DNS.dest | `drop_dm_object_name(\"DNS\")` | `dns_query_requests_resolved_by_unauthorized_dns_servers_filter` ", "how_to_implement": "To successfully implement this search you will need to ensure that DNS data is populating the Network_Resolution data model. It also requires that your DNS servers are identified correctly in the Assets and Identity table of Enterprise Security.", "known_false_positives": "Legitimate DNS activity can be detected in this search. Investigate, verify and update the list of authorized DNS servers as appropriate.", "references": [], "tags": {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "analytic_story": ["DNS Hijacking", "Suspicious DNS Traffic", "Host Redirection", "Command And Control"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command And Control"], "message": "tbd", "mitre_attack_id": ["T1071.004"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "DNS.dest_category", "DNS.src_category", "DNS.src", "DNS.dest"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}]}, "datamodel": ["Network_Resolution"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "dns_query_requests_resolved_by_unauthorized_dns_servers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/dns_query_requests_resolved_by_unauthorized_dns_servers.yml", "source": "deprecated", "nes_fields": "user,dest"}, {"name": "DNS record changed", "id": "44d3a43e-dcd5-49f7-8356-5209bb369065", "version": 3, "date": "2020-07-21", "author": "Jose Hernandez, Splunk", "type": "TTP", "status": "deprecated", "description": "The search takes the DNS records and their answers results of the discovered_dns_records lookup and finds if any records have changed by searching DNS response from the Network_Resolution datamodel across the last day.", "data_source": [], "search": "| inputlookup discovered_dns_records | rename answer as discovered_answer | join domain[|tstats `security_content_summariesonly` count values(DNS.record_type) as type, values(DNS.answer) as current_answer values(DNS.src) as src from datamodel=Network_Resolution where DNS.message_type=RESPONSE DNS.answer!=\"unknown\" DNS.answer!=\"\" by DNS.query | rename DNS.query as query | where query!=\"unknown\" | rex field=query \"(?\\w+\\.\\w+?)(?:$|/)\"] | makemv delim=\" \" answer | makemv delim=\" \" type | sort -count | table count,src,domain,type,query,current_answer,discovered_answer | makemv current_answer | mvexpand current_answer | makemv discovered_answer | eval n=mvfind(discovered_answer, current_answer) | where isnull(n) | `dns_record_changed_filter`", "how_to_implement": "To successfully implement this search you will need to ensure that DNS data is populating the `Network_Resolution` data model. It also requires that the `discover_dns_record` lookup table be populated by the included support search \"Discover DNS record\". \\\n **Splunk>Phantom Playbook Integration**\\\nIf Splunk>Phantom is also configured in your environment, a Playbook called \"DNS Hijack Enrichment\" can be configured to run when any results are found by this detection search. The playbook takes in the DNS record changed and uses Geoip, whois, Censys and PassiveTotal to detect if DNS issuers changed. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, add the correct hostname to the \"Phantom Instance\" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active. \\\n(Playbook Link:`https://my.phantom.us/4.2/playbook/dns-hijack-enrichment/`).\\\n", "known_false_positives": "Legitimate DNS changes can be detected in this search. Investigate, verify and update the list of provided current answers for the domains in question as appropriate.", "references": [], "tags": {"name": "DNS record changed", "analytic_story": ["DNS Hijacking"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command And Control"], "message": "tbd", "mitre_attack_id": ["T1071.004"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "DNS.record_type", "DNS.answer", "DNS.src", "DNS.message_type", "DNS.query"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}]}, "datamodel": ["Network_Resolution"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "dns_record_changed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "discovered_dns_records", "description": "A placeholder for a list of discovered DNS records generated by the baseline discover_dns_records", "filename": "discovered_dns_records.csv", "default_match": "false", "min_matches": 1}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/dns_record_changed.yml", "source": "deprecated", "nes_fields": "user,dest"}, {"name": "Dump LSASS via procdump Rename", "id": "21276daa-663d-11eb-ae93-0242ac130002", "version": 1, "date": "2021-02-01", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "deprecated", "description": "Detect a renamed instance of procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage. -mm will produce a mini dump file and -ma will write a dump file with all process memory. Both are highly suspect and should be reviewed. Modify the query as needed.\\\nDuring triage, confirm this is procdump.exe executing. If it is the first time a Sysinternals utility has been ran, it is possible there will be a -accepteula on the command line. Review other endpoint data sources for cross process (injection) into lsass.exe.", "data_source": ["Sysmon Event ID 1"], "search": "`sysmon` OriginalFileName=procdump process_name!=procdump*.exe EventID=1 (CommandLine=*-ma* OR CommandLine=*-mm*) CommandLine=*lsass* | rename Computer as dest | stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name, process_name, OriginalFileName, CommandLine | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_procdump_rename_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "None identified.", "references": ["https://attack.mitre.org/techniques/T1003/001/", "https://docs.microsoft.com/en-us/sysinternals/downloads/procdump", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md#atomic-test-2---dump-lsassexe-memory-using-procdump"], "tags": {"name": "Dump LSASS via procdump Rename", "analytic_story": ["Credential Dumping", "HAFNIUM Group", "CISA AA22-257A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$, attempting to dump lsass.exe.", "mitre_attack_id": ["T1003.001"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "OriginalFileName", "process_name", "EventID", "CommandLine", "Computer", "parent_process_name"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "dump_lsass_via_procdump_rename_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/dump_lsass_via_procdump_rename.yml", "source": "deprecated"}, {"name": "EC2 Instance Modified With Previously Unseen User", "id": "56f91724-cf3f-4666-84e1-e3712fb41e76", "version": 3, "date": "2020-07-21", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "deprecated", "description": "This search looks for EC2 instances being modified by users who have not previously modified them. This search is deprecated and have been translated to use the latest Change Datamodel.", "data_source": [], "search": "`cloudtrail` `ec2_modification_api_calls` [search `cloudtrail` `ec2_modification_api_calls` errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by userIdentity.arn | rename userIdentity.arn as arn | inputlookup append=t previously_seen_ec2_modifications_by_user | stats min(firstTime) as firstTime, max(lastTime) as lastTime by arn | outputlookup previously_seen_ec2_modifications_by_user | eval newUser=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newUser=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=dest responseElements.instancesSet.items{}.instanceId | spath output=user userIdentity.arn | table _time, user, dest | `ec2_instance_modified_with_previously_unseen_user_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen EC2 Launches By User\" support search once to create a history of previously seen ARNs. To add or remove APIs that modify an EC2 instance, edit the macro `ec2_modification_api_calls`.", "known_false_positives": "It's possible that a new user will start to modify EC2 instances when they haven't before for any number of reasons. Verify with the user that is modifying instances that this is the intended behavior.", "references": [], "tags": {"name": "EC2 Instance Modified With Previously Unseen User", "analytic_story": ["Unusual AWS EC2 Modifications"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078.004"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "errorCode", "userIdentity.arn"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}]}, "datamodel": [], "macros": [{"name": "ec2_modification_api_calls", "definition": "(eventName=AssociateAddress OR eventName=AssociateIamInstanceProfile OR eventName=AttachClassicLinkVpc OR eventName=AttachNetworkInterface OR eventName=AttachVolume OR eventName=BundleInstance OR eventName=DetachClassicLinkVpc OR eventName=DetachVolume OR eventName=ModifyInstanceAttribute OR eventName=ModifyInstancePlacement OR eventName=MonitorInstances OR eventName=RebootInstances OR eventName=ResetInstanceAttribute OR eventName=StartInstances OR eventName=StopInstances OR eventName=TerminateInstances OR eventName=UnmonitorInstances)", "description": "This is a list of AWS event names that have to do with modifying Amazon EC2 instances"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "ec2_instance_modified_with_previously_unseen_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_ec2_modifications_by_user", "description": "A place holder for a list of AWS EC2 modifications done by each user", "filename": "previously_seen_ec2_modifications_by_user.csv"}, {"name": "previously_seen_ec2_modifications_by_user", "description": "A place holder for a list of AWS EC2 modifications done by each user", "filename": "previously_seen_ec2_modifications_by_user.csv"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/ec2_instance_modified_with_previously_unseen_user.yml", "source": "deprecated", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "EC2 Instance Started In Previously Unseen Region", "id": "ada0f478-84a8-4641-a3f3-d82362d6fd75", "version": 1, "date": "2018-02-23", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "deprecated", "description": "This search looks for AWS CloudTrail events where an instance is started in a particular region in the last one hour and then compares it to a lookup file of previously seen regions where an instance was started", "data_source": [], "search": "`cloudtrail` earliest=-1h StartInstances | stats earliest(_time) as earliest latest(_time) as latest by awsRegion | inputlookup append=t previously_seen_aws_regions.csv | stats min(earliest) as earliest max(latest) as latest by awsRegion | outputlookup previously_seen_aws_regions.csv | eval regionStatus=if(earliest >= relative_time(now(),\"-1d@d\"), \"Instance Started in a New Region\",\"Previously Seen Region\") | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | where regionStatus=\"Instance Started in a New Region\" | `ec2_instance_started_in_previously_unseen_region_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. Run the \"Previously seen AWS Regions\" support search only once to create of baseline of previously seen regions. This search is deprecated and have been translated to use the latest Change Datamodel.", "known_false_positives": "It's possible that a user has unknowingly started an instance in a new region. Please verify that this activity is legitimate.", "references": [], "tags": {"name": "EC2 Instance Started In Previously Unseen Region", "analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1535"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "awsRegion"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "ec2_instance_started_in_previously_unseen_region_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/ec2_instance_started_in_previously_unseen_region.yml", "source": "deprecated", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "EC2 Instance Started With Previously Unseen AMI", "id": "347ec301-601b-48b9-81aa-9ddf9c829dd3", "version": 1, "date": "2018-03-12", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "deprecated", "description": "This search looks for EC2 instances being created with previously unseen AMIs. This search is deprecated and have been translated to use the latest Change Datamodel.", "data_source": [], "search": "`cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by requestParameters.instancesSet.items{}.imageId | rename requestParameters.instancesSet.items{}.imageId as amiID | inputlookup append=t previously_seen_ec2_amis.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by amiID | outputlookup previously_seen_ec2_amis.csv | eval newAMI=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | where newAMI=1 | rename amiID as requestParameters.instancesSet.items{}.imageId | table requestParameters.instancesSet.items{}.imageId] | rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest, userIdentity.arn as arn, requestParameters.instancesSet.items{}.imageId as amiID | table firstTime, lastTime, arn, amiID, dest, instanceType | `ec2_instance_started_with_previously_unseen_ami_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen EC2 AMIs\" support search once to create a history of previously seen AMIs.", "known_false_positives": "After a new AMI is created, the first systems created with that AMI will cause this alert to fire. Verify that the AMI being used was created by a legitimate user.", "references": [], "tags": {"name": "EC2 Instance Started With Previously Unseen AMI", "analytic_story": ["AWS Cryptomining"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "errorCode", "requestParameters.instancesSet.items{}.imageId"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "ec2_instance_started_with_previously_unseen_ami_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/ec2_instance_started_with_previously_unseen_ami.yml", "source": "deprecated", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "EC2 Instance Started With Previously Unseen Instance Type", "id": "65541c80-03c7-4e05-83c8-1dcd57a2e1ad", "version": 2, "date": "2020-02-07", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "deprecated", "description": "This search looks for EC2 instances being created with previously unseen instance types. This search is deprecated and have been translated to use the latest Change Datamodel.", "data_source": [], "search": "`cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success | fillnull value=\"m1.small\" requestParameters.instanceType | stats earliest(_time) as earliest latest(_time) as latest by requestParameters.instanceType | rename requestParameters.instanceType as instanceType | inputlookup append=t previously_seen_ec2_instance_types.csv | stats min(earliest) as earliest max(latest) as latest by instanceType | outputlookup previously_seen_ec2_instance_types.csv | eval newType=if(earliest >= relative_time(now(), \"-70m@m\"), 1, 0) | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | where newType=1 | rename instanceType as requestParameters.instanceType | table requestParameters.instanceType] | spath output=user userIdentity.arn | rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest | table _time, user, dest, instanceType | `ec2_instance_started_with_previously_unseen_instance_type_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen EC2 Instance Types\" support search once to create a history of previously seen instance types.", "known_false_positives": "It is possible that an admin will create a new system using a new instance type never used before. Verify with the creator that they intended to create the system with the new instance type.", "references": [], "tags": {"name": "EC2 Instance Started With Previously Unseen Instance Type", "analytic_story": ["AWS Cryptomining"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "errorCode", "requestParameters.instanceType"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "ec2_instance_started_with_previously_unseen_instance_type_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/ec2_instance_started_with_previously_unseen_instance_type.yml", "source": "deprecated", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "EC2 Instance Started With Previously Unseen User", "id": "22773e84-bac0-4595-b086-20d3f735b4f1", "version": 2, "date": "2020-07-21", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "deprecated", "description": "This search looks for EC2 instances being created by users who have not created them before. This search is deprecated and have been translated to use the latest Change Datamodel.", "data_source": [], "search": "`cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by userIdentity.arn | rename userIdentity.arn as arn | inputlookup append=t previously_seen_ec2_launches_by_user.csv | stats min(firstTime) as firstTime, max(lastTime) as lastTime by arn | outputlookup previously_seen_ec2_launches_by_user.csv | eval newUser=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newUser=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename arn as userIdentity.arn | table userIdentity.arn] | rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest, userIdentity.arn as user | table _time, user, dest, instanceType | `ec2_instance_started_with_previously_unseen_user_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen EC2 Launches By User\" support search once to create a history of previously seen ARNs.", "known_false_positives": "It's possible that a user will start to create EC2 instances when they haven't before for any number of reasons. Verify with the user that is launching instances that this is the intended behavior.", "references": [], "tags": {"name": "EC2 Instance Started With Previously Unseen User", "analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078.004"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "errorCode", "userIdentity.arn"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "ec2_instance_started_with_previously_unseen_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/ec2_instance_started_with_previously_unseen_user.yml", "source": "deprecated", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "Execution of File With Spaces Before Extension", "id": "ab0353e6-a956-420b-b724-a8b4846d5d5a", "version": 3, "date": "2020-11-19", "author": "Rico Valdez, Splunk", "type": "TTP", "status": "deprecated", "description": "This search looks for processes launched from files with at least five spaces in the name before the extension. This is typically done to obfuscate the file extension by pushing it outside of the default view.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process_path) as process_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"* .*\" by Processes.dest Processes.user Processes.process Processes.process_name | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `execution_of_file_with_spaces_before_extension_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "None identified.", "references": [], "tags": {"name": "Execution of File With Spaces Before Extension", "analytic_story": ["Windows File Extension and Association Abuse", "Masquerading - Rename System Utilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1036.003"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_path", "Processes.process", "Processes.dest", "Processes.user", "Processes.process_name"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "execution_of_file_with_spaces_before_extension_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/execution_of_file_with_spaces_before_extension.yml", "source": "deprecated", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Extended Period Without Successful Netbackup Backups", "id": "a34aae96-ccf8-4aef-952c-3ea214444440", "version": 1, "date": "2017-09-12", "author": "David Dorsey, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search returns a list of hosts that have not successfully completed a backup in over a week. Deprecated because it's a infrastructure monitoring.", "data_source": [], "search": "`netbackup` MESSAGE=\"Disk/Partition backup completed successfully.\" | stats latest(_time) as latestTime by COMPUTERNAME | `security_content_ctime(latestTime)` | rename COMPUTERNAME as dest | eval isOutlier=if(latestTime <= relative_time(now(), \"-7d@d\"), 1, 0) | search isOutlier=1 | table latestTime, dest | `extended_period_without_successful_netbackup_backups_filter`", "how_to_implement": "To successfully implement this search you need to first obtain data from your backup solution, either from the backup logs on your hosts, or from a central server responsible for performing the backups. If you do not use Netbackup, you can modify this search for your backup solution. Depending on how often you backup your systems, you may want to modify how far in the past to look for a successful backup, other than the default of seven days.", "known_false_positives": "None identified", "references": [], "tags": {"name": "Extended Period Without Successful Netbackup Backups", "analytic_story": ["Monitor Backup Solution"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "MESSAGE", "COMPUTERNAME"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "netbackup", "definition": "sourcetype=\"netbackup_logs\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "extended_period_without_successful_netbackup_backups_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/extended_period_without_successful_netbackup_backups.yml", "source": "deprecated"}, {"name": "First time seen command line argument", "id": "a1b6e73f-98d5-470f-99ac-77aacd578473", "version": 5, "date": "2020-07-21", "author": "Bhavin Patel, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search looks for command-line arguments that use a `/c` parameter to execute a command that has not previously been seen.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = cmd.exe Processes.process = \"* /c *\" by Processes.process Processes.process_name Processes.parent_process_name Processes.dest| `drop_dm_object_name(Processes)`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search [| tstats `security_content_summariesonly` earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = cmd.exe Processes.process = \"* /c *\" by Processes.process | `drop_dm_object_name(Processes)` | inputlookup append=t previously_seen_cmd_line_arguments | stats min(firstTime) as firstTime, max(lastTime) as lastTime by process | outputlookup previously_seen_cmd_line_arguments | eval newCmdLineArgument=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newCmdLineArgument=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table process] | `first_time_seen_command_line_argument_filter` ", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must be ingesting logs with both the process name and command line from your endpoints. The complete process name with command-line arguments are mapped to the \"process\" field in the Endpoint data model. Please make sure you run the support search \"Previously seen command line arguments,\"—which creates a lookup file called `previously_seen_cmd_line_arguments.csv`—a historical baseline of all command-line arguments. You must also validate this list. For the search to do accurate calculation, ensure the search scheduling is the same value as the `relative_time` evaluation function.", "known_false_positives": "Legitimate programs can also use command-line arguments to execute. Please verify the command-line arguments to check what command/program is being executed. We recommend customizing the `first_time_seen_cmd_line_filter` macro to exclude legitimate parent_process_name", "references": [], "tags": {"name": "First time seen command line argument", "analytic_story": ["DHS Report TA18-074A", "Suspicious Command-Line Executions", "Orangeworm Attack Group", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Hidden Cobra Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "tbd", "mitre_attack_id": ["T1059.001", "T1059.003"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.parent_process_name", "Processes.dest"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "first_time_seen_command_line_argument_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_cmd_line_arguments", "description": "A placeholder for a list of cmd line arugments that been seen before", "filename": "previously_seen_cmd_line_arguments.csv"}, {"name": "previously_seen_cmd_line_arguments", "description": "A placeholder for a list of cmd line arugments that been seen before", "filename": "previously_seen_cmd_line_arguments.csv"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/first_time_seen_command_line_argument.yml", "source": "deprecated", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "GCP Detect accounts with high risk roles by project", "id": "27af8c15-38b0-4408-b339-920170724adb", "version": 1, "date": "2020-10-09", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides detection of accounts with high risk roles by projects. Compromised accounts with high risk roles can move laterally or even scalate privileges at different projects depending on organization schema.", "data_source": [], "search": "`google_gcp_pubsub_message` data.protoPayload.request.policy.bindings{}.role=roles/owner OR roles/editor OR roles/iam.serviceAccountUser OR roles/iam.serviceAccountAdmin OR roles/iam.serviceAccountTokenCreator OR roles/dataflow.developer OR roles/dataflow.admin OR roles/composer.admin OR roles/dataproc.admin OR roles/dataproc.editor | table data.resource.type data.protoPayload.authenticationInfo.principalEmail data.protoPayload.authorizationInfo{}.permission data.protoPayload.authorizationInfo{}.resource data.protoPayload.response.bindings{}.role data.protoPayload.response.bindings{}.members{} | `gcp_detect_accounts_with_high_risk_roles_by_project_filter`", "how_to_implement": "You must install splunk GCP add-on. This search works with gcp:pubsub:message logs", "known_false_positives": "Accounts with high risk roles should be reduced to the minimum number needed, however specific tasks and setups may be simply expected behavior within organization", "references": ["https://github.com/dxa4481/gcploit", "https://www.youtube.com/watch?v=Ml09R38jpok", "https://cloud.google.com/iam/docs/understanding-roles"], "tags": {"name": "GCP Detect accounts with high risk roles by project", "analytic_story": ["GCP Cross Account Activity"], "asset_type": "GCP Account", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "data.protoPayload.request.policy.bindings{}.role", "data.resource.type data.protoPayload.authenticationInfo.principalEmail", "data.protoPayload.authorizationInfo{}.permission", "data.protoPayload.authorizationInfo{}.resource", "data.protoPayload.response.bindings{}.role", "data.protoPayload.response.bindings{}.members{}"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "datamodel": ["Email"], "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gcp_detect_accounts_with_high_risk_roles_by_project_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/gcp_detect_accounts_with_high_risk_roles_by_project.yml", "source": "deprecated"}, {"name": "GCP Detect high risk permissions by resource and account", "id": "2e70ef35-2187-431f-aedc-4503dc9b06ba", "version": 1, "date": "2020-10-09", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides detection of high risk permissions by resource and accounts. These are permissions that can allow attackers with compromised accounts to move laterally and escalate privileges.", "data_source": [], "search": "`google_gcp_pubsub_message` data.protoPayload.authorizationInfo{}.permission=iam.serviceAccounts.getaccesstoken OR iam.serviceAccounts.setIamPolicy OR iam.serviceAccounts.actas OR dataflow.jobs.create OR composer.environments.create OR dataproc.clusters.create |table data.protoPayload.requestMetadata.callerIp data.protoPayload.authenticationInfo.principalEmail data.protoPayload.authorizationInfo{}.permission data.protoPayload.response.bindings{}.members{} data.resource.labels.project_id | `gcp_detect_high_risk_permissions_by_resource_and_account_filter`", "how_to_implement": "You must install splunk GCP add-on. This search works with gcp:pubsub:message logs", "known_false_positives": "High risk permissions are part of any GCP environment, however it is important to track resource and accounts usage, this search may produce false positives.", "references": ["https://github.com/dxa4481/gcploit", "https://www.youtube.com/watch?v=Ml09R38jpok", "https://cloud.google.com/iam/docs/permissions-reference"], "tags": {"name": "GCP Detect high risk permissions by resource and account", "analytic_story": ["GCP Cross Account Activity"], "asset_type": "GCP Account", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "data.protoPayload.authorizationInfo{}.permission", "data.protoPayload.requestMetadata.callerIp", "data.protoPayload.authenticationInfo.principalEmail", "data.protoPayload.authorizationInfo{}.permission", "data.protoPayload.response.bindings{}.members{}", "data.resource.labels.project_id"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "datamodel": ["Email"], "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gcp_detect_high_risk_permissions_by_resource_and_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/gcp_detect_high_risk_permissions_by_resource_and_account.yml", "source": "deprecated"}, {"name": "gcp detect oauth token abuse", "id": "a7e9f7bb-8901-4ad0-8d88-0a4ab07b1972", "version": 1, "date": "2020-09-01", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides detection of possible GCP Oauth token abuse. GCP Oauth token without time limit can be exfiltrated and reused for keeping access sessions alive without further control of authentication, allowing attackers to access and move laterally.", "data_source": [], "search": "`google_gcp_pubsub_message` type.googleapis.com/google.cloud.audit.AuditLog |table protoPayload.@type protoPayload.status.details{}.@type protoPayload.status.details{}.violations{}.callerIp protoPayload.status.details{}.violations{}.type protoPayload.status.message | `gcp_detect_oauth_token_abuse_filter`", "how_to_implement": "You must install splunk GCP add-on. This search works with gcp:pubsub:message logs", "known_false_positives": "GCP Oauth token abuse detection will only work if there are access policies in place along with audit logs.", "references": ["https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-1", "https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-2"], "tags": {"name": "gcp detect oauth token abuse", "analytic_story": ["GCP Cross Account Activity"], "asset_type": "GCP Account", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "datamodel": [], "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gcp_detect_oauth_token_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/gcp_detect_oauth_token_abuse.yml", "source": "deprecated"}, {"name": "GCP Kubernetes cluster scan detection", "id": "db5957ec-0144-4c56-b512-9dccbe7a2d26", "version": 1, "date": "2020-04-15", "author": "Rod Soto, Splunk", "type": "TTP", "status": "deprecated", "description": "This search provides information of unauthenticated requests via user agent, and authentication data against Kubernetes cluster", "data_source": [], "search": "`google_gcp_pubsub_message` data.protoPayload.requestMetadata.callerIp!=127.0.0.1 data.protoPayload.requestMetadata.callerIp!=::1 \"data.labels.authorization.k8s.io/decision\"=forbid \"data.protoPayload.status.message\"=PERMISSION_DENIED data.protoPayload.authenticationInfo.principalEmail=\"system:anonymous\" | rename data.protoPayload.requestMetadata.callerIp as src_ip | stats count min(_time) as firstTime max(_time) as lastTime values(data.protoPayload.methodName) as method_name values(data.protoPayload.resourceName) as resource_name values(data.protoPayload.requestMetadata.callerSuppliedUserAgent) as http_user_agent by src_ip data.resource.labels.cluster_name | rename data.resource.labels.cluster_name as cluster_name| `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `gcp_kubernetes_cluster_scan_detection_filter` ", "how_to_implement": "You must install the GCP App for Splunk (version 2.0.0 or later), then configure stackdriver and set a Pub/Sub subscription to be imported to Splunk. You must also install Cloud Infrastructure data model.Customize the macro kubernetes_gcp_scan_fingerprint_attack_detection to filter out FPs.", "known_false_positives": "Not all unauthenticated requests are malicious, but frequency, User Agent and source IPs will provide context.", "references": [], "tags": {"name": "GCP Kubernetes cluster scan detection", "analytic_story": ["Kubernetes Scanning Activity"], "asset_type": "GCP Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1526"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "datamodel": ["Email"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gcp_kubernetes_cluster_scan_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/gcp_kubernetes_cluster_scan_detection.yml", "source": "deprecated", "nes_fields": "user,dest"}, {"name": "Identify New User Accounts", "id": "475b9e27-17e4-46e2-b7e2-648221be3b89", "version": 1, "date": "2017-09-12", "author": "Bhavin Patel, Splunk", "type": "Hunting", "status": "deprecated", "description": "This detection search will help profile user accounts in your environment by identifying newly created accounts that have been added to your network in the past week.", "data_source": [], "search": "| from datamodel Identity_Management.All_Identities | eval empStatus=case((now()-startDate)<604800, \"Accounts created in last week\") | search empStatus=\"Accounts created in last week\"| `security_content_ctime(endDate)` | `security_content_ctime(startDate)`| table identity empStatus endDate startDate | `identify_new_user_accounts_filter`", "how_to_implement": "To successfully implement this search, you need to be populating the Enterprise Security Identity_Management data model in the assets and identity framework.", "known_false_positives": "If the Identity_Management data model is not updated regularly, this search could give you false positive alerts. Please consider this and investigate appropriately.", "references": [], "tags": {"name": "Identify New User Accounts", "analytic_story": ["Account Monitoring and Controls"], "asset_type": "Domain Server", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078.002"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "Chimera", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "Wizard Spider"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "identify_new_user_accounts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/identify_new_user_accounts.yml", "source": "deprecated"}, {"name": "Kubernetes AWS detect most active service accounts by pod", "id": "5b30b25d-7d32-42d8-95ca-64dfcd9076e6", "version": 1, "date": "2020-06-23", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides information on Kubernetes service accounts,accessing pods by IP address, verb and decision", "data_source": [], "search": "`aws_cloudwatchlogs_eks` user.groups{}=system:serviceaccounts objectRef.resource=pods | table sourceIPs{} user.username userAgent verb annotations.authorization.k8s.io/decision | top sourceIPs{} user.username verb annotations.authorization.k8s.io/decision |`kubernetes_aws_detect_most_active_service_accounts_by_pod_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs", "known_false_positives": "Not all service accounts interactions are malicious. Analyst must consider IP, verb and decision context when trying to detect maliciousness.", "references": [], "tags": {"name": "Kubernetes AWS detect most active service accounts by pod", "analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "AWS EKS Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_aws_detect_most_active_service_accounts_by_pod_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/kubernetes_aws_detect_most_active_service_accounts_by_pod.yml", "source": "deprecated"}, {"name": "Kubernetes AWS detect RBAC authorization by account", "id": "de7264ed-3ed9-4fef-bb01-6eefc87cefe8", "version": 1, "date": "2020-06-23", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding top to see both extremes of RBAC by accounts occurrences", "data_source": [], "search": "`aws_cloudwatchlogs_eks` annotations.authorization.k8s.io/reason=* | table sourceIPs{} user.username userAgent annotations.authorization.k8s.io/reason | stats count by user.username annotations.authorization.k8s.io/reason | rare user.username annotations.authorization.k8s.io/reason |`kubernetes_aws_detect_rbac_authorization_by_account_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs", "known_false_positives": "Not all RBAC Authorications are malicious. RBAC authorizations can uncover malicious activity specially if sensitive Roles have been granted.", "references": [], "tags": {"name": "Kubernetes AWS detect RBAC authorization by account", "analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "AWS EKS Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_aws_detect_rbac_authorization_by_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/kubernetes_aws_detect_rbac_authorization_by_account.yml", "source": "deprecated"}, {"name": "Kubernetes AWS detect sensitive role access", "id": "b6013a7b-85e0-4a45-b051-10b252d69569", "version": 1, "date": "2020-06-23", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets", "data_source": [], "search": "`aws_cloudwatchlogs_eks` objectRef.resource=clusterroles OR clusterrolebindings sourceIPs{}!=::1 sourceIPs{}!=127.0.0.1 | table sourceIPs{} user.username user.groups{} objectRef.namespace requestURI annotations.authorization.k8s.io/reason | dedup user.username user.groups{} |`kubernetes_aws_detect_sensitive_role_access_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs.", "known_false_positives": "Sensitive role resource access is necessary for cluster operation, however source IP, namespace and user group may indicate possible malicious use. ", "references": [], "tags": {"name": "Kubernetes AWS detect sensitive role access", "analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "AWS EKS Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_aws_detect_sensitive_role_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/kubernetes_aws_detect_sensitive_role_access.yml", "source": "deprecated"}, {"name": "Kubernetes AWS detect service accounts forbidden failure access", "id": "a6959c57-fa8f-4277-bb86-7c32fba579d5", "version": 1, "date": "2020-06-23", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides information on Kubernetes service accounts with failure or forbidden access status, this search can be extended by using top or rare operators to find trends or rarities in failure status, user agents, source IPs and request URI", "data_source": [], "search": "`aws_cloudwatchlogs_eks` user.groups{}=system:serviceaccounts responseStatus.status = Failure | table sourceIPs{} user.username userAgent verb responseStatus.status requestURI | `kubernetes_aws_detect_service_accounts_forbidden_failure_access_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs.", "known_false_positives": "This search can give false positives as there might be inherent issues with authentications and permissions at cluster.", "references": [], "tags": {"name": "Kubernetes AWS detect service accounts forbidden failure access", "analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "AWS EKS Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_aws_detect_service_accounts_forbidden_failure_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/kubernetes_aws_detect_service_accounts_forbidden_failure_access.yml", "source": "deprecated"}, {"name": "Kubernetes Azure active service accounts by pod namespace", "id": "55a2264a-b7f0-45e5-addd-1e5ab3415c72", "version": 1, "date": "2020-05-26", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides information on Kubernetes service accounts,accessing pods and namespaces by IP address and verb", "data_source": [], "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log | search user.groups{}=system:serviceaccounts* OR user.username=system.anonymous OR annotations.authorization.k8s.io/decision=allow | table sourceIPs{} user.username userAgent verb responseStatus.reason responseStatus.status properties.pod objectRef.namespace | top sourceIPs{} user.username verb responseStatus.status properties.pod objectRef.namespace |`kubernetes_azure_active_service_accounts_by_pod_namespace_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "Not all service accounts interactions are malicious. Analyst must consider IP and verb context when trying to detect maliciousness.", "references": [], "tags": {"name": "Kubernetes Azure active service accounts by pod namespace", "analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_active_service_accounts_by_pod_namespace_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/kubernetes_azure_active_service_accounts_by_pod_namespace.yml", "source": "deprecated"}, {"name": "Kubernetes Azure detect RBAC authorization by account", "id": "47af7d20-0607-4079-97d7-7a29af58b54e", "version": 1, "date": "2020-05-26", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding rare or top to see both extremes of RBAC by accounts occurrences", "data_source": [], "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log | search annotations.authorization.k8s.io/reason=* | table sourceIPs{} user.username userAgent annotations.authorization.k8s.io/reason |stats count by user.username annotations.authorization.k8s.io/reason | rare user.username annotations.authorization.k8s.io/reason |`kubernetes_azure_detect_rbac_authorization_by_account_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "Not all RBAC Authorications are malicious. RBAC authorizations can uncover malicious activity specially if sensitive Roles have been granted.", "references": [], "tags": {"name": "Kubernetes Azure detect RBAC authorization by account", "analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_detect_rbac_authorization_by_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/kubernetes_azure_detect_rbac_authorization_by_account.yml", "source": "deprecated"}, {"name": "Kubernetes Azure detect sensitive object access", "id": "1bba382b-07fd-4ffa-b390-8002739b76e8", "version": 1, "date": "2020-05-20", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets", "data_source": [], "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log| search objectRef.resource=secrets OR configmaps user.username=system.anonymous OR annotations.authorization.k8s.io/decision=allow |table user.username user.groups{} objectRef.resource objectRef.namespace objectRef.name annotations.authorization.k8s.io/reason |dedup user.username user.groups{} |`kubernetes_azure_detect_sensitive_object_access_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "Sensitive object access is not necessarily malicious but user and object context can provide guidance for detection.", "references": [], "tags": {"name": "Kubernetes Azure detect sensitive object access", "analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_detect_sensitive_object_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/kubernetes_azure_detect_sensitive_object_access.yml", "source": "deprecated"}, {"name": "Kubernetes Azure detect sensitive role access", "id": "f27349e5-1641-4f6a-9e68-30402be0ad4c", "version": 1, "date": "2020-05-20", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets", "data_source": [], "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log| search objectRef.resource=clusterroles OR clusterrolebindings | table sourceIPs{} user.username user.groups{} objectRef.namespace requestURI annotations.authorization.k8s.io/reason | dedup user.username user.groups{} |`kubernetes_azure_detect_sensitive_role_access_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "Sensitive role resource access is necessary for cluster operation, however source IP, namespace and user group may indicate possible malicious use. ", "references": [], "tags": {"name": "Kubernetes Azure detect sensitive role access", "analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_detect_sensitive_role_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/kubernetes_azure_detect_sensitive_role_access.yml", "source": "deprecated"}, {"name": "Kubernetes Azure detect service accounts forbidden failure access", "id": "019690d7-420f-4da0-b320-f27b09961514", "version": 1, "date": "2020-05-20", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides information on Kubernetes service accounts with failure or forbidden access status", "data_source": [], "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log | search user.groups{}=system:serviceaccounts* responseStatus.reason=Forbidden | table sourceIPs{} user.username userAgent verb responseStatus.reason responseStatus.status properties.pod objectRef.namespace |`kubernetes_azure_detect_service_accounts_forbidden_failure_access_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "This search can give false positives as there might be inherent issues with authentications and permissions at cluster.", "references": [], "tags": {"name": "Kubernetes Azure detect service accounts forbidden failure access", "analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_detect_service_accounts_forbidden_failure_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/kubernetes_azure_detect_service_accounts_forbidden_failure_access.yml", "source": "deprecated"}, {"name": "Kubernetes Azure detect suspicious kubectl calls", "id": "4b6d1ba8-0000-4cec-87e6-6cbbd71651b5", "version": 1, "date": "2020-05-26", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides information on rare Kubectl calls with IP, verb namespace and object access context", "data_source": [], "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log | spath input=responseObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration | search userAgent=kubectl* sourceIPs{}!=127.0.0.1 sourceIPs{}!=::1 | table sourceIPs{} verb userAgent user.groups{} objectRef.resource objectRef.namespace requestURI | rare sourceIPs{} verb userAgent user.groups{} objectRef.resource objectRef.namespace requestURI |`kubernetes_azure_detect_suspicious_kubectl_calls_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "Kubectl calls are not malicious by nature. However source IP, verb and Object can reveal potential malicious activity, specially suspicious IPs and sensitive objects such as configmaps or secrets", "references": [], "tags": {"name": "Kubernetes Azure detect suspicious kubectl calls", "analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_detect_suspicious_kubectl_calls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/kubernetes_azure_detect_suspicious_kubectl_calls.yml", "source": "deprecated"}, {"name": "Kubernetes Azure pod scan fingerprint", "id": "86aad3e0-732f-4f66-bbbc-70df448e461d", "version": 1, "date": "2020-05-20", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides information of unauthenticated requests via source IP user agent, request URI and response status data against Kubernetes cluster pod in Azure", "data_source": [], "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log | search responseStatus.code=401 | table sourceIPs{} userAgent verb requestURI responseStatus.reason properties.pod |`kubernetes_azure_pod_scan_fingerprint_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "Not all unauthenticated requests are malicious, but source IPs, userAgent, verb, request URI and response status will provide context.", "references": [], "tags": {"name": "Kubernetes Azure pod scan fingerprint", "analytic_story": ["Kubernetes Scanning Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_pod_scan_fingerprint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/kubernetes_azure_pod_scan_fingerprint.yml", "source": "deprecated"}, {"name": "Kubernetes Azure scan fingerprint", "id": "c5e5bd5c-1013-4841-8b23-e7b3253c840a", "version": 1, "date": "2020-05-19", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides information of unauthenticated requests via source IP user agent, request URI and response status data against Kubernetes cluster in Azure", "data_source": [], "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log | search responseStatus.code=401 | table sourceIPs{} userAgent verb requestURI responseStatus.reason |`kubernetes_azure_scan_fingerprint_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "Not all unauthenticated requests are malicious, but source IPs, userAgent, verb, request URI and response status will provide context.", "references": [], "tags": {"name": "Kubernetes Azure scan fingerprint", "analytic_story": ["Kubernetes Scanning Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1526"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "datamodel": [], "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_scan_fingerprint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/kubernetes_azure_scan_fingerprint.yml", "source": "deprecated"}, {"name": "Kubernetes GCP detect most active service accounts by pod", "id": "7f5c2779-88a0-4824-9caa-0f606c8f260f", "version": 1, "date": "2020-07-10", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides information on Kubernetes service accounts,accessing pods by IP address, verb and decision", "data_source": [], "search": "`google_gcp_pubsub_message` data.protoPayload.request.spec.group{}=system:serviceaccounts | table src_ip src_user http_user_agent data.protoPayload.request.spec.nonResourceAttributes.verb data.labels.authorization.k8s.io/decision data.protoPayload.response.spec.resourceAttributes.resource | top src_ip src_user http_user_agent data.labels.authorization.k8s.io/decision data.protoPayload.response.spec.resourceAttributes.resource |`kubernetes_gcp_detect_most_active_service_accounts_by_pod_filter`", "how_to_implement": "You must install splunk GCP add on. This search works with pubsub messaging service logs", "known_false_positives": "Not all service accounts interactions are malicious. Analyst must consider IP, verb and decision context when trying to detect maliciousness.", "references": [], "tags": {"name": "Kubernetes GCP detect most active service accounts by pod", "analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "GCP GKE Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_gcp_detect_most_active_service_accounts_by_pod_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/kubernetes_gcp_detect_most_active_service_accounts_by_pod.yml", "source": "deprecated"}, {"name": "Kubernetes GCP detect RBAC authorizations by account", "id": "99487de3-7192-4b41-939d-fbe9acfb1340", "version": 1, "date": "2020-07-11", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding top to see both extremes of RBAC by accounts occurrences", "data_source": [], "search": "`google_gcp_pubsub_message` data.labels.authorization.k8s.io/reason=ClusterRoleBinding OR Clusterrole | table src_ip src_user data.labels.authorization.k8s.io/decision data.labels.authorization.k8s.io/reason | rare src_user data.labels.authorization.k8s.io/reason |`kubernetes_gcp_detect_rbac_authorizations_by_account_filter`", "how_to_implement": "You must install splunk AWS add on for GCP. This search works with pubsub messaging service logs", "known_false_positives": "Not all RBAC Authorications are malicious. RBAC authorizations can uncover malicious activity specially if sensitive Roles have been granted.", "references": [], "tags": {"name": "Kubernetes GCP detect RBAC authorizations by account", "analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "GCP GKE Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_gcp_detect_rbac_authorizations_by_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/kubernetes_gcp_detect_rbac_authorizations_by_account.yml", "source": "deprecated"}, {"name": "Kubernetes GCP detect sensitive object access", "id": "bdb6d596-86a0-4aba-8369-418ae8b9963a", "version": 1, "date": "2020-07-11", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides information on Kubernetes accounts accessing sensitve objects such as configmaps or secrets", "data_source": [], "search": "`google_gcp_pubsub_message` data.protoPayload.authorizationInfo{}.resource=configmaps OR secrets | table data.protoPayload.requestMetadata.callerIp src_user data.resource.labels.cluster_name data.protoPayload.request.metadata.namespace data.labels.authorization.k8s.io/decision | dedup data.protoPayload.requestMetadata.callerIp src_user data.resource.labels.cluster_name |`kubernetes_gcp_detect_sensitive_object_access_filter`", "how_to_implement": "You must install splunk add on for GCP . This search works with pubsub messaging service logs.", "known_false_positives": "Sensitive object access is not necessarily malicious but user and object context can provide guidance for detection.", "references": [], "tags": {"name": "Kubernetes GCP detect sensitive object access", "analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "GCP GKE Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_gcp_detect_sensitive_object_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/kubernetes_gcp_detect_sensitive_object_access.yml", "source": "deprecated"}, {"name": "Kubernetes GCP detect sensitive role access", "id": "a46923f6-36b9-4806-a681-31f314907c30", "version": 1, "date": "2020-07-11", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets", "data_source": [], "search": "`google_gcp_pubsub_message` data.labels.authorization.k8s.io/reason=ClusterRoleBinding OR Clusterrole dest=apis/rbac.authorization.k8s.io/v1 src_ip!=::1 | table src_ip src_user http_user_agent data.labels.authorization.k8s.io/decision data.labels.authorization.k8s.io/reason | dedup src_ip src_user |`kubernetes_gcp_detect_sensitive_role_access_filter`", "how_to_implement": "You must install splunk add on for GCP. This search works with pubsub messaging servicelogs.", "known_false_positives": "Sensitive role resource access is necessary for cluster operation, however source IP, user agent, decision and reason may indicate possible malicious use. ", "references": [], "tags": {"name": "Kubernetes GCP detect sensitive role access", "analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "GCP GKE EKS Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_gcp_detect_sensitive_role_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/kubernetes_gcp_detect_sensitive_role_access.yml", "source": "deprecated"}, {"name": "Kubernetes GCP detect service accounts forbidden failure access", "id": "7094808d-432a-48e7-bb3c-77e96c894f3b", "version": 1, "date": "2020-06-23", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides information on Kubernetes service accounts with failure or forbidden access status, this search can be extended by using top or rare operators to find trends or rarities in failure status, user agents, source IPs and request URI", "data_source": [], "search": "`google_gcp_pubsub_message` system:serviceaccounts data.protoPayload.response.status.allowed!=* | table src_ip src_user http_user_agent data.protoPayload.response.spec.resourceAttributes.namespace data.resource.labels.cluster_name data.protoPayload.response.spec.resourceAttributes.verb data.protoPayload.request.status.allowed data.protoPayload.response.status.reason data.labels.authorization.k8s.io/decision | dedup src_ip src_user | `kubernetes_gcp_detect_service_accounts_forbidden_failure_access_filter`", "how_to_implement": "You must install splunk add on for GCP. This search works with pubsub messaging service logs.", "known_false_positives": "This search can give false positives as there might be inherent issues with authentications and permissions at cluster.", "references": [], "tags": {"name": "Kubernetes GCP detect service accounts forbidden failure access", "analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "GCP GKE Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_gcp_detect_service_accounts_forbidden_failure_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/kubernetes_gcp_detect_service_accounts_forbidden_failure_access.yml", "source": "deprecated"}, {"name": "Kubernetes GCP detect suspicious kubectl calls", "id": "a5bed417-070a-41f2-a1e4-82b6aa281557", "version": 1, "date": "2020-07-11", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides information on anonymous Kubectl calls with IP, verb namespace and object access context", "data_source": [], "search": "`google_gcp_pubsub_message` data.protoPayload.requestMetadata.callerSuppliedUserAgent=kubectl* src_user=system:unsecured OR src_user=system:anonymous | table src_ip src_user data.protoPayload.requestMetadata.callerSuppliedUserAgent data.protoPayload.authorizationInfo{}.granted object_path |dedup src_ip src_user |`kubernetes_gcp_detect_suspicious_kubectl_calls_filter`", "how_to_implement": "You must install splunk add on for GCP. This search works with pubsub messaging logs.", "known_false_positives": "Kubectl calls are not malicious by nature. However source IP, source user, user agent, object path, and authorization context can reveal potential malicious activity, specially anonymous suspicious IPs and sensitive objects such as configmaps or secrets", "references": [], "tags": {"name": "Kubernetes GCP detect suspicious kubectl calls", "analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "GCP GKE Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_gcp_detect_suspicious_kubectl_calls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/kubernetes_gcp_detect_suspicious_kubectl_calls.yml", "source": "deprecated"}, {"name": "Monitor DNS For Brand Abuse", "id": "24dd17b1-e2fb-4c31-878c-d4f746595bfa", "version": 1, "date": "2017-09-23", "author": "David Dorsey, Splunk", "type": "TTP", "status": "deprecated", "description": "This search looks for DNS requests for faux domains similar to the domains that you want to have monitored for abuse.", "data_source": [], "search": "| tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) as firstTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name(\"DNS\")` | `security_content_ctime(firstTime)`| `brand_abuse_dns` | `monitor_dns_for_brand_abuse_filter`", "how_to_implement": "You need to ingest data from your DNS logs. Specifically you must ingest the domain that is being queried and the IP of the host originating the request. Ideally, you should also be ingesting the answer to the query and the query type. This approach allows you to also create your own localized passive DNS capability which can aid you in future investigations. You also need to have run the search \"ESCU - DNSTwist Domain Names\", which creates the permutations of the domain that will be checked for. You also need the [`dnstwist`](https://gist.github.com/d1vious/c4c2aae7fa7d5cbb1f24adc5f6303ac1) custom command.", "known_false_positives": "None at this time", "references": [], "tags": {"name": "Monitor DNS For Brand Abuse", "analytic_story": ["Brand Monitoring"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": ["Network_Resolution"], "macros": [{"name": "brand_abuse_dns", "definition": "lookup update=true brandMonitoring_lookup domain as query OUTPUT domain_abuse | search domain_abuse=true", "description": "This macro limits the output to only domains that are in the brand monitoring lookup file"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "monitor_dns_for_brand_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/monitor_dns_for_brand_abuse.yml", "source": "deprecated", "nes_fields": "user,dest"}, {"name": "Open Redirect in Splunk Web", "id": "d199fb99-2312-451a-9daa-e5efa6ed76a7", "version": 1, "date": "2017-09-19", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "deprecated", "description": "This search allows you to look for evidence of exploitation for CVE-2016-4859, the Splunk Open Redirect Vulnerability.", "data_source": [], "search": "index=_internal sourcetype=splunk_web_access return_to=\"/%09/*\" | `open_redirect_in_splunk_web_filter`", "how_to_implement": "No extra steps needed to implement this search.", "known_false_positives": "None identified", "references": [], "tags": {"name": "Open Redirect in Splunk Web", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "cve": ["CVE-2016-4859"], "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "open_redirect_in_splunk_web_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2016-4859", "cvss": 5.8, "summary": "Open redirect vulnerability in Splunk Enterprise 6.4.x prior to 6.4.3, Splunk Enterprise 6.3.x prior to 6.3.6, Splunk Enterprise 6.2.x prior to 6.2.10, Splunk Enterprise 6.1.x prior to 6.1.11, Splunk Enterprise 6.0.x prior to 6.0.12, Splunk Enterprise 5.0.x prior to 5.0.16 and Splunk Light prior to 6.4.3 allows to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/open_redirect_in_splunk_web.yml", "source": "deprecated", "nes_fields": "user,dest"}, {"name": "Osquery pack - ColdRoot detection", "id": "a6fffe5e-05c3-4c04-badc-887607fbb8dc", "version": 1, "date": "2019-01-29", "author": "Rico Valdez, Splunk", "type": "TTP", "status": "deprecated", "description": "This search looks for ColdRoot events from the osx-attacks osquery pack.", "data_source": [], "search": "| from datamodel Alerts.Alerts | search app=osquery:results (name=pack_osx-attacks_OSX_ColdRoot_RAT_Launchd OR name=pack_osx-attacks_OSX_ColdRoot_RAT_Files) | rename columns.path as path | bucket _time span=30s | stats count(path) by _time, host, user, path | `osquery_pack___coldroot_detection_filter`", "how_to_implement": "In order to properly run this search, Splunk needs to ingest data from your osquery deployed agents with the [osx-attacks.conf](https://github.com/facebook/osquery/blob/experimental/packs/osx-attacks.conf#L599) pack enabled. Also the [TA-OSquery](https://github.com/d1vious/TA-osquery) must be deployed across your indexers and universal forwarders in order to have the osquery data populate the Alerts data model", "known_false_positives": "There are no known false positives.", "references": [], "tags": {"name": "Osquery pack - ColdRoot detection", "analytic_story": ["ColdRoot MacOS RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "osquery_pack___coldroot_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/osquery_pack___coldroot_detection.yml", "source": "deprecated", "nes_fields": "user,dest"}, {"name": "Processes created by netsh", "id": "b89919ed-fe5f-492c-b139-95dbb162041e", "version": 5, "date": "2020-11-23", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "deprecated", "description": "This search looks for processes launching netsh.exe to execute various commands via the netsh command-line utility. Netsh.exe is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper .dll when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe that are executing commands via the command line. Deprecated because we have another detection of the same type.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=netsh.exe by Processes.user Processes.dest Processes.parent_process Processes.parent_process_name Processes.process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `processes_created_by_netsh_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting logs with the process name, command-line arguments, and parent processes from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "It is unusual for netsh.exe to have any child processes in most environments. It makes sense to investigate the child process and verify whether the process spawned is legitimate. We explicitely exclude \"C:\\Program Files\\rempl\\sedlauncher.exe\" process path since it is a legitimate process by Mircosoft.", "references": [], "tags": {"name": "Processes created by netsh", "analytic_story": ["Netsh Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1562.004"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "processes_created_by_netsh_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/processes_created_by_netsh.yml", "source": "deprecated", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Prohibited Software On Endpoint", "id": "a51bfe1a-94f0-48cc-b4e4-b6ae50145893", "version": 2, "date": "2019-10-11", "author": "David Dorsey, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search looks for applications on the endpoint that you have marked as prohibited.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.process_name | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `prohibited_processes` | `prohibited_software_on_endpoint_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is usually generated via logs that report process tracking in your Windows audit settings. In addition, you must also have only the `process_name` (not the entire process path) marked as \"prohibited\" in the Enterprise Security `interesting processes` table. To include the process names marked as \"prohibited\", which is included with ES Content Updates, run the included search Add Prohibited Processes to Enterprise Security.", "known_false_positives": "None identified", "references": [], "tags": {"name": "Prohibited Software On Endpoint", "analytic_story": ["Monitor for Unauthorized Software", "Emotet Malware DHS Report TA18-201A ", "SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_times"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "prohibited_software_on_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/prohibited_software_on_endpoint.yml", "source": "deprecated", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Reg exe used to hide files directories via registry keys", "id": "61a7d1e6-f5d4-41d9-a9be-39a1ffe69459", "version": 2, "date": "2019-02-27", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "deprecated", "description": "The search looks for command-line arguments used to hide a file or directory using the reg add command.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = reg.exe Processes.process=\"*add*\" Processes.process=\"*Hidden*\" Processes.process=\"*REG_DWORD*\" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)`| regex process = \"(/d\\s+2)\" | `reg_exe_used_to_hide_files_directories_via_registry_keys_filter`", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "None at the moment", "references": [], "tags": {"name": "Reg exe used to hide files directories via registry keys", "analytic_story": ["Windows Defense Evasion Tactics", "Suspicious Windows Registry Activities", "Windows Persistence Techniques"], "asset_type": "", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1564.001"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1564.001", "mitre_attack_technique": "Hidden Files and Directories", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "HAFNIUM", "Lazarus Group", "LuminousMoth", "Mustang Panda", "Rocke", "Transparent Tribe", "Tropic Trooper"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "reg_exe_used_to_hide_files_directories_via_registry_keys_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/reg_exe_used_to_hide_files_directories_via_registry_keys.yml", "source": "deprecated", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Remote Registry Key modifications", "id": "c9f4b923-f8af-4155-b697-1354f5dcbc5e", "version": 3, "date": "2020-03-02", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "deprecated", "description": "This search monitors for remote modifications to registry keys.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"\\\\\\\\*\" by Registry.dest , Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `remote_registry_key_modifications_filter`", "how_to_implement": "To successfully implement this search, you must populate the `Endpoint` data model. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. Deprecated because I don't think the logic is right.", "known_false_positives": "This technique may be legitimately used by administrators to modify remote registries, so it's important to filter these events out.", "references": [], "tags": {"name": "Remote Registry Key modifications", "analytic_story": ["Windows Defense Evasion Tactics", "Suspicious Windows Registry Activities", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "remote_registry_key_modifications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/remote_registry_key_modifications.yml", "source": "deprecated", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Scheduled tasks used in BadRabbit ransomware", "id": "1297fb80-f42a-4b4a-9c8b-78c066437cf6", "version": 3, "date": "2020-07-21", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "deprecated", "description": "This search looks for flags passed to schtasks.exe on the command-line that indicate that task names related to the execution of Bad Rabbit ransomware were created or deleted. Deprecated because we already have a similar detection", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe (Processes.process= \"*create*\" OR Processes.process= \"*delete*\") by Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | search (process=*rhaegal* OR process=*drogon* OR *viserion_*) | `scheduled_tasks_used_in_badrabbit_ransomware_filter`", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "No known false positives", "references": [], "tags": {"name": "Scheduled tasks used in BadRabbit ransomware", "analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "message": "tbd", "mitre_attack_id": ["T1053.005"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "scheduled_tasks_used_in_badrabbit_ransomware_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/scheduled_tasks_used_in_badrabbit_ransomware.yml", "source": "deprecated", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Spectre and Meltdown Vulnerable Systems", "id": "354be8e0-32cd-4da0-8c47-796de13b60ea", "version": 1, "date": "2017-01-07", "author": "David Dorsey, Splunk", "type": "TTP", "status": "deprecated", "description": "The search is used to detect systems that are still vulnerable to the Spectre and Meltdown vulnerabilities.", "data_source": [], "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Vulnerabilities where Vulnerabilities.cve =\"CVE-2017-5753\" OR Vulnerabilities.cve =\"CVE-2017-5715\" OR Vulnerabilities.cve =\"CVE-2017-5754\" by Vulnerabilities.dest | `drop_dm_object_name(Vulnerabilities)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spectre_and_meltdown_vulnerable_systems_filter`", "how_to_implement": "The search requires that you are ingesting your vulnerability-scanner data and that it reports the CVE of the vulnerability identified.", "known_false_positives": "It is possible that your vulnerability scanner is not detecting that the patches have been applied.", "references": [], "tags": {"name": "Spectre and Meltdown Vulnerable Systems", "analytic_story": ["Spectre And Meltdown Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2017-5753"], "mitre_attack_enrichments": []}, "datamodel": ["Vulnerabilities"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "spectre_and_meltdown_vulnerable_systems_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2017-5753", "cvss": 4.7, "summary": "Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/spectre_and_meltdown_vulnerable_systems.yml", "source": "deprecated", "nes_fields": "user,dest"}, {"name": "Splunk Enterprise Information Disclosure", "id": "f6a26b7b-7e80-4963-a9a8-d836e7534ebd", "version": 1, "date": "2018-06-14", "author": "David Dorsey, Splunk", "type": "TTP", "status": "deprecated", "description": "This search allows you to look for evidence of exploitation for CVE-2018-11409, a Splunk Enterprise Information Disclosure Bug.", "data_source": [], "search": "index=_internal sourcetype=splunkd_ui_access server-info | search clientip!=127.0.0.1 uri_path=\"*raw/services/server/info/server-info\" | rename clientip as src_ip, splunk_server as dest | stats earliest(_time) as firstTime, latest(_time) as lastTime, values(uri) as uri, values(useragent) as http_user_agent, values(user) as user by src_ip, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_enterprise_information_disclosure_filter`", "how_to_implement": "The REST endpoint that exposes system information is also necessary for the proper operation of Splunk clustering and instrumentation. Whitelisting your Splunk systems will reduce false positives.", "known_false_positives": "Retrieving server information may be a legitimate API request. Verify that the attempt is a valid request for information.", "references": [], "tags": {"name": "Splunk Enterprise Information Disclosure", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "cve": ["CVE-2018-11409"], "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_enterprise_information_disclosure_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2018-11409", "cvss": 5.0, "summary": "Splunk through 7.0.1 allows information disclosure by appending __raw/services/server/info/server-info?output_mode=json to a query, as demonstrated by discovering a license key."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/splunk_enterprise_information_disclosure.yml", "source": "deprecated", "nes_fields": "user,dest"}, {"name": "Suspicious Changes to File Associations", "id": "1b989a0e-0129-4446-a695-f193a5b746fc", "version": 4, "date": "2020-07-22", "author": "Rico Valdez, Splunk", "type": "TTP", "status": "deprecated", "description": "This search looks for changes to registry values that control Windows file associations, executed by a process that is not typical for legitimate, routine changes to this area.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name FROM datamodel=Endpoint.Processes where Processes.process_name!=Explorer.exe AND Processes.process_name!=OpenWith.exe by Processes.process_id Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join [| tstats `security_content_summariesonly` values(Registry.registry_path) as registry_path count from datamodel=Endpoint.Registry where Registry.registry_path=*\\\\Explorer\\\\FileExts* by Registry.process_id Registry.dest | `drop_dm_object_name(\"Registry\")` | table process_id dest registry_path]| `suspicious_changes_to_file_associations_filter` ", "how_to_implement": "To successfully implement this search you need to be ingesting information on registry changes that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Registry` nodes.", "known_false_positives": "There may be other processes in your environment that users may legitimately use to modify file associations. If this is the case and you are finding false positives, you can modify the search to add those processes as exceptions.", "references": [], "tags": {"name": "Suspicious Changes to File Associations", "analytic_story": ["Suspicious Windows Registry Activities", "Windows File Extension and Association Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "message": "tbd", "mitre_attack_id": ["T1546.001"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_changes_to_file_associations_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/suspicious_changes_to_file_associations.yml", "source": "deprecated", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious Email - UBA Anomaly", "id": "56e877a6-1455-4479-ad16-0550dc1e33f8", "version": 3, "date": "2020-07-22", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "deprecated", "description": "This detection looks for emails that are suspicious because of their sender, domain rareness, or behavior differences. This is an anomaly generated by Splunk User Behavior Analytics (UBA).", "data_source": [], "search": "|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_UEBA_Events.category) as category from datamodel=UEBA where nodename=All_UEBA_Events.UEBA_Anomalies All_UEBA_Events.UEBA_Anomalies.uba_model = \"SuspiciousEmailDetectionModel\" by All_UEBA_Events.description All_UEBA_Events.severity All_UEBA_Events.user All_UEBA_Events.uba_event_type All_UEBA_Events.link All_UEBA_Events.signature All_UEBA_Events.url All_UEBA_Events.UEBA_Anomalies.uba_model | `drop_dm_object_name(All_UEBA_Events)` | `drop_dm_object_name(UEBA_Anomalies)`| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_email___uba_anomaly_filter`", "how_to_implement": "You must be ingesting data from email logs and have Splunk integrated with UBA. This anomaly is raised by a UBA detection model called \"SuspiciousEmailDetectionModel.\" Ensure that this model is enabled on your UBA instance.", "known_false_positives": "This detection model will alert on any sender domain that is seen for the first time. This could be a potential false positive. The next step is to investigate and add the URL to an allow list if you determine that it is a legitimate sender.", "references": [], "tags": {"name": "Suspicious Email - UBA Anomaly", "analytic_story": ["Suspicious Emails"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "tbd", "mitre_attack_id": ["T1566"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "datamodel": ["Email", "UEBA"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_email___uba_anomaly_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/suspicious_email___uba_anomaly.yml", "source": "deprecated"}, {"name": "Suspicious File Write", "id": "57f76b8a-32f0-42ed-b358-d9fa3ca7bac8", "version": 3, "date": "2019-04-25", "author": "Rico Valdez, Splunk", "type": "Hunting", "status": "deprecated", "description": "The search looks for files created with names that have been linked to malicious activity.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count values(Filesystem.action) as action values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Filesystem)` | `suspicious_writes` | `suspicious_file_write_filter`", "how_to_implement": "You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file system reads and writes. In addition, this search leverages an included lookup file that contains the names of the files to watch for, as well as a note to communicate why that file name is being monitored. This lookup file can be edited to add or remove file the file names you want to monitor.", "known_false_positives": "It's possible for a legitimate file to be created with the same name as one noted in the lookup file. Filenames listed in the lookup file should be unique enough that collisions are rare. Looking at the location of the file and the process responsible for the activity can help determine whether or not the activity is legitimate.", "references": [], "tags": {"name": "Suspicious File Write", "analytic_story": ["Hidden Cobra Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "suspicious_writes", "definition": "lookup suspicious_writes_lookup file as file_name OUTPUT note as \"Reference\" | search \"Reference\" != False", "description": "This macro limites the output to file names that have been marked as suspicious"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_file_write_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/suspicious_file_write.yml", "source": "deprecated", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious Powershell Command-Line Arguments", "id": "2cdb91d2-542c-497f-b252-be495e71f38c", "version": 6, "date": "2021-01-19", "author": "David Dorsey, Splunk", "type": "TTP", "status": "deprecated", "description": "This search looks for PowerShell processes started with a base64 encoded command-line passed to it, with parameters to modify the execution policy for the process, and those that prevent the display of an interactive prompt to the user. This combination of command-line options is suspicious because it overrides the default PowerShell execution policy, attempts to hide itself from the user, and passes an encoded script to be run on the command-line. Deprecated because almost the same as Malicious PowerShell Process - Encoded Command", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| search (process=*-EncodedCommand* OR process=*-enc*) process=*-Exec* | `suspicious_powershell_command_line_arguments_filter`", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "Legitimate process can have this combination of command-line options, but it's not common.", "references": [], "tags": {"name": "Suspicious Powershell Command-Line Arguments", "analytic_story": ["Malicious PowerShell", "Hermetic Wiper", "CISA AA22-320A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "tbd", "mitre_attack_id": ["T1059.001"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_powershell_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/suspicious_powershell_command_line_arguments.yml", "source": "deprecated", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious Rundll32 Rename", "id": "7360137f-abad-473e-8189-acbdaa34d114", "version": 5, "date": "2022-04-07", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "deprecated", "description": "The following hunting analytic identifies renamed instances of rundll32.exe executing. rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64. During investigation, validate it is the legitimate rundll32.exe executing and what script content it is loading. This query relies on the original filename or internal name from the PE meta data. Expand the query as needed by looking for specific command line arguments outlined in other analytics.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.original_file_name=RUNDLL32.exe AND Processes.process_name!=rundll32.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_rename_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/"], "tags": {"name": "Suspicious Rundll32 Rename", "analytic_story": ["Suspicious Rundll32 Activity", "Masquerading - Rename System Utilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Suspicious renamed rundll32.exe binary ran on $dest$ by $user$", "mitre_attack_id": ["T1218", "T1036", "T1218.011", "T1036.003"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_rundll32_rename_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/suspicious_rundll32_rename.yml", "source": "deprecated", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious writes to System Volume Information", "id": "cd6297cd-2bdd-4aa1-84aa-5d2f84228fac", "version": 2, "date": "2020-07-22", "author": "Rico Valdez, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search detects writes to the 'System Volume Information' folder by something other than the System process.", "data_source": ["Sysmon Event ID 1"], "search": "(`sysmon` OR tag=process) EventCode=11 process_id!=4 file_path=*System\\ Volume\\ Information* | stats count min(_time) as firstTime max(_time) as lastTime by dest, Image, file_path | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_writes_to_system_volume_information_filter`", "how_to_implement": "You need to be ingesting logs with both the process name and command-line from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "It is possible that other utilities or system processes may legitimately write to this folder. Investigate and modify the search to include exceptions as appropriate.", "references": [], "tags": {"name": "Suspicious writes to System Volume Information", "analytic_story": ["Collection and Staging"], "asset_type": "Windows", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1036"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_writes_to_system_volume_information_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/suspicious_writes_to_system_volume_information.yml", "source": "deprecated"}, {"name": "Uncommon Processes On Endpoint", "id": "29ccce64-a10c-4389-a45f-337cb29ba1f7", "version": 4, "date": "2020-07-22", "author": "David Dorsey, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search looks for applications on the endpoint that you have marked as uncommon.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.process Processes.process_name | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `uncommon_processes` |`uncommon_processes_on_endpoint_filter` ", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \"process\" field in the Endpoint data model. This search uses a lookup file `uncommon_processes_default.csv` to track various features of process names that are usually uncommon in most environments. Please consider updating `uncommon_processes_local.csv` to hunt for processes that are uncommon in your environment.", "known_false_positives": "None identified", "references": [], "tags": {"name": "Uncommon Processes On Endpoint", "analytic_story": ["Windows Privilege Escalation", "Unusual Processes", "Hermetic Wiper"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "tbd", "mitre_attack_id": ["T1204.002"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "uncommon_processes", "definition": "lookup update=true lookup_uncommon_processes_default process_name as process_name outputnew uncommon_default,category_default,analytic_story_default,kill_chain_phase_default,mitre_attack_default | lookup update=true lookup_uncommon_processes_local process_name as process_name outputnew uncommon_local,category_local,analytic_story_local,kill_chain_phase_local,mitre_attack_local | eval uncommon = coalesce(uncommon_default, uncommon_local), analytic_story = coalesce(analytic_story_default, analytic_story_local), category=coalesce(category_default, category_local), kill_chain_phase=coalesce(kill_chain_phase_default, kill_chain_phase_local), mitre_attack=coalesce(mitre_attack_default, mitre_attack_local) | fields - analytic_story_default, analytic_story_local, category_default, category_local, kill_chain_phase_default, kill_chain_phase_local, mitre_attack_default, mitre_attack_local, uncommon_default, uncommon_local | search uncommon=true", "description": "This macro limits the output to processes that have been marked as uncommon"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "uncommon_processes_on_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/uncommon_processes_on_endpoint.yml", "source": "deprecated", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Unsigned Image Loaded by LSASS", "id": "56ef054c-76ef-45f9-af4a-a634695dcd65", "version": 1, "date": "2019-12-06", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "deprecated", "description": "This search detects loading of unsigned images by LSASS. Deprecated because too noisy.", "data_source": ["Sysmon Event ID 7"], "search": "`sysmon` EventID=7 Image=*lsass.exe Signed=false | stats count min(_time) as firstTime max(_time) as lastTime by Computer, Image, ImageLoaded, Signed, SHA1 | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `unsigned_image_loaded_by_lsass_filter` ", "how_to_implement": "This search needs Sysmon Logs with a sysmon configuration, which includes EventCode 7 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "Other tools could load images into LSASS for legitimate reason. But enterprise tools should always use signed DLLs.", "references": ["https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf"], "tags": {"name": "Unsigned Image Loaded by LSASS", "analytic_story": ["Credential Dumping"], "asset_type": "Windows", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1003.001"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "unsigned_image_loaded_by_lsass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/unsigned_image_loaded_by_lsass.yml", "source": "deprecated", "nes_fields": "user,dest"}, {"name": "Unsuccessful Netbackup backups", "id": "a34aae96-ccf8-4aaa-952c-3ea21444444f", "version": 1, "date": "2017-09-12", "author": "David Dorsey, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search gives you the hosts where a backup was attempted and then failed.", "data_source": [], "search": "`netbackup` | stats latest(_time) as latestTime by COMPUTERNAME, MESSAGE | search MESSAGE=\"An error occurred, failed to backup.\" | `security_content_ctime(latestTime)` | rename COMPUTERNAME as dest, MESSAGE as signature | table latestTime, dest, signature | `unsuccessful_netbackup_backups_filter`", "how_to_implement": "To successfully implement this search you need to obtain data from your backup solution, either from the backup logs on your endpoints or from a central server responsible for performing the backups. If you do not use Netbackup, you can modify this search for your specific backup solution.", "known_false_positives": "None identified", "references": [], "tags": {"name": "Unsuccessful Netbackup backups", "analytic_story": ["Monitor Backup Solution"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "netbackup", "definition": "sourcetype=\"netbackup_logs\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "unsuccessful_netbackup_backups_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/unsuccessful_netbackup_backups.yml", "source": "deprecated"}, {"name": "Web Fraud - Account Harvesting", "id": "bf1d7b5c-df2f-4249-a401-c09fdc221ddf", "version": 1, "date": "2018-10-08", "author": "Jim Apger, Splunk", "type": "TTP", "status": "deprecated", "description": "This search is used to identify the creation of multiple user accounts using the same email domain name.", "data_source": [], "search": "`stream_http` http_content_type=text* uri=\"/magento2/customer/account/loginPost/\" | rex field=cookie \"form_key=(?\\w+)\" | rex field=form_data \"login\\[username\\]=(?[^&|^$]+)\" | search Username=* | rex field=Username \"@(?.*)\" | stats dc(Username) as UniqueUsernames list(Username) as src_user by email_domain | where UniqueUsernames> 25 | `web_fraud___account_harvesting_filter`", "how_to_implement": "We start with a dataset that provides visibility into the email address used for the account creation. In this example, we are narrowing our search down to the single web page that hosts the Magento2 e-commerce platform (via URI) used for account creation, the single http content-type to grab only the user's clicks, and the http field that provides the username (form_data), for performance reasons. After we have the username and email domain, we look for numerous account creations per email domain. Common data sources used for this detection are customized Apache logs or Splunk Stream.", "known_false_positives": "As is common with many fraud-related searches, we are usually looking to attribute risk or synthesize relevant context with loosely written detections that simply detect anamolous behavior. This search will need to be customized to fit your environment—improving its fidelity by counting based on something much more specific, such as a device ID that may be present in your dataset. Consideration for whether the large number of registrations are occuring from a first-time seen domain may also be important. Extending the search window to look further back in time, or even calculating the average per hour/day for each email domain to look for an anomalous spikes, will improve this search. You can also use Shannon entropy or Levenshtein Distance (both courtesy of URL Toolbox) to consider the randomness or similarity of the email name or email domain, as the names are often machine-generated.", "references": ["https://splunkbase.splunk.com/app/2734/", "https://splunkbase.splunk.com/app/1809/"], "tags": {"name": "Web Fraud - Account Harvesting", "analytic_story": ["Web Fraud Detection"], "asset_type": "Account", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "tbd", "mitre_attack_id": ["T1136"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "http_content_type", "uri", "cookie"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}]}, "datamodel": [], "macros": [{"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "web_fraud___account_harvesting_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/web_fraud___account_harvesting.yml", "source": "deprecated", "nes_fields": "user,dest"}, {"name": "Web Fraud - Anomalous User Clickspeed", "id": "31337bbb-bc22-4752-b599-ef192df2dc7a", "version": 1, "date": "2018-10-08", "author": "Jim Apger, Splunk", "type": "Anomaly", "status": "deprecated", "description": "This search is used to examine web sessions to identify those where the clicks are occurring too quickly for a human or are occurring with a near-perfect cadence (high periodicity or low standard deviation), resembling a script driven session.", "data_source": [], "search": "`stream_http` http_content_type=text* | rex field=cookie \"form_key=(?\\w+)\" | streamstats window=2 current=1 range(_time) as TimeDelta by session_id | where TimeDelta>0 |stats count stdev(TimeDelta) as ClickSpeedStdDev avg(TimeDelta) as ClickSpeedAvg by session_id | where count>5 AND (ClickSpeedStdDev<.5 OR ClickSpeedAvg<.5) | `web_fraud___anomalous_user_clickspeed_filter`", "how_to_implement": "Start with a dataset that allows you to see clickstream data for each user click on the website. That data must have a time stamp and must contain a reference to the session identifier being used by the website. This ties the clicks together into clickstreams. This value is usually found in the http cookie. With a bit of tuning, a version of this search could be used in high-volume scenarios, such as scraping, crawling, application DDOS, credit-card testing, account takeover, etc. Common data sources used for this detection are customized Apache logs, customized IIS, and Splunk Stream.", "known_false_positives": "As is common with many fraud-related searches, we are usually looking to attribute risk or synthesize relevant context with loosly written detections that simply detect anamoluous behavior.", "references": ["https://en.wikipedia.org/wiki/Session_ID", "https://en.wikipedia.org/wiki/Session_(computer_science)", "https://en.wikipedia.org/wiki/HTTP_cookie", "https://splunkbase.splunk.com/app/1809/"], "tags": {"name": "Web Fraud - Anomalous User Clickspeed", "analytic_story": ["Web Fraud Detection"], "asset_type": "account", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "http_content_type", "cookie"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "datamodel": [], "macros": [{"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "web_fraud___anomalous_user_clickspeed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/web_fraud___anomalous_user_clickspeed.yml", "source": "deprecated"}, {"name": "Web Fraud - Password Sharing Across Accounts", "id": "31337a1a-53b9-4e05-96e9-55c934cb71d3", "version": 1, "date": "2018-10-08", "author": "Jim Apger, Splunk", "type": "Anomaly", "status": "deprecated", "description": "This search is used to identify user accounts that share a common password.", "data_source": [], "search": "`stream_http` http_content_type=text* uri=/magento2/customer/account/loginPost* | rex field=form_data \"login\\[username\\]=(?[^&|^$]+)\" | rex field=form_data \"login\\[password\\]=(?[^&|^$]+)\" | stats dc(Username) as UniqueUsernames values(Username) as user list(src_ip) as src_ip by Password|where UniqueUsernames>5 | `web_fraud___password_sharing_across_accounts_filter`", "how_to_implement": "We need to start with a dataset that allows us to see the values of usernames and passwords that users are submitting to the website hosting the Magento2 e-commerce platform (commonly found in the HTTP form_data field). A tokenized or hashed value of a password is acceptable and certainly preferable to a clear-text password. Common data sources used for this detection are customized Apache logs, customized IIS, and Splunk Stream.", "known_false_positives": "As is common with many fraud-related searches, we are usually looking to attribute risk or synthesize relevant context with loosely written detections that simply detect anamoluous behavior.", "references": ["https://en.wikipedia.org/wiki/Session_ID", "https://en.wikipedia.org/wiki/Session_(computer_science)", "https://en.wikipedia.org/wiki/HTTP_cookie", "https://splunkbase.splunk.com/app/1809/"], "tags": {"name": "Web Fraud - Password Sharing Across Accounts", "analytic_story": ["Web Fraud Detection"], "asset_type": "account", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "http_content_type", "uri"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "web_fraud___password_sharing_across_accounts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/web_fraud___password_sharing_across_accounts.yml", "source": "deprecated"}, {"name": "Windows connhost exe started forcefully", "id": "c114aaca-68ee-41c2-ad8c-32bf21db8769", "version": 1, "date": "2020-11-06", "author": "Rod Soto, Jose Hernandez, Splunk", "type": "TTP", "status": "deprecated", "description": "The search looks for the Console Window Host process (connhost.exe) executed using the force flag -ForceV1. This is not regular behavior in the Windows OS and is often seen executed by the Ryuk Ransomware. DEPRECATED This event is actually seen in the windows 10 client of attack_range_local. After further testing we realized this is not specific to Ryuk. ", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE Processes.process=\"*C:\\\\Windows\\\\system32\\\\conhost.exe* 0xffffffff *-ForceV1*\" by Processes.user Processes.process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_connhost_exe_started_forcefully_filter`", "how_to_implement": "You must be ingesting data that records the process-system activity from your hosts to populate the Endpoint Processes data-model object. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.", "known_false_positives": "This process should not be ran forcefully, we have not see any false positives for this detection", "references": [], "tags": {"name": "Windows connhost exe started forcefully", "analytic_story": ["Ryuk Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "tbd", "mitre_attack_id": ["T1059.003"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_connhost_exe_started_forcefully_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/windows_connhost_exe_started_forcefully.yml", "source": "deprecated", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows hosts file modification", "id": "06a6fc63-a72d-41dc-8736-7e3dd9612116", "version": 1, "date": "2018-11-02", "author": "Rico Valdez, Splunk", "type": "TTP", "status": "deprecated", "description": "The search looks for modifications to the hosts file on all Windows endpoints across your environment.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.file_path Filesystem.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | search Filesystem.file_name=hosts AND Filesystem.file_path=*Windows\\\\System32\\\\* | `drop_dm_object_name(Filesystem)` | `windows_hosts_file_modification_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records the file-system activity from your hosts to populate the Endpoint.Filesystem data model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or by other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes.", "known_false_positives": "There may be legitimate reasons for system administrators to add entries to this file.", "references": [], "tags": {"name": "Windows hosts file modification", "analytic_story": ["Host Redirection"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_hosts_file_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/windows_hosts_file_modification.yml", "source": "deprecated", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "3CX Supply Chain Attack Network Indicators", "id": "791b727c-deec-4fbe-a732-756131b3c5a1", "version": 1, "date": "2023-03-30", "author": "Michael Haag, Splunk", "type": "TTP", "status": "experimental", "description": "The analytic provided below employs the Network_Resolution datamodel to detect domain indicators associated with the 3CX supply chain attack. By leveraging this query, you can efficiently conduct retrospective analysis of your data to uncover potential compromises.", "data_source": [], "search": "| tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) as firstTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name(DNS)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | lookup 3cx_ioc_domains domain as query OUTPUT Description isIOC | search isIOC=true | `3cx_supply_chain_attack_network_indicators_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information into the `Network Resolution` datamodel in the `DNS` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA''s are installed.", "known_false_positives": "False positives will be present for accessing the 3cx[.]com website. Remove from the lookup as needed.", "references": ["https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/", "https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp", "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/", "https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898", "https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/"], "tags": {"name": "3CX Supply Chain Attack Network Indicators", "analytic_story": ["3CX Supply Chain Attack"], "asset_type": "Network", "cis20": ["CIS 13"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Delivery"], "message": "Indicators related to 3CX supply chain attack have been identified on $src$.", "mitre_attack_id": ["T1195.002"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}, {"name": "query", "type": "URL String", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["DNS.src", "DNS.query", "_time"], "risk_score": 100, "security_domain": "network", "risk_severity": "high", "cve": ["CVE-2023-29059"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1195.002", "mitre_attack_technique": "Compromise Software Supply Chain", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT41", "Cobalt Group", "Dragonfly", "GOLD SOUTHFIELD", "Sandworm Team", "Threat Group-3390"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.002/3CX/3cx_network-windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Network_Resolution"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "3cx_supply_chain_attack_network_indicators_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "3cx_ioc_domains", "description": "A list of domains from the 3CX supply chain attack.", "filename": "3cx_ioc_domains.csv", "default_match": "false", "match_type": "WILDCARD(domain)", "min_matches": 1, "case_sensitive_match": "false"}], "cve_enrichment": [{"id": "CVE-2023-29059", "cvss": null, "summary": "3CX DesktopApp through 18.12.416 has embedded malicious code, as exploited in the wild in March 2023. This affects versions 18.12.407 and 18.12.416 of the 3CX DesktopApp Electron Windows application shipped in Update 7, and versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 of the 3CX DesktopApp Electron macOS application."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/3cx_supply_chain_attack_network_indicators.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "7zip CommandLine To SMB Share Path", "id": "01d29b48-ff6f-11eb-b81e-acde48001122", "version": 1, "date": "2021-08-17", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "This search is to detect a suspicious 7z process with commandline pointing to SMB network share. This technique was seen in CONTI LEAK tools where it use 7z to archive a sensitive files and place it in network share tmp folder. This search is a good hunting query that may give analyst a hint why specific user try to archive a file pointing to SMB user which is un usual.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name =\"7z.exe\" OR Processes.process_name = \"7za.exe\" OR Processes.original_file_name = \"7z.exe\" OR Processes.original_file_name = \"7za.exe\") AND (Processes.process=\"*\\\\C$\\\\*\" OR Processes.process=\"*\\\\Admin$\\\\*\" OR Processes.process=\"*\\\\IPC$\\\\*\") by Processes.original_file_name Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.parent_process_id Processes.process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `7zip_commandline_to_smb_share_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed 7z.exe may be used.", "known_false_positives": "unknown", "references": ["https://threadreaderapp.com/thread/1423361119926816776.html"], "tags": {"name": "7zip CommandLine To SMB Share Path", "analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "archive process $process_name$ with suspicious cmdline $process$ in host $dest$", "mitre_attack_id": ["T1560.001", "T1560"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "Turla", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/conti/conti_leak/windows-sysmon_7z.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "7zip_commandline_to_smb_share_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/7zip_commandline_to_smb_share_path.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Access LSASS Memory for Dump Creation", "id": "fb4c31b0-13e8-4155-8aa5-24de4b8d6717", "version": 2, "date": "2019-12-06", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "Detect memory dumping of the LSASS process.", "data_source": ["Sysmon Event ID 1"], "search": "`sysmon` EventCode=10 TargetImage=*lsass.exe CallTrace=*dbgcore.dll* OR CallTrace=*dbghelp.dll* | stats count min(_time) as firstTime max(_time) as lastTime by Computer, TargetImage, TargetProcessId, SourceImage, SourceProcessId | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `access_lsass_memory_for_dump_creation_filter` ", "how_to_implement": "This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10 for lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "Administrators can create memory dumps for debugging purposes, but memory dumps of the LSASS process would be unusual.", "references": ["https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf"], "tags": {"name": "Access LSASS Memory for Dump Creation", "analytic_story": ["Credential Dumping"], "asset_type": "Windows", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "process $SourceImage$ injected into $TargetImage$ and was attempted dump LSASS on $dest$. Adversaries tend to do this when trying to accesss credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).", "mitre_attack_id": ["T1003.001", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "TargetImage", "type": "Process", "role": ["Target"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "TargetImage", "CallTrace", "Computer", "TargetProcessId", "SourceImage", "SourceProcessId"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "access_lsass_memory_for_dump_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/access_lsass_memory_for_dump_creation.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Account Discovery With Net App", "id": "339805ce-ac30-11eb-b87d-acde48001122", "version": 4, "date": "2023-01-04", "author": "Teoderick Contreras, Splunk, TheLawsOfChaos, Github Community", "type": "TTP", "status": "production", "description": "This search is to detect a potential account discovery series of command used by several malware or attack to recon the target machine. This technique is also seen in some note worthy malware like trickbot where it runs a cmd process, or even drop its module that will execute the said series of net command. This series of command are good correlation search and indicator of attacker recon if seen in the machines within a none technical user or department (HR, finance, ceo and etc) network.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND (Processes.process=\"* user *\" OR Processes.process=\"*config*\" OR Processes.process=\"*view /all*\") by Processes.process_name Processes.dest Processes.user Processes.parent_process_name | where count >=4 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `account_discovery_with_net_app_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product..", "known_false_positives": "Admin or power user may used this series of command.", "references": ["https://labs.vipre.com/trickbot-and-its-modules/", "https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/", "https://app.any.run/tasks/48414a33-3d66-4a46-afe5-c2003bb55ccf/"], "tags": {"name": "Account Discovery With Net App", "analytic_story": ["Trickbot", "IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Exploitation"], "message": "Suspicious $process_name$ usage detected on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1087.002", "T1087"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/infection/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "account_discovery_with_net_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/account_discovery_with_net_app.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Active Directory Lateral Movement Identified", "id": "6aa6f9dd-adfe-45a8-8f74-c4c7a0d7d037", "version": 1, "date": "2023-04-19", "author": "Michael Haag, Splunk", "type": "Correlation", "status": "production", "description": "The primary objective of this correlation rule is to detect and alert on potential lateral movement activities within an organization's Active Directory (AD) environment. By identifying multiple analytics associated with the Active Directory Lateral Movement analytic story, security analysts can gain better insight into possible threats and respond accordingly to mitigate risks. The correlation rule will trigger an alert when multiple analytics from the Active Directory Lateral Movement analytic story are detected within a specified time frame. The rule will generate an alert if a predetermined threshold of correlated analytics is reached within the specified time frame. This threshold can be customized to suit the needs and risk appetite of the organization.", "data_source": [], "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories=\"Active Directory Lateral Movement\" All_Risk.risk_object_type=\"system\" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `active_directory_lateral_movement_identified_filter`", "how_to_implement": "Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased as the analytic story includes over 30 analytics. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance.", "known_false_positives": "False positives will most likely be present based on risk scoring and how the organization handles system to system communication. Filter, or modify as needed. In addition to count by analytics, adding a risk score may be useful. In our testing, with 22 events over 30 days, the risk scores ranged from 500 to 80,000. Your organization will be different, monitor and modify as needed.", "references": ["https://attack.mitre.org/tactics/TA0008/", "https://research.splunk.com/stories/active_directory_lateral_movement/"], "tags": {"name": "Active Directory Lateral Movement Identified", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "Activity related to lateral movement has been identified on $risk_object$.", "mitre_attack_id": ["T1210"], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["All_Risk.calculated_risk_score", "All_Risk.annotations.mitre_attack.mitre_tactic_id", "All_Risk.annotations.mitre_attack.mitre_technique_id", "All_Risk.tag", "All_Risk.analyticstories", "All_Risk.risk_object_type", "All_Risk.risk_object", "All_Risk.annotations.mitre_attack.mitre_tactic"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "atomic_guid": [], "mitre_attack_enrichments": [{"mitre_attack_id": "T1210", "mitre_attack_technique": "Exploitation of Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "Dragonfly", "Earth Lusca", "FIN7", "Fox Kitten", "MuddyWater", "Threat Group-3390", "Tonto Team", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1218/living_off_the_land/adlm_risk.log", "source": "adlm", "sourcetype": "stash"}]}], "datamodel": ["Risk"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "active_directory_lateral_movement_identified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/active_directory_lateral_movement_identified.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Active Directory Privilege Escalation Identified", "id": "583e8a68-f2f7-45be-8fc9-bf725f0e22fd", "version": 1, "date": "2023-05-23", "author": "Mauricio Velazco, Splunk", "type": "Correlation", "status": "production", "description": "The primary objective of this correlation rule is to detect and alert on potential privilege escalation activities within an organization's Active Directory (AD) environment. By identifying multiple analytics associated with the Active Directory Privilege Escalation analytic story, security analysts can gain better insight into possible threats and respond accordingly to mitigate risks. The correlation rule will trigger an alert when multiple analytics from the Active Directory Privilege Escalation analytic story are detected within a specified time frame. The rule will generate an alert if a predetermined threshold of correlated analytics is reached within the specified time frame. This threshold can be customized to suit the needs and risk appetite of the organization.", "data_source": [], "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories=\"Active Directory Privilege Escalation\" All_Risk.risk_object_type=\"system\" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `active_directory_privilege_escalation_identified_filter`", "how_to_implement": "Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased as the analytic story includes over 30 analytics. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance.", "known_false_positives": "False positives will most likely be present based on risk scoring and how the organization handles system to system communication. Filter, or modify as needed. In addition to count by analytics, adding a risk score may be useful. In our testing, with 22 events over 30 days, the risk scores ranged from 500 to 80,000. Your organization will be different, monitor and modify as needed.", "references": ["https://attack.mitre.org/tactics/TA0004/", "https://research.splunk.com/stories/active_directory_privilege_escalation/"], "tags": {"name": "Active Directory Privilege Escalation Identified", "analytic_story": ["Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "Activity related to privilege escalation has been identified on $risk_object$.", "mitre_attack_id": ["T1484"], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["All_Risk.calculated_risk_score", "All_Risk.annotations.mitre_attack.mitre_tactic_id", "All_Risk.annotations.mitre_attack.mitre_technique_id", "All_Risk.tag", "All_Risk.analyticstories", "All_Risk.risk_object_type", "All_Risk.risk_object", "All_Risk.annotations.mitre_attack.mitre_tactic"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "atomic_guid": [], "mitre_attack_enrichments": [{"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1484/privesc/priv_esc.log", "source": "adlm", "sourcetype": "stash"}]}], "datamodel": ["Risk"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "active_directory_privilege_escalation_identified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/active_directory_privilege_escalation_identified.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Active Setup Registry Autostart", "id": "f64579c0-203f-11ec-abcc-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to detect a suspicious modification of the active setup registry for persistence and privilege escalation. This technique was seen in several malware (poisonIvy), adware and APT to gain persistence to the compromised machine upon boot up. This TTP is a good indicator to further check the process id that do the modification since modification of this registry is not commonly done. check the legitimacy of the file and process involve in this rules to check if it is a valid setup installer that creating or modifying this registry.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_value_name= \"StubPath\" Registry.registry_path = \"*\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `active_setup_registry_autostart_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "Active setup installer may add or modify this registry.", "references": ["https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor%3AWin32%2FPoisonivy.E", "https://attack.mitre.org/techniques/T1547/014/"], "tags": {"name": "Active Setup Registry Autostart", "analytic_story": ["Data Destruction", "Windows Privilege Escalation", "Hermetic Wiper", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "modified/added/deleted registry entry $Registry.registry_path$ in $dest$", "mitre_attack_id": ["T1547.014", "T1547"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.014", "mitre_attack_technique": "Active Setup", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/t1547.014/active_setup_stubpath/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "active_setup_registry_autostart_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/active_setup_registry_autostart.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Add DefaultUser And Password In Registry", "id": "d4a3eb62-0f1e-11ec-a971-acde48001122", "version": 4, "date": "2023-03-29", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "this search is to detect a suspicious registry modification to implement auto admin logon to a host. This technique was seen in BlackMatter ransomware to automatically logon to the compromise host after triggering a safemode boot to continue encrypting the whole network. This behavior is not a common practice and really a suspicious TTP or alert need to be consider if found within then network premise.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon*\" AND Registry.registry_value_name= DefaultPassword OR Registry.registry_value_name= DefaultUserName) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `add_defaultuser_and_password_in_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "references": ["https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/"], "tags": {"name": "Add DefaultUser And Password In Registry", "analytic_story": ["BlackMatter Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "modified registry key $registry_key_name$ with registry value $registry_value_name$ to prepare autoadminlogon", "mitre_attack_id": ["T1552.002", "T1552"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1552.002", "mitre_attack_technique": "Credentials in Registry", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT32"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.002/autoadminlogon/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "add_defaultuser_and_password_in_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/add_defaultuser_and_password_in_registry.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Add or Set Windows Defender Exclusion", "id": "773b66fe-4dd9-11ec-8289-acde48001122", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic will identify a suspicious process command-line related to Windows Defender exclusion feature. This command is abused by adversaries, malware authors and red teams to bypass Windows Defender Antivirus products by excluding folder path, file path, process and extensions. From its real time or schedule scan to execute their malicious code. This is a good indicator for defense evasion and to look further for events after this behavior.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process = \"*Add-MpPreference *\" OR Processes.process = \"*Set-MpPreference *\") AND Processes.process=\"*-exclusion*\" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `add_or_set_windows_defender_exclusion_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Admin or user may choose to use this windows features. Filter as needed.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html", "https://app.any.run/tasks/cf1245de-06a7-4366-8209-8e3006f2bfe5/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"name": "Add or Set Windows Defender Exclusion", "analytic_story": ["CISA AA22-320A", "AgentTesla", "Remcos", "Windows Defense Evasion Tactics", "Data Destruction", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "exclusion command $process$ executed on $dest$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "add_or_set_windows_defender_exclusion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/add_or_set_windows_defender_exclusion.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "AdsiSearcher Account Discovery", "id": "de7fcadc-04f3-11ec-a241-acde48001122", "version": 2, "date": "2023-04-14", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain users for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*[adsisearcher]*\" ScriptBlockText = \"*objectcategory=user*\" ScriptBlockText = \"*.findAll()*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Computer ScriptBlockText UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `adsisearcher_account_discovery_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1087/002/", "https://www.blackhillsinfosec.com/red-blue-purple/", "https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/"], "tags": {"name": "AdsiSearcher Account Discovery", "analytic_story": ["Data Destruction", "Active Directory Discovery", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "powershell process having commandline $Message$ for user enumeration", "mitre_attack_id": ["T1087.002", "T1087"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Message", "ComputerName", "User"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/adsisearcher_powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "adsisearcher_account_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/adsisearcher_account_discovery.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Allow File And Printing Sharing In Firewall", "id": "ce27646e-d411-11eb-8a00-acde48001122", "version": 2, "date": "2021-06-23", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious modification of firewall to allow file and printer sharing. This technique was seen in ransomware to be able to discover more machine connected to the compromised host to encrypt more files", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process= \"*firewall*\" Processes.process= \"*group=\\\"File and Printer Sharing\\\"*\" Processes.process=\"*enable=Yes*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_file_and_printing_sharing_in_firewall_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "network admin may modify this firewall feature that may cause this rule to be triggered.", "references": ["https://community.fortinet.com:443/t5/FortiEDR/How-FortiEDR-detects-and-blocks-Revil-Ransomware-aka-sodinokibi/ta-p/189638?externalID=FD52469", "https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/"], "tags": {"name": "Allow File And Printing Sharing In Firewall", "analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "", "mitre_attack_id": ["T1562.007", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_netsh", "definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "allow_file_and_printing_sharing_in_firewall_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Allow Inbound Traffic By Firewall Rule Registry", "id": "0a46537c-be02-11eb-92ca-acde48001122", "version": 5, "date": "2023-03-29", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic detects a potential suspicious modification of firewall rule registry allowing inbound traffic in specific port with public profile. This technique was identified when an adversary wants to grant remote access to a machine by allowing the traffic in a firewall rule.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\System\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\FirewallRules\\\\*\" Registry.registry_value_data = \"*|Action=Allow|*\" Registry.registry_value_data = \"*|Dir=In|*\" Registry.registry_value_data = \"*|LPort=*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_inbound_traffic_by_firewall_rule_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "network admin may add/remove/modify public inbound firewall rule that may cause this rule to be triggered.", "references": ["https://docs.microsoft.com/en-us/powershell/module/netsecurity/new-netfirewallrule?view=windowsserver2019-ps"], "tags": {"name": "Allow Inbound Traffic By Firewall Rule Registry", "analytic_story": ["Prohibited Traffic Allowed or Protocol Mismatch", "Windows Registry Abuse", "Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Suspicious firewall allow rule modifications were detected via the registry on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1021.001", "T1021"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/honeypots/casper/datasets1/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "allow_inbound_traffic_by_firewall_rule_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Allow Inbound Traffic In Firewall Rule", "id": "a5d85486-b89c-11eb-8267-acde48001122", "version": 1, "date": "2021-05-19", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies suspicious PowerShell command to allow inbound traffic inbound to a specific local port within the public profile. This technique was seen in some attacker want to have a remote access to a machine by allowing the traffic in firewall rule.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 Message = \"*firewall*\" Message = \"*Inbound*\" Message = \"*Allow*\" Message = \"*-LocalPort*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_inbound_traffic_in_firewall_rule_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event.", "known_false_positives": "administrator may allow inbound traffic in certain network or machine.", "references": ["https://docs.microsoft.com/en-us/powershell/module/netsecurity/new-netfirewallrule?view=windowsserver2019-ps"], "tags": {"name": "Allow Inbound Traffic In Firewall Rule", "analytic_story": ["Prohibited Traffic Allowed or Protocol Mismatch"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 10, "kill_chain_phases": ["Exploitation"], "message": "Suspicious firewall modification detected on endpoint $ComputerName$ by user $user$.", "mitre_attack_id": ["T1021.001", "T1021"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "ComputerName", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Message", "ComputerName", "User"], "risk_score": 3, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/honeypots/casper/datasets1/windows-powershell.log", "source": "WinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "allow_inbound_traffic_in_firewall_rule_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/allow_inbound_traffic_in_firewall_rule.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Allow Network Discovery In Firewall", "id": "ccd6a38c-d40b-11eb-85a5-acde48001122", "version": 2, "date": "2021-06-23", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious modification to the firewall to allow network discovery on a machine. This technique was seen in couple of ransomware (revil, reddot) to discover other machine connected to the compromised host to encrypt more files.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process= \"*firewall*\" Processes.process= \"*group=\\\"Network Discovery\\\"*\" Processes.process=\"*enable*\" Processes.process=\"*Yes*\" by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_network_discovery_in_firewall_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "network admin may modify this firewall feature that may cause this rule to be triggered.", "references": ["https://community.fortinet.com:443/t5/FortiEDR/How-FortiEDR-detects-and-blocks-Revil-Ransomware-aka-sodinokibi/ta-p/189638?externalID=FD52469", "https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/"], "tags": {"name": "Allow Network Discovery In Firewall", "analytic_story": ["Ransomware", "Revil Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "", "mitre_attack_id": ["T1562.007", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_netsh", "definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "allow_network_discovery_in_firewall_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/allow_network_discovery_in_firewall.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Allow Operation with Consent Admin", "id": "7de17d7a-c9d8-11eb-a812-acde48001122", "version": 4, "date": "2023-03-29", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies a potential privilege escalation attempt to perform malicious task. This registry modification is designed to allow the `Consent Admin` to perform an operation that requires elevation without consent or credentials. We also found this in some attacker to gain privilege escalation to the compromise machine.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System*\" Registry.registry_value_name = ConsentPromptBehaviorAdmin Registry.registry_value_data = \"0x00000000\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_operation_with_consent_admin_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "references": ["https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/341747f5-6b5d-4d30-85fc-fa1cc04038d4", "https://www.trendmicro.com/vinfo/no/threat-encyclopedia/malware/Ransom.Win32.MRDEC.MRA/"], "tags": {"name": "Allow Operation with Consent Admin", "analytic_story": ["Ransomware", "Windows Registry Abuse", "Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Suspicious registry modification was performed on endpoint $dest$ by user $user$. This behavior is indicative of privilege escalation.", "mitre_attack_id": ["T1548"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data1/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "allow_operation_with_consent_admin_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/allow_operation_with_consent_admin.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Anomalous usage of 7zip", "id": "9364ee8e-a39a-11eb-8f1d-acde48001122", "version": 1, "date": "2021-04-22", "author": "Michael Haag, Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following detection identifies a 7z.exe spawned from `Rundll32.exe` or `Dllhost.exe`. It is assumed that the adversary has brought in `7z.exe` and `7z.dll`. It has been observed where an adversary will rename `7z.exe`. Additional coverage may be required to identify the behavior of renamed instances of `7z.exe`. During triage, identify the source of injection into `Rundll32.exe` or `Dllhost.exe`. Capture any files written to disk and analyze as needed. Review parallel processes for additional behaviors. Typically, archiving files will result in exfiltration.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"rundll32.exe\", \"dllhost.exe\") Processes.process_name=*7z* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `anomalous_usage_of_7zip_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "False positives should be limited as this behavior is not normal for `rundll32.exe` or `dllhost.exe` to spawn and run 7zip.", "references": ["https://attack.mitre.org/techniques/T1560/001/", "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/"], "tags": {"name": "Anomalous usage of 7zip", "analytic_story": ["Cobalt Strike", "NOBELIUM Group"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. This behavior is indicative of suspicious loading of 7zip.", "mitre_attack_id": ["T1560.001", "T1560"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.parent_process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "Turla", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "anomalous_usage_of_7zip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/anomalous_usage_of_7zip.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Any Powershell DownloadFile", "id": "1a93b7ea-7af7-11eb-adb5-acde48001122", "version": 3, "date": "2023-04-14", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of PowerShell downloading a file using `DownloadFile` method. This particular method is utilized in many different PowerShell frameworks to download files and output to disk. Identify the source (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell transaction logs are available, review for further details of the implant.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*DownloadFile* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `any_powershell_downloadfile_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present and filtering will need to occur by parent process or command line argument. It may be required to modify this query to an EDR product for more granular coverage.", "references": ["https://docs.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-5.0", "https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"], "tags": {"name": "Any Powershell DownloadFile", "analytic_story": ["DarkCrystal RAT", "Ingress Tool Transfer", "Hermetic Wiper", "Malicious PowerShell", "Data Destruction", "Log4Shell CVE-2021-44228"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Installation", "Command And Control"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. This behavior identifies the use of DownloadFile within PowerShell.", "mitre_attack_id": ["T1059", "T1059.001", "T1105"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "cve": ["CVE-2021-44228"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "any_powershell_downloadfile_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-44228", "cvss": 9.3, "summary": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/any_powershell_downloadfile.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Any Powershell DownloadString", "id": "4d015ef2-7adf-11eb-95da-acde48001122", "version": 3, "date": "2023-04-05", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of PowerShell downloading a file using `DownloadString` method. This particular method is utilized in many different PowerShell frameworks to download files and output to disk. Identify the source (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell transaction logs are available, review for further details of the implant.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*.DownloadString* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `any_powershell_downloadstring_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present and filtering will need to occur by parent process or command line argument. It may be required to modify this query to an EDR product for more granular coverage.", "references": ["https://docs.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-5.0", "https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"name": "Any Powershell DownloadString", "analytic_story": ["Winter Vivern", "Ingress Tool Transfer", "Hermetic Wiper", "Malicious PowerShell", "HAFNIUM Group", "Data Destruction", "IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Installation", "Command And Control"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. This behavior identifies the use of DownloadString within PowerShell.", "mitre_attack_id": ["T1059", "T1059.001", "T1105"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "any_powershell_downloadstring_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/any_powershell_downloadstring.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Attacker Tools On Endpoint", "id": "a51bfe1a-94f0-48cc-b4e4-16a110145893", "version": 2, "date": "2021-11-04", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "This search looks for execution of commonly used attacker tools on an endpoint.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes where Processes.dest!=unknown Processes.user!=unknown by Processes.dest Processes.user Processes.process_name Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup attacker_tools attacker_tool_names AS process_name OUTPUT description | search description !=false| `attacker_tools_on_endpoint_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is usually generated via logs that report process tracking in your Windows audit settings.", "known_false_positives": "Some administrator activity can be potentially triggered, please add those users to the filter macro.", "references": [], "tags": {"name": "Attacker Tools On Endpoint", "analytic_story": ["Monitor for Unauthorized Software", "XMRig", "SamSam Ransomware", "Unusual Processes", "CISA AA22-264A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Reconnaissance"], "message": "An attacker tool $process_name$,listed in attacker_tools.csv is executed on host $dest$ by User $user$. This process $process_name$ is known to do- $description$", "mitre_attack_id": ["T1036.005", "T1036", "T1003", "T1595"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process", "Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.process_name", "Processes.parent_process"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036.005", "mitre_attack_technique": "Match Legitimate Name or Location", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT32", "APT39", "APT41", "Aoqin Dragon", "BRONZE BUTLER", "BackdoorDiplomacy", "Blue Mockingbird", "Carbanak", "Chimera", "Darkhotel", "Earth Lusca", "FIN7", "Ferocious Kitten", "Fox Kitten", "Gamaredon Group", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Poseidon Group", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "Sowbug", "TEMP.Veles", "TeamTNT", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1595", "mitre_attack_technique": "Active Scanning", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1595/attacker_scan_tools/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "attacker_tools_on_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "attacker_tools", "description": "A list of tools used by attackers", "filename": "attacker_tools.csv", "default_match": "false", "match_type": "WILDCARD(attacker_tool_names)", "min_matches": 1, "case_sensitive_match": "false"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/attacker_tools_on_endpoint.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Attempt To Add Certificate To Untrusted Store", "id": "6bc5243e-ef36-45dc-9b12-f4a6be131159", "version": 7, "date": "2021-09-16", "author": "Patrick Bareiss, Rico Valdez, Splunk", "type": "TTP", "status": "production", "description": "Attempt To Add Certificate To Untrusted Store", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process=*-addstore*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `attempt_to_add_certificate_to_untrusted_store_filter`", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "There may be legitimate reasons for administrators to add a certificate to the untrusted certificate store. In such cases, this will typically be done on a large number of systems.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"], "tags": {"name": "Attempt To Add Certificate To Untrusted Store", "analytic_story": ["Disabling Security Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified attempting to add a certificate to the store on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1553.004", "T1553"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.parent_process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1553.004", "mitre_attack_technique": "Install Root Certificate", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1553", "mitre_attack_technique": "Subvert Trust Controls", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Axiom"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.004/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_certutil", "definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "attempt_to_add_certificate_to_untrusted_store_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Attempt To Stop Security Service", "id": "c8e349c6-b97c-486e-8949-bd7bcd1f3910", "version": 4, "date": "2023-04-14", "author": "Rico Valdez, Splunk", "type": "TTP", "status": "production", "description": "This search looks for attempts to stop security-related services on the endpoint.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name = sc.exe Processes.process=\"* stop *\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |lookup security_services_lookup service as process OUTPUTNEW category, description | search category=security | `attempt_to_stop_security_service_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "None identified. Attempts to disable security-related services should be identified and understood.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-14---disable-arbitrary-security-windows-service", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"name": "Attempt To Stop Security Service", "analytic_story": ["Azorult", "Trickbot", "Disabling Security Tools", "Data Destruction", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable security services on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_defend_service_stop/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "attempt_to_stop_security_service_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "security_services_lookup", "description": "A list of services that deal with security", "filename": "security_services.csv", "default_match": "false", "match_type": "WILDCARD(service)", "min_matches": 1}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/attempt_to_stop_security_service.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Attempted Credential Dump From Registry via Reg exe", "id": "e9fb4a59-c5fb-440a-9f24-191fbc6b2911", "version": 7, "date": "2023-04-14", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "Monitor for execution of reg.exe with parameters specifying an export of keys that contain hashed credentials that attackers may try to crack offline.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=reg* OR Processes.process_name=cmd* Processes.process=*save* (Processes.process=*HKEY_LOCAL_MACHINE\\\\Security* OR Processes.process=*HKEY_LOCAL_MACHINE\\\\SAM* OR Processes.process=*HKEY_LOCAL_MACHINE\\\\System* OR Processes.process=*HKLM\\\\Security* OR Processes.process=*HKLM\\\\System* OR Processes.process=*HKLM\\\\SAM*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `attempted_credential_dump_from_registry_via_reg_exe_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "None identified.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets"], "tags": {"name": "Attempted Credential Dump From Registry via Reg exe", "analytic_story": ["Industroyer2", "Windows Registry Abuse", "Credential Dumping", "DarkSide Ransomware", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to export the registry keys.", "mitre_attack_id": ["T1003.002", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}, {"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/crowdstrike_falcon.log", "source": "crowdstrike", "sourcetype": "crowdstrike:events:sensor"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "attempted_credential_dump_from_registry_via_reg_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Auto Admin Logon Registry Entry", "id": "1379d2b8-0f18-11ec-8ca3-acde48001122", "version": 4, "date": "2023-04-11", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "this search is to detect a suspicious registry modification to implement auto admin logon to a host. This technique was seen in BlackMatter ransomware to automatically logon to the compromise host after triggering a safemode boot to continue encrypting the whole network. This behavior is not a common practice and really a suspicious TTP or alert need to be consider if found within then network premise.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon*\" AND Registry.registry_value_name=AutoAdminLogon AND Registry.registry_value_data=1) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `auto_admin_logon_registry_entry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "references": ["https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/"], "tags": {"name": "Auto Admin Logon Registry Entry", "analytic_story": ["BlackMatter Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "modified registry key $registry_key_name$ with registry value $registry_value_name$ to prepare autoadminlogon", "mitre_attack_id": ["T1552.002", "T1552"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1552.002", "mitre_attack_technique": "Credentials in Registry", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT32"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.002/autoadminlogon/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "auto_admin_logon_registry_entry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/auto_admin_logon_registry_entry.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Batch File Write to System32", "id": "503d17cb-9eab-4cf8-a20e-01d5c6987ae3", "version": 4, "date": "2023-4-11", "author": "Steven Dick, Michael Haag, Rico Valdez, Splunk", "type": "TTP", "status": "production", "description": "The search looks for a batch file (.bat) written to the Windows system directory tree.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=* by _time span=1h Processes.process_guid Processes.process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\system32\\\\*\", \"*\\\\syswow64\\\\*\") Filesystem.file_name=\"*.bat\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)`] | table dest user file_create_time, file_name, file_path, process_name, firstTime, lastTime | dedup file_create_time | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `batch_file_write_to_system32_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "It is possible for this search to generate a notable event for a batch file write to a path that includes the string \"system32\", but is not the actual Windows system directory. As such, you should confirm the path of the batch file identified by the search. In addition, a false positive may be generated by an administrator copying a legitimate batch file in this directory tree. You should confirm that the activity is legitimate and modify the search to add exclusions, as necessary.", "references": [], "tags": {"name": "Batch File Write to System32", "analytic_story": ["SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "message": "A file - $file_name$ was written to system32 has occurred on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1204", "T1204.002"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.dest", "Filesystem.file_create_time", "Filesystem.file_name", "Filesystem.user", "Filesystem.file_path", "Processes.process_name", "Processes.dest", "Filesystem.process_guid", "Processes.process_guid", "Processes.dest", "Processes.process_name"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/batch_file_in_system32/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "batch_file_write_to_system32_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/batch_file_write_to_system32.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Bcdedit Command Back To Normal Mode Boot", "id": "dc7a8004-0f18-11ec-8c54-acde48001122", "version": 1, "date": "2021-09-06", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious bcdedit commandline to configure the host from safe mode back to normal boot configuration. This technique was seen in blackMatter ransomware where it force the compromised host to boot in safe mode to continue its encryption and bring back to normal boot using bcdedit deletevalue command. This TTP can be a good alert for host that booted from safe mode forcefully since it need to modify the boot configuration to bring it back to normal.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = bcdedit.exe Processes.process=\"*/deletevalue*\" Processes.process=\"*{current}*\" Processes.process=\"*safeboot*\" by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bcdedit_command_back_to_normal_mode_boot_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "unknown", "references": ["https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/"], "tags": {"name": "Bcdedit Command Back To Normal Mode Boot", "analytic_story": ["BlackMatter Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "message": "bcdedit process with commandline $process$ to bring back to normal boot configuration the $dest$", "mitre_attack_id": ["T1490"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.parent_process_name", "Processes.parent_process", "Processes.dest", "Processes.user"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.002/autoadminlogon/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "bcdedit_command_back_to_normal_mode_boot_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "BCDEdit Failure Recovery Modification", "id": "809b31d2-5462-11eb-ae93-0242ac130002", "version": 1, "date": "2020-12-21", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "This search looks for flags passed to bcdedit.exe modifications to the built-in Windows error recovery boot configurations. This is typically used by ransomware to prevent recovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = bcdedit.exe Processes.process=\"*recoveryenabled*\" (Processes.process=\"* no*\") by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bcdedit_failure_recovery_modification_filter`", "how_to_implement": "You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. Tune based on parent process names.", "known_false_positives": "Administrators may modify the boot configuration.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-4---windows---disable-windows-recovery-console-repair"], "tags": {"name": "BCDEdit Failure Recovery Modification", "analytic_story": ["Ryuk Ransomware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "kill_chain_phases": ["Actions on Objectives"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting disable the ability to recover the endpoint.", "mitre_attack_id": ["T1490"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.parent_process_name", "Processes.dest", "Processes.user"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "bcdedit_failure_recovery_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/bcdedit_failure_recovery_modification.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "BITS Job Persistence", "id": "e97a5ffe-90bf-11eb-928a-acde48001122", "version": 2, "date": "2021-09-16", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following query identifies Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` scheduling a BITS job to persist on an endpoint. The query identifies the parameters used to create, resume or add a file to a BITS job. Typically seen combined in a oneliner or ran in sequence. If identified, review the BITS job created and capture any files written to disk. It is possible for BITS to be used to upload files and this may require further network data analysis to identify. You can use `bitsadmin /list /verbose` to list out the jobs during investigation.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_bitsadmin` Processes.process IN (*create*, *addfile*, *setnotifyflags*, *setnotifycmdline*, *setminretrydelay*, *setcustomheaders*, *resume* ) by Processes.dest Processes.user Processes.original_file_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bits_job_persistence_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Limited false positives will be present. Typically, applications will use `BitsAdmin.exe`. Any filtering should be done based on command-line arguments (legitimate applications) or parent process.", "references": ["https://attack.mitre.org/techniques/T1197/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md#atomic-test-3---persist-download--execute", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/"], "tags": {"name": "BITS Job Persistence", "analytic_story": ["BITS Jobs", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to persist using BITS.", "mitre_attack_id": ["T1197"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1197", "mitre_attack_technique": "BITS Jobs", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT39", "APT41", "Leviathan", "Patchwork"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}, {"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/crowdstrike_falcon.log", "source": "crowdstrike", "sourcetype": "crowdstrike:events:sensor"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_bitsadmin", "definition": "(Processes.process_name=bitsadmin.exe OR Processes.original_file_name=bitsadmin.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "bits_job_persistence_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/bits_job_persistence.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "BITSAdmin Download File", "id": "80630ff4-8e4c-11eb-aab5-acde48001122", "version": 3, "date": "2022-11-29", "author": "Michael Haag, Sittikorn S", "type": "TTP", "status": "production", "description": "The following query identifies Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` using the `transfer` parameter to download a remote object. In addition, look for `download` or `upload` on the command-line, the switches are not required to perform a transfer. Capture any files downloaded. Review the reputation of the IP or domain used. Typically once executed, a follow on command will be used to execute the dropped file. Note that the network connection or file modification events related will not spawn or create from `bitsadmin.exe`, but the artifacts will appear in a parallel process of `svchost.exe` with a command-line similar to `svchost.exe -k netsvcs -s BITS`. It's important to review all parallel and child processes to capture any behaviors and artifacts. In some suspicious and malicious instances, BITS jobs will be created. You can use `bitsadmin /list /verbose` to list out the jobs during investigation.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_bitsadmin` Processes.process IN (\"*transfer*\", \"*addfile*\") by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bitsadmin_download_file_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Limited false positives, however it may be required to filter based on parent process name or network connection.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/8eb52117b748d378325f7719554a896e37bccec7/atomics/T1105/T1105.md#atomic-test-9---windows---bitsadmin-bits-download", "https://github.com/redcanaryco/atomic-red-team/blob/bc705cb7aaa5f26f2d96585fac8e4c7052df0ff9/atomics/T1197/T1197.md", "https://docs.microsoft.com/en-us/windows/win32/bits/bitsadmin-tool", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/"], "tags": {"name": "BITSAdmin Download File", "analytic_story": ["Ingress Tool Transfer", "BITS Jobs", "DarkSide Ransomware", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation", "Command And Control"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a file.", "mitre_attack_id": ["T1197", "T1105"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1197", "mitre_attack_technique": "BITS Jobs", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT39", "APT41", "Leviathan", "Patchwork"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}, {"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/crowdstrike_falcon.log", "source": "crowdstrike", "sourcetype": "crowdstrike:events:sensor"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_bitsadmin", "definition": "(Processes.process_name=bitsadmin.exe OR Processes.original_file_name=bitsadmin.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "bitsadmin_download_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/bitsadmin_download_file.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "CertUtil Download With URLCache and Split Arguments", "id": "415b4306-8bfb-11eb-85c4-acde48001122", "version": 3, "date": "2022-02-03", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "Certutil.exe may download a file from a remote destination using `-urlcache`. This behavior does require a URL to be passed on the command-line. In addition, `-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for `certutil.exe` to contact public IP space. However, it is uncommon for `certutil.exe` to write files to world writeable paths.\\ During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process=*urlcache* Processes.process=*split*) OR Processes.process=*urlcache* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.original_file_name Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_download_with_urlcache_and_split_arguments_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Limited false positives in most environments, however tune as needed based on parent-child relationship or network connection.", "references": ["https://attack.mitre.org/techniques/T1105/", "https://www.avira.com/en/blog/certutil-abused-by-attackers-to-spread-threats", "https://web.archive.org/web/20210921110637/https://www.fireeye.com/blog/threat-research/2019/10/certutil-qualms-they-came-to-drop-fombs.html"], "tags": {"name": "CertUtil Download With URLCache and Split Arguments", "analytic_story": ["Ingress Tool Transfer", "DarkSide Ransomware", "Living Off The Land", "ProxyNotShell", "CISA AA22-277A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Command And Control"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a file.", "mitre_attack_id": ["T1105"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_certutil", "definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "certutil_download_with_urlcache_and_split_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "CertUtil Download With VerifyCtl and Split Arguments", "id": "801ad9e4-8bfb-11eb-8b31-acde48001122", "version": 3, "date": "2022-02-03", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "Certutil.exe may download a file from a remote destination using `-VerifyCtl`. This behavior does require a URL to be passed on the command-line. In addition, `-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for `certutil.exe` to contact public IP space. \\ During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question. Using `-VerifyCtl`, the file will either be written to the current working directory or `%APPDATA%\\..\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\`. ", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process=*verifyctl* Processes.process=*split*) OR Processes.process=*verifyctl* by Processes.dest Processes.user Processes.original_file_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_download_with_verifyctl_and_split_arguments_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Limited false positives in most environments, however tune as needed based on parent-child relationship or network connection.", "references": ["https://attack.mitre.org/techniques/T1105/", "https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)#-verifyctl", "https://www.avira.com/en/blog/certutil-abused-by-attackers-to-spread-threats"], "tags": {"name": "CertUtil Download With VerifyCtl and Split Arguments", "analytic_story": ["Ingress Tool Transfer", "DarkSide Ransomware", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Command And Control"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a file.", "mitre_attack_id": ["T1105"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_certutil", "definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "certutil_download_with_verifyctl_and_split_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Certutil exe certificate extraction", "id": "337a46be-600f-11eb-ae93-0242ac130002", "version": 2, "date": "2022-07-15", "author": "Rod Soto, Splunk", "type": "TTP", "status": "production", "description": "This search looks for arguments to certutil.exe indicating the manipulation or extraction of Certificate. This certificate can then be used to sign new authentication tokens specially inside Federated environments such as Windows ADFS.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=certutil.exe Processes.process = \"*-exportPFX*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_exe_certificate_extraction_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Unless there are specific use cases, manipulating or exporting certificates using certutil is uncommon. Extraction of certificate has been observed during attacks such as Golden SAML and other campaigns targeting Federated services.", "references": ["https://blog.sygnia.co/detection-and-hunting-of-golden-saml-attack", "https://strontic.github.io/xcyclopedia/library/certutil.exe-09A8A29BAA3A451713FD3D07943B4A43.html"], "tags": {"name": "Certutil exe certificate extraction", "analytic_story": ["Windows Persistence Techniques", "Cloud Federated Credential Abuse", "Living Off The Land", "Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": [], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting export a certificate.", "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/certutil_exe_certificate_extraction/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "certutil_exe_certificate_extraction_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/certutil_exe_certificate_extraction.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "CertUtil With Decode Argument", "id": "bfe94226-8c10-11eb-a4b3-acde48001122", "version": 2, "date": "2021-03-23", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "CertUtil.exe may be used to `encode` and `decode` a file, including PE and script code. Encoding will convert a file to base64 with `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` tags. Malicious usage will include decoding a encoded file that was downloaded. Once decoded, it will be loaded by a parallel process. Note that there are two additional command switches that may be used - `encodehex` and `decodehex`. Similarly, the file will be encoded in HEX and later decoded for further execution. During triage, identify the source of the file being decoded. Review its contents or execution behavior for further analysis.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` Processes.process=*decode* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_with_decode_argument_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Typically seen used to `encode` files, but it is possible to see legitimate use of `decode`. Filter based on parent-child relationship, file paths, endpoint or user.", "references": ["https://attack.mitre.org/techniques/T1140/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://www.bleepingcomputer.com/news/security/certutilexe-could-allow-attackers-to-download-malware-while-bypassing-av/"], "tags": {"name": "CertUtil With Decode Argument", "analytic_story": ["Deobfuscate-Decode Files or Information", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to decode a file.", "mitre_attack_id": ["T1140"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1140", "mitre_attack_technique": "Deobfuscate/Decode Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT39", "BRONZE BUTLER", "Darkhotel", "Earth Lusca", "Gamaredon Group", "Gorgon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Molerats", "MuddyWater", "OilRig", "Rocke", "Sandworm Team", "TA505", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "WIRTE", "ZIRCONIUM", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1140/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_certutil", "definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "certutil_with_decode_argument_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/certutil_with_decode_argument.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Change Default File Association", "id": "462d17d8-1f71-11ec-ad07-acde48001122", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is developed to detect suspicious registry modification to change the default file association of windows to malicious payload. This technique was seen in some APT where it modify the default process to run file association, like .txt to notepad.exe. Instead notepad.exe it will point to a Script or other payload that will load malicious commands to the compromised host.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path =\"*\\\\shell\\\\open\\\\command\\\\*\" Registry.registry_path = \"*HKCR\\\\*\" by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `change_default_file_association_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "unknown", "references": ["https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/privilege-escalation/untitled-3/accessibility-features"], "tags": {"name": "Change Default File Association", "analytic_story": ["Hermetic Wiper", "Windows Registry Abuse", "Prestige Ransomware", "Windows Privilege Escalation", "Windows Persistence Techniques", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "modified/added/deleted registry entry $Registry.registry_path$ in $dest$", "mitre_attack_id": ["T1546.001", "T1546"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.user", "Registry.registry_path", "Registry.registry_key_name", "Registry.registry_value_name"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.001/txtfile_reg/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "change_default_file_association_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/change_default_file_association.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Change To Safe Mode With Network Config", "id": "81f1dce0-0f18-11ec-a5d7-acde48001122", "version": 1, "date": "2021-09-06", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious bcdedit commandline to configure the host to boot in safe mode with network config. This technique was seen in blackMatter ransomware where it force the compromised host to boot in safe mode to continue its encryption and bring back to normal boot using bcdedit deletevalue command. This TTP can be a good alert for host that booted from safe mode forcefully since it need to modify the boot configuration to bring it back to normal.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = bcdedit.exe Processes.process=\"*/set*\" Processes.process=\"*{current}*\" Processes.process=\"*safeboot*\" Processes.process=\"*network*\" by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `change_to_safe_mode_with_network_config_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "unknown", "references": ["https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/"], "tags": {"name": "Change To Safe Mode With Network Config", "analytic_story": ["BlackMatter Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "message": "bcdedit process with commandline $process$ to force safemode boot the $dest$", "mitre_attack_id": ["T1490"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.parent_process_name", "Processes.parent_process", "Processes.dest", "Processes.user"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.002/autoadminlogon/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "change_to_safe_mode_with_network_config_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/change_to_safe_mode_with_network_config.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "CHCP Command Execution", "id": "21d236ec-eec1-11eb-b23e-acde48001122", "version": 1, "date": "2021-07-27", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect execution of chcp.exe application. this utility is used to change the active code page of the console. This technique was seen in icedid malware to know the locale region/language/country of the compromise host.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=chcp.com Processes.parent_process_name = cmd.exe (Processes.parent_process=*/c* OR Processes.parent_process=*/k*) by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `chcp_command_execution_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed chcp.com may be used.", "known_false_positives": "other tools or script may used this to change code page to UTF-* or others", "references": ["https://ss64.com/nt/chcp.html", "https://twitter.com/tccontre18/status/1419941156633329665?s=20"], "tags": {"name": "CHCP Command Execution", "analytic_story": ["IcedID", "Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Installation"], "message": "parent process $parent_process_name$ spawning chcp process $process_name$ with parent command line $parent_process$", "mitre_attack_id": ["T1059"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "process_name", "process", "parent_process_name", "parent_process", "process_id", "parent_process_id", "dest", "user"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "chcp_command_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/chcp_command_execution.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Check Elevated CMD using whoami", "id": "a9079b18-1633-11ec-859c-acde48001122", "version": 1, "date": "2021-09-15", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious whoami execution to check if the cmd or shell instance process is with elevated privileges. This technique was seen in FIN7 js implant where it execute this as part of its data collection to the infected machine to check if the running shell cmd process is elevated or not. This TTP is really a good alert for known attacker that recon on the targetted host. This command is not so commonly executed by a normal user or even an admin to check if a process is elevated.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*whoami*\" Processes.process = \"*/group*\" Processes.process = \"* find *\" Processes.process = \"*12288*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `check_elevated_cmd_using_whoami_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "unknown", "references": [], "tags": {"name": "Check Elevated CMD using whoami", "analytic_story": ["FIN7"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Process name $process_name$ with commandline $process$ in $dest$", "mitre_attack_id": ["T1033"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process_id", "Processes.process", "Processes.dest", "Processes.user"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Windshift", "Wizard Spider", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_js_2/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "check_elevated_cmd_using_whoami_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/check_elevated_cmd_using_whoami.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Child Processes of Spoolsv exe", "id": "aa0c4aeb-5b18-41c4-8c07-f1442d7599df", "version": 3, "date": "2023-04-14", "author": "Rico Valdez, Splunk", "type": "TTP", "status": "experimental", "description": "This search looks for child processes of spoolsv.exe. This activity is associated with a POC privilege-escalation exploit associated with CVE-2018-8440. Spoolsv.exe is the process associated with the Print Spooler service in Windows and typically runs as SYSTEM.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=spoolsv.exe AND Processes.process_name!=regsvr32.exe by Processes.dest Processes.parent_process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `child_processes_of_spoolsv_exe_filter` ", "how_to_implement": "You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the \"process\" field in the Endpoint data model. Update the `children_of_spoolsv_filter` macro to filter out legitimate child processes spawned by spoolsv.exe.", "known_false_positives": "Some legitimate printer-related processes may show up as children of spoolsv.exe. You should confirm that any activity as legitimate and may be added as exclusions in the search.", "references": [], "tags": {"name": "Child Processes of Spoolsv exe", "analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1068"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.parent_process_name", "Processes.process_name", "Processes.dest", "Processes.parent_process", "Processes.user"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2018-8440"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "child_processes_of_spoolsv_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2018-8440", "cvss": 7.2, "summary": "An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC), aka \"Windows ALPC Elevation of Privilege Vulnerability.\" This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/child_processes_of_spoolsv_exe.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Clear Unallocated Sector Using Cipher App", "id": "cd80a6ac-c9d9-11eb-8839-acde48001122", "version": 1, "date": "2021-06-10", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "this search is to detect execution of `cipher.exe` to clear the unallocated sectors of a specific disk. This technique was seen in some ransomware to make it impossible to forensically recover deleted files.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"cipher.exe\" Processes.process = \"*/w:*\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `clear_unallocated_sector_using_cipher_app_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "administrator may execute this app to manage disk", "references": ["https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3/", "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-ransomware-behavior-report.pdf"], "tags": {"name": "Clear Unallocated Sector Using Cipher App", "analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to clear the unallocated sectors of a specific disk.", "mitre_attack_id": ["T1070.004", "T1070"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data1/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "clear_unallocated_sector_using_cipher_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/clear_unallocated_sector_using_cipher_app.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Clop Common Exec Parameter", "id": "5a8a2a72-8322-11eb-9ee9-acde48001122", "version": 1, "date": "2021-03-17", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytics are designed to identifies some CLOP ransomware variant that using arguments to execute its main code or feature of its code. In this variant if the parameter is \"runrun\", CLOP ransomware will try to encrypt files in network shares and if it is \"temp.dat\", it will try to read from some stream pipe or file start encrypting files within the infected local machines. This technique can be also identified as an anti-sandbox technique to make its code non-responsive since it is waiting for some parameter to execute properly.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as cmdline values(Processes.parent_process_name) as parent_process values(Processes.process_name) count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name != \"*temp.dat*\" Processes.process = \"*runrun*\" OR Processes.process = \"*temp.dat*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `clop_common_exec_parameter_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Operators can execute third party tools using these parameters.", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html"], "tags": {"name": "Clop Common Exec Parameter", "analytic_story": ["Clop Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Installation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting using arguments to execute its main code or feature of its code related to Clop ransomware.", "mitre_attack_id": ["T1204"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_b/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "clop_common_exec_parameter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/clop_common_exec_parameter.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Clop Ransomware Known Service Name", "id": "07e08a12-870c-11eb-b5f9-acde48001122", "version": 1, "date": "2021-03-17", "author": "Teoderick Contreras", "type": "TTP", "status": "production", "description": "This detection is to identify the common service name created by the CLOP ransomware as part of its persistence and high privilege code execution in the infected machine. Ussually CLOP ransomware use StartServiceCtrlDispatcherW API in creating this service entry.", "data_source": ["Sysmon Event ID 7"], "search": "`wineventlog_system` EventCode=7045 Service_Name IN (\"SecurityCenterIBM\", \"WinCheckDRVs\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Service_File_Name Service_Name Service_Start_Type Service_Type | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `clop_ransomware_known_service_name_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.", "known_false_positives": "unknown", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html"], "tags": {"name": "Clop Ransomware Known Service Name", "analytic_story": ["Clop Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Installation", "Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ executing known Clop Ransomware service names.", "mitre_attack_id": ["T1543"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["EventCode", "cmdline", "_time", "parent_process_name", "process_name", "OriginalFileName", "process_path"], "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "clop_ransomware_known_service_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/clop_ransomware_known_service_name.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "CMD Carry Out String Command Parameter", "id": "54a6ed00-3256-11ec-b031-acde48001122", "version": 3, "date": "2023-04-05", "author": "Teoderick Contreras, Bhavin Patel, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` AND Processes.process=\"* /c *\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmd_carry_out_string_command_parameter_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be high based on legitimate scripted code in any environment. Filter as needed.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"name": "CMD Carry Out String Command Parameter", "analytic_story": ["ProxyNotShell", "Qakbot", "Winter Vivern", "DarkCrystal RAT", "AsyncRAT", "Log4Shell CVE-2021-44228", "Hermetic Wiper", "Chaos Ransomware", "IcedID", "WhisperGate", "Data Destruction", "Living Off The Land", "Azorult", "Data Destruction"], "asset_type": "Endpoint", "automated_detection_testing": "passed", "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Installation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting spawn a new process.", "mitre_attack_id": ["T1059.003", "T1059"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process_id", "Processes.process", "Processes.dest", "Processes.user", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2021-44228"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/cmd_carry_str_param/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "cmd_carry_out_string_command_parameter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-44228", "cvss": 9.3, "summary": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/cmd_carry_out_string_command_parameter.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "CMD Echo Pipe - Escalation", "id": "eb277ba0-b96b-11eb-b00e-acde48001122", "version": 2, "date": "2021-05-20", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies a common behavior by Cobalt Strike and other frameworks where the adversary will escalate privileges, either via `jump` (Cobalt Strike PTH) or `getsystem`, using named-pipe impersonation. A suspicious event will look like `cmd.exe /c echo 4sgryt3436 > \\\\.\\Pipe\\5erg53`.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` OR Processes.process=*%comspec%* (Processes.process=*echo* AND Processes.process=*pipe*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmd_echo_pipe___escalation_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Unknown. It is possible filtering may be required to ensure fidelity.", "references": ["https://redcanary.com/threat-detection-report/threats/cobalt-strike/", "https://github.com/rapid7/meterpreter/blob/master/source/extensions/priv/server/elevate/namedpipe.c"], "tags": {"name": "CMD Echo Pipe - Escalation", "analytic_story": ["Cobalt Strike"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ potentially performing privilege escalation using named pipes related to Cobalt Strike and other frameworks.", "mitre_attack_id": ["T1059", "T1059.003", "T1543.003", "T1543"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "cmd_echo_pipe___escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/cmd_echo_pipe___escalation.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Cmdline Tool Not Executed In CMD Shell", "id": "6c3f7dd8-153c-11ec-ac2d-acde48001122", "version": 2, "date": "2022-10-27", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = \"ipconfig.exe\" OR Processes.process_name = \"systeminfo.exe\" OR Processes.process_name = \"net.exe\" OR Processes.process_name = \"net1.exe\" OR Processes.process_name = \"arp.exe\" OR Processes.process_name = \"nslookup.exe\" OR Processes.process_name = \"route.exe\" OR Processes.process_name = \"netstat.exe\" OR Processes.process_name = \"whoami.exe\") AND NOT (Processes.parent_process_name = \"cmd.exe\" OR Processes.parent_process_name = \"powershell*\" OR Processes.parent_process_name=\"pwsh.exe\" OR Processes.parent_process_name = \"explorer.exe\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmdline_tool_not_executed_in_cmd_shell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "A network operator or systems administrator may utilize an automated host discovery application that may generate false positives. Filter as needed.", "references": ["https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation", "https://attack.mitre.org/groups/G0046/", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"name": "Cmdline Tool Not Executed In CMD Shell", "analytic_story": ["FIN7", "Qakbot", "CISA AA22-277A", "Qakbot", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation"], "message": "A non-standard parent process $parent_process_name$ spawned child process $process_name$ to execute command-line tool on $dest$.", "mitre_attack_id": ["T1059", "T1059.007"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/jssloader/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "cmdline_tool_not_executed_in_cmd_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "CMLUA Or CMSTPLUA UAC Bypass", "id": "f87b5062-b405-11eb-a889-acde48001122", "version": 1, "date": "2021-05-13", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic detects a potential process using COM Object like CMLUA or CMSTPLUA to bypass UAC. This technique has been used by ransomware adversaries to gain administrative privileges to its running process.", "data_source": ["Sysmon Event ID 7"], "search": "`sysmon` EventCode=7 ImageLoaded IN (\"*\\\\CMLUA.dll\", \"*\\\\CMSTPLUA.dll\", \"*\\\\CMLUAUTIL.dll\") NOT(process_name IN(\"CMSTP.exe\", \"CMMGR32.exe\")) NOT(Image IN(\"*\\\\windows\\\\*\", \"*\\\\program files*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name Computer EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmlua_or_cmstplua_uac_bypass_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Legitimate windows application that are not on the list loading this dll. Filter as needed.", "references": ["https://attack.mitre.org/techniques/T1218/003/"], "tags": {"name": "CMLUA Or CMSTPLUA UAC Bypass", "analytic_story": ["DarkSide Ransomware", "Ransomware", "LockBit Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "The following module $ImageLoaded$ was loaded by a non-standard application on endpoint $Computer$ by user $user$.", "mitre_attack_id": ["T1218", "T1218.003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "ImageLoaded", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "ImageLoaded", "process_name", "Computer", "EventCode", "Signed", "ProcessId"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.003", "mitre_attack_technique": "CMSTP", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "MuddyWater"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/darkside_cmstp_com/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "cmlua_or_cmstplua_uac_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Cobalt Strike Named Pipes", "id": "5876d429-0240-4709-8b93-ea8330b411b5", "version": 2, "date": "2022-05-16", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of default or publicly known named pipes used with Cobalt Strike. A named pipe is a named, one-way or duplex pipe for communication between the pipe server and one or more pipe clients. Cobalt Strike uses named pipes in many ways and has default values used with the Artifact Kit and Malleable C2 Profiles. The following query assists with identifying these default named pipes. Each EDR product presents named pipes a little different. Consider taking the values and generating a query based on the product of choice. \\\nUpon triage, review the process performing the named pipe. If it is explorer.exe, It is possible it was injected into by another process. Review recent parallel processes to identify suspicious patterns or behaviors. A parallel process may have a network connection, review and follow the connection back to identify any file modifications.", "data_source": ["Sysmon Event ID 1"], "search": "`sysmon` EventID=17 OR EventID=18 PipeName IN (\\\\msagent_*, \\\\DserNamePipe*, \\\\srvsvc_*, \\\\postex_*, \\\\status_*, \\\\MSSE-*, \\\\spoolss_*, \\\\win_svc*, \\\\ntsvcs*, \\\\winsock*, \\\\UIA_PIPE*) | stats count min(_time) as firstTime max(_time) as lastTime by Computer, process_name, process_id process_path, PipeName | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cobalt_strike_named_pipes_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "The idea of using named pipes with Cobalt Strike is to blend in. Therefore, some of the named pipes identified and added may cause false positives. Filter by process name or pipe name to reduce false positives.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipes", "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/index.htm#cshid=1040", "https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/", "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752", "https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations"], "tags": {"name": "Cobalt Strike Named Pipes", "analytic_story": ["Cobalt Strike", "Trickbot", "DarkSide Ransomware", "LockBit Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $process_name$ was identified on endpoint $Computer$ by user $user$ accessing known suspicious named pipes related to Cobalt Strike.", "mitre_attack_id": ["T1055"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Parent Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventID", "PipeName", "Computer", "process_name", "process_path", "process_id"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "cobalt_strike_named_pipes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/cobalt_strike_named_pipes.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Common Ransomware Extensions", "id": "a9e5c5db-db11-43ca-86a8-c852d1b2c0ec", "version": 5, "date": "2022-11-10", "author": "David Dorsey, Michael Haag, Splunk, Steven Dick", "type": "Hunting", "status": "production", "description": "The search looks for file modifications with extensions commonly used by Ransomware", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime count latest(Filesystem.user) as user values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.dest _time span=1h | `drop_dm_object_name(Filesystem)` | rex field=file_name \"(?\\.[^\\.]+)$\" | rex field=file_path \"(?([^\\\\\\]*\\\\\\)*).*\" | stats min(firstTime) as firstTime max(lastTime) as lastTime latest(user) as user dc(true_file_path) as path_count dc(file_name) as file_count latest(file_name) as file_name latest(true_file_path) as file_path by dest file_extension | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `ransomware_extensions` | where path_count > 1 OR file_count > 20 | `common_ransomware_extensions_filter`", "how_to_implement": "You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint Filesystem data model node. To see the additional metadata, add the following fields, if not already present, please review the detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "It is possible for a legitimate file with these extensions to be created. If this is a true ransomware attack, there will be a large number of files created with these extensions.", "references": ["https://github.com/splunk/security_content/issues/2448"], "tags": {"name": "Common Ransomware Extensions", "analytic_story": ["SamSam Ransomware", "Ryuk Ransomware", "Ransomware", "Clop Ransomware", "Prestige Ransomware", "LockBit Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "message": "The device $dest$ wrote $file_count$ files to $path_count$ path(s) with the $file_extension$ extension. This extension and behavior may indicate a $Name$ ransomware attack.", "mitre_attack_id": ["T1485"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Victim"]}, {"name": "file_count", "type": "Other", "role": ["Other"]}, {"name": "path_count", "type": "Other", "role": ["Other"]}, {"name": "file_extension", "type": "Other", "role": ["Other"]}, {"name": "Name", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.user", "Filesystem.dest", "Filesystem.file_path", "Filesystem.file_name"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/ransomware_notes/ransom-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "ransomware_extensions", "definition": "lookup update=true ransomware_extensions_lookup Extensions AS file_extension OUTPUT Name | search Name !=False", "description": "This macro limits the output to files that have extensions associated with ransomware"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "common_ransomware_extensions_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/common_ransomware_extensions.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Common Ransomware Notes", "id": "ada0f478-84a8-4641-a3f1-d82362d6bd71", "version": 4, "date": "2020-11-09", "author": "David Dorsey, Splunk", "type": "Hunting", "status": "production", "description": "The search looks for files created with names matching those typically used in ransomware notes that tell the victim how to get their data back.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `ransomware_notes` | `common_ransomware_notes_filter`", "how_to_implement": "You must be ingesting data that records file-system activity from your hosts to populate the Endpoint Filesystem data-model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes.", "known_false_positives": "It's possible that a legitimate file could be created with the same name used by ransomware note files.", "references": [], "tags": {"name": "Common Ransomware Notes", "analytic_story": ["SamSam Ransomware", "Ransomware", "Ryuk Ransomware", "Clop Ransomware", "Chaos Ransomware", "LockBit Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "message": "A file - $file_name$ was written to disk on endpoint $dest$ by user $user$, this is indicative of a known ransomware note file and should be reviewed immediately.", "mitre_attack_id": ["T1485"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.user", "Filesystem.dest", "Filesystem.file_path", "Filesystem.file_name"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/ransomware_notes/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "ransomware_notes", "definition": "lookup ransomware_notes_lookup ransomware_notes as file_name OUTPUT status as \"Known Ransomware Notes\" | search \"Known Ransomware Notes\"=True", "description": "This macro limits the output to files that have been identified as a ransomware note"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "common_ransomware_notes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/common_ransomware_notes.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Conti Common Exec parameter", "id": "624919bc-c382-11eb-adcc-acde48001122", "version": 1, "date": "2021-06-02", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search detects the suspicious commandline argument of revil ransomware to encrypt specific or all local drive and network shares of the compromised machine or host.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*-m local*\" OR Processes.process = \"*-m net*\" OR Processes.process = \"*-m all*\" OR Processes.process = \"*-nomutex*\" by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `conti_common_exec_parameter_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "3rd party tool may have commandline parameter that can trigger this detection.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.conti"], "tags": {"name": "Conti Common Exec parameter", "analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ executing specific Conti Ransomware related parameters.", "mitre_attack_id": ["T1204"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/conti/inf1/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "conti_common_exec_parameter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/conti_common_exec_parameter.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Control Loading from World Writable Directory", "id": "10423ac4-10c9-11ec-8dc4-acde48001122", "version": 1, "date": "2021-09-08", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following detection identifies control.exe loading either a .cpl or .inf from a writable directory. This is related to CVE-2021-40444. During triage, review parallel processes, parent and child, for further suspicious behaviors. In addition, capture file modifications and analyze.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=control.exe OR Processes.original_file_name=CONTROL.EXE) AND Processes.process IN (\"*\\\\appdata\\\\*\", \"*\\\\windows\\\\temp\\\\*\", \"*\\\\programdata\\\\*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `control_loading_from_world_writable_directory_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Limited false positives will be present as control.exe does not natively load from writable paths as defined. One may add .cpl or .inf to the command-line if there is any false positives. Tune as needed.", "references": ["https://strontic.github.io/xcyclopedia/library/rundll32.exe-111474C61232202B5B588D2B512CBB25.html", "https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/", "https://attack.mitre.org/techniques/T1218/011/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.yaml"], "tags": {"name": "Control Loading from World Writable Directory", "analytic_story": ["Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a suspicious file from disk.", "mitre_attack_id": ["T1218", "T1218.002"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "cve": ["CVE-2021-40444"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.002", "mitre_attack_technique": "Control Panel", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Ember Bear"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.002/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "control_loading_from_world_writable_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-40444", "cvss": 6.8, "summary": "Microsoft MSHTML Remote Code Execution Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/control_loading_from_world_writable_directory.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Create local admin accounts using net exe", "id": "b89919ed-fe5f-492c-b139-151bb162040e", "version": 6, "date": "2021-09-08", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "This search looks for the creation of local administrator accounts using net.exe .", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process values(parent_process_name) as parent_process_name min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=net.exe OR Processes.process_name=net1.exe) AND Processes.process=*/add* AND (Processes.process=*administrators* OR Processes.process=*administratoren* OR Processes.process=*administrateurs* OR Processes.process=*administrador* OR Processes.process=*amministratori* OR Processes.process=*administratorer*) by Processes.process Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `create_local_admin_accounts_using_net_exe_filter`", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "Administrators often leverage net.exe to create admin accounts.", "references": [], "tags": {"name": "Create local admin accounts using net exe", "analytic_story": ["DHS Report TA18-074A", "Azorult", "CISA AA22-257A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": ["Installation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to add a user to the local Administrators group.", "mitre_attack_id": ["T1136.001", "T1136"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "Dragonfly", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "create_local_admin_accounts_using_net_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/create_local_admin_accounts_using_net_exe.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Create or delete windows shares using net exe", "id": "743a322c-9a68-4a0f-9c17-85d9cce2a27c", "version": 6, "date": "2020-09-16", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "This search looks for the creation or deletion of hidden shares using net.exe.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` by Processes.process Processes.process_name Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process=*share* | `create_or_delete_windows_shares_using_net_exe_filter` ", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators often leverage net.exe to create or delete network shares. You should verify that the activity was intentional and is legitimate.", "references": ["https://attack.mitre.org/techniques/T1070/005/"], "tags": {"name": "Create or delete windows shares using net exe", "analytic_story": ["Hidden Cobra Malware", "CISA AA22-277A", "Windows Post-Exploitation", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ enumerating Windows file shares.", "mitre_attack_id": ["T1070", "T1070.005"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.005", "mitre_attack_technique": "Network Share Connection Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Threat Group-3390"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.005/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "create_or_delete_windows_shares_using_net_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Create Remote Thread In Shell Application", "id": "10399c1e-f51e-11eb-b920-acde48001122", "version": 1, "date": "2021-08-04", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect suspicious process injection in command shell. This technique was seen in IcedID where it execute cmd.exe process to inject its shellcode as part of its execution as banking trojan. It is really uncommon to have a create remote thread execution in the following application.", "data_source": ["Sysmon Event ID 8"], "search": "`sysmon` EventCode=8 TargetImage IN (\"*\\\\cmd.exe\", \"*\\\\powershell*\") | stats count min(_time) as firstTime max(_time) as lastTime by TargetImage TargetProcessId SourceProcessId EventCode StartAddress SourceImage Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `create_remote_thread_in_shell_application_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "references": ["https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/"], "tags": {"name": "Create Remote Thread In Shell Application", "analytic_story": ["IcedID", "Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "process $SourceImage$ create a remote thread to shell app process $TargetImage$ in host $Computer$", "mitre_attack_id": ["T1055"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "SourceImage", "TargetImage", "TargetProcessId", "SourceProcessId", "StartAddress", "EventCode", "Computer"], "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "create_remote_thread_in_shell_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/create_remote_thread_in_shell_application.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Create Remote Thread into LSASS", "id": "67d4dbef-9564-4699-8da8-03a151529edc", "version": 1, "date": "2019-12-06", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "Detect remote thread creation into LSASS consistent with credential dumping.", "data_source": ["Sysmon Event ID 8"], "search": "`sysmon` EventID=8 TargetImage=*lsass.exe | stats count min(_time) as firstTime max(_time) as lastTime by Computer, EventCode, TargetImage, TargetProcessId | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `create_remote_thread_into_lsass_filter`", "how_to_implement": "This search needs Sysmon Logs with a Sysmon configuration, which includes EventCode 8 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "Other tools can access LSASS for legitimate reasons and generate an event. In these cases, tweaking the search may help eliminate noise.", "references": ["https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf"], "tags": {"name": "Create Remote Thread into LSASS", "analytic_story": ["Credential Dumping"], "asset_type": "Windows", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "A process has created a remote thread into $TargetImage$ on $dest$. This behavior is indicative of credential dumping and should be investigated.", "mitre_attack_id": ["T1003.001", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "TargetImage", "type": "Other", "role": ["Other"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventID", "TargetImage", "Computer", "EventCode", "TargetImage", "TargetProcessId", "dest"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "create_remote_thread_into_lsass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/create_remote_thread_into_lsass.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Creation of lsass Dump with Taskmgr", "id": "b2fbe95a-9c62-4c12-8a29-24b97e84c0cd", "version": 1, "date": "2020-02-03", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "Detect the hands on keyboard behavior of Windows Task Manager creating a process dump of lsass.exe. Upon this behavior occurring, a file write/modification will occur in the users profile under \\AppData\\Local\\Temp. The dump file, lsass.dmp, cannot be renamed, however if the dump occurs more than once, it will be named lsass (2).dmp.", "data_source": ["Sysmon Event ID 1"], "search": "`sysmon` EventID=11 process_name=taskmgr.exe TargetFilename=*lsass*.dmp | stats count min(_time) as firstTime max(_time) as lastTime by Computer, object_category, process_name, TargetFilename | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `creation_of_lsass_dump_with_taskmgr_filter`", "how_to_implement": "This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 11 for detecting file create of lsass.dmp. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "Administrators can create memory dumps for debugging purposes, but memory dumps of the LSASS process would be unusual.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md#atomic-test-5---dump-lsassexe-memory-using-windows-task-manager", "https://attack.mitre.org/techniques/T1003/001/", "https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf"], "tags": {"name": "Creation of lsass Dump with Taskmgr", "analytic_story": ["Credential Dumping", "CISA AA22-257A"], "asset_type": "Windows", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "$process_name$ was identified on endpoint $Computer$ writing $TargetFilename$ to disk. This behavior is related to dumping credentials via Task Manager.", "mitre_attack_id": ["T1003.001", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "TargetFilename", "type": "File Name", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventID", "process_name", "TargetFilename", "Computer", "object_category"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "creation_of_lsass_dump_with_taskmgr_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Creation of Shadow Copy", "id": "eb120f5f-b879-4a63-97c1-93352b5df844", "version": 1, "date": "2019-12-10", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "Monitor for signs that Vssadmin or Wmic has been used to create a shadow copy.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=vssadmin.exe Processes.process=*create* Processes.process=*shadow*) OR (Processes.process_name=wmic.exe Processes.process=*shadowcopy* Processes.process=*create*) by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `creation_of_shadow_copy_filter`", "how_to_implement": "You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints, to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "Legitimate administrator usage of Vssadmin or Wmic will create false positives.", "references": ["https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"], "tags": {"name": "Creation of Shadow Copy", "analytic_story": ["Credential Dumping", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to create a shadow copy to perform offline password cracking.", "mitre_attack_id": ["T1003.003", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}, {"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/crowdstrike_falcon.log", "source": "crowdstrike", "sourcetype": "crowdstrike:events:sensor"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "creation_of_shadow_copy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/creation_of_shadow_copy.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Creation of Shadow Copy with wmic and powershell", "id": "2ed8b538-d284-449a-be1d-82ad1dbd186b", "version": 3, "date": "2021-09-16", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "This search detects the use of wmic and Powershell to create a shadow copy.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` OR `process_powershell` Processes.process=*shadowcopy* Processes.process=*create* by Processes.user Processes.process_name Processes.original_file_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `creation_of_shadow_copy_with_wmic_and_powershell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Legtimate administrator usage of wmic to create a shadow copy.", "references": ["https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"], "tags": {"name": "Creation of Shadow Copy with wmic and powershell", "analytic_story": ["Credential Dumping", "Living Off The Land", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to create a shadow copy to perform offline password cracking.", "mitre_attack_id": ["T1003.003", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "creation_of_shadow_copy_with_wmic_and_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Credential Dumping via Copy Command from Shadow Copy", "id": "d8c406fe-23d2-45f3-a983-1abe7b83ff3b", "version": 2, "date": "2021-09-16", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "This search detects credential dumping using copy command from a shadow copy.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` (Processes.process=*\\\\system32\\\\config\\\\sam* OR Processes.process=*\\\\system32\\\\config\\\\security* OR Processes.process=*\\\\system32\\\\config\\\\system* OR Processes.process=*\\\\windows\\\\ntds\\\\ntds.dit*) by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `credential_dumping_via_copy_command_from_shadow_copy_filter` ", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "references": ["https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf"], "tags": {"name": "Credential Dumping via Copy Command from Shadow Copy", "analytic_story": ["Credential Dumping"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to copy SAM and NTDS.dit for offline password cracking.", "mitre_attack_id": ["T1003.003", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "credential_dumping_via_copy_command_from_shadow_copy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Credential Dumping via Symlink to Shadow Copy", "id": "c5eac648-fae0-4263-91a6-773df1f4c903", "version": 2, "date": "2021-09-16", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "This search detects the creation of a symlink to a shadow copy.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` Processes.process=*mklink* Processes.process=*HarddiskVolumeShadowCopy* by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `credential_dumping_via_symlink_to_shadow_copy_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "references": ["https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf"], "tags": {"name": "Credential Dumping via Symlink to Shadow Copy", "analytic_story": ["Credential Dumping"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to create symlink to a shadow copy to grab credentials.", "mitre_attack_id": ["T1003.003", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "credential_dumping_via_symlink_to_shadow_copy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "CSC Net On The Fly Compilation", "id": "ea73128a-43ab-11ec-9753-acde48001122", "version": 1, "date": "2021-11-12", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "this analytic is to detect a suspicious compile before delivery approach of .net compiler csc.exe. This technique was seen in several adversaries, malware and even in red teams to take advantage the csc.exe .net compiler tool to compile on the fly a malicious .net code to evade detection from security product. This is a good hunting query to check further the file or process created after this event and check the file path that passed to csc.exe which is the .net code. Aside from that, powershell is capable of using this compiler in executing .net code in a powershell script so filter on that case is needed.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_csc` Processes.process = \"*/noconfig*\" Processes.process = \"*/fullpaths*\" Processes.process = \"*@*\" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `csc_net_on_the_fly_compilation_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "A network operator or systems administrator may utilize an automated powershell script taht execute .net code that may generate false positive. filter is needed.", "references": ["https://app.any.run/tasks/ad4c3cda-41f2-4401-8dba-56cc2d245488/", "https://tccontre.blogspot.com/2019/06/maicious-macro-that-compile-c-code-as.html"], "tags": {"name": "CSC Net On The Fly Compilation", "analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "csc.exe with commandline $process$ to compile .net code on $dest$ by $user$", "mitre_attack_id": ["T1027.004", "T1027"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1027.004", "mitre_attack_technique": "Compile After Delivery", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Gamaredon Group", "MuddyWater", "Rocke"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/vilsel/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_csc", "definition": "(Processes.process_name=csc.exe OR Processes.original_file_name=csc.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "csc_net_on_the_fly_compilation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/csc_net_on_the_fly_compilation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Curl Download and Bash Execution", "id": "900bc324-59f3-11ec-9fb4-acde48001122", "version": 1, "date": "2021-12-10", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of curl on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl (Processes.process=\"*-s *\") OR (Processes.process=\"*|*\" AND Processes.process=\"*bash*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `curl_download_and_bash_execution_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon for Linux, you will need to ensure mapping is occurring correctly. If the EDR is not parsing the pipe bash in the command-line, modifying the analytic will be required. Add parent process name (Processes.parent_process_name) as needed to filter.", "known_false_positives": "False positives should be limited, however filtering may be required.", "references": ["https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java", "https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://gist.github.com/nathanqthai/01808c569903f41a52e7e7b575caa890"], "tags": {"name": "Curl Download and Bash Execution", "analytic_story": ["Ingress Tool Transfer", "Log4Shell CVE-2021-44228", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Command And Control"], "message": "An instance of $process_name$ was identified on endpoint $dest$ attempting to download a remote file and run it with bash.", "mitre_attack_id": ["T1105"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "cve": ["CVE-2021-44228"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/linux-sysmon_curlwget.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "curl_download_and_bash_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-44228", "cvss": 9.3, "summary": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/curl_download_and_bash_execution.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Delete ShadowCopy With PowerShell", "id": "5ee2bcd0-b2ff-11eb-bb34-acde48001122", "version": 2, "date": "2022-05-02", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This following analytic detects PowerShell command to delete shadow copy using the WMIC PowerShell module. This technique was seen used by a recent adversary to deploy DarkSide Ransomware where it executed a child process of PowerShell to execute a hex encoded command to delete shadow copy. This hex encoded command was able to be decrypted by PowerShell log.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText= \"*ShadowCopy*\" (ScriptBlockText = \"*Delete*\" OR ScriptBlockText = \"*Remove*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `delete_shadowcopy_with_powershell_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event.", "known_false_positives": "unknown", "references": ["https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations", "https://www.techtarget.com/searchwindowsserver/tutorial/Set-up-PowerShell-script-block-logging-for-added-security"], "tags": {"name": "Delete ShadowCopy With PowerShell", "analytic_story": ["DarkSide Ransomware", "Ransomware", "Revil Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "message": "An attempt to delete ShadowCopy was performed using PowerShell on $Computer$ by $User$.", "mitre_attack_id": ["T1490"], "nist": ["DE.CM"], "observable": [{"name": "UserID", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "delete_shadowcopy_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/delete_shadowcopy_with_powershell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Deleting Of Net Users", "id": "1c8c6f66-acce-11eb-aafb-acde48001122", "version": 2, "date": "2021-05-04", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic will detect a suspicious net.exe/net1.exe command-line to delete a user on a system. This technique may be use by an administrator for legitimate purposes, however this behavior has been used in the wild to impair some user or deleting adversaries tracks created during its lateral movement additional systems. During triage, review parallel processes for additional behavior. Identify any other user accounts created before or after.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process=\"*user*\" AND Processes.process=\"*/delete*\" by Processes.process_name Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `deleting_of_net_users_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "System administrators or scripts may delete user accounts via this technique. Filter as needed.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"name": "Deleting Of Net Users", "analytic_story": ["XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to delete accounts.", "mitre_attack_id": ["T1531"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "deleting_of_net_users_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/deleting_of_net_users.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Deleting Shadow Copies", "id": "b89919ed-ee5f-492c-b139-95dbb162039e", "version": 4, "date": "2020-11-09", "author": "David Dorsey, Splunk", "type": "TTP", "status": "production", "description": "The vssadmin.exe utility is used to interact with the Volume Shadow Copy Service. Wmic is an interface to the Windows Management Instrumentation. This search looks for either of these tools being used to delete shadow copies.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=vssadmin.exe OR Processes.process_name=wmic.exe) Processes.process=*delete* Processes.process=*shadow* by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `deleting_shadow_copies_filter`", "how_to_implement": "You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "vssadmin.exe and wmic.exe are standard applications shipped with modern versions of windows. They may be used by administrators to legitimately delete old backup copies, although this is typically rare.", "references": ["https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html"], "tags": {"name": "Deleting Shadow Copies", "analytic_story": ["Windows Log Manipulation", "SamSam Ransomware", "Ransomware", "Clop Ransomware", "CISA AA22-264A", "Prestige Ransomware", "Chaos Ransomware", "LockBit Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to delete shadow copies.", "mitre_attack_id": ["T1490"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "deleting_shadow_copies_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/deleting_shadow_copies.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect AzureHound Command-Line Arguments", "id": "26f02e96-c300-11eb-b611-acde48001122", "version": 1, "date": "2021-06-01", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the common command-line argument used by AzureHound `Invoke-AzureHound`. Being the script is FOSS, function names may be modified, but these changes are dependent upon the operator. In most instances the defaults are used. This analytic works to identify the common command-line attributes used. It does not cover the entirety of every argument in order to avoid false positives.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*invoke-azurehound*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_command_line_arguments_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Unknown.", "references": ["https://attack.mitre.org/software/S0521/", "https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors", "https://posts.specterops.io/introducing-bloodhound-4-0-the-azure-update-9b2b26c5e350", "https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/AzureHound.ps1"], "tags": {"name": "Detect AzureHound Command-Line Arguments", "analytic_story": ["Discovery Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ using AzureHound to enumerate AzureAD.", "mitre_attack_id": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "admin@338"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/sharphound/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_azurehound_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_azurehound_command_line_arguments.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect AzureHound File Modifications", "id": "1c34549e-c31b-11eb-996b-acde48001122", "version": 1, "date": "2021-06-01", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic is similar to SharpHound file modifications, but this instance covers the use of Invoke-AzureHound. AzureHound is the SharpHound equivilent but for Azure. It's possible this may never be seen in an environment as most attackers may execute this tool remotely. Once execution is complete, a zip file with a similar name will drop `20210601090751-azurecollection.zip`. In addition to the zip, multiple .json files will be written to disk, which are in the zip.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*-azurecollection.zip\", \"*-azprivroleadminrights.json\", \"*-azglobaladminrights.json\", \"*-azcloudappadmins.json\", \"*-azapplicationadmins.json\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_file_modifications_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on file modifications that include the name of the process, and file, responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "False positives should be limited as the analytic is specific to a filename with extension .zip. Filter as needed.", "references": ["https://posts.specterops.io/introducing-bloodhound-4-0-the-azure-update-9b2b26c5e350", "https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Collectors/AzureHound.ps1"], "tags": {"name": "Detect AzureHound File Modifications", "analytic_story": ["Discovery Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "A file - $file_name$ was written to disk that is related to AzureHound, a AzureAD enumeration utility, has occurred on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "file_path", "dest", "file_name", "process_id", "file_create_time"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "admin@338"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/sharphound/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_azurehound_file_modifications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_azurehound_file_modifications.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect Baron Samedit CVE-2021-3156", "id": "93fbec4e-0375-440c-8db3-4508eca470c4", "version": 1, "date": "2021-01-27", "author": "Shannon Davis, Splunk", "type": "TTP", "status": "experimental", "description": "This search detects the heap-based buffer overflow of sudoedit", "data_source": [], "search": "`linux_hosts` | search \"sudoedit -s \\\\\" | `detect_baron_samedit_cve_2021_3156_filter`", "how_to_implement": "Splunk Universal Forwarder running on Linux systems, capturing logs from the /var/log directory. The vulnerability is exposed when a non privledged user tries passing in a single \\ character at the end of the command while using the shell and edit flags.", "known_false_positives": "unknown", "references": [], "tags": {"name": "Detect Baron Samedit CVE-2021-3156", "analytic_story": ["Baron Samedit CVE-2021-3156"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1068"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2021-3156"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}]}, "datamodel": [], "macros": [{"name": "linux_hosts", "definition": "index=*", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_baron_samedit_cve_2021_3156_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-3156", "cvss": 7.2, "summary": "Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via \"sudoedit -s\" and a command-line argument that ends with a single backslash character."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_baron_samedit_cve_2021_3156.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Detect Baron Samedit CVE-2021-3156 Segfault", "id": "10f2bae0-bbe6-4984-808c-37dc1c67980d", "version": 1, "date": "2021-01-29", "author": "Shannon Davis, Splunk", "type": "TTP", "status": "experimental", "description": "This search detects the heap-based buffer overflow of sudoedit", "data_source": [], "search": "`linux_hosts` | search sudoedit segfault | stats count min(_time) as firstTime max(_time) as lastTime by host | search count > 5 | `detect_baron_samedit_cve_2021_3156_segfault_filter`", "how_to_implement": "Splunk Universal Forwarder running on Linux systems (tested on Centos and Ubuntu), where segfaults are being logged. This also captures instances where the exploit has been compiled into a binary. The detection looks for greater than 5 instances of sudoedit combined with segfault over your search time period on a single host", "known_false_positives": "If sudoedit is throwing segfaults for other reasons this will pick those up too.", "references": [], "tags": {"name": "Detect Baron Samedit CVE-2021-3156 Segfault", "analytic_story": ["Baron Samedit CVE-2021-3156"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1068"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "host"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2021-3156"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}]}, "datamodel": [], "macros": [{"name": "linux_hosts", "definition": "index=*", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_baron_samedit_cve_2021_3156_segfault_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-3156", "cvss": 7.2, "summary": "Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via \"sudoedit -s\" and a command-line argument that ends with a single backslash character."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_baron_samedit_cve_2021_3156_segfault.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Detect Baron Samedit CVE-2021-3156 via OSQuery", "id": "1de31d5d-8fa6-4ee0-af89-17069134118a", "version": 1, "date": "2021-01-28", "author": "Shannon Davis, Splunk", "type": "TTP", "status": "experimental", "description": "This search detects the heap-based buffer overflow of sudoedit", "data_source": [], "search": "`osquery_process` | search \"columns.cmdline\"=\"sudoedit -s \\\\*\" | `detect_baron_samedit_cve_2021_3156_via_osquery_filter`", "how_to_implement": "OSQuery installed and configured to pick up process events (info at https://osquery.io) as well as using the Splunk OSQuery Add-on https://splunkbase.splunk.com/app/4402. The vulnerability is exposed when a non privledged user tries passing in a single \\ character at the end of the command while using the shell and edit flags.", "known_false_positives": "unknown", "references": [], "tags": {"name": "Detect Baron Samedit CVE-2021-3156 via OSQuery", "analytic_story": ["Baron Samedit CVE-2021-3156"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1068"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "columns.cmdline"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2021-3156"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}]}, "datamodel": [], "macros": [{"name": "osquery_process", "definition": "eventtype=\"osquery-process\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_baron_samedit_cve_2021_3156_via_osquery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-3156", "cvss": 7.2, "summary": "Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via \"sudoedit -s\" and a command-line argument that ends with a single backslash character."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_baron_samedit_cve_2021_3156_via_osquery.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Detect Computer Changed with Anonymous Account", "id": "1400624a-d42d-484d-8843-e6753e6e3645", "version": 1, "date": "2020-09-18", "author": "Rod Soto, Jose Hernandez, Splunk", "type": "Hunting", "status": "experimental", "description": "This search looks for Event Code 4742 (Computer Change) or EventCode 4624 (An account was successfully logged on) with an anonymous account.", "data_source": ["Windows Security 4624"], "search": "`wineventlog_security` EventCode=4624 OR EventCode=4742 TargetUserName=\"ANONYMOUS LOGON\" LogonType=3 | stats count values(host) as host, values(TargetDomainName) as Domain, values(user) as user | `detect_computer_changed_with_anonymous_account_filter`", "how_to_implement": "This search requires audit computer account management to be enabled on the system in order to generate Event ID 4742. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Event Logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "None thus far found", "references": ["https://www.lares.com/blog/from-lares-labs-defensive-guidance-for-zerologon-cve-2020-1472/"], "tags": {"name": "Detect Computer Changed with Anonymous Account", "analytic_story": ["Detect Zerologon Attack"], "asset_type": "Windows", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "The following $EventCode$ occurred on $dest$ by $user$ with Logon Type 3, which may be indicative of the an account or group being changed by an anonymous account.", "mitre_attack_id": ["T1210"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "EventCode", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "TargetUserName", "LogonType", "TargetDomainName", "user"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2020-1472"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1210", "mitre_attack_technique": "Exploitation of Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "Dragonfly", "Earth Lusca", "FIN7", "Fox Kitten", "MuddyWater", "Threat Group-3390", "Tonto Team", "Wizard Spider", "menuPass"]}]}, "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_computer_changed_with_anonymous_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2020-1472", "cvss": 9.3, "summary": "An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon Elevation of Privilege Vulnerability'."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_computer_changed_with_anonymous_account.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Detect Copy of ShadowCopy with Script Block Logging", "id": "9251299c-ea5b-11eb-a8de-acde48001122", "version": 1, "date": "2021-07-21", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \\\nThis analytic identifies `copy` or `[System.IO.File]::Copy` being used to capture the SAM, SYSTEM or SECURITY hives identified in script block. This will catch the most basic use cases for credentials being taken for offline cracking. \\\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 Message IN (\"*copy*\",\"*[System.IO.File]::Copy*\") AND Message IN (\"*System32\\\\config\\\\SAM*\", \"*System32\\\\config\\\\SYSTEM*\",\"*System32\\\\config\\\\SECURITY*\") | stats count min(_time) as firstTime max(_time) as lastTime by OpCode ComputerName User EventCode Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_copy_of_shadowcopy_with_script_block_logging_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Limited false positives as the scope is limited to SAM, SYSTEM and SECURITY hives.", "references": ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934", "https://github.com/GossiTheDog/HiveNightmare", "https://github.com/JumpsecLabs/Guidance-Advice/tree/main/SAM_Permissions"], "tags": {"name": "Detect Copy of ShadowCopy with Script Block Logging", "analytic_story": ["Credential Dumping"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "PowerShell was identified running a script to capture the SAM hive on endpoint $ComputerName$ by user $user$.", "mitre_attack_id": ["T1003.002", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "ComputerName", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Message", "OpCode", "ComputerName", "User", "EventCode"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "cve": ["CVE-2021-36934"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/serioussam/windows-powershell.log", "source": "WinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "wineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_copy_of_shadowcopy_with_script_block_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-36934", "cvss": 4.6, "summary": "Windows Elevation of Privilege Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_copy_of_shadowcopy_with_script_block_logging.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Detect Credential Dumping through LSASS access", "id": "2c365e57-4414-4540-8dc0-73ab10729996", "version": 3, "date": "2019-12-03", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "This search looks for reading lsass memory consistent with credential dumping.", "data_source": ["Sysmon Event ID 1"], "search": "`sysmon` EventCode=10 TargetImage=*lsass.exe (GrantedAccess=0x1010 OR GrantedAccess=0x1410) | stats count min(_time) as firstTime max(_time) as lastTime by Computer, SourceImage, SourceProcessId, TargetImage, TargetProcessId, EventCode, GrantedAccess | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_credential_dumping_through_lsass_access_filter` ", "how_to_implement": "This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 10 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "The activity may be legitimate. Other tools can access lsass for legitimate reasons, and it's possible this event could be generated in those cases. In these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise.", "references": [], "tags": {"name": "Detect Credential Dumping through LSASS access", "analytic_story": ["Credential Dumping", "Detect Zerologon Attack"], "asset_type": "Windows", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "The $source_image$ has attempted access to read $TargetImage$ was identified on endpoint $Computer$, this is indicative of credential dumping and should be investigated.", "mitre_attack_id": ["T1003.001", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "source_image", "type": "Other", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "TargetImage", "type": "Other", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "TargetImage", "GrantedAccess", "Computer", "SourceImage", "SourceProcessId", "TargetImage", "TargetProcessId"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_credential_dumping_through_lsass_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_credential_dumping_through_lsass_access.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Detect Empire with PowerShell Script Block Logging", "id": "bc1dc6b8-c954-11eb-bade-acde48001122", "version": 2, "date": "2023-04-14", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \\\nThis analytic identifies the common PowerShell stager used by PowerShell-Empire. Each stager that may use PowerShell all uses the same pattern. The initial HTTP will be base64 encoded and use `system.net.webclient`. Note that some obfuscation may evade the analytic. \\\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (ScriptBlockText=*system.net.webclient* AND ScriptBlockText=*frombase64string*) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_empire_with_powershell_script_block_logging_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives may only pertain to it not being related to Empire, but another framework. Filter as needed if any applications use the same pattern.", "references": ["https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://github.com/BC-SECURITY/Empire", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"name": "Detect Empire with PowerShell Script Block Logging", "analytic_story": ["Malicious PowerShell", "Hermetic Wiper", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Installation"], "message": "The following behavior was identified and typically related to PowerShell-Empire on $Computer$ by $UserID$.", "mitre_attack_id": ["T1059", "T1059.001"], "nist": ["DE.CM"], "observable": [{"name": "UserID", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/empire.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_empire_with_powershell_script_block_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_empire_with_powershell_script_block_logging.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Detect Excessive Account Lockouts From Endpoint", "id": "c026e3dd-7e18-4abb-8f41-929e836efe74", "version": 6, "date": "2022-08-25", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "production", "description": "This search identifies endpoints that have caused a relatively high number of account lockouts in a short period.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Changes.user) as user from datamodel=Change.All_Changes where All_Changes.result=\"*locked out*\" by All_Changes.dest All_Changes.result |`drop_dm_object_name(\"All_Changes\")` |`drop_dm_object_name(\"Account_Management\")`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search count > 5 | `detect_excessive_account_lockouts_from_endpoint_filter`", "how_to_implement": "You must ingest your Windows security event logs in the `Change` datamodel under the nodename is `Account_Management`, for this search to execute successfully. Please consider updating the cron schedule and the count of lockouts you want to monitor, according to your environment. \\\n **Splunk>Phantom Playbook Integration**\\\nIf Splunk>Phantom is also configured in your environment, a Playbook called \"Excessive Account Lockouts Enrichment and Response\" can be configured to run when any results are found by this detection search. The Playbook executes the Contextual and Investigative searches in this Story, conducts additional information gathering on Windows endpoints, and takes a response action to shut down the affected endpoint. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, add the correct hostname to the \"Phantom Instance\" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active. \\\n(Playbook Link:`https://my.phantom.us/4.1/playbook/excessive-account-lockouts-enrichment-and-response/`).\\\n", "known_false_positives": "It's possible that a widely used system, such as a kiosk, could cause a large number of account lockouts.", "references": [], "tags": {"name": "Detect Excessive Account Lockouts From Endpoint", "analytic_story": ["Account Monitoring and Controls"], "asset_type": "Windows", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "Multiple accounts have been locked out. Review $dest$ and results related to $user$.", "mitre_attack_id": ["T1078", "T1078.002"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.user", "nodename", "All_Changes.result", "All_Changes.dest"], "risk_score": 36, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "Chimera", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/account_lockout/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/account_lockout/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog", "update_timestamp": true}]}], "datamodel": ["Change"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_excessive_account_lockouts_from_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_excessive_account_lockouts_from_endpoint.yml", "source": "endpoint"}, {"name": "Detect Excessive User Account Lockouts", "id": "95a7f9a5-6096-437e-a19e-86f42ac609bd", "version": 4, "date": "2022-08-25", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "production", "description": "This search detects user accounts that have been locked out a relatively high number of times in a short period.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Change.All_Changes where All_Changes.result=\"*locked out*\" by All_Changes.user All_Changes.result |`drop_dm_object_name(\"All_Changes\")` |`drop_dm_object_name(\"Account_Management\")`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search count > 5 | `detect_excessive_user_account_lockouts_filter`", "how_to_implement": "ou must ingest your Windows security event logs in the `Change` datamodel under the nodename is `Account_Management`, for this search to execute successfully. Please consider updating the cron schedule and the count of lockouts you want to monitor, according to your environment.", "known_false_positives": "It is possible that a legitimate user is experiencing an issue causing multiple account login failures leading to lockouts.", "references": [], "tags": {"name": "Detect Excessive User Account Lockouts", "analytic_story": ["Account Monitoring and Controls"], "asset_type": "Windows", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "Multiple accounts have been locked out. Review $nodename$ and $result$ related to $user$.", "mitre_attack_id": ["T1078", "T1078.003"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "result", "type": "Other", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.result", "nodename", "All_Changes.user"], "risk_score": 36, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.003", "mitre_attack_technique": "Local Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "FIN10", "HAFNIUM", "Kimsuky", "PROMETHIUM", "Tropic Trooper", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/account_lockout/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/account_lockout/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog", "update_timestamp": true}]}], "datamodel": ["Change"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_excessive_user_account_lockouts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_excessive_user_account_lockouts.yml", "source": "endpoint"}, {"name": "Detect Exchange Web Shell", "id": "8c14eeee-2af1-4a4b-bda8-228da0f4862a", "version": 4, "date": "2022-09-30", "author": "Michael Haag, Shannon Davis, David Dorsey, Splunk", "type": "TTP", "status": "production", "description": "The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell and ProxyNotShell. Paths include: `\\HttpProxy\\owa\\auth\\`, `\\inetpub\\wwwroot\\aspnet_client\\`, and `\\HttpProxy\\OAB\\`. Upon triage, the suspicious .aspx file will likely look obvious on the surface. inspect the contents for script code inside. Identify additional log sources, IIS included, to review source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically analytics to detect those threats are written without the benefit of being able to only target those systems as well. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the exchange server is communicating with new systems that it has not previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise allowing the hunter to focus only on the systems where this behavioral change is relevant.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=System by _time span=1h Processes.process_id Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\HttpProxy\\\\owa\\\\auth\\\\*\", \"*\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\", \"*\\\\HttpProxy\\\\OAB\\\\*\") Filesystem.file_name IN( \"*.aspx\", \"*.ashx\") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process] | dedup file_create_time | table dest file_create_time, file_name, file_path, process_name | `detect_exchange_web_shell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node.", "known_false_positives": "The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product.", "references": ["https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv", "https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell", "https://www.youtube.com/watch?v=FC6iHw258RI", "https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit#what-should-you-do"], "tags": {"name": "Detect Exchange Web Shell", "analytic_story": ["HAFNIUM Group", "ProxyShell", "CISA AA22-257A", "ProxyNotShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Installation", "Delivery"], "message": "A file - $file_name$ was written to disk that is related to IIS exploitation previously performed by HAFNIUM. Review further file modifications on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1505", "T1505.003", "T1190"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.file_path", "Filesystem.process_id", "Filesystem.file_name", "Filesystem.file_hash", "Filesystem.user"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.003/windows-sysmon_proxylogon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_exchange_web_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_exchange_web_shell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect HTML Help Renamed", "id": "62fed254-513b-460e-953d-79771493a9f3", "version": 4, "date": "2022-04-07", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies a renamed instance of hh.exe (HTML Help) executing a Compiled HTML Help (CHM). This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Validate it is the legitimate version of hh.exe by reviewing the PE metadata. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=hh.exe AND Processes.original_file_name=HH.EXE by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_renamed_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Although unlikely a renamed instance of hh.exe will be used legitimately, filter as needed.", "references": ["https://attack.mitre.org/techniques/T1218/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md", "https://lolbas-project.github.io/lolbas/Binaries/Hh/"], "tags": {"name": "Detect HTML Help Renamed", "analytic_story": ["Suspicious Compiled HTML Activity", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$.", "mitre_attack_id": ["T1218", "T1218.001"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.001", "mitre_attack_technique": "Compiled HTML File", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "APT41", "Dark Caracal", "OilRig", "Silence"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_html_help_renamed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_html_help_renamed.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect HTML Help Spawn Child Process", "id": "723716de-ee55-4cd4-9759-c44e7e55ba4b", "version": 1, "date": "2021-02-11", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=hh.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_spawn_child_process_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Although unlikely, some legitimate applications (ex. web browsers) may spawn a child process. Filter as needed.", "references": ["https://attack.mitre.org/techniques/T1218/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md", "https://lolbas-project.github.io/lolbas/Binaries/Hh/", "https://gist.github.com/mgeeky/cce31c8602a144d8f2172a73d510e0e7", "https://web.archive.org/web/20220119133748/https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/"], "tags": {"name": "Detect HTML Help Spawn Child Process", "analytic_story": ["Suspicious Compiled HTML Activity", "Living Off The Land", "AgentTesla"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ spawning a child process, typically not normal behavior.", "mitre_attack_id": ["T1218", "T1218.001"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.001", "mitre_attack_technique": "Compiled HTML File", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "APT41", "Dark Caracal", "OilRig", "Silence"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_html_help_spawn_child_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_html_help_spawn_child_process.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect HTML Help URL in Command Line", "id": "8c5835b9-39d9-438b-817c-95f14c69a31e", "version": 2, "date": "2021-09-16", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file from a remote url. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review reputation of remote IP and domain. Some instances, it is worth decompiling the .chm file to review its original contents. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_hh` Processes.process=*http* by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_url_in_command_line_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Although unlikely, some legitimate applications may retrieve a CHM remotely, filter as needed.", "references": ["https://attack.mitre.org/techniques/T1218/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md", "https://lolbas-project.github.io/lolbas/Binaries/Hh/", "https://blog.sevagas.com/?Hacking-around-HTA-files", "https://gist.github.com/mgeeky/cce31c8602a144d8f2172a73d510e0e7", "https://web.archive.org/web/20220119133748/https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/"], "tags": {"name": "Detect HTML Help URL in Command Line", "analytic_story": ["Suspicious Compiled HTML Activity", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_proces_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ contacting a remote destination to potentally download a malicious payload.", "mitre_attack_id": ["T1218", "T1218.001"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.001", "mitre_attack_technique": "Compiled HTML File", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "APT41", "Dark Caracal", "OilRig", "Silence"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_hh", "definition": "(Processes.process_name=hh.exe OR Processes.original_file_name=HH.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_html_help_url_in_command_line_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_html_help_url_in_command_line.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect HTML Help Using InfoTech Storage Handlers", "id": "0b2eefa5-5508-450d-b970-3dd2fb761aec", "version": 2, "date": "2021-09-16", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file using InfoTech Storage Handlers. This particular technique will load Windows script code from a compiled help file, using InfoTech Storage Handlers. itss.dll will load upon execution. Three InfoTech Storage handlers are supported - ms-its, its, mk:@MSITStore. ITSS may be used to launch a specific html/htm file from within a CHM file. CHM files may contain nearly any file type embedded. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_hh` Processes.process IN (\"*its:*\", \"*mk:@MSITStore:*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_using_infotech_storage_handlers_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "It is rare to see instances of InfoTech Storage Handlers being used, but it does happen in some legitimate instances. Filter as needed.", "references": ["https://attack.mitre.org/techniques/T1218/001/", "https://www.kb.cert.org/vuls/id/851869", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md", "https://lolbas-project.github.io/lolbas/Binaries/Hh/", "https://gist.github.com/mgeeky/cce31c8602a144d8f2172a73d510e0e7", "https://web.archive.org/web/20220119133748/https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/"], "tags": {"name": "Detect HTML Help Using InfoTech Storage Handlers", "analytic_story": ["Suspicious Compiled HTML Activity", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "$process_name$ has been identified using Infotech Storage Handlers to load a specific file within a CHM on $dest$ under user $user$.", "mitre_attack_id": ["T1218", "T1218.001"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.001", "mitre_attack_technique": "Compiled HTML File", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "APT41", "Dark Caracal", "OilRig", "Silence"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_hh", "definition": "(Processes.process_name=hh.exe OR Processes.original_file_name=HH.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_html_help_using_infotech_storage_handlers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "id": "8148c29c-c952-11eb-9255-acde48001122", "version": 2, "date": "2022-02-24", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. \\\nThis analytic identifies common Mimikatz functions that may be identified in the script block, including `mimikatz`. This will catch the most basic use cases for Pass the Ticket, Pass the Hash and `-DumprCreds`. \\\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText IN (*mimikatz*, *-dumpcr*, *sekurlsa::pth*, *kerberos::ptt*, *kerberos::golden*) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_mimikatz_with_powershell_script_block_logging_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited as the commands being identifies are quite specific to EventCode 4104 and Mimikatz. Filter as needed.", "references": ["https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"name": "Detect Mimikatz With PowerShell Script Block Logging", "analytic_story": ["Hermetic Wiper", "Malicious PowerShell", "CISA AA22-264A", "CISA AA22-320A", "Sandworm Tools", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "message": "The following behavior was identified and typically related to MimiKatz being loaded within the context of PowerShell on $Computer$ by $UserID$.", "mitre_attack_id": ["T1003", "T1059.001"], "nist": ["DE.CM"], "observable": [{"name": "UserID", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/credaccess-powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_mimikatz_with_powershell_script_block_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Detect mshta inline hta execution", "id": "a0873b32-5b68-11eb-ae93-0242ac130002", "version": 6, "date": "2021-09-16", "author": "Bhavin Patel, Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies \"mshta.exe\" execution with inline protocol handlers. \"JavaScript\", \"VBScript\", and \"About\" are the only supported options when invoking HTA content directly on the command-line. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process \"mshta.exe\" and its parent process.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_mshta` (Processes.process=*vbscript* OR Processes.process=*javascript* OR Processes.process=*about*) by Processes.user Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_mshta_inline_hta_execution_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.", "references": ["https://github.com/redcanaryco/AtomicTestHarnesses", "https://redcanary.com/blog/introducing-atomictestharnesses/", "https://docs.microsoft.com/en-us/windows/win32/search/-search-3x-wds-extidx-prot-implementing"], "tags": {"name": "Detect mshta inline hta execution", "analytic_story": ["Suspicious MSHTA Activity", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ executing with inline HTA, indicative of defense evasion.", "mitre_attack_id": ["T1218", "T1218.005"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_mshta", "definition": "(Processes.process_name=mshta.exe OR Processes.original_file_name=MSHTA.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "detect_mshta_inline_hta_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_mshta_inline_hta_execution.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect mshta renamed", "id": "8f45fcf0-5b68-11eb-ae93-0242ac130002", "version": 3, "date": "2022-04-07", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies renamed instances of mshta.exe executing. Mshta.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64. This analytic utilizes the internal name of the PE to identify if is the legitimate mshta binary. Further analysis should be performed to review the executed content and validation it is the real mshta.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=mshta.exe AND Processes.original_file_name=MSHTA.EXE by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_mshta_renamed_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Although unlikely, some legitimate applications may use a moved copy of mshta.exe, but never renamed, triggering a false positive.", "references": ["https://github.com/redcanaryco/AtomicTestHarnesses", "https://redcanary.com/blog/introducing-atomictestharnesses/"], "tags": {"name": "Detect mshta renamed", "analytic_story": ["Suspicious MSHTA Activity", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$.", "mitre_attack_id": ["T1218", "T1218.005"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_mshta_renamed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_mshta_renamed.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect MSHTA Url in Command Line", "id": "9b3af1e6-5b68-11eb-ae93-0242ac130002", "version": 2, "date": "2021-09-16", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies when Microsoft HTML Application Host (mshta.exe) utility is used to make remote http connections. Adversaries may use mshta.exe to proxy the download and execution of remote .hta files. The analytic identifies command line arguments of http and https being used. This technique is commonly used by malicious software to bypass preventative controls. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process \"rundll32.exe\" and its parent process.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_mshta` (Processes.process=\"*http://*\" OR Processes.process=\"*https://*\") by Processes.user Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_mshta_url_in_command_line_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "It is possible legitimate applications may perform this behavior and will need to be filtered.", "references": ["https://github.com/redcanaryco/AtomicTestHarnesses", "https://redcanary.com/blog/introducing-atomictestharnesses/", "https://docs.microsoft.com/en-us/windows/win32/search/-search-3x-wds-extidx-prot-implementing"], "tags": {"name": "Detect MSHTA Url in Command Line", "analytic_story": ["Suspicious MSHTA Activity", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $est$ by user $user$ attempting to access a remote destination to download an additional payload.", "mitre_attack_id": ["T1218", "T1218.005"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_mshta", "definition": "(Processes.process_name=mshta.exe OR Processes.original_file_name=MSHTA.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "detect_mshta_url_in_command_line_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_mshta_url_in_command_line.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect New Local Admin account", "id": "b25f6f62-0712-43c1-b203-083231ffd97d", "version": 2, "date": "2020-07-08", "author": "David Dorsey, Splunk", "type": "TTP", "status": "production", "description": "This search looks for newly created accounts that have been elevated to local administrators.", "data_source": [], "search": "`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) | transaction member_id connected=false maxspan=180m | rename member_id as user | stats count min(_time) as firstTime max(_time) as lastTime by user dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_new_local_admin_account_filter`", "how_to_implement": "You must be ingesting Windows event logs using the Splunk Windows TA and collecting event code 4720 and 4732", "known_false_positives": "The activity may be legitimate. For this reason, it's best to verify the account with an administrator and ask whether there was a valid service request for the account creation. If your local administrator group name is not \"Administrators\", this search may generate an excessive number of false positives", "references": [], "tags": {"name": "Detect New Local Admin account", "analytic_story": ["DHS Report TA18-074A", "HAFNIUM Group", "CISA AA22-257A"], "asset_type": "Windows", "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Installation"], "message": "A $user$ on $dest$ was added recently. Identify if this was legitimate behavior or not.", "mitre_attack_id": ["T1136.001", "T1136"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Group_Name", "member_id", "dest", "user"], "risk_score": 42, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "Dragonfly", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_new_local_admin_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_new_local_admin_account.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Detect Outlook exe writing a zip file", "id": "a51bfe1a-94f0-4822-b1e4-16ae10145893", "version": 4, "date": "2023-2-07", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "experimental", "description": "This search looks for execution of process `outlook.exe` where the process is writing a `.zip` file to the disk.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=outlook.exe by _time span=5m Processes.parent_process_id Processes.process_id Processes.dest Processes.process_name Processes.parent_process_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename process_id as malicious_id| rename parent_process_id as outlook_id| join malicious_id type=inner[| tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path values(Filesystem.file_name) as file_name FROM datamodel=Endpoint.Filesystem where (Filesystem.file_path=*.zip* OR Filesystem.file_name=*.lnk ) AND (Filesystem.file_path=C:\\\\Users* OR Filesystem.file_path=*Local\\\\Temp*) by _time span=5m Filesystem.process_id Filesystem.file_hash Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename process_id as malicious_id| fields malicious_id outlook_id dest file_path file_name file_hash count file_id] | table firstTime lastTime user malicious_id outlook_id process_name parent_process_name file_name file_path | where file_name != \"\" | `detect_outlook_exe_writing_a_zip_file_filter` ", "how_to_implement": "You must be ingesting data that records filesystem and process activity from your hosts to populate the Endpoint data model. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon.", "known_false_positives": "It is not uncommon for outlook to write legitimate zip files to the disk.", "references": [], "tags": {"name": "Detect Outlook exe writing a zip file", "analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "tbd", "mitre_attack_id": ["T1566", "T1566.001"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.parent_process_id", "Processes.process_id", "Processes.dest", "Processes.parent_process_name", "Processes.user"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_outlook_exe_writing_a_zip_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect Path Interception By Creation Of program exe", "id": "cbef820c-e1ff-407f-887f-0a9240a2d477", "version": 3, "date": "2020-07-03", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "The detection Detect Path Interception By Creation Of program exe is detecting the abuse of unquoted service paths, which is a popular technique for privilege escalation. ", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=services.exe by Processes.user Processes.process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | rex field=process \"^.*?\\\\\\\\(?[^\\\\\\\\]*\\.(?:exe|bat|com|ps1))\" | eval process_name = lower(process_name) | eval service_process = lower(service_process) | where process_name != service_process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_path_interception_by_creation_of_program_exe_filter`", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "unknown", "references": ["https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae"], "tags": {"name": "Detect Path Interception By Creation Of program exe", "analytic_story": ["Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to perform privilege escalation by using unquoted service paths.", "mitre_attack_id": ["T1574.009", "T1574"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.009", "mitre_attack_technique": "Path Interception by Unquoted Path", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.009/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_path_interception_by_creation_of_program_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect processes used for System Network Configuration Discovery", "id": "a51bfe1a-94f0-48cc-b1e4-16ae10145893", "version": 2, "date": "2020-11-10", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "This search looks for fast execution of processes used for system network configuration discovery on the endpoint.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where NOT Processes.user IN (\"\",\"unknown\") by Processes.dest Processes.process_name Processes.user _time | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | search `system_network_configuration_discovery_tools` | transaction dest connected=false maxpause=5m |where eventcount>=5 | table firstTime lastTime dest user process_name process parent_process eventcount | `detect_processes_used_for_system_network_configuration_discovery_filter`", "how_to_implement": "You must be ingesting data that records registry activity from your hosts to populate the Endpoint data model in the processes node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon. The data used for this search is usually generated via logs that report reads and writes to the registry or that are populated via Windows event logs, after enabling process tracking in your Windows audit settings.", "known_false_positives": "It is uncommon for normal users to execute a series of commands used for network discovery. System administrators often use scripts to execute these commands. These can generate false positives.", "references": [], "tags": {"name": "Detect processes used for System Network Configuration Discovery", "analytic_story": ["Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 40, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning multiple $process_name$ was identified on endpoint $dest$ by user $user$ typically not a normal behavior of the process.", "mitre_attack_id": ["T1016"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 32, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/discovery_commands/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "system_network_configuration_discovery_tools", "definition": "(process_name= \"arp.exe\" OR process_name= \"at.exe\" OR process_name= \"attrib.exe\" OR process_name= \"cscript.exe\" OR process_name= \"dsquery.exe\" OR process_name= \"hostname.exe\" OR process_name= \"ipconfig.exe\" OR process_name= \"mimikatz.exe\" OR process_name= \"nbstat.exe\" OR process_name= \"net.exe\" OR process_name= \"netsh.exe\" OR process_name= \"nslookup.exe\" OR process_name= \"ping.exe\" OR process_name= \"quser.exe\" OR process_name= \"qwinsta.exe\" OR process_name= \"reg.exe\" OR process_name= \"runas.exe\" OR process_name= \"sc.exe\" OR process_name= \"schtasks.exe\" OR process_name= \"ssh.exe\" OR process_name= \"systeminfo.exe\" OR process_name= \"taskkill.exe\" OR process_name= \"telnet.exe\" OR process_name= \"tracert.exe\" OR process_name=\"wscript.exe\" OR process_name= \"xcopy.exe\")", "description": "This macro is a list of process that can be used to discover the network configuration"}, {"name": "detect_processes_used_for_system_network_configuration_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_processes_used_for_system_network_configuration_discovery.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect Prohibited Applications Spawning cmd exe", "id": "dcfd6b40-42f9-469d-a433-2e53f7486664", "version": 6, "date": "2020-11-10", "author": "Bhavin Patel, Splunk", "type": "Hunting", "status": "production", "description": "This search looks for executions of cmd.exe spawned by a process that is often abused by attackers and that does not typically launch cmd.exe.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` by Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |search [`prohibited_apps_launching_cmd`] | `detect_prohibited_applications_spawning_cmd_exe_filter`", "how_to_implement": "You must be ingesting data that records process activity from your hosts and populates the Endpoint data model with the resultant dataset. This search includes a lookup file, `prohibited_apps_launching_cmd.csv`, that contains a list of processes that should not be spawning cmd.exe. You can modify this lookup to better suit your environment. To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "There are circumstances where an application may legitimately execute and interact with the Windows command-line interface. Investigate and modify the lookup file, as appropriate.", "references": [], "tags": {"name": "Detect Prohibited Applications Spawning cmd exe", "analytic_story": ["Suspicious Command-Line Executions", "Suspicious MSHTA Activity", "Suspicious Zoom Child Processes", "NOBELIUM Group"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ running prohibited applications.", "mitre_attack_id": ["T1059", "T1059.003"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/powershell_spawn_cmd/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "prohibited_apps_launching_cmd", "definition": "| inputlookup prohibited_apps_launching_cmd | rename prohibited_applications as parent_process_name | eval parent_process_name=\"*\" . parent_process_name | table parent_process_name", "description": "This macro outputs a list of process that should not be the parent process of cmd.exe"}, {"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_prohibited_applications_spawning_cmd_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_prohibited_applications_spawning_cmd_exe.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect PsExec With accepteula Flag", "id": "27c3a83d-cada-47c6-9042-67baf19d2574", "version": 4, "date": "2021-09-16", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "This search looks for events where `PsExec.exe` is run with the `accepteula` flag in the command line. PsExec is a built-in Windows utility that enables you to execute processes on other systems. It is fully interactive for console applications. This tool is widely used for launching interactive command prompts on remote systems. Threat actors leverage this extensively for executing code on compromised systems. If an attacker is running PsExec for the first time, they will be prompted to accept the end-user license agreement (EULA), which can be passed as the argument `accepteula` within the command line.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_psexec` Processes.process=*accepteula* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)`| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_psexec_with_accepteula_flag_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators can leverage PsExec for accessing remote systems and might pass `accepteula` as an argument if they are running this tool for the first time. However, it is not likely that you'd see multiple occurrences of this event on a machine", "references": ["https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"], "tags": {"name": "Detect PsExec With accepteula Flag", "analytic_story": ["SamSam Ransomware", "DHS Report TA18-074A", "HAFNIUM Group", "DarkSide Ransomware", "Active Directory Lateral Movement", "CISA AA22-320A", "Sandworm Tools", "Volt Typhoon", "IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ running the utility for possibly the first time.", "mitre_attack_id": ["T1021", "T1021.002"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_psexec", "definition": "(Processes.process_name=psexec.exe OR Processes.process_name=psexec64.exe OR Processes.original_file_name=psexec.c)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_psexec_with_accepteula_flag_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_psexec_with_accepteula_flag.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect Rare Executables", "id": "44fddcb2-8d3b-454c-874e-7c6de5a4f7ac", "version": 3, "date": "2022-11-10", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search will return a table of processes in the a given window, remove process names which are in the allowed list and list out the top 30 rare processes discovered on different hosts.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.dest) as dest values(Processes.user) as user min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.process_name | rename Processes.process_name as process | `filter_rare_process_allow_list` | sort count | head 30 | rex field=user \"(?.*)\\\\\\\\(?.*)\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rare_executables_filter` ", "how_to_implement": "To successfully implement this search, you must be ingesting data that records process activity from your hosts and populating the `Endpoint` data model with the resultant dataset. The macro `filter_rare_process_allow_list` searches two lookup files for allowed processes. These consist of `rare_process_allow_list_default.csv` and `rare_process_allow_list_local.csv`. To add your own processes to the allow list, add them to `rare_process_allow_list_local.csv`. If you wish to remove an entry from the default lookup file, you will have to modify the macro itself to set the allow_list value for that process to false. You can modify the limit parameter and search scheduling to better suit your environment.", "known_false_positives": "Some legitimate processes may be only rarely executed in your environment. As these are identified, update `rare_process_allow_list_local.csv` to filter them out of your search results.", "references": [], "tags": {"name": "Detect Rare Executables", "analytic_story": ["Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.process_name"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": ["Endpoint"], "macros": [{"name": "filter_rare_process_allow_list", "definition": "lookup update=true lookup_rare_process_allow_list_default process as process OUTPUTNEW allow_list | where allow_list=\"false\" | lookup update=true lookup_rare_process_allow_list_local process as process OUTPUT allow_list | where allow_list=\"false\"", "description": "This macro is intended to allow_list processes that have been definied as rare"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_rare_executables_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_rare_executables.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect RClone Command-Line Usage", "id": "32e0baea-b3f1-11eb-a2ce-acde48001122", "version": 2, "date": "2021-11-29", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies commonly used command-line arguments used by `rclone.exe` to initiate a file transfer. Some arguments were negated as they are specific to the configuration used by adversaries. In particular, an adversary may list the files or directories of the remote file share using `ls` or `lsd`, which is not indicative of malicious behavior. During triage, at this stage of a ransomware event, exfiltration is about to occur or has already. Isolate the endpoint and continue investigating by review file modifications and parallel processes.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rclone` Processes.process IN (\"*copy*\", \"*mega*\", \"*pcloud*\", \"*ftp*\", \"*--config*\", \"*--progress*\", \"*--no-check-certificate*\", \"*--ignore-existing*\", \"*--auto-confirm*\", \"*--transfers*\", \"*--multi-thread-streams*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rclone_command_line_usage_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited as this is restricted to the Rclone process name. Filter or tune the analytic as needed.", "references": ["https://redcanary.com/blog/rclone-mega-extortion/", "https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/"], "tags": {"name": "Detect RClone Command-Line Usage", "analytic_story": ["DarkSide Ransomware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to connect to a remote cloud service to move files or folders.", "mitre_attack_id": ["T1020"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id", "Processes.original_file_name"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1020", "mitre_attack_technique": "Automated Exfiltration", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Gamaredon Group", "Ke3chang", "Sidewinder", "Tropic Trooper"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1020/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_rclone", "definition": "(Processes.original_file_name=rclone.exe OR Processes.process_name=rclone.exe)", "description": "Matches the process with its original file name."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_rclone_command_line_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_rclone_command_line_usage.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect Regasm Spawning a Process", "id": "72170ec5-f7d2-42f5-aefb-2b8be6aad15f", "version": 1, "date": "2021-02-12", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies regasm.exe spawning a process. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. Spawning of a child process is rare from either process and should be investigated further. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. regsvcs.exe and regasm.exe are natively found in C:\\Windows\\Microsoft.NET\\Framework\\v*\\regasm|regsvcs.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v*\\regasm|regsvcs.exe.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=regasm.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regasm_spawning_a_process_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Although unlikely, limited instances of regasm.exe or regsvcs.exe may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/", "https://lolbas-project.github.io/lolbas/Binaries/Regasm/"], "tags": {"name": "Detect Regasm Spawning a Process", "analytic_story": ["Suspicious Regsvcs Regasm Activity", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ spawning a child process, typically not normal behavior for $parent_process_name$.", "mitre_attack_id": ["T1218", "T1218.009"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.parent_process_name", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.009", "mitre_attack_technique": "Regsvcs/Regasm", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_regasm_spawning_a_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_regasm_spawning_a_process.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect Regasm with Network Connection", "id": "07921114-6db4-4e2e-ae58-3ea8a52ae93f", "version": 2, "date": "2022-02-18", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies regasm.exe with a network connection to a public IP address, exluding private IP space. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. By contacting a remote Command And Control server, the adversary will have the ability to escalate privileges and complete the objectives. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. Review the reputation of the remote IP or domain and block as needed. regsvcs.exe and regasm.exe are natively found in C:\\Windows\\Microsoft.NET\\Framework\\v*\\regasm|regsvcs.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v*\\regasm|regsvcs.exe.", "data_source": ["Sysmon Event ID 3"], "search": "`sysmon` EventID=3 dest_ip!=10.0.0.0/12 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16 process_name=regasm.exe | rename Computer as dest | stats count min(_time) as firstTime max(_time) as lastTime by dest, user, process_name, src_ip, dest_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regasm_with_network_connection_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Although unlikely, limited instances of regasm.exe with a network connection may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md", "https://lolbas-project.github.io/lolbas/Binaries/Regasm/"], "tags": {"name": "Detect Regasm with Network Connection", "analytic_story": ["Suspicious Regsvcs Regasm Activity", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $process_name$ contacting a remote destination was identified on endpoint $Computer$ by user $user$. This behavior is not normal for $process_name$.", "mitre_attack_id": ["T1218", "T1218.009"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventID", "dest_ip", "process_name", "Computer", "user", "src_ip", "dest_host", "dest_ip"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.009", "mitre_attack_technique": "Regsvcs/Regasm", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_regasm_with_network_connection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_regasm_with_network_connection.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Detect Regasm with no Command Line Arguments", "id": "c3bc1430-04e7-4178-835f-047d8e6e97df", "version": 3, "date": "2022-03-15", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies regasm.exe with no command line arguments. This particular behavior occurs when another process injects into regasm.exe, no command line arguments will be present. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Regasm.exe are natively found in `C:\\Windows\\Microsoft.NET\\Framework\\v*\\regasm|regsvcs.exe` and `C:\\Windows\\Microsoft.NET\\Framework64\\v*\\regasm|regsvcs.exe`.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_regasm` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(regasm\\.exe.{0,4}$)\" | `detect_regasm_with_no_command_line_arguments_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Although unlikely, limited instances of regasm.exe or may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md", "https://lolbas-project.github.io/lolbas/Binaries/Regasm/"], "tags": {"name": "Detect Regasm with no Command Line Arguments", "analytic_story": ["Suspicious Regsvcs Regasm Activity", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "The process $process_name$ was spawned by $parent_process_name$ without any command-line arguments on $dest$ by $user$.", "mitre_attack_id": ["T1218", "T1218.009"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.009", "mitre_attack_technique": "Regsvcs/Regasm", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_regasm", "definition": "(Processes.process_name=regasm.exe OR Processes.original_file_name=RegAsm.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_regasm_with_no_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect Regsvcs Spawning a Process", "id": "bc477b57-5c21-4ab6-9c33-668772e7f114", "version": 1, "date": "2021-02-12", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies regsvcs.exe spawning a process. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. Spawning of a child process is rare from either process and should be investigated further. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. regsvcs.exe and regasm.exe are natively found in C:\\Windows\\Microsoft.NET\\Framework\\v*\\regasm|regsvcs.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v*\\regasm|regsvcs.exe.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=regsvcs.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regsvcs_spawning_a_process_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Although unlikely, limited instances of regasm.exe or regsvcs.exe may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/"], "tags": {"name": "Detect Regsvcs Spawning a Process", "analytic_story": ["Suspicious Regsvcs Regasm Activity", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ typically not normal for this process.", "mitre_attack_id": ["T1218", "T1218.009"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.parent_process_name", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.009", "mitre_attack_technique": "Regsvcs/Regasm", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_regsvcs_spawning_a_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_regsvcs_spawning_a_process.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect Regsvcs with Network Connection", "id": "e3e7a1c0-f2b9-445c-8493-f30a63522d1a", "version": 2, "date": "2022-02-18", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies Regsvcs.exe with a network connection to a public IP address, exluding private IP space. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. By contacting a remote Command And Control server, the adversary will have the ability to escalate privileges and complete the objectives. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. Review the reputation of the remote IP or domain and block as needed. regsvcs.exe and regasm.exe are natively found in C:\\Windows\\Microsoft.NET\\Framework\\v*\\regasm|regsvcs.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v*\\regasm|regsvcs.exe.", "data_source": ["Sysmon Event ID 3"], "search": "`sysmon` EventID=3 dest_ip!=10.0.0.0/12 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16 process_name=regsvcs.exe | rename Computer as dest | stats count min(_time) as firstTime max(_time) as lastTime by dest, user, process_name, src_ip, dest_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regsvcs_with_network_connection_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Although unlikely, limited instances of regsvcs.exe may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/"], "tags": {"name": "Detect Regsvcs with Network Connection", "analytic_story": ["Suspicious Regsvcs Regasm Activity", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $process_name$ contacting a remote destination was identified on endpoint $Computer$ by user $user$. This behavior is not normal for $process_name$.", "mitre_attack_id": ["T1218", "T1218.009"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventID", "dest_ip", "process_name", "Computer", "user", "src_ip", "dest_host"], "risk_score": 80, "security_domain": "Endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.009", "mitre_attack_technique": "Regsvcs/Regasm", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_regsvcs_with_network_connection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_regsvcs_with_network_connection.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Detect Regsvcs with No Command Line Arguments", "id": "6b74d578-a02e-4e94-a0d1-39440d0bf254", "version": 3, "date": "2022-03-15", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies regsvcs.exe with no command line arguments. This particular behavior occurs when another process injects into regsvcs.exe, no command line arguments will be present. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Regasm.exe are natively found in C:\\Windows\\Microsoft.NET\\Framework\\v*\\regasm|regsvcs.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v*\\regasm|regsvcs.exe.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_regsvcs` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(regsvcs\\.exe.{0,4}$)\"| `detect_regsvcs_with_no_command_line_arguments_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Although unlikely, limited instances of regsvcs.exe may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/"], "tags": {"name": "Detect Regsvcs with No Command Line Arguments", "analytic_story": ["Suspicious Regsvcs Regasm Activity", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "The process $process_name$ was spawned by $parent_process_name$ without any command-line arguments on $dest$ by $user$.", "mitre_attack_id": ["T1218", "T1218.009"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.009", "mitre_attack_technique": "Regsvcs/Regasm", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_regsvcs", "definition": "(Processes.process_name=regsvcs.exe OR Processes.original_file_name=RegSvcs.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_regsvcs_with_no_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect Regsvr32 Application Control Bypass", "id": "070e9b80-6252-11eb-ae93-0242ac130002", "version": 2, "date": "2021-01-28", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.This variation of the technique is often referred to as a \"Squiblydoo\" attack. \\\nUpon investigating, look for network connections to remote destinations (internal or external). Be cautious to modify the query to look for \"scrobj.dll\", the \".dll\" is not required to load scrobj. \"scrobj.dll\" will be loaded by \"regsvr32.exe\" upon execution. ", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` Processes.process=*scrobj* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_regsvr32_application_control_bypass_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Limited false positives related to third party software registering .DLL's.", "references": ["https://attack.mitre.org/techniques/T1218/010/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/", "https://support.microsoft.com/en-us/topic/how-to-use-the-regsvr32-tool-and-troubleshoot-regsvr32-error-messages-a98d960a-7392-e6fe-d90a-3f4e0cb543e5"], "tags": {"name": "Detect Regsvr32 Application Control Bypass", "analytic_story": ["Suspicious Regsvr32 Activity", "Cobalt Strike", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ in an attempt to bypass detection and preventative controls was identified on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1218", "T1218.010"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.010/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_regsvr32", "definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_regsvr32_application_control_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_regsvr32_application_control_bypass.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect Renamed 7-Zip", "id": "4057291a-b8cf-11eb-95fe-acde48001122", "version": 2, "date": "2021-09-16", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies renamed 7-Zip usage using Sysmon. At this stage of an attack, review parallel processes and file modifications for data that is staged or potentially have been exfiltrated. This analytic utilizes the OriginalFileName to capture the renamed process. During triage, validate this is the legitimate version of `7zip` by reviewing the PE metadata. In addition, review parallel processes for further suspicious behavior.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.original_file_name=7z*.exe AND Processes.process_name!=7z*.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_7_zip_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Limited false positives, however this analytic will need to be modified for each environment if Sysmon is not used.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"], "tags": {"name": "Detect Renamed 7-Zip", "analytic_story": ["Collection and Staging"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ by $user$.", "mitre_attack_id": ["T1560.001", "T1560"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 27, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "Turla", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_renamed_7_zip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_renamed_7_zip.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect Renamed PSExec", "id": "683e6196-b8e8-11eb-9a79-acde48001122", "version": 4, "date": "2022-04-07", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies renamed instances of `PsExec.exe` being utilized on an endpoint. Most instances, it is highly probable to capture `Psexec.exe` or other SysInternal utility usage with the command-line argument of `-accepteula`. During triage, validate this is the legitimate version of `PsExec` by reviewing the PE metadata. In addition, review parallel processes for further suspicious behavior.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name!=psexec.exe OR Processes.process_name!=psexec64.exe) AND Processes.original_file_name=psexec.c by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_psexec_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Limited false positives should be present. It is possible some third party applications may use older versions of PsExec, filter as needed.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.yaml", "https://redcanary.com/blog/threat-hunting-psexec-lateral-movement/"], "tags": {"name": "Detect Renamed PSExec", "analytic_story": ["SamSam Ransomware", "DHS Report TA18-074A", "HAFNIUM Group", "DarkSide Ransomware", "Active Directory Lateral Movement", "CISA AA22-320A", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 30, "kill_chain_phases": ["Installation"], "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ by $user$.", "mitre_attack_id": ["T1569", "T1569.002"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 27, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_renamed_psexec_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_renamed_psexec.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect Renamed RClone", "id": "6dca1124-b3ec-11eb-9328-acde48001122", "version": 2, "date": "2021-09-16", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies the usage of `rclone.exe`, renamed, being used to exfiltrate data to a remote destination. RClone has been used by multiple ransomware groups to exfiltrate data. In many instances, it will be downloaded from the legitimate site and executed accordingly. During triage, isolate the endpoint and begin to review parallel processes for additional behavior. At this stage, the adversary may have staged data to be exfiltrated.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.original_file_name=rclone.exe AND Processes.process_name!=rclone.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_rclone_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited as this analytic identifies renamed instances of `rclone.exe`. Filter as needed if there is a legitimate business use case.", "references": ["https://redcanary.com/blog/rclone-mega-extortion/", "https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/"], "tags": {"name": "Detect Renamed RClone", "analytic_story": ["DarkSide Ransomware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 30, "kill_chain_phases": ["Actions on Objectives"], "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ by $user$.", "mitre_attack_id": ["T1020"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 27, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1020", "mitre_attack_technique": "Automated Exfiltration", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Gamaredon Group", "Ke3chang", "Sidewinder", "Tropic Trooper"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1020/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_renamed_rclone_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_renamed_rclone.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect Renamed WinRAR", "id": "1b7bfb2c-b8e6-11eb-99ac-acde48001122", "version": 3, "date": "2021-09-16", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following analtyic identifies renamed instances of `WinRAR.exe`. In most cases, it is not common for WinRAR to be used renamed, however it is common to be installed by a third party application and executed from a non-standard path. During triage, validate additional metadata from the binary that this is `WinRAR`. Review parallel processes and file modifications.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.original_file_name=WinRAR.exe (Processes.process_name!=rar.exe OR Processes.process_name!=winrar.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_winrar_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Unknown. It is possible third party applications use renamed instances of WinRAR.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"], "tags": {"name": "Detect Renamed WinRAR", "analytic_story": ["Collection and Staging", "CISA AA22-277A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ by $user$.", "mitre_attack_id": ["T1560.001", "T1560"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 27, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "Turla", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_renamed_winrar_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_renamed_winrar.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect RTLO In File Name", "id": "468b7e11-d362-43b8-b6ec-7a2d3b246678", "version": 2, "date": "2023-04-26", "author": "Steven Dick", "type": "TTP", "status": "production", "description": "This search is used to detect the abuse of the right-to-left override (RTLO or RLO) character (U+202E) RTLO. This technique is used by adversaries to disguise a string and/or file name to make it appear benign. The RTLO character is a non-printing Unicode character that causes the text that follows it to be displayed in reverse.", "data_source": ["Sysmon Event ID 11", "Sysmon Event ID 23", "Sysmon Event ID 26"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.file_create_time) as file_create_time from datamodel=Endpoint.Filesystem where Filesystem.file_name!=unknown by Filesystem.dest Filesystem.user Filesystem.process_id Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex file_name = \"\\\\x{202E}\" | rex field=file_name \"(?.+)(?\\\\x{202E})(?.+)\" | eval file_name_with_RTLO=file_name | eval file_name=RTLO_file_1.RTLO_file_2 | fields - RTLO* | `detect_rtlo_in_file_name_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that includes the full command line of the process being launched on your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Implementation in regions that use right to left in native language.", "references": ["https://attack.mitre.org/techniques/T1036/002/", "https://resources.infosecinstitute.com/topic/spoof-using-right-to-left-override-rtlo-technique-2/", "https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html"], "tags": {"name": "Detect RTLO In File Name", "analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Suspicious RTLO detected in $file_name$ on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1036.002", "T1036"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.dest", "Filesystem.user", "Filesystem.file_name", "Filesystem.file_path", "Filesystem.process_id"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036.002", "mitre_attack_technique": "Right-to-Left Override", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["BRONZE BUTLER", "BlackTech", "Ferocious Kitten", "Ke3chang", "Scarlet Mimic"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.002/outlook_attachment/rtlo_events.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_rtlo_in_file_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_rtlo_in_file_name.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect RTLO In Process", "id": "22ac27b4-7189-4a4f-9375-b9017c9620d7", "version": 2, "date": "2023-04-26", "author": "Steven Dick", "type": "TTP", "status": "production", "description": "This search is used to detect the abuse of the right-to-left override (RTLO or RLO) character (U+202E) RTLO. This technique is used by adversaries to disguise a string and/or file name to make it appear benign. The RTLO character is a non-printing Unicode character that causes the text that follows it to be displayed in reverse.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process!=unknown AND Processes.action=allowed by Processes.dest Processes.user Processes.original_file_name Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | regex process=\"\\\\x{202E}\" | rex field=process \"(?.+)(?\\\\x{202E})(?.+)\" | eval process_with_RTLO=process | eval process=RTLO_command_1.RTLO_command_2 | fields - RTLO* | `detect_rtlo_in_process_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that includes the full command line of the process being launched on your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Implementation in regions that use right to left in native language.", "references": ["https://attack.mitre.org/techniques/T1036/002/", "https://resources.infosecinstitute.com/topic/spoof-using-right-to-left-override-rtlo-technique-2/", "https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html"], "tags": {"name": "Detect RTLO In Process", "analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Suspicious RTLO detected in $process_name$ on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1036.002", "T1036"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.process_guid", "Processes.parent_process_id", "Processes.parent_process_name", "Processes.parent_process"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036.002", "mitre_attack_technique": "Right-to-Left Override", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["BRONZE BUTLER", "BlackTech", "Ferocious Kitten", "Ke3chang", "Scarlet Mimic"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.002/outlook_attachment/rtlo_events.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_rtlo_in_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_rtlo_in_process.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect Rundll32 Application Control Bypass - advpack", "id": "4aefadfe-9abd-4bf8-b3fd-867e9ef95bf8", "version": 2, "date": "2021-02-04", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies rundll32.exe loading advpack.dll and ieadvpack.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur - clr.dll, jscript.dll and scrobj.dll. During investigation, identify script content origination. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*advpack* by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rundll32_application_control_bypass___advpack_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Although unlikely, some legitimate applications may use advpack.dll or ieadvpack.dll, triggering a false positive.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", "https://lolbas-project.github.io/lolbas/Libraries/Advpack/", "https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/"], "tags": {"name": "Detect Rundll32 Application Control Bypass - advpack", "analytic_story": ["Suspicious Rundll32 Activity", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ loading advpack.dll and ieadvpack.dll by calling the LaunchINFSection function on the command line was identified on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1218", "T1218.011"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_rundll32_application_control_bypass___advpack_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect Rundll32 Application Control Bypass - setupapi", "id": "61e7b44a-6088-4f26-b788-9a96ba13b37a", "version": 2, "date": "2021-02-04", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies rundll32.exe loading setupapi.dll and iesetupapi.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur - clr.dll, jscript.dll and scrobj.dll. During investigation, identify script content origination. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*setupapi* by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rundll32_application_control_bypass___setupapi_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Although unlikely, some legitimate applications may use setupapi triggering a false positive.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/", "https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/"], "tags": {"name": "Detect Rundll32 Application Control Bypass - setupapi", "analytic_story": ["Suspicious Rundll32 Activity", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ loading setupapi.dll and iesetupapi.dll by calling the LaunchINFSection function on the command line was identified on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1218", "T1218.011"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_rundll32_application_control_bypass___setupapi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect Rundll32 Application Control Bypass - syssetup", "id": "71b9bf37-cde1-45fb-b899-1b0aa6fa1183", "version": 2, "date": "2021-02-04", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies rundll32.exe loading syssetup.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur - clr.dll, jscript.dll and scrobj.dll. During investigation, identify script content origination. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*syssetup* by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rundll32_application_control_bypass___syssetup_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Although unlikely, some legitimate applications may use syssetup.dll, triggering a false positive.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", "https://lolbas-project.github.io/lolbas/Libraries/Syssetup/", "https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/"], "tags": {"name": "Detect Rundll32 Application Control Bypass - syssetup", "analytic_story": ["Suspicious Rundll32 Activity", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ loading syssetup.dll by calling the LaunchINFSection function on the command line was identified on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1218", "T1218.011"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_rundll32_application_control_bypass___syssetup_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect Rundll32 Inline HTA Execution", "id": "91c79f14-5b41-11eb-ae93-0242ac130002", "version": 2, "date": "2021-01-20", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies \"rundll32.exe\" execution with inline protocol handlers. \"JavaScript\", \"VBScript\", and \"About\" are the only supported options when invoking HTA content directly on the command-line. This type of behavior is commonly observed with fileless malware or application whitelisting bypass techniques. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process \"rundll32.exe\" and its parent process.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` (Processes.process=*vbscript* OR Processes.process=*javascript* OR Processes.process=*about*) by Processes.user Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_rundll32_inline_hta_execution_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.", "references": ["https://github.com/redcanaryco/AtomicTestHarnesses", "https://redcanary.com/blog/introducing-atomictestharnesses/", "https://docs.microsoft.com/en-us/windows/win32/search/-search-3x-wds-extidx-prot-implementing"], "tags": {"name": "Detect Rundll32 Inline HTA Execution", "analytic_story": ["Suspicious MSHTA Activity", "NOBELIUM Group", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Suspicious rundll32.exe inline HTA execution on $dest$", "mitre_attack_id": ["T1218", "T1218.005"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_rundll32_inline_hta_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_rundll32_inline_hta_execution.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect SharpHound Command-Line Arguments", "id": "a0bdd2f6-c2ff-11eb-b918-acde48001122", "version": 1, "date": "2021-06-01", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies common command-line arguments used by SharpHound `-collectionMethod` and `invoke-bloodhound`. Being the script is FOSS, function names may be modified, but these changes are dependent upon the operator. In most instances the defaults are used. This analytic works to identify the common command-line attributes used. It does not cover the entirety of every argument in order to avoid false positives.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*-collectionMethod*\",\"*invoke-bloodhound*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_command_line_arguments_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "False positives should be limited as the arguments used are specific to SharpHound. Filter as needed or add more command-line arguments as needed.", "references": ["https://attack.mitre.org/software/S0521/", "https://thedfirreport.com/?s=bloodhound", "https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors", "https://github.com/BloodHoundAD/SharpHound3", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md#atomic-test-2---run-bloodhound-from-local-disk"], "tags": {"name": "Detect SharpHound Command-Line Arguments", "analytic_story": ["Discovery Techniques", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Possible SharpHound command-Line arguments identified on $dest$", "mitre_attack_id": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "admin@338"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/sharphound/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_sharphound_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_sharphound_command_line_arguments.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect SharpHound File Modifications", "id": "42b4b438-beed-11eb-ba1d-acde48001122", "version": 2, "date": "2022-10-09", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "SharpHound is used as a reconnaissance collector, ingestor, for BloodHound. SharpHound will query the domain controller and begin gathering all the data related to the domain and trusts. For output, it will drop a .zip file upon completion following a typical pattern that is often not changed. This analytic focuses on the default file name scheme. Note that this may be evaded with different parameters within SharpHound, but that depends on the operator. `-randomizefilenames` and `-encryptzip` are two examples. In addition, executing SharpHound via .exe or .ps1 without any command-line arguments will still perform activity and dump output to the default filename. Example default filename `20210601181553_BloodHound.zip`. SharpHound creates multiple temp files following the same pattern `20210601182121_computers.json`, `domains.json`, `gpos.json`, `ous.json` and `users.json`. Tuning may be required, or remove these json's entirely if it is too noisy. During traige, review parallel processes for further suspicious behavior. Typically, the process executing the `.ps1` ingestor will be PowerShell.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*bloodhound.zip\", \"*_computers.json\", \"*_gpos.json\", \"*_domains.json\", \"*_users.json\", \"*_groups.json\", \"*_ous.json\", \"*_containers.json\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_file_modifications_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on file modifications that include the name of the process, and file, responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "False positives should be limited as the analytic is specific to a filename with extension .zip. Filter as needed.", "references": ["https://attack.mitre.org/software/S0521/", "https://thedfirreport.com/?s=bloodhound", "https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors", "https://github.com/BloodHoundAD/SharpHound3", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md#atomic-test-2---run-bloodhound-from-local-disk"], "tags": {"name": "Detect SharpHound File Modifications", "analytic_story": ["Discovery Techniques", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Potential SharpHound file modifications identified on $dest$", "mitre_attack_id": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "file_path", "dest", "file_name", "process_id", "file_create_time"], "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "admin@338"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/sharphound/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_sharphound_file_modifications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_sharphound_file_modifications.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect SharpHound Usage", "id": "dd04b29a-beed-11eb-87bc-acde48001122", "version": 2, "date": "2021-05-27", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies SharpHound binary usage by using the original filena,e. In addition to renaming the PE, other coverage is available to detect command-line arguments. This particular analytic looks for the original_file_name of `SharpHound.exe` and the process name. It is possible older instances of SharpHound.exe have different original filenames. Dependent upon the operator, the code may be re-compiled and the attributes removed or changed to anything else. During triage, review the metadata of the binary in question. Review parallel processes for suspicious behavior. Identify the source of this binary.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=sharphound.exe OR Processes.original_file_name=SharpHound.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_usage_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited as this is specific to a file attribute not used by anything else. Filter as needed.", "references": ["https://attack.mitre.org/software/S0521/", "https://thedfirreport.com/?s=bloodhound", "https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors", "https://github.com/BloodHoundAD/SharpHound3", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md#atomic-test-2---run-bloodhound-from-local-disk"], "tags": {"name": "Detect SharpHound Usage", "analytic_story": ["Discovery Techniques", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Potential SharpHound binary identified on $dest$", "mitre_attack_id": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "admin@338"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/sharphound/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_sharphound_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_sharphound_usage.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect suspicious processnames using pretrained model in DSDL", "id": "a15f8977-ad7d-4669-92ef-b59b97219bf5", "version": 1, "date": "2023-01-23", "author": "Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk", "type": "Anomaly", "status": "experimental", "description": "The following analytic uses a pre-trained Deep Learning model to predict whether a processname is suspicious or not. Malwares and malicious programs such as ransomware often use tactics, techniques, and procedures (TTPs) such as copying malicious files to the local machine to propagate themselves across the network. A key indicator of compromise is that after a successful execution of the malware, it copies itself as an executable file with a randomly generated filename and places this file in one of the directories. Such techniques are seen in several malwares such as TrickBot. We develop machine learning model that uses a Recurrent Neural Network (RNN) to distinguish between malicious and benign processnames. The model is trained independently and is then made available for download. We use a character level RNN to classify malicious vs. benign processnames. The higher is_malicious_prob, the more likely is the processname to be suspicious (between [0,1]). The threshold for flagging a processname as suspicious is set as 0.5.", "data_source": ["Sysmon Event Code 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.process_name Processes.parent_process_name Processes.process Processes.user Processes.dest | `drop_dm_object_name(Processes)` | rename process_name as text | fields text, parent_process_name, process, user, dest | apply detect_suspicious_processnames_using_pretrained_model_in_dsdl | rename predicted_label as is_suspicious_score | rename text as process_name | where is_suspicious_score > 0.5 | `detect_suspicious_processnames_using_pretrained_model_in_dsdl_filter`", "how_to_implement": "Steps to deploy detect suspicious processnames model into Splunk App DSDL. This detection depends on the Splunk app for Data Science and Deep Learning which can be found here - `https://splunkbase.splunk.com/app/4607/` and the Endpoint datamodel. The detection uses a pre-trained deep learning model that needs to be deployed in the DSDL app. Follow the steps for deployment here - `https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU`.\\\n* Download the `artifacts .tar.gz` file from the link - `https://seal.splunkresearch.com/detect_suspicious_processnames_using_pretrained_model_in_dsdl.tar.gz`.\\\n* Download the `detect_suspicious_processnames_using_pretrained_model_in_dsdl.ipynb` Jupyter notebook from the link - `https://github.com/splunk/security_content/notebooks`.\\\n* Login to the Jupyter Lab assigned for `detect_suspicious_processnames_using_pretrained_model_in_dsdl` container. This container should be listed on Containers page for DSDL app.\\\n* Follow the steps below inside Jupyter Notebook:\\\n* Upload the `detect_suspicious_processnames_using_pretrained_model_in_dsdl.tar.gz` file into `app/model/data/detect_suspicious_processnames_using_pretrained_model_in_dsdl/` path using the upload option in the Jupyter Notebook.\\\n* Untar the artifact `detect_suspicious_processnames_using_pretrained_model_in_dsdl.tar.gz` using `tar -xf app/model/data/detect_suspicious_processnames_using_pretrained_model_in_dsdl.tar.gz -C app/model/data/detect_suspicious_processnames_using_pretrained_model_in_dsdl/`.\\\n* Upload `detect_suspicious_processnames_using_pretrained_model_in_dsdl.ipynb` into the Jupyter Notebooks folder using the upload option in Jupyter Notebook.\\\n* Save the notebook using the save option in Jupyter Notebook.\\\n* Upload `detect_suspicious_processnames_using_pretrained_model_in_dsdl.json` into `notebooks/data` folder.", "known_false_positives": "False positives may be present if a suspicious processname is similar to a benign processname.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa20-302a", "https://www.splunk.com/en_us/blog/security/random-words-on-entropy-and-dns.html"], "tags": {"name": "Detect suspicious processnames using pretrained model in DSDL", "analytic_story": ["Suspicious Command-Line Executions"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Installation"], "message": "The process $process$ is running from an unusual place by $user$ on $dest$ with a processname that appears to be randomly generated.", "mitre_attack_id": ["T1059"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.parent_process_name", "Processes.process_name", "Processes.parent_process", "Processes.user", "Processes.dest"], "risk_score": 45, "security_domain": "Endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_suspicious_processnames_using_pretrained_model_in_dsdl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect Use of cmd exe to Launch Script Interpreters", "id": "b89919ed-fe5f-492c-b139-95dbb162039e", "version": 4, "date": "2020-07-21", "author": "Bhavin Patel, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This search looks for the execution of the cscript.exe or wscript.exe processes, with a parent of cmd.exe. The search will return the count, the first and last time this execution was seen on a machine, the user, and the destination of the machine", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process) min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=\"cmd.exe\" (Processes.process_name=cscript.exe OR Processes.process_name =wscript.exe) by Processes.parent_process Processes.process_name Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `detect_use_of_cmd_exe_to_launch_script_interpreters_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Some legitimate applications may exhibit this behavior.", "references": [], "tags": {"name": "Detect Use of cmd exe to Launch Script Interpreters", "analytic_story": ["Emotet Malware DHS Report TA18-201A ", "Suspicious Command-Line Executions", "Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation"], "message": "cmd.exe launching script interpreters on $dest$", "mitre_attack_id": ["T1059", "T1059.003"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.parent_process_name", "Processes.process_name", "Processes.parent_process", "Processes.user", "Processes.dest"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/cmd_spawns_cscript/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_use_of_cmd_exe_to_launch_script_interpreters_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect Webshell Exploit Behavior", "id": "22597426-6dbd-49bd-bcdc-4ec19857192f", "version": 2, "date": "2023-04-26", "author": "Steven Dick", "type": "TTP", "status": "production", "description": "This search is used to detect the abuse of web applications by adversaries. Adversaries may install a backdoor or script onto web servers by exploiting known vulnerabilities or misconfigruations. Web shells are used to establish persistent access to systems and provide a set of executable functions or a command-line interface on the system hosting the Web server.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime from datamodel=Endpoint.Processes where (Processes.process_name IN (\"arp.exe\",\"at.exe\",\"bash.exe\",\"bitsadmin.exe\",\"certutil.exe\",\"cmd.exe\",\"cscript.exe\", \"dsget.exe\",\"dsquery.exe\",\"find.exe\",\"findstr.exe\",\"fsutil.exe\",\"hostname.exe\",\"ipconfig.exe\",\"ksh.exe\",\"nbstat.exe\", \"net.exe\",\"net1.exe\",\"netdom.exe\",\"netsh.exe\",\"netstat.exe\",\"nltest.exe\",\"nslookup.exe\",\"ntdsutil.exe\",\"pathping.exe\", \"ping.exe\",\"powershell.exe\",\"pwsh.exe\",\"qprocess.exe\",\"query.exe\",\"qwinsta.exe\",\"reg.exe\",\"rundll32.exe\",\"sc.exe\", \"scrcons.exe\",\"schtasks.exe\",\"sh.exe\",\"systeminfo.exe\",\"tasklist.exe\",\"tracert.exe\",\"ver.exe\",\"vssadmin.exe\", \"wevtutil.exe\",\"whoami.exe\",\"wmic.exe\",\"wscript.exe\",\"wusa.exe\",\"zsh.exe\") AND Processes.parent_process_name IN (\"w3wp.exe\", \"http*.exe\", \"nginx*.exe\", \"php*.exe\", \"php-cgi*.exe\",\"tomcat*.exe\")) by Processes.dest,Processes.user,Processes.parent_process,Processes.parent_process_name,Processes.process,Processes.process_name | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_webshell_exploit_behavior_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that includes the full command line of the process being launched on your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Legitimate OS functions called by vendor applications, baseline the environment and filter before enabling. Recommend throttle by dest/process_name", "references": ["https://attack.mitre.org/techniques/T1505/003/", "https://github.com/nsacyber/Mitigating-Web-Shells", "https://www.hackingarticles.in/multiple-ways-to-exploit-tomcat-manager/"], "tags": {"name": "Detect Webshell Exploit Behavior", "analytic_story": ["ProxyShell", "ProxyNotShell", "HAFNIUM Group", "CISA AA22-257A", "CISA AA22-264A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "kill_chain_phases": ["Installation"], "message": "Webshell Exploit Behavior - $parent_process_name$ spawned $process_name$ on $dest$.", "mitre_attack_id": ["T1505", "T1505.003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.parent_process_name", "Processes.process", "Processes.process_name"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "supported_tas": ["Splunk_TA_microsoft_sysmon"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.003/generic_webshell_exploit/generic_webshell_exploit.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_webshell_exploit_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [{"name": "Splunk Add-on for Sysmon", "url": "https://splunkbase.splunk.com/app/5709"}], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_webshell_exploit_behavior.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect WMI Event Subscription Persistence", "id": "01d9a0c2-cece-11eb-ab46-acde48001122", "version": 1, "date": "2021-06-16", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of WMI Event Subscription to establish persistence or perform privilege escalation. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges. This analytic is restricted by commonly added process execution and a path. If the volume is low enough, remove the values and flag on any new subscriptions.\\\nAll event subscriptions have three components \\\n1. Filter - WQL Query for the events we want. EventID equals 19 \\\n1. Consumer - An action to take upon triggering the filter. EventID equals 20 \\\n1. Binding - Registers a filter to a consumer. EventID equals 21 \\\nMonitor for the creation of new WMI EventFilter, EventConsumer, and FilterToConsumerBinding. It may be pertinent to review all 3 to identify the flow of execution. In addition, EventCode 4104 may assist with any other PowerShell script usage that registered the subscription.", "data_source": ["Sysmon Event ID 20"], "search": "`sysmon` EventID=20 | stats count min(_time) as firstTime max(_time) as lastTime by Computer User Destination | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_wmi_event_subscription_persistence_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with that provide WMI Event Subscription from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA and have enabled EventID 19, 20 and 21. Tune and filter known good to limit the volume.", "known_false_positives": "It is possible some applications will create a consumer and may be required to be filtered. For tuning, add any additional LOLBin's for further depth of coverage.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md", "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", "https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/WMI-events.md", "https://in.security/2019/04/03/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/"], "tags": {"name": "Detect WMI Event Subscription Persistence", "analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "Possible malicious WMI Subscription created on $dest$", "mitre_attack_id": ["T1546.003", "T1546"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Destination", "Computer", "User"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.003", "mitre_attack_technique": "Windows Management Instrumentation Event Subscription", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT33", "Blue Mockingbird", "FIN8", "Leviathan", "Metador", "Mustang Panda", "Turla"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.003/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_wmi_event_subscription_persistence_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_wmi_event_subscription_persistence.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Detection of tools built by NirSoft", "id": "3d8d201c-aa03-422d-b0ee-2e5ecf9718c0", "version": 3, "date": "2020-07-21", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "experimental", "description": "This search looks for specific command-line arguments that may indicate the execution of tools made by Nirsoft, which are legitimate, but may be abused by attackers.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process=\"* /stext *\" OR Processes.process=\"* /scomma *\" ) by Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `detection_of_tools_built_by_nirsoft_filter`", "how_to_implement": "You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "While legitimate, these NirSoft tools are prone to abuse. You should verfiy that the tool was used for a legitimate purpose.", "references": [], "tags": {"name": "Detection of tools built by NirSoft", "analytic_story": ["Emotet Malware DHS Report TA18-201A "], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "message": "tbd", "mitre_attack_id": ["T1072"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.parent_process", "Processes.process_name", "Processes.user"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1072", "mitre_attack_technique": "Software Deployment Tools", "mitre_attack_tactics": ["Execution", "Lateral Movement"], "mitre_attack_groups": ["APT32", "Sandworm Team", "Silence", "Threat Group-1314"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detection_of_tools_built_by_nirsoft_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detection_of_tools_built_by_nirsoft.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disable AMSI Through Registry", "id": "9c27ec42-d338-11eb-9044-acde48001122", "version": 4, "date": "2023-04-11", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "this search is to identify modification in registry to disable AMSI windows feature to evade detections. This technique was seen in several ransomware, RAT and even APT to impaire defenses of the compromise machine and to be able to execute payload with minimal alert as much as possible.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\" Registry.registry_value_data = \"0x00000000\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_amsi_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "network operator may disable this feature of windows but not so common.", "references": ["https://blog.f-secure.com/hunting-for-amsi-bypasses/", "https://gist.github.com/rxwx/8955e5abf18dc258fd6b43a3a7f4dbf9"], "tags": {"name": "Disable AMSI Through Registry", "analytic_story": ["Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Disable AMSI Through Registry", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_amsi_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disable_amsi_through_registry.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disable Defender AntiVirus Registry", "id": "aa4f695a-3024-11ec-9987-acde48001122", "version": 4, "date": "2023-04-11", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This particular behavior is typically executed when an adversary or malware gains access to an endpoint and begins to perform execution and to evade detections. Usually, a batch (.bat) file will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Policies\\\\Microsoft\\\\Windows Defender*\" Registry.registry_value_name IN (\"DisableAntiSpyware\",\"DisableAntiVirus\") Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_antivirus_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable windows defender product", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"name": "Disable Defender AntiVirus Registry", "analytic_story": ["IcedID", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_defender_antivirus_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disable_defender_antivirus_registry.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disable Defender BlockAtFirstSeen Feature", "id": "2dd719ac-3021-11ec-97b4-acde48001122", "version": 4, "date": "2023-04-11", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is intended to detect a suspicious modification of the Windows registry to disable a Windows Defender feature. This technique is intended to bypass or evade detection from Windows Defender AV, specifically the BlockAtFirstSeen feature where it blocks suspicious files the first time seen on the host.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Microsoft\\\\Windows Defender\\\\SpyNet*\" Registry.registry_value_name = DisableBlockAtFirstSeen Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_blockatfirstseen_feature_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable windows defender product", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"name": "Disable Defender BlockAtFirstSeen Feature", "analytic_story": ["IcedID", "Windows Registry Abuse", "Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_defender_blockatfirstseen_feature_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disable_defender_blockatfirstseen_feature.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disable Defender Enhanced Notification", "id": "dc65678c-301f-11ec-8e30-acde48001122", "version": 3, "date": "2022-11-14", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is intended to detect a suspicious modification of registry to disable windows defender features. This technique attempts to bypass or evade detection from Windows Defender AV, specifically the Enhanced Notification feature where a user or admin would receive alerts.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*Microsoft\\\\Windows Defender\\\\Reporting*\" Registry.registry_value_name = DisableEnhancedNotifications Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_antivirus_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "user may choose to disable windows defender AV", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"name": "Disable Defender Enhanced Notification", "analytic_story": ["IcedID", "Windows Registry Abuse", "Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.user", "Processes.dest", "Processes.process_id", "Processes.process_name", "Processes.process", "Processes.process_path", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_guid", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_defender_enhanced_notification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disable_defender_enhanced_notification.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disable Defender MpEngine Registry", "id": "cc391750-3024-11ec-955a-acde48001122", "version": 4, "date": "2023-04-11", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This particular behavior is typically executed when an adversary or malware gains access to an endpoint and begins to perform execution and to evade detections. Usually, a batch (.bat) file will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\MpEngine*\" Registry.registry_value_name = MpEnablePus Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_mpengine_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable windows defender product", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"name": "Disable Defender MpEngine Registry", "analytic_story": ["IcedID", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_defender_mpengine_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disable_defender_mpengine_registry.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disable Defender Spynet Reporting", "id": "898debf4-3021-11ec-ba7c-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is intended to detect a suspicious modification of registry to disable Windows Defender feature. This technique is intended to bypass or evade detection from Windows Defender AV product, specifically the spynet reporting for Defender telemetry.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Microsoft\\\\Windows Defender\\\\SpyNet*\" Registry.registry_value_name = SpynetReporting Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_spynet_reporting_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable windows defender product", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"name": "Disable Defender Spynet Reporting", "analytic_story": ["IcedID", "Windows Registry Abuse", "Azorult", "Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_defender_spynet_reporting_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disable_defender_spynet_reporting.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disable Defender Submit Samples Consent Feature", "id": "73922ff8-3022-11ec-bf5e-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is intended to detect a suspicious modification of the Windows registry to disable a Windows Defender feature. This technique is intended to bypass or evade detection from Windows Defender AV, specifically the feature that submits samples for further analysis.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Microsoft\\\\Windows Defender\\\\SpyNet*\" Registry.registry_value_name = SubmitSamplesConsent Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_submit_samples_consent_feature_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable windows defender product", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"name": "Disable Defender Submit Samples Consent Feature", "analytic_story": ["IcedID", "Windows Registry Abuse", "Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "modified/added/deleted registry entry $Registry.registry_path$ in $dest$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_defender_submit_samples_consent_feature_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disable_defender_submit_samples_consent_feature.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disable ETW Through Registry", "id": "f0eacfa4-d33f-11eb-8f9d-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "this search is to identify modification in registry to disable ETW windows feature to evade detections. This technique was seen in several ransomware, RAT and even APT to impaire defenses of the compromise machine and to be able to execute payload with minimal alert as much as possible.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\ETWEnabled\" Registry.registry_value_data = \"0x00000000\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_etw_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "network operator may disable this feature of windows but not so common.", "references": ["https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/"], "tags": {"name": "Disable ETW Through Registry", "analytic_story": ["Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Disable ETW Through Registry", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_etw_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disable_etw_through_registry.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disable Logs Using WevtUtil", "id": "236e7c8e-c9d9-11eb-a824-acde48001122", "version": 1, "date": "2021-06-10", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect execution of wevtutil.exe to disable logs. This technique was seen in several ransomware to disable the event logs to evade alerts and detections.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"wevtutil.exe\" Processes.process = \"*sl*\" Processes.process = \"*/e:false*\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_logs_using_wevtutil_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "network operator may disable audit event logs for debugging purposes.", "references": ["https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/"], "tags": {"name": "Disable Logs Using WevtUtil", "analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "WevtUtil.exe used to disable Event Logging on $dest", "mitre_attack_id": ["T1070", "T1070.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.dest", "Processes.user", "Processes.process_id", "Processes.process_guid"], "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data1/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_logs_using_wevtutil_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disable_logs_using_wevtutil.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disable Registry Tool", "id": "cd2cf33c-9201-11eb-a10a-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search identifies modification of registry to disable the regedit or registry tools of the windows operating system. Since registry tool is a swiss knife in analyzing registry, malware such as RAT or trojan Spy disable this application to prevent the removal of their registry entry such as persistence, file less components and defense evasion.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableRegistryTools\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_registry_tool_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin may disable this application for non technical user.", "references": ["https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry"], "tags": {"name": "Disable Registry Tool", "analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 40, "kill_chain_phases": ["Exploitation"], "message": "Disabled Registry Tools on $dest$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_registry_tool_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disable_registry_tool.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disable Schedule Task", "id": "db596056-3019-11ec-a9ff-acde48001122", "version": 1, "date": "2021-10-18", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to detect a suspicious commandline to disable existing schedule task. This technique is used by adversaries or commodity malware like IcedID to disable security application (AV products) in the targetted host to evade detections. This TTP is a good pivot to check further why and what other process run before and after this detection. check which process execute the commandline and what task is disabled. parent child process is quite valuable in this scenario too.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe Processes.process=*/change* Processes.process=*/disable* by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_schedule_task_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "admin may disable problematic schedule task", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"name": "Disable Schedule Task", "analytic_story": ["IcedID", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "schtask process with commandline $process$ to disable schedule task in $dest$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.user", "Processes.process_name", "Processes.parent_process_name", "Processes.dest"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_schtask/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_schedule_task_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disable_schedule_task.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disable Security Logs Using MiniNt Registry", "id": "39ebdc68-25b9-11ec-aec7-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to detect a suspicious registry modification to disable security audit logs. This technique was shared by a researcher to disable Security logs of windows by adding this registry. The Windows will think it is WinPE and will not log any event to the Security Log", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\Control\\\\MiniNt\\\\*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_security_logs_using_minint_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "Unknown.", "references": ["https://twitter.com/0gtweet/status/1182516740955226112"], "tags": {"name": "Disable Security Logs Using MiniNt Registry", "analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "modified/added/deleted registry entry $Registry.registry_path$ in $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/minint_reg/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_security_logs_using_minint_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disable_security_logs_using_minint_registry.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disable Show Hidden Files", "id": "6f3ccfa2-91fe-11eb-8f9b-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic is to identify a modification in the Windows registry to prevent users from seeing all the files with hidden attributes. This event or techniques are known on some worm and trojan spy malware that will drop hidden files on the infected machine.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\HideFileExt\" Registry.registry_value_data = \"0x00000001\") OR (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden\" Registry.registry_value_data = \"0x00000000\")) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_show_hidden_files_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "references": ["https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Tiotua-P/detailed-analysis"], "tags": {"name": "Disable Show Hidden Files", "analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse", "Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 40, "kill_chain_phases": ["Exploitation"], "message": "Disabled 'Show Hidden Files' on $dest$", "mitre_attack_id": ["T1564.001", "T1562.001", "T1564", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1564.001", "mitre_attack_technique": "Hidden Files and Directories", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "HAFNIUM", "Lazarus Group", "LuminousMoth", "Mustang Panda", "Rocke", "Transparent Tribe", "Tropic Trooper"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1564", "mitre_attack_technique": "Hide Artifacts", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_show_hidden_files_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disable_show_hidden_files.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disable UAC Remote Restriction", "id": "9928b732-210e-11ec-b65e-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to detect a suspicious modification of registry to disable UAC remote restriction. This technique was well documented in Microsoft page where attacker may modify this registry value to bypassed UAC feature of windows host. This is a good indicator that some tries to bypassed UAC to suspicious process or gain privilege escalation.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\CurrentVersion\\\\Policies\\\\System*\" Registry.registry_value_name=\"LocalAccountTokenFilterPolicy\" Registry.registry_value_data=\"0x00000001\" ) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_uac_remote_restriction_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin may set this policy for non-critical machine.", "references": ["https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/user-account-control-and-remote-restriction"], "tags": {"name": "Disable UAC Remote Restriction", "analytic_story": ["Windows Defense Evasion Tactics", "Suspicious Windows Registry Activities", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "modified/added/deleted registry entry $Registry.registry_path$ in $dest$", "mitre_attack_id": ["T1548.002", "T1548"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/LocalAccountTokenFilterPolicy/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_uac_remote_restriction_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disable_uac_remote_restriction.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disable Windows App Hotkeys", "id": "1490f224-ad8b-11eb-8c4f-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunkk", "type": "TTP", "status": "production", "description": "This analytic detects a suspicious registry modification to disable Windows hotkey (shortcut keys) for native Windows applications. This technique is commonly used to disable certain or several Windows applications like `taskmgr.exe` and `cmd.exe`. This technique is used to impair the analyst in analyzing and removing the attacker implant in compromised systems.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\" AND Registry.registry_value_data= \"HotKey Disabled\" AND Registry.registry_value_name = \"Debugger\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_app_hotkeys_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"name": "Disable Windows App Hotkeys", "analytic_story": ["XMRig", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 40, "kill_chain_phases": ["Exploitation"], "message": "Disabled 'Windows App Hotkeys' on $dest$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guidr"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/hotkey_disabled_hidden_user/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_windows_app_hotkeys_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disable_windows_app_hotkeys.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disable Windows Behavior Monitoring", "id": "79439cae-9200-11eb-a4d3-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to identifies a modification in registry to disable the windows denfender real time behavior monitoring. This event or technique is commonly seen in RAT, bot, or Trojan to disable AV to evade detections.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableBehaviorMonitoring\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableOnAccessProtection\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableScanOnRealtimeEnable\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableRealtimeMonitoring\" OR Registry.registry_path= \"*\\\\Real-Time Protection\\\\DisableIntrusionPreventionSystem\" OR Registry.registry_path= \"*\\\\Real-Time Protection\\\\DisableIOAVProtection\" OR Registry.registry_path= \"*\\\\Real-Time Protection\\\\DisableScriptScanning\" AND Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_behavior_monitoring_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable this windows features.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html"], "tags": {"name": "Disable Windows Behavior Monitoring", "analytic_story": ["Azorult", "Windows Registry Abuse", "Revil Ransomware", "RedLine Stealer", "Ransomware", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 40, "kill_chain_phases": ["Exploitation"], "message": "Windows Defender real time behavior monitoring disabled on $dest", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_windows_behavior_monitoring_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disable_windows_behavior_monitoring.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disable Windows SmartScreen Protection", "id": "664f0fd0-91ff-11eb-a56f-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following search identifies a modification of registry to disable the smartscreen protection of windows machine. This is windows feature provide an early warning system against website that might engage in phishing attack or malware distribution. This modification are seen in RAT malware to cover their tracks upon downloading other of its component or other payload.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\SmartScreenEnabled\" Registry.registry_value_data= \"Off\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_smartscreen_protection_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable this windows features.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html"], "tags": {"name": "Disable Windows SmartScreen Protection", "analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "The Windows Smartscreen was disabled on $dest$ by $user$.", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_windows_smartscreen_protection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disable_windows_smartscreen_protection.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disabled Kerberos Pre-Authentication Discovery With Get-ADUser", "id": "114c6bfe-9406-11ec-bcce-acde48001122", "version": 2, "date": "2022-05-03", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADUser` commandlet with specific parameters. `Get-ADUser` is part of the Active Directory PowerShell module used to manage Windows Active Directory networks. As the name suggests, `Get-ADUser` is used to query for domain users. With the appropiate parameters, Get-ADUser allows adversaries to discover domain accounts with Kerberos Pre Authentication disabled.\\ Red Teams and adversaries alike use may abuse Get-ADUSer to enumerate these accounts and attempt to crack their passwords offline.", "data_source": ["Powershell 4104"], "search": " `powershell` EventCode=4104 (ScriptBlockText = \"*Get-ADUser*\" AND ScriptBlockText=\"*4194304*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `disabled_kerberos_pre_authentication_discovery_with_get_aduser_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use search for accounts with Kerberos Pre Authentication disabled for legitimate purposes.", "references": ["https://attack.mitre.org/techniques/T1558/004/", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/"], "tags": {"name": "Disabled Kerberos Pre-Authentication Discovery With Get-ADUser", "analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "Disabled Kerberos Pre-Authentication Discovery With Get-ADUser from $dest$", "mitre_attack_id": ["T1558", "T1558.004"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.004", "mitre_attack_technique": "AS-REP Roasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.004/getaduser/get-aduser-powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "disabled_kerberos_pre_authentication_discovery_with_get_aduser_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Disabled Kerberos Pre-Authentication Discovery With PowerView", "id": "b0b34e2c-90de-11ec-baeb-acde48001122", "version": 2, "date": "2022-05-03", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` commandlet with specific parameters. `Get-DomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows Active Directory networks. As the name suggests, `Get-DomainUser` is used to identify domain users and combining it with `-PreauthNotRequired` allows adversaries to discover domain accounts with Kerberos Pre Authentication disabled.\\ Red Teams and adversaries alike use may leverage PowerView to enumerate these accounts and attempt to crack their passwords offline.", "data_source": ["Powershell 4104"], "search": " `powershell` EventCode=4104 (ScriptBlockText = \"*Get-DomainUser*\" AND ScriptBlockText=\"*PreauthNotRequired*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `disabled_kerberos_pre_authentication_discovery_with_powerview_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use PowerView for troubleshooting", "references": ["https://attack.mitre.org/techniques/T1558/004/", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/"], "tags": {"name": "Disabled Kerberos Pre-Authentication Discovery With PowerView", "analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "Disabled Kerberos Pre-Authentication Discovery With PowerView from $dest$", "mitre_attack_id": ["T1558", "T1558.004"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.004", "mitre_attack_technique": "AS-REP Roasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/getdomainuser.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "disabled_kerberos_pre_authentication_discovery_with_powerview_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_powerview.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Disabling CMD Application", "id": "ff86077c-9212-11eb-a1e6-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "this search is to identify modification in registry to disable cmd prompt application. This technique is commonly seen in RAT, Trojan or WORM to prevent triaging or deleting there samples through cmd application which is one of the tool of analyst to traverse on directory and files.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\DisableCMD\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_cmd_application_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin may disable this application for non technical user.", "references": ["https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry"], "tags": {"name": "Disabling CMD Application", "analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "The Windows command prompt was disabled on $dest$ by $user$.", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disabling_cmd_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disabling_cmd_application.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disabling ControlPanel", "id": "6ae0148e-9215-11eb-a94a-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "this search is to identify registry modification to disable control panel window. This technique is commonly seen in malware to prevent their artifacts , persistence removed on the infected machine.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoControlPanel\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_controlpanel_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin may disable this application for non technical user.", "references": ["https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry"], "tags": {"name": "Disabling ControlPanel", "analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "The Windows Control Panel was disabled on $dest$ by $user$.", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disabling_controlpanel_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disabling_controlpanel.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disabling Defender Services", "id": "911eacdc-317f-11ec-ad30-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This particular behavior is typically executed when an adversaries or malware gains access to an endpoint and beings to perform execution and to evade detections. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\System\\\\CurrentControlSet\\\\Services\\\\*\" AND (Registry.registry_path IN(\"*WdBoot*\", \"*WdFilter*\", \"*WdNisDrv*\", \"*WdNisSvc*\",\"*WinDefend*\", \"*SecurityHealthService*\")) AND Registry.registry_value_name = Start Registry.registry_value_data = 0x00000004) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_defender_services_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable windows defender product", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"name": "Disabling Defender Services", "analytic_story": ["IcedID", "Windows Registry Abuse", "RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon2.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disabling_defender_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disabling_defender_services.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disabling Firewall with Netsh", "id": "6860a62c-9203-11eb-9e05-acde48001122", "version": 2, "date": "2021-03-31", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process= \"*firewall*\" (Processes.process= \"*off*\" OR Processes.process= \"*disable*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_firewall_with_netsh_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "admin may disable firewall during testing or fixing network problem.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html"], "tags": {"name": "Disabling Firewall with Netsh", "analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "The Windows Firewall was disabled on $dest$ by $user$.", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_netsh", "definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disabling_firewall_with_netsh_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disabling_firewall_with_netsh.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disabling FolderOptions Windows Feature", "id": "83776de4-921a-11eb-868a-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to identify registry modification to disable folder options feature of windows to show hidden files, file extension and etc. This technique used by malware in combination if disabling show hidden files feature to hide their files and also to hide the file extension to lure the user base on file icons or fake file extensions.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoFolderOptions\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_folderoptions_windows_feature_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin may disable this application for non technical user.", "references": ["https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry"], "tags": {"name": "Disabling FolderOptions Windows Feature", "analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "The Windows Folder Options, to hide files, was disabled on $dest$ by $user$.", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disabling_folderoptions_windows_feature_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disabling_folderoptions_windows_feature.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disabling Net User Account", "id": "c0325326-acd6-11eb-98c2-acde48001122", "version": 2, "date": "2021-05-04", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic will identify a suspicious command-line that disables a user account using the `net.exe` utility native to Windows. This technique may used by the adversaries to interrupt availability of such users to do their malicious act.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process=\"*user*\" AND Processes.process=\"*/active:no*\" by Processes.process_name Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_net_user_account_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"name": "Disabling Net User Account", "analytic_story": ["XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified disabling a user account on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1531"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "disabling_net_user_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disabling_net_user_account.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disabling NoRun Windows App", "id": "de81bc46-9213-11eb-adc9-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to identify modification of registry to disable run application in window start menu. this application is known to be a helpful shortcut to windows OS user to run known application and also to execute some reg or batch script. This technique is used malware to make cleaning of its infection more harder by preventing known application run easily through run shortcut.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoRun\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_norun_windows_app_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin may disable this application for non technical user.", "references": ["https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry", "https://blog.malwarebytes.com/detections/pum-optional-norun/"], "tags": {"name": "Disabling NoRun Windows App", "analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "The Windows registry was modified to disable run application in window start menu on $dest$ by $user$.", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disabling_norun_windows_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disabling_norun_windows_app.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disabling Remote User Account Control", "id": "bbc644bc-37df-4e1a-9c88-ec9a53e2038c", "version": 4, "date": "2020-11-18", "author": "David Dorsey, Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "The search looks for modifications to registry keys that control the enforcement of Windows User Account Control (UAC).", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path=*HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA* Registry.registry_value_data=\"0x00000000\" by Registry.dest, Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action | `drop_dm_object_name(Registry)` | `disabling_remote_user_account_control_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report registry modifications.", "known_false_positives": "This registry key may be modified via administrators to implement a change in system policy. This type of change should be a very rare occurrence.", "references": [], "tags": {"name": "Disabling Remote User Account Control", "analytic_story": ["Windows Defense Evasion Tactics", "Suspicious Windows Registry Activities", "Remcos", "Windows Registry Abuse", "Azorult", "AgentTesla"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "The Windows registry keys that control the enforcement of Windows User Account Control (UAC) were modified on $dest$ by $user$.", "mitre_attack_id": ["T1548.002", "T1548"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_path", "Registry.registry_value_name", "Registry.dest", "Registry.registry_key_name", "Registry.user", "Registry.action"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disabling_remote_user_account_control_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disabling_remote_user_account_control.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disabling SystemRestore In Registry", "id": "f4f837e2-91fb-11eb-8bf6-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following search identifies the modification of registry related in disabling the system restore of a machine. This event or behavior are seen in some RAT malware to make the restore of the infected machine difficult and keep their infection on the box.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SystemRestore\\\\DisableSR\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SystemRestore\\\\DisableConfig\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\SystemRestore\\\\DisableSR\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\SystemRestore\\\\DisableConfig\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_systemrestore_in_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "in some cases admin can disable systemrestore on a machine.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html"], "tags": {"name": "Disabling SystemRestore In Registry", "analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "message": "The Windows registry was modified to disable system restore on $dest$ by $user$.", "mitre_attack_id": ["T1490"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disabling_systemrestore_in_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disabling_systemrestore_in_registry.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disabling Task Manager", "id": "dac279bc-9202-11eb-b7fb-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to identifies modification of registry to disable the task manager of windows operating system. this event or technique are commonly seen in malware such as RAT, Trojan, TrojanSpy or worm to prevent the user to terminate their process.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableTaskMgr\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_task_manager_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin may disable this application for non technical user.", "references": ["https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry", "https://blog.talosintelligence.com/2020/05/threat-roundup-0424-0501.html"], "tags": {"name": "Disabling Task Manager", "analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "The Windows Task Manager was disabled on $dest$ by $user$.", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disabling_task_manager_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disabling_task_manager.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disabling Windows Local Security Authority Defences via Registry", "id": "45cd08f8-a2c9-4f4e-baab-e1a0c624b0ab", "version": 1, "date": "2022-09-09", "author": "Dean Luxton", "type": "TTP", "status": "production", "description": "This detection looks for the deletion of registry keys which disable LSA protection and MS Defender Device Guard.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` min(_time) as _time from datamodel=Endpoint.Registry where Registry.registry_path IN (\"*\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\LsaCfgFlags\", \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DeviceGuard\\\\*\", \"*\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\RunAsPPL\") Registry.action IN (deleted, unknown) by Registry.action Registry.registry_path Registry.process_guid | `drop_dm_object_name(Registry)` | join type=outer process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by Processes.user Processes.process_name Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)`] | table _time action dest user parent_process_name parent_process process_name process process_guid registry_path | `disabling_windows_local_security_authority_defences_via_registry_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "Potential to be triggered by an administrator disabling protections for troubleshooting purposes.", "references": ["https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection", "https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage"], "tags": {"name": "Disabling Windows Local Security Authority Defences via Registry", "analytic_story": ["Windows Defence Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 60, "kill_chain_phases": ["Exploitation", "Installation"], "message": "An attempt to disable Windows LSA defences was detected on $dest$. The reg key $registry_path$ was deleted by $user$.", "mitre_attack_id": ["T1556"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.action", "Registry.registry_path", "Registry.dest", "Registry.user"], "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/disable_lsa_protection/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disabling_windows_local_security_authority_defences_via_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disabling_windows_local_security_authority_defences_via_registry.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "DLLHost with no Command Line Arguments with Network", "id": "f1c07594-a141-11eb-8407-acde48001122", "version": 4, "date": "2022-03-15", "author": "Steven Dick, Michael Haag, Splunk", "type": "TTP", "status": "experimental", "description": "The following analytic identifies DLLHost.exe with no command line arguments with a network connection. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=dllhost.exe Processes.action!=\"blocked\" by host _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(dllhost\\.exe.{0,4}$)\" | rename dest as src | join host process_id [| tstats `security_content_summariesonly` count latest(All_Traffic.dest) as dest latest(All_Traffic.dest_ip) as dest_ip latest(All_Traffic.dest_port) as dest_port FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by host All_Traffic.process_id | `drop_dm_object_name(All_Traffic)`] | `dllhost_with_no_command_line_arguments_with_network_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `port` node.", "known_false_positives": "Although unlikely, some legitimate third party applications may use a moved copy of dllhost, triggering a false positive.", "references": ["https://raw.githubusercontent.com/threatexpress/malleable-c2/c3385e481159a759f79b8acfe11acf240893b830/jquery-c2.4.2.profile", "https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/"], "tags": {"name": "DLLHost with no Command Line Arguments with Network", "analytic_story": ["Cobalt Strike"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "The process $process_name$ was spawned by $parent_process_name$ without any command-line arguments on $src$ by $user$.", "mitre_attack_id": ["T1055"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_image", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventID", "process_name", "process_id", "parent_process_name", "dest_port", "process_path"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon_dllhost.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint", "Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "dllhost_with_no_command_line_arguments_with_network_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "DNS Exfiltration Using Nslookup App", "id": "2452e632-9e0d-11eb-bacd-acde48001122", "version": 1, "date": "2021-04-15", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "this search is to detect potential DNS exfiltration using nslookup application. This technique are seen in couple of malware and APT group to exfiltrated collected data in a infected machine or infected network. This detection is looking for unique use of nslookup where it tries to use specific record type, TXT, A, AAAA, that are commonly used by attacker and also the retry parameter which is designed to query C2 DNS multiple tries.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id values(Processes.parent_process) as parent_process count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"nslookup.exe\" Processes.process = \"*-querytype=*\" OR Processes.process=\"*-qt=*\" OR Processes.process=\"*-q=*\" OR Processes.process=\"-type=*\" OR Processes.process=\"*-retry=*\" by Processes.dest Processes.user Processes.process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dns_exfiltration_using_nslookup_app_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of nslookup.exe may be used.", "known_false_positives": "admin nslookup usage", "references": ["https://www.mandiant.com/resources/fin7-spear-phishing-campaign-targets-personnel-involved-sec-filings", "https://www.varonis.com/blog/dns-tunneling", "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/"], "tags": {"name": "DNS Exfiltration Using Nslookup App", "analytic_story": ["Suspicious DNS Traffic", "Dynamic DNS", "Data Exfiltration", "Command And Control"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ performing activity related to DNS exfiltration.", "mitre_attack_id": ["T1048"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/nslookup_exfil/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "dns_exfiltration_using_nslookup_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/dns_exfiltration_using_nslookup_app.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Domain Account Discovery with Dsquery", "id": "b1a8ce04-04c2-11ec-bea7-acde48001122", "version": 1, "date": "2021-08-24", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to discover domain users. The `user` argument returns a list of all users registered in the domain. Red Teams and adversaries alike engage in remote system discovery for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"dsquery.exe\" AND Processes.process = \"*user*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_account_discovery_with_dsquery_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://jpcertcc.github.io/ToolAnalysisResultSheet/details/dsquery.htm", "https://attack.mitre.org/techniques/T1087/002/"], "tags": {"name": "Domain Account Discovery with Dsquery", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "mitre_attack_id": ["T1087.002", "T1087"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id", "Processes.parent_process_name"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "domain_account_discovery_with_dsquery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/domain_account_discovery_with_dsquery.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Domain Account Discovery With Net App", "id": "98f6a534-04c2-11ec-96b2-acde48001122", "version": 1, "date": "2021-08-24", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for domain users. Red Teams and adversaries alike may use net.exe to enumerate domain users for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process = \"* user*\" AND Processes.process = \"*/do*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_account_discovery_with_net_app_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/playbook-domain-dominance", "https://attack.mitre.org/techniques/T1087/002/"], "tags": {"name": "Domain Account Discovery With Net App", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "mitre_attack_id": ["T1087.002", "T1087"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id", "Processes.parent_process_name"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "domain_account_discovery_with_net_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/domain_account_discovery_with_net_app.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Domain Account Discovery with Wmic", "id": "383572e0-04c5-11ec-bdcc-acde48001122", "version": 1, "date": "2021-08-24", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for domain users. Red Teams and adversaries alike use wmic.exe to enumerate domain users for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"wmic.exe\" AND Processes.process = \"*/NAMESPACE:\\\\\\\\root\\\\directory\\\\ldap*\" AND Processes.process = \"*ds_user*\" AND Processes.process = \"*GET*\" AND Processes.process = \"*ds_samaccountname*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_account_discovery_with_wmic_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1087/002/"], "tags": {"name": "Domain Account Discovery with Wmic", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "mitre_attack_id": ["T1087.002", "T1087"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id", "Processes.parent_process_name"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "domain_account_discovery_with_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/domain_account_discovery_with_wmic.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Domain Controller Discovery with Nltest", "id": "41243735-89a7-4c83-bcdd-570aa78f00a1", "version": 1, "date": "2021-08-30", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `nltest.exe` with command-line arguments utilized to discover remote systems. The arguments `/dclist:` and '/dsgetdc:', can be used to return a list of all domain controllers. Red Teams and adversaries alike may use nltest.exe to identify domain controllers in a Windows Domain for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"nltest.exe\") (Processes.process=\"*/dclist:*\" OR Processes.process=\"*/dsgetdc:*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_controller_discovery_with_nltest_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1018/"], "tags": {"name": "Domain Controller Discovery with Nltest", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Domain controller discovery on $dest$ by $user$", "mitre_attack_id": ["T1018"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 21, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "domain_controller_discovery_with_nltest_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/domain_controller_discovery_with_nltest.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Domain Controller Discovery with Wmic", "id": "64c7adaa-48ee-483c-b0d6-7175bc65e6cc", "version": 1, "date": "2021-09-01", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to discover remote systems. The arguments utilized in this command line return a list of all domain controllers in a Windows domain. Red Teams and adversaries alike use *.exe to identify remote systems for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"wmic.exe\") (Processes.process=\"\" OR Processes.process=\"*DomainControllerAddress*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_controller_discovery_with_wmic_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1018/"], "tags": {"name": "Domain Controller Discovery with Wmic", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Domain controller discovery on $dest$ by $user$", "mitre_attack_id": ["T1018"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 21, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "domain_controller_discovery_with_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/domain_controller_discovery_with_wmic.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Domain Group Discovery with Adsisearcher", "id": "089c862f-5f83-49b5-b1c8-7e4ff66560c7", "version": 1, "date": "2021-08-25", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain groups for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (Message = \"*[adsisearcher]*\" AND Message = \"*(objectcategory=group)*\" AND Message = \"*findAll()*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User | `security_content_ctime(firstTime)` | `domain_group_discovery_with_adsisearcher_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use Adsisearcher for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/"], "tags": {"name": "Domain Group Discovery with Adsisearcher", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Domain group discovery enumeration using PowerShell on $dest$ by $user$", "mitre_attack_id": ["T1069", "T1069.002"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Message", "ComputerName", "User"], "risk_score": 18, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-powershell.log", "source": "WinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "wineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "domain_group_discovery_with_adsisearcher_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/domain_group_discovery_with_adsisearcher.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Domain Group Discovery With Dsquery", "id": "f0c9d62f-a232-4edd-b17e-bc409fb133d4", "version": 1, "date": "2021-09-01", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to query for domain groups. The argument `group`, returns a list of all domain groups. Red Teams and adversaries alike use may leverage dsquery.exe to enumerate domain groups for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"dsquery.exe\") (Processes.process=\"*group*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_group_discovery_with_dsquery_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1069/002/"], "tags": {"name": "Domain Group Discovery With Dsquery", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Domain group discovery enumeration on $dest$ by $user$", "mitre_attack_id": ["T1069", "T1069.002"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "domain_group_discovery_with_dsquery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/domain_group_discovery_with_dsquery.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Domain Group Discovery With Net", "id": "f2f14ac7-fa81-471a-80d5-7eb65c3c7349", "version": 1, "date": "2021-08-25", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `net.exe` with command-line arguments utilized to query for domain groups. The argument `group /domain`, returns a list of all domain groups. Red Teams and adversaries alike use net.exe to enumerate domain groups for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"net.exe\" OR Processes.process_name=\"net1.exe\") (Processes.process=*group* AND Processes.process=*/do*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_group_discovery_with_net_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1069/002/"], "tags": {"name": "Domain Group Discovery With Net", "analytic_story": ["Active Directory Discovery", "Windows Post-Exploitation", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Domain group discovery enumeration on $dest$ by $user$", "mitre_attack_id": ["T1069", "T1069.002"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "domain_group_discovery_with_net_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/domain_group_discovery_with_net.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Domain Group Discovery With Wmic", "id": "a87736a6-95cd-4728-8689-3c64d5026b3e", "version": 1, "date": "2021-08-25", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for domain groups. The arguments utilized in this command return a list of all domain groups. Red Teams and adversaries alike use wmic.exe to enumerate domain groups for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"wmic.exe\") (Processes.process=*/NAMESPACE:\\\\\\\\root\\\\directory\\\\ldap* AND Processes.process=*ds_group* AND Processes.process=\"*GET ds_samaccountname*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_group_discovery_with_wmic_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1069/002/"], "tags": {"name": "Domain Group Discovery With Wmic", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Domain group discovery enumeration on $dest$ by $user$", "mitre_attack_id": ["T1069", "T1069.002"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "domain_group_discovery_with_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/domain_group_discovery_with_wmic.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Download Files Using Telegram", "id": "58194e28-ae5e-11eb-8912-acde48001122", "version": 1, "date": "2021-05-06", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic will identify a suspicious download by the Telegram application on a Windows system. This behavior was identified on a honeypot where the adversary gained access, installed Telegram and followed through with downloading different network scanners (port, bruteforcer, masscan) to the system and later used to mapped the whole network and further move laterally.", "data_source": [], "search": "`sysmon` EventCode= 15 process_name = \"telegram.exe\" TargetFilename = \"*:Zone.Identifier\" |stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode Image process_id TargetFilename Hash | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `download_files_using_telegram_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and TargetFilename from your endpoints or Events that monitor filestream events which is happened when process download something. (EventCode 15) If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "normal download of file in telegram app. (if it was a common app in network)", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"name": "Download Files Using Telegram", "analytic_story": ["XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Command And Control"], "message": "Suspicious files were downloaded with the Telegram application on $dest$ by $user$.", "mitre_attack_id": ["T1105"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Computer", "EventCode", "Image", "process_id", "TargetFilename", "Hash"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/minergate/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "download_files_using_telegram_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/download_files_using_telegram.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Drop IcedID License dat", "id": "b7a045fc-f14a-11eb-8e79-acde48001122", "version": 1, "date": "2021-07-30", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "This search is to detect dropping a suspicious file named as \"license.dat\" in %appdata%. This behavior seen in latest IcedID malware that contain the actual core bot that will be injected in other process to do banking stealing.", "data_source": [], "search": "`sysmon` EventCode= 11 TargetFilename = \"*\\\\license.dat\" AND (TargetFilename=\"*\\\\appdata\\\\*\" OR TargetFilename=\"*\\\\programdata\\\\*\") |stats count min(_time) as firstTime max(_time) as lastTime by TargetFilename EventCode process_id process_name Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_icedid_license_dat_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "references": ["https://www.cisecurity.org/insights/white-papers/security-primer-icedid"], "tags": {"name": "Drop IcedID License dat", "analytic_story": ["IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "message": "process $SourceImage$ create a file $TargetImage$ in host $Computer$", "mitre_attack_id": ["T1204", "T1204.002"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "drop_icedid_license_dat_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/drop_icedid_license_dat.yml", "source": "endpoint"}, {"name": "DSQuery Domain Discovery", "id": "cc316032-924a-11eb-91a2-acde48001122", "version": 1, "date": "2021-03-31", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies \"dsquery.exe\" execution with arguments looking for `TrustedDomain` query directly on the command-line. This is typically indicative of an Administrator or adversary perform domain trust discovery. Note that this query does not identify any other variations of \"Dsquery.exe\" usage.\\\nWithin this detection, it is assumed `dsquery.exe` is not moved or renamed.\\\nThe search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process \"dsquery.exe\" and its parent process.\\\nDSQuery.exe is natively found in `C:\\Windows\\system32` and `C:\\Windows\\syswow64` and only on Server operating system.\\\nThe following DLL(s) are loaded when DSQuery.exe is launched `dsquery.dll`. If found loaded by another process, it is possible dsquery is running within that process context in memory.\\\nIn addition to trust discovery, review parallel processes for additional behaviors performed. Identify the parent process and capture any files (batch files, for example) being used.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=dsquery.exe Processes.process=*trustedDomain* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dsquery_domain_discovery_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Limited false positives. If there is a true false positive, filter based on command-line or parent process.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md", "https://blog.harmj0y.net/redteaming/a-guide-to-attacking-domain-trusts/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732952(v=ws.11)", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc754232(v=ws.11)"], "tags": {"name": "DSQuery Domain Discovery", "analytic_story": ["Domain Trust Discovery", "Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified performing domain discovery on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1482"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "dsquery_domain_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/dsquery_domain_discovery.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Dump LSASS via comsvcs DLL", "id": "8943b567-f14d-4ee8-a0bb-2121d4ce3184", "version": 2, "date": "2023-04-14", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "Detect the usage of comsvcs.dll for dumping the lsass process.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*comsvcs.dll* Processes.process=*MiniDump* by Processes.user Processes.process_name Processes.original_file_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_comsvcs_dll_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "None identified.", "references": ["https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", "https://twitter.com/SBousseaden/status/1167417096374050817", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"name": "Dump LSASS via comsvcs DLL", "analytic_story": ["Industroyer2", "HAFNIUM Group", "CISA AA22-264A", "Prestige Ransomware", "Credential Dumping", "CISA AA22-257A", "Living Off The Land", "Suspicious Rundll32 Activity", "Data Destruction", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified accessing credentials using comsvcs.dll on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1003.001", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "dump_lsass_via_comsvcs_dll_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/dump_lsass_via_comsvcs_dll.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Dump LSASS via procdump", "id": "3742ebfe-64c2-11eb-ae93-0242ac130002", "version": 3, "date": "2022-08-31", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "Detect procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage. -mm will produce a mini dump file and -ma will write a dump file with all process memory. Both are highly suspect and should be reviewed. This query does not monitor for the internal name (original_file_name=procdump) of the PE or look for procdump64.exe. Modify the query as needed.\\\nDuring triage, confirm this is procdump.exe executing. If it is the first time a Sysinternals utility has been ran, it is possible there will be a -accepteula on the command line. Review other endpoint data sources for cross process (injection) into lsass.exe.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_procdump` (Processes.process=*-ma* OR Processes.process=*-mm*) Processes.process=*lsass* by Processes.user Processes.process_name Processes.process Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_procdump_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "None identified.", "references": ["https://attack.mitre.org/techniques/T1003/001/", "https://docs.microsoft.com/en-us/sysinternals/downloads/procdump", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md#atomic-test-2---dump-lsassexe-memory-using-procdump", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/"], "tags": {"name": "Dump LSASS via procdump", "analytic_story": ["Credential Dumping", "HAFNIUM Group", "CISA AA22-257A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified attempting to dump lsass.exe on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1003.001", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}, {"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/crowdstrike_falcon.log", "source": "crowdstrike", "sourcetype": "crowdstrike:events:sensor"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_procdump", "definition": "(Processes.process_name=procdump.exe OR Processes.process_name=procdump64.exe OR Processes.original_file_name=procdump)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "dump_lsass_via_procdump_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/dump_lsass_via_procdump.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Elevated Group Discovery With Net", "id": "a23a0e20-0b1b-4a07-82e5-ec5f70811e7a", "version": 1, "date": "2021-08-25", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for specific elevated domain groups. Red Teams and adversaries alike use net.exe to enumerate elevated domain groups for situational awareness and Active Directory Discovery to identify high privileged users.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"net.exe\" OR Processes.process_name=\"net1.exe\") (Processes.process=\"*group*\" AND Processes.process=\"*/do*\") (Processes.process=\"*Domain Admins*\" OR Processes.process=\"*Enterprise Admins*\" OR Processes.process=\"*Schema Admins*\" OR Processes.process=\"*Account Operators*\" OR Processes.process=\"*Server Operators*\" OR Processes.process=\"*Protected Users*\" OR Processes.process=\"*Dns Admins*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `elevated_group_discovery_with_net_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory", "https://adsecurity.org/?p=3658", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"], "tags": {"name": "Elevated Group Discovery With Net", "analytic_story": ["Active Directory Discovery", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Elevated domain group discovery enumeration on $dest$ by $user$", "mitre_attack_id": ["T1069", "T1069.002"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 21, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "elevated_group_discovery_with_net_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/elevated_group_discovery_with_net.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Elevated Group Discovery with PowerView", "id": "10d62950-0de5-4199-a710-cff9ea79b413", "version": 1, "date": "2021-08-25", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainGroupMember` commandlet. `Get-DomainGroupMember` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. As the name suggests, `Get-DomainGroupMember` is used to list the members of an specific domain group. Red Teams and adversaries alike use PowerView to enumerate elevated domain groups for situational awareness and Active Directory Discovery to identify high privileged users.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (Message = \"*Get-DomainGroupMember*\") AND Message IN (\"*Domain Admins*\",\"*Enterprise Admins*\", \"*Schema Admins*\", \"*Account Operators*\" , \"*Server Operators*\", \"*Protected Users*\", \"*Dns Admins*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User | `security_content_ctime(firstTime)` | `elevated_group_discovery_with_powerview_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerView for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainGroupMember/", "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory", "https://attack.mitre.org/techniques/T1069/002/"], "tags": {"name": "Elevated Group Discovery with PowerView", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Elevated group discovery using PowerView on $dest$ by $user$", "mitre_attack_id": ["T1069", "T1069.002"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Message", "ComputerName", "User"], "risk_score": 21, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-powershell.log", "source": "WinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "wineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "elevated_group_discovery_with_powerview_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/elevated_group_discovery_with_powerview.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Elevated Group Discovery With Wmic", "id": "3f6bbf22-093e-4cb4-9641-83f47b8444b6", "version": 1, "date": "2021-08-25", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for specific domain groups. Red Teams and adversaries alike use net.exe to enumerate elevated domain groups for situational awareness and Active Directory Discovery to identify high privileged users.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"wmic.exe\") (Processes.process=*/NAMESPACE:\\\\\\\\root\\\\directory\\\\ldap*) (Processes.process=\"*Domain Admins*\" OR Processes.process=\"*Enterprise Admins*\" OR Processes.process=\"*Schema Admins*\" OR Processes.process=\"*Account Operators*\" OR Processes.process=\"*Server Operators*\" OR Processes.process=\"*Protected Users*\" OR Processes.process=\"*Dns Admins*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `elevated_group_discovery_with_wmic_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory", "https://adsecurity.org/?p=3658"], "tags": {"name": "Elevated Group Discovery With Wmic", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Elevated domain group discovery enumeration on $dest$ by $user$", "mitre_attack_id": ["T1069", "T1069.002"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 21, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "elevated_group_discovery_with_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/elevated_group_discovery_with_wmic.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Enable RDP In Other Port Number", "id": "99495452-b899-11eb-96dc-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a modification to registry to enable rdp to a machine with different port number. This technique was seen in some atttacker tries to do lateral movement and remote access to a compromised machine to gain control of it.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp*\" Registry.registry_value_name = \"PortNumber\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enable_rdp_in_other_port_number_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "references": ["https://www.mvps.net/docs/how-to-secure-remote-desktop-rdp/"], "tags": {"name": "Enable RDP In Other Port Number", "analytic_story": ["Prohibited Traffic Allowed or Protocol Mismatch", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "RDP was moved to a non-standard port on $dest$ by $user$.", "mitre_attack_id": ["T1021"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/honeypots/casper/datasets1/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "enable_rdp_in_other_port_number_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/enable_rdp_in_other_port_number.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Enable WDigest UseLogonCredential Registry", "id": "0c7d8ffe-25b1-11ec-9f39-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to detect a suspicious registry modification to enable plain text credential feature of windows. This technique was used by several malware and also by mimikatz to be able to dumpe the a plain text credential to the compromised or target host. This TTP is really a good indicator that someone wants to dump the crendential of the host so it must be a good pivot for credential dumping techniques.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\System\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\WDigest\\\\*\" Registry.registry_value_name = \"UseLogonCredential\" Registry.registry_value_data=0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enable_wdigest_uselogoncredential_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "references": ["https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html"], "tags": {"name": "Enable WDigest UseLogonCredential Registry", "analytic_story": ["Credential Dumping", "Windows Registry Abuse", "CISA AA22-320A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "wdigest registry $registry_path$ was modified in $dest$", "mitre_attack_id": ["T1112", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/atomic_red_team/wdigest_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "enable_wdigest_uselogoncredential_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Enumerate Users Local Group Using Telegram", "id": "fcd74532-ae54-11eb-a5ab-acde48001122", "version": 1, "date": "2021-05-06", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic will detect a suspicious Telegram process enumerating all network users in a local group. This technique was seen in a Monero infected honeypot to mapped all the users on the compromised system. EventCode 4798 is generated when a process enumerates a user's security-enabled local groups on a computer or device.", "data_source": ["Windows Security 4798"], "search": "`wineventlog_security` EventCode=4798 Process_Name = \"*\\\\telegram.exe\" | stats count min(_time) as firstTime max(_time) as lastTime by ComputerName EventCode Process_Name Process_ID Account_Name Account_Domain Logon_ID Security_ID Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enumerate_users_local_group_using_telegram_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Task Schedule (Exa. Security Log EventCode 4798) endpoints. Tune and filter known instances of process like logonUI used in your environment.", "known_false_positives": "unknown", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4798"], "tags": {"name": "Enumerate Users Local Group Using Telegram", "analytic_story": ["XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "The Telegram application has been identified enumerating local groups on $ComputerName$ by $user$.", "mitre_attack_id": ["T1087"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "ComputerName", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ComputerName", "EventCode", "Process_Name", "Process_ID", "Account_Name", "Account_Domain", "Logon_ID", "Security_ID", "Message"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/minergate/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "enumerate_users_local_group_using_telegram_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/enumerate_users_local_group_using_telegram.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Esentutl SAM Copy", "id": "d372f928-ce4f-11eb-a762-acde48001122", "version": 1, "date": "2021-08-18", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies the process - `esentutl.exe` - being used to capture credentials stored in ntds.dit or the SAM file on disk. During triage, review parallel processes and determine if legitimate activity. Upon determination of illegitimate activity, take further action to isolate and contain the threat.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_esentutl` Processes.process IN (\"*ntds*\", \"*SAM*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `esentutl_sam_copy_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited. Filter as needed.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/6a570c2a4630cf0c2bd41a2e8375b5d5ab92f700/atomics/T1003.002/T1003.002.md", "https://attack.mitre.org/software/S0404/"], "tags": {"name": "Esentutl SAM Copy", "analytic_story": ["Credential Dumping", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user user$ attempting to capture credentials for offline cracking or observability.", "mitre_attack_id": ["T1003.002", "T1003"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_esentutl", "definition": "(Processes.process_name=esentutl.exe OR Processes.original_file_name=esentutl.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "esentutl_sam_copy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/esentutl_sam_copy.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "ETW Registry Disabled", "id": "8ed523ac-276b-11ec-ac39-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to detect a registry modification to disable ETW feature of windows. This technique is to evade EDR appliance to evade detections and hide its execution from audit logs.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework*\" Registry.registry_value_name = ETWEnabled Registry.registry_value_data=0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `etw_registry_disabled_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "references": ["https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3"], "tags": {"name": "ETW Registry Disabled", "analytic_story": ["Hermetic Wiper", "Windows Privilege Escalation", "Windows Persistence Techniques", "Windows Registry Abuse", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "modified/added/deleted registry entry $Registry.registry_path$ in $dest$", "mitre_attack_id": ["T1562.006", "T1127", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127/etw_disable/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "etw_registry_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/etw_registry_disabled.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Eventvwr UAC Bypass", "id": "9cf8fe08-7ad8-11eb-9819-acde48001122", "version": 3, "date": "2022-11-14", "author": "Steven Dick, Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following search identifies Eventvwr bypass by identifying the registry modification into a specific path that eventvwr.msc looks to (but is not valid) upon execution. A successful attack will include a suspicious command to be executed upon eventvwr.msc loading. Upon triage, review the parallel processes that have executed. Identify any additional registry modifications on the endpoint that may look suspicious. Remediate as necessary.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*mscfile\\\\shell\\\\open\\\\command\\\\*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `eventvwr_uac_bypass_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "Some false positives may be present and will need to be filtered.", "references": ["https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md", "https://attack.mitre.org/techniques/T1548/002/", "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/"], "tags": {"name": "Eventvwr UAC Bypass", "analytic_story": ["Windows Defense Evasion Tactics", "IcedID", "Living Off The Land", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "Registry values were modified to bypass UAC using Event Viewer on $dest$ by $user$.", "mitre_attack_id": ["T1548.002", "T1548"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.user", "Processes.dest", "Processes.process_id", "Processes.process_name", "Processes.process", "Processes.process_path", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_guid", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "eventvwr_uac_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/eventvwr_uac_bypass.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Excel Spawning PowerShell", "id": "42d40a22-9be3-11eb-8f08-acde48001122", "version": 1, "date": "2021-04-12", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following detection identifies Microsoft Excel spawning PowerShell. Typically, this is not common behavior and not default with Excel.exe. Excel.exe will generally be found in the following path `C:\\Program Files\\Microsoft Office\\root\\Office16` (version will vary). PowerShell spawning from Excel.exe is common for a spearphishing attachment and is actively used. Albeit, the command executed will most likely be encoded and captured via another detection. During triage, review parallel processes and identify any files that may have been written.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process) min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=\"excel.exe\" `process_powershell` by Processes.parent_process Processes.process_name Processes.user Processes.dest Processes.original_file_name | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `excel_spawning_powershell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited, but if any are present, filter as needed.", "references": ["https://redcanary.com/threat-detection-report/techniques/powershell/", "https://attack.mitre.org/techniques/T1566/001/"], "tags": {"name": "Excel Spawning PowerShell", "analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$, indicating potential suspicious macro execution.", "mitre_attack_id": ["T1003.002", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "excel_spawning_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/excel_spawning_powershell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Excel Spawning Windows Script Host", "id": "57fe880a-9be3-11eb-9bf3-acde48001122", "version": 1, "date": "2021-04-12", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following detection identifies Microsoft Excel spawning Windows Script Host - `cscript.exe` or `wscript.exe`. Typically, this is not common behavior and not default with Excel.exe. Excel.exe will generally be found in the following path `C:\\Program Files\\Microsoft Office\\root\\Office16` (version will vary). `cscript.exe` or `wscript.exe` default location is `c:\\windows\\system32\\` or c:windows\\syswow64`. `cscript.exe` or `wscript.exe` spawning from Excel.exe is common for a spearphishing attachment and is actively used. Albeit, the command-line executed will most likely be obfuscated and captured via another detection. During triage, review parallel processes and identify any files that may have been written. Review the reputation of the remote destination and block accordingly.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process) min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=\"excel.exe\" Processes.process_name IN (\"cscript.exe\", \"wscript.exe\") by Processes.parent_process Processes.process_name Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `excel_spawning_windows_script_host_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "False positives should be limited, but if any are present, filter as needed. In some instances, `cscript.exe` is used for legitimate business practices.", "references": ["https://app.any.run/tasks/8ecfbc29-03d0-421c-a5bf-3905d29192a2/", "https://attack.mitre.org/techniques/T1566/001/"], "tags": {"name": "Excel Spawning Windows Script Host", "analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$, indicating potential suspicious macro execution.", "mitre_attack_id": ["T1003.002", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "process_name", "process_id", "parent_process_name", "dest", "user", "parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "excel_spawning_windows_script_host_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/excel_spawning_windows_script_host.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Excessive Attempt To Disable Services", "id": "8fa2a0f0-acd9-11eb-8994-acde48001122", "version": 1, "date": "2021-05-04", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic will identify suspicious series of command-line to disable several services. This technique is seen where the adversary attempts to disable security app services or other malware services to complete the objective on the compromised system.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"sc.exe\" AND Processes.process=\"*config*\" OR Processes.process=\"*Disabled*\" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user _time span=1m | where count >=4 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_attempt_to_disable_services_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed sc.exe may be used.", "known_false_positives": "unknown", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"name": "Excessive Attempt To Disable Services", "analytic_story": ["XMRig", "Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "message": "An excessive amount of $process_name$ was executed on $dest$ attempting to disable services.", "mitre_attack_id": ["T1489"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.process_id", "Processes.process_name", "Processes.parent_process_name", "Processes.dest", "Processes.user"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "excessive_attempt_to_disable_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/excessive_attempt_to_disable_services.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Excessive distinct processes from Windows Temp", "id": "23587b6a-c479-11eb-b671-acde48001122", "version": 2, "date": "2022-02-28", "author": "Michael Hart, Mauricio Velazco, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic will identify suspicious series of process executions. We have observed that post exploit framework tools like Koadic and Meterpreter will launch an excessive number of processes with distinct file paths from Windows\\Temp to execute actions on objective. This behavior is extremely anomalous compared to typical application behaviors that use Windows\\Temp.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process distinct_count(Processes.process) as distinct_process_count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_path = \"*\\\\Windows\\\\Temp\\\\*\" by Processes.dest Processes.user _time span=20m | where distinct_process_count > 37 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_distinct_processes_from_windows_temp_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the full process path in the process field of CIM's Process data model. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed sc.exe may be used.", "known_false_positives": "Many benign applications will create processes from executables in Windows\\Temp, although unlikely to exceed the given threshold. Filter as needed.", "references": ["https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/"], "tags": {"name": "Excessive distinct processes from Windows Temp", "analytic_story": ["Meterpreter"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation"], "message": "Multiple processes were executed out of windows\\temp within a short amount of time on $dest$.", "mitre_attack_id": ["T1059"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.dest", "Processes.user"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/meterpreter/windows_temp_processes/logExcessiveWindowsTemp.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "excessive_distinct_processes_from_windows_temp_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Excessive File Deletion In WinDefender Folder", "id": "b5baa09a-7a05-11ec-8da4-acde48001122", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic will identify excessive file deletion events in the Windows Defender folder. This technique was seen in the WhisperGate malware campaign in which adversaries abused Nirsofts advancedrun.exe to gain administrative privilege to then execute PowerShell commands to delete files within the Windows Defender application folder. This behavior is a good indicator the offending process is trying to corrupt a Windows Defender installation.", "data_source": ["Sysmon Event ID 23"], "search": "`sysmon` EventCode=23 TargetFilename = \"*\\\\ProgramData\\\\Microsoft\\\\Windows Defender*\" | stats values(TargetFilename) as deleted_files min(_time) as firstTime max(_time) as lastTime count by user EventCode Image ProcessID Computer |where count >=50 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_file_deletion_in_windefender_folder_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, TargetFilename, and ProcessID executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Windows Defender AV updates may cause this alert. Please update the filter macros to remove false positives.", "references": ["https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"name": "Excessive File Deletion In WinDefender Folder", "analytic_story": ["Data Destruction", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "message": "High frequency file deletion activity detected on host $Computer$", "mitre_attack_id": ["T1485"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Endpoint", "role": ["Victim"]}, {"name": "deleted_files", "type": "File Name", "role": ["Target"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "TargetFilename", "Computer", "user", "Image", "ProcessID"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/excessive_file_del_in_windefender_dir/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "excessive_file_deletion_in_windefender_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/excessive_file_deletion_in_windefender_folder.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Excessive number of service control start as disabled", "id": "77592bec-d5cc-11eb-9e60-acde48001122", "version": 1, "date": "2021-06-25", "author": "Michael Hart, Splunk", "type": "Anomaly", "status": "production", "description": "This detection targets behaviors observed when threat actors have used sc.exe to modify services. We observed malware in a honey pot spawning numerous sc.exe processes in a short period of time, presumably to impair defenses, possibly to block others from compromising the same machine. This detection will alert when we see both an excessive number of sc.exe processes launched with specific commandline arguments to disable the start of certain services.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` distinct_count(Processes.process) as distinct_cmdlines values(Processes.process_id) as process_ids min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE Processes.process_name = \"sc.exe\" AND Processes.process=\"*start= disabled*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_id, _time span=30m | where distinct_cmdlines >= 8 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_number_of_service_control_start_as_disabled_filter`", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must be ingesting logs with both the process name and command line from your endpoints. The complete process name with command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "Legitimate programs and administrators will execute sc.exe with the start disabled flag. It is possible, but unlikely from the telemetry of normal Windows operation we observed, that sc.exe will be called more than seven times in a short period of time.", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/sc-create", "https://attack.mitre.org/techniques/T1562/001/"], "tags": {"name": "Excessive number of service control start as disabled", "analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An excessive amount of $process_name$ was executed on $dest$ attempting to disable services.", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/sc_service_start_disabled/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "excessive_number_of_service_control_start_as_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Excessive number of taskhost processes", "id": "f443dac2-c7cf-11eb-ab51-acde48001122", "version": 1, "date": "2021-06-07", "author": "Michael Hart", "type": "Anomaly", "status": "production", "description": "This detection targets behaviors observed in post exploit kits like Meterpreter and Koadic that are run in memory. We have observed that these tools must invoke an excessive number of taskhost.exe and taskhostex.exe processes to complete various actions (discovery, lateral movement, etc.). It is extremely uncommon in the course of normal operations to see so many distinct taskhost and taskhostex processes running concurrently in a short time frame.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process_id) as process_ids min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE Processes.process_name = \"taskhost.exe\" OR Processes.process_name = \"taskhostex.exe\" BY Processes.dest Processes.process_name _time span=1h | `drop_dm_object_name(Processes)` | eval pid_count=mvcount(process_ids) | eval taskhost_count_=if(process_name == \"taskhost.exe\", pid_count, 0) | eval taskhostex_count_=if(process_name == \"taskhostex.exe\", pid_count, 0) | stats sum(taskhost_count_) as taskhost_count, sum(taskhostex_count_) as taskhostex_count by _time, dest, firstTime, lastTime | where taskhost_count > 10 and taskhostex_count > 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_number_of_taskhost_processes_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting events related to processes on the endpoints that include the name of the process and process id into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators, administrative actions or certain applications may run many instances of taskhost and taskhostex concurrently. Filter as needed.", "references": ["https://attack.mitre.org/software/S0250/"], "tags": {"name": "Excessive number of taskhost processes", "analytic_story": ["Meterpreter"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Installation"], "message": "An excessive amount of $process_name$ was executed on $dest$ indicative of suspicious behavior.", "mitre_attack_id": ["T1059"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_id", "Processes.process_name", "Processes.dest", "Processes.user"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/meterpreter/taskhost_processes/logExcessiveTaskHost.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "excessive_number_of_taskhost_processes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/excessive_number_of_taskhost_processes.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Excessive Service Stop Attempt", "id": "ae8d3f4a-acd7-11eb-8846-acde48001122", "version": 2, "date": "2021-05-04", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic identifies suspicious series of attempt to kill multiple services on a system using either `net.exe` or `sc.exe`. This technique is use by adversaries to terminate security services or other related services to continue there objective and evade detections.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name = \"sc.exe\" OR Processes.process_name = \"net1.exe\" AND Processes.process=\"*stop*\" OR Processes.process=\"*delete*\" by Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.dest Processes.user _time span=1m | where count >=5 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_service_stop_attempt_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"name": "Excessive Service Stop Attempt", "analytic_story": ["XMRig", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "message": "An excessive amount of $process_name$ was executed on $dest$ attempting to disable services.", "mitre_attack_id": ["T1489"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "excessive_service_stop_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/excessive_service_stop_attempt.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Excessive Usage Of Cacls App", "id": "0bdf6092-af17-11eb-939a-acde48001122", "version": 1, "date": "2021-05-07", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies excessive usage of `cacls.exe`, `xcacls.exe` or `icacls.exe` application to change file or folder permission. This behavior is commonly seen where the adversary attempts to impair some users from deleting or accessing its malware components or artifact from the compromised system.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id values(Processes.process_name) as process_name count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"cacls.exe\" OR Processes.process_name = \"icacls.exe\" OR Processes.process_name = \"XCACLS.exe\" by Processes.parent_process_name Processes.parent_process Processes.dest Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_cacls_app_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or administrative scripts may use this application. Filter as needed.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"name": "Excessive Usage Of Cacls App", "analytic_story": ["XMRig", "Azorult", "Windows Post-Exploitation", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An excessive amount of $process_name$ was executed on $dest$ attempting to modify permissions.", "mitre_attack_id": ["T1222"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.process_id", "Processes.process_name", "Processes.parent_process_name", "Processes.dest", "Processes.user"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "excessive_usage_of_cacls_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/excessive_usage_of_cacls_app.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Excessive Usage Of Net App", "id": "45e52536-ae42-11eb-b5c6-acde48001122", "version": 2, "date": "2021-05-06", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic identifies excessive usage of `net.exe` or `net1.exe` within a bucket of time (1 minute). This behavior was seen in a Monero incident where the adversary attempts to create many users, delete and disable users as part of its malicious behavior.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` by Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_net_app_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown. Filter as needed. Modify the time span as needed.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"name": "Excessive Usage Of Net App", "analytic_story": ["XMRig", "Ransomware", "Azorult", "Windows Post-Exploitation", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "kill_chain_phases": ["Actions on Objectives"], "message": "Excessive usage of net1.exe or net.exe within 1m, with command line $process$ has been detected on $dest$ by $user$", "mitre_attack_id": ["T1531"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 28, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "excessive_usage_of_net_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/excessive_usage_of_net_app.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Excessive Usage of NSLOOKUP App", "id": "0a69fdaa-a2b8-11eb-b16d-acde48001122", "version": 2, "date": "2022-06-03", "author": "Teoderick Contreras, Stanislav Miskovic, Splunk", "type": "Anomaly", "status": "production", "description": "This search is to detect potential DNS exfiltration using nslookup application. This technique are seen in couple of malware and APT group to exfiltrated collected data in a infected machine or infected network. This detection is looking for unique use of nslookup where it tries to use specific record type (TXT, A, AAAA) that are commonly used by attacker and also the retry parameter which is designed to query C2 DNS multiple tries.", "data_source": [], "search": "`sysmon` EventCode = 1 process_name = \"nslookup.exe\" | bucket _time span=1m | stats count as numNsLookup by Computer, _time | eventstats avg(numNsLookup) as avgNsLookup, stdev(numNsLookup) as stdNsLookup, count as numSlots by Computer | eval upperThreshold=(avgNsLookup + stdNsLookup *3) | eval isOutlier=if(numNsLookup > 20 and numNsLookup >= upperThreshold, 1, 0) | search isOutlier=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_nslookup_app_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of nslookup.exe may be used.", "known_false_positives": "unknown", "references": ["https://www.mandiant.com/resources/fin7-spear-phishing-campaign-targets-personnel-involved-sec-filings", "https://www.varonis.com/blog/dns-tunneling", "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/"], "tags": {"name": "Excessive Usage of NSLOOKUP App", "analytic_story": ["Suspicious DNS Traffic", "Dynamic DNS", "Data Exfiltration", "Command And Control"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "kill_chain_phases": ["Actions on Objectives"], "message": "Excessive usage of nslookup.exe has been detected on $Computer$. This detection is triggered as as it violates the dynamic threshold", "mitre_attack_id": ["T1048"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Computer", "process_name", "EventCode"], "risk_score": 28, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/nslookup_exfil/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "excessive_usage_of_nslookup_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/excessive_usage_of_nslookup_app.yml", "source": "endpoint"}, {"name": "Excessive Usage Of SC Service Utility", "id": "cb6b339e-d4c6-11eb-a026-acde48001122", "version": 1, "date": "2021-06-24", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This search is to detect a suspicious excessive usage of sc.exe in a host machine. This technique was seen in several ransomware , xmrig and other malware to create, modify, delete or disable a service may related to security application or to gain privilege escalation.", "data_source": [], "search": "`sysmon` EventCode = 1 process_name = \"sc.exe\" | bucket _time span=15m | stats values(process) as process count as numScExe by Computer, _time | eventstats avg(numScExe) as avgScExe, stdev(numScExe) as stdScExe, count as numSlots by Computer | eval upperThreshold=(avgScExe + stdScExe *3) | eval isOutlier=if(avgScExe > 5 and avgScExe >= upperThreshold, 1, 0) | search isOutlier=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_sc_service_utility_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed taskkill.exe may be used.", "known_false_positives": "excessive execution of sc.exe is quite suspicious since it can modify or execute app in high privilege permission.", "references": ["https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/"], "tags": {"name": "Excessive Usage Of SC Service Utility", "analytic_story": ["Ransomware", "Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "Excessive Usage Of SC Service Utility", "mitre_attack_id": ["T1569", "T1569.002"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "process_name", "process"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "excessive_usage_of_sc_service_utility_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/excessive_usage_of_sc_service_utility.yml", "source": "endpoint"}, {"name": "Excessive Usage Of Taskkill", "id": "fe5bca48-accb-11eb-a67c-acde48001122", "version": 1, "date": "2021-05-04", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic identifies excessive usage of `taskkill.exe` application. This application is commonly used by adversaries to evade detections by killing security product processes or even other processes to evade detection.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"taskkill.exe\" by Processes.parent_process_name Processes.process_name Processes.dest Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_taskkill_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed taskkill.exe may be used.", "known_false_positives": "Unknown. Filter as needed.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/", "https://www.joesandbox.com/analysis/702680/0/html"], "tags": {"name": "Excessive Usage Of Taskkill", "analytic_story": ["XMRig", "Azorult", "CISA AA22-264A", "AgentTesla", "CISA AA22-277A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "kill_chain_phases": ["Exploitation"], "message": "Excessive usage of taskkill.exe with process id $process_id$ (more than 10 within 1m) has been detected on $dest$ with a parent process of $parent_process_name$.", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process", "Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.parent_process_name", "Processes.process_name", "Processes.dest", "Processes.user", "Processes.process", "Processes.process_id"], "risk_score": 28, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "excessive_usage_of_taskkill_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/excessive_usage_of_taskkill.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Exchange PowerShell Abuse via SSRF", "id": "29228ab4-0762-11ec-94aa-acde48001122", "version": 2, "date": "2022-10-02", "author": "Michael Haag, Splunk", "type": "TTP", "status": "experimental", "description": "This analytic identifies suspicious behavior related to ProxyShell against on-premise Microsoft Exchange servers. This analytic has been replaced by GUID d436f9e7-0ee7-4a47-864b-6dea2c4e2752 which utilizes the Web Datamodel. \\\nModification of this analytic is requried to ensure fields are mapped accordingly. \\\nA suspicious event will have `PowerShell`, the method `POST` and `autodiscover.json`. This is indicative of accessing PowerShell on the back end of Exchange with SSRF. \\\nAn event will look similar to `POST /autodiscover/autodiscover.json a=dsxvu@fnsso.flq/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3d...` (abbreviated) \\\nReview the source attempting to perform this activity against your environment. In addition, review PowerShell logs and access recently granted to Exchange roles.", "data_source": [], "search": "`exchange` c_uri=\"*//autodiscover*\" cs_uri_query=\"*PowerShell*\" cs_method=\"POST\" | stats count min(_time) as firstTime max(_time) as lastTime by dest, cs_uri_query, cs_method, c_uri | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `exchange_powershell_abuse_via_ssrf_filter`", "how_to_implement": "The following analytic requires on-premise Exchange to be logging to Splunk using the TA - https://splunkbase.splunk.com/app/3225. Ensure logs are parsed correctly, or tune the analytic for your environment.", "known_false_positives": "Limited false positives, however, tune as needed.", "references": ["https://github.com/GossiTheDog/ThreatHunting/blob/master/AzureSentinel/Exchange-Powershell-via-SSRF", "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1"], "tags": {"name": "Exchange PowerShell Abuse via SSRF", "analytic_story": ["ProxyShell", "ProxyNotShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Delivery"], "message": "Activity related to ProxyShell has been identified on $dest$. Review events and take action accordingly.", "mitre_attack_id": ["T1190"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "cs_uri_query", "cs_method", "c_uri"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "exchange", "definition": "sourcetype=\"MSWindows:IIS\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "exchange_powershell_abuse_via_ssrf_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/exchange_powershell_abuse_via_ssrf.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Exchange PowerShell Module Usage", "id": "2d10095e-05ae-11ec-8fdf-acde48001122", "version": 5, "date": "2022-11-21", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the usage of Exchange PowerShell modules that were recently used for a proof of concept related to ProxyShell. Adversaries may abuse a limited set of PwSh Modules related to Exchange once gained access via ProxyShell or ProxyNotShell.\\\nInherently, the usage of the modules is not malicious, but reviewing parallel processes, and user, of the session will assist with determining the intent. \\\nModule - New-MailboxExportRequest will begin the process of exporting contents of a primary mailbox or archive to a .pst file. \\\nModule - New-managementroleassignment can assign a management role to a management role group, management role assignment policy, user, or universal security group (USG). \\\nModule - New-MailboxSearch cmdlet to create a mailbox search and either get an estimate of search results, place search results on In-Place Hold or copy them to a Discovery mailbox. You can also place all contents in a mailbox on hold by not specifying a search query, which accomplishes similar results as Litigation Hold. \\ Module - Get-Recipient cmdlet to view existing recipient objects in your organization. This cmdlet returns all mail-enabled objects (for example, mailboxes, mail users, mail contacts, and distribution groups).", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*New-MailboxExportRequest*\", \"*New-ManagementRoleAssignment*\", \"*New-MailboxSearch*\", \"*Get-Recipient*\", \"Search-Mailbox\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `exchange_powershell_module_usage_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-managementroleassignment?view=exchange-ps", "https://blog.orange.tw/2021/08/proxyshell-a-new-attack-surface-on-ms-exchange-part-3.html", "https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell", "https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/", "https://www.cisa.gov/uscert/ncas/alerts/aa22-264a", "https://learn.microsoft.com/en-us/powershell/module/exchange/new-mailboxsearch?view=exchange-ps", "https://learn.microsoft.com/en-us/powershell/module/exchange/get-recipient?view=exchange-ps", "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/"], "tags": {"name": "Exchange PowerShell Module Usage", "analytic_story": ["ProxyShell", "CISA AA22-264A", "ProxyNotShell", "CISA AA22-277A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 40, "kill_chain_phases": ["Installation"], "message": "Suspicious Exchange PowerShell module usaged was identified on $dest$.", "mitre_attack_id": ["T1059", "T1059.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 32, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/exchange/windows-powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "exchange_powershell_module_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/exchange_powershell_module_usage.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Executable File Written in Administrative SMB Share", "id": "f63c34fe-a435-11eb-935a-acde48001122", "version": 2, "date": "2023-04-14", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies executable files (.exe or .dll) being written to Windows administrative SMB shares (Admin$, IPC$, C$). This represents suspicious behavior as its commonly used by tools like PsExec/PaExec and others to stage service binaries before creating and starting a Windows service on remote endpoints. Red Teams and adversaries alike may abuse administrative shares for lateral movement and remote code execution. The Trickbot malware family also implements this behavior to try to infect other machines in the infected network.", "data_source": ["Windows Security 5145"], "search": "`wineventlog_security` EventCode=5145 Relative_Target_Name IN (\"*.exe\",\"*.dll\") Object_Type=File Share_Name IN (\"\\\\\\\\*\\\\C$\",\"\\\\\\\\*\\\\IPC$\",\"\\\\\\\\*\\\\admin$\") Access_Mask= \"0x2\" | stats min(_time) as firstTime max(_time) as lastTime count by EventCode Share_Name Relative_Target_Name Object_Type Access_Mask user src_port Source_Address | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `executable_file_written_in_administrative_smb_share_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 5145 EventCode enabled. The Windows TA is also required. Also enable the object Audit access success/failure in your group policy.", "known_false_positives": "System Administrators may use looks like PsExec for troubleshooting or administrations tasks. However, this will typically come only from certain users and certain systems that can be added to an allow list.", "references": ["https://attack.mitre.org/techniques/T1021/002/", "https://www.rapid7.com/blog/post/2013/03/09/psexec-demystified/", "https://labs.vipre.com/trickbot-and-its-modules/", "https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"name": "Executable File Written in Administrative SMB Share", "analytic_story": ["Industroyer2", "Active Directory Lateral Movement", "Hermetic Wiper", "Trickbot", "Prestige Ransomware", "Data Destruction", "IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "$user$ dropped or created an executable file in known sensitive SMB share. Share name=$Share_Name$, Target name=$Relative_Target_Name$, and Access mask=$Access_Mask$", "mitre_attack_id": ["T1021", "T1021.002"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Share_Name", "Relative_Target_Name", "Object_Type", "Access_Mask", "user", "src_port", "Source_Address"], "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/exe_smbshare/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "executable_file_written_in_administrative_smb_share_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/executable_file_written_in_administrative_smb_share.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Executables Or Script Creation In Suspicious Path", "id": "a7e3f0f0-ae42-11eb-b245-acde48001122", "version": 1, "date": "2023-04-25", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic will identify suspicious executable or scripts (known file extensions) in a list of suspicious file paths in Windows. This technique is used by adversaries to evade detection. The suspicious file path are known paths used in the wild and are not common to have executable or scripts.", "data_source": ["Sysmon Event ID 11"], "search": "|tstats `security_content_summariesonly` values(Filesystem.file_path) as file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name = *.exe OR Filesystem.file_name = *.dll OR Filesystem.file_name = *.sys OR Filesystem.file_name = *.com OR Filesystem.file_name = *.vbs OR Filesystem.file_name = *.vbe OR Filesystem.file_name = *.js OR Filesystem.file_name = *.ps1 OR Filesystem.file_name = *.bat OR Filesystem.file_name = *.cmd OR Filesystem.file_name = *.pif) AND ( Filesystem.file_path = *\\\\windows\\\\fonts\\\\* OR Filesystem.file_path = *\\\\windows\\\\temp\\\\* OR Filesystem.file_path = *\\\\users\\\\public\\\\* OR Filesystem.file_path = *\\\\windows\\\\debug\\\\* OR Filesystem.file_path = *\\\\Users\\\\Administrator\\\\Music\\\\* OR Filesystem.file_path = *\\\\Windows\\\\servicing\\\\* OR Filesystem.file_path = *\\\\Users\\\\Default\\\\* OR Filesystem.file_path = *Recycle.bin* OR Filesystem.file_path = *\\\\Windows\\\\Media\\\\* OR Filesystem.file_path = *\\\\Windows\\\\repair\\\\* OR Filesystem.file_path = *\\\\AppData\\\\Local\\\\Temp* OR Filesystem.file_path = *\\\\PerfLogs\\\\*) by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `executables_or_script_creation_in_suspicious_path_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "Administrators may allow creation of script or exe in the paths specified. Filter as needed.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://twitter.com/pr0xylife/status/1590394227758104576", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"name": "Executables Or Script Creation In Suspicious Path", "analytic_story": ["Azorult", "AsyncRAT", "XMRig", "Swift Slicer", "DarkCrystal RAT", "Double Zero Destructor", "Trickbot", "Data Destruction", "LockBit Ransomware", "Industroyer2", "Remcos", "RedLine Stealer", "WhisperGate", "IcedID", "Hermetic Wiper", "AgentTesla", "Brute Ratel C4", "Qakbot", "Chaos Ransomware", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "kill_chain_phases": ["Exploitation"], "message": "Suspicious executable or scripts with file name $file_name$, $file_path$ and process_id $process_id$ executed in suspicious file path in Windows by $user$", "mitre_attack_id": ["T1036"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_id", "type": "Process", "role": ["Attacker"]}, {"name": "file_name", "type": "File Name", "role": ["Other", "Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.file_path", "Filesystem.file_create_time", "Filesystem.process_id", "Filesystem.file_name", "Filesystem.user"], "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "executables_or_script_creation_in_suspicious_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Execute Javascript With Jscript COM CLSID", "id": "dc64d064-d346-11eb-8588-acde48001122", "version": 1, "date": "2021-06-22", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic will identify suspicious process of cscript.exe where it tries to execute javascript using jscript.encode CLSID (COM OBJ). This technique was seen in ransomware (reddot ransomware) where it execute javascript with this com object with combination of amsi disabling technique.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"cscript.exe\" Processes.process=\"*-e:{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}*\" by Processes.parent_process_name Processes.process_name Processes.process Processes.parent_process Processes.process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `execute_javascript_with_jscript_com_clsid_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "unknown", "references": ["https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/"], "tags": {"name": "Execute Javascript With Jscript COM CLSID", "analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Installation"], "message": "Suspicious process of cscript.exe with a parent process $parent_process_name$ where it tries to execute javascript using jscript.encode CLSID (COM OBJ), detected on $dest$ by $user$", "mitre_attack_id": ["T1059", "T1059.005"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_id", "type": "Process", "role": ["Attacker"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process", "Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.parent_process", "Processes.process_id", "Processes.dest", "Processes.user"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "execute_javascript_with_jscript_com_clsid_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Execution of File with Multiple Extensions", "id": "b06a555e-dce0-417d-a2eb-28a5d8d66ef7", "version": 3, "date": "2020-11-18", "author": "Rico Valdez, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search looks for processes launched from files that have double extensions in the file name. This is typically done to obscure the \"real\" file extension and make it appear as though the file being accessed is a data file, as opposed to executable content.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*.doc.exe\", \"*.xls.exe\",\"*.ppt.exe\", \"*.htm.exe\", \"*.html.exe\", \"*.txt.exe\", \"*.pdf.exe\", \"*.docx.exe\", \"*.xlsx.exe\", \"*.pptx.exe\",\"*.one.exe\", \"*.bat.exe\", \"*rtf.exe\") by Processes.dest Processes.user Processes.process Processes.parent_process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `execution_of_file_with_multiple_extensions_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node.", "known_false_positives": "None identified.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"name": "Execution of File with Multiple Extensions", "analytic_story": ["Windows File Extension and Association Abuse", "Masquerading - Rename System Utilities", "AsyncRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "process $process$ have double extensions in the file name is executed on $dest$ by $user$", "mitre_attack_id": ["T1036", "T1036.003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process", "type": "Process", "role": ["Parent Process", "Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.dest", "Processes.user", "Processes.parent_process"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "execution_of_file_with_multiple_extensions_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/execution_of_file_with_multiple_extensions.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Extraction of Registry Hives", "id": "8bbb7d58-b360-11eb-ba21-acde48001122", "version": 2, "date": "2021-09-09", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of `reg.exe` exporting Windows Registry hives containing credentials. Adversaries may use this technique to export registry hives for offline credential access attacks. Typically found executed from a untrusted process or script. Upon execution, a file will be written to disk.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` (Processes.process=*save* OR Processes.process=*export*) AND (Processes.process=\"*\\sam *\" OR Processes.process=\"*\\system *\" OR Processes.process=\"*\\security *\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `extraction_of_registry_hives_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "It is possible some agent based products will generate false positives. Filter as needed.", "references": ["https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"], "tags": {"name": "Extraction of Registry Hives", "analytic_story": ["DarkSide Ransomware", "Credential Dumping", "CISA AA22-257A", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "Suspicious use of `reg.exe` exporting Windows Registry hives containing credentials executed on $dest$ by user $user$, with a parent process of $parent_process_id$", "mitre_attack_id": ["T1003.002", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_id", "type": "Process", "role": ["Parent Process", "Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "extraction_of_registry_hives_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/extraction_of_registry_hives.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "File with Samsam Extension", "id": "02c6cfc2-ae66-4735-bfc7-6291da834cbf", "version": 1, "date": "2018-12-14", "author": "Rico Valdez, Splunk", "type": "TTP", "status": "production", "description": "The search looks for file writes with extensions consistent with a SamSam ransomware attack.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`| rex field=file_name \"(?\\.[^\\.]+)$\" | search file_extension=.stubbin OR file_extension=.berkshire OR file_extension=.satoshi OR file_extension=.sophos OR file_extension=.keyxml | `file_with_samsam_extension_filter`", "how_to_implement": "You must be ingesting data that records file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.", "known_false_positives": "Because these extensions are not typically used in normal operations, you should investigate all results.", "references": [], "tags": {"name": "File with Samsam Extension", "analytic_story": ["SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": [], "message": "File writes $file_name$ with extensions consistent with a SamSam ransomware attack seen on $dest$", "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Other", "Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.user", "Filesystem.dest", "Filesystem.file_path", "Filesystem.file_name"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/samsam_extension/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "file_with_samsam_extension_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/file_with_samsam_extension.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Firewall Allowed Program Enable", "id": "9a8f63a8-43ac-11ec-904c-acde48001122", "version": 1, "date": "2021-11-12", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic detects a potential suspicious modification of firewall rule allowing to execute specific application. This technique was identified when an adversary and red teams to bypassed firewall file execution restriction in a targetted host. Take note that this event or command can run by administrator during testing or allowing legitimate tool or application.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*firewall*\" Processes.process = \"*allow*\" Processes.process = \"*add*\" Processes.process = \"*ENABLE*\" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `firewall_allowed_program_enable_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "A network operator or systems administrator may utilize an automated or manual execution of this firewall rule that may generate false positives. Filter as needed.", "references": ["https://app.any.run/tasks/ad4c3cda-41f2-4401-8dba-56cc2d245488/"], "tags": {"name": "Firewall Allowed Program Enable", "analytic_story": ["Windows Defense Evasion Tactics", "Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "firewall allowed program commandline $process$ of $process_name$ on $dest$ by $user$", "mitre_attack_id": ["T1562.004", "T1562"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/vilsel/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "firewall_allowed_program_enable_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/firewall_allowed_program_enable.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "First Time Seen Child Process of Zoom", "id": "e91bd102-d630-4e76-ab73-7e3ba22c5961", "version": 1, "date": "2020-05-20", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search looks for child processes spawned by zoom.exe or zoom.us that has not previously been seen.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` min(_time) as firstTime values(Processes.parent_process_name) as parent_process_name values(Processes.parent_process_id) as parent_process_id values(Processes.process_name) as process_name values(Processes.process) as process from datamodel=Endpoint.Processes where (Processes.parent_process_name=zoom.exe OR Processes.parent_process_name=zoom.us) by Processes.process_id Processes.dest | `drop_dm_object_name(Processes)` | lookup zoom_first_time_child_process dest as dest process_name as process_name OUTPUT firstTimeSeen | where isnull(firstTimeSeen) OR firstTimeSeen > relative_time(now(), \"`previously_seen_zoom_child_processes_window`\") | `security_content_ctime(firstTime)` | table firstTime dest, process_id, process_name, parent_process_id, parent_process_name |`first_time_seen_child_process_of_zoom_filter`", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You should run the baseline search `Previously Seen Zoom Child Processes - Initial` to build the initial table of child processes and hostnames for this search to work. You should also schedule at the same interval as this search the second baseline search `Previously Seen Zoom Child Processes - Update` to keep this table up to date and to age out old child processes. Please update the `previously_seen_zoom_child_processes_window` macro to adjust the time window.", "known_false_positives": "A new child process of zoom isn't malicious by that fact alone. Further investigation of the actions of the child process is needed to verify any malicious behavior is taken.", "references": [], "tags": {"name": "First Time Seen Child Process of Zoom", "analytic_story": ["Suspicious Zoom Child Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "Child process $process_name$ with $process_id$ spawned by zoom.exe or zoom.us which has not been previously on host $dest$", "mitre_attack_id": ["T1068"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker", "Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.parent_process_name", "Processes.parent_process_id", "Processes.process_name", "Processes.process", "Processes.parent_process_name", "Processes.process_id", "Processes.dest"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "previously_seen_zoom_child_processes_window", "definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new zoom child processes"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "first_time_seen_child_process_of_zoom_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "zoom_first_time_child_process", "description": "A list of suspicious file names", "collection": "zoom_first_time_child_process", "fields_list": "_key, dest, process_name, firstTimeSeen, lastTimeSeen"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/first_time_seen_child_process_of_zoom.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "First Time Seen Running Windows Service", "id": "823136f2-d755-4b6d-ae04-372b486a5808", "version": 4, "date": "2020-07-21", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search looks for the first and last time a Windows service is seen running in your environment. This table is then cached.", "data_source": ["Sysmon Event ID 7"], "search": "`wineventlog_system` EventCode=7036 | rex field=Message \"The (?[-\\(\\)\\s\\w]+) service entered the (?\\w+) state\" | where state=\"running\" | lookup previously_seen_running_windows_services service as service OUTPUT firstTimeSeen | where isnull(firstTimeSeen) OR firstTimeSeen > relative_time(now(), `previously_seen_windows_services_window`) | table _time dest service | `first_time_seen_running_windows_service_filter`", "how_to_implement": "While this search does not require you to adhere to Splunk CIM, you must be ingesting your Windows system event logs in order for this search to execute successfully. You should run the baseline search `Previously Seen Running Windows Services - Initial` to build the initial table of child processes and hostnames for this search to work. You should also schedule at the same interval as this search the second baseline search `Previously Seen Running Windows Services - Update` to keep this table up to date and to age out old Windows Services. Please update the `previously_seen_windows_services_window` macro to adjust the time window. Please ensure that the Splunk Add-on for Microsoft Windows is version 8.0.0 or above.", "known_false_positives": "A previously unseen service is not necessarily malicious. Verify that the service is legitimate and that was installed by a legitimate process.", "references": [], "tags": {"name": "First Time Seen Running Windows Service", "analytic_story": ["Windows Service Abuse", "Orangeworm Attack Group", "NOBELIUM Group"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "tbd", "mitre_attack_id": ["T1569", "T1569.002"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Message", "dest"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}]}, "datamodel": [], "macros": [{"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "previously_seen_windows_services_window", "definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new Windows services"}, {"name": "first_time_seen_running_windows_service_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_running_windows_services", "description": "A placeholder for the list of Windows Services running", "collection": "previously_seen_running_windows_services", "fields_list": "_key, service, firstTimeSeen, lastTimeSeen"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/first_time_seen_running_windows_service.yml", "source": "endpoint"}, {"name": "FodHelper UAC Bypass", "id": "909f8fd8-7ac8-11eb-a1f3-acde48001122", "version": 1, "date": "2021-03-01", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "Fodhelper.exe has a known UAC bypass as it attempts to look for specific registry keys upon execution, that do not exist. Therefore, an attacker can write its malicious commands in these registry keys to be executed by fodhelper.exe with the highest privilege. \\\n1. `HKCU:\\Software\\Classes\\ms-settings\\shell\\open\\command`\\\n1. `HKCU:\\Software\\Classes\\ms-settings\\shell\\open\\command\\DelegateExecute`\\\n1. `HKCU:\\Software\\Classes\\ms-settings\\shell\\open\\command\\(default)`\\\nUpon triage, fodhelper.exe will have a child process and read access will occur on the registry keys. Isolate the endpoint and review parallel processes for additional behavior.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=fodhelper.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `fodhelper_uac_bypass_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Limited to no false positives are expected.", "references": ["https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md", "https://github.com/gushmazuko/WinBypass/blob/master/FodhelperBypass.ps1", "https://attack.mitre.org/techniques/T1548/002/"], "tags": {"name": "FodHelper UAC Bypass", "analytic_story": ["Windows Defense Evasion Tactics", "IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "Suspcious registy keys added by process fodhelper.exe (process_id- $process_id), with a parent_process of $parent_process_name$ that has been executed on $dest$ by $user$.", "mitre_attack_id": ["T1112", "T1548.002", "T1548"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process", "Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.parent_process_name", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "fodhelper_uac_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/fodhelper_uac_bypass.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Fsutil Zeroing File", "id": "4e5e024e-fabb-11eb-8b8f-acde48001122", "version": 1, "date": "2021-08-11", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious fsutil process to zeroing a target file. This technique was seen in lockbit ransomware where it tries to zero out its malware path as part of its defense evasion after encrypting the compromised host.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fsutil.exe Processes.process=\"*setzerodata*\" by Processes.user Processes.process_name Processes.parent_process_name Processes.dest Processes.process Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `fsutil_zeroing_file_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "references": ["https://app.any.run/tasks/e0ac072d-58c9-4f53-8a3b-3e491c7ac5db/", "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/"], "tags": {"name": "Fsutil Zeroing File", "analytic_story": ["Ransomware", "LockBit Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "Possible file data deletion on $dest$ using $process$", "mitre_attack_id": ["T1070"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.user", "Processes.process_name", "Processes.parent_process_name", "Processes.dest", "Processes.process", "Processes.parent_process"], "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070/fsutil_file_zero/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "fsutil_zeroing_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/fsutil_zeroing_file.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Get ADDefaultDomainPasswordPolicy with Powershell", "id": "36e46ebe-065a-11ec-b4c7-acde48001122", "version": 1, "date": "2021-08-26", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `powershell.exe` executing the Get-ADDefaultDomainPasswordPolicy commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"cmd.exe\" OR Processes.process_name=\"powershell*\") AND Processes.process = \"*Get-ADDefaultDomainPasswordPolicy*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_addefaultdomainpasswordpolicy_with_powershell_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet", "https://attack.mitre.org/techniques/T1201/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2019-ps"], "tags": {"name": "Get ADDefaultDomainPasswordPolicy with Powershell", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "mitre_attack_id": ["T1201"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id", "Processes.parent_process_name"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "get_addefaultdomainpasswordpolicy_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Get ADDefaultDomainPasswordPolicy with Powershell Script Block", "id": "1ff7ccc8-065a-11ec-91e4-acde48001122", "version": 2, "date": "2022-03-22", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADDefaultDomainPasswordPolicy` commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText =\"*Get-ADDefaultDomainPasswordPolicy*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_addefaultdomainpasswordpolicy_with_powershell_script_block_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet", "https://attack.mitre.org/techniques/T1201/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2019-ps"], "tags": {"name": "Get ADDefaultDomainPasswordPolicy with Powershell Script Block", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "powershell process having commandline $Message$ to query domain password policy", "mitre_attack_id": ["T1201"], "nist": ["DE.AE"], "observable": [{"name": "ComputerName", "type": "Hostname", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Message", "ComputerName", "User"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "get_addefaultdomainpasswordpolicy_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell_script_block.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Get ADUser with PowerShell", "id": "0b6ee3f4-04e3-11ec-a87d-acde48001122", "version": 1, "date": "2021-08-24", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to enumerate domain users. The `Get-AdUser' commandlet returns a list of all domain users. Red Teams and adversaries alike may use this commandlet to identify remote systems for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"cmd.exe\" OR Processes.process_name=\"powershell*\") AND Processes.process = \"*Get-ADUser*\" AND Processes.process = \"*-filter*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduser_with_powershell_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://www.blackhillsinfosec.com/red-blue-purple/", "https://attack.mitre.org/techniques/T1087/002/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduser?view=windowsserver2019-ps"], "tags": {"name": "Get ADUser with PowerShell", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "mitre_attack_id": ["T1087.002", "T1087"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id", "Processes.parent_process_name"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "get_aduser_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/get_aduser_with_powershell.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Get ADUser with PowerShell Script Block", "id": "21432e40-04f4-11ec-b7e6-acde48001122", "version": 2, "date": "2022-09-13", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-AdGUser` commandlet. The `Get-AdUser` commandlet is used to return a list of all domain users. Red Teams and adversaries may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*get-aduser*\" ScriptBlockText = \"*-filter*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduser_with_powershell_script_block_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://www.blackhillsinfosec.com/red-blue-purple/", "https://attack.mitre.org/techniques/T1087/002/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduser?view=windowsserver2019-ps"], "tags": {"name": "Get ADUser with PowerShell Script Block", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "powershell process having commandline $Message$ for user enumeration", "mitre_attack_id": ["T1087.002", "T1087"], "nist": ["DE.AE"], "observable": [{"name": "ComputerName", "type": "Hostname", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Message", "ComputerName", "User"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/aduser_powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "get_aduser_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/get_aduser_with_powershell_script_block.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Get ADUserResultantPasswordPolicy with Powershell", "id": "8b5ef342-065a-11ec-b0fc-acde48001122", "version": 1, "date": "2021-08-26", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `powershell.exe` executing the Get ADUserResultantPasswordPolicy commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"cmd.exe\" OR Processes.process_name=\"powershell*\") AND Processes.process = \"*Get-ADUserResultantPasswordPolicy*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduserresultantpasswordpolicy_with_powershell_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet", "https://attack.mitre.org/techniques/T1201/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduserresultantpasswordpolicy?view=windowsserver2019-ps"], "tags": {"name": "Get ADUserResultantPasswordPolicy with Powershell", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "mitre_attack_id": ["T1201"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id", "Processes.parent_process_name"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "get_aduserresultantpasswordpolicy_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Get ADUserResultantPasswordPolicy with Powershell Script Block", "id": "737e1eb0-065a-11ec-921a-acde48001122", "version": 2, "date": "2022-05-02", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADUserResultantPasswordPolicy` commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText=\"*Get-ADUserResultantPasswordPolicy*\" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduserresultantpasswordpolicy_with_powershell_script_block_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet", "https://attack.mitre.org/techniques/T1201/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduserresultantpasswordpolicy?view=windowsserver2019-ps"], "tags": {"name": "Get ADUserResultantPasswordPolicy with Powershell Script Block", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "powershell process having commandline $ScriptBlockText$ to query domain user password policy.", "mitre_attack_id": ["T1201"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "get_aduserresultantpasswordpolicy_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell_script_block.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Get DomainPolicy with Powershell", "id": "b8f9947e-065a-11ec-aafb-acde48001122", "version": 1, "date": "2021-08-26", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `powershell.exe` executing the `Get-DomainPolicy` commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"cmd.exe\" OR Processes.process_name=\"powershell*\") AND Processes.process = \"*Get-DomainPolicy*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domainpolicy_with_powershell_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainPolicy/", "https://attack.mitre.org/techniques/T1201/"], "tags": {"name": "Get DomainPolicy with Powershell", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "mitre_attack_id": ["T1201"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id", "Processes.parent_process_name"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "get_domainpolicy_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/get_domainpolicy_with_powershell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Get DomainPolicy with Powershell Script Block", "id": "a360d2b2-065a-11ec-b0bf-acde48001122", "version": 2, "date": "2022-05-02", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get DomainPolicy` commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText =\"*Get-DomainPolicy*\" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domainpolicy_with_powershell_script_block_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainPolicy/", "https://attack.mitre.org/techniques/T1201/"], "tags": {"name": "Get DomainPolicy with Powershell Script Block", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "powershell process having commandline $ScriptBlockText$ to query domain policy.", "mitre_attack_id": ["T1201"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/domainpolicy.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "get_domainpolicy_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/get_domainpolicy_with_powershell_script_block.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Get-DomainTrust with PowerShell", "id": "4fa7f846-054a-11ec-a836-acde48001122", "version": 1, "date": "2021-08-24", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies Get-DomainTrust from PowerView in order to gather domain trust information. Typically, this is utilized within a script being executed and used to enumerate the domain trust information. This grants the adversary an understanding of how large or small the domain is. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=*get-domaintrust* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domaintrust_with_powershell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Limited false positives as this requires an active Administrator or adversary to bring in, import, and execute.", "references": ["https://blog.harmj0y.net/redteaming/a-guide-to-attacking-domain-trusts/"], "tags": {"name": "Get-DomainTrust with PowerShell", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 40, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Suspicious PowerShell Get-DomainTrust was identified on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1482"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "get_domaintrust_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/get_domaintrust_with_powershell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Get-DomainTrust with PowerShell Script Block", "id": "89275e7e-0548-11ec-bf75-acde48001122", "version": 2, "date": "2022-05-02", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \\\nThis analytic identifies Get-DomainTrust from PowerView in order to gather domain trust information. \\\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*get-domaintrust*\" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domaintrust_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "It is possible certain system management frameworks utilize this command to gather trust information.", "references": ["https://blog.harmj0y.net/redteaming/a-guide-to-attacking-domain-trusts/", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/"], "tags": {"name": "Get-DomainTrust with PowerShell Script Block", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 40, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Suspicious PowerShell Get-DomainTrust was identified on endpoint $Computer$ by user $UserID$.", "mitre_attack_id": ["T1482"], "nist": ["DE.CM"], "observable": [{"name": "UserID", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/domaintrust.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "get_domaintrust_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/get_domaintrust_with_powershell_script_block.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Get DomainUser with PowerShell", "id": "9a5a41d6-04e7-11ec-923c-acde48001122", "version": 1, "date": "2021-08-24", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to enumerate domain users. `Get-DomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain users for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"cmd.exe\" OR Processes.process_name=\"powershell*\") AND Processes.process = \"*Get-DomainUser*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domainuser_with_powershell_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainUser/"], "tags": {"name": "Get DomainUser with PowerShell", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "mitre_attack_id": ["T1087.002", "T1087"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id", "Processes.parent_process_name"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "get_domainuser_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/get_domainuser_with_powershell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Get DomainUser with PowerShell Script Block", "id": "61994268-04f4-11ec-865c-acde48001122", "version": 3, "date": "2022-11-13", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` commandlet. `GetDomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may use PowerView to enumerate domain users for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-DomainUser*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domainuser_with_powershell_script_block_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainUser/"], "tags": {"name": "Get DomainUser with PowerShell Script Block", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "powershell process having commandline $Message$ for user enumeration", "mitre_attack_id": ["T1087.002", "T1087"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Message", "ComputerName", "User"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "get_domainuser_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/get_domainuser_with_powershell_script_block.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Get-ForestTrust with PowerShell", "id": "584f4884-0bf1-11ec-a5ec-acde48001122", "version": 1, "date": "2021-09-02", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies Get-ForestTrust from PowerSploit in order to gather domain trust information. Typically, this is utilized within a script being executed and used to enumerate the domain trust information. This grants the adversary an understanding of how large or small the domain is. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe OR Processes.process_name=cmd.exe Processes.process=*get-foresttrust* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_foresttrust_with_powershell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Limited false positives as this requires an active Administrator or adversary to bring in, import, and execute.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Get-ForestTrust/"], "tags": {"name": "Get-ForestTrust with PowerShell", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 40, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Suspicious PowerShell Get-ForestTrust was identified on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1482"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "get_foresttrust_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/get_foresttrust_with_powershell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Get-ForestTrust with PowerShell Script Block", "id": "70fac80e-0bf1-11ec-9ba0-acde48001122", "version": 2, "date": "2022-02-24", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \\\nThis analytic identifies Get-ForestTrust from PowerSploit in order to gather domain trust information. \\\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*get-foresttrust*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_foresttrust_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives may be present. Tune as needed.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Get-ForestTrust/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"name": "Get-ForestTrust with PowerShell Script Block", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 40, "impact": 30, "kill_chain_phases": ["Exploitation", "Installation"], "message": "Suspicious PowerShell Get-ForestTrust was identified on endpoint $Computer$ by user $UserID$.", "mitre_attack_id": ["T1482", "T1059.001"], "nist": ["DE.CM"], "observable": [{"name": "UserID", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ScriptBlockText", "Path", "Opcode", "Computer", "UserID"], "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/discovery/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "get_foresttrust_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/get_foresttrust_with_powershell_script_block.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Get WMIObject Group Discovery", "id": "5434f670-155d-11ec-8cca-acde48001122", "version": 1, "date": "2021-09-14", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following hunting analytic identifies the use of `Get-WMIObject Win32_Group` being used with PowerShell to identify local groups on the endpoint. \\ Typically, by itself, is not malicious but may raise suspicion based on time of day, endpoint and username. \\ During triage, review parallel processes and identify any further suspicious behavior.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=powershell.exe OR processes.process_name=cmd.exe) (Processes.process=\"*Get-WMIObject*\" AND Processes.process=\"*Win32_Group*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `get_wmiobject_group_discovery_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present. Tune as needed.", "references": ["https://attack.mitre.org/techniques/T1069/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"], "tags": {"name": "Get WMIObject Group Discovery", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "System group discovery on $dest$ by $user$.", "mitre_attack_id": ["T1069", "T1069.001"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "admin@338"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "get_wmiobject_group_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/get_wmiobject_group_discovery.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Get WMIObject Group Discovery with Script Block Logging", "id": "69df7f7c-155d-11ec-a055-acde48001122", "version": 2, "date": "2022-03-22", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \\\nThis analytic identifies the usage of `Get-WMIObject Win32_Group`, which is typically used as a way to identify groups on the endpoint. Typically, by itself, is not malicious but may raise suspicion based on time of day, endpoint and username. \\\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-WMIObject*\" AND ScriptBlockText = \"*Win32_Group*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_wmiobject_group_discovery_with_script_block_logging_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives may be present. Tune as needed.", "references": ["https://www.splunk.com/en_us/blog/security/powershell-detections-threat-research-release-august-2021.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/"], "tags": {"name": "Get WMIObject Group Discovery with Script Block Logging", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "System group discovery enumeration on $dest$ by $user$.", "mitre_attack_id": ["T1069", "T1069.001"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Message", "ComputerName", "User"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "admin@338"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "get_wmiobject_group_discovery_with_script_block_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/get_wmiobject_group_discovery_with_script_block_logging.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "GetAdComputer with PowerShell", "id": "c5a31f80-5888-4d81-9f78-1cc65026316e", "version": 1, "date": "2021-09-07", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. The `Get-AdComputer' commandlet returns a list of all domain computers. Red Teams and adversaries alike may use this commandlet to identify remote systems for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-AdComputer*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getadcomputer_with_powershell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1018/"], "tags": {"name": "GetAdComputer with PowerShell", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Remote system discovery enumeration on $dest$ by $user$", "mitre_attack_id": ["T1018"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "getadcomputer_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getadcomputer_with_powershell.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "GetAdComputer with PowerShell Script Block", "id": "a9a1da02-8e27-4bf7-a348-f4389c9da487", "version": 3, "date": "2022-05-02", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-AdGroup` commandlet. The `Get-AdGroup` commandlet is used to return a list of all domain computers. Red Teams and adversaries may leverage this commandlet to enumerate domain computers for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-AdComputer*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getadcomputer_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=windowsserver2019-ps"], "tags": {"name": "GetAdComputer with PowerShell Script Block", "analytic_story": ["Active Directory Discovery", "CISA AA22-320A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Remote system discovery enumeration on $Computer$ by $UserID$", "mitre_attack_id": ["T1018"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "getadcomputer_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getadcomputer_with_powershell_script_block.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "GetAdGroup with PowerShell", "id": "872e3063-0fc4-4e68-b2f3-f2b99184a708", "version": 1, "date": "2021-08-25", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. The `Get-AdGroup` commandlnet is used to return a list of all groups available in a Windows Domain. Red Teams and adversaries alike may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-AdGroup*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getadgroup_with_powershell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=windowsserver2019-ps"], "tags": {"name": "GetAdGroup with PowerShell", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Domain group discovery enumeration on $dest$ by $user$", "mitre_attack_id": ["T1069", "T1069.002"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "getadgroup_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getadgroup_with_powershell.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "GetAdGroup with PowerShell Script Block", "id": "e4c73d68-794b-468d-b4d0-dac1772bbae7", "version": 2, "date": "2022-03-22", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-AdGroup` commandlet. The `Get-AdGroup` commandlet is used to return a list of all domain groups. Red Teams and adversaries may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-ADGroup*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getadgroup_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=windowsserver2019-ps"], "tags": {"name": "GetAdGroup with PowerShell Script Block", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Domain group discovery enumeration using PowerShell on $dest$ by $user$", "mitre_attack_id": ["T1069", "T1069.002"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Message", "ComputerName", "User"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "getadgroup_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getadgroup_with_powershell_script_block.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "GetCurrent User with PowerShell", "id": "7eb9c3d5-c98c-4088-acc5-8240bad15379", "version": 1, "date": "2021-09-13", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `powerhsell.exe` with command-line arguments that execute the `GetCurrent` method of the WindowsIdentity .NET class. This method returns an object that represents the current Windows user. Red Teams and adversaries may leverage this method to identify the logged user on a compromised endpoint for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*System.Security.Principal.WindowsIdentity* OR Processes.process=*GetCurrent()*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getcurrent_user_with_powershell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1033/"], "tags": {"name": "GetCurrent User with PowerShell", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "System user discovery on $dest$", "mitre_attack_id": ["T1033"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Windshift", "Wizard Spider", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "getcurrent_user_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getcurrent_user_with_powershell.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "GetCurrent User with PowerShell Script Block", "id": "80879283-c30f-44f7-8471-d1381f6d437a", "version": 2, "date": "2022-03-22", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `GetCurrent` method of the WindowsIdentity .NET class. This method returns an object that represents the current Windows user. Red Teams and adversaries may leverage this method to identify the logged user on a compromised endpoint for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*[System.Security.Principal.WindowsIdentity]*\" ScriptBlockText = \"*GetCurrent()*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getcurrent_user_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1033/", "https://docs.microsoft.com/en-us/dotnet/api/system.security.principal.windowsidentity.getcurrent?view=net-6.0&viewFallbackFrom=net-5.0"], "tags": {"name": "GetCurrent User with PowerShell Script Block", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "System user discovery on $dest$", "mitre_attack_id": ["T1033"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Path", "Message", "OpCode", "ComputerName", "User", "EventCode"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Windshift", "Wizard Spider", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "getcurrent_user_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getcurrent_user_with_powershell_script_block.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "GetDomainComputer with PowerShell", "id": "ed550c19-712e-43f6-bd19-6f58f61b3a5e", "version": 1, "date": "2021-09-07", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. `Get-DomainComputer` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain groups for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-DomainComputer*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getdomaincomputer_with_powershell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use PowerView for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1018/"], "tags": {"name": "GetDomainComputer with PowerShell", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Remote system discovery enumeration on $dest$ by $user$", "mitre_attack_id": ["T1018"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "getdomaincomputer_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getdomaincomputer_with_powershell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "GetDomainComputer with PowerShell Script Block", "id": "f64da023-b988-4775-8d57-38e512beb56e", "version": 2, "date": "2022-05-02", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainComputer` commandlet. `GetDomainComputer` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may use PowerView to enumerate domain computers for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-DomainComputer*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getdomaincomputer_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use PowerView for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainComputer/"], "tags": {"name": "GetDomainComputer with PowerShell Script Block", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Remote system discovery with PowerView on $Computer$ by $user$", "mitre_attack_id": ["T1018"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "getdomaincomputer_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getdomaincomputer_with_powershell_script_block.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "GetDomainController with PowerShell", "id": "868ee0e4-52ab-484a-833a-6d85b7c028d0", "version": 1, "date": "2021-09-07", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. `Get-DomainController` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain groups for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-DomainController*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getdomaincontroller_with_powershell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use PowerView for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainController/"], "tags": {"name": "GetDomainController with PowerShell", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Remote system discovery using PowerView on $dest$ by $user$", "mitre_attack_id": ["T1018"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "getdomaincontroller_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getdomaincontroller_with_powershell.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "GetDomainController with PowerShell Script Block", "id": "676b600a-a94d-4951-b346-11329431e6c1", "version": 2, "date": "2022-05-02", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainController` commandlet. `Get-DomainController` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may use PowerView to enumerate domain computers for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-DomainController*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getdomaincontroller_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainController/"], "tags": {"name": "GetDomainController with PowerShell Script Block", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Remote system discovery with PowerView on $Computer$ by $UserID$", "mitre_attack_id": ["T1018"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/getdc.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "getdomaincontroller_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getdomaincontroller_with_powershell_script_block.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "GetDomainGroup with PowerShell", "id": "93c94be3-bead-4a60-860f-77ca3fe59903", "version": 1, "date": "2021-08-25", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. `Get-DomainGroup` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain groups for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-DomainGroup*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getdomaingroup_with_powershell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainGroup/"], "tags": {"name": "GetDomainGroup with PowerShell", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Domain group discovery with PowerView on $dest$ by $user$", "mitre_attack_id": ["T1069", "T1069.002"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "getdomaingroup_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getdomaingroup_with_powershell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "GetDomainGroup with PowerShell Script Block", "id": "09725404-a44f-4ed3-9efa-8ed5d69e4c53", "version": 2, "date": "2022-05-02", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainGroup` commandlet. `Get-DomainGroup` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. As the name suggests, `Get-DomainGroup` is used to query domain groups. Red Teams and adversaries may leverage this function to enumerate domain groups for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-DomainGroup*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getdomaingroup_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerView functions for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainGroup/"], "tags": {"name": "GetDomainGroup with PowerShell Script Block", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Domain group discovery enumeration using PowerView on $Computer$ by $UserID$", "mitre_attack_id": ["T1069", "T1069.002"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/domaingroup.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "getdomaingroup_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getdomaingroup_with_powershell_script_block.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "GetLocalUser with PowerShell", "id": "85fae8fa-0427-11ec-8b78-acde48001122", "version": 1, "date": "2021-08-23", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for local users. The `Get-LocalUser` commandlet is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-LocalUser*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getlocaluser_with_powershell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1087/001/"], "tags": {"name": "GetLocalUser with PowerShell", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Local user discovery enumeration using PowerShell on $dest$ by $user$", "mitre_attack_id": ["T1087", "T1087.001"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "getlocaluser_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getlocaluser_with_powershell.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "GetLocalUser with PowerShell Script Block", "id": "2e891cbe-0426-11ec-9c9c-acde48001122", "version": 2, "date": "2022-03-22", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-LocalUser` commandlet. The `Get-LocalUser` commandlet is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-LocalUser*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getlocaluser_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1087/001/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"name": "GetLocalUser with PowerShell Script Block", "analytic_story": ["Active Directory Discovery", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation", "Installation"], "message": "Local user discovery enumeration using PowerShell on $Computer$ by $user$", "mitre_attack_id": ["T1087", "T1087.001", "T1059.001"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ScriptBlockText", "Computer", "UserID"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "getlocaluser_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getlocaluser_with_powershell_script_block.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "GetNetTcpconnection with PowerShell", "id": "e02af35c-1de5-4afe-b4be-f45aba57272b", "version": 1, "date": "2021-08-25", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `powershell.exe` with command-line utilized to get a listing of network connections on a compromised system. The `Get-NetTcpConnection` commandlet lists the current TCP connections. Red Teams and adversaries alike may use this commandlet for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-NetTcpConnection*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getnettcpconnection_with_powershell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1049/", "https://docs.microsoft.com/en-us/powershell/module/nettcpip/get-nettcpconnection?view=windowsserver2019-ps"], "tags": {"name": "GetNetTcpconnection with PowerShell", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Network Connection discovery on $dest$ by $user$", "mitre_attack_id": ["T1049"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1049/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "getnettcpconnection_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getnettcpconnection_with_powershell.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "GetNetTcpconnection with PowerShell Script Block", "id": "091712ff-b02a-4d43-82ed-34765515d95d", "version": 2, "date": "2022-04-02", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-NetTcpconnection ` commandlet. This commandlet is used to return a listing of network connections on a compromised system. Red Teams and adversaries alike may use this commandlet for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-NetTcpconnection*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getnettcpconnection_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1049/", "https://docs.microsoft.com/en-us/powershell/module/nettcpip/get-nettcpconnection?view=windowsserver2019-ps"], "tags": {"name": "GetNetTcpconnection with PowerShell Script Block", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Network Connection discovery on $Computer$ by $user$", "mitre_attack_id": ["T1049"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/nettcpconnection.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "getnettcpconnection_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getnettcpconnection_with_powershell_script_block.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "GetWmiObject Ds Computer with PowerShell", "id": "7141122c-3bc2-4aaa-ab3b-7a85a0bbefc3", "version": 1, "date": "2021-09-07", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. The `Get-WmiObject` commandlet combined with the `DS_Computer` parameter can be used to return a list of all domain computers. Red Teams and adversaries alike may leverage WMI in this case, using PowerShell, to enumerate domain groups for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-WmiObject* AND Processes.process=\"*namespace root\\\\directory\\\\ldap*\" AND Processes.process=\"*class ds_computer*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_computer_with_powershell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1018/"], "tags": {"name": "GetWmiObject Ds Computer with PowerShell", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Remote system discovery enumeration using WMI on $dest$ by $user$", "mitre_attack_id": ["T1018"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 21, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "getwmiobject_ds_computer_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getwmiobject_ds_computer_with_powershell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "GetWmiObject Ds Computer with PowerShell Script Block", "id": "29b99201-723c-4118-847a-db2b3d3fb8ea", "version": 2, "date": "2022-05-02", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet. The `DS_Computer` class parameter leverages WMI to query for all domain computers. Red Teams and adversaries may leverage this commandlet to enumerate domain computers for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (ScriptBlockText=*Get-WmiObject* AND ScriptBlockText=\"*namespace root\\\\directory\\\\ldap*\" AND ScriptBlockText=\"*class ds_computer*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getwmiobject_ds_computer_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1"], "tags": {"name": "GetWmiObject Ds Computer with PowerShell Script Block", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Remote system discovery enumeration on $Computer$ by $UserID$", "mitre_attack_id": ["T1018"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "getwmiobject_ds_computer_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getwmiobject_ds_computer_with_powershell_script_block.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "GetWmiObject Ds Group with PowerShell", "id": "df275a44-4527-443b-b884-7600e066e3eb", "version": 1, "date": "2021-08-25", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. The `Get-WmiObject` commandlet combined with the `-class ds_group` parameter can be used to return the full list of groups in a Windows domain. Red Teams and adversaries alike may leverage WMI in this case, using PowerShell, to enumerate domain groups for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-WmiObject* AND Processes.process=\"*namespace root\\\\directory\\\\ldap*\" AND Processes.process=\"*class ds_group*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_group_with_powershell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1"], "tags": {"name": "GetWmiObject Ds Group with PowerShell", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Domain group discovery enumeration on $dest$ by $user$", "mitre_attack_id": ["T1069", "T1069.002"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "getwmiobject_ds_group_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getwmiobject_ds_group_with_powershell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "GetWmiObject Ds Group with PowerShell Script Block", "id": "67740bd3-1506-469c-b91d-effc322cc6e5", "version": 2, "date": "2022-05-02", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet used with specific parameters . The `DS_Group` parameter leverages WMI to query for all domain groups. Red Teams and adversaries may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (ScriptBlockText=*Get-WmiObject* AND ScriptBlockText=\"*namespace root\\\\directory\\\\ldap*\" AND ScriptBlockText=\"*class ds_group*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getwmiobject_ds_group_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1"], "tags": {"name": "GetWmiObject Ds Group with PowerShell Script Block", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Domain group discovery enumeration using PowerShell on $Computer$ by $UserID$", "mitre_attack_id": ["T1069", "T1069.002"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "getwmiobject_ds_group_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getwmiobject_ds_group_with_powershell_script_block.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "GetWmiObject DS User with PowerShell", "id": "22d3b118-04df-11ec-8fa3-acde48001122", "version": 1, "date": "2021-08-24", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain users. The `Get-WmiObject` commandlet combined with the `-class ds_user` parameter can be used to return the full list of users in a Windows domain. Red Teams and adversaries alike may leverage WMI in this case, using PowerShell, to enumerate domain users for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"cmd.exe\" OR Processes.process_name=\"powershell*\") AND Processes.process = \"*get-wmiobject*\" AND Processes.process = \"*ds_user*\" AND Processes.process = \"*root\\\\directory\\\\ldap*\" AND Processes.process = \"*-namespace*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_user_with_powershell_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://jpcertcc.github.io/ToolAnalysisResultSheet/details/dsquery.htm"], "tags": {"name": "GetWmiObject DS User with PowerShell", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "mitre_attack_id": ["T1087.002", "T1087"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id", "Processes.parent_process_name"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "getwmiobject_ds_user_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getwmiobject_ds_user_with_powershell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "GetWmiObject DS User with PowerShell Script Block", "id": "fabd364e-04f3-11ec-b34b-acde48001122", "version": 2, "date": "2022-05-02", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet. The `DS_User` class parameter leverages WMI to query for all domain users. Red Teams and adversaries may leverage this commandlet to enumerate domain users for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*get-wmiobject*\" ScriptBlockText = \"*ds_user*\" ScriptBlockText = \"*-namespace*\" ScriptBlockText = \"*root\\\\directory\\\\ldap*\" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_user_with_powershell_script_block_filter`", "how_to_implement": "he following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://www.blackhillsinfosec.com/red-blue-purple/", "https://docs.microsoft.com/en-us/windows/win32/wmisdk/describing-the-ldap-namespace"], "tags": {"name": "GetWmiObject DS User with PowerShell Script Block", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "powershell process having commandline $ScriptBlockText$ for user enumeration", "mitre_attack_id": ["T1087.002", "T1087"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "getwmiobject_ds_user_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getwmiobject_ds_user_with_powershell_script_block.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "GetWmiObject User Account with PowerShell", "id": "b44f6ac6-0429-11ec-87e9-acde48001122", "version": 1, "date": "2023-04-05", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query local users. The `Get-WmiObject` commandlet combined with the `Win32_UserAccount` parameter is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-WmiObject* AND Processes.process=*Win32_UserAccount*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_user_account_with_powershell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1087/001/"], "tags": {"name": "GetWmiObject User Account with PowerShell", "analytic_story": ["Winter Vivern", "Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Local user discovery enumeration using PowerShell on $dest$ by $user$", "mitre_attack_id": ["T1087", "T1087.001"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "getwmiobject_user_account_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getwmiobject_user_account_with_powershell.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "GetWmiObject User Account with PowerShell Script Block", "id": "640b0eda-0429-11ec-accd-acde48001122", "version": 2, "date": "2023-04-05", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet used with specific parameters. The `Win32_UserAccount` parameter is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (ScriptBlockText=\"*Get-WmiObject*\" AND ScriptBlockText=\"*Win32_UserAccount*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `getwmiobject_user_account_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1087/001/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"name": "GetWmiObject User Account with PowerShell Script Block", "analytic_story": ["Winter Vivern", "Active Directory Discovery", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation", "Installation"], "message": "Local user discovery enumeration using PowerShell on $Computer$ by $UserID$", "mitre_attack_id": ["T1087", "T1087.001", "T1059.001"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ScriptBlockText", "Computer", "UserID"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "getwmiobject_user_account_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getwmiobject_user_account_with_powershell_script_block.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "GPUpdate with no Command Line Arguments with Network", "id": "2c853856-a140-11eb-a5b5-acde48001122", "version": 2, "date": "2022-03-15", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies gpupdate.exe with no command line arguments and with a network connection. It is unusual for gpupdate.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. gpupdate.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=gpupdate.exe by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(gpupdate\\.exe.{0,4}$)\"| join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time dest parent_process_name process_name process_path process process_id dest_port C2 | `gpupdate_with_no_command_line_arguments_with_network_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Limited false positives may be present in small environments. Tuning may be required based on parent process.", "references": ["https://raw.githubusercontent.com/xx0hcd/Malleable-C2-Profiles/0ef8cf4556e26f6d4190c56ba697c2159faa5822/crimeware/trick_ryuk.profile", "https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/"], "tags": {"name": "GPUpdate with no Command Line Arguments with Network", "analytic_story": ["Cobalt Strike"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "Process gpupdate.exe with parent_process $parent_process_name$ is executed on $dest$ by user $user$, followed by an outbound network connection to $connection_to_CNC$ on port $dest_port$. This behaviour is seen with cobaltstrike.", "mitre_attack_id": ["T1055"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process", "Attacker"]}, {"name": "connection_to_CNC", "type": "IP Address", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventID", "process_name", "process_id", "parent_process_name", "dest_port", "process_path"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint", "Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "gpupdate_with_no_command_line_arguments_with_network_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Hide User Account From Sign-In Screen", "id": "834ba832-ad89-11eb-937d-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies a suspicious registry modification to hide a user account on the Windows Login screen. This technique was seen in some tradecraft where the adversary will create a hidden user account with Admin privileges in login screen to avoid noticing by the user that they already compromise and to persist on that said machine.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccounts\\\\Userlist*\" AND Registry.registry_value_data = \"0x00000000\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `hide_user_account_from_sign_in_screen_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "Unknown. Filter as needed.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"name": "Hide User Account From Sign-In Screen", "analytic_story": ["XMRig", "Windows Registry Abuse", "Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "Suspicious registry modification ($registry_value_name$) which is used go hide a user account on the Windows Login screen detected on $dest$ executed by $user$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "registry_value_name", "type": "Other", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/hotkey_disabled_hidden_user/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "hide_user_account_from_sign_in_screen_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/hide_user_account_from_sign_in_screen.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Hiding Files And Directories With Attrib exe", "id": "6e5a3ae4-90a3-462d-9aa6-0119f638c0f1", "version": 4, "date": "2020-07-21", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "Attackers leverage an existing Windows binary, attrib.exe, to mark specific as hidden by using specific flags so that the victim does not see the file. The search looks for specific command-line arguments to detect the use of attrib.exe to hide files.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=attrib.exe (Processes.process=*+h*) by Processes.parent_process Processes.process_name Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| `hiding_files_and_directories_with_attrib_exe_filter` ", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "Some applications and users may legitimately use attrib.exe to interact with the files. ", "references": [], "tags": {"name": "Hiding Files And Directories With Attrib exe", "analytic_story": ["Windows Defense Evasion Tactics", "Windows Persistence Techniques", "Azorult"], "asset_type": "", "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "Attrib.exe with +h flag to hide files on $dest$ executed by $user$ is detected.", "mitre_attack_id": ["T1222", "T1222.001"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process", "type": "Other", "role": ["Attacker", "Parent Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.process_name", "Processes.parent_process", "Processes.user", "Processes.dest"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1222.001", "mitre_attack_technique": "Windows File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "hiding_files_and_directories_with_attrib_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "High Frequency Copy Of Files In Network Share", "id": "40925f12-4709-11ec-bb43-acde48001122", "version": 1, "date": "2021-11-16", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to detect a suspicious high frequency copying/moving of files in network share as part of information sabotage. This anomaly event can be a good indicator of insider trying to sabotage data by transfering classified or internal files within network share to exfitrate it after or to lure evidence of insider attack to other user. This behavior may catch several noise if network share is a common place for classified or internal document processing.", "data_source": ["Sysmon Event ID 5"], "search": "`wineventlog_security` EventCode=5145 Relative_Target_Name IN (\"*.doc\",\"*.docx\",\"*.xls\",\"*.xlsx\",\"*.ppt\",\"*.pptx\",\"*.log\",\"*.txt\",\"*.db\",\"*.7z\",\"*.zip\",\"*.rar\",\"*.tar\",\"*.gz\",\"*.jpg\",\"*.gif\",\"*.png\",\"*.bmp\",\"*.pdf\",\"*.rtf\",\"*.key\") Object_Type=File Share_Name IN (\"\\\\\\\\*\\\\C$\",\"\\\\\\\\*\\\\IPC$\",\"\\\\\\\\*\\\\admin$\") Access_Mask= \"0x2\" | bucket _time span=5m | stats values(Relative_Target_Name) as valRelativeTargetName, values(Share_Name) as valShareName, values(Object_Type) as valObjectType, values(Access_Mask) as valAccessmask, values(src_port) as valSrcPort, values(Source_Address) as valSrcAddress count as numShareName by dest, _time, EventCode, user | eventstats avg(numShareName) as avgShareName, stdev(numShareName) as stdShareName, count as numSlots by dest, _time, EventCode, user | eval upperThreshold=(avgShareName + stdShareName *3) | eval isOutlier=if(avgShareName > 20 and avgShareName >= upperThreshold, 1, 0) | search isOutlier=1 | `high_frequency_copy_of_files_in_network_share_filter`", "how_to_implement": "o successfully implement this search, you need to be ingesting Windows Security Event Logs with 5145 EventCode enabled. The Windows TA is also required. Also enable the object Audit access success/failure in your group policy.", "known_false_positives": "this behavior may seen in normal transfer of file within network if network share is common place for sharing documents.", "references": ["https://attack.mitre.org/techniques/T1537/"], "tags": {"name": "High Frequency Copy Of Files In Network Share", "analytic_story": ["Information Sabotage", "Insider Threat"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Actions on Objectives"], "message": "high frequency copy of document in network share $Share_Name$ from $Source_Address$ by $user$", "mitre_attack_id": ["T1537"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Share_Name", "Relative_Target_Name", "Object_Type", "Access_Mask", "user", "src_port", "Source_Address"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/high_copy_files_in_net_share/security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "high_frequency_copy_of_files_in_network_share_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/high_frequency_copy_of_files_in_network_share.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "High Process Termination Frequency", "id": "17cd75b2-8666-11eb-9ab4-acde48001122", "version": 2, "date": "2022-09-14", "author": "Teoderick Contreras", "type": "Anomaly", "status": "production", "description": "This analytic is designed to identify a high frequency of process termination events on a computer in a short period of time, which is a common behavior of ransomware malware before encrypting files. This technique is designed to avoid an exception error while accessing (docs, images, database and etc..) in the infected machine for encryption.", "data_source": ["Sysmon Event ID 5"], "search": "`sysmon` EventCode=5 |bin _time span=3s |stats values(Image) as proc_terminated min(_time) as firstTime max(_time) as lastTime count by _time Computer EventCode ProcessID | where count >= 15 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `high_process_termination_frequency_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Image (process full path of terminated process) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "admin or user tool that can terminate multiple process.", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html"], "tags": {"name": "High Process Termination Frequency", "analytic_story": ["Clop Ransomware", "LockBit Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "message": "High frequency process termination (more than 15 processes within 3s) detected on host $Computer$", "mitre_attack_id": ["T1486"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}, {"name": "proc_terminated", "type": "Process", "role": ["Target"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["EventCode", "Image", "Computer", "_time", "ProcessID"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "high_process_termination_frequency_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/high_process_termination_frequency.yml", "source": "endpoint"}, {"name": "Hunting 3CXDesktopApp Software", "id": "553d0429-1a1c-44bf-b3f5-a8513deb9ee5", "version": 1, "date": "2023-03-30", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The hunting analytic outlined below is designed to detect any version of the 3CXDesktopApp, also known as the 3CX Desktop App, operating on either Mac or Windows systems. It is important to note that this particular analytic employs the Endpoint datamodel Processes node, which means that the file version information is not provided. Recently, 3CX has identified a vulnerability specifically in versions 18.12.407 and 18.12.416 of the desktop app.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=3CXDesktopApp.exe OR Processes.process_name=\"3CX Desktop App\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `hunting_3cxdesktopapp_software_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "There may be false positives generated due to the reliance on version numbers for identification purposes. Despite this limitation, the primary goal of this approach is to aid in the detection of the software within the environment.", "references": ["https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/", "https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp", "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/", "https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898", "https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/"], "tags": {"name": "Hunting 3CXDesktopApp Software", "analytic_story": ["3CX Supply Chain Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Delivery"], "message": "An instance $process_name$ was identified on endpoint $dest$.", "mitre_attack_id": ["T1195.002"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2023-29059"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1195.002", "mitre_attack_technique": "Compromise Software Supply Chain", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT41", "Cobalt Group", "Dragonfly", "GOLD SOUTHFIELD", "Sandworm Team", "Threat Group-3390"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.002/3CX/3cx_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "hunting_3cxdesktopapp_software_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2023-29059", "cvss": null, "summary": "3CX DesktopApp through 18.12.416 has embedded malicious code, as exploited in the wild in March 2023. This affects versions 18.12.407 and 18.12.416 of the 3CX DesktopApp Electron Windows application shipped in Update 7, and versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 of the 3CX DesktopApp Electron macOS application."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/hunting_3cxdesktopapp_software.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Icacls Deny Command", "id": "cf8d753e-a8fe-11eb-8f58-acde48001122", "version": 1, "date": "2021-04-29", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies a potential adversary that changes the security permission of a specific file or directory. This technique is commonly seen in APT tradecraft or coinminer scripts. This behavior is meant to evade detection and prevent access to their component files.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"icacls.exe\" OR Processes.process_name = \"cacls.exe\" OR Processes.process_name = \"xcacls.exe\" AND Processes.process = \"*/deny*\" by Processes.parent_process_name Processes.process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `icacls_deny_command_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed icacls.exe may be used.", "known_false_positives": "Unknown. It is possible some administrative scripts use ICacls. Filter as needed.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"name": "Icacls Deny Command", "analytic_story": ["XMRig", "Azorult", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "Process name $process_name$ with deny argument executed by $user$ to change security permission of a specific file or directory on host $dest$", "mitre_attack_id": ["T1222"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.parent_process_name", "Processes.process_name", "Processes.dest", "Processes.user", "Processes.process_id", "Processes.process"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "icacls_deny_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/icacls_deny_command.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "ICACLS Grant Command", "id": "b1b1e316-accc-11eb-a9b4-acde48001122", "version": 1, "date": "2021-05-04", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies potential adversaries that modify the security permission of a specific file or directory. This technique is commonly seen in APT tradecraft and coinminer scripts to evade detections and restrict access to their component files.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"icacls.exe\" OR Processes.process_name = \"cacls.exe\" OR Processes.process_name = \"xcacls.exe\" AND Processes.process = \"*/grant*\" by Processes.parent_process_name Processes.process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `icacls_grant_command_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed icacls.exe may be used.", "known_false_positives": "Unknown. Filter as needed.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"name": "ICACLS Grant Command", "analytic_story": ["XMRig", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Process name $process_name$ with grant argument executed by $user$ to change security permission of a specific file or directory on host $dest$", "mitre_attack_id": ["T1222"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.parent_process_name", "Processes.process_name", "Processes.dest", "Processes.user", "Processes.process_id", "Processes.process"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "icacls_grant_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/icacls_grant_command.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "IcedID Exfiltrated Archived File Creation", "id": "0db4da70-f14b-11eb-8043-acde48001122", "version": 1, "date": "2021-07-30", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "This search is to detect a suspicious file creation namely passff.tar and cookie.tar. This files are possible archived of stolen browser information like history and cookies in a compromised machine with IcedID.", "data_source": [], "search": "`sysmon` EventCode= 11 (TargetFilename = \"*\\\\passff.tar\" OR TargetFilename = \"*\\\\cookie.tar\") |stats count min(_time) as firstTime max(_time) as lastTime by TargetFilename EventCode process_id process_name Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `icedid_exfiltrated_archived_file_creation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "references": ["https://www.cisecurity.org/insights/white-papers/security-primer-icedid"], "tags": {"name": "IcedID Exfiltrated Archived File Creation", "analytic_story": ["IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "process $SourceImage$ create a file $TargetImage$ in host $Computer$", "mitre_attack_id": ["T1560.001", "T1560"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "TargetFilename", "EventCode", "process_id", "process_name", "Computer"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "Turla", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "icedid_exfiltrated_archived_file_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml", "source": "endpoint"}, {"name": "Impacket Lateral Movement Commandline Parameters", "id": "8ce07472-496f-11ec-ab3b-3e22fbd008af", "version": 3, "date": "2023-04-14", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the presence of suspicious commandline parameters typically present when using Impacket tools. Impacket is a collection of python classes meant to be used with Microsoft network protocols. There are multiple scripts that leverage impacket libraries like `wmiexec.py`, `smbexec.py`, `dcomexec.py` and `atexec.py` used to execute commands on remote endpoints. By default, these scripts leverage administrative shares and hardcoded parameters that can be used as a signature to detect its use. Red Teams and adversaries alike may leverage Impackets tools for lateral movement and remote code execution.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe (Processes.process = \"*/Q /c * \\\\\\\\127.0.0.1\\\\*$*\" AND Processes.process IN (\"*2>&1*\",\"*2>&1*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `impacket_lateral_movement_commandline_parameters_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints.", "known_false_positives": "Although uncommon, Administrators may leverage Impackets tools to start a process on remote systems for system administration or automation use cases.", "references": ["https://attack.mitre.org/techniques/T1021/002/", "https://attack.mitre.org/techniques/T1021/003/", "https://attack.mitre.org/techniques/T1047/", "https://attack.mitre.org/techniques/T1053/", "https://attack.mitre.org/techniques/T1053/005/", "https://github.com/SecureAuthCorp/impacket", "https://vk9-sec.com/impacket-remote-code-execution-rce-on-windows-from-linux/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"name": "Impacket Lateral Movement Commandline Parameters", "analytic_story": ["Industroyer2", "Active Directory Lateral Movement", "Prestige Ransomware", "CISA AA22-277A", "Data Destruction", "WhisperGate", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "message": "Suspicious command line parameters on $dest$ may represent a lateral movement attack with Impackets tools", "mitre_attack_id": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/impacket/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "impacket_lateral_movement_commandline_parameters_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "id": "bb3c1bac-6bdf-4aa0-8dc9-068b8b712a76", "version": 1, "date": "2023-04-25", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "This analytic focuses on identifying suspicious command-line parameters commonly associated with the use of Impacket wmiexec.py. Impacket is a set of Python classes designed for working with Microsoft network protocols, and it includes several scripts like wmiexec.py, smbexec.py, dcomexec.py, and atexec.py that enable command execution on remote endpoints. These scripts typically utilize administrative shares and hardcoded parameters, which can serve as signatures to detect their usage. Both Red Teams and adversaries may employ Impacket tools for lateral movement and remote code execution purposes. By monitoring for these specific command-line indicators, the analytic aims to detect potentially malicious activities related to Impacket tool usage.", "data_source": ["Sysmon Event ID 1", "Windows Security 4688"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | where match(process, \"(?i)cmd\\.exe\\s+\\/Q\\s+\\/c\") AND match(process,\"(?i)echo\\s+cd\") AND match(process, \"(?i)\\\\__output\") AND match(process, \"(?i)C:\\\\\\\\Windows\\\\\\\\[a-zA-Z]{1,8}\\\\.bat\") AND match(process, \"\\\\\\\\127\\.0\\.0\\.1\\\\.*\") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `impacket_lateral_movement_smbexec_commandline_parameters_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Although uncommon, Administrators may leverage Impackets tools to start a process on remote systems for system administration or automation use cases.", "references": ["https://attack.mitre.org/techniques/T1021/002/", "https://attack.mitre.org/techniques/T1021/003/", "https://attack.mitre.org/techniques/T1047/", "https://attack.mitre.org/techniques/T1053/", "https://attack.mitre.org/techniques/T1053/005/", "https://github.com/SecureAuthCorp/impacket", "https://vk9-sec.com/impacket-remote-code-execution-rce-on-windows-from-linux/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "analytic_story": ["Industroyer2", "Active Directory Lateral Movement", "Prestige Ransomware", "CISA AA22-277A", "Data Destruction", "WhisperGate", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "message": "Suspicious command-line parameters on $dest$ may represent lateral movement using smbexec.", "mitre_attack_id": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.process_name", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "atomic_guid": [], "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/atomic_red_team/smbexec_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "impacket_lateral_movement_smbexec_commandline_parameters_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "id": "d6e464e4-5c6a-474e-82d2-aed616a3a492", "version": 1, "date": "2023-04-21", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the presence of suspicious commandline parameters typically present when using Impacket tools. Impacket is a collection of python classes meant to be used with Microsoft network protocols. There are multiple scripts that leverage impacket libraries like `wmiexec.py`, `smbexec.py`, `dcomexec.py` and `atexec.py` used to execute commands on remote endpoints. By default, these scripts leverage administrative shares and hardcoded parameters that can be used as a signature to detect its use. Red Teams and adversaries alike may leverage Impackets tools for lateral movement and remote code execution.", "data_source": ["Sysmon Event ID 1", "Windows Security 4688"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=wmiprvse.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | where match(process, \"(?i)cmd\\.exe\\s+\\/Q\\s+\\/c\") AND match(process, \"\\\\\\\\127\\.0\\.0\\.1\\\\.*\") AND match(process, \"__\\\\d{1,10}\\\\.\\\\d{1,10}\") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `impacket_lateral_movement_wmiexec_commandline_parameters_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Although uncommon, Administrators may leverage Impackets tools to start a process on remote systems for system administration or automation use cases.", "references": ["https://attack.mitre.org/techniques/T1021/002/", "https://attack.mitre.org/techniques/T1021/003/", "https://attack.mitre.org/techniques/T1047/", "https://attack.mitre.org/techniques/T1053/", "https://attack.mitre.org/techniques/T1053/005/", "https://github.com/SecureAuthCorp/impacket", "https://vk9-sec.com/impacket-remote-code-execution-rce-on-windows-from-linux/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "analytic_story": ["Industroyer2", "Active Directory Lateral Movement", "Prestige Ransomware", "CISA AA22-277A", "Data Destruction", "WhisperGate", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "message": "Suspicious command-line parameters on $dest$ may represent lateral movement using wmiexec.", "mitre_attack_id": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.process_name", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "atomic_guid": [], "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/atomic_red_team/wmiexec_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "impacket_lateral_movement_wmiexec_commandline_parameters_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Interactive Session on Remote Endpoint with PowerShell", "id": "a4e8f3a4-48b2-11ec-bcfc-3e22fbd008af", "version": 3, "date": "2022-03-22", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the usage of the `Enter-PSSession`. This commandlet can be used to open an interactive session on a remote endpoint leveraging the WinRM protocol. Red Teams and adversaries alike may abuse WinRM and `Enter-PSSession` for lateral movement and remote code execution.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (ScriptBlockText=\"*Enter-PSSession*\" AND ScriptBlockText=\"*-ComputerName*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `interactive_session_on_remote_endpoint_with_powershell_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators may leverage WinRM and `Enter-PSSession` for administrative and troubleshooting tasks. This activity is usually limited to a small set of hosts or users. In certain environments, tuning may not be possible.", "references": ["https://attack.mitre.org/techniques/T1021/006/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enter-pssession?view=powershell-7.2"], "tags": {"name": "Interactive Session on Remote Endpoint with PowerShell", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "An interactive session was opened on a remote endpoint from $ComputerName", "mitre_attack_id": ["T1021", "T1021.006"], "nist": ["DE.CM"], "observable": [{"name": "ComputerName", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Message", "ComputerName", "User"], "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "Threat Group-3390", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_pssession/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "interactive_session_on_remote_endpoint_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/interactive_session_on_remote_endpoint_with_powershell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Java Class File download by Java User Agent", "id": "8281ce42-5c50-11ec-82d2-acde48001122", "version": 1, "date": "2021-12-13", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a Java user agent performing a GET request for a .class file from the remote site. This is potentially indicative of exploitation of the Java application and may be related to current event CVE-2021-44228 (Log4Shell).", "data_source": [], "search": "| tstats count from datamodel=Web where Web.http_user_agent=\"*Java*\" Web.http_method=\"GET\" Web.url=\"*.class*\" by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `java_class_file_download_by_java_user_agent_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good.", "known_false_positives": "Filtering may be required in some instances, filter as needed.", "references": ["https://arstechnica.com/information-technology/2021/12/as-log4shell-wreaks-havoc-payroll-service-reports-ransomware-attack/"], "tags": {"name": "Java Class File download by Java User Agent", "analytic_story": ["Log4Shell CVE-2021-44228"], "asset_type": "Web Server", "cis20": ["CIS 13"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Delivery"], "message": "A Java user agent $http_user_agent$ was performing a $http_method$ to retrieve a remote class file.", "mitre_attack_id": ["T1190"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "http_user_agent", "type": "Other", "role": ["Other"]}, {"name": "http_method", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Web.http_method", "Web.url", "Web.url_length", "Web.src", "Web.dest", "Web.http_user_agent"], "risk_score": 40, "security_domain": "network", "risk_severity": "low", "cve": ["CVE-2021-44228"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/java/java.log", "source": "stream:http", "sourcetype": "stream:http"}]}], "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "java_class_file_download_by_java_user_agent_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-44228", "cvss": 9.3, "summary": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/java_class_file_download_by_java_user_agent.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Java Writing JSP File", "id": "eb65619c-4f8d-4383-a975-d352765d344b", "version": 2, "date": "2022-06-03", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the process java writing a .jsp to disk. This is potentially indicative of a web shell being written to disk. Modify and tune the analytic based on data ingested. For instance, it may be worth running a broad query for jsp file writes first before performing a join.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name IN (\"java\",\"java.exe\", \"javaw.exe\") by _time Processes.process_id Processes.process_name Processes.dest Processes.process_guid Processes.user | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_name=\"*.jsp*\" by _time Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid Filesystem.user | `drop_dm_object_name(Filesystem)` | fields _time process_guid file_path file_name file_create_time user dest process_name] | stats count min(_time) as firstTime max(_time) as lastTime by dest process_name process_guid file_name file_path file_create_time user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `java_writing_jsp_file_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives are possible and filtering may be required. Restrict by assets or filter known jsp files that are common for the environment.", "references": ["https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/", "https://github.com/TheGejr/SpringShell", "https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability"], "tags": {"name": "Java Writing JSP File", "analytic_story": ["Spring4Shell CVE-2022-22965", "Atlassian Confluence Server and Data Center CVE-2022-26134"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Delivery"], "message": "An instance of $process_name$ was identified on endpoint $dest$ writing a jsp file to disk, potentially indicative of exploitation.", "mitre_attack_id": ["T1190"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id", "Filesystem.dest", "Filesystem.file_create_time", "Filesystem.file_name", "Filesystem.file_path", "Filesystem.process_guid", "Filesystem.user"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2022-22965"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/java_write_jsp-linux-sysmon.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "java_writing_jsp_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-22965", "cvss": 7.5, "summary": "A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/java_writing_jsp_file.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Jscript Execution Using Cscript App", "id": "002f1e24-146e-11ec-a470-acde48001122", "version": 1, "date": "2021-09-13", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a execution of jscript using cscript process. Commonly when a user run jscript file it was executed by wscript.exe application. This technique was seen in FIN7 js implant to execute its malicious script using cscript process. This behavior is uncommon and a good artifacts to check further anomalies within the network", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = \"cscript.exe\" AND Processes.parent_process = \"*//e:jscript*\") OR (Processes.process_name = \"cscript.exe\" AND Processes.process = \"*//e:jscript*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `jscript_execution_using_cscript_app_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "references": ["https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation", "https://attack.mitre.org/groups/G0046/"], "tags": {"name": "Jscript Execution Using Cscript App", "analytic_story": ["FIN7", "Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "message": "Process name $process_name$ with commandline $process$ to execute jscript in $dest$", "mitre_attack_id": ["T1059", "T1059.007"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process_id", "Processes.process", "Processes.dest", "Processes.user"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_macro_js_1/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "jscript_execution_using_cscript_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/jscript_execution_using_cscript_app.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Kerberoasting spn request with RC4 encryption", "id": "5cc67381-44fa-4111-8a37-7a230943f027", "version": 4, "date": "2023-04-14", "author": "Jose Hernandez, Patrick Bareiss, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic leverages Kerberos Event 4769, A Kerberos service ticket was requested, to identify a potential kerberoasting attack against Active Directory networks. Kerberoasting allows an adversary to request kerberos tickets for domain accounts typically used as service accounts and attempt to crack them offline allowing them to obtain privileged access to the domain. This analytic looks for a specific combination of the Ticket_Options field based on common kerberoasting tools. Defenders should be aware that it may be possible for a Kerberoast attack to use different Ticket_Options.", "data_source": ["Windows Security 4769"], "search": "`wineventlog_security` EventCode=4769 Service_Name!=\"*$\" (Ticket_Options=0x40810000 OR Ticket_Options=0x40800000 OR Ticket_Options=0x40810010) Ticket_Encryption_Type=0x17 | stats count min(_time) as firstTime max(_time) as lastTime by dest, service, service_id, Ticket_Encryption_Type, Ticket_Options | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `kerberoasting_spn_request_with_rc4_encryption_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "Older systems that support kerberos RC4 by default like NetApp may generate false positives. Filter as needed", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/4e3e9c8096dde00639a6b98845ec349135554ed5/atomics/T1208/T1208.md", "https://www.hub.trimarcsecurity.com/post/trimarc-research-detecting-kerberoasting-activity"], "tags": {"name": "Kerberoasting spn request with RC4 encryption", "analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation", "Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "Potential kerberoasting attack via service principal name requests detected on $dest$", "mitre_attack_id": ["T1558", "T1558.003"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Ticket_Options", "Ticket_Encryption_Type", "dest", "service", "service_id"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/rubeus/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kerberoasting_spn_request_with_rc4_encryption_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Kerberos Pre-Authentication Flag Disabled in UserAccountControl", "id": "0cb847ee-9423-11ec-b2df-acde48001122", "version": 1, "date": "2022-02-22", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic leverages Windows Security Event 4738, `A user account was changed`, to identify a change performed on a domain user object that disables Kerberos Pre-Authentication. Disabling the Pre Authentication flag in the UserAccountControl property allows an adversary to easily perform a brute force attack against the user's password offline leveraging the ASP REP Roasting technique. Red Teams and adversaries alike who have obtained privileges in an Active Directory network may use this technique as a backdoor or a way to escalate privileges.", "data_source": ["Windows Security 4738"], "search": " `wineventlog_security` EventCode=4738 MSADChangedAttributes=\"*Don't Require Preauth' - Enabled*\" | table EventCode, Account_Name, Security_ID, MSADChangedAttributes | `kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `User Account Management` within `Account Management` needs to be enabled.", "known_false_positives": "Unknown.", "references": ["https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/"], "tags": {"name": "Kerberos Pre-Authentication Flag Disabled in UserAccountControl", "analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Kerberos Pre Authentication was Disabled for $Account_Name$", "mitre_attack_id": ["T1558", "T1558.004"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Account_Name", "Security_ID", "MSADChangedAttributes"], "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.004", "mitre_attack_technique": "AS-REP Roasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.004/powershell/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}]}], "datamodel": ["Change"], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Kerberos Pre-Authentication Flag Disabled with PowerShell", "id": "59b51620-94c9-11ec-b3d5-acde48001122", "version": 2, "date": "2022-03-22", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Set-ADAccountControl` commandlet with specific parameters. `Set-ADAccountControl` is part of the Active Directory PowerShell module used to manage Windows Active Directory networks. As the name suggests, `Set-ADAccountControl` is used to modify User Account Control values for an Active Directory domain account. With the appropiate parameters, Set-ADAccountControl allows adversaries to disable Kerberos Pre-Authentication for an account to to easily perform a brute force attack against the user's password offline leveraging the ASP REP Roasting technique. Red Teams and adversaries alike who have obtained privileges in an Active Directory network may use this technique as a backdoor or a way to escalate privileges.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Set-ADAccountControl*\" AND ScriptBlockText=\"*DoesNotRequirePreAuth:$true*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kerberos_pre_authentication_flag_disabled_with_powershell_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Although unlikely, Administrators may need to set this flag for legitimate purposes.", "references": ["https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/"], "tags": {"name": "Kerberos Pre-Authentication Flag Disabled with PowerShell", "analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Kerberos Pre Authentication was Disabled using PowerShell on $dest$", "mitre_attack_id": ["T1558", "T1558.004"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.004", "mitre_attack_technique": "AS-REP Roasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.004/powershell/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kerberos_pre_authentication_flag_disabled_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/kerberos_pre_authentication_flag_disabled_with_powershell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Kerberos Service Ticket Request Using RC4 Encryption", "id": "7d90f334-a482-11ec-908c-acde48001122", "version": 1, "date": "2022-03-15", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic leverages Kerberos Event 4769, A Kerberos service ticket was requested, to identify a potential Kerberos Service Ticket request related to a Golden Ticket attack. Adversaries who have obtained the Krbtgt account NTLM password hash may forge a Kerberos Granting Ticket (TGT) to obtain unrestricted access to an Active Directory environment. Armed with a Golden Ticket, attackers can request service tickets to move laterally and execute code on remote systems. Looking for Kerberos Service Ticket requests using the legacy RC4 encryption mechanism could represent the second stage of a Golden Ticket attack. RC4 usage should be rare on a modern network since Windows Vista & Windows Sever 2008 and newer support AES Kerberos encryption.\\ Defenders should note that if an attacker does not leverage the NTLM password hash but rather the AES key to create a golden ticket, this detection may be bypassed.", "data_source": ["Windows Security 4769"], "search": " `wineventlog_security` EventCode=4769 Service_Name=\"*$\" (Ticket_Options=0x40810000 OR Ticket_Options=0x40800000 OR Ticket_Options=0x40810010) Ticket_Encryption_Type=0x17 | stats count min(_time) as firstTime max(_time) as lastTime by dest, service, service_id, Ticket_Encryption_Type, Ticket_Options | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `kerberos_service_ticket_request_using_rc4_encryption_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "Based on Microsoft documentation, legacy systems or applications will use RC4-HMAC as the default encryption for Kerberos Service Ticket requests. Specifically, systems before Windows Server 2008 and Windows Vista. Newer systems will use AES128 or AES256.", "references": ["https://attack.mitre.org/techniques/T1558/001/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769", "https://adsecurity.org/?p=1515", "https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a", "https://en.hackndo.com/kerberos-silver-golden-tickets/"], "tags": {"name": "Kerberos Service Ticket Request Using RC4 Encryption", "analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "A Kerberos Service TTicket request with RC4 encryption was requested from $Client_Address$", "mitre_attack_id": ["T1558", "T1558.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Ticket_Options", "Ticket_Encryption_Type", "dest", "service", "service_id"], "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.001", "mitre_attack_technique": "Golden Ticket", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Ke3chang"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.001/impacket/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kerberos_service_ticket_request_using_rc4_encryption_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/kerberos_service_ticket_request_using_rc4_encryption.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Kerberos TGT Request Using RC4 Encryption", "id": "18916468-9c04-11ec-bdc6-acde48001122", "version": 1, "date": "2022-03-04", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic leverages Event 4768, A Kerberos authentication ticket (TGT) was requested, to identify a TGT request with encryption type 0x17, or RC4-HMAC. This encryption type is no longer utilized by newer systems and could represent evidence of an OverPass The Hash attack. Similar to Pass The Hash, OverPass The Hash is a form of credential theft that allows adversaries to move laterally or consume resources in a target network. Leveraging this attack, an adversary who has stolen the NTLM hash of a valid domain account is able to authenticate to the Kerberos Distribution Center(KDC) on behalf of the legitimate account and obtain a Kerberos TGT ticket. Depending on the privileges of the compromised account, this ticket may be used to obtain unauthorized access to systems and other network resources.", "data_source": ["Windows Security 4768"], "search": " `wineventlog_security` EventCode=4768 Ticket_Encryption_Type=0x17 Account_Name!=*$ | `kerberos_tgt_request_using_rc4_encryption_filter` ", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "Based on Microsoft documentation, legacy systems or applications will use RC4-HMAC as the default encryption for TGT requests. Specifically, systems before Windows Server 2008 and Windows Vista. Newer systems will use AES128 or AES256.", "references": ["https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/", "https://www.thehacker.recipes/ad/movement/kerberos/ptk", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768"], "tags": {"name": "Kerberos TGT Request Using RC4 Encryption", "analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "A Kerberos TGT request with RC4 encryption was requested for $Account_Name$ from $Client_Address$", "mitre_attack_id": ["T1550"], "nist": ["DE.CM"], "observable": [{"name": "Client_Address", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Ticket_Encryption_Type", "Account_Name", "Client_Address"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550/impacket/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kerberos_tgt_request_using_rc4_encryption_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/kerberos_tgt_request_using_rc4_encryption.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Kerberos User Enumeration", "id": "d82d4af4-a0bd-11ec-9445-3e22fbd008af", "version": 1, "date": "2022-03-10", "author": "Mauricio Velazco, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic leverages Event Id 4768, A Kerberos authentication ticket (TGT) was requested, to identify one source endpoint trying to obtain an unusual number Kerberos TGT ticket for non existing users. This behavior could represent an adversary abusing the Kerberos protocol to perform a user enumeration attack against an Active Directory environment. When Kerberos is sent a TGT request with no preauthentication for an invalid username, it responds with KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN or 0x6. Red teams and adversaries alike may abuse the Kerberos protocol to validate a list of users use them to perform further attacks.\\ The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number requests. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field.", "data_source": ["Windows Security 4768"], "search": " `wineventlog_security` EventCode=4768 Result_Code=0x6 Account_Name!=\"*$\" | bucket span=2m _time | stats dc(Account_Name) AS unique_accounts values(Account_Name) as tried_accounts by _time, Client_Address | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by Client_Address | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `kerberos_user_enumeration_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems.", "references": ["https://github.com/ropnop/kerbrute", "https://attack.mitre.org/techniques/T1589/002/", "https://redsiege.com/tools-techniques/2020/04/user-enumeration-part-3-windows/"], "tags": {"name": "Kerberos User Enumeration", "analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Reconnaissance"], "message": "Potential Kerberos based user enumeration attack $Client_Address$", "mitre_attack_id": ["T1589", "T1589.002"], "nist": ["DE.AE"], "observable": [{"name": "Client_Address", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Result_Code", "Account_Name", "Client_Address"], "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1589", "mitre_attack_technique": "Gather Victim Identity Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["APT32", "HEXANE", "LAPSUS$", "Magic Hound"]}, {"mitre_attack_id": "T1589.002", "mitre_attack_technique": "Email Addresses", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["APT32", "EXOTIC LILY", "HAFNIUM", "HEXANE", "Kimsuky", "LAPSUS$", "Lazarus Group", "Magic Hound", "MuddyWater", "Sandworm Team", "Silent Librarian", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1589.002/kerbrute/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kerberos_user_enumeration_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/kerberos_user_enumeration.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Known Services Killed by Ransomware", "id": "3070f8e0-c528-11eb-b2a0-acde48001122", "version": 1, "date": "2021-06-04", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search detects a suspicioous termination of known services killed by ransomware before encrypting files in a compromised machine. This technique is commonly seen in most of ransomware now a days to avoid exception error while accessing the targetted files it wants to encrypts because of the open handle of those services to the targetted file.", "data_source": ["Sysmon Event ID 7"], "search": "`wineventlog_system` EventCode=7036 Message IN (\"*Volume Shadow Copy*\",\"*VSS*\", \"*backup*\", \"*sophos*\", \"*sql*\", \"*memtas*\", \"*mepocs*\", \"*veeam*\", \"*svc$*\", \"DefWatch\", \"ccEvtMgr\", \"ccSetMgr\", \"SavRoam\", \"RTVscan\", \"QBFCService\", \"QBIDPService\", \"Intuit.QuickBooks.FCS\", \"QBCFMonitorService\" \"YooBackup\", \"YooIT\", \"*Veeam*\", \"PDVFSService\", \"BackupExecVSSProvider\", \"BackupExecAgentAccelerator\", \"BackupExec*\", \"WdBoot\", \"WdFilter\", \"WdNisDrv\", \"WdNisSvc\", \"WinDefend\", \"wscsvc\", \"Sense\", \"sppsvc\", \"SecurityHealthService\") Message=\"*service entered the stopped state*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message dest Type | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `known_services_killed_by_ransomware_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the 7036 EventCode ScManager in System audit Logs from your endpoints.", "known_false_positives": "Admin activities or installing related updates may do a sudden stop to list of services we monitor.", "references": ["https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/", "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/", "https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html"], "tags": {"name": "Known Services Killed by Ransomware", "analytic_story": ["Ransomware", "BlackMatter Ransomware", "LockBit Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "message": "Known services $Message$ terminated by a potential ransomware on $dest$", "mitre_attack_id": ["T1490"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "Message", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Message", "dest", "Type"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/revil/inf3/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "known_services_killed_by_ransomware_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/known_services_killed_by_ransomware.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Linux Account Manipulation Of SSH Config and Keys", "id": "73a56508-1cf5-4df7-b8d9-5737fbdc27d2", "version": 2, "date": "2023-04-27", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to detect a deletion of ssh key in a linux machine. attacker may delete or modify ssh key to impair some security features or act as defense evasion in compromised linux machine. This Anomaly can be also a good indicator of a malware trying to wipe or delete several files in a compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted AND Filesystem.file_path IN (\"/etc/ssh/*\", \"~/.ssh/*\") by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_account_manipulation_of_ssh_config_and_keys_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"], "tags": {"name": "Linux Account Manipulation Of SSH Config and Keys", "analytic_story": ["Acidrain"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "message": "a $process_name$ deleting a SSH key in $dest$", "mitre_attack_id": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.dest", "Filesystem.file_create_time", "Filesystem.file_name", "Filesystem.process_guid", "Filesystem.file_path", "Filesystem.action"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_account_manipulation_of_ssh_config_and_keys_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Add Files In Known Crontab Directories", "id": "023f3452-5f27-11ec-bf00-acde48001122", "version": 1, "date": "2021-12-17", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a suspicious file creation in known cron table directories. This event is commonly abuse by malware, adversaries and red teamers to persist on the target or compromised host. crontab or cronjob is like a schedule task in windows environment where you can create an executable or script on the known crontab directories to run it base on its schedule. This Anomaly query is a good indicator to look further what file is added and who added the file if to consider it legitimate file.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*/etc/cron*\", \"*/var/spool/cron/*\") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_add_files_in_known_crontab_directories_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can create file in crontab folders for automation purposes. Please update the filter macros to remove false positives.", "references": ["https://www.sandflysecurity.com/blog/detecting-cronrat-malware-on-linux-instantly/", "https://www.cyberciti.biz/faq/how-do-i-add-jobs-to-cron-under-linux-or-unix-oses/"], "tags": {"name": "Linux Add Files In Known Crontab Directories", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "message": "a file $file_name$ is created in $file_path$ on $dest$", "mitre_attack_id": ["T1053.003", "T1053"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.dest", "Filesystem.file_create_time", "Filesystem.file_name", "Filesystem.process_guid", "Filesystem.file_path"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "Rocke"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/cronjobs_entry/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_add_files_in_known_crontab_directories_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_add_files_in_known_crontab_directories.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Add User Account", "id": "51fbcaf2-6259-11ec-b0f3-acde48001122", "version": 1, "date": "2021-12-21", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for commands to create user accounts on the linux platform. This technique is commonly abuse by adversaries, malware author and red teamers to persist on the targeted or compromised host by creating new user with an elevated privilege. This Hunting query may catch normal creation of user by administrator so filter is needed.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process_name IN (\"useradd\", \"adduser\") OR Processes.process IN (\"*useradd *\", \"*adduser *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_add_user_account_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://linuxize.com/post/how-to-create-users-in-linux-using-the-useradd-command/"], "tags": {"name": "Linux Add User Account", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "A commandline $process$ that may create user account on $dest$", "mitre_attack_id": ["T1136.001", "T1136"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "Dragonfly", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_adduser/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_add_user_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_add_user_account.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Adding Crontab Using List Parameter", "id": "52f6d751-1fd4-4c74-a4c9-777ecfeb5c58", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies a suspicious cron jobs modification using crontab list parameters. This command line parameter can be abused by malware like industroyer2, adversaries, and red teamers to add a crontab entry to their malicious code to execute to the schedule they want. This event can also be executed by administrator or normal user for automation purposes so filter is needed.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"crontab\" Processes.process= \"* -l*\" by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_adding_crontab_using_list_parameter_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://cert.gov.ua/article/39518"], "tags": {"name": "Linux Adding Crontab Using List Parameter", "analytic_story": ["Industroyer2", "Linux Privilege Escalation", "Linux Living Off The Land", "Data Destruction", "Linux Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A possible crontab list command $process$ executed on $dest$", "mitre_attack_id": ["T1053.003", "T1053"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "Rocke"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/crontab_list_parameter/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_adding_crontab_using_list_parameter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_adding_crontab_using_list_parameter.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux apt-get Privilege Escalation", "id": "d870ce3b-e796-402f-b2af-cab4da1223f2", "version": 1, "date": "2022-08-11", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "The apt-get is a command line tool for interacting with the Advanced Package Tool (APT) library (a package management system for Linux distributions). It allows you to search for, install, manage, update, and remove software. The tool does not build software from the source code. If sudo right is given to the tool for user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*apt-get*\" AND Processes.process=\"*APT::Update::Pre-Invoke::*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_apt_get_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/apt-get/", "https://phoenixnap.com/kb/how-to-use-apt-get-commands"], "tags": {"name": "Linux apt-get Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/apt_get/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_apt_get_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_apt_get_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux APT Privilege Escalation", "id": "4d5a05fa-77d9-4fd0-af9c-05704f9f9a88", "version": 1, "date": "2022-08-11", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "Advanced Package Tool, more commonly known as APT, is a collection of tools used to install, update, remove, and otherwise manage software packages on Debian and its derivative operating systems, including Ubuntu and Linux Mint. If sudo right is given to the tool for user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*apt*\" AND Processes.process=\"*APT::Update::Pre-Invoke::*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_apt_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/apt/", "https://www.digitalocean.com/community/tutorials/what-is-apt"], "tags": {"name": "Linux APT Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/apt/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_apt_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_apt_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux At Allow Config File Creation", "id": "977b3082-5f3d-11ec-b954-acde48001122", "version": 1, "date": "2021-12-17", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a suspicious file creation of /etc/at.allow or /etc/at.deny. These 2 files are commonly abused by malware, adversaries or red teamers to persist on the targeted or compromised host. These config files can restrict or allow user to execute \"at\" application (another schedule task application in linux). attacker can create a user or add the compromised username to that config file to execute \"at\" to schedule it malicious code. This anomaly detection can be a good indicator to investigate further the entry in created config file and who created it to verify if it is a false positive.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*/etc/at.allow\", \"*/etc/at.deny\") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_at_allow_config_file_creation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can create this file for automation purposes. Please update the filter macros to remove false positives.", "references": ["https://linuxize.com/post/at-command-in-linux/"], "tags": {"name": "Linux At Allow Config File Creation", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A file $file_name$ is created in $file_path$ on $dest$", "mitre_attack_id": ["T1053.003", "T1053"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.dest", "Filesystem.file_create_time", "Filesystem.file_name", "Filesystem.process_guid", "Filesystem.file_path"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "Rocke"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/at_execution/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_at_allow_config_file_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_at_allow_config_file_creation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux At Application Execution", "id": "bf0a378e-5f3c-11ec-a6de-acde48001122", "version": 2, "date": "2022-05-26", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a suspicious process creation of At application. This process can be used by malware, adversaries and red teamers to create persistence entry to the targeted or compromised host with their malicious code. This anomaly detection can be a good indicator to investigate the event before and after this process execution, when it was executed and what schedule task it will execute.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process_name IN (\"at\", \"atd\") OR Processes.parent_process_name IN (\"at\", \"atd\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_at_application_execution_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.", "references": ["https://attack.mitre.org/techniques/T1053/001/", "https://www.linkedin.com/pulse/getting-attacker-ip-address-from-malicious-linux-job-craig-rowland/"], "tags": {"name": "Linux At Application Execution", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Installation", "Exploitation"], "message": "At application was executed in $dest$", "mitre_attack_id": ["T1053.002", "T1053"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/at_execution/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_at_application_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_at_application_execution.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux AWK Privilege Escalation", "id": "4510cae0-96a2-4840-9919-91d262db210a", "version": 1, "date": "2022-07-31", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "Awk is mostly used for processing and scanning patterns. It checks one or more files to determine whether any lines fit the specified patterns, and if so, it does the appropriate action. If sudo right is given to AWK binary for the user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*sudo*\" AND Processes.process=\"*awk*\" AND Processes.process=\"*BEGIN*system*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_awk_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "references": ["https://www.hacknos.com/awk-privilege-escalation/"], "tags": {"name": "Linux AWK Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/awk/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_awk_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_awk_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Busybox Privilege Escalation", "id": "387c4e78-f4a4-413d-ad44-e9f7bc4642c9", "version": 1, "date": "2022-08-11", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides minimalist replacements for most of the utilities you usually find in GNU coreutils, util-linux, etc. If sudo right is given to BusyBox application for the user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*busybox*\" AND Processes.process=\"*sh*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_busybox_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/busybox/", "https://man.archlinux.org/man/busybox.1.en"], "tags": {"name": "Linux Busybox Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/busybox/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_busybox_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_busybox_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux c89 Privilege Escalation", "id": "54c95f4d-3e5d-44be-9521-ea19ba62f7a8", "version": 1, "date": "2022-08-11", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "The c89 and cc commands compile, assemble, and link-edit C programs; the cxx or c++ command does the same for C++ programs. The c89 command should be used when compiling C programs that are written according to Standard C. If sudo right is given to c89 application for the user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*c89*\" AND Processes.process=\"*-wrapper*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_c89_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/c89/", "https://www.ibm.com/docs/en/zos/2.1.0?topic=guide-c89-compiler-invocation-using-host-environment-variables"], "tags": {"name": "Linux c89 Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/c89/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_c89_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_c89_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux c99 Privilege Escalation", "id": "e1c6dec5-2249-442d-a1f9-99a4bd228183", "version": 1, "date": "2022-08-11", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "The c99 utility is an interface to the standard C compilation system; it shall accept source code conforming to the ISO C standard. The system conceptually consists of a compiler and link editor. If sudo right is given to ruby application for the user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*c99*\" AND Processes.process=\"*-wrapper*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_c99_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/c99/", "https://pubs.opengroup.org/onlinepubs/009604499/utilities/c99.html"], "tags": {"name": "Linux c99 Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/c99/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_c99_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_c99_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Change File Owner To Root", "id": "c1400ea2-6257-11ec-ad49-acde48001122", "version": 1, "date": "2021-12-21", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic looks for a commandline that change the file owner to root using chown utility tool. This technique is commonly abuse by adversaries, malware author and red teamers to escalate privilege to the targeted or compromised host by changing the owner of their malicious file to root. This event is not so common in corporate network except from the administrator doing normal task that needs high privilege.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = chown OR Processes.process = \"*chown *\") AND Processes.process = \"* root *\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_change_file_owner_to_root_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://unix.stackexchange.com/questions/101073/how-to-change-permissions-from-root-user-to-all-users", "https://askubuntu.com/questions/617850/changing-from-user-to-superuser"], "tags": {"name": "Linux Change File Owner To Root", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "A commandline $process$ that may change ownership to root on $dest$", "mitre_attack_id": ["T1222.002", "T1222"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1222.002", "mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/chmod_uid/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_change_file_owner_to_root_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_change_file_owner_to_root.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Clipboard Data Copy", "id": "7173b2ad-6146-418f-85ae-c3479e4515fc", "version": 1, "date": "2022-07-28", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies the use of Linux Xclip copying data out of the clipboard. Adversaries have utilized this technique to capture passwords, IP addresses, or store payloads.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=xclip Processes.process IN (\"*-o *\", \"*-sel *\", \"*-selection *\", \"*clip *\",\"*clipboard*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_clipboard_data_copy_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present on Linux desktop as it may commonly be used by administrators or end users. Filter as needed.", "references": ["https://attack.mitre.org/techniques/T1115/", "https://linux.die.net/man/1/xclip"], "tags": {"name": "Linux Clipboard Data Copy", "analytic_story": ["Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 40, "impact": 40, "kill_chain_phases": ["Exploitation"], "message": "An instance of $process_name$ was identified on endpoint $dest$ by user $user$ adding or removing content from the clipboard.", "mitre_attack_id": ["T1115"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 16, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1115", "mitre_attack_technique": "Clipboard Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT38", "APT39"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1115/atomic_red_team/linux-sysmon.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_clipboard_data_copy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_clipboard_data_copy.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Common Process For Elevation Control", "id": "66ab15c0-63d0-11ec-9e70-acde48001122", "version": 1, "date": "2021-12-23", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "This analytic is to look for possible elevation control access using a common known process in linux platform to change the attribute and file ownership. This technique is commonly abused by adversaries, malware author and red teamers to gain persistence or privilege escalation on the target or compromised host. This common process is used to modify file attribute, file ownership or SUID. This tools can be used in legitimate purposes so filter is needed.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"chmod\", \"chown\", \"fchmod\", \"fchmodat\", \"fchown\", \"fchownat\", \"fremovexattr\", \"fsetxattr\", \"lchown\", \"lremovexattr\", \"lsetxattr\", \"removexattr\", \"setuid\", \"setgid\", \"setreuid\", \"setregid\", \"chattr\") OR Processes.process IN (\"*chmod *\", \"*chown *\", \"*fchmod *\", \"*fchmodat *\", \"*fchown *\", \"*fchownat *\", \"*fremovexattr *\", \"*fsetxattr *\", \"*lchown *\", \"*lremovexattr *\", \"*lsetxattr *\", \"*removexattr *\", \"*setuid *\", \"*setgid *\", \"*setreuid *\", \"*setregid *\", \"*setcap *\", \"*chattr *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_common_process_for_elevation_control_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://attack.mitre.org/techniques/T1548/001/", "https://github.com/Neo23x0/auditd/blob/master/audit.rules#L285-L297", "https://github.com/bfuzzy1/auditd-attack/blob/master/auditd-attack/auditd-attack.rules#L269-L270", "https://github.com/microsoft/MSTIC-Sysmon/blob/main/linux/configs/attack-based/privilege_escalation/T1548.001_ElevationControl_CommonProcesses.xml"], "tags": {"name": "Linux Common Process For Elevation Control", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "A commandline $process$ with process $process_name$ on $dest$", "mitre_attack_id": ["T1548.001", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.001", "mitre_attack_technique": "Setuid and Setgid", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/chmod_uid/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_common_process_for_elevation_control_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_common_process_for_elevation_control.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Composer Privilege Escalation", "id": "a3bddf71-6ba3-42ab-a6b2-396929b16d92", "version": 1, "date": "2022-08-11", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "Composer is a tool for dependency management in PHP. It allows you to declare the libraries your project depends on and it will manage (install/update) them for you. If sudo right is given to tool for the user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*composer*\" AND Processes.process=\"*run-script*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_composer_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/composer/", "https://getcomposer.org/doc/00-intro.md"], "tags": {"name": "Linux Composer Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/composer/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_composer_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_composer_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Cpulimit Privilege Escalation", "id": "d4e40b7e-aad3-4a7d-aac8-550ea5222be5", "version": 1, "date": "2022-08-11", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "cpulimit is a simple program which attempts to limit the cpu usage of a process (expressed in percentage, not in cpu time). This is useful to control batch jobs, when you don't want them to eat too much cpu. If sudo right is given to the program for the user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*cpulimit*\" AND Processes.process=\"*-l*\" AND Processes.process=\"*-f*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_cpulimit_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/cpulimit/", "http://cpulimit.sourceforge.net/"], "tags": {"name": "Linux Cpulimit Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/cpulimit/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_cpulimit_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_cpulimit_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Csvtool Privilege Escalation", "id": "f8384f9e-1a5c-4c3a-96d6-8a7e5a38a8b8", "version": 1, "date": "2022-08-11", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "csvtool is an easy to use command-line tool to work with .CSV files. If sudo right is given to the tool for the user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*csvtool*\" AND Processes.process=\"*call*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_csvtool_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/csvtool/"], "tags": {"name": "Linux Csvtool Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/csvtool/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_csvtool_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_csvtool_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Curl Upload File", "id": "c1de2d9a-0c02-4bb4-a49a-510c6e9cf2bf", "version": 1, "date": "2022-07-29", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies curl being utilized with the -F or --form, --upload-file, -T, -d, --data, --data-raw, -I and --head switches to upload AWS credentials or config to a remote destination. This enables uploading of binary files and so forth. To force the 'content' part to be a file, prefix the file name with an @ sign. To just get the content part from a file, prefix the file name with the symbol <. The difference between @ and < is then that @ makes a file get attached in the post as a file upload, while the < makes a text field and just get the contents for that text field from a file. This technique was utlized by the TeamTNT group to exfiltrate AWS credentials.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl Processes.process IN (\"*-F *\", \"*--form *\",\"*--upload-file *\",\"*-T *\",\"*-d *\",\"*--data *\",\"*--data-raw *\", \"*-I *\", \"*--head *\") AND Processes.process IN (\"*.aws/credentials*\". \"*.aws/config*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_curl_upload_file_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Filtering may be required. In addition to AWS credentials, add other important files and monitor. The inverse would be to look for _all_ -F behavior and tune from there.", "references": ["https://curl.se/docs/manpage.html", "https://www.cadosecurity.com/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials/", "https://gtfobins.github.io/gtfobins/curl/"], "tags": {"name": "Linux Curl Upload File", "analytic_story": ["Linux Living Off The Land", "Data Exfiltration", "Ingress Tool Transfer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Command And Control"], "message": "An instance of $process_name$ was identified on endpoint $dest$ by user $user$ attempting to upload important files to a remote destination.", "mitre_attack_id": ["T1105"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_curl_upload_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_curl_upload_file.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Data Destruction Command", "id": "b11d3979-b2f7-411b-bb1a-bd00e642173b", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a unix shell command that can wipe root folders of a linux host. This commandline is being abused by Awfulshred malware that wipes or corrupts files in a targeted Linux host. The shell command uses the rm command with force recursive deletion even in the root folder. This TTP can be a good indicator that a user or a process wants to wipe roots directory files in Linux host.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"rm\" AND Processes.process IN (\"* -rf*\", \"* -fr*\") AND Processes.process = \"* --no-preserve-root\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_data_destruction_command_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "unknown", "references": ["https://cert.gov.ua/article/3718487", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/"], "tags": {"name": "Linux Data Destruction Command", "analytic_story": ["AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Actions on Objectives"], "message": "a $process_name$ execute rm command with --no-preserve-root parmeter that can wipe root files in $dest$", "mitre_attack_id": ["T1485"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test1/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_data_destruction_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_data_destruction_command.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux DD File Overwrite", "id": "9b6aae5e-8d85-11ec-b2ae-acde48001122", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to look for dd command to overwrite file. This technique was abused by adversaries or threat actor to destroy files or data on specific system or in a large number of host within network to interrupt host avilability, services and many more. This is also used to destroy data where it make the file irrecoverable by forensic techniques through overwriting files, data or local and remote drives.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"dd\" AND Processes.process = \"*of=*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_dd_file_overwrite_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://gtfobins.github.io/gtfobins/dd/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"], "tags": {"name": "Linux DD File Overwrite", "analytic_story": ["Data Destruction", "Industroyer2"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "message": "A commandline $process$ executed on $dest$", "mitre_attack_id": ["T1485"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/linux_dd_file_overwrite/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_dd_file_overwrite_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_dd_file_overwrite.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Decode Base64 to Shell", "id": "637b603e-1799-40fd-bf87-47ecbd551b66", "version": 1, "date": "2022-07-27", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies base64 being decoded and passed to a Linux shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*base64 -d*\",\"*base64 --decode*\") AND Processes.process=\"*|*\" `linux_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_decode_base64_to_shell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present based on legitimate software being utilized. Filter as needed.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md#atomic-test-1---decode-base64-data-into-script", "https://redcanary.com/blog/lateral-movement-with-secure-shell/", "https://linux.die.net/man/1/base64"], "tags": {"name": "Linux Decode Base64 to Shell", "analytic_story": ["Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ decoding base64 and passing it to a shell.", "mitre_attack_id": ["T1027", "T1059.004"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1059.004", "mitre_attack_technique": "Unix Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT41", "Rocke", "TeamTNT"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/linux-sysmon.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "linux_shells", "definition": "(Processes.process_name IN (\"sh\", \"ksh\", \"zsh\", \"bash\", \"dash\", \"rbash\", \"fish\", \"csh\", \"tcsh\", \"ion\", \"eshell\"))", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_decode_base64_to_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_decode_base64_to_shell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Deleting Critical Directory Using RM Command", "id": "33f89303-cc6f-49ad-921d-2eaea38a6f7a", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a suspicious deletion of a critical folder in Linux machine using rm command. This technique was seen in industroyer2 campaign to wipe or destroy energy facilities of a targeted sector. Deletion in these list of folder is not so common since it need some elevated privileges to access some of it. We recommend to look further events specially in file access or file deletion, process commandline that may related to this technique.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name =rm AND Processes.process= \"* -rf *\" AND Processes.process IN (\"*/boot/*\", \"*/var/log/*\", \"*/etc/*\", \"*/dev/*\") by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_deleting_critical_directory_using_rm_command_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://cert.gov.ua/article/39518"], "tags": {"name": "Linux Deleting Critical Directory Using RM Command", "analytic_story": ["AwfulShred", "Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "message": "A deletion in known critical list of folder using rm command $process$ executed on $dest$", "mitre_attack_id": ["T1485"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/rm_shred_critical_dir/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_deleting_critical_directory_using_rm_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_deleting_critical_directory_using_rm_command.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Deletion Of Cron Jobs", "id": "3b132a71-9335-4f33-9932-00bb4f6ac7e8", "version": 2, "date": "2023-04-27", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to detect a deletion of cron job in a linux machine. This technique can be related to an attacker, threat actor or malware to disable scheduled cron jobs that might be related to security or to evade some detections. We also saw that this technique can be a good indicator for malware that is trying to wipe or delete several files on the compromised host like the acidrain malware. This anomaly detection can be a good pivot detection to look for process and user doing it why they doing. Take note that this event can be done by administrator so filtering on those possible false positive event is needed.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path=\"/etc/cron.*\" by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_deletion_of_cron_jobs_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"], "tags": {"name": "Linux Deletion Of Cron Jobs", "analytic_story": ["AcidRain", "Data Destruction"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "message": "a $process_name$ deleting cron jobs in $dest$", "mitre_attack_id": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.dest", "Filesystem.file_create_time", "Filesystem.file_name", "Filesystem.process_guid", "Filesystem.file_path", "Filesystem.action"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_deletion_of_cron_jobs_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_deletion_of_cron_jobs.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Deletion Of Init Daemon Script", "id": "729aab57-d26f-4156-b97f-ab8dda8f44b1", "version": 2, "date": "2023-04-27", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to detect a deletion of init daemon script in a linux machine. daemon script that place in /etc/init.d/ is a directory that can start and stop some daemon services in linux machines. attacker may delete or modify daemon script to impair some security features or act as defense evasion in a compromised linux machine. This TTP can be also a good indicator of a malware trying to wipe or delete several files in compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path IN ( \"/etc/init.d/*\") by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_deletion_of_init_daemon_script_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"], "tags": {"name": "Linux Deletion Of Init Daemon Script", "analytic_story": ["AcidRain", "Data Destruction"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "message": "a $process_name$ deleting a daemon script in $dest$", "mitre_attack_id": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.dest", "Filesystem.file_create_time", "Filesystem.file_name", "Filesystem.process_guid", "Filesystem.file_path", "Filesystem.action"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_deletion_of_init_daemon_script_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_deletion_of_init_daemon_script.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Deletion Of Services", "id": "b509bbd3-0331-4aaa-8e4a-d2affe100af6", "version": 2, "date": "2023-04-27", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to detect a deletion of services in a linux machine. attacker may delete or modify services to impair some security features or act as defense evasion in a compromised linux machine. This TTP can be also a good indicator of a malware trying to wipe or delete several files in a compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path IN ( \"/etc/systemd/*\", \"*/lib/systemd/*\", \"*/run/systemd/*\") Filesystem.file_path = \"*.service\" by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_deletion_of_services_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/", "https://unix.stackexchange.com/questions/224992/where-do-i-put-my-systemd-unit-file", "https://cert.gov.ua/article/3718487"], "tags": {"name": "Linux Deletion Of Services", "analytic_story": ["AwfulShred", "AcidRain", "Data Destruction"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "message": "a $process_name$ deleting a services in $dest$", "mitre_attack_id": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.dest", "Filesystem.file_create_time", "Filesystem.file_name", "Filesystem.process_guid", "Filesystem.file_path", "Filesystem.action"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_deletion_of_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_deletion_of_services.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Deletion of SSL Certificate", "id": "839ab790-a60a-4f81-bfb3-02567063f615", "version": 2, "date": "2023-04-27", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to detect a deletion of ssl certificate in a linux machine. attacker may delete or modify ssl certificate to impair some security features or act as defense evasion in compromised linux machine. This Anomaly can be also a good indicator of a malware trying to wipe or delete several files in a compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path = \"/etc/ssl/certs/*\" Filesystem.file_path IN (\"*.pem\", \"*.crt\") by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_deletion_of_ssl_certificate_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"], "tags": {"name": "Linux Deletion of SSL Certificate", "analytic_story": ["Acidrain"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "message": "a $process_name$ deleting a SSL certificate in $dest$", "mitre_attack_id": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.dest", "Filesystem.file_create_time", "Filesystem.file_name", "Filesystem.process_guid", "Filesystem.file_path", "Filesystem.action"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_deletion_of_ssl_certificate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_deletion_of_ssl_certificate.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Disable Services", "id": "f2e08a38-6689-4df4-ad8c-b51c16262316", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic is to detect events that attempts to disable a service. This is typically identified in parallel with other instances of service enumeration of attempts to stop a service and then delete it. Adversaries utilize this technique like industroyer2 malware to terminate security services or other related services to continue there objective as a destructive payload.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"systemctl\", \"service\", \"svcadm\") Processes.process = \"* disable*\" by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_disable_services_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://cert.gov.ua/article/39518"], "tags": {"name": "Linux Disable Services", "analytic_story": ["AwfulShred", "Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable services on endpoint $dest$ by $user$.", "mitre_attack_id": ["T1489"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_service_stop_disable/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_disable_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_disable_services.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Doas Conf File Creation", "id": "f6343e86-6e09-11ec-9376-acde48001122", "version": 1, "date": "2022-01-05", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to detect the creation of doas.conf file in linux host platform. This configuration file can be use by doas utility tool to allow or permit standard users to perform tasks as root, the same way sudo does. This tool is developed as a minimalistic alternative to sudo application. This tool can be abused advesaries, attacker or malware to gain elevated privileges to the targeted or compromised host. On the other hand this can also be executed by administrator for a certain task that needs admin rights. In this case filter is needed.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*/etc/doas.conf\") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_doas_conf_file_creation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://wiki.gentoo.org/wiki/Doas", "https://www.makeuseof.com/how-to-install-and-use-doas/"], "tags": {"name": "Linux Doas Conf File Creation", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "A file $file_name$ is created in $file_path$ on $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.dest", "Filesystem.file_create_time", "Filesystem.file_name", "Filesystem.process_guid", "Filesystem.file_path"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/doas/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_doas_conf_file_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_doas_conf_file_creation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Doas Tool Execution", "id": "d5a62490-6e09-11ec-884e-acde48001122", "version": 1, "date": "2022-01-05", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to detect the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does. This tool is developed as a minimalistic alternative to sudo application. This tool can be abused advesaries, attacker or malware to gain elevated privileges to the targeted or compromised host. On the other hand this can also be executed by administrator for a certain task that needs admin rights. In this case filter is needed.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"doas\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_doas_tool_execution_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://wiki.gentoo.org/wiki/Doas", "https://www.makeuseof.com/how-to-install-and-use-doas/"], "tags": {"name": "Linux Doas Tool Execution", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "A doas $process_name$ with commandline $process$ was executed on $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/doas_exec/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_doas_tool_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_doas_tool_execution.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Docker Privilege Escalation", "id": "2e7bfb78-85f6-47b5-bc2f-15813a4ef2b3", "version": 1, "date": "2022-07-31", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "Docker is an open source containerization platform. It helps programmers to bundle applications into containers, which are standardized executable parts that include the application source code along with the OS libraries and dependencies needed to run that code in any setting. The user can add mount the root directory into a container and edit the /etc/password file to add a super user. This requires the user to be privileged enough to run docker, i.e. being in the docker group or being root.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN(\"*docker*-v*/*:*\",\"*docker*--volume*/*:*\") OR Processes.process IN(\"*docker*exec*sh*\",\"*docker*exec*bash*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_docker_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/docker/"], "tags": {"name": "Linux Docker Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/docker/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_docker_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_docker_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Edit Cron Table Parameter", "id": "0d370304-5f26-11ec-a4bb-acde48001122", "version": 1, "date": "2021-12-17", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies a suspicious cronjobs modification using crontab edit parameter. This commandline parameter can be abuse by malware author, adversaries, and red red teamers to add cronjob entry to their malicious code to execute to the schedule they want. This event can also be executed by administrator or normal user for automation purposes so filter is needed.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = crontab Processes.process = \"*crontab *\" Processes.process = \"* -e*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_edit_cron_table_parameter_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.", "references": ["https://attack.mitre.org/techniques/T1053/003/"], "tags": {"name": "Linux Edit Cron Table Parameter", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A possible crontab edit command $process$ executed on $dest$", "mitre_attack_id": ["T1053.003", "T1053"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "Rocke"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/crontab_edit_parameter/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_edit_cron_table_parameter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_edit_cron_table_parameter.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Emacs Privilege Escalation", "id": "92033cab-1871-483d-a03b-a7ce98665cfc", "version": 1, "date": "2022-08-09", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "EMACS is a family of text editors that are characterized by their extensibility. The manual for the most widely used variant, GNU Emacs, describes it as \"the extensible, customizable, self-documenting, real-time display editor\". If sudo right is given to EMACS tool for the user, then the user can run special commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*emacs*\" AND Processes.process=\"*--eval*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_emacs_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/emacs/", "https://en.wikipedia.org/wiki/Emacs"], "tags": {"name": "Linux Emacs Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/emacs/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_emacs_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_emacs_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux File Created In Kernel Driver Directory", "id": "b85bbeec-6326-11ec-9311-acde48001122", "version": 1, "date": "2021-12-22", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic looks for suspicious file creation in kernel/driver directory in linux platform. This directory is known folder for all linux kernel module available within the system. so creation of file in this directory is a good indicator that there is a possible rootkit installation in the host machine. This technique was abuse by adversaries, malware author and red teamers to gain high privileges to their malicious code such us in kernel level. Even this event is not so common administrator or legitimate 3rd party tool may install driver or linux kernel module as part of its installation.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*/kernel/drivers/*\") by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_file_created_in_kernel_driver_directory_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can create file in this folders for automation purposes. Please update the filter macros to remove false positives.", "references": ["https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/", "https://security.stackexchange.com/questions/175953/how-to-load-a-malicious-lkm-at-startup", "https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485"], "tags": {"name": "Linux File Created In Kernel Driver Directory", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Rootkit"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A file $file_name$ is created in $file_path$ on $dest$", "mitre_attack_id": ["T1547.006", "T1547"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.dest", "Filesystem.file_create_time", "Filesystem.file_name", "Filesystem.process_guid", "Filesystem.file_path"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/loading_linux_kernel_module/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_file_created_in_kernel_driver_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_file_created_in_kernel_driver_directory.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux File Creation In Init Boot Directory", "id": "97d9cfb2-61ad-11ec-bb2d-acde48001122", "version": 1, "date": "2021-12-20", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic looks for suspicious file creation on init system directories for automatic execution of script or file upon boot up. This technique is commonly abuse by adversaries, malware author and red teamer to persist on the targeted or compromised host. This behavior can be executed or use by an administrator or network operator to add script files or binary files as part of a task or automation. filter is needed.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*/etc/init.d/*\", \"*/etc/rc.d/*\", \"*/sbin/init.d/*\", \"*/etc/rc.local*\") by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_file_creation_in_init_boot_directory_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase", "known_false_positives": "Administrator or network operator can create file in this folders for automation purposes. Please update the filter macros to remove false positives.", "references": ["https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/"], "tags": {"name": "Linux File Creation In Init Boot Directory", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A file $file_name$ is created in $file_path$ on $dest$", "mitre_attack_id": ["T1037.004", "T1037"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.dest", "Filesystem.file_create_time", "Filesystem.file_name", "Filesystem.process_guid", "Filesystem.file_path"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1037.004", "mitre_attack_technique": "RC Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Rocke"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.004/linux_init_profile/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_file_creation_in_init_boot_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_file_creation_in_init_boot_directory.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux File Creation In Profile Directory", "id": "46ba0082-61af-11ec-9826-acde48001122", "version": 1, "date": "2021-12-20", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic looks for suspicious file creation in /etc/profile.d directory to automatically execute scripts by shell upon boot up of a linux machine. This technique is commonly abused by adversaries, malware and red teamers as a persistence mechanism to the targeted or compromised host. This Anomaly detection is a good indicator that someone wants to run a code after boot up which can be done also by the administrator or network operator for automation purposes.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*/etc/profile.d/*\") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_file_creation_in_profile_directory_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can create file in profile.d folders for automation purposes. Please update the filter macros to remove false positives.", "references": ["https://attack.mitre.org/techniques/T1546/004/", "https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/"], "tags": {"name": "Linux File Creation In Profile Directory", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A file $file_name$ is created in $file_path$ on $dest$", "mitre_attack_id": ["T1546.004", "T1546"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.dest", "Filesystem.file_create_time", "Filesystem.file_name", "Filesystem.process_guid", "Filesystem.file_path"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.004", "mitre_attack_technique": "Unix Shell Configuration Modification", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.004/linux_init_profile/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_file_creation_in_profile_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_file_creation_in_profile_directory.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Find Privilege Escalation", "id": "2ff4e0c2-8256-4143-9c07-1e39c7231111", "version": 1, "date": "2022-08-09", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "Find is a command-line utility that locates files based on some user-specified criteria and either prints the pathname of each matched object or, if another action is requested, performs that action on each matched object. If sudo right is given to find utility for the user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*find*\" AND Processes.process=\"*-exec*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_find_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/find/", "https://en.wikipedia.org/wiki/Find_(Unix)"], "tags": {"name": "Linux Find Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/find/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_find_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_find_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux GDB Privilege Escalation", "id": "310b7da2-ab52-437f-b1bf-0bd458674308", "version": 1, "date": "2022-08-09", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "GDB is the acronym for GNU Debugger. This tool helps to debug the programs written in C, C++, Ada, Fortran, etc. The console can be opened using the gdb command on terminal. If sudo right is given to GDB tool for the user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*gdb*\" AND Processes.process=\"*-nx*\" AND Processes.process=\"*-ex*!*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_gdb_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/gdb/"], "tags": {"name": "Linux GDB Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/gdb/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_gdb_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_gdb_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Gem Privilege Escalation", "id": "0115482a-5dcb-4bb0-bcca-5d095d224236", "version": 1, "date": "2022-08-09", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "RubyGems is a package manager for the Ruby programming language that provides a standard format for distributing Ruby programs and libraries (in a self-contained format called a \"gem\"), a tool designed to easily manage the installation of gems, and a server for distributing them. If sudo right is given to GEM utility for the user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*gem*open*-e*\" AND Processes.process=\"*-c*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_gem_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/gem/", "https://en.wikipedia.org/wiki/RubyGems"], "tags": {"name": "Linux Gem Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/gem/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_gem_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_gem_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux GNU Awk Privilege Escalation", "id": "0dcf43b9-50d8-42a6-acd9-d1c9201fe6ae", "version": 1, "date": "2022-08-09", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "gawk command in Linux is used for pattern scanning and processing language. The awk command requires no compiling and allows the user to use variables, numeric functions, string functions, and logical operators. It is a utility that enables programmers to write tiny and effective programs in the form of statements that define text patterns that are to be searched for, in a text document and the action that is to be taken when a match is found within a line. If sudo right is given to gawk tool for the user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*gawk*\" AND Processes.process=\"*BEGIN*{system*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_gnu_awk_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/gawk/", "https://www.geeksforgeeks.org/gawk-command-in-linux-with-examples/"], "tags": {"name": "Linux GNU Awk Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/gawk/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_gnu_awk_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_gnu_awk_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Hardware Addition SwapOff", "id": "c1eea697-99ed-44c2-9b70-d8935464c499", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic looks for process execution to disable the swapping of paging devices. This technique was seen in Awfulshred malware that disables the swapping of the specified devices and files. This anomaly detection can be a good indicator that a process or a user tries to disable this Linux feature in a targeted host.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"swapoff\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_hardware_addition_swapoff_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "administrator may disable swapping of devices in a linux host. Filter is needed.", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/"], "tags": {"name": "Linux Hardware Addition SwapOff", "analytic_story": ["AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Delivery"], "message": "a $process_name$ swap off paging device in $dest$", "mitre_attack_id": ["T1200"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1200", "mitre_attack_technique": "Hardware Additions", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["DarkVishnya"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test1/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_hardware_addition_swapoff_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_hardware_addition_swapoff.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux High Frequency Of File Deletion In Boot Folder", "id": "e27fbc5d-0445-4c4a-bc39-87f060d5c602", "version": 2, "date": "2023-04-27", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to detect a high frequency of file deletion relative to process name and process id /boot/ folder. These events was seen in industroyer2 wiper malware where it tries to delete all files in a critical directory in linux directory. This detection already contains some filter that might cause false positive during our testing.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` values(Filesystem.file_name) as deletedFileNames values(Filesystem.file_path) as deletedFilePath dc(Filesystem.file_path) as numOfDelFilePath count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path = \"/boot/*\" by _time span=1h Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | where numOfDelFilePath >= 200 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_high_frequency_of_file_deletion_in_boot_folder_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "linux package installer/uninstaller may cause this event. Please update you filter macro to remove false positives.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://cert.gov.ua/article/39518"], "tags": {"name": "Linux High Frequency Of File Deletion In Boot Folder", "analytic_story": ["Data Destruction", "Industroyer2"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "message": "a $process_name$ deleting multiple files in /boot/ folder in $dest$", "mitre_attack_id": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.dest", "Filesystem.file_create_time", "Filesystem.file_name", "Filesystem.process_guid", "Filesystem.file_path", "Filesystem.action"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/rm_boot_dir/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_high_frequency_of_file_deletion_in_boot_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_high_frequency_of_file_deletion_in_boot_folder.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux High Frequency Of File Deletion In Etc Folder", "id": "9d867448-2aff-4d07-876c-89409a752ff8", "version": 2, "date": "2023-04-27", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to detect a high frequency of file deletion relative to process name and process id /etc/ folder. These events was seen in acidrain wiper malware where it tries to delete all files in a non-standard directory in linux directory. This detection already contains some filter that might cause false positive during our testing. But we recommend to add more filter if needed.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` values(Filesystem.file_name) as deletedFileNames values(Filesystem.file_path) as deletedFilePath dc(Filesystem.file_path) as numOfDelFilePath count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path = \"/etc/*\" by _time span=1h Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | where numOfDelFilePath >= 200 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_high_frequency_of_file_deletion_in_etc_folder_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "linux package installer/uninstaller may cause this event. Please update you filter macro to remove false positives.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"], "tags": {"name": "Linux High Frequency Of File Deletion In Etc Folder", "analytic_story": ["AcidRain", "Data Destruction"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "message": "a $process_name$ deleting multiple files in /etc/ folder in $dest$", "mitre_attack_id": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.dest", "Filesystem.file_create_time", "Filesystem.file_name", "Filesystem.process_guid", "Filesystem.file_path", "Filesystem.action"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_high_frequency_of_file_deletion_in_etc_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_high_frequency_of_file_deletion_in_etc_folder.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Impair Defenses Process Kill", "id": "435c6b33-adf9-47fe-be87-8e29fd6654f5", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for PKILL process execution for possible termination of process. This technique is being used by several Threat actors, adversaries and red teamers to terminate processes in a targeted linux machine. This Hunting detection can be a good pivot to check a possible defense evasion technique or termination of security application in a linux host or wiper like Awfulshred that corrupt all files.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ( \"pgrep\", \"pkill\") Processes.process = \"*pkill *\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_impair_defenses_process_kill_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "network admin can terminate a process using this linux command. Filter is needed.", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", "https://cert.gov.ua/article/3718487"], "tags": {"name": "Linux Impair Defenses Process Kill", "analytic_story": ["AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "a $process_name$ tries to execute pkill commandline to terminate process in $dest$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test1/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_impair_defenses_process_kill_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_impair_defenses_process_kill.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Indicator Removal Clear Cache", "id": "e0940505-0b73-4719-84e6-cb94c44a5245", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for processes that clear or free page cache in Linux system host. This technique was seen in Awfulshred malware wiper that tries to clear the cache using kernel system request drop_caches while wiping all files in the targeted host. This TTP detection can be a good indicator of user or process tries to clear page cache to delete tracks or might be a wiper like Awfulshred.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"dash\", \"sudo\", \"bash\") AND Processes.process IN(\"* echo 3 > *\", \"* echo 2 > *\",\"* echo 1 > *\") AND Processes.process = \"*/proc/sys/vm/drop_caches\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_indicator_removal_clear_cache_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "unknown", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", "https://cert.gov.ua/article/3718487"], "tags": {"name": "Linux Indicator Removal Clear Cache", "analytic_story": ["AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "a $process_name$ clear cache using kernel drop cache system request in $dest$", "mitre_attack_id": ["T1070"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test3/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_indicator_removal_clear_cache_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_indicator_removal_clear_cache.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Indicator Removal Service File Deletion", "id": "6c077f81-2a83-4537-afbc-0e62e3215d55", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic looks for suspicious linux processes that delete service unit configuration files. This technique was seen in several malware to delete service configuration files to corrupt a services or security product as part of its defense evasion. This TTP detection can be a good indicator of possible malware try to kill several services or a wiper like AwfulShred shell script that wipes the targeted linux host", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"rm\" AND Processes.process = \"*rm *\" AND Processes.process = \"*.service\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_indicator_removal_service_file_deletion_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "network admin can delete services unit configuration file as part of normal software installation. Filter is needed.", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", "https://cert.gov.ua/article/3718487"], "tags": {"name": "Linux Indicator Removal Service File Deletion", "analytic_story": ["AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "a $process_name$ has a commandline $process$ to delete service configuration file in $dest$", "mitre_attack_id": ["T1070.004", "T1070"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test1/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_indicator_removal_service_file_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_indicator_removal_service_file_deletion.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Ingress Tool Transfer Hunting", "id": "52fd468b-cb6d-48f5-b16a-92f1c9bb10cf", "version": 1, "date": "2022-07-29", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic hunts for curl and wget being utilized in the environment. This is meant to help with identifying normal usage and potentially malicious. Utilize this query to tune other curl and wget analytics.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=curl OR Processes.process_name=wget) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ingress_tool_transfer_hunting_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives will be present. This query is meant to help tune other curl and wget analytics.", "references": ["https://gtfobins.github.io/gtfobins/curl/", "https://curl.se/docs/manpage.html#-I", "https://gtfobins.github.io/gtfobins/curl/", "https://github.com/rapid7/metasploit-framework/search?q=curl"], "tags": {"name": "Linux Ingress Tool Transfer Hunting", "analytic_story": ["Linux Living Off The Land", "Ingress Tool Transfer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 10, "impact": 10, "kill_chain_phases": ["Command And Control"], "message": "An instance of $process_name$ was identified on endpoint $dest$ by user $user$ utilizing curl or wget.", "mitre_attack_id": ["T1105"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 1, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_ingress_tool_transfer_hunting_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_ingress_tool_transfer_hunting.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Ingress Tool Transfer with Curl", "id": "8c1de57d-abc1-4b41-a727-a7a8fc5e0857", "version": 1, "date": "2022-07-29", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies curl with the command-line switches that are commonly used to download, output, a remote script or binary. MetaSploit Framework will combine the -sO switch with | chmod +x to enable a simple one liner to download and set the execute bit to run the file immediately. During triage, review the remote domain and file being downloaded for legitimacy.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process, \"(?i)(-O|-sO|-ksO|--output)\") | `linux_ingress_tool_transfer_with_curl_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives will be present. Tune and then change type to TTP.", "references": ["https://gtfobins.github.io/gtfobins/curl/", "https://curl.se/docs/manpage.html#-I", "https://gtfobins.github.io/gtfobins/curl/", "https://github.com/rapid7/metasploit-framework/search?q=curl"], "tags": {"name": "Linux Ingress Tool Transfer with Curl", "analytic_story": ["Linux Living Off The Land", "Ingress Tool Transfer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 40, "kill_chain_phases": ["Command And Control"], "message": "An instance of $process_name$ was identified on endpoint $dest$ by user $user$ to download a remote file. Review activity for further details.", "mitre_attack_id": ["T1105"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_ingress_tool_transfer_with_curl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_ingress_tool_transfer_with_curl.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Insert Kernel Module Using Insmod Utility", "id": "18b5a1a0-6326-11ec-943a-acde48001122", "version": 1, "date": "2021-12-22", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic looks for inserting of linux kernel module using insmod utility function. This event can detect a installation of rootkit or malicious kernel module to gain elevated privileges to their malicious code and bypassed detections. This Anomaly detection is a good indicator that someone installing kernel module in a linux host either admin or adversaries. filter is needed in this scenario", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN(\"kmod\", \"sudo\") AND Processes.process = *insmod* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_insert_kernel_module_using_insmod_utility_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/", "https://security.stackexchange.com/questions/175953/how-to-load-a-malicious-lkm-at-startup", "https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485"], "tags": {"name": "Linux Insert Kernel Module Using Insmod Utility", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Rootkit"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A commandline $process$ that may install kernel module on $dest$", "mitre_attack_id": ["T1547.006", "T1547"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/loading_linux_kernel_module/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_insert_kernel_module_using_insmod_utility_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_insert_kernel_module_using_insmod_utility.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Install Kernel Module Using Modprobe Utility", "id": "387b278a-6326-11ec-aa2c-acde48001122", "version": 1, "date": "2021-12-22", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic looks for possible installing a linux kernel module using modprobe utility function. This event can detect a installation of rootkit or malicious kernel module to gain elevated privileges to their malicious code and bypassed detections. This Anomaly detection is a good indicator that someone installing kernel module in a linux host either admin or adversaries. filter is needed in this scenario", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN(\"kmod\", \"sudo\") AND Processes.process = *modprobe* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_install_kernel_module_using_modprobe_utility_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/", "https://security.stackexchange.com/questions/175953/how-to-load-a-malicious-lkm-at-startup", "https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485"], "tags": {"name": "Linux Install Kernel Module Using Modprobe Utility", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Rootkit"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A commandline $process$ that may install kernel module on $dest$", "mitre_attack_id": ["T1547.006", "T1547"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/loading_linux_kernel_module/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_install_kernel_module_using_modprobe_utility_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_install_kernel_module_using_modprobe_utility.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Iptables Firewall Modification", "id": "309d59dc-1e1b-49b2-9800-7cf18d12f7b7", "version": 3, "date": "2023-04-12", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic looks for suspicious commandline that modify the iptables firewall setting of a linux machine. This technique was seen in cyclopsblink malware where it modifies the firewall setting of the compromised machine to allow traffic to its tcp port that will be used to communicate with its C2 server.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*iptables *\" AND Processes.process = \"* --dport *\" AND Processes.process = \"* ACCEPT*\" AND Processes.process = \"*&>/dev/null*\" AND Processes.process = \"* tcp *\" AND NOT(Processes.parent_process_path IN(\"/bin/*\", \"/lib/*\", \"/usr/bin/*\", \"/sbin/*\")) by Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest _time span=10s Processes.user Processes.parent_process_name Processes.parent_process_path Processes.process_path | rex field=Processes.process \"--dport (?3269|636|989|994|995|8443)\" | stats values(Processes.process) as processes_exec values(port) as ports values(Processes.process_guid) as guids values(Processes.process_id) as pids dc(port) as port_count count by Processes.process_name Processes.parent_process_name Processes.parent_process_id Processes.dest Processes.user Processes.parent_process_path Processes.process_path | where port_count >=3 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_iptables_firewall_modification_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "administrator may do this commandline for auditing and testing purposes. In this scenario filter is needed.", "references": ["https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html"], "tags": {"name": "Linux Iptables Firewall Modification", "analytic_story": ["Sandworm Tools", "CyclopsBLink"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "A commandline $process$ that may modify iptables firewall on $dest$", "mitre_attack_id": ["T1562.004", "T1562"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/cyclopsblink/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_iptables_firewall_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_iptables_firewall_modification.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Java Spawning Shell", "id": "7b09db8a-5c20-11ec-9945-acde48001122", "version": 1, "date": "2023-04-14", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the process name of Java, Apache, or Tomcat spawning a Linux shell. This is potentially indicative of exploitation of the Java application and may be related to current event CVE-2021-44228 (Log4Shell). The shells included in the macro are \"sh\", \"ksh\", \"zsh\", \"bash\", \"dash\", \"rbash\", \"fish\", \"csh', \"tcsh', \"ion\", \"eshell\". Upon triage, review parallel processes and command-line arguments to determine legitimacy.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=java OR Processes.parent_process_name=apache OR Processes.parent_process_name=tomcat `linux_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_java_spawning_shell_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon for Linux, you will need to ensure mapping is occurring correctly. Ensure EDR product is mapping OS Linux to the datamodel properly. Add any additional java process names for your environment to the analytic as needed.", "known_false_positives": "Filtering may be required on internal developer build systems or classify assets as web facing and restrict the analytic based on asset type.", "references": ["https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading-using-the-log4j2-vulnerability-now/", "https://gist.github.com/olafhartong/916ebc673ba066537740164f7e7e1d72"], "tags": {"name": "Linux Java Spawning Shell", "analytic_story": ["Data Destruction", "Spring4Shell CVE-2022-22965", "Hermetic Wiper", "Log4Shell CVE-2021-44228"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Delivery"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ spawning a Linux shell, potentially indicative of exploitation.", "mitre_attack_id": ["T1190"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2021-44228"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/java/java_spawn_shell_nix.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "linux_shells", "definition": "(Processes.process_name IN (\"sh\", \"ksh\", \"zsh\", \"bash\", \"dash\", \"rbash\", \"fish\", \"csh\", \"tcsh\", \"ion\", \"eshell\"))", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_java_spawning_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-44228", "cvss": 9.3, "summary": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_java_spawning_shell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Kernel Module Enumeration", "id": "6df99886-0e04-4c11-8b88-325747419278", "version": 1, "date": "2022-07-27", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies the process kmod being utilized to list kernel modules in use. Typically, this is not seen as malicious, however it may be a precurser to the use of insmod to install a module.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=kmod Processes.process IN (\"*lsmod*\", \"*list*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_kernel_module_enumeration_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "references": ["https://man7.org/linux/man-pages/man8/kmod.8.html"], "tags": {"name": "Linux Kernel Module Enumeration", "analytic_story": ["Linux Rootkit"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ enumeration kernel modules.", "mitre_attack_id": ["T1082", "T1014"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TeamTNT", "Tropic Trooper", "Turla", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}, {"mitre_attack_id": "T1014", "mitre_attack_technique": "Rootkit", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT41", "Rocke", "TeamTNT", "Winnti Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/atomic_red_team/linux-sysmon.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_kernel_module_enumeration_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_kernel_module_enumeration.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Kworker Process In Writable Process Path", "id": "1cefb270-74a5-4e27-aa0c-2b6fa7c5b4ed", "version": 2, "date": "2023-04-12", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for suspicious process kworker commandline in a linux machine. kworker process name or thread are common names of kernel threads in linux process. This hunting detections can lead to investigate process contains process path in writable directory in linux like /home/, /var/log and /tmp/. This technique was seen in cyclopsblink malware to blend its core and other of its child process as normal kworker on the compromised machine. This detection might be a good pivot to look for other IOC related to cyclopsblink malware or attacks.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process = \"*[kworker/*\" Processes.parent_process_path IN (\"/home/*\", \"/tmp/*\", \"/var/log/*\") Processes.process=\"*iptables*\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_path Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_kworker_process_in_writable_process_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "unknown", "references": ["https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html"], "tags": {"name": "Linux Kworker Process In Writable Process Path", "analytic_story": ["Sandworm Tools", "CyclopsBLink"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "a $process_name$ with kworker commandline in $dest$", "mitre_attack_id": ["T1036.004", "T1036"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id", "Processes.parent_process_path", "Processes.process_path"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036.004", "mitre_attack_technique": "Masquerade Task or Service", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT41", "BITTER", "BackdoorDiplomacy", "Carbanak", "FIN6", "FIN7", "Fox Kitten", "Higaisa", "Kimsuky", "Lazarus Group", "Magic Hound", "Naikon", "PROMETHIUM", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/cyclopsblink/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_kworker_process_in_writable_process_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_kworker_process_in_writable_process_path.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Make Privilege Escalation", "id": "80b22836-5091-4944-80ee-f733ac443f4f", "version": 1, "date": "2022-08-09", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "The Linux make command is used to build and maintain groups of programs and files from the source code. In Linux, it is one of the most frequently used commands by the developers. It assists developers to install and compile many utilities from the terminal. If sudo right is given to make utility for the user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*make*-s*\" AND Processes.process=\"*--eval*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_make_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/make/", "https://www.javatpoint.com/linux-make-command"], "tags": {"name": "Linux Make Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/make/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_make_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_make_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux MySQL Privilege Escalation", "id": "c0d810f4-230c-44ea-b703-989da02ff145", "version": 1, "date": "2022-08-09", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "MySQL is an open-source relational database management system. Its name is a combination of \"My\", the name of co-founder Michael Widenius's daughter My, and \"SQL\", the abbreviation for Structured Query Language. If sudo right is given to mysql utility for the user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*mysql*-e*\" AND Processes.process=\"*\\!**\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_mysql_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/mysql/"], "tags": {"name": "Linux MySQL Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/mysql/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_mysql_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_mysql_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Ngrok Reverse Proxy Usage", "id": "bc84d574-708c-467d-b78a-4c1e20171f97", "version": 1, "date": "2023-01-12", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies the use of Ngrok being utilized on the Linux operating system. Unfortunately, there is no original file name for Ngrok, so it may be worth an additional hunt to identify any command-line arguments. The sign of someone using Ngrok is not malicious, however, more recently it has become an adversary tool.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ngrok Processes.process IN (\"*start*\", \"*--config*\",\"*http*\",\"*authtoken*\", \"*http*\", \"*tcp*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ngrok_reverse_proxy_usage_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may be present if Ngrok is an authorized utility. Filter as needed.", "references": ["https://ngrok.com", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf"], "tags": {"name": "Linux Ngrok Reverse Proxy Usage", "analytic_story": ["Reverse Network Proxy"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 50, "kill_chain_phases": ["Command And Control"], "message": "A reverse proxy was identified spawning from $parent_process_name$ - $process_name$ on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1572", "T1090", "T1102"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1572", "mitre_attack_technique": "Protocol Tunneling", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Chimera", "Cobalt Group", "FIN6", "Fox Kitten", "Leviathan", "Magic Hound", "OilRig"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "POLONIUM", "Sandworm Team", "Turla", "Windigo"]}, {"mitre_attack_id": "T1102", "mitre_attack_technique": "Web Service", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT32", "EXOTIC LILY", "Ember Bear", "FIN6", "FIN8", "Fox Kitten", "Gamaredon Group", "Inception", "LazyScripter", "Mustang Panda", "Rocke", "TeamTNT", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/ngrok/ngrok_linux-sysmon.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_ngrok_reverse_proxy_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_ngrok_reverse_proxy_usage.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Node Privilege Escalation", "id": "2e58a4ff-398f-42f4-8fd0-e01ebfe2a8ce", "version": 1, "date": "2022-07-31", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "Node.js is a back-end JavaScript runtime environment that is open-source, cross-platform, runs on the V8 engine, and executes JavaScript code outside of a web browser. It was created to help create scalable network applications. If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*sudo*node*\" AND Processes.process=\"*-e*\" AND Processes.process=\"*child_process.spawn*\" AND Processes.process=\"*stdio*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_node_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/docker/", "https://en.wikipedia.org/wiki/Node.js"], "tags": {"name": "Linux Node Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/node/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_node_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_node_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux NOPASSWD Entry In Sudoers File", "id": "ab1e0d52-624a-11ec-8e0b-acde48001122", "version": 1, "date": "2021-12-21", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to look for suspicious command lines that may add entry to /etc/sudoers with NOPASSWD attribute in linux platform. This technique is commonly abuse by adversaries, malware author and red teamers to gain elevated privilege to the targeted or compromised host. /etc/sudoers file controls who can run what commands users can execute on the machines and can also control whether user need a password to execute particular commands. This file is composed of aliases (basically variables) and user specifications.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*NOPASSWD:*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_nopasswd_entry_in_sudoers_file_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://askubuntu.com/questions/334318/sudoers-file-enable-nopasswd-for-user-all-commands", "https://help.ubuntu.com/community/Sudoers"], "tags": {"name": "Linux NOPASSWD Entry In Sudoers File", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "a commandline $process$ executed on $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/nopasswd_sudoers/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_nopasswd_entry_in_sudoers_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Obfuscated Files or Information Base64 Decode", "id": "303b38b2-c03f-44e2-8f41-4594606fcfc7", "version": 1, "date": "2022-07-27", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies the use of base64 decode on Linux being utilized to deobfuscate a file. Identify the source of the file and determine if legitimate. Review parallel processes for further behavior before and after.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*base64 -d*\",\"*base64 --decode*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_obfuscated_files_or_information_base64_decode_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present and will require some tuning based on processes. Filter as needed.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md#atomic-test-1---decode-base64-data-into-script", "https://redcanary.com/blog/lateral-movement-with-secure-shell/", "https://linux.die.net/man/1/base64"], "tags": {"name": "Linux Obfuscated Files or Information Base64 Decode", "analytic_story": ["Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ decoding base64.", "mitre_attack_id": ["T1027"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/linux-sysmon.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_obfuscated_files_or_information_base64_decode_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Octave Privilege Escalation", "id": "78f7487d-42ce-4f7f-8685-2159b25fb477", "version": 1, "date": "2022-08-11", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "GNU Octave is a high-level programming language primarily intended for scientific computing and numerical computation. Octave helps in solving linear and nonlinear problems numerically, and for performing other numerical experiments using a language that is mostly compatible with MATLAB. If sudo right is given to the application for the user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*octave-cli*\" AND Processes.process=\"*--eval*\" AND Processes.process=\"*system*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_octave_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/octave/", "https://en.wikipedia.org/wiki/GNU_Octave"], "tags": {"name": "Linux Octave Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/octave/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_octave_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_octave_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux OpenVPN Privilege Escalation", "id": "d25feebe-fa1c-4754-8a1e-afb03bedc0f2", "version": 1, "date": "2022-08-11", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "OpenVPN is a virtual private network system that implements techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It implements both client and server applications. If sudo right is given to the OpenVPN application for the user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*openvpn*\" AND Processes.process=\"*--dev*\" AND Processes.process=\"*--script-security*\" AND Processes.process=\"*--up*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_openvpn_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/openvpn/", "https://en.wikipedia.org/wiki/OpenVPN"], "tags": {"name": "Linux OpenVPN Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/openvpn/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_openvpn_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_openvpn_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Persistence and Privilege Escalation Risk Behavior", "id": "ad5ac21b-3b1e-492c-8e19-ea5d5e8e5cf1", "version": 3, "date": "2022-08-30", "author": "Michael Haag, Splunk", "type": "Correlation", "status": "production", "description": "The following correlation is specific to Linux persistence and privilege escalation tactics and is tied to two analytic stories and any Linux analytic tied to persistence and privilege escalation. These techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context.", "data_source": [], "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where (All_Risk.analyticstories IN (\"Linux Privilege Escalation\", \"Linux Persistence Techniques\") OR source = \"*Linux*\") All_Risk.annotations.mitre_attack.mitre_tactic IN (\"persistence\", \"privilege-escalation\") All_Risk.risk_object_type=\"system\" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `linux_persistence_and_privilege_escalation_risk_behavior_filter`", "how_to_implement": "Ensure Linux anomaly and TTP analytics are enabled. TTP may be set to Notables for point detections, anomaly should not be notables but risk generators. The correlation relies on more than x amount of distict detection names generated before generating a notable. Modify the value as needed. Default value is set to 4. This value may need to be increased based on activity in your environment.", "known_false_positives": "False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers.", "references": ["https://attack.mitre.org/tactics/TA0004/"], "tags": {"name": "Linux Persistence and Privilege Escalation Risk Behavior", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Privilege escalation and persistence behaviors have been identified on $risk_object$.", "mitre_attack_id": ["T1548"], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Risk.analyticstories", "All_Risk.risk_object_type", "All_Risk.risk_object", "All_Risk.annotations.mitre_attack.mitre_tactic", "source"], "risk_score": 56, "security_domain": "audit", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/linux_risk/linuxrisk.log", "source": "linuxrisk", "sourcetype": "stash", "update_timestamp": true}]}], "datamodel": ["Risk"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_persistence_and_privilege_escalation_risk_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Linux PHP Privilege Escalation", "id": "4fc4c031-e5be-4cc0-8cf9-49f9f507bcb5", "version": 1, "date": "2022-08-09", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "PHP is a general-purpose scripting language geared toward web development. It was originally created by Danish-Canadian programmer Rasmus Lerdorf in 1994. The PHP reference implementation is now produced by The PHP Group. If sudo right is given to php application for the user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*php*-r*\" AND Processes.process=\"*system*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_php_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/php/", "https://en.wikipedia.org/wiki/PHP"], "tags": {"name": "Linux PHP Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/php/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_php_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_php_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux pkexec Privilege Escalation", "id": "03e22c1c-8086-11ec-ac2e-acde48001122", "version": 1, "date": "2022-01-28", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies `pkexec` spawning with no command-line arguments. A vulnerability in Polkit's pkexec component identified as CVE-2021-4034 (PwnKit) which is present in the default configuration of all major Linux distributions and can be exploited to gain full root privileges on the system.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=pkexec by _time Processes.dest Processes.process_id Processes.parent_process_name Processes.process_name Processes.process Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(^.{1}$)\" | `linux_pkexec_privilege_escalation_filter`", "how_to_implement": "Depending on the EDR product in use, there are multiple ways to \"null\" the command-line field, Processes.process. Two that may be useful `process=\"(^.{0}$)\"` or `| where isnull(process)`. To generate data for this behavior, Sysmon for Linux was utilized. To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://www.reddit.com/r/crowdstrike/comments/sdfeig/20220126_cool_query_friday_hunting_pwnkit_local/", "https://linux.die.net/man/1/pkexec", "https://www.bleepingcomputer.com/news/security/linux-system-service-bug-gives-root-on-all-major-distros-exploit-released/", "https://access.redhat.com/security/security-updates/#/?q=polkit&p=1&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=PortalProduct"], "tags": {"name": "Linux pkexec Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ related to a local privilege escalation in polkit pkexec.", "mitre_attack_id": ["T1068"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "cve": ["CVE-2021-4034"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/pkexec/linux-sysmon.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_pkexec_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-4034", "cvss": 7.2, "summary": "A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_pkexec_privilege_escalation.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Possible Access Or Modification Of sshd Config File", "id": "7a85eb24-72da-11ec-ac76-acde48001122", "version": 1, "date": "2022-01-11", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to look for suspicious process command-line that might be accessing or modifying sshd_config. This file is the ssh configuration file that might be modify by threat actors or adversaries to redirect port connection, allow user using authorized key generated during attack. This anomaly detection might catch noise from administrator auditing or modifying ssh configuration file. In this scenario filter is needed", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN(\"cat\", \"nano*\",\"vim*\", \"vi*\") AND Processes.process IN(\"*/etc/ssh/sshd_config\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_access_or_modification_of_sshd_config_file_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives.", "references": ["https://www.hackingarticles.in/ssh-penetration-testing-port-22/", "https://attack.mitre.org/techniques/T1098/004/"], "tags": {"name": "Linux Possible Access Or Modification Of sshd Config File", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "a commandline $process$ executed on $dest$", "mitre_attack_id": ["T1098.004", "T1098"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098.004", "mitre_attack_technique": "SSH Authorized Keys", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Earth Lusca", "TeamTNT"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/ssh_authorized_keys/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_possible_access_or_modification_of_sshd_config_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Possible Access To Credential Files", "id": "16107e0e-71fc-11ec-b862-acde48001122", "version": 1, "date": "2022-01-10", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to detect a possible attempt to dump or access the content of /etc/passwd and /etc/shadow to enable offline credential cracking. \"etc/passwd\" store user information within linux OS while \"etc/shadow\" contain the user passwords hash. Adversaries and threat actors may attempt to access this to gain persistence and/or privilege escalation. This anomaly detection can be a good indicator of possible credential dumping technique but it might catch some normal administrator automation scripts or during credential auditing. In this scenario filter is needed.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN(\"cat\", \"nano*\",\"vim*\", \"vi*\") AND Processes.process IN(\"*/etc/shadow*\", \"*/etc/passwd*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_access_to_credential_files_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://askubuntu.com/questions/445361/what-is-difference-between-etc-shadow-and-etc-passwd", "https://attack.mitre.org/techniques/T1003/008/"], "tags": {"name": "Linux Possible Access To Credential Files", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "A commandline $process$ executed on $dest$", "mitre_attack_id": ["T1003.008", "T1003"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.008", "mitre_attack_technique": "/etc/passwd and /etc/shadow", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.008/copy_file_stdoutpipe/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_possible_access_to_credential_files_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_possible_access_to_credential_files.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Possible Access To Sudoers File", "id": "4479539c-71fc-11ec-b2e2-acde48001122", "version": 1, "date": "2022-01-10", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to detect a possible access or modification of /etc/sudoers file. \"/etc/sudoers\" file controls who can run what command as what users on what machine and can also control whether a specific user need a password for particular commands. adversaries and threat actors abuse this file to gain persistence and/or privilege escalation during attack on targeted host.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN(\"cat\", \"nano*\",\"vim*\", \"vi*\") AND Processes.process IN(\"*/etc/sudoers*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_access_to_sudoers_file_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://attack.mitre.org/techniques/T1548/003/", "https://web.archive.org/web/20210708035426/https://www.cobaltstrike.com/downloads/csmanual43.pdf"], "tags": {"name": "Linux Possible Access To Sudoers File", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "A commandline $process$ executed on $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.008/copy_file_stdoutpipe/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_possible_access_to_sudoers_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_possible_access_to_sudoers_file.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Possible Append Command To At Allow Config File", "id": "7bc20606-5f40-11ec-a586-acde48001122", "version": 2, "date": "2022-05-26", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic looks for suspicious commandline that may use to append user entry to /etc/at.allow or /etc/at.deny. These 2 files are commonly abused by malware, adversaries or red teamers to persist on the targeted or compromised host. These config file can restrict user that can only execute at application (another schedule task application in linux). attacker can create a user or add the compromised username to that config file to execute at to schedule it malicious code. This anomaly detection can be a good indicator to investigate further the entry in created config file and who created it to verify if it is a false positive.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process = \"*echo*\" AND Processes.process IN(\"*/etc/at.allow\", \"*/etc/at.deny\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_append_command_to_at_allow_config_file_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives.", "references": ["https://linuxize.com/post/at-command-in-linux/", "https://attack.mitre.org/techniques/T1053/001/"], "tags": {"name": "Linux Possible Append Command To At Allow Config File", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A commandline $process$ that may modify at allow config file in $dest$", "mitre_attack_id": ["T1053.002", "T1053"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/at_execution/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_possible_append_command_to_at_allow_config_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Possible Append Command To Profile Config File", "id": "9c94732a-61af-11ec-91e3-acde48001122", "version": 1, "date": "2021-12-20", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic looks for suspicious command-lines that can be possibly used to modify user profile files to automatically execute scripts/executables by shell upon reboot of the machine. This technique is commonly abused by adversaries, malware and red teamers as persistence mechanism to the targeted or compromised host. This Anomaly detection is a good indicator that someone wants to run code after reboot which can be done also by the administrator or network operator for automation purposes.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*echo*\" AND Processes.process IN(\"*~/.bashrc\", \"*~/.bash_profile\", \"*/etc/profile\", \"~/.bash_login\", \"*~/.profile\", \"~/.bash_logout\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_append_command_to_profile_config_file_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives.", "references": ["https://unix.stackexchange.com/questions/129143/what-is-the-purpose-of-bashrc-and-how-does-it-work", "https://attack.mitre.org/techniques/T1546/004/"], "tags": {"name": "Linux Possible Append Command To Profile Config File", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "a commandline $process$ that may modify profile files in $dest$", "mitre_attack_id": ["T1546.004", "T1546"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.004", "mitre_attack_technique": "Unix Shell Configuration Modification", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.004/linux_init_profile/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_possible_append_command_to_profile_config_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_possible_append_command_to_profile_config_file.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "id": "b5b91200-5f27-11ec-bb4e-acde48001122", "version": 1, "date": "2021-12-17", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for possible suspicious commandline that may use to append a code to any existing cronjob files for persistence or privilege escalation. This technique is commonly abused by malware, adversaries and red teamers to automatically execute their code within a existing or sometimes in normal cronjob script file.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process = \"*echo*\" AND Processes.process IN(\"*/etc/cron*\", \"*/var/spool/cron/*\", \"*/etc/anacrontab*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_append_cronjob_entry_on_existing_cronjob_file_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives.", "references": ["https://attack.mitre.org/techniques/T1053/003/", "https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability", "https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/"], "tags": {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A commandline $process$ that may modify cronjob file in $dest$", "mitre_attack_id": ["T1053.003", "T1053"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "Rocke"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/cronjobs_entry/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_possible_append_cronjob_entry_on_existing_cronjob_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Possible Cronjob Modification With Editor", "id": "dcc89bde-5f24-11ec-87ca-acde48001122", "version": 1, "date": "2021-12-17", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for possible modification of cronjobs file using editor. This event is can be seen in normal user but can also be a good hunting indicator for unwanted user modifying cronjobs for possible persistence or privilege escalation.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN(\"nano\",\"vim.basic\") OR Processes.process IN (\"*nano *\", \"*vi *\", \"*vim *\")) AND Processes.process IN(\"*/etc/cron*\", \"*/var/spool/cron/*\", \"*/etc/anacrontab*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_cronjob_modification_with_editor_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives.", "references": ["https://attack.mitre.org/techniques/T1053/003/"], "tags": {"name": "Linux Possible Cronjob Modification With Editor", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 20, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A commandline $process$ that may modify cronjob file using editor in $dest$", "mitre_attack_id": ["T1053.003", "T1053"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 6, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "Rocke"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/cronjobs_entry/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_possible_cronjob_modification_with_editor_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_possible_cronjob_modification_with_editor.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Possible Ssh Key File Creation", "id": "c04ef40c-72da-11ec-8eac-acde48001122", "version": 1, "date": "2022-01-11", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to look for possible ssh key file creation on ~/.ssh/ folder. This technique is commonly abused by threat actors and adversaries to gain persistence and privilege escalation to the targeted host. by creating ssh private and public key and passing the public key to the attacker server. threat actor can access remotely the machine using openssh daemon service.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*/.ssh*\") by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_possible_ssh_key_file_creation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can create file in ~/.ssh folders for automation purposes. Please update the filter macros to remove false positives.", "references": ["https://www.hackingarticles.in/ssh-penetration-testing-port-22/", "https://attack.mitre.org/techniques/T1098/004/"], "tags": {"name": "Linux Possible Ssh Key File Creation", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Installation"], "message": "A file $file_name$ is created in $file_path$ on $dest$", "mitre_attack_id": ["T1098.004", "T1098"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.dest", "Filesystem.file_create_time", "Filesystem.file_name", "Filesystem.process_guid", "Filesystem.file_path"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098.004", "mitre_attack_technique": "SSH Authorized Keys", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Earth Lusca", "TeamTNT"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/ssh_authorized_keys/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_possible_ssh_key_file_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_possible_ssh_key_file_creation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Preload Hijack Library Calls", "id": "cbe2ca30-631e-11ec-8670-acde48001122", "version": 1, "date": "2021-12-22", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to detect a suspicious command that may hijack a library function in linux platform. This technique is commonly abuse by adversaries, malware author and red teamers to gain privileges and persist on the machine. This detection pertains to loading a dll to hijack or hook a library function of specific program using LD_PRELOAD command.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*LD_PRELOAD*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_preload_hijack_library_calls_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://compilepeace.medium.com/memory-malware-part-0x2-writing-userland-rootkits-via-ld-preload-30121c8343d5"], "tags": {"name": "Linux Preload Hijack Library Calls", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "message": "A commandline $process$ that may hijack library function on $dest$", "mitre_attack_id": ["T1574.006", "T1574"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.006", "mitre_attack_technique": "Dynamic Linker Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Rocke"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.006/lib_hijack/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_preload_hijack_library_calls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_preload_hijack_library_calls.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Proxy Socks Curl", "id": "bd596c22-ad1e-44fc-b242-817253ce8b08", "version": 1, "date": "2022-07-29", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies curl being utilized with a proxy based on command-line arguments - -x, socks, --preproxy and --proxy. This behavior is built into the MetaSploit Framework as a auxiliary module. What does socks buy an adversary? SOCKS4a extends the SOCKS4 protocol to allow a client to specify a destination domain name rather than an IP address. The SOCKS5 protocol is defined in RFC 1928. It is an incompatible extension of the SOCKS4 protocol; it offers more choices for authentication and adds support for IPv6 and UDP, the latter of which can be used for DNS lookups. The protocols, and a proxy itself, allow an adversary to evade controls in place monitoring traffic, making it harder for the defender to identify and track activity.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl Processes.process IN (\"*-x *\", \"*socks4a://*\", \"*socks5h://*\", \"*socks4://*\",\"*socks5://*\", \"*--preproxy *\", \"--proxy*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_proxy_socks_curl_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present based on proxy usage internally. Filter as needed.", "references": ["https://www.offensive-security.com/metasploit-unleashed/proxytunnels/", "https://curl.se/docs/manpage.html", "https://en.wikipedia.org/wiki/SOCKS", "https://oxylabs.io/blog/curl-with-proxy", "https://reqbin.com/req/c-ddxflki5/curl-proxy-server#:~:text=To%20use%20a%20proxy%20with,be%20URL%20decoded%20by%20Curl.", "https://gtfobins.github.io/gtfobins/curl/"], "tags": {"name": "Linux Proxy Socks Curl", "analytic_story": ["Linux Living Off The Land", "Ingress Tool Transfer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Command And Control"], "message": "An instance of $process_name$ was identified on endpoint $dest$ by user $user$ utilizing a proxy. Review activity for further details.", "mitre_attack_id": ["T1090", "T1095"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "POLONIUM", "Sandworm Team", "Turla", "Windigo"]}, {"mitre_attack_id": "T1095", "mitre_attack_technique": "Non-Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT3", "BITTER", "BackdoorDiplomacy", "FIN6", "HAFNIUM", "Metador", "PLATINUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_proxy_socks_curl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_proxy_socks_curl.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Puppet Privilege Escalation", "id": "1d19037f-466e-4d56-8d87-36fafd9aa3ce", "version": 1, "date": "2022-08-11", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "In computing, Puppet is a software configuration management tool which includes its own declarative language to describe system configuration. It is a model-driven solution that requires limited programming knowledge to use. If sudo right is given to the tool for the user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*puppet*\" AND Processes.process=\"*apply*\" AND Processes.process=\"*-e*\" AND Processes.process=\"*exec*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_puppet_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/puppet/", "https://en.wikipedia.org/wiki/Puppet_(software)"], "tags": {"name": "Linux Puppet Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/puppet/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_puppet_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_puppet_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux RPM Privilege Escalation", "id": "f8e58a23-cecd-495f-9c65-6c76b4cb9774", "version": 1, "date": "2022-08-09", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "RPM Package Manager is a free and open-source package management system. The name RPM refers to the .rpm file format and the package manager program itself. RPM was intended primarily for Linux distributions; the file format is the baseline package format of the Linux Standard Base. If sudo right is given to rpm utility for the user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*rpm*--eval*\" AND Processes.process=\"*lua:os.execute*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_rpm_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/rpm/", "https://en.wikipedia.org/wiki/RPM_Package_Manager"], "tags": {"name": "Linux RPM Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/rpm/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_rpm_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_rpm_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Ruby Privilege Escalation", "id": "097b28b5-7004-4d40-a715-7e390501788b", "version": 1, "date": "2022-08-09", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "Ruby is one of the most used and easy to use programming languages. Ruby is an open-source, object-oriented interpreter that can be installed on a Linux system. If sudo right is given to ruby application for the user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*ruby*-e*\" AND Processes.process=\"*exec*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ruby_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/ruby/"], "tags": {"name": "Linux Ruby Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/ruby/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_ruby_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_ruby_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Service File Created In Systemd Directory", "id": "c7495048-61b6-11ec-9a37-acde48001122", "version": 1, "date": "2021-12-20", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic looks for suspicious file creation in systemd timer directory in linux platform. systemd is a system and service manager for Linux distributions. From the Windows perspective, this process fulfills the duties of wininit.exe and services.exe combined. At the risk of simplifying the functionality of systemd, it initializes a Linux system and starts relevant services that are defined in service unit files. Adversaries, malware and red teamers may abuse this this feature by stashing systemd service file to persist on the targetted or compromised host.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name = *.service Filesystem.file_path IN (\"*/etc/systemd/system*\", \"*/lib/systemd/system*\", \"*/usr/lib/systemd/system*\", \"*/run/systemd/system*\", \"*~/.config/systemd/*\", \"*~/.local/share/systemd/*\",\"*/etc/systemd/user*\", \"*/lib/systemd/user*\", \"*/usr/lib/systemd/user*\", \"*/run/systemd/user*\") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_service_file_created_in_systemd_directory_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can create file in systemd folders for automation purposes. Please update the filter macros to remove false positives.", "references": ["https://attack.mitre.org/techniques/T1053/006/", "https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/", "https://redcanary.com/blog/attck-t1501-understanding-systemd-service-persistence/", "https://github.com/microsoft/MSTIC-Sysmon/blob/main/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml"], "tags": {"name": "Linux Service File Created In Systemd Directory", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A service file named as $file_path$ is created in systemd folder on $dest$", "mitre_attack_id": ["T1053.006", "T1053"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.dest", "Filesystem.file_create_time", "Filesystem.file_name", "Filesystem.process_guid", "Filesystem.file_path"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.006/service_systemd/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_service_file_created_in_systemd_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_service_file_created_in_systemd_directory.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Service Restarted", "id": "084275ba-61b8-11ec-8d64-acde48001122", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic looks for restarted or re-enable services in the linux platform. This technique can be executed or performed using systemctl or service tool application. Adversaries may create or modify Linux services to repeatedly execute malicious payloads as part of persistence. When the linux host boots up, it starts programs or applications called services that perform background system functions. Administrator may also create a legitimated service for a specific tool or normal application as part of task or automation, in this scenario it is suggested to look for the service path of the actual script or executable that registered as service and who created the service for further verification.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN (\"systemctl\", \"service\") OR Processes.process IN (\"*systemctl *\", \"*service *\")) Processes.process IN (\"*restart*\", \"*reload*\", \"*reenable*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_service_restarted_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and commandline executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives.", "references": ["https://attack.mitre.org/techniques/T1543/003/"], "tags": {"name": "Linux Service Restarted", "analytic_story": ["AwfulShred", "Linux Privilege Escalation", "Linux Living Off The Land", "Data Destruction", "Linux Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A commandline $process$ that may create or start a service on $dest$", "mitre_attack_id": ["T1053.006", "T1053"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.006/service_systemd/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_service_restarted_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_service_restarted.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Service Started Or Enabled", "id": "e0428212-61b7-11ec-88a3-acde48001122", "version": 1, "date": "2021-12-20", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic looks for created or enable services in linux platform. This technique can be executed or performed using systemctl or service tool application. Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Administrator may also create a legitimated service for a specific tool or normal application as part of task or automation, in this scenario it is suggested to look for the service path of the actual script or executable that register as service and who created the service for further verification.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN (\"systemctl\", \"service\") OR Processes.process IN (\"*systemctl *\", \"*service *\")) Processes.process IN (\"* start *\", \"* enable *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_service_started_or_enabled_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives.", "references": ["https://attack.mitre.org/techniques/T1543/003/"], "tags": {"name": "Linux Service Started Or Enabled", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Installation", "Exploitation"], "message": "a commandline $process$ that may create or start a service on $dest", "mitre_attack_id": ["T1053.006", "T1053"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.006/service_systemd/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_service_started_or_enabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_service_started_or_enabled.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Setuid Using Chmod Utility", "id": "bf0304b6-6250-11ec-9d7c-acde48001122", "version": 1, "date": "2021-12-21", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic looks for suspicious chmod utility execution to enable SUID bit. This allows a user to temporarily gain root access, usually in order to run a program. For example, only the root account is allowed to change the password information contained in the password database; If the SUID bit appears as an s, the file's owner also has execute permission to the file; if it appears as an S, the file's owner does not have execute permission. The second specialty permission is the SGID, or set group id bit. It is similar to the SUID bit, except it can temporarily change group membership, usually to execute a program. The SGID bit is set if an s or an S appears in the group section of permissions.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes WHERE (Processes.process_name = chmod OR Processes.process = \"*chmod *\") AND Processes.process IN(\"* g+s *\", \"* u+s *\", \"* 4777 *\", \"* 4577 *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_setuid_using_chmod_utility_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/"], "tags": {"name": "Linux Setuid Using Chmod Utility", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "a commandline $process$ that may set suid or sgid on $dest$", "mitre_attack_id": ["T1548.001", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.001", "mitre_attack_technique": "Setuid and Setgid", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/chmod_uid/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_setuid_using_chmod_utility_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_setuid_using_chmod_utility.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Setuid Using Setcap Utility", "id": "9d96022e-6250-11ec-9a19-acde48001122", "version": 1, "date": "2021-12-21", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic looks for suspicious setcap utility execution to enable SUID bit. This allows a user to temporarily gain root access, usually in order to run a program. For example, only the root account is allowed to change the password information contained in the password database; If the SUID bit appears as an s, the file's owner also has execute permission to the file; if it appears as an S, the file's owner does not have execute permission. The second specialty permission is the SGID, or set group id bit. It is similar to the SUID bit, except it can temporarily change group membership, usually to execute a program. The SGID bit is set if an s or an S appears in the group section of permissions.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = setcap OR Processes.process = \"*setcap *\") AND Processes.process IN (\"* cap_setuid=ep *\", \"* cap_setuid+ep *\", \"* cap_net_bind_service+p *\", \"* cap_net_raw+ep *\", \"* cap_dac_read_search+ep *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_setuid_using_setcap_utility_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/"], "tags": {"name": "Linux Setuid Using Setcap Utility", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "A commandline $process$ that may set suid or sgid on $dest$", "mitre_attack_id": ["T1548.001", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.001", "mitre_attack_technique": "Setuid and Setgid", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/linux_setcap/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_setuid_using_setcap_utility_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_setuid_using_setcap_utility.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Shred Overwrite Command", "id": "c1952cf1-643c-4965-82de-11c067cbae76", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to detect a shred process to overwrite a files in a linux machine. Shred Linux application is designed to overwrite file to hide its contents or make the deleted file un-recoverable. Weve seen this technique in industroyer2 malware that tries to wipe energy facilities of targeted sector as part of its destructive attack. It might be some normal user may use this command for valid purposes but it is recommended to check what files, disk or folder it tries to shred that might be good pivot for incident response in this type of destructive malware.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name =shred AND Processes.process IN (\"*-n*\", \"*-u*\", \"*-z*\", \"*-s*\") by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_shred_overwrite_command_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://cert.gov.ua/article/39518"], "tags": {"name": "Linux Shred Overwrite Command", "analytic_story": ["Industroyer2", "AwfulShred", "Linux Privilege Escalation", "Data Destruction", "Linux Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "message": "A possible shred overwrite command $process$ executed on $dest$", "mitre_attack_id": ["T1485"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/rm_shred_critical_dir/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_shred_overwrite_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_shred_overwrite_command.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Sqlite3 Privilege Escalation", "id": "ab75dbb7-c3ba-4689-9c1b-8d2717bdcba1", "version": 1, "date": "2022-08-11", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "sqlite3 is a terminal-based front-end to the SQLite library that can evaluate queries interactively and display the results in multiple formats. sqlite3 can also be used within shell scripts and other applications to provide batch processing features. If sudo right is given to this application for the user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*sqlite3*\" AND Processes.process=\"*.shell*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_sqlite3_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/sqlite3/", "https://manpages.ubuntu.com/manpages/trusty/en/man1/sqlite3.1.html"], "tags": {"name": "Linux Sqlite3 Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/sqlite3/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_sqlite3_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_sqlite3_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux SSH Authorized Keys Modification", "id": "f5ab595e-28e5-4327-8077-5008ba97c850", "version": 1, "date": "2022-07-27", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies based on process execution the modification of SSH Authorized Keys. Adversaries perform this behavior to persist on endpoints. During triage, review parallel processes and capture any additional file modifications for review.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"bash\",\"cat\") Processes.process IN (\"*/authorized_keys*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ssh_authorized_keys_modification_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Filtering will be required as system administrators will add and remove. One way to filter query is to add \"echo\".", "references": ["https://redcanary.com/blog/lateral-movement-with-secure-shell/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"], "tags": {"name": "Linux SSH Authorized Keys Modification", "analytic_story": ["Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Installation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ modifying SSH Authorized Keys.", "mitre_attack_id": ["T1098.004"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098.004", "mitre_attack_technique": "SSH Authorized Keys", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Earth Lusca", "TeamTNT"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/ssh_authorized_keys/authkey_linux-sysmon.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_ssh_authorized_keys_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_ssh_authorized_keys_modification.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux SSH Remote Services Script Execute", "id": "aa1748dd-4a5c-457a-9cf6-ca7b4eb711b3", "version": 1, "date": "2023-03-03", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies SSH being utilized to move laterally and execute a script or file on the remote host.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ssh Processes.process IN (\"*oStrictHostKeyChecking*\", \"*oConnectTimeout*\", \"*oBatchMode*\") AND Processes.process IN (\"*http:*\",\"*https:*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ssh_remote_services_script_execute_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "This is not a common command to be executed. Filter as needed.", "references": ["https://redcanary.com/blog/lateral-movement-with-secure-shell/"], "tags": {"name": "Linux SSH Remote Services Script Execute", "analytic_story": ["Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $process_name$ was identified on endpoint $dest$ by user $user$ attempting to move laterally and download a file.", "mitre_attack_id": ["T1021.004"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.004", "mitre_attack_technique": "SSH", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT39", "BlackTech", "FIN7", "Fox Kitten", "GCMAN", "Lazarus Group", "Leviathan", "OilRig", "Rocke", "TEMP.Veles", "TeamTNT", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.004/atomic_red_team/linux-sysmon.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_ssh_remote_services_script_execute_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_ssh_remote_services_script_execute.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Stdout Redirection To Dev Null File", "id": "de62b809-a04d-46b5-9a15-8298d330f0c8", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "experimental", "description": "This analytic looks for suspicious commandline that redirect the stdout or possible stderror to dev/null file. This technique was seen in cyclopsblink malware where it redirect the possible output or error while modify the iptables firewall setting of the compromised machine to hide its action from the user. This Anomaly detection is a good pivot to look further why process or user use this un common approach.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*&>/dev/null*\" by Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_stdout_redirection_to_dev_null_file_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "unknown", "references": ["https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html"], "tags": {"name": "Linux Stdout Redirection To Dev Null File", "analytic_story": ["CyclopsBLink", "Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "a commandline $process$ that redirect stdout to dev/null in $dest$", "mitre_attack_id": ["T1562.004", "T1562"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/cyclopsblink/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_stdout_redirection_to_dev_null_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_stdout_redirection_to_dev_null_file.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Stop Services", "id": "d05204a5-9f1c-4946-a7f3-4fa58d76d5fd", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic is to detect events that attempt to stop or clear a service. This is typically identified in parallel with other instances of service enumeration of attempts to stop a service and then delete it. Adversaries utilize this technique like industroyer2 malware to terminate security services or other related services to continue there objective as a destructive payload.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"systemctl\", \"service\", \"svcadm\") Processes.process =\"*stop*\" by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_stop_services_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://cert.gov.ua/article/39518"], "tags": {"name": "Linux Stop Services", "analytic_story": ["AwfulShred", "Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified attempting to stop services on endpoint $dest$ by $user$.", "mitre_attack_id": ["T1489"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_service_stop_disable/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_stop_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_stop_services.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Sudo OR Su Execution", "id": "4b00f134-6d6a-11ec-a90c-acde48001122", "version": 1, "date": "2022-01-04", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "This analytic is to detect the execution of sudo or su command in linux operating system. The \"sudo\" command allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. This command is commonly abused by adversaries, malware author and red teamers to elevate privileges to the targeted host. This command can be executed by administrator for legitimate purposes or to execute process that need admin privileges, In this scenario filter is needed.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"sudo\", \"su\") OR Processes.parent_process_name IN (\"sudo\", \"su\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_sudo_or_su_execution_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://attack.mitre.org/techniques/T1548/003/"], "tags": {"name": "Linux Sudo OR Su Execution", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "A commandline $process$ that execute sudo or su in $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/sudo_su/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_sudo_or_su_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_sudo_or_su_execution.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Sudoers Tmp File Creation", "id": "be254a5c-63e7-11ec-89da-acde48001122", "version": 1, "date": "2021-12-23", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to looks for file creation of sudoers.tmp file cause by editing /etc/sudoers using visudo or editor in linux platform. This technique may abuse by adversaries, malware author and red teamers to gain elevated privilege to targeted or compromised host. /etc/sudoers file controls who can run what commands as what users on what machines and can also control special things such as whether you need a password for particular commands. The file is composed of aliases (basically variables) and user specifications (which control who can run what).", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*sudoers.tmp*\") by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_sudoers_tmp_file_creation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://forum.ubuntuusers.de/topic/sudo-visudo-gibt-etc-sudoers-tmp/"], "tags": {"name": "Linux Sudoers Tmp File Creation", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "A file $file_name$ is created in $file_path$ on $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.dest", "Filesystem.file_create_time", "Filesystem.file_name", "Filesystem.process_guid", "Filesystem.file_path"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/sudoers_temp/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_sudoers_tmp_file_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_sudoers_tmp_file_creation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux System Network Discovery", "id": "535cb214-8b47-11ec-a2c7-acde48001122", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to look for possible enumeration of local network configuration. This technique is commonly used as part of recon of adversaries or threat actor to know some network information for its next or further attack. This anomaly detections may capture normal event made by administrator during auditing or testing network connection of specific host or network to network.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name_list values(Processes.process) as process_list values(Processes.process_id) as process_id_list values(Processes.parent_process_id) as parent_process_id_list values(Processes.process_guid) as process_guid_list dc(Processes.process_name) as process_name_count from datamodel=Endpoint.Processes where Processes.process_name IN (\"arp\", \"ifconfig\", \"ip\", \"netstat\", \"firewall-cmd\", \"ufw\", \"iptables\", \"ss\", \"route\") by _time span=30m Processes.dest Processes.user | where process_name_count >=4 | `drop_dm_object_name(Processes)`| `linux_system_network_discovery_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"], "tags": {"name": "Linux System Network Discovery", "analytic_story": ["Data Destruction", "Network Discovery", "Industroyer2"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "A commandline $process$ executed on $dest$", "mitre_attack_id": ["T1016"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/atomic_red_team/linux_net_discovery/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_system_network_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_system_network_discovery.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux System Reboot Via System Request Key", "id": "e1912b58-ed9c-422c-bbb0-2dbc70398345", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to look for possible execution of SysReq hack to reboot the Linux system host. This technique was seen in Awfulshred malware wiper to reboot the compromised host by using the linux magic sysreq key. This kernel configuration can trigger reboot by piping out 'b' to /proc/sysrq-trigger after enabling all the functions of sysrq. This TTP detection can be a good indicator of possible suspicious processes running on the Linux host since this command is not a common way to reboot a system.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"dash\", \"sudo\", \"bash\") Processes.process = \"* echo b > *\" Processes.process = \"*/proc/sysrq-trigger\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_system_reboot_via_system_request_key_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "unknown", "references": ["https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html", "https://cert.gov.ua/article/3718487", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/"], "tags": {"name": "Linux System Reboot Via System Request Key", "analytic_story": ["AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "message": "a $process_name$ execute sysrq command $process$ to reboot $dest$", "mitre_attack_id": ["T1529"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process_path", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test2/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_system_reboot_via_system_request_key_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_system_reboot_via_system_request_key.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Unix Shell Enable All SysRq Functions", "id": "e7a96937-3b58-4962-8dce-538e4763cf15", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to look for possible execution of SysReq hack to enable all functions of kernel system requests of the Linux system host. This technique was seen in AwfulShred malware wiper to reboot the compromised host by using the linux magic sysreq key. This kernel configuration can be triggered by piping out bitmask '1' to /proc/sys/kernel/sysrq. This TTP detection can be a good indicator of possible suspicious processes running on the Linux host since this command is not so common shell commandline.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"dash\", \"sudo\", \"bash\") Processes.process = \"* echo 1 > *\" Processes.process = \"*/proc/sys/kernel/sysrq\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_unix_shell_enable_all_sysrq_functions_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "unknown", "references": ["https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html", "https://cert.gov.ua/article/3718487", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/"], "tags": {"name": "Linux Unix Shell Enable All SysRq Functions", "analytic_story": ["AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Installation"], "message": "a $process_name$ execute sysrq command $process$ to enable all function of system request in $dest$", "mitre_attack_id": ["T1059.004", "T1059"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process_path", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.004", "mitre_attack_technique": "Unix Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT41", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test2/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_unix_shell_enable_all_sysrq_functions_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_unix_shell_enable_all_sysrq_functions.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Visudo Utility Execution", "id": "08c41040-624c-11ec-a71f-acde48001122", "version": 1, "date": "2021-12-21", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to looks for suspicious commandline that add entry to /etc/sudoers by using visudo utility tool in linux platform. This technique may abuse by adversaries, malware author and red teamers to gain elevated privilege to targeted or compromised host. /etc/sudoers file controls who can run what commands as what users on what machines and can also control special things such as whether you need a password for particular commands. The file is composed of aliases (basically variables) and user specifications (which control who can run what).", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = visudo by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_visudo_utility_execution_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://askubuntu.com/questions/334318/sudoers-file-enable-nopasswd-for-user-all-commands"], "tags": {"name": "Linux Visudo Utility Execution", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 40, "impact": 40, "kill_chain_phases": ["Exploitation"], "message": "A commandline $process$ executed on $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 16, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/visudo/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_visudo_utility_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_visudo_utility_execution.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Living Off The Land", "id": "1be30d80-3a39-4df9-9102-64a467b24abc", "version": 2, "date": "2022-09-09", "author": "Michael Haag, Splunk", "type": "Correlation", "status": "production", "description": "The following correlation identifies a distinct amount of analytics associated with the Living Off The Land analytic story that identify potentially suspicious behavior.", "data_source": [], "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories=\"Living Off The Land\" All_Risk.risk_object_type=\"system\" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 5 | `living_off_the_land_filter`", "how_to_implement": "To implement this correlation search a user needs to enable all detections in the Living Off The Land Analytic Story and confirm it is generating risk events. A simple search `index=risk analyticstories=\"Living Off The Land\"` should contain events.", "known_false_positives": "There are no known false positive for this search, but it could contain false positives as multiple detections can trigger and not have successful exploitation. Modify the static value distinct_detection_name to a higher value. It is also required to tune analytics that are also tagged to ensure volume is never too much.", "references": ["https://www.splunk.com/en_us/blog/security/living-off-the-land-threat-research-february-2022-release.html", "https://research.splunk.com/stories/living_off_the_land/"], "tags": {"name": "Living Off The Land", "analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Command And Control", "Delivery", "Installation"], "message": "An increase of Living Off The Land behavior has been detected on $affected_systems$", "mitre_attack_id": ["T1105", "T1190", "T1059"], "nist": ["DE.AE"], "observable": [{"name": "affected_systems", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Risk.analyticstories", "All_Risk.risk_object_type", "All_Risk.risk_object", "All_Risk.annotations.mitre_attack.mitre_tactic", "source"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1218/living_off_the_land/lolbinrisk.log", "source": "lotl", "sourcetype": "stash"}]}], "datamodel": ["Risk"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "living_off_the_land_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/living_off_the_land.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Loading Of Dynwrapx Module", "id": "eac5e8ba-4857-11ec-9371-acde48001122", "version": 1, "date": "2021-11-18", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "DynamicWrapperX is an ActiveX component that can be used in a script to call Windows API functions, but it requires the dynwrapx.dll to be installed and registered. With that, registering or loading dynwrapx.dll to a host is highly suspicious. In most instances when it is used maliciously, the best way to triage is to review parallel processes and pivot on the process_guid. Review the registry for any suspicious modifications meant to load dynwrapx.dll. Identify any suspicious module loads of dynwrapx.dll. This detection will return and identify the processes that invoke vbs/wscript/cscript.", "data_source": ["Sysmon Event ID 7"], "search": "`sysmon` EventCode=7 (ImageLoaded = \"*\\\\dynwrapx.dll\" OR OriginalFileName = \"dynwrapx.dll\" OR Product = \"DynamicWrapperX\") | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded OriginalFileName Product process_name Computer EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `loading_of_dynwrapx_module_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on processes that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited, however it is possible to filter by Processes.process_name and specific processes (ex. wscript.exe). Filter as needed. This may need modification based on EDR telemetry and how it brings in registry data. For example, removal of (Default).", "references": ["https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/", "https://www.script-coding.com/dynwrapx_eng.html", "https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/", "https://tria.ge/210929-ap75vsddan", "https://www.virustotal.com/gui/file/cb77b93150cb0f7fe65ce8a7e2a5781e727419451355a7736db84109fa215a89", "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"name": "Loading Of Dynwrapx Module", "analytic_story": ["Remcos", "AsyncRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "dynwrapx.dll loaded by process $process_name$ on $Computer$", "mitre_attack_id": ["T1055", "T1055.001"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "ImageLoaded", "OriginalFileName", "Product", "process_name", "Computer", "EventCode", "Signed", "ProcessId"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1055.001", "mitre_attack_technique": "Dynamic-link Library Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["BackdoorDiplomacy", "Lazarus Group", "Leviathan", "Putter Panda", "TA505", "Tropic Trooper", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_dynwrapx/sysmon_dynwraper.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "loading_of_dynwrapx_module_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/loading_of_dynwrapx_module.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Local Account Discovery with Net", "id": "5d0d4830-0133-11ec-bae3-acde48001122", "version": 2, "date": "2021-09-16", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for local users. The two arguments `user` and 'users', return a list of all local users. Red Teams and adversaries alike use net.exe to enumerate users for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` (Processes.process=*user OR Processes.process=*users) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `local_account_discovery_with_net_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1087/001/"], "tags": {"name": "Local Account Discovery with Net", "analytic_story": ["Active Directory Discovery", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Local user discovery enumeration on $dest$ by $user$", "mitre_attack_id": ["T1087", "T1087.001"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "local_account_discovery_with_net_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/local_account_discovery_with_net.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Local Account Discovery With Wmic", "id": "4902d7aa-0134-11ec-9d65-acde48001122", "version": 2, "date": "2021-09-16", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for local users. The argument `useraccount` is used to leverage WMI to return a list of all local users. Red Teams and adversaries alike use net.exe to enumerate users for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` (Processes.process=*useraccount*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `local_account_discovery_with_wmic_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1087/001/"], "tags": {"name": "Local Account Discovery With Wmic", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Local user discovery enumeration on $dest$ by $user$", "mitre_attack_id": ["T1087", "T1087.001"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "local_account_discovery_with_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/local_account_discovery_with_wmic.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Log4Shell CVE-2021-44228 Exploitation", "id": "9be30d80-3a39-4df9-9102-64a467b24eac", "version": 3, "date": "2022-09-09", "author": "Jose Hernandez, Splunk", "type": "Correlation", "status": "production", "description": "This correlation find exploitation of Log4Shell CVE-2021-44228 against systems using detections from Splunk Security Content Analytic Story. It does this by calculating the distinct count of MITRE ATT&CK tactics from Log4Shell detections fired. If the count is larger than 2 or more distinct MITRE ATT&CK tactics we assume high problability of exploitation. The Analytic story breaks down into 3 major phases of a Log4Shell exploitation, specifically> Initial Payload delivery eg. `${jndi:ldap://PAYLOAD_INJECTED}` Call back to malicious LDAP server eg. Exploit.class Post Exploitation Activity/Lateral Movement using Powershell or similar T1562.001 Each of these phases fall into different MITRE ATT&CK Tactics (Initial Access, Execution, Command And Control), by looking into 2 or more phases showing up in detections triggerd is how this correlation search finds exploitation. If we get a notable from this correlation search the best way to triage it is by investigating the affected systems against Log4Shell exploitation using Splunk SOAR playbooks.", "data_source": [], "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories=\"Log4Shell CVE-2021-44228\" All_Risk.risk_object_type=\"system\" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 2 | `log4shell_cve_2021_44228_exploitation_filter`", "how_to_implement": "To implement this correlation search a user needs to enable all detections in the Log4Shell Analytic Story and confirm it is generation risk events. A simple search `index=risk analyticstories=\"Log4Shell CVE-2021-44228\"` should contain events.", "known_false_positives": "There are no known false positive for this search, but it could contain false positives as multiple detections can trigger and not have successful exploitation.", "references": ["https://research.splunk.com/stories/log4shell_cve-2021-44228/", "https://www.splunk.com/en_us/blog/security/simulating-detecting-and-responding-to-log4shell-with-splunk.html"], "tags": {"name": "Log4Shell CVE-2021-44228 Exploitation", "analytic_story": ["Log4Shell CVE-2021-44228", "CISA AA22-320A"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Command And Control", "Delivery", "Installation"], "message": "Log4Shell Exploitation detected against $risk_object$.", "mitre_attack_id": ["T1105", "T1190", "T1059"], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Risk.analyticstories", "All_Risk.risk_object_type", "All_Risk.risk_object", "All_Risk.annotations.mitre_attack.mitre_tactic", "source"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://raw.githubusercontent.com/splunk/attack_data/master/datasets/suspicious_behaviour/log4shell_exploitation/log4shell_correlation.txt", "source": "log4shell", "sourcetype": "stash"}]}], "datamodel": ["Risk"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "log4shell_cve_2021_44228_exploitation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Logon Script Event Trigger Execution", "id": "4c38c264-1f74-11ec-b5fa-acde48001122", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious modification of registry entry to persist and gain privilege escalation upon booting up of compromised host. This technique was seen in several APT and malware where it modify UserInitMprLogonScript registry entry to its malicious payload to be executed upon boot up of the machine.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path IN (\"*\\\\Environment\\\\UserInitMprLogonScript\") by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `logon_script_event_trigger_execution_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "unknown", "references": ["https://attack.mitre.org/techniques/T1037/001/"], "tags": {"name": "Logon Script Event Trigger Execution", "analytic_story": ["Data Destruction", "Windows Privilege Escalation", "Hermetic Wiper", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "modified/added/deleted registry entry $Registry.registry_path$ in $dest$", "mitre_attack_id": ["T1037", "T1037.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.user", "Registry.registry_path", "Registry.registry_key_name", "Registry.registry_value_name"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Rocke"]}, {"mitre_attack_id": "T1037.001", "mitre_attack_technique": "Logon Script (Windows)", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "Cobalt Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1037.001/logonscript_reg/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "logon_script_event_trigger_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/logon_script_event_trigger_execution.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "LOLBAS With Network Traffic", "id": "2820f032-19eb-497e-8642-25b04a880359", "version": 1, "date": "2021-12-09", "author": "Steven Dick", "type": "TTP", "status": "production", "description": "The following analytic identifies LOLBAS with network traffic. When adversaries abuse LOLBAS they are often used to download malicious code or executables. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like downloading malicious code. Looking for these process can help defenders identify lateral movement, command-and-control, or exfiltration activies.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic.All_Traffic where (All_Traffic.app IN (\"*Regsvcs.exe\", \"*\\\\Ftp.exe\", \"*OfflineScannerShell.exe\", \"*Rasautou.exe\", \"*Schtasks.exe\", \"*Xwizard.exe\", \"*Pnputil.exe\", \"*Atbroker.exe\", \"*Pcwrun.exe\", \"*Ttdinject.exe\", \"*Mshta.exe\", \"*Bitsadmin.exe\", \"*Certoc.exe\", \"*Ieexec.exe\", \"*Microsoft.Workflow.Compiler.exe\", \"*Runscripthelper.exe\", \"*Forfiles.exe\", \"*Msbuild.exe\", \"*Register-cimprovider.exe\", \"*Tttracer.exe\", \"*Ie4uinit.exe\", \"*Bash.exe\", \"*Hh.exe\", \"*SettingSyncHost.exe\", \"*Cmstp.exe\", \"*Stordiag.exe\", \"*Scriptrunner.exe\", \"*Odbcconf.exe\", \"*Extexport.exe\", \"*Msdt.exe\", \"*WorkFolders.exe\", \"*Diskshadow.exe\", \"*Mavinject.exe\", \"*Regasm.exe\", \"*Gpscript.exe\", \"*Regsvr32.exe\", \"*Msiexec.exe\", \"*Wuauclt.exe\", \"*Presentationhost.exe\", \"*Wmic.exe\", \"*Runonce.exe\", \"*Syncappvpublishingserver.exe\", \"*Verclsid.exe\", \"*Infdefaultinstall.exe\", \"*Installutil.exe\", \"*Netsh.exe\", \"*Wab.exe\", \"*Dnscmd.exe\", \"*\\\\At.exe\", \"*Pcalua.exe\", \"*Msconfig.exe\", \"*makecab.exe\", \"*cscript.exe\", \"*notepad.exe\", \"*\\\\cmd.exe\", \"*certutil.exe\", \"*\\\\powershell.exe\", \"*powershell_ise.exe\")) by All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user,All_Traffic.dest,All_Traffic.dest_ip | `drop_dm_object_name(All_Traffic)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rex field=app \".*\\\\\\(?.*)$\" | rename app as process | `lolbas_with_network_traffic_filter`", "how_to_implement": "To successfully implement this detection you must ingest events into the Network traffic data model that contain the source, destination, and communicating process in the app feild. Relevant processes must also be ingested in the Endpoint data model with matching process_id feild. Sysmon EID1 and EID3 are good examples of this type this data type.", "known_false_positives": "Legitmate usage of internal automation or scripting, espically powershell.exe internal to internal or logon scripts. It may be necessary to omit internal IP ranges if extremely noisy. ie NOT dest_ip IN (\"10.0.0.0/8\",\"172.16.0.0/12\",\"192.168.0.0/16\",\"170.98.0.0/16\",\"0:0:0:0:0:0:0:1\") ", "references": ["https://lolbas-project.github.io/#", "https://www.sans.org/presentations/lolbin-detection-methods-seven-common-attacks-revealed/"], "tags": {"name": "LOLBAS With Network Traffic", "analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command And Control", "Actions on Objectives", "Exploitation"], "message": "The LOLBAS $process_name$ on device $src$ was seen communicating with $dest$.", "mitre_attack_id": ["T1105", "T1567", "T1218"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.user", "Processes.process_id", "Processes.process_name", "Processes.process", "Processes.process_path", "Processes.dest", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_guid", "All_Traffic.app", "All_Traffic.src", "All_Traffic.src_ip", "All_Traffic.dest", "All_Traffic.dest_ip", "All_Traffic.process_id"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1567", "mitre_attack_technique": "Exfiltration Over Web Service", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT28", "Magic Hound"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/lolbas_with_network_traffic/lolbas_with_network_traffic.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "lolbas_with_network_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/lolbas_with_network_traffic.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "MacOS - Re-opened Applications", "id": "40bb64f9-f619-4e3d-8732-328d40377c4b", "version": 1, "date": "2020-02-07", "author": "Jamie Windley, Splunk", "type": "TTP", "status": "experimental", "description": "This search looks for processes referencing the plist files that determine which applications are re-opened when a user reboots their machine.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*com.apple.loginwindow*\" by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `macos___re_opened_applications_filter`", "how_to_implement": "In order to properly run this search, Splunk needs to ingest process data from your osquery deployed agents with the [splunk.conf](https://github.com/splunk/TA-osquery/blob/master/config/splunk.conf) pack enabled. Also the [TA-OSquery](https://github.com/splunk/TA-osquery) must be deployed across your indexers and universal forwarders in order to have the data populate the Endpoint data model.", "known_false_positives": "At this stage, there are no known false positives. During testing, no process events refering the com.apple.loginwindow.plist files were observed during normal operation of re-opening applications on reboot. Therefore, it can be asumed that any occurences of this in the process events would be worth investigating. In the event that the legitimate modification by the system of these files is in fact logged to the process log, then the process_name of that process can be added to an allow list.", "references": [], "tags": {"name": "MacOS - Re-opened Applications", "analytic_story": ["ColdRoot MacOS RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.parent_process", "Processes.user", "Processes.process_name", "Processes.parent_process_name", "Processes.dest"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "macos___re_opened_applications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/macos___re_opened_applications.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "MacOS LOLbin", "id": "58d270fb-5b39-418e-a855-4b8ac046805e", "version": 1, "date": "2022-03-04", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "Detect multiple executions of Living off the Land (LOLbin) binaries in a short period of time.", "data_source": [], "search": "`osquery` name=es_process_events columns.cmdline IN (\"find*\", \"crontab*\", \"screencapture*\", \"openssl*\", \"curl*\", \"wget*\", \"killall*\", \"funzip*\") | rename columns.* as * | stats min(_time) as firstTime max(_time) as lastTime values(cmdline) as cmdline, values(pid) as pid, values(parent) as parent, values(path) as path, values(signing_id) as signing_id, dc(path) as dc_path by username host | rename username as User, cmdline as process, path as process_path | where dc_path > 3 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `macos_lolbin_filter`", "how_to_implement": "This detection uses osquery and endpoint security on MacOS. Follow the link in references, which describes how to setup process auditing in MacOS with endpoint security and osquery.", "known_false_positives": "None identified.", "references": ["https://osquery.readthedocs.io/en/stable/deployment/process-auditing/"], "tags": {"name": "MacOS LOLbin", "analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "Multiplle LOLbin are executed on host $host$ by user $user$", "mitre_attack_id": ["T1059.004", "T1059"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "columns.cmdline", "columns.pid", "columns.parent", "columns.path", "columns.signing_id", "columns.username", "host"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.004", "mitre_attack_technique": "Unix Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT41", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.004/macos_lolbin/osquery.log", "source": "osquery", "sourcetype": "osquery:results"}]}], "datamodel": [], "macros": [{"name": "osquery", "definition": "sourcetype=osquery:results", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "macos_lolbin_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/macos_lolbin.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "MacOS plutil", "id": "c11f2b57-92c1-4cd2-b46c-064eafb833ac", "version": 2, "date": "2022-05-26", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "Detect usage of plutil to modify plist files. Adversaries can modiy plist files to executed binaries or add command line arguments. Plist files in auto-run locations are executed upon user logon or system startup.", "data_source": [], "search": "`osquery` name=es_process_events columns.path=/usr/bin/plutil | rename columns.* as * | stats count min(_time) as firstTime max(_time) as lastTime by username host cmdline pid path parent signing_id | rename username as User, cmdline as process, path as process_path | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `macos_plutil_filter`", "how_to_implement": "This detection uses osquery and endpoint security on MacOS. Follow the link in references, which describes how to setup process auditing in MacOS with endpoint security and osquery.", "known_false_positives": "Administrators using plutil to change plist files.", "references": ["https://osquery.readthedocs.io/en/stable/deployment/process-auditing/"], "tags": {"name": "MacOS plutil", "analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "plutil are executed on $host$ from $user$", "mitre_attack_id": ["T1647"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "columns.cmdline", "columns.pid", "columns.parent", "columns.path", "columns.signing_id", "columns.username", "host"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1647", "mitre_attack_technique": "Plist File Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1647/atomic_red_team/osquery.log", "source": "osquery", "sourcetype": "osquery:results"}]}], "datamodel": [], "macros": [{"name": "osquery", "definition": "sourcetype=osquery:results", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "macos_plutil_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/macos_plutil.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Mailsniper Invoke functions", "id": "a36972c8-b894-11eb-9f78-acde48001122", "version": 2, "date": "2022-05-02", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect known mailsniper.ps1 functions executed in a machine. This technique was seen in some attacker to harvest some sensitive e-mail in a compromised exchange server.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*Invoke-GlobalO365MailSearch*\", \"*Invoke-GlobalMailSearch*\", \"*Invoke-SelfSearch*\", \"*Invoke-PasswordSprayOWA*\", \"*Invoke-PasswordSprayEWS*\",\"*Invoke-DomainHarvestOWA*\", \"*Invoke-UsernameHarvestOWA*\",\"*Invoke-OpenInboxFinder*\",\"*Invoke-InjectGEventAPI*\",\"*Invoke-InjectGEvent*\",\"*Invoke-SearchGmail*\", \"*Invoke-MonitorCredSniper*\", \"*Invoke-AddGmailRule*\",\"*Invoke-PasswordSprayEAS*\",\"*Invoke-UsernameHarvestEAS*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mailsniper_invoke_functions_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event.", "known_false_positives": "unknown", "references": ["https://www.blackhillsinfosec.com/introducing-mailsniper-a-tool-for-searching-every-users-email-for-sensitive-data/"], "tags": {"name": "Mailsniper Invoke functions", "analytic_story": ["Data Exfiltration"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "mailsniper.ps1 functions $ScriptBlockText$ executed on a $Computer$ by user $user$.", "mitre_attack_id": ["T1114", "T1114.001"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1114.001", "mitre_attack_technique": "Local Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "Chimera", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "mailsniper_invoke_functions_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/mailsniper_invoke_functions.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Malicious InProcServer32 Modification", "id": "127c8d08-25ff-11ec-9223-acde48001122", "version": 1, "date": "2021-10-05", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a process modifying the registry with a known malicious CLSID under InProcServer32. Most COM classes are registered with the operating system and are identified by a GUID that represents the Class Identifier (CLSID) within the registry (usually under HKLM\\\\Software\\\\Classes\\\\CLSID or HKCU\\\\Software\\\\Classes\\\\CLSID). Behind the implementation of a COM class is the server (some binary) that is referenced within registry keys under the CLSID. The LocalServer32 key represents a path to an executable (exe) implementation, and the InprocServer32 key represents a path to a dynamic link library (DLL) implementation (Bohops). During triage, review parallel processes for suspicious activity. Pivot on the process GUID to see the full timeline of events. Analyze the value and look for file modifications. Being this is looking for inprocserver32, a DLL found in the value will most likely be loaded by a parallel process.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by _time Processes.process_id Processes.process_name Processes.dest Processes.process_guid Processes.user | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\CLSID\\\\{89565275-A714-4a43-912E-978B935EDCCC}\\\\InProcServer32\\\\(Default)\" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.dest Registry.process_guid Registry.user | `drop_dm_object_name(Registry)` | fields _time dest registry_path registry_key_name registry_value_name process_name process_path process process_guid user] | stats count min(_time) as firstTime max(_time) as lastTime by dest, process_name registry_path registry_key_name registry_value_name user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_inprocserver32_modification_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited, filter as needed. In our test case, Remcos used regsvr32.exe to modify the registry. It may be required, dependent upon the EDR tool producing registry events, to remove (Default) from the command-line.", "references": ["https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/", "https://tria.ge/210929-ap75vsddan", "https://www.virustotal.com/gui/file/cb77b93150cb0f7fe65ce8a7e2a5781e727419451355a7736db84109fa215a89"], "tags": {"name": "Malicious InProcServer32 Modification", "analytic_story": ["Suspicious Regsvr32 Activity", "Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "The $process_name$ was identified on endpoint $dest$ modifying the registry with a known malicious clsid under InProcServer32.", "mitre_attack_id": ["T1218.010", "T1112"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "process_name", "registry_path", "registry_key_name", "registry_value_name", "user"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "malicious_inprocserver32_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/malicious_inprocserver32_modification.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Malicious Powershell Executed As A Service", "id": "8e204dfd-cae0-4ea8-a61d-e972a1ff2ff8", "version": 1, "date": "2021-04-07", "author": "Ryan Becwar", "type": "TTP", "status": "production", "description": "This detection is to identify the abuse the Windows SC.exe to execute malicious commands or payloads via PowerShell.", "data_source": ["Sysmon Event ID 7"], "search": " `wineventlog_system` EventCode=7045 | eval l_Service_File_Name=lower(Service_File_Name) | regex l_Service_File_Name=\"powershell[.\\s]|powershell_ise[.\\s]|pwsh[.\\s]|psexec[.\\s]\" | regex l_Service_File_Name=\"-nop[rofile\\s]+|-w[indowstyle]*\\s+hid[den]*|-noe[xit\\s]+|-enc[odedcommand\\s]+\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Service_File_Name Service_Name Service_Start_Type Service_Type Service_Account user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_powershell_executed_as_a_service_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows System logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.", "known_false_positives": "Creating a hidden powershell service is rare and could key off of those instances.", "references": ["https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf", "http://az4n6.blogspot.com/2017/", "https://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier"], "tags": {"name": "Malicious Powershell Executed As A Service", "analytic_story": ["Malicious Powershell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Installation"], "message": "Identifies the abuse the Windows SC.exe to execute malicious powerShell as a service $Service_File_Name$ by $user$ on $dest$", "mitre_attack_id": ["T1569", "T1569.002"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["EventCode", "Service_File_Name", "Service_Type", "_time", "Service_Name", "Service_Start_Type", "Service_Account", "user"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/atomic_red_team/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "malicious_powershell_executed_as_a_service_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/malicious_powershell_executed_as_a_service.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Malicious PowerShell Process - Encoded Command", "id": "c4db14d9-7909-48b4-a054-aa14d89dbb19", "version": 7, "date": "2022-01-18", "author": "David Dorsey, Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies the use of the EncodedCommand PowerShell parameter. This is typically used by Administrators to run complex scripts, but commonly used by adversaries to hide their code. \\\nThe analytic identifies all variations of EncodedCommand, as PowerShell allows the ability to shorten the parameter. For example enc, enco, encod and so forth. In addition, through our research it was identified that PowerShell will interpret different command switch types beyond the hyphen. We have added endash, emdash, horizontal bar, and forward slash. \\\nDuring triage, review parallel events to determine legitimacy. Tune as needed based on admin scripts in use. \\\nAlternatively, may use regex per matching here https://regexr.com/662ov.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/|–|—|―]e(nc*o*d*e*d*c*o*m*m*a*n*d*)*\\s+[^-]\") | `malicious_powershell_process___encoded_command_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "System administrators may use this option, but it's not common.", "references": ["https://regexr.com/662ov", "https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1059.001_PowerShell/OutPowerShellCommandLineParameter.ps1", "https://ss64.com/ps/powershell.html", "https://twitter.com/M_haggis/status/1440758396534214658?s=20", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"name": "Malicious PowerShell Process - Encoded Command", "analytic_story": ["Hermetic Wiper", "Malicious PowerShell", "NOBELIUM Group", "WhisperGate", "DarkCrystal RAT", "Qakbot", "CISA AA22-320A", "Sandworm Tools", "Data Destruction", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Powershell.exe running potentially malicious encodede commands on $dest$", "mitre_attack_id": ["T1027"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.user", "Processes.parent_process_name", "Processes.dest", "Processes.process_id"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "malicious_powershell_process___encoded_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/malicious_powershell_process___encoded_command.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "id": "9be56c82-b1cc-4318-87eb-d138afaaca39", "version": 5, "date": "2020-07-21", "author": "Rico Valdez, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This search looks for PowerShell processes started with parameters used to bypass the local execution policy for scripts. These parameters are often observed in attacks leveraging PowerShell scripts as they override the default PowerShell execution policy.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process_id) as process_id, values(Processes.parent_process_id) as parent_process_id values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process=\"* -ex*\" OR Processes.process=\"* bypass *\") by Processes.process_id, Processes.user, Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_powershell_process___execution_policy_bypass_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "There may be legitimate reasons to bypass the PowerShell execution policy. The PowerShell script being run with this parameter should be validated to ensure that it is legitimate.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"name": "Malicious PowerShell Process - Execution Policy Bypass", "analytic_story": ["DHS Report TA18-074A", "HAFNIUM Group", "DarkCrystal RAT", "AsyncRAT", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Installation"], "message": "PowerShell local execution policy bypass attempt on $dest$", "mitre_attack_id": ["T1059", "T1059.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/encoded_powershell/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "malicious_powershell_process___execution_policy_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Malicious PowerShell Process With Obfuscation Techniques", "id": "cde75cf6-3c7a-4dd6-af01-27cdb4511fd4", "version": 5, "date": "2023-04-14", "author": "David Dorsey, Splunk", "type": "TTP", "status": "production", "description": "This search looks for PowerShell processes launched with arguments that have characters indicative of obfuscation on the command-line.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.dest Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| eval num_obfuscation = (mvcount(split(process,\"`\"))-1) + (mvcount(split(process, \"^\"))-1) + (mvcount(split(process, \"'\"))-1) | `malicious_powershell_process_with_obfuscation_techniques_filter` | search num_obfuscation > 10 ", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "These characters might be legitimately on the command-line, but it is not common.", "references": [], "tags": {"name": "Malicious PowerShell Process With Obfuscation Techniques", "analytic_story": ["Malicious PowerShell", "Hermetic Wiper", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Installation"], "message": "Powershell.exe running with potential obfuscated arguments on $dest$", "mitre_attack_id": ["T1059", "T1059.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/obfuscated_powershell/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "malicious_powershell_process_with_obfuscation_techniques_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "id": "13bbd574-83ac-11ec-99d4-acde48001122", "version": 1, "date": "2022-02-01", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic looks for the use of Mimikatz command line parameters leveraged to execute pass the ticket attacks. Red teams and adversaries alike may use the pass the ticket technique using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Defenders should be aware that adversaries may customize the source code of Mimikatz and modify the command line parameters. This would effectively bypass this analytic.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process = \"*sekurlsa::tickets /export*\" OR Processes.process = \"*kerberos::ptt*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mimikatz_passtheticket_commandline_parameters_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Although highly unlikely, legitimate applications may use the same command line parameters as Mimikatz.", "references": ["https://github.com/gentilkiwi/mimikatz", "https://attack.mitre.org/techniques/T1550/003/"], "tags": {"name": "Mimikatz PassTheTicket CommandLine Parameters", "analytic_story": ["Active Directory Kerberos Attacks", "CISA AA22-320A", "Sandworm Tools"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "Mimikatz command line parameters for pass the ticket attacks were used on $dest$", "mitre_attack_id": ["T1550", "T1550.003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id", "Processes.parent_process_name"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1550.003", "mitre_attack_technique": "Pass the Ticket", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT29", "APT32", "BRONZE BUTLER"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.003/mimikatz/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "mimikatz_passtheticket_commandline_parameters_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Mmc LOLBAS Execution Process Spawn", "id": "f6601940-4c74-11ec-b9b7-3e22fbd008af", "version": 1, "date": "2021-11-23", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies `mmc.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the DCOM protocol and the MMC20 COM object, the executed command is spawned as a child processs of `mmc.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of mmc.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=mmc.exe) (Processes.process_name IN (\"Regsvcs.exe\", \"Ftp.exe\", \"OfflineScannerShell.exe\", \"Rasautou.exe\", \"Schtasks.exe\", \"Xwizard.exe\", \"Dllhost.exe\", \"Pnputil.exe\", \"Atbroker.exe\", \"Pcwrun.exe\", \"Ttdinject.exe\",\"Mshta.exe\", \"Bitsadmin.exe\", \"Certoc.exe\", \"Ieexec.exe\", \"Microsoft.Workflow.Compiler.exe\", \"Runscripthelper.exe\", \"Forfiles.exe\", \"Msbuild.exe\", \"Register-cimprovider.exe\", \"Tttracer.exe\", \"Ie4uinit.exe\", \"Bash.exe\", \"Hh.exe\", \"SettingSyncHost.exe\", \"Cmstp.exe\", \"Mmc.exe\", \"Stordiag.exe\", \"Scriptrunner.exe\", \"Odbcconf.exe\", \"Extexport.exe\", \"Msdt.exe\", \"WorkFolders.exe\", \"Diskshadow.exe\", \"Mavinject.exe\", \"Regasm.exe\", \"Gpscript.exe\", \"Rundll32.exe\", \"Regsvr32.exe\", \"Msiexec.exe\", \"Wuauclt.exe\", \"Presentationhost.exe\", \"Wmic.exe\", \"Runonce.exe\", \"Syncappvpublishingserver.exe\", \"Verclsid.exe\", \"Infdefaultinstall.exe\", \"Explorer.exe\", \"Installutil.exe\", \"Netsh.exe\", \"Wab.exe\", \"Dnscmd.exe\", \"At.exe\", \"Pcalua.exe\", \"Msconfig.exe\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mmc_lolbas_execution_process_spawn_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints.", "known_false_positives": "Legitimate applications may trigger this behavior, filter as needed.", "references": ["https://attack.mitre.org/techniques/T1021/003/", "https://www.cybereason.com/blog/dcom-lateral-movement-techniques", "https://lolbas-project.github.io/"], "tags": {"name": "Mmc LOLBAS Execution Process Spawn", "analytic_story": ["Active Directory Lateral Movement", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "Mmc.exe spawned a LOLBAS process on $dest$.", "mitre_attack_id": ["T1021", "T1021.003", "T1218.014"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/lateral_movement_lolbas/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "mmc_lolbas_execution_process_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/mmc_lolbas_execution_process_spawn.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Modification Of Wallpaper", "id": "accb0712-c381-11eb-8e5b-acde48001122", "version": 1, "date": "2021-06-02", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies suspicious modification of registry to deface or change the wallpaper of a compromised machines as part of its payload. This technique was commonly seen in ransomware like REVIL where it create a bitmap file contain a note that the machine was compromised and make it as a wallpaper.", "data_source": [], "search": "`sysmon` EventCode =13 (TargetObject= \"*\\\\Control Panel\\\\Desktop\\\\Wallpaper\" AND Image != \"*\\\\explorer.exe\") OR (TargetObject= \"*\\\\Control Panel\\\\Desktop\\\\Wallpaper\" AND Details = \"*\\\\temp\\\\*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Image TargetObject Details Computer process_guid process_id user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `modification_of_wallpaper_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Image, TargetObject registry key, registry Details from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "3rd party tool may used to changed the wallpaper of the machine", "references": ["https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/", "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/"], "tags": {"name": "Modification Of Wallpaper", "analytic_story": ["Ransomware", "Revil Ransomware", "BlackMatter Ransomware", "Windows Registry Abuse", "Brute Ratel C4", "LockBit Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Actions on Objectives"], "message": "Wallpaper modification on $dest$", "mitre_attack_id": ["T1491"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Image", "TargetObject", "Details", "Computer", "process_guid", "process_id", "user_id"], "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/revil/inf1/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "modification_of_wallpaper_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/modification_of_wallpaper.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Modify ACL permission To Files Or Folder", "id": "7e8458cc-acca-11eb-9e3f-acde48001122", "version": 2, "date": "2022-03-17", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic identifies suspicious modification of ACL permission to a files or folder to make it available to everyone. This technique may be used by the adversary to evade ACLs or protected files access. This changes is commonly configured by the file or directory owner with appropriate permission. This behavior is a good indicator if this command seen on a machine utilized by an account with no permission to do so.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = \"cacls.exe\" OR Processes.process_name = \"icacls.exe\" OR Processes.process_name = \"xcacls.exe\") AND Processes.process = \"*/G*\" AND (Processes.process = \"* everyone:*\" OR Processes.process = \"* SYSTEM:*\" OR Processes.process = \"* S-1-1-0:*\") by Processes.parent_process_name Processes.process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `modify_acl_permission_to_files_or_folder_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed cacls.exe may be used.", "known_false_positives": "administrators may use this command. Filter as needed.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"name": "Modify ACL permission To Files Or Folder", "analytic_story": ["XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 40, "kill_chain_phases": ["Exploitation"], "message": "Suspicious ACL permission modification on $dest$", "mitre_attack_id": ["T1222"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.parent_process_name", "Processes.process_name", "Processes.dest", "Processes.user", "Processes.process", "Processes.process_id"], "risk_score": 32, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "modify_acl_permission_to_files_or_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/modify_acl_permission_to_files_or_folder.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Monitor Registry Keys for Print Monitors", "id": "f5f6af30-7ba7-4295-bfe9-07de87c01bbc", "version": 5, "date": "2023-04-27", "author": "Steven Dick, Bhavin Patel, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search looks for registry activity associated with modifications to the registry key `HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors`. In this scenario, an attacker can load an arbitrary .dll into the print-monitor registry by giving the full path name to the after.dll. The system will execute the .dll with elevated (SYSTEM) permissions and will persist after reboot.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.action=modified AND Registry.registry_path=\"*CurrentControlSet\\\\Control\\\\Print\\\\Monitors*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `monitor_registry_keys_for_print_monitors_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "You will encounter noise from legitimate print-monitor registry entries.", "references": [], "tags": {"name": "Monitor Registry Keys for Print Monitors", "analytic_story": ["Suspicious Windows Registry Activities", "Windows Persistence Techniques", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "New print monitor added on $dest$", "mitre_attack_id": ["T1547.010", "T1547"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.010", "mitre_attack_technique": "Port Monitors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.010/atomic_red_team/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "monitor_registry_keys_for_print_monitors_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/monitor_registry_keys_for_print_monitors.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "MS Exchange Mailbox Replication service writing Active Server Pages", "id": "985f322c-57a5-11ec-b9ac-acde48001122", "version": 1, "date": "2021-12-07", "author": "Michael Haag, Splunk", "type": "TTP", "status": "experimental", "description": "The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell. Paths include: `\\HttpProxy\\owa\\auth\\`, `\\inetpub\\wwwroot\\aspnet_client\\`, and `\\HttpProxy\\OAB\\`. The analytic is limited to process name MSExchangeMailboxReplication.exe, which typically does not write .aspx files to disk. Upon triage, the suspicious .aspx file will likely look obvious on the surface. inspect the contents for script code inside. Identify additional log sources, IIS included, to review source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically analytics to detect those threats are written without the benefit of being able to only target those systems as well. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the exchange server is communicating with new systems that it has not previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise allowing the hunter to focus only on the systems where this behavioral change is relevant.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=MSExchangeMailboxReplication.exe by _time span=1h Processes.process_id Processes.process_name Processes.process_guid Processes.dest | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\HttpProxy\\\\owa\\\\auth\\\\*\", \"*\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\", \"*\\\\HttpProxy\\\\OAB\\\\*\") Filesystem.file_name=\"*.aspx\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process process_guid] | dedup file_create_time | table dest file_create_time, file_name, file_path, process_name | `ms_exchange_mailbox_replication_service_writing_active_server_pages_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node.", "known_false_positives": "The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product.", "references": ["https://redcanary.com/blog/blackbyte-ransomware/"], "tags": {"name": "MS Exchange Mailbox Replication service writing Active Server Pages", "analytic_story": ["ProxyShell", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Installation", "Delivery"], "message": "A file - $file_name$ was written to disk that is related to IIS exploitation related to ProxyShell. Review further file modifications on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1505", "T1505.003", "T1190"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.file_path", "Filesystem.process_id", "Filesystem.file_name", "Filesystem.file_hash", "Filesystem.user", "Filesystem.process_guid", "Processes.process_name", "Processes.process_id", "Processes.process_name", "Processes.process_guid"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "ms_exchange_mailbox_replication_service_writing_active_server_pages_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/ms_exchange_mailbox_replication_service_writing_active_server_pages.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "MS Scripting Process Loading Ldap Module", "id": "0b0c40dc-14a6-11ec-b267-acde48001122", "version": 1, "date": "2021-09-13", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This search is to detect a suspicious MS scripting process such as wscript.exe or cscript.exe that loading ldap module to process ldap query. This behavior was seen in FIN7 implant where it uses javascript to execute ldap query to parse host information that will send to its C2 server. this anomaly detections is a good initial step to hunt further a suspicious ldap query or ldap related events to the host that may give you good information regarding ldap or AD information processing or might be a attacker.", "data_source": [], "search": "`sysmon` EventCode =7 Image IN (\"*\\\\wscript.exe\", \"*\\\\cscript.exe\") ImageLoaded IN (\"*\\\\Wldap32.dll\", \"*\\\\adsldp.dll\", \"*\\\\adsldpc.dll\") | stats min(_time) as firstTime max(_time) as lastTime count by Image EventCode process_name ProcessId ProcessGuid Computer ImageLoaded | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ms_scripting_process_loading_ldap_module_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "automation scripting language may used by network operator to do ldap query.", "references": ["https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation", "https://attack.mitre.org/groups/G0046/"], "tags": {"name": "MS Scripting Process Loading Ldap Module", "analytic_story": ["FIN7"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Installation"], "message": "$process_name$ loading ldap modules $ImageLoaded$ in $dest$", "mitre_attack_id": ["T1059", "T1059.007"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "EventCode", "process_name", "ProcessId", "ProcessGuid", "Computer", "ImageLoaded"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_js_2/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "ms_scripting_process_loading_ldap_module_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/ms_scripting_process_loading_ldap_module.yml", "source": "endpoint"}, {"name": "MS Scripting Process Loading WMI Module", "id": "2eba3d36-14a6-11ec-a682-acde48001122", "version": 1, "date": "2021-09-13", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This search is to detect a suspicious MS scripting process such as wscript.exe or cscript.exe that loading wmi module to process wmi query. This behavior was seen in FIN7 implant where it uses javascript to execute wmi query to parse host information that will send to its C2 server. this anomaly detections is a good initial step to hunt further a suspicious wmi query or wmi related events to the host that may give you good information regarding process that are commonly using wmi query or modules or might be an attacker using this technique.", "data_source": [], "search": "`sysmon` EventCode =7 Image IN (\"*\\\\wscript.exe\", \"*\\\\cscript.exe\") ImageLoaded IN (\"*\\\\fastprox.dll\", \"*\\\\wbemdisp.dll\", \"*\\\\wbemprox.dll\", \"*\\\\wbemsvc.dll\" , \"*\\\\wmiutils.dll\", \"*\\\\wbemcomn.dll\") | stats min(_time) as firstTime max(_time) as lastTime count by Image EventCode process_name ProcessId ProcessGuid Computer ImageLoaded | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ms_scripting_process_loading_wmi_module_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "automation scripting language may used by network operator to do ldap query.", "references": ["https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation", "https://attack.mitre.org/groups/G0046/"], "tags": {"name": "MS Scripting Process Loading WMI Module", "analytic_story": ["FIN7"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Installation"], "message": "$process_name$ loading wmi modules $ImageLoaded$ in $dest$", "mitre_attack_id": ["T1059", "T1059.007"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "EventCode", "process_name", "ProcessId", "ProcessGuid", "Computer", "ImageLoaded"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_js_2/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "ms_scripting_process_loading_wmi_module_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/ms_scripting_process_loading_wmi_module.yml", "source": "endpoint"}, {"name": "MSBuild Suspicious Spawned By Script Process", "id": "213b3148-24ea-11ec-93a2-acde48001122", "version": 1, "date": "2021-10-04", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to detect a suspicious child process of MSBuild spawned by Windows Script Host - cscript or wscript. This behavior or event are commonly seen and used by malware or adversaries to execute malicious msbuild process using malicious script in the compromised host. During triage, review parallel processes and identify any file modifications. MSBuild may load a script from the same path without having command-line arguments.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"wscript.exe\", \"cscript.exe\") AND `process_msbuild` by Processes.dest Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `msbuild_suspicious_spawned_by_script_process_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited as developers do not spawn MSBuild via a WSH.", "references": ["https://app.any.run/tasks/dc93ee63-050c-4ff8-b07e-8277af9ab939/"], "tags": {"name": "MSBuild Suspicious Spawned By Script Process", "analytic_story": ["Trusted Developer Utilities Proxy Execution MSBuild"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Msbuild.exe process spawned by $parent_process_name$ on $dest$ executed by $user$", "mitre_attack_id": ["T1127.001", "T1127"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.parent_process", "Processes.parent_process_name", "Processes.process_name", "Processes.original_file_name", "Processes.user"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/regsvr32_silent/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_msbuild", "definition": "(Processes.process_name=msbuild.exe OR Processes.original_file_name=MSBuild.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "msbuild_suspicious_spawned_by_script_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Mshta spawning Rundll32 OR Regsvr32 Process", "id": "4aa5d062-e893-11eb-9eb2-acde48001122", "version": 2, "date": "2021-07-19", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious mshta.exe process that spawn rundll32 or regsvr32 child process. This technique was seen in several malware nowadays like trickbot to load its initial .dll stage loader to execute and download the the actual trickbot payload.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = \"mshta.exe\" `process_rundll32` OR `process_regsvr32` by Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `mshta_spawning_rundll32_or_regsvr32_process_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "limitted. this anomaly behavior is not commonly seen in clean host.", "references": ["https://twitter.com/cyb3rops/status/1416050325870587910?s=21"], "tags": {"name": "Mshta spawning Rundll32 OR Regsvr32 Process", "analytic_story": ["Trickbot", "IcedID", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "a mshta parent process $parent_process_name$ spawn child process $process_name$ in host $dest$", "mitre_attack_id": ["T1218", "T1218.005"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/spear_phish/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_regsvr32", "definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "mshta_spawning_rundll32_or_regsvr32_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "MSHTML Module Load in Office Product", "id": "5f1c168e-118b-11ec-84ff-acde48001122", "version": 5, "date": "2023-02-15", "author": "Michael Haag, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following detection identifies the module load of mshtml.dll into an Office product. This behavior has been related to CVE-2021-40444, whereas the malicious document will load ActiveX, which activates the MSHTML component. The vulnerability resides in the MSHTML component. During triage, identify parallel processes and capture any file modifications for analysis.", "data_source": ["Sysmon Event ID 7"], "search": "`sysmon` EventID=7 parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"wordpad.exe\",\"wordview.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\", \"msaccess.exe\") ImageLoaded IN (\"*\\\\mshtml.dll\", \"*\\\\Microsoft.mshtml.dll\",\"*\\\\IE.Interop.MSHTML.dll\",\"*\\\\MshtmlDac.dll\",\"*\\\\MshtmlDed.dll\",\"*\\\\MshtmlDer.dll\") | stats count min(_time) as firstTime max(_time) as lastTime by Computer, process_name, ImageLoaded, OriginalFileName, ProcessGuid | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mshtml_module_load_in_office_product_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process names and image loads from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Limited false positives will be present, however, tune as necessary.", "references": ["https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://strontic.github.io/xcyclopedia/index-dll", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"name": "MSHTML Module Load in Office Product", "analytic_story": ["Spearphishing Attachments", "Microsoft MSHTML Remote Code Execution CVE-2021-40444"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Delivery"], "message": "An instance of $process_name$ was identified on endpoint $dest$ loading mshtml.dll.", "mitre_attack_id": ["T1566", "T1566.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ImageLoaded", "process_name", "OriginalFileName", "process_id", "dest"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "cve": ["CVE-2021-40444"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_mshtml.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "mshtml_module_load_in_office_product_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-40444", "cvss": 6.8, "summary": "Microsoft MSHTML Remote Code Execution Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/mshtml_module_load_in_office_product.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "MSI Module Loaded by Non-System Binary", "id": "ccb98a66-5851-11ec-b91c-acde48001122", "version": 1, "date": "2023-04-14", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following hunting analytic identifies `msi.dll` being loaded by a binary not located in `system32`, `syswow64`, `winsxs` or `windows` paths. This behavior is most recently related to InstallerFileTakeOver, or CVE-2021-41379, and DLL side-loading. CVE-2021-41379 requires a binary to be dropped and `msi.dll` to be loaded by it. To Successful exploitation of this issue happens in four parts \\\n1. Generation of an MSI that will trigger bad behavior. \\\n1. Preparing a directory for MSI installation. \\\n1. Inducing an error state. \\\n1. Racing to introduce a junction and a symlink to trick msiexec.exe to modify the attacker specified file. \\\nIn addition, `msi.dll` has been abused in DLL side-loading attacks by being loaded by non-system binaries.", "data_source": ["Sysmon Event ID 7"], "search": "`sysmon` EventCode=7 ImageLoaded=\"*\\\\msi.dll\" NOT (Image IN (\"*\\\\System32\\\\*\",\"*\\\\syswow64\\\\*\",\"*\\\\windows\\\\*\", \"*\\\\winsxs\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name Computer EventCode ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `msi_module_loaded_by_non_system_binary_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "It is possible some Administrative utilities will load msi.dll outside of normal system paths, filter as needed.", "references": ["https://attackerkb.com/topics/7LstI2clmF/cve-2021-41379/rapid7-analysis", "https://github.com/klinix5/InstallerFileTakeOver", "https://github.com/mandiant/red_team_tool_countermeasures/blob/master/rules/PGF/supplemental/hxioc/msi.dll%20Hijack%20(Methodology).ioc"], "tags": {"name": "MSI Module Loaded by Non-System Binary", "analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "message": "The following module $ImageLoaded$ was loaded by $Image$ outside of the normal system paths on endpoint $Computer$, potentally related to DLL side-loading.", "mitre_attack_id": ["T1574.002", "T1574"], "nist": ["DE.AE"], "observable": [{"name": "process_name", "type": "Process Name", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "ImageLoaded", "process_name", "Computer", "EventCode", "ProcessId"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "cve": ["CVE-2021-41379"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Earth Lusca", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/msi_module_load/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "msi_module_loaded_by_non_system_binary_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-41379", "cvss": 4.6, "summary": "Windows Installer Elevation of Privilege Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/msi_module_loaded_by_non_system_binary.yml", "source": "endpoint"}, {"name": "Msmpeng Application DLL Side Loading", "id": "8bb3f280-dd9b-11eb-84d5-acde48001122", "version": 3, "date": "2023-03-15", "author": "Teoderick Contreras, Splunk, Sanjay Govind", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious creation of msmpeng.exe or mpsvc.dll in non default windows defender folder. This technique was seen couple days ago with revil ransomware in Kaseya Supply chain. The approach is to drop an old version of msmpeng.exe to load the actual payload name as mspvc.dll which will load the revil ransomware to the compromise machine", "data_source": ["Sysmon Event ID 11"], "search": "|tstats `security_content_summariesonly` values(Filesystem.file_path) as file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name = \"msmpeng.exe\" OR Filesystem.file_name = \"mpsvc.dll\") AND NOT (Filesystem.file_path IN (\"*\\\\Program Files\\\\windows defender\\\\*\",\"*\\\\WinSxS\\\\*defender-service*\",\"*\\\\WinSxS\\\\Temp\\\\*defender-service*\")) by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `msmpeng_application_dll_side_loading_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "quite minimal false positive expected.", "references": ["https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers"], "tags": {"name": "Msmpeng Application DLL Side Loading", "analytic_story": ["Ransomware", "Revil Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "message": "", "mitre_attack_id": ["T1574.002", "T1574"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.file_create_time", "Filesystem.process_id", "Filesystem.file_name", "Filesystem.user", "Filesystem.file_path"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Earth Lusca", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets//malware/revil/msmpeng_side/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "msmpeng_application_dll_side_loading_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/msmpeng_application_dll_side_loading.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Net Localgroup Discovery", "id": "54f5201e-155b-11ec-a6e2-acde48001122", "version": 1, "date": "2021-09-14", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following hunting analytic will identify the use of localgroup discovery using `net localgroup`. During triage, review parallel processes and identify any further suspicious behavior.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=net.exe OR Processes.process_name=net1.exe (Processes.process=\"*localgroup*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `net_localgroup_discovery_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present. Tune as needed.", "references": ["https://attack.mitre.org/techniques/T1069/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"name": "Net Localgroup Discovery", "analytic_story": ["Active Directory Discovery", "Windows Discovery Techniques", "Azorult", "Windows Post-Exploitation", "Prestige Ransomware", "Volt Typhoon", "IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Local group discovery on $dest$ by $user$.", "mitre_attack_id": ["T1069", "T1069.001"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "admin@338"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "net_localgroup_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/net_localgroup_discovery.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "NET Profiler UAC bypass", "id": "0252ca80-e30d-11eb-8aa3-acde48001122", "version": 2, "date": "2022-02-18", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect modification of registry to bypass UAC windows feature. This technique is to add a payload dll path on .NET COR file path that will be loaded by mmc.exe as soon it was executed. This detection rely on monitoring the registry key and values in the detection area. It may happened that windows update some dll related to mmc.exe and add dll path in this registry. In this case filtering is needed.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Environment\\\\COR_PROFILER_PATH\" Registry.registry_value_data = \"*.dll\" by Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `net_profiler_uac_bypass_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "limited false positive. It may trigger by some windows update that will modify this registry.", "references": ["https://offsec.almond.consulting/UAC-bypass-dotnet.html"], "tags": {"name": "NET Profiler UAC bypass", "analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Suspicious modification of registry $registry_path$ with possible payload path $registry_value_name$ in $dest$", "mitre_attack_id": ["T1548.002", "T1548"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_path", "Registry.registry_key_name", "Registry.registry_value_name", "Registry.dest"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/uac_bypass/windows-sysmon2.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "net_profiler_uac_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/net_profiler_uac_bypass.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Network Connection Discovery With Arp", "id": "ae008c0f-83bd-4ed4-9350-98d4328e15d2", "version": 1, "date": "2021-09-10", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `arp.exe` utilized to get a listing of network connections on a compromised system. Red Teams and adversaries alike may use arp.exe for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"arp.exe\") (Processes.process=*-a*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_connection_discovery_with_arp_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1049/", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"name": "Network Connection Discovery With Arp", "analytic_story": ["Active Directory Discovery", "Qakbot", "Windows Post-Exploitation", "Prestige Ransomware", "Volt Typhoon", "IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Network Connection discovery on $dest$ by $user$", "mitre_attack_id": ["T1049"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1049/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "network_connection_discovery_with_arp_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/network_connection_discovery_with_arp.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Network Connection Discovery With Net", "id": "640337e5-6e41-4b7f-af06-9d9eab5e1e2d", "version": 1, "date": "2021-09-10", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `net.exe` with command-line arguments utilized to get a listing of network connections on a compromised system. Red Teams and adversaries alike may use net.exe for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"net.exe\" OR Processes.process_name=\"net1.exe\") (Processes.process=*use*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_connection_discovery_with_net_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1049/"], "tags": {"name": "Network Connection Discovery With Net", "analytic_story": ["Active Directory Discovery", "Azorult", "Windows Post-Exploitation", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Network Connection discovery on $dest$ by $user$", "mitre_attack_id": ["T1049"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1049/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "network_connection_discovery_with_net_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/network_connection_discovery_with_net.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Network Connection Discovery With Netstat", "id": "2cf5cc25-f39a-436d-a790-4857e5995ede", "version": 1, "date": "2021-09-10", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `netstat.exe` with command-line arguments utilized to get a listing of network connections on a compromised system. Red Teams and adversaries alike may use netstat.exe for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"netstat.exe\") (Processes.process=*-a*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_connection_discovery_with_netstat_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1049/", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"name": "Network Connection Discovery With Netstat", "analytic_story": ["Active Directory Discovery", "Qakbot", "CISA AA22-277A", "Windows Post-Exploitation", "Prestige Ransomware", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Network Connection discovery on $dest$ by $user$", "mitre_attack_id": ["T1049"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1049/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "network_connection_discovery_with_netstat_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/network_connection_discovery_with_netstat.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Network Discovery Using Route Windows App", "id": "dd83407e-439f-11ec-ab8e-acde48001122", "version": 1, "date": "2021-11-12", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "This analytic look for a spawned process of route.exe windows application. Adversaries and red teams alike abuse this application the recon or do a network discovery on a target host. but one possible false positive might be an automated tool used by a system administator or a powershell script in amazon ec2 config services.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_route` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_discovery_using_route_windows_app_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "A network operator or systems administrator may utilize an automated host discovery application that may generate false positives or an amazon ec2 script that uses this application. Filter as needed.", "references": ["https://app.any.run/tasks/ad4c3cda-41f2-4401-8dba-56cc2d245488/"], "tags": {"name": "Network Discovery Using Route Windows App", "analytic_story": ["Active Directory Discovery", "Qakbot", "CISA AA22-277A", "Windows Post-Exploitation", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Network Connection discovery on $dest$ by $user$", "mitre_attack_id": ["T1016", "T1016.001"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016.001", "mitre_attack_technique": "Internet Connection Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Gamaredon Group", "HAFNIUM", "HEXANE", "Magic Hound", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/vilsel/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "WinEventLog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_route", "definition": "(Processes.process_name=route.exe OR Processes.original_file_name=route.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "network_discovery_using_route_windows_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/network_discovery_using_route_windows_app.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Network Share Discovery Via Dir Command", "id": "dc1457d0-1d9b-422e-b5a7-db46c184d9aa", "version": 1, "date": "2023-05-23", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies object access on Windows administrative SMB shares (Admin$, IPC$, C$). This represents suspicious behavior as its commonly used by tools like PsExec/PaExec and others to stage service binaries before creating and starting a Windows service on remote endpoints. Red Teams and adversaries alike may abuse administrative shares for lateral movement and remote code execution. The IcedID malware family also implements this behavior to try to infect other machines in the infected network.", "data_source": ["Windows Security 5140"], "search": "`wineventlog_security` EventCode=5140 ShareName IN(\"\\\\\\\\*\\\\ADMIN$\",\"\\\\\\\\*\\\\C$\",\"*\\\\\\\\*\\\\IPC$\") AccessMask= 0x1 | stats min(_time) as firstTime max(_time) as lastTime count by ShareName IpAddress ObjectType SubjectUserName SubjectDomainName IpPort AccessMask Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_share_discovery_via_dir_command_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 5140 EventCode enabled. The Windows TA is also required. Also enable the object Audit access success/failure in your group policy.", "known_false_positives": "System Administrators may use looks like net.exe or \"dir commandline\" for troubleshooting or administrations tasks. However, this will typically come only from certain users and certain systems that can be added to an allow list.", "references": ["https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"name": "Network Share Discovery Via Dir Command", "analytic_story": ["IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "$user$ list executable files or directory in known sensitive SMB share. Share name=$Share_Name$, Access mask=$Access_Mask$", "mitre_attack_id": ["T1135"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ShareName", "IpAddress", "ObjectType", "SubjectUserName", "SubjectDomainName", "IpPort", "AccessMask", "Computer"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "atomic_guid": ["13daa2cf-195a-43df-a8bd-7dd5ffb607b5"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/net_share_discovery_via_dir/smb_access_security_xml.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "network_share_discovery_via_dir_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/network_share_discovery_via_dir_command.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Nishang PowershellTCPOneLine", "id": "1a382c6c-7c2e-11eb-ac69-acde48001122", "version": 2, "date": "2021-03-03", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "This query detects the Nishang Invoke-PowerShellTCPOneLine utility that spawns a call back to a remote Command And Control server. This is a powershell oneliner. In addition, this will capture on the command-line additional utilities used by Nishang. Triage the endpoint and identify any parallel processes that look suspicious. Review the reputation of the remote IP or domain contacted by the powershell process.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process=*Net.Sockets.TCPClient* AND Processes.process=*System.Text.ASCIIEncoding*) by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `nishang_powershelltcponeline_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Limited false positives may be present. Filter as needed based on initial analysis.", "references": ["https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://www.rapid7.com/blog/post/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/"], "tags": {"name": "Nishang PowershellTCPOneLine", "analytic_story": ["HAFNIUM Group"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Installation"], "message": "Possible Nishang Invoke-PowerShellTCPOneLine behavior on $dest$", "mitre_attack_id": ["T1059", "T1059.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "nishang_powershelltcponeline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/nishang_powershelltcponeline.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "NLTest Domain Trust Discovery", "id": "c3e05466-5f22-11eb-ae93-0242ac130002", "version": 2, "date": "2022-04-18", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "This search looks for the execution of `nltest.exe` with command-line arguments utilized to query for Domain Trust information. Two arguments `/domain trusts`, returns a list of trusted domains, and `/all_trusts`, returns all trusted domains. Red Teams and adversaries alike use NLTest.exe to enumerate the current domain to assist with further understanding where to pivot next.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_nltest` (Processes.process=*/domain_trusts* OR Processes.process=*/all_trusts*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `nltest_domain_trust_discovery_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators may use nltest for troubleshooting purposes, otherwise, rarely used.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md", "https://malware.news/t/lets-learn-trickbot-implements-network-collector-module-leveraging-cmd-wmi-ldap/19104", "https://attack.mitre.org/techniques/T1482/", "https://owasp.org/www-pdf-archive/Red_Team_Operating_in_a_Modern_Environment.pdf", "https://ss64.com/nt/nltest.html", "https://redcanary.com/threat-detection-report/techniques/domain-trust-discovery/", "https://thedfirreport.com/2020/10/08/ryuks-return/"], "tags": {"name": "NLTest Domain Trust Discovery", "analytic_story": ["Ryuk Ransomware", "Domain Trust Discovery", "IcedID", "Active Directory Discovery", "Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Domain trust discovery execution on $dest$", "mitre_attack_id": ["T1482"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_nltest", "definition": "(Processes.process_name=nltest.exe OR Processes.original_file_name=nltestrk.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "nltest_domain_trust_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/nltest_domain_trust_discovery.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "id": "81263de4-160a-11ec-944f-acde48001122", "version": 1, "date": "2023-04-25", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This search is to detect an anomaly event of a non-chrome process accessing the files in chrome user default folder. This folder contains all the sqlite database of the chrome browser related to users login, history, cookies and etc. Most of the RAT, trojan spy as well as FIN7 jssloader try to parse the those sqlite database to collect information on the compromised host. This SACL Event (4663) need to be enabled to tthe firefox profile directory to be eable to use this. Since you monitoring this access to the folder, we observed noise that needs to be filter out and hence added sqlite db browser and explorer .exe to make this detection more stable.", "data_source": ["Windows Security 4663"], "search": "`wineventlog_security` EventCode=4663 NOT (process_name IN (\"*\\\\chrome.exe\", \"*\\\\explorer.exe\", \"*sql*\")) Object_Name=\"*\\\\Google\\\\Chrome\\\\User Data\\\\Default*\" | stats count min(_time) as firstTime max(_time) as lastTime by Object_Name Object_Type process_name Access_Mask Accesses process_id EventCode dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `non_chrome_process_accessing_chrome_default_dir_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "other browser not listed related to firefox may catch by this rule.", "references": [], "tags": {"name": "Non Chrome Process Accessing Chrome Default Dir", "analytic_story": ["Remcos", "3CX Supply Chain Attack", "AgentTesla", "RedLine Stealer", "FIN7"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "a non firefox browser process $process_name$ accessing $Object_Name$", "mitre_attack_id": ["T1555", "T1555.003"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Object_Name", "Object_Type", "process_name", "Access_Mask", "Accesses", "process_id", "EventCode", "dest", "user"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_sacl/security2.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "non_chrome_process_accessing_chrome_default_dir_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Non Firefox Process Access Firefox Profile Dir", "id": "e6fc13b0-1609-11ec-b533-acde48001122", "version": 1, "date": "2023-04-25", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This search is to detect an anomaly event of a non-firefox process accessing the files in the profile folder. This folder contains all the sqlite database of the firefox browser related to users login, history, cookies and etc. Most of the RAT, trojan spy as well as FIN7 jssloader try to parse the those sqlite database to collect information on the compromised host. This SACL Event (4663) needs to be enabled to the firefox profile directory to use this. Since this is monitoring the access to the folder, we have obsevered noise and hence added `sqlite db browser` and `explorer.exe` to make this detection more stable.", "data_source": ["Windows Security 4663"], "search": "`wineventlog_security` EventCode=4663 NOT (process_name IN (\"*\\\\firefox.exe\", \"*\\\\explorer.exe\", \"*sql*\")) Object_Name=\"*\\\\AppData\\\\Roaming\\\\Mozilla\\\\Firefox\\\\Profiles*\" | stats count min(_time) as firstTime max(_time) as lastTime by Object_Name Object_Type process_name Access_Mask Accesses process_id EventCode dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `non_firefox_process_access_firefox_profile_dir_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "other browser not listed related to firefox may catch by this rule.", "references": [], "tags": {"name": "Non Firefox Process Access Firefox Profile Dir", "analytic_story": ["Azorult", "Remcos", "3CX Supply Chain Attack", "AgentTesla", "RedLine Stealer", "FIN7"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "a non firefox browser process $process_name$ accessing $Object_Name$", "mitre_attack_id": ["T1555", "T1555.003"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Object_Name", "Object_Type", "process_name", "Access_Mask", "Accesses", "process_id", "EventCode", "dest", "user"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_sacl/security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "non_firefox_process_access_firefox_profile_dir_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Notepad with no Command Line Arguments", "id": "5adbc5f1-9a2f-41c1-a810-f37e015f8179", "version": 1, "date": "2023-02-22", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies behavior related to default SliverC2 framework where it will inject into Notepad.exe and spawn Notepad.exe with no command line arguments. In testing, this is a common procedure for SliverC2 usage, however may be modified or changed. From Microsoft, \"The Sideload, SpawnDll, and Execute-Assembly commands spawn and inject into notepad.exe by default. The following query finds process creation events where the same process creates and injects into notepad.exe within 10 seconds.\"", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=notepad.exe AND Processes.action!=\"blocked\" by host _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(notepad\\.exe.{0,4}$)\" | `notepad_with_no_command_line_arguments_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present and filtering may need to occur based on organization endpoint behavior.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/", "https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors#Purple-Team-Section"], "tags": {"name": "Notepad with no Command Line Arguments", "analytic_story": ["BishopFox Sliver Adversary Emulation Framework"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ with no command line arguments.", "mitre_attack_id": ["T1055"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/sliver/notepad_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "notepad_with_no_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/notepad_with_no_command_line_arguments.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Ntdsutil Export NTDS", "id": "da63bc76-61ae-11eb-ae93-0242ac130002", "version": 1, "date": "2021-01-28", "author": "Michael Haag, Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "Monitor for signs that Ntdsutil is being used to Extract Active Directory database - NTDS.dit, typically used for offline password cracking. It may be used in normal circumstances with no command line arguments or shorthand variations of more common arguments. Ntdsutil.exe is typically seen run on a Windows Server. Typical command used to dump ntds.dit \\\nntdsutil \"ac i ntds\" \"ifm\" \"create full C:\\Temp\" q q \\\nThis technique uses \"Install from Media\" (IFM), which will extract a copy of the Active Directory database. A successful export of the Active Directory database will yield a file modification named ntds.dit to the destination.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=ntdsutil.exe Processes.process=*ntds* Processes.process=*create*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `ntdsutil_export_ntds_filter`", "how_to_implement": "You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints, to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "Highly possible Server Administrators will troubleshoot with ntdsutil.exe, generating false positives.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md#atomic-test-3---dump-active-directory-database-with-ntdsutil", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc753343(v=ws.11)", "https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf", "https://strontic.github.io/xcyclopedia/library/vss_ps.dll-97B15BDAE9777F454C9A6BA25E938DB3.html", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"name": "Ntdsutil Export NTDS", "analytic_story": ["Credential Dumping", "HAFNIUM Group", "Living Off The Land", "Prestige Ransomware", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "Active Directory NTDS export on $dest$", "mitre_attack_id": ["T1003.003", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "ntdsutil_export_ntds_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/ntdsutil_export_ntds.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Office Application Drop Executable", "id": "73ce70c4-146d-11ec-9184-acde48001122", "version": 4, "date": "2023-02-15", "author": "Teoderick Contreras, Michael Haag, Splunk, TheLawsOfChaos, Github", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious MS office application that drops or creates executables or scripts in a Windows Operating System. This behavior is commonly seen in spear phishing office attachment where it drop malicious files or script to compromised the host. It might be some normal macro may drop script or tools as part of automation but still this behavior is reallly suspicious and not commonly seen in normal office application", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"wordpad.exe\",\"wordview.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\") by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` |join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*.exe\",\"*.dll\",\"*.pif\",\"*.scr\",\"*.js\",\"*.vbs\",\"*.vbe\",\"*.ps1\") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process process_guid] | dedup file_create_time | table dest, process_name, process, file_create_time, file_name, file_path, process_guid | `office_application_drop_executable_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "office macro for automation may do this behavior", "references": ["https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation", "https://attack.mitre.org/groups/G0046/", "https://www.joesandbox.com/analysis/702680/0/html", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"name": "Office Application Drop Executable", "analytic_story": ["FIN7", "AgentTesla", "CVE-2023-21716 Word RTF Heap Corruption"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Delivery"], "message": "process $process_name$ drops a file $file_name$ in host $dest$", "mitre_attack_id": ["T1566", "T1566.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "process_name", "file_name", "process_guid", "dest", "user_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_macro_js_1/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "office_application_drop_executable_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/office_application_drop_executable.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Office Application Spawn Regsvr32 process", "id": "2d9fc90c-f11f-11eb-9300-acde48001122", "version": 4, "date": "2023-02-15", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "this detection was designed to identifies suspicious spawned process of known MS office application due to macro or malicious code. this technique can be seen in so many malware like IcedID that used MS office as its weapon or attack vector to initially infect the machines.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = \"winword.exe\" OR Processes.parent_process_name = \"excel.exe\" OR Processes.parent_process_name = \"powerpnt.exe\" OR Processes.parent_process_name = \"outlook.exe\" OR Processes.parent_process_name = \"onenote.exe\" OR Processes.parent_process_name = \"onenotem.exe\" OR Processes.parent_process_name = \"onenoteviewer.exe\" OR Processes.parent_process_name = \"onenoteim.exe\" OR Processes.parent_process_name=\"msaccess.exe\") `process_regsvr32` by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `office_application_spawn_regsvr32_process_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "references": ["https://www.joesandbox.com/analysis/380662/0/html", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"name": "Office Application Spawn Regsvr32 process", "analytic_story": ["IcedID", "Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "message": "Office application spawning regsvr32.exe on $dest$", "mitre_attack_id": ["T1566", "T1566.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/phish_icedid/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_regsvr32", "definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "office_application_spawn_regsvr32_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/office_application_spawn_regsvr32_process.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Office Application Spawn rundll32 process", "id": "958751e4-9c5f-11eb-b103-acde48001122", "version": 4, "date": "2023-02-15", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This detection was designed to identify suspicious spawned processes of known MS office applications due to macro or malicious code. this technique can be seen in so many malware like trickbot that used MS office as its weapon or attack vector to initially infect the machines.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = \"winword.exe\" OR Processes.parent_process_name = \"excel.exe\" OR Processes.parent_process_name = \"powerpnt.exe\" OR Processes.parent_process_name= \"onenote.exe\" OR Processes.parent_process_name = \"onenotem.exe\" OR Processes.parent_process_name = \"onenoteviewer.exe\" OR Processes.parent_process_name = \"onenoteim.exe\" OR Processes.parent_process_name = \"msaccess.exe\") AND `process_rundll32` by Processes.parent_process Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `office_application_spawn_rundll32_process_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "references": ["https://any.run/malware-trends/trickbot", "https://any.run/report/47561b4e949041eff0a0f4693c59c81726591779fe21183ae9185b5eb6a69847/aba3722a-b373-4dae-8273-8730fb40cdbe", "https://www.joesandbox.com/analysis/702680/0/html", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"name": "Office Application Spawn rundll32 process", "analytic_story": ["Spearphishing Attachments", "Trickbot", "IcedID", "AgentTesla"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "message": "Office application spawning rundll32.exe on $dest$", "mitre_attack_id": ["T1566", "T1566.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/datasets/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "office_application_spawn_rundll32_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/office_application_spawn_rundll32_process.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Office Document Creating Schedule Task", "id": "cc8b7b74-9d0f-11eb-8342-acde48001122", "version": 4, "date": "2023-02-15", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "this search detects a potential malicious office document that create schedule task entry through macro VBA api or through loading taskschd.dll. This technique was seen in so many malicious macro malware that create persistence , beaconing using task schedule malware entry The search will return the first time and last time the task was registered, as well as the `Command` to be executed, `Task Name`, `Author`, `Enabled`, and whether it is `Hidden` or not. schtasks.exe is natively found in `C:\\Windows\\system32` and `C:\\Windows\\syswow64`. The following DLL(s) are loaded when schtasks.exe or TaskService is launched -`taskschd.dll`. If found loaded by another process, it's possible a scheduled task is being registered within that process context in memory. Upon triage, identify the task scheduled source. Was it schtasks.exe or via TaskService? Review the job created and the Command to be executed. Capture any artifacts on disk and review. Identify any parallel processes within the same timeframe to identify source.'", "data_source": ["Sysmon Event ID 7"], "search": "`sysmon` EventCode=7 parent_process_name IN (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\", \"msaccess.exe\") ImageLoaded = \"*\\\\taskschd.dll\" | stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) as AllImageLoaded count by Computer EventCode Image parent_process_name ProcessId ProcessGuid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_document_creating_schedule_task_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and ImageLoaded (Like sysmon EventCode 7) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Also be sure to include those monitored dll to your own sysmon config.", "known_false_positives": "unknown", "references": ["https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/", "https://redcanary.com/threat-detection-report/techniques/scheduled-task-job/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"name": "Office Document Creating Schedule Task", "analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Delivery"], "message": "Office document creating a schedule task on $dest$", "mitre_attack_id": ["T1566", "T1566.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["ImageLoaded", "AllImageLoaded", "Computer", "EventCode", "Image", "process_name", "ProcessId", "ProcessGuid", "_time"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/datasets/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "office_document_creating_schedule_task_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/office_document_creating_schedule_task.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Office Document Executing Macro Code", "id": "b12c89bc-9d06-11eb-a592-acde48001122", "version": 4, "date": "2023-01-24", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "this detection was designed to identifies suspicious office documents that using macro code. Macro code is known to be one of the prevalent weaponization or attack vector of threat actor. This malicious macro code is embed to a office document as an attachment that may execute malicious payload, download malware payload or other malware component. It is really good practice to disable macro by default to avoid automatically execute macro code while opening or closing a office document files.", "data_source": ["Sysmon Event ID 7"], "search": "`sysmon` EventCode=7 parent_process_name IN (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\") ImageLoaded IN (\"*\\\\VBE7INTL.DLL\",\"*\\\\VBE7.DLL\", \"*\\\\VBEUI.DLL\") | stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) as AllImageLoaded count by Computer EventCode Image process_name ProcessId ProcessGuid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_document_executing_macro_code_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and ImageLoaded (Like sysmon EventCode 7) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Also be sure to include those monitored dll to your own sysmon config.", "known_false_positives": "Normal Office Document macro use for automation", "references": ["https://www.joesandbox.com/analysis/386500/0/html", "https://www.joesandbox.com/analysis/702680/0/html", "https://bazaar.abuse.ch/sample/02cbc1ab80695fc12ff8822b926957c3a600247b9ca412a137f69cb5716c8781/", "https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"name": "Office Document Executing Macro Code", "analytic_story": ["Spearphishing Attachments", "Trickbot", "IcedID", "DarkCrystal RAT", "AgentTesla", "Qakbot", "Azorult", "Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Delivery"], "message": "Office document executing a macro on $dest$", "mitre_attack_id": ["T1566", "T1566.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["ImageLoaded", "AllImageLoaded", "Computer", "EventCode", "Image", "process_name", "ProcessId", "ProcessGuid", "_time"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/datasets/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "office_document_executing_macro_code_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/office_document_executing_macro_code.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Office Document Spawned Child Process To Download", "id": "6fed27d2-9ec7-11eb-8fe4-aa665a019aa3", "version": 5, "date": "2023-02-15", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect potential malicious office document executing lolbin child process to download payload or other malware. Since most of the attacker abused the capability of office document to execute living on land application to blend it to the normal noise in the infected machine to cover its track.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\") Processes.process IN (\"*http:*\",\"*https:*\") NOT (Processes.original_file_name IN(\"firefox.exe\", \"chrome.exe\",\"iexplore.exe\",\"msedge.exe\")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_document_spawned_child_process_to_download_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances office application and browser may be used.", "known_false_positives": "Default browser not in the filter list.", "references": ["https://app.any.run/tasks/92d7ef61-bfd7-4c92-bc15-322172b4ebec/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"name": "Office Document Spawned Child Process To Download", "analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Delivery"], "message": "Office document spawning suspicious child process on $dest$", "mitre_attack_id": ["T1566", "T1566.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/datasets2/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "office_document_spawned_child_process_to_download_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/office_document_spawned_child_process_to_download.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Office Product Spawn CMD Process", "id": "b8b19420-e892-11eb-9244-acde48001122", "version": 4, "date": "2022-02-15", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "this search is to detect a suspicious office product process that spawn cmd child process. This is commonly seen in a ms office product having macro to execute shell command to download or execute malicious lolbin relative to its malicious code. This is seen in trickbot spear phishing doc where it execute shell cmd to run mshta payload.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = \"winword.exe\" OR Processes.parent_process_name= \"excel.exe\" OR Processes.parent_process_name = \"powerpnt.exe\" OR Processes.parent_process_name= \"onenote.exe\" OR Processes.parent_process_name = \"onenotem.exe\" OR Processes.parent_process_name = \"onenoteviewer.exe\" OR Processes.parent_process_name = \"onenoteim.exe\" OR Processes.parent_process_name = \"msaccess.exe\") `process_cmd` by Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest Processes.original_file_name | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `office_product_spawn_cmd_process_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "IT or network admin may create an document automation that will run shell script.", "references": ["https://twitter.com/cyb3rops/status/1416050325870587910?s=21", "https://bazaar.abuse.ch/sample/02cbc1ab80695fc12ff8822b926957c3a600247b9ca412a137f69cb5716c8781/", "https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"name": "Office Product Spawn CMD Process", "analytic_story": ["Trickbot", "DarkCrystal RAT", "Azorult", "Remcos", "Qakbot", "AgentTesla", "CVE-2023-21716 Word RTF Heap Corruption"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Delivery"], "message": "an office product parent process $parent_process_name$ spawn child process $process_name$ in host $dest$", "mitre_attack_id": ["T1566", "T1566.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/spear_phish/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "office_product_spawn_cmd_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/office_product_spawn_cmd_process.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Office Product Spawning BITSAdmin", "id": "e8c591f4-a6d7-11eb-8cf7-acde48001122", "version": 4, "date": "2023-02-15", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following detection identifies the latest behavior utilized by different malware families (including TA551, IcedID). This detection identifies any Windows Office Product spawning `bitsadmin.exe`. In malicious instances, the command-line of `bitsadmin.exe` will contain a URL to a remote destination or similar command-line arguments as transfer, Download, priority, Foreground. In addition, Threat Research has released a detections identifying suspicious use of `bitsadmin.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `bitsadmin.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\", \"msaccess.exe\") `process_bitsadmin` by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_bitsadmin_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "No false positives known. Filter as needed.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"name": "Office Product Spawning BITSAdmin", "analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "message": "office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ in host $dest$", "mitre_attack_id": ["T1566", "T1566.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_macros.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_bitsadmin", "definition": "(Processes.process_name=bitsadmin.exe OR Processes.original_file_name=bitsadmin.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "office_product_spawning_bitsadmin_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/office_product_spawning_bitsadmin.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Office Product Spawning CertUtil", "id": "6925fe72-a6d5-11eb-9e17-acde48001122", "version": 4, "date": "2023-02-15", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following detection identifies the latest behavior utilized by different malware families (including TA551, IcedID). This detection identifies any Windows Office Product spawning `certutil.exe`. In malicious instances, the command-line of `certutil.exe` will contain a URL to a remote destination. In addition, Threat Research has released a detections identifying suspicious use of `certutil.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `certutil.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\") `process_certutil` by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_certutil_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "No false positives known. Filter as needed.", "references": ["https://redcanary.com/threat-detection-report/threats/TA551/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"name": "Office Product Spawning CertUtil", "analytic_story": ["Spearphishing Attachments", "AgentTesla", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "message": "office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ in host $dest$", "mitre_attack_id": ["T1566", "T1566.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_macros.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_certutil", "definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "office_product_spawning_certutil_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/office_product_spawning_certutil.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Office Product Spawning MSHTA", "id": "6078fa20-a6d2-11eb-b662-acde48001122", "version": 3, "date": "2023-02-15", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following detection identifies the latest behavior utilized by different malware families (including TA551, IcedID). This detection identifies any Windows Office Product spawning `mshta.exe`. In malicious instances, the command-line of `mshta.exe` will contain the `hta` file locally, or a URL to the remote destination. In addition, Threat Research has released a detections identifying suspicious use of `mshta.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `mshta.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\", \"onenote.exe\",\"onenotem.exe\", \"msaccess.exe\") `process_mshta` by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_mshta_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "No false positives known. Filter as needed.", "references": ["https://redcanary.com/threat-detection-report/threats/TA551/"], "tags": {"name": "Office Product Spawning MSHTA", "analytic_story": ["Spearphishing Attachments", "IcedID", "Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "message": "office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ in host $dest$", "mitre_attack_id": ["T1566", "T1566.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_macros.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_mshta", "definition": "(Processes.process_name=mshta.exe OR Processes.original_file_name=MSHTA.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "office_product_spawning_mshta_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/office_product_spawning_mshta.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Office Product Spawning Rundll32 with no DLL", "id": "c661f6be-a38c-11eb-be57-acde48001122", "version": 4, "date": "2023-02-15", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following detection identifies the latest behavior utilized by IcedID malware family. This detection identifies any Windows Office Product spawning `rundll32.exe` without a `.dll` file extension. In malicious instances, the command-line of `rundll32.exe` will look like `rundll32 ..\\oepddl.igk2,DllRegisterServer`. In addition, Threat Research has released a detection identifying the use of `DllRegisterServer` on the command-line of `rundll32.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze the `DLL` that was dropped to disk. The Office Product will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\", \"msaccess.exe\") `process_rundll32` (Processes.process!=*.dll*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_rundll32_with_no_dll_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited, but if any are present, filter as needed.", "references": ["https://www.joesandbox.com/analysis/395471/0/html", "https://app.any.run/tasks/cef4b8ba-023c-4b3b-b2ef-6486a44f6ed9/", "https://any.run/malware-trends/icedid"], "tags": {"name": "Office Product Spawning Rundll32 with no DLL", "analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "message": "office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ and no dll commandline $process$ in host $dest$", "mitre_attack_id": ["T1566", "T1566.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_icedid.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "office_product_spawning_rundll32_with_no_dll_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/office_product_spawning_rundll32_with_no_dll.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Office Product Spawning Windows Script Host", "id": "b3628a5b-8d02-42fa-a891-eebf2351cbe1", "version": 3, "date": "2023-02-15", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic will identify a Windows Office Product spawning WScript.exe or CScript.exe. Tuning may be required based on legitimate application usage that may spawn scripts from an Office product.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\", \"msaccess.exe\") Processes.process_name IN (\"wscript.exe\", \"cscript.exe\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_windows_script_host_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present based on macro based approved documents in the organization. Filtering may be needed.", "references": ["https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/", "https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"name": "Office Product Spawning Windows Script Host", "analytic_story": ["Spearphishing Attachments", "Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "message": "office parent process $parent_process_name$ will execute a suspicious child process $process_name$ on host $dest$.", "mitre_attack_id": ["T1566", "T1566.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.002/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "office_product_spawning_windows_script_host_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/office_product_spawning_windows_script_host.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Office Product Spawning Wmic", "id": "ffc236d6-a6c9-11eb-95f1-acde48001122", "version": 5, "date": "2023-02-15", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following detection identifies the latest behavior utilized by Ursnif malware family. This detection identifies any Windows Office Product spawning `wmic.exe`. In malicious instances, the command-line of `wmic.exe` will contain `wmic process call create`. In addition, Threat Research has released a detection identifying the use of `wmic process call create` on the command-line of `wmic.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `wmic.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\") `process_wmic` by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_wmic_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "No false positives known. Filter as needed.", "references": ["https://app.any.run/tasks/fb894ab8-a966-4b72-920b-935f41756afd/", "https://attack.mitre.org/techniques/T1047/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"name": "Office Product Spawning Wmic", "analytic_story": ["Spearphishing Attachments", "FIN7"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "message": "office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ in host $dest$", "mitre_attack_id": ["T1566", "T1566.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_macros.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "office_product_spawning_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/office_product_spawning_wmic.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Office Product Writing cab or inf", "id": "f48cd1d4-125a-11ec-a447-acde48001122", "version": 4, "date": "2023-02-15", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies behavior related to CVE-2021-40444. Whereas the malicious document will load ActiveX and download the remote payload (.inf, .cab). During triage, review parallel processes and further activity on endpoint to identify additional patterns. Retrieve the file modifications and analyze further.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"wordpad.exe\",\"wordview.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\") by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid | join proc_guid, _time [ | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*.inf\",\"*.cab\") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` |rename process_guid as proc_guid | fields _time dest file_create_time file_name file_path process_name process_path process proc_guid] | dedup file_create_time | table dest, process_name, process, file_create_time, file_name, file_path, proc_guid | `office_product_writing_cab_or_inf_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node.", "known_false_positives": "The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product.", "references": ["https://twitter.com/vxunderground/status/1436326057179860992?s=20", "https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://twitter.com/RonnyTNL/status/1436334640617373699?s=20", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"name": "Office Product Writing cab or inf", "analytic_story": ["Spearphishing Attachments", "Microsoft MSHTML Remote Code Execution CVE-2021-40444"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Delivery"], "message": "An instance of $process_name$ was identified on $dest$ writing an inf or cab file to this. This is not typical of $process_name$.", "mitre_attack_id": ["T1566", "T1566.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "process_name", "process", "file_create_time", "file_name", "file_path"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "cve": ["CVE-2021-40444"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_cabinf.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "office_product_writing_cab_or_inf_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-40444", "cvss": 6.8, "summary": "Microsoft MSHTML Remote Code Execution Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/office_product_writing_cab_or_inf.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Office Spawning Control", "id": "053e027c-10c7-11ec-8437-acde48001122", "version": 3, "date": "2023-02-15", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following detection identifies control.exe spawning from an office product. This detection identifies any Windows Office Product spawning `control.exe`. In malicious instances, the command-line of `control.exe` will contain a file path to a .cpl or .inf, related to CVE-2021-40444. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. review parallel and child processes to identify further suspicious behavior", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"wordpad.exe\",\"wordview.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\") Processes.process_name=control.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `office_spawning_control_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Limited false positives should be present.", "references": ["https://strontic.github.io/xcyclopedia/library/control.exe-1F13E714A0FEA8887707DFF49287996F.html", "https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/", "https://attack.mitre.org/techniques/T1218/011/", "https://www.echotrail.io/insights/search/control.exe/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.yaml", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"name": "Office Spawning Control", "analytic_story": ["Spearphishing Attachments", "Microsoft MSHTML Remote Code Execution CVE-2021-40444"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Delivery"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ clicking a suspicious attachment.", "mitre_attack_id": ["T1566", "T1566.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "cve": ["CVE-2021-40444"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_control.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "office_spawning_control_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-40444", "cvss": 6.8, "summary": "Microsoft MSHTML Remote Code Execution Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/office_spawning_control.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Outbound Network Connection from Java Using Default Ports", "id": "d2c14d28-5c47-11ec-9892-acde48001122", "version": 2, "date": "2022-06-28", "author": "Mauricio Velazco, Lou Stella, Splunk", "type": "TTP", "status": "production", "description": "A required step while exploiting the CVE-2021-44228-Log4j vulnerability is that the victim server will perform outbound connections to attacker-controlled infrastructure. This is required as part of the JNDI lookup as well as for retrieving the second stage .class payload. The following analytic identifies the Java process reaching out to default ports used by the LDAP and RMI protocols. This behavior could represent successfull exploitation. Note that adversaries can easily decide to use arbitrary ports for these protocols and potentially bypass this detection.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where (Processes.process_name=\"java.exe\" OR Processes.process_name=javaw.exe OR Processes.process_name=javaw.exe) by _time Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where (All_Traffic.dest_port= 389 OR All_Traffic.dest_port= 636 OR All_Traffic.dest_port = 1389 OR All_Traffic.dest_port = 1099 ) by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as connection_to_CNC] | table _time dest parent_process_name process_name process_path process connection_to_CNC dest_port| `outbound_network_connection_from_java_using_default_ports_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Legitimate Java applications may use perform outbound connections to these ports. Filter as needed", "references": ["https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://www.govcert.admin.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/"], "tags": {"name": "Outbound Network Connection from Java Using Default Ports", "analytic_story": ["Log4Shell CVE-2021-44228"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Delivery"], "message": "Java performed outbound connections to default ports of LDAP or RMI on $dest$", "mitre_attack_id": ["T1190"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_id", "Processes.process_name", "Processes.dest", "Processes.process_path", "Processes.process", "Processes.parent_process_name", "All_Traffic.process_id", "All_Traffic.dest", "All_Traffic.dest_port"], "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "cve": ["CVE-2021-44228"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/outbound_java/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint", "Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "outbound_network_connection_from_java_using_default_ports_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-44228", "cvss": 9.3, "summary": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Overwriting Accessibility Binaries", "id": "13c2f6c3-10c5-4deb-9ba1-7c4460ebe4ae", "version": 4, "date": "2023-04-14", "author": "David Dorsey, Splunk", "type": "TTP", "status": "production", "description": "Microsoft Windows contains accessibility features that can be launched with a key combination before a user has logged in. An adversary can modify or replace these programs so they can get a command prompt or backdoor without logging in to the system. This search looks for modifications to these binaries.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem where (Filesystem.file_path=*\\\\Windows\\\\System32\\\\sethc.exe* OR Filesystem.file_path=*\\\\Windows\\\\System32\\\\utilman.exe* OR Filesystem.file_path=*\\\\Windows\\\\System32\\\\osk.exe* OR Filesystem.file_path=*\\\\Windows\\\\System32\\\\Magnify.exe* OR Filesystem.file_path=*\\\\Windows\\\\System32\\\\Narrator.exe* OR Filesystem.file_path=*\\\\Windows\\\\System32\\\\DisplaySwitch.exe* OR Filesystem.file_path=*\\\\Windows\\\\System32\\\\AtBroker.exe*) by Filesystem.file_name Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `overwriting_accessibility_binaries_filter`", "how_to_implement": "You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.", "known_false_positives": "Microsoft may provide updates to these binaries. Verify that these changes do not correspond with your normal software update cycle.", "references": [], "tags": {"name": "Overwriting Accessibility Binaries", "analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A suspicious file modification or replace in $file_path$ in host $dest$", "mitre_attack_id": ["T1546", "T1546.008"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_path", "type": "File", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.dest", "Filesystem.file_path", "Filesystem.file_name", "Filesystem.dest"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.008", "mitre_attack_technique": "Accessibility Features", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT3", "APT41", "Axiom", "Deep Panda", "Fox Kitten"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.008/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "overwriting_accessibility_binaries_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/overwriting_accessibility_binaries.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "PaperCut NG Suspicious Behavior Debug Log", "id": "395163b8-689b-444b-86c7-9fe9ad624734", "version": 1, "date": "2023-05-15", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "experimental", "description": "The following hunting analytic is designed to monitor and detect potential exploitation attempts targeting a PaperCut NG server by analyzing its debug log data. By focusing on public IP addresses accessing the PaperCut NG instance, this analytic aims to identify unauthorized or suspicious access attempts. Furthermore, it searches for specific URIs that have been discovered in the proof of concept code, which are associated with known exploits or vulnerabilities. The analytic is focused on the user admin. Regex is used mainly because the log is not parsed by Splunk and there is no TA for this debug log.", "data_source": [], "search": "`papercutng` (loginType=Admin OR userName=admin) | eval uri_match=if(match(_raw, \"(?i)(\\/app\\?service=page\\/SetupCompleted|\\/app|\\/app\\?service=page\\/PrinterList|\\/app\\?service=direct\\/1\\/PrinterList\\/selectPrinter&sp=l1001|\\/app\\?service=direct\\/1\\/PrinterDetails\\/printerOptionsTab\\.tab)\"), \"URI matches\", null()) | eval ip_match=if(match(_raw, \"(?i)((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))\") AND NOT match(_raw, \"(?i)(10\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))|(172\\.(1[6-9]|2[0-9]|3[0-1])\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))|(192\\.168\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))\"), \"IP matches\", null()) | where (isnotnull(uri_match) OR isnotnull(ip_match)) | stats sparkline, count, values(uri_match) AS uri_match, values(ip_match) AS ip_match latest(_raw) BY host, index, sourcetype | `papercut_ng_suspicious_behavior_debug_log_filter`", "how_to_implement": "Debug logs must be enabled and shipped to Splunk in order to properly identify behavior with this analytic.", "known_false_positives": "False positives may be present, as this is based on the admin user accessing the Papercut NG instance from a public IP address. Filter as needed.", "references": ["https://www.papercut.com/kb/Main/HowToCollectApplicationServerDebugLogs", "https://github.com/inodee/threathunting-spl/blob/master/hunt-queries/HAFNIUM.md", "https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-and-fbi-release-joint-advisory-response-active-exploitation-papercut-vulnerability", "https://www.papercut.com/kb/Main/PO-1216-and-PO-1219", "https://www.horizon3.ai/papercut-cve-2023-27350-deep-dive-and-indicators-of-compromise/", "https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-bug-in-papercut-servers/", "https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software"], "tags": {"name": "PaperCut NG Suspicious Behavior Debug Log", "analytic_story": ["PaperCut MF NG Vulnerability"], "asset_type": "Web Server", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Delivery"], "message": "Behavior related to exploitation of PaperCut NG has been identified on $host$.", "mitre_attack_id": ["T1190"], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["uri_match", "ip_match", "index", "sourcetype", "host"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "atomic_guid": [], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/papercut/server.log", "source": "papercutng", "sourcetype": "papercutng"}]}], "datamodel": [], "macros": [{"name": "papercutng", "definition": "sourcetype=\"papercutng\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "papercut_ng_suspicious_behavior_debug_log_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/papercut_ng_suspicious_behavior_debug_log.yml", "source": "endpoint"}, {"name": "Password Policy Discovery with Net", "id": "09336538-065a-11ec-8665-acde48001122", "version": 1, "date": "2021-08-26", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `net.exe` or `net1.exe` with command line arguments used to obtain the domain password policy. Red Teams and adversaries may leverage `net.exe` for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"net.exe\" OR Processes.process_name=\"net1.exe\") AND Processes.process = \"*accounts*\" AND Processes.process = \"*/domain*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `password_policy_discovery_with_net_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet"], "tags": {"name": "Password Policy Discovery with Net", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "mitre_attack_id": ["T1201"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id", "Processes.parent_process_name"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "password_policy_discovery_with_net_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/password_policy_discovery_with_net.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Permission Modification using Takeown App", "id": "fa7ca5c6-c9d8-11eb-bce9-acde48001122", "version": 1, "date": "2021-06-10", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a modification of file or directory permission using takeown.exe windows app. This technique was seen in some ransomware that take the ownership of a folder or files to encrypt or delete it.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"takeown.exe\" Processes.process = \"*/f*\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `permission_modification_using_takeown_app_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "takeown.exe is a normal windows application that may used by network operator.", "references": ["https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/"], "tags": {"name": "Permission Modification using Takeown App", "analytic_story": ["Ransomware", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "A suspicious of execution of $process_name$ with process id $process_id$ and commandline $process$ to modify permission of directory or files in host $dest$", "mitre_attack_id": ["T1222"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.dest", "Processes.user", "Processes.process_id", "Processes.process_guid"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data1/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "permission_modification_using_takeown_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/permission_modification_using_takeown_app.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "PetitPotam Network Share Access Request", "id": "95b8061a-0a67-11ec-85ec-acde48001122", "version": 1, "date": "2021-08-31", "author": "Michael Haag, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes Windows Event Code 5145, \"A network share object was checked to see whether client can be granted desired access\". During our research into PetitPotam, CVE-2021-36942, we identified the ocurrence of this event on the target host with specific values. \\\nTo enable 5145 events via Group Policy - Computer Configuration->Polices->Windows Settings->Security Settings->Advanced Audit Policy Configuration. Expand this node, go to Object Access (Audit Polices->Object Access), then select the Setting Audit Detailed File Share Audit \\\nIt is possible this is not enabled by default and may need to be reviewed and enabled. \\\nDuring triage, review parallel security events to identify further suspicious activity.", "data_source": ["Sysmon Event ID 5"], "search": "`wineventlog_security` Account_Name=\"ANONYMOUS LOGON\" EventCode=5145 Relative_Target_Name=lsarpc | stats count min(_time) as firstTime max(_time) as lastTime by dest, Security_ID, Share_Name, Source_Address, Accesses, Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `petitpotam_network_share_access_request_filter`", "how_to_implement": "Windows Event Code 5145 is required to utilize this analytic and it may not be enabled in most environments.", "known_false_positives": "False positives have been limited when the Anonymous Logon is used for Account Name.", "references": ["https://attack.mitre.org/techniques/T1187/", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5145", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145"], "tags": {"name": "PetitPotam Network Share Access Request", "analytic_story": ["PetitPotam NTLM Relay on Active Directory Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "A remote host is enumerating a $dest$ to identify permissions. This is a precursor event to CVE-2021-36942, PetitPotam.", "mitre_attack_id": ["T1187"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "Security_ID", "Share_Name", "Source_Address", "Accesses", "Message"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "cve": ["CVE-2021-36942"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1187", "mitre_attack_technique": "Forced Authentication", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["DarkHydrus", "Dragonfly"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1187/petitpotam/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "petitpotam_network_share_access_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-36942", "cvss": 5.0, "summary": "Windows LSA Spoofing Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/petitpotam_network_share_access_request.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "PetitPotam Suspicious Kerberos TGT Request", "id": "e3ef244e-0a67-11ec-abf2-acde48001122", "version": 1, "date": "2021-08-31", "author": "Michael Haag, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifes Event Code 4768, A `Kerberos authentication ticket (TGT) was requested`, successfull occurs. This behavior has been identified to assist with detecting PetitPotam, CVE-2021-36942. Once an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning, we recommend filtering Account_Name to Domain Controllers for your environment.", "data_source": ["Windows Security 4768"], "search": "`wineventlog_security` EventCode=4768 Client_Address!=\"::1\" Certificate_Thumbprint!=\"\" Account_Name=*$ | stats count min(_time) as firstTime max(_time) as lastTime by dest, Account_Name, Client_Address, action, Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `petitpotam_suspicious_kerberos_tgt_request_filter`", "how_to_implement": "The following analytic requires Event Code 4768. Ensure that it is logging no Domain Controllers and appearing in Splunk.", "known_false_positives": "False positives are possible if the environment is using certificates for authentication.", "references": ["https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4768", "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/"], "tags": {"name": "PetitPotam Suspicious Kerberos TGT Request", "analytic_story": ["PetitPotam NTLM Relay on Active Directory Certificate Services", "Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "A Kerberos TGT was requested in a non-standard manner against $dest$, potentially related to CVE-2021-36942, PetitPotam.", "mitre_attack_id": ["T1003"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "Account_Name", "Client_Address", "action", "Message"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "cve": ["CVE-2021-36942"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1187/petitpotam/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "petitpotam_suspicious_kerberos_tgt_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-36942", "cvss": 5.0, "summary": "Windows LSA Spoofing Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Ping Sleep Batch Command", "id": "ce058d6c-79f2-11ec-b476-acde48001122", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic will identify the possible execution of ping sleep batch commands. This technique was seen in several malware samples and is used to trigger sleep times without explicitly calling sleep functions or commandlets. The goal is to delay the execution of malicious code and bypass detection or sandbox analysis. This detection can be a good indicator of a process delaying its execution for malicious purposes.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_ping` (Processes.parent_process = \"*ping*\" Processes.parent_process = *-n* Processes.parent_process=\"* Nul*\"Processes.parent_process=\"*>*\") OR (Processes.process = \"*ping*\" Processes.process = *-n* Processes.process=\"* Nul*\"Processes.process=\"*>*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `ping_sleep_batch_command_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Administrator or network operator may execute this command. Please update the filter macros to remove false positives.", "references": ["https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"name": "Ping Sleep Batch Command", "analytic_story": ["Data Destruction", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "suspicious $process$ commandline run in $dest$", "mitre_attack_id": ["T1497", "T1497.003"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1497", "mitre_attack_technique": "Virtualization/Sandbox Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["Darkhotel"]}, {"mitre_attack_id": "T1497.003", "mitre_attack_technique": "Time Based Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1497.003/ping_sleep/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_ping", "definition": "(Processes.process_name=ping.exe OR Processes.original_file_name=ping.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "ping_sleep_batch_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/ping_sleep_batch_command.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Possible Browser Pass View Parameter", "id": "8ba484e8-4b97-11ec-b19a-acde48001122", "version": 1, "date": "2021-11-22", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "This analytic will detect if a suspicious process contains a commandline parameter related to a web browser credential dumper. This technique is used by Remcos RAT malware which uses the Nirsoft webbrowserpassview.exe application to dump web browser credentials. Remcos uses the \"/stext\" command line to dump the credentials in text format. This Hunting query is a good indicator of hosts suffering from possible Remcos RAT infection. Since the hunting query is based on the parameter command and the possible path where it will save the text credential information, it may catch normal tools that are using the same command and behavior.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*/stext *\", \"*/shtml *\", \"*/LoadPasswordsIE*\", \"*/LoadPasswordsFirefox*\", \"*/LoadPasswordsChrome*\", \"*/LoadPasswordsOpera*\", \"*/LoadPasswordsSafari*\" , \"*/UseOperaPasswordFile*\", \"*/OperaPasswordFile*\",\"*/stab*\", \"*/scomma*\", \"*/stabular*\", \"*/shtml*\", \"*/sverhtml*\", \"*/sxml*\", \"*/skeepass*\" ) AND Processes.process IN (\"*\\\\temp\\\\*\", \"*\\\\users\\\\public\\\\*\", \"*\\\\programdata\\\\*\") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `possible_browser_pass_view_parameter_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "False positive is quite limited. Filter is needed", "references": ["https://www.nirsoft.net/utils/web_browser_password.html", "https://app.any.run/tasks/df0baf9f-8baf-4c32-a452-16562ecb19be/"], "tags": {"name": "Possible Browser Pass View Parameter", "analytic_story": ["Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 40, "impact": 40, "kill_chain_phases": ["Exploitation"], "message": "suspicious process $process_name$ contains commandline $process$ on $dest$", "mitre_attack_id": ["T1555.003", "T1555"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 16, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555/web_browser_pass_view/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "possible_browser_pass_view_parameter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/possible_browser_pass_view_parameter.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Possible Lateral Movement PowerShell Spawn", "id": "cb909b3e-512b-11ec-aa31-3e22fbd008af", "version": 1, "date": "2023-04-14", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wmiprvse.exe OR Processes.parent_process_name=services.exe OR Processes.parent_process_name=svchost.exe OR Processes.parent_process_name=wsmprovhost.exe OR Processes.parent_process_name=mmc.exe) (Processes.process_name=powershell.exe OR (Processes.process_name=cmd.exe AND Processes.process=*powershell.exe*) OR Processes.process_name=pwsh.exe OR (Processes.process_name=cmd.exe AND Processes.process=*pwsh.exe*)) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `possible_lateral_movement_powershell_spawn_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints.", "known_false_positives": "Legitimate applications may spawn PowerShell as a child process of the the identified processes. Filter as needed.", "references": ["https://attack.mitre.org/techniques/T1021/003/", "https://attack.mitre.org/techniques/T1021/006/", "https://attack.mitre.org/techniques/T1047/", "https://attack.mitre.org/techniques/T1053/005/", "https://attack.mitre.org/techniques/T1543/003/"], "tags": {"name": "Possible Lateral Movement PowerShell Spawn", "analytic_story": ["Active Directory Lateral Movement", "Malicious PowerShell", "Hermetic Wiper", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "message": "A PowerShell process was spawned as a child process of typically abused processes on $dest$", "mitre_attack_id": ["T1021", "T1021.003", "T1021.006", "T1047", "T1053.005", "T1543.003", "T1059.001", "T1218.014"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement_powershell/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "possible_lateral_movement_powershell_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/possible_lateral_movement_powershell_spawn.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Potential password in username", "id": "5ced34b4-ab32-4bb0-8f22-3b8f186f0a38", "version": 1, "date": "2022-05-11", "author": "Mikael Bjerkeland, Splunk", "type": "Hunting", "status": "production", "description": "This search identifies users who have entered their passwords in username fields. This is done by looking for failed authentication attempts using usernames with a length longer than 7 characters and a high Shannon entropy, and looks for the next successful authentication attempt from the same source system to the same destination system as the failed attempt.", "data_source": [], "search": "| tstats `security_content_summariesonly` earliest(_time) AS starttime latest(_time) AS endtime latest(sourcetype) AS sourcetype values(Authentication.src) AS src values(Authentication.dest) AS dest count FROM datamodel=Authentication WHERE nodename=Authentication.Failed_Authentication BY \"Authentication.user\" | `drop_dm_object_name(Authentication)` | lookup ut_shannon_lookup word AS user | where ut_shannon>3 AND len(user)>=8 AND mvcount(src) == 1 | sort count, - ut_shannon | eval incorrect_cred=user | eval endtime=endtime+1000 | map maxsearches=70 search=\"| tstats `security_content_summariesonly` earliest(_time) AS starttime latest(_time) AS endtime latest(sourcetype) AS sourcetype values(Authentication.src) AS src values(Authentication.dest) AS dest count FROM datamodel=Authentication WHERE nodename=Authentication.Successful_Authentication Authentication.src=\\\"$src$\\\" Authentication.dest=\\\"$dest$\\\" sourcetype IN (\\\"$sourcetype$\\\") earliest=\\\"$starttime$\\\" latest=\\\"$endtime$\\\" BY \\\"Authentication.user\\\" | `drop_dm_object_name(\\\"Authentication\\\")` | `potential_password_in_username_false_positive_reduction` | eval incorrect_cred=\\\"$incorrect_cred$\\\" | eval ut_shannon=\\\"$ut_shannon$\\\" | sort count\" | where user!=incorrect_cred | outlier action=RM count | `potential_password_in_username_filter`", "how_to_implement": "To successfully implement this search, you need to have relevant authentication logs mapped to the Authentication data model. You also need to have the Splunk TA URL Toolbox (https://splunkbase.splunk.com/app/2734/) installed. The detection must run with a time interval shorter than endtime+1000.", "known_false_positives": "Valid usernames with high entropy or source/destination system pairs with multiple authenticating users will make it difficult to identify the real user authenticating.", "references": ["https://medium.com/@markmotig/search-for-passwords-accidentally-typed-into-the-username-field-975f1a389928"], "tags": {"name": "Potential password in username", "analytic_story": ["Credential Dumping", "Insider Threat"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "Potential password in username ($user$) with Shannon entropy ($ut_shannon$)", "mitre_attack_id": ["T1078.003", "T1552.001"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Authentication.user", "Authentication.src", "Authentication.dest", "sourcetype"], "risk_score": 21, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.003", "mitre_attack_technique": "Local Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "FIN10", "HAFNIUM", "Kimsuky", "PROMETHIUM", "Tropic Trooper", "Turla"]}, {"mitre_attack_id": "T1552.001", "mitre_attack_technique": "Credentials In Files", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "Fox Kitten", "Kimsuky", "Leafminer", "MuddyWater", "OilRig", "TA505", "TeamTNT"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.001/password_in_username/linux_secure.log", "source": "/var/log/secure", "sourcetype": "linux_secure"}]}], "datamodel": ["Authentication"], "macros": [{"name": "potential_password_in_username_false_positive_reduction", "definition": "search *", "description": "Add customer specific known false positives to the map command used in detection - Potential password in username"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "potential_password_in_username_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/potential_password_in_username.yml", "source": "endpoint"}, {"name": "Potentially malicious code on commandline", "id": "9c53c446-757e-11ec-871d-acde48001122", "version": 1, "date": "2022-01-14", "author": "Michael Hart, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic uses a pretrained machine learning text classifier to detect potentially malicious commandlines. The model identifies unusual combinations of keywords found in samples of commandlines where adversaries executed powershell code, primarily for C2 communication. For example, adversaries will leverage IO capabilities such as \"streamreader\" and \"webclient\", threading capabilties such as \"mutex\" locks, programmatic constructs like \"function\" and \"catch\", and cryptographic operations like \"computehash\". Although observing one of these keywords in a commandline script is possible, combinations of keywords observed in attack data are not typically found in normal usage of the commandline. The model will output a score where all values above zero are suspicious, anything greater than one particularly so.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=\"Endpoint.Processes\" by Processes.parent_process_name Processes.process_name Processes.process Processes.user Processes.dest | `drop_dm_object_name(Processes)` | where len(process) > 200 | `potentially_malicious_code_on_cmdline_tokenize_score` | apply unusual_commandline_detection | eval score='predicted(unusual_cmdline_logits)', process=orig_process | fields - unusual_cmdline* predicted(unusual_cmdline_logits) orig_process | where score > 0.5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `potentially_malicious_code_on_commandline_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. You will also need to install the Machine Learning Toolkit version 5.3 or above to apply the pretrained model.", "known_false_positives": "This model is an anomaly detector that identifies usage of APIs and scripting constructs that are correllated with malicious activity. These APIs and scripting constructs are part of the programming langauge and advanced scripts may generate false positives.", "references": ["https://attack.mitre.org/techniques/T1059/003/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"], "tags": {"name": "Potentially malicious code on commandline", "analytic_story": ["Suspicious Command-Line Executions"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 20, "impact": 60, "kill_chain_phases": ["Installation"], "message": "Unusual command-line execution with hallmarks of malicious activity run by $user$ found on $dest$ with commandline $process$", "mitre_attack_id": ["T1059.003"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.parent_process_name", "Processes.process_name", "Processes.parent_process", "Processes.user", "Processes.dest"], "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/malicious_cmd_line_samples/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "potentially_malicious_code_on_cmdline_tokenize_score", "definition": "eval orig_process=process, process=replace(lower(process), \"`\", \"\") | makemv tokenizer=\"([\\w\\d\\-]+)\" process | eval unusual_cmdline_feature_for=if(match(process, \"^for$\"), mvcount(mvfilter(match(process, \"^for$\"))), 0), unusual_cmdline_feature_netsh=if(match(process, \"^netsh$\"), mvcount(mvfilter(match(process, \"^netsh$\"))), 0), unusual_cmdline_feature_readbytes=if(match(process, \"^readbytes$\"), mvcount(mvfilter(match(process, \"^readbytes$\"))), 0), unusual_cmdline_feature_set=if(match(process, \"^set$\"), mvcount(mvfilter(match(process, \"^set$\"))), 0), unusual_cmdline_feature_unrestricted=if(match(process, \"^unrestricted$\"), mvcount(mvfilter(match(process, \"^unrestricted$\"))), 0), unusual_cmdline_feature_winstations=if(match(process, \"^winstations$\"), mvcount(mvfilter(match(process, \"^winstations$\"))), 0), unusual_cmdline_feature_-value=if(match(process, \"^-value$\"), mvcount(mvfilter(match(process, \"^-value$\"))), 0), unusual_cmdline_feature_compression=if(match(process, \"^compression$\"), mvcount(mvfilter(match(process, \"^compression$\"))), 0), unusual_cmdline_feature_server=if(match(process, \"^server$\"), mvcount(mvfilter(match(process, \"^server$\"))), 0), unusual_cmdline_feature_set-mppreference=if(match(process, \"^set-mppreference$\"), mvcount(mvfilter(match(process, \"^set-mppreference$\"))), 0), unusual_cmdline_feature_terminal=if(match(process, \"^terminal$\"), mvcount(mvfilter(match(process, \"^terminal$\"))), 0), unusual_cmdline_feature_-name=if(match(process, \"^-name$\"), mvcount(mvfilter(match(process, \"^-name$\"))), 0), unusual_cmdline_feature_catch=if(match(process, \"^catch$\"), mvcount(mvfilter(match(process, \"^catch$\"))), 0), unusual_cmdline_feature_get-wmiobject=if(match(process, \"^get-wmiobject$\"), mvcount(mvfilter(match(process, \"^get-wmiobject$\"))), 0), unusual_cmdline_feature_hklm=if(match(process, \"^hklm$\"), mvcount(mvfilter(match(process, \"^hklm$\"))), 0), unusual_cmdline_feature_streamreader=if(match(process, \"^streamreader$\"), mvcount(mvfilter(match(process, \"^streamreader$\"))), 0), unusual_cmdline_feature_system32=if(match(process, \"^system32$\"), mvcount(mvfilter(match(process, \"^system32$\"))), 0), unusual_cmdline_feature_username=if(match(process, \"^username$\"), mvcount(mvfilter(match(process, \"^username$\"))), 0), unusual_cmdline_feature_webrequest=if(match(process, \"^webrequest$\"), mvcount(mvfilter(match(process, \"^webrequest$\"))), 0), unusual_cmdline_feature_count=if(match(process, \"^count$\"), mvcount(mvfilter(match(process, \"^count$\"))), 0), unusual_cmdline_feature_webclient=if(match(process, \"^webclient$\"), mvcount(mvfilter(match(process, \"^webclient$\"))), 0), unusual_cmdline_feature_writeallbytes=if(match(process, \"^writeallbytes$\"), mvcount(mvfilter(match(process, \"^writeallbytes$\"))), 0), unusual_cmdline_feature_convert=if(match(process, \"^convert$\"), mvcount(mvfilter(match(process, \"^convert$\"))), 0), unusual_cmdline_feature_create=if(match(process, \"^create$\"), mvcount(mvfilter(match(process, \"^create$\"))), 0), unusual_cmdline_feature_function=if(match(process, \"^function$\"), mvcount(mvfilter(match(process, \"^function$\"))), 0), unusual_cmdline_feature_net=if(match(process, \"^net$\"), mvcount(mvfilter(match(process, \"^net$\"))), 0), unusual_cmdline_feature_com=if(match(process, \"^com$\"), mvcount(mvfilter(match(process, \"^com$\"))), 0), unusual_cmdline_feature_http=if(match(process, \"^http$\"), mvcount(mvfilter(match(process, \"^http$\"))), 0), unusual_cmdline_feature_io=if(match(process, \"^io$\"), mvcount(mvfilter(match(process, \"^io$\"))), 0), unusual_cmdline_feature_system=if(match(process, \"^system$\"), mvcount(mvfilter(match(process, \"^system$\"))), 0), unusual_cmdline_feature_new-object=if(match(process, \"^new-object$\"), mvcount(mvfilter(match(process, \"^new-object$\"))), 0), unusual_cmdline_feature_if=if(match(process, \"^if$\"), mvcount(mvfilter(match(process, \"^if$\"))), 0), unusual_cmdline_feature_threading=if(match(process, \"^threading$\"), mvcount(mvfilter(match(process, \"^threading$\"))), 0), unusual_cmdline_feature_mutex=if(match(process, \"^mutex$\"), mvcount(mvfilter(match(process, \"^mutex$\"))), 0), unusual_cmdline_feature_cryptography=if(match(process, \"^cryptography$\"), mvcount(mvfilter(match(process, \"^cryptography$\"))), 0), unusual_cmdline_feature_computehash=if(match(process, \"^computehash$\"), mvcount(mvfilter(match(process, \"^computehash$\"))), 0)", "description": "Performs the tokenization and application of the malicious commandline classifier"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "potentially_malicious_code_on_commandline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/potentially_malicious_code_on_commandline.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "PowerShell 4104 Hunting", "id": "d6f2b006-0041-11ec-8885-acde48001122", "version": 3, "date": "2023-04-14", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following Hunting analytic assists with identifying suspicious PowerShell execution using Script Block Logging, or EventCode 4104. This analytic is not meant to be ran hourly, but occasionally to identify malicious or suspicious PowerShell. This analytic is a combination of work completed by Alex Teixeira and Splunk Threat Research Team.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 | eval DoIt = if(match(ScriptBlockText,\"(?i)(\\$doit)\"), \"4\", 0) | eval enccom=if(match(ScriptBlockText,\"[A-Za-z0-9+\\/]{44,}([A-Za-z0-9+\\/]{4}|[A-Za-z0-9+\\/]{3}=|[A-Za-z0-9+\\/]{2}==)\") OR match(ScriptBlockText, \"(?i)[-]e(nc*o*d*e*d*c*o*m*m*a*n*d*)*\\s+[^-]\"),4,0) | eval suspcmdlet=if(match(ScriptBlockText, \"(?i)Add-Exfiltration|Add-Persistence|Add-RegBackdoor|Add-ScrnSaveBackdoor|Check-VM|Do-Exfiltration|Enabled-DuplicateToken|Exploit-Jboss|Find-Fruit|Find-GPOLocation|Find-TrustedDocuments|Get-ApplicationHost|Get-ChromeDump|Get-ClipboardContents|Get-FoxDump|Get-GPPPassword|Get-IndexedItem|Get-Keystrokes|LSASecret|Get-PassHash|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-RickAstley|Get-Screenshot|Get-SecurityPackages|Get-ServiceFilePermission|Get-ServicePermission|Get-ServiceUnquoted|Get-SiteListPassword|Get-System|Get-TimedScreenshot|Get-UnattendedInstallFile|Get-Unconstrained|Get-VaultCredential|Get-VulnAutoRun|Get-VulnSchTask|Gupt-Backdoor|HTTP-Login|Install-SSP|Install-ServiceBinary|Invoke-ACLScanner|Invoke-ADSBackdoor|Invoke-ARPScan|Invoke-AllChecks|Invoke-BackdoorLNK|Invoke-BypassUAC|Invoke-CredentialInjection|Invoke-DCSync|Invoke-DllInjection|Invoke-DowngradeAccount|Invoke-EgressCheck|Invoke-Inveigh|Invoke-InveighRelay|Invoke-Mimikittenz|Invoke-NetRipper|Invoke-NinjaCopy|Invoke-PSInject|Invoke-Paranoia|Invoke-PortScan|Invoke-PoshRat|Invoke-PostExfil|Invoke-PowerDump|Invoke-PowerShellTCP|Invoke-PsExec|Invoke-PsUaCme|Invoke-ReflectivePEInjection|Invoke-ReverseDNSLookup|Invoke-RunAs|Invoke-SMBScanner|Invoke-SSHCommand|Invoke-Service|Invoke-Shellcode|Invoke-Tater|Invoke-ThunderStruck|Invoke-Token|Invoke-UserHunter|Invoke-VoiceTroll|Invoke-WScriptBypassUAC|Invoke-WinEnum|MailRaider|New-HoneyHash|Out-Minidump|Port-Scan|PowerBreach|PowerUp|PowerView|Remove-Update|Set-MacAttribute|Set-Wallpaper|Show-TargetScreen|Start-CaptureServer|VolumeShadowCopyTools|NEEEEWWW|(Computer|User)Property|CachedRDPConnection|get-net\\S+|invoke-\\S+hunter|Install-Service|get-\\S+(credent|password)|remoteps|Kerberos.*(policy|ticket)|netfirewall|Uninstall-Windows|Verb\\s+Runas|AmsiBypass|nishang|Invoke-Interceptor|EXEonRemote|NetworkRelay|PowerShelludp|PowerShellIcmp|CreateShortcut|copy-vss|invoke-dll|invoke-mass|out-shortcut|Invoke-ShellCommand\"),1,0) | eval base64 = if(match(lower(ScriptBlockText),\"frombase64\"), \"4\", 0) | eval empire=if(match(lower(ScriptBlockText),\"system.net.webclient\") AND match(lower(ScriptBlockText), \"frombase64string\") ,5,0) | eval mimikatz=if(match(lower(ScriptBlockText),\"mimikatz\") OR match(lower(ScriptBlockText), \"-dumpcr\") OR match(lower(ScriptBlockText), \"SEKURLSA::Pth\") OR match(lower(ScriptBlockText), \"kerberos::ptt\") OR match(lower(ScriptBlockText), \"kerberos::golden\") ,5,0) | eval iex = if(match(lower(ScriptBlockText),\"iex\"), \"2\", 0) | eval webclient=if(match(lower(ScriptBlockText),\"http\") OR match(lower(ScriptBlockText),\"web(client|request)\") OR match(lower(ScriptBlockText),\"socket\") OR match(lower(ScriptBlockText),\"download(file|string)\") OR match(lower(ScriptBlockText),\"bitstransfer\") OR match(lower(ScriptBlockText),\"internetexplorer.application\") OR match(lower(ScriptBlockText),\"xmlhttp\"),5,0) | eval get = if(match(lower(ScriptBlockText),\"get-\"), \"1\", 0) | eval rundll32 = if(match(lower(ScriptBlockText),\"rundll32\"), \"4\", 0) | eval suspkeywrd=if(match(ScriptBlockText, \"(?i)(bitstransfer|mimik|metasp|AssemblyBuilderAccess|Reflection\\.Assembly|shellcode|injection|cnvert|shell\\.application|start-process|Rc4ByteStream|System\\.Security\\.Cryptography|lsass\\.exe|localadmin|LastLoggedOn|hijack|BackupPrivilege|ngrok|comsvcs|backdoor|brute.?force|Port.?Scan|Exfiltration|exploit|DisableRealtimeMonitoring|beacon)\"),1,0) | eval syswow64 = if(match(lower(ScriptBlockText),\"syswow64\"), \"3\", 0) | eval httplocal = if(match(lower(ScriptBlockText),\"http://127.0.0.1\"), \"4\", 0) | eval reflection = if(match(lower(ScriptBlockText),\"reflection\"), \"1\", 0) | eval invokewmi=if(match(lower(ScriptBlockText), \"(?i)(wmiobject|WMIMethod|RemoteWMI|PowerShellWmi|wmicommand)\"),5,0) | eval downgrade=if(match(ScriptBlockText, \"(?i)([-]ve*r*s*i*o*n*\\s+2)\") OR match(lower(ScriptBlockText),\"powershell -version\"),3,0) | eval compressed=if(match(ScriptBlockText, \"(?i)GZipStream|::Decompress|IO.Compression|write-zip|(expand|compress)-Archive\"),5,0) | eval invokecmd = if(match(lower(ScriptBlockText),\"invoke-command\"), \"4\", 0) | addtotals fieldname=Score DoIt, enccom, suspcmdlet, suspkeywrd, compressed, downgrade, mimikatz, iex, empire, rundll32, webclient, syswow64, httplocal, reflection, invokewmi, invokecmd, base64, get | stats values(Score) by DoIt, enccom, compressed, downgrade, iex, mimikatz, rundll32, empire, webclient, syswow64, httplocal, reflection, invokewmi, invokecmd, base64, get, suspcmdlet, suspkeywrd | `powershell_4104_hunting_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Limited false positives. May filter as needed.", "references": ["https://github.com/inodee/threathunting-spl/blob/master/hunt-queries/powershell_qualifiers.md", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell", "https://github.com/marcurdy/dfir-toolset/blob/master/Powershell%20Blueteam.txt", "https://devblogs.microsoft.com/powershell/powershell-the-blue-team/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging?view=powershell-5.1", "https://www.mandiant.com/resources/greater-visibilityt", "https://hurricanelabs.com/splunk-tutorials/how-to-use-powershell-transcription-logs-in-splunk/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"name": "PowerShell 4104 Hunting", "analytic_story": ["Malicious PowerShell", "Hermetic Wiper", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $Computer$ by user $user$ executing suspicious commands.", "mitre_attack_id": ["T1059", "T1059.001"], "nist": ["DE.AE"], "observable": [{"name": "UserID", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_4104_hunting_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_4104_hunting.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "PowerShell - Connect To Internet With Hidden Window", "id": "ee18ed37-0802-4268-9435-b3b91aaa18db", "version": 8, "date": "2023-04-14", "author": "David Dorsey, Michael Haag Splunk", "type": "Hunting", "status": "production", "description": "The following hunting analytic identifies PowerShell commands utilizing the WindowStyle parameter to hide the window on the compromised endpoint. This combination of command-line options is suspicious because it is overriding the default PowerShell execution policy, attempts to hide its activity from the user, and connects to the Internet. Removed in this version of the query is New-Object. The analytic identifies all variations of WindowStyle, as PowerShell allows the ability to shorten the parameter. For example w, win, windowsty and so forth. In addition, through our research it was identified that PowerShell will interpret different command switch types beyond the hyphen. We have added endash, emdash, horizontal bar, and forward slash.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/|–|—|―]w(in*d*o*w*s*t*y*l*e*)*\\s+[^-]\") | `powershell___connect_to_internet_with_hidden_window_filter`", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "Legitimate process can have this combination of command-line options, but it's not common.", "references": ["https://regexr.com/663rr", "https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1059.001_PowerShell/OutPowerShellCommandLineParameter.ps1", "https://ss64.com/ps/powershell.html", "https://twitter.com/M_haggis/status/1440758396534214658?s=20", "https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading-using-the-log4j2-vulnerability-now/"], "tags": {"name": "PowerShell - Connect To Internet With Hidden Window", "analytic_story": ["AgentTesla", "HAFNIUM Group", "Hermetic Wiper", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Malicious PowerShell", "Data Destruction", "Log4Shell CVE-2021-44228"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Installation"], "message": "PowerShell processes $process$ started with parameters to modify the execution policy of the run, run in a hidden window, and connect to the Internet on host $dest$ executed by user $user$.", "mitre_attack_id": ["T1059.001", "T1059"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.process_name", "Processes.user", "Processes.parent_process_name", "Processes.dest"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "cve": ["CVE-2021-44228"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/hidden_powershell/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "powershell___connect_to_internet_with_hidden_window_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-44228", "cvss": 9.3, "summary": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Powershell COM Hijacking InprocServer32 Modification", "id": "ea61e291-af05-4716-932a-67faddb6ae6f", "version": 1, "date": "2022-09-26", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell ScriptBlock Logging to identify a script that is attempting to modify or add a component object model to inprocserver32 path within the registry.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Software\\\\Classes\\\\CLSID\\\\*\\\\InProcServer32*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_com_hijacking_inprocserver32_modification_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the PowerShell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "False positives will be present if any scripts are adding to inprocserver32. Filter as needed.", "references": ["https://attack.mitre.org/techniques/T1546/015/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html", "https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"], "tags": {"name": "Powershell COM Hijacking InprocServer32 Modification", "analytic_story": ["Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A PowerShell script has been identified with InProcServer32 within the script code on $Computer$.", "mitre_attack_id": ["T1546.015", "T1059", "T1059.001"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.015/atomic_red_team/windows-powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_com_hijacking_inprocserver32_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_com_hijacking_inprocserver32_modification.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Powershell Creating Thread Mutex", "id": "637557ec-ca08-11eb-bd0a-acde48001122", "version": 3, "date": "2022-05-02", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is using the `mutex` function. This function is commonly seen in some obfuscated PowerShell scripts to make sure that only one instance of there process is running on a compromise machine. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Threading.Mutex*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_creating_thread_mutex_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "powershell developer may used this function in their script for instance checking too.", "references": ["https://isc.sans.edu/forums/diary/Some+Powershell+Malicious+Code/22988/", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/"], "tags": {"name": "Powershell Creating Thread Mutex", "analytic_story": ["Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "message": "A suspicious powershell script contains Thread Mutex in $ScriptBlockText$ with EventCode $EventCode$ in host $Computer$", "mitre_attack_id": ["T1027", "T1027.005", "T1059.001"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ScriptBlockText", "Computer", "UserID"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1027.005", "mitre_attack_technique": "Indicator Removal from Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT3", "Deep Panda", "GALLIUM", "OilRig", "Patchwork", "TEMP.Veles", "Turla"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_creating_thread_mutex_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_creating_thread_mutex.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Powershell Disable Security Monitoring", "id": "c148a894-dd93-11eb-bf2a-acde48001122", "version": 3, "date": "2022-07-15", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "This search identifies a modification in registry to disable the windows defender real time behavior monitoring. This event or technique is commonly seen in RATs, bots, or Trojans to disable AV to evade detections.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=\"*set-mppreference*\" AND Processes.process IN (\"*disablerealtimemonitoring*\",\"*disableioavprotection*\",\"*disableintrusionpreventionsystem*\",\"*disablescriptscanning*\",\"*disableblockatfirstseen*\",\"*DisableBehaviorMonitoring*\",\"*drtm *\",\"*dioavp *\",\"*dscrptsc *\",\"*dbaf *\",\"*dbm *\") by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_disable_security_monitoring_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Limited false positives. However, tune based on scripts that may perform this action.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-15---tamper-with-windows-defender-atp-powershell", "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps"], "tags": {"name": "Powershell Disable Security Monitoring", "analytic_story": ["Ransomware", "Revil Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Windows Defender Real-time Behavior Monitoring disabled on $dest$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/pwh_defender_disabling/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "powershell_disable_security_monitoring_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_disable_security_monitoring.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "PowerShell Domain Enumeration", "id": "e1866ce2-ca22-11eb-8e44-acde48001122", "version": 2, "date": "2023-04-14", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \\\nThis analytic identifies specific PowerShell modules typically used to enumerate an organizations domain or users. \\\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText IN (*get-netdomaintrust*, *get-netforesttrust*, *get-addomain*, *get-adgroupmember*, *get-domainuser*) | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_domain_enumeration_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "It is possible there will be false positives, filter as needed.", "references": ["https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"name": "PowerShell Domain Enumeration", "analytic_story": ["Malicious PowerShell", "Hermetic Wiper", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Installation"], "message": "A suspicious powershell script contains domain enumeration command in $ScriptBlockText$ with EventCode $EventCode$ in host $Computer$", "mitre_attack_id": ["T1059", "T1059.001"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/enumeration.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_domain_enumeration_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_domain_enumeration.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "PowerShell Enable PowerShell Remoting", "id": "40e3b299-19a5-4460-96e9-e1467f714f8e", "version": 1, "date": "2023-03-22", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic utilizes PowerShell Script Block Logging (EventCode 4104) to identify the use of Enable-PSRemoting cmdlet. This cmdlet allows users to enable PowerShell remoting on a local or remote computer, which allows other computers to run commands on the target computer. The ability to remotely execute commands can be abused by attackers to take control of compromised systems and pivot to other systems on the network. By detecting the use of Enable-PSRemoting cmdlet via script block logging, this analytic can help organizations identify potential malicious activity related to attackers attempting to gain remote control of compromised systems.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText=\"*Enable-PSRemoting*\" | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `powershell_enable_powershell_remoting_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Note that false positives may occur due to the use of the Enable-PSRemoting cmdlet by legitimate users, such as system administrators. It is recommended to apply appropriate filters as needed to minimize the number of false positives.", "references": ["https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.3"], "tags": {"name": "PowerShell Enable PowerShell Remoting", "analytic_story": ["Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "PowerShell was identified running a Invoke-PSremoting on $Computer$.", "mitre_attack_id": ["T1059.001", "T1059"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ScriptBlockText", "Computer"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/4104-psremoting-windows-powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_enable_powershell_remoting_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_enable_powershell_remoting.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Powershell Enable SMB1Protocol Feature", "id": "afed80b2-d34b-11eb-a952-acde48001122", "version": 2, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious enabling of smb1protocol through `powershell.exe`. This technique was seen in some ransomware (like reddot) where it enable smb share to do the lateral movement and encrypt other files within the compromise network system.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Enable-WindowsOptionalFeature*\" ScriptBlockText = \"*SMB1Protocol*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_enable_smb1protocol_feature_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event.", "known_false_positives": "network operator may enable or disable this windows feature.", "references": ["https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"name": "Powershell Enable SMB1Protocol Feature", "analytic_story": ["Ransomware", "Malicious PowerShell", "Hermetic Wiper", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Powershell Enable SMB1Protocol Feature on $Computer$", "mitre_attack_id": ["T1027", "T1027.005"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ScriptBlockText", "Computer", "UserID"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1027.005", "mitre_attack_technique": "Indicator Removal from Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT3", "Deep Panda", "GALLIUM", "OilRig", "Patchwork", "TEMP.Veles", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_enable_smb1protocol_feature_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_enable_smb1protocol_feature.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Powershell Execute COM Object", "id": "65711630-f9bf-11eb-8d72-acde48001122", "version": 2, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a COM CLSID execution through powershell. This technique was seen in several adversaries and malware like ransomware conti where it has a feature to execute command using COM Object. This technique may use by network operator at some cases but a good indicator if some application want to gain privilege escalation or bypass uac.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*CreateInstance([type]::GetTypeFromCLSID*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_execute_com_object_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "network operrator may use this command.", "references": ["https://threadreaderapp.com/thread/1423361119926816776.html", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"name": "Powershell Execute COM Object", "analytic_story": ["Ransomware", "Malicious PowerShell", "Hermetic Wiper", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A suspicious powershell script contains COM CLSID command in $ScriptBlockText$ with EventCode $EventCode$ in host $Computer$", "mitre_attack_id": ["T1546.015", "T1546", "T1059.001"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Computer", "EventCode"], "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.015/pwh_com_object/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_execute_com_object_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_execute_com_object.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Powershell Fileless Process Injection via GetProcAddress", "id": "a26d9db4-c883-11eb-9d75-acde48001122", "version": 2, "date": "2023-04-14", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. \\\nThis analytic identifies `GetProcAddress` in the script block. This is not normal to be used by most PowerShell scripts and is typically unsafe/malicious. Many attack toolkits use GetProcAddress to obtain code execution. \\\nIn use, `$var_gpa = $var_unsafe_native_methods.GetMethod(GetProcAddress` and later referenced/executed elsewhere. \\\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText=*getprocaddress* | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_fileless_process_injection_via_getprocaddress_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Limited false positives. Filter as needed.", "references": ["https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"name": "Powershell Fileless Process Injection via GetProcAddress", "analytic_story": ["Malicious PowerShell", "Hermetic Wiper", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A suspicious powershell script contains GetProcAddress API in $ScriptBlockText$ with EventCode $EventCode$ in host $Computer$", "mitre_attack_id": ["T1059", "T1055", "T1059.001"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_fileless_process_injection_via_getprocaddress_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_fileless_process_injection_via_getprocaddress.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "id": "8acbc04c-c882-11eb-b060-acde48001122", "version": 3, "date": "2023-04-05", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \\\nThis analytic identifies `FromBase64String` within the script block. A typical malicious instance will include additional code. \\\nCommand example - `[Byte[]]$var_code = [System.Convert]::FromBase64String(38uqIyMjQ6rG....` \\\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*frombase64string*\" OR ScriptBlockText = \"*gnirtS46esaBmorF*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_fileless_script_contains_base64_encoded_content_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited. Filter as needed.", "references": ["https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "analytic_story": ["Hermetic Wiper", "Malicious PowerShell", "Winter Vivern", "AsyncRAT", "Data Destruction", "IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A suspicious powershell script contains base64 command in $ScriptBlockText$ with EventCode $EventCode$ in host $Computer$", "mitre_attack_id": ["T1059", "T1027", "T1059.001"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/frombase64string.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_fileless_script_contains_base64_encoded_content_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "PowerShell Get LocalGroup Discovery", "id": "b71adfcc-155b-11ec-9413-acde48001122", "version": 1, "date": "2021-09-14", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following hunting analytic identifies the use of `get-localgroup` being used with PowerShell to identify local groups on the endpoint. During triage, review parallel processes and identify any further suspicious behavior.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=powershell.exe OR Processes.process_name=cmd.exe) (Processes.process=\"*get-localgroup*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `powershell_get_localgroup_discovery_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present. Tune as needed.", "references": ["https://attack.mitre.org/techniques/T1069/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"], "tags": {"name": "PowerShell Get LocalGroup Discovery", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Local group discovery on $dest$ by $user$.", "mitre_attack_id": ["T1069", "T1069.001"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "admin@338"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "powershell_get_localgroup_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_get_localgroup_discovery.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Powershell Get LocalGroup Discovery with Script Block Logging", "id": "d7c6ad22-155c-11ec-bb64-acde48001122", "version": 2, "date": "2022-04-26", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \\\nThis analytic identifies PowerShell cmdlet - `get-localgroup` being ran. Typically, by itself, is not malicious but may raise suspicion based on time of day, endpoint and username. \\\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*get-localgroup*\" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_get_localgroup_discovery_with_script_block_logging_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives may be present. Tune as needed.", "references": ["https://www.splunk.com/en_us/blog/security/powershell-detections-threat-research-release-august-2021.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/"], "tags": {"name": "Powershell Get LocalGroup Discovery with Script Block Logging", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Local group discovery on $dest$ by $user$.", "mitre_attack_id": ["T1069", "T1069.001"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "admin@338"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/getlocalgroup.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_get_localgroup_discovery_with_script_block_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_get_localgroup_discovery_with_script_block_logging.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "PowerShell Invoke CIMMethod CIMSession", "id": "651ee958-a433-471c-b264-39725b788b83", "version": 1, "date": "2023-03-22", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic identifies the use of the New-CIMSession cmdlet being created along with the Invoke-CIMMethod cmdlet being used within PowerShell. This particular behavior is similar to the usage of the Invoke-WMIMethod cmdlet, which is known for executing WMI commands on targets using NTLMv2 pass-the-hash authentication. The New-CIMSession cmdlet allows users to create a new CIM session object for a specified computer system, which can then be used to execute CIM operations remotely. Similarly, the Invoke-CIMMethod cmdlet is used to invoke a specified method on one or more CIM objects. Therefore, the combination of New-CIMSession and Invoke-CIMMethod cmdlets in PowerShell can potentially indicate malicious behavior, and this analytic can help detect such activity.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*invoke-CIMMethod*\", \"*New-CimSession*\") | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_invoke_cimmethod_cimsession_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives may be present based on third-party applications or administrators using CIM. It is recommended to apply appropriate filters as needed to minimize the number of false positives.", "references": ["https://learn.microsoft.com/en-us/powershell/module/cimcmdlets/invoke-cimmethod?view=powershell-7.3"], "tags": {"name": "PowerShell Invoke CIMMethod CIMSession", "analytic_story": ["Malicious PowerShell", "Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "PowerShell was identified running a Invoke-CIMMethod Invoke-CIMSession on $Computer$.", "mitre_attack_id": ["T1047"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ScriptBlockText", "Computer"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/4104-cimmethod-windows-powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_invoke_cimmethod_cimsession_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_invoke_cimmethod_cimsession.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "PowerShell Invoke WmiExec Usage", "id": "0734bd21-2769-4972-a5f1-78bb1e011224", "version": 1, "date": "2023-03-22", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "This analytic detects the usage of the Invoke-WMIExec utility within PowerShell Script Block Logging (EventCode 4104). The utility is used for executing WMI commands on targets using NTLMv2 pass-the-hash authentication.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*invoke-wmiexec*\") | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_invoke_wmiexec_usage_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited as this analytic is designed to detect a specific utility. It is recommended to apply appropriate filters as needed to minimize the number of false positives.", "references": ["https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-WMIExec.ps1"], "tags": {"name": "PowerShell Invoke WmiExec Usage", "analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Installation"], "message": "PowerShell was identified running a Invoke-WmiExec on $Computer$.", "mitre_attack_id": ["T1047"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ScriptBlockText", "Computer"], "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/invokewmiexec_windows-powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_invoke_wmiexec_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_invoke_wmiexec_usage.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Powershell Load Module in Meterpreter", "id": "d5905da5-d050-48db-9259-018d8f034fcf", "version": 1, "date": "2022-11-22", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \\\nThis analytic identifies \"MSF.Powershell\",\"MSF.Powershell.Meterpreter\",\"MSF.Powershell.Meterpreter.Kiwi\",\"MSF.Powershell.Meterpreter.Transport\" being used. This behavior is related to when a Meterpreter session is started and the operator runs load_kiwi. \\\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*MSF.Powershell*\",\"*MSF.Powershell.Meterpreter*\",\"*MSF.Powershell.Meterpreter.Kiwi*\",\"*MSF.Powershell.Meterpreter.Transport*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_load_module_in_meterpreter_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "False positives should be very limited as this is strict to MetaSploit behavior.", "references": ["https://github.com/OJ/metasploit-payloads/blob/master/powershell/MSF.Powershell/Scripts.cs"], "tags": {"name": "Powershell Load Module in Meterpreter", "analytic_story": ["MetaSploit"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Installation"], "message": "PowerShell was identified running a script utilized by Meterpreter from MetaSploit on endpoint $Computer$ by user $user_id$.", "mitre_attack_id": ["T1059", "T1059.001"], "nist": ["DE.CM"], "observable": [{"name": "user_id", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ScriptBlockText", "Computer", "User_id"], "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/metasploit/msf.powershell.powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_load_module_in_meterpreter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_load_module_in_meterpreter.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "id": "85bc3f30-ca28-11eb-bd21-acde48001122", "version": 3, "date": "2023-04-05", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. \\\nThis analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. \\\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*[system.reflection.assembly]::load(*\",\"*[reflection.assembly]*\", \"*reflection.assembly*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_loading_dotnet_into_memory_via_reflection_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited as day to day scripts do not use this method.", "references": ["https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly?view=net-5.0", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/"], "tags": {"name": "PowerShell Loading DotNET into Memory via Reflection", "analytic_story": ["Winter Vivern", "AgentTesla", "AsyncRAT", "Hermetic Wiper", "Malicious PowerShell", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation"], "message": "A suspicious powershell script contains reflective class assembly command in $ScriptBlockText$ to load .net code in memory with EventCode $EventCode$ in host $Computer$", "mitre_attack_id": ["T1059", "T1059.001"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/reflection.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_loading_dotnet_into_memory_via_reflection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Powershell Processing Stream Of Data", "id": "0d718b52-c9f1-11eb-bc61-acde48001122", "version": 2, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is processing compressed stream data. This is typically found in obfuscated PowerShell or PowerShell executing embedded .NET or binary files that are stream flattened and will be deflated durnig execution. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*IO.Compression.*\" OR ScriptBlockText = \"*IO.StreamReader*\" OR ScriptBlockText = \"*]::Decompress*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_processing_stream_of_data_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "powershell may used this function to process compressed data.", "references": ["https://medium.com/@ahmedjouini99/deobfuscating-emotets-powershell-payload-e39fb116f7b9", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"name": "Powershell Processing Stream Of Data", "analytic_story": ["Malicious PowerShell", "AsyncRAT", "Hermetic Wiper", "Data Destruction", "IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Installation"], "message": "A suspicious powershell script contains stream command in $ScriptBlockText$ commonly for processing compressed or to decompressed binary file with EventCode $EventCode$ in host $Computer$", "mitre_attack_id": ["T1059", "T1059.001"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ScriptBlockText", "Computer", "UserID", "Score"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/streamreader.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_processing_stream_of_data_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_processing_stream_of_data.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Powershell Remote Thread To Known Windows Process", "id": "ec102cb2-a0f5-11eb-9b38-acde48001122", "version": 2, "date": "2022-08-25", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "this search is designed to detect suspicious powershell process that tries to inject code and to known/critical windows process and execute it using CreateRemoteThread. This technique is seen in several malware like trickbot and offensive tooling like cobaltstrike where it load a shellcode to svchost.exe to execute reverse shell to c2 and download another payload", "data_source": [], "search": "`sysmon` EventCode = 8 parent_process_name IN (\"powershell_ise.exe\", \"powershell.exe\") TargetImage IN (\"*\\\\svchost.exe\",\"*\\\\csrss.exe\" \"*\\\\gpupdate.exe\", \"*\\\\explorer.exe\",\"*\\\\services.exe\",\"*\\\\winlogon.exe\",\"*\\\\smss.exe\",\"*\\\\wininit.exe\",\"*\\\\userinit.exe\",\"*\\\\spoolsv.exe\",\"*\\\\taskhost.exe\") | stats min(_time) as firstTime max(_time) as lastTime count by SourceImage process_name SourceProcessId SourceProcessGuid TargetImage TargetProcessId NewThreadId StartAddress Computer EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_remote_thread_to_known_windows_process_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, Create Remote thread from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of create remote thread may be used.", "known_false_positives": "unknown", "references": ["https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/"], "tags": {"name": "Powershell Remote Thread To Known Windows Process", "analytic_story": ["Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "A suspicious powershell process $process_name$ that tries to create a remote thread on target process $TargetImage$ with eventcode $EventCode$ in host $Computer$", "mitre_attack_id": ["T1055"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "SourceImage", "process_name", "SourceProcessId", "SourceProcessGuid", "TargetImage", "TargetProcessId", "NewThreadId", "StartAddress", "Computer", "EventCode"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/infection/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_remote_thread_to_known_windows_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_remote_thread_to_known_windows_process.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Powershell Remove Windows Defender Directory", "id": "adf47620-79fa-11ec-b248-acde48001122", "version": 3, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic will identify a suspicious PowerShell command used to delete the Windows Defender folder. This technique was seen used by the WhisperGate malware campaign where it used Nirsofts advancedrun.exe to gain administrative privileges to then execute a PowerShell command to delete the Windows Defender folder. This is a good indicator the offending process is trying corrupt a Windows Defender installation.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*rmdir *\" AND ScriptBlockText = \"*\\\\Microsoft\\\\Windows Defender*\" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_remove_windows_defender_directory_filter` ", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "unknown", "references": ["https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"name": "Powershell Remove Windows Defender Directory", "analytic_story": ["Data Destruction", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "suspicious powershell script $ScriptBlockText$ was executed on the $Computer$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_remove_windows_defender_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_remove_windows_defender_directory.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "PowerShell Start-BitsTransfer", "id": "39e2605a-90d8-11eb-899e-acde48001122", "version": 2, "date": "2021-03-29", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "Start-BitsTransfer is the PowerShell \"version\" of BitsAdmin.exe. Similar functionality is present. This technique variation is not as commonly used by adversaries, but has been abused in the past. Lesser known uses include the ability to set the `-TransferType` to `Upload` for exfiltration of files. In an instance where `Upload` is used, it is highly possible files will be archived. During triage, review parallel processes and process lineage. Capture any files on disk and review. For the remote domain or IP, what is the reputation?", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*start-bitstransfer* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.original_file_name Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_start_bitstransfer_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Limited false positives. It is possible administrators will utilize Start-BitsTransfer for administrative tasks, otherwise filter based parent process or command-line arguments.", "references": ["https://isc.sans.edu/diary/Investigating+Microsoft+BITS+Activity/23281", "https://docs.microsoft.com/en-us/windows/win32/bits/using-windows-powershell-to-create-bits-transfer-jobs"], "tags": {"name": "PowerShell Start-BitsTransfer", "analytic_story": ["BITS Jobs"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "message": "A suspicious process $process_name$ with commandline $process$ that are related to bittransfer functionality in host $dest$", "mitre_attack_id": ["T1197"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1197", "mitre_attack_technique": "BITS Jobs", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT39", "APT41", "Leviathan", "Patchwork"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "powershell_start_bitstransfer_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_start_bitstransfer.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "PowerShell Start or Stop Service", "id": "04207f8a-e08d-4ee6-be26-1e0c4488b04a", "version": 1, "date": "2023-03-24", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic identifies the use of PowerShell's Start-Service or Stop-Service cmdlets on an endpoint. These cmdlets allow users to start or stop a specified Windows service. The ability to manipulate services can be leveraged by attackers to disable or stop critical services, which can cause system instability or disrupt business operations. By detecting the use of Start-Service or Stop-Service cmdlets via PowerShell, this analytic can help organizations identify potential malicious activity related to attackers attempting to manipulate services on compromised systems. However, note that this behavior may be noisy, as these cmdlets are commonly used by system administrators or other legitimate users to manage services. Therefore, it is recommended not to enable this analytic as a direct notable or TTP. Instead, it should be used as part of a broader set of security controls to detect and investigate potential threats.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*start-service*\", \"*stop-service*\") | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_start_or_stop_service_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "This behavior may be noisy, as these cmdlets are commonly used by system administrators or other legitimate users to manage services. Therefore, it is recommended not to enable this analytic as a direct notable or TTP. Instead, it should be used as part of a broader set of security controls to detect and investigate potential threats.", "references": ["https://learn-powershell.net/2012/01/15/startingstopping-and-restarting-remote-services-with-powershell/", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/start-service?view=powershell-7.3"], "tags": {"name": "PowerShell Start or Stop Service", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 20, "impact": 50, "kill_chain_phases": ["Installation"], "message": "PowerShell was identified attempting to start or stop a service on $Computer$.", "mitre_attack_id": ["T1059.001"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ScriptBlockText", "Computer"], "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/start_stop_service_windows-powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_start_or_stop_service_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_start_or_stop_service.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Powershell Using memory As Backing Store", "id": "c396a0c4-c9f2-11eb-b4f5-acde48001122", "version": 2, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is using memory stream as new object backstore. The malicious PowerShell script will contain stream flate data and will be decompressed in memory to run or drop the actual payload. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = *New-Object* ScriptBlockText = *IO.MemoryStream* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_using_memory_as_backing_store_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "powershell may used this function to store out object into memory.", "references": ["https://web.archive.org/web/20201112031711/https://www.carbonblack.com/blog/decoding-malicious-powershell-streams/", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"name": "Powershell Using memory As Backing Store", "analytic_story": ["Malicious PowerShell", "Hermetic Wiper", "Data Destruction", "IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Installation"], "message": "A PowerShell script contains memorystream command in $ScriptBlockText$ as new object backstore with EventCode $EventCode$ on host $Computer$.", "mitre_attack_id": ["T1059.001", "T1059"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ScriptBlockText", "Computer", "UserID"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/honeypots/pwsh/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_using_memory_as_backing_store_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_using_memory_as_backing_store.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Powershell Windows Defender Exclusion Commands", "id": "907ac95c-4dd9-11ec-ba2c-acde48001122", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic will detect a suspicious process commandline related to windows defender exclusion feature. This command is abused by adversaries, malware author and red teams to bypassed Windows Defender Anti-Virus product by excluding folder path, file path, process, extensions and etc. from its real time or schedule scan to execute their malicious code. This is a good indicator for defense evasion and to look further for events after this behavior.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (Message = \"*Add-MpPreference *\" OR Message = \"*Set-MpPreference *\") AND Message = \"*-exclusion*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_windows_defender_exclusion_commands_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "admin or user may choose to use this windows features.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html", "https://app.any.run/tasks/cf1245de-06a7-4366-8209-8e3006f2bfe5/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"name": "Powershell Windows Defender Exclusion Commands", "analytic_story": ["CISA AA22-320A", "AgentTesla", "Remcos", "Windows Defense Evasion Tactics", "Data Destruction", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "exclusion command $Message$ executed on $ComputerName$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "User", "type": "User", "role": ["Victim"]}, {"name": "ComputerName", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Message", "ComputerName", "User"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/defender_exclusion_powershell/powershell.log", "source": "WinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_windows_defender_exclusion_commands_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_windows_defender_exclusion_commands.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Prevent Automatic Repair Mode using Bcdedit", "id": "7742aa92-c9d9-11eb-bbfc-acde48001122", "version": 1, "date": "2021-06-10", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious bcdedit.exe execution to ignore all failures. This technique was used by ransomware to prevent the compromise machine automatically boot in repair mode.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"bcdedit.exe\" Processes.process = \"*bootstatuspolicy*\" Processes.process = \"*ignoreallfailures*\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `prevent_automatic_repair_mode_using_bcdedit_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed bcdedit.exe may be used.", "known_false_positives": "Administrators may modify the boot configuration ignore failure during testing and debugging.", "references": ["https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf"], "tags": {"name": "Prevent Automatic Repair Mode using Bcdedit", "analytic_story": ["Ransomware", "Chaos Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "message": "A suspicious process $process_name$ with process id $process_id$ contains commandline $process$ to ignore all bcdedit execution failure in host $dest$", "mitre_attack_id": ["T1490"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.dest", "Processes.user", "Processes.process_id", "Processes.process_guid"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data1/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "prevent_automatic_repair_mode_using_bcdedit_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Print Processor Registry Autostart", "id": "1f5b68aa-2037-11ec-898e-acde48001122", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "experimental", "description": "This analytic is to detect a suspicious modification or new registry entry regarding print processor. This registry is known to be abuse by turla or other APT to gain persistence and privilege escalation to the compromised machine. This is done by adding the malicious dll payload on the new created key in this registry that will be executed as it restarted the spoolsv.exe process and services.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path =\"*\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Print Processors*\" by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `print_processor_registry_autostart_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "possible new printer installation may add driver component on this registry.", "references": ["https://attack.mitre.org/techniques/T1547/012/", "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/"], "tags": {"name": "Print Processor Registry Autostart", "analytic_story": ["Data Destruction", "Windows Privilege Escalation", "Hermetic Wiper", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "modified/added/deleted registry entry $Registry.registry_path$ in $dest$", "mitre_attack_id": ["T1547.012", "T1547"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.user", "Registry.registry_path", "Registry.registry_key_name", "Registry.registry_value_name"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/print_reg/sysmon_print.log", "source": "WinEventLog:Microsoft-Windows-PrintService/Operational", "sourcetype": "WinEventLog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "print_processor_registry_autostart_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/print_processor_registry_autostart.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Print Spooler Adding A Printer Driver", "id": "313681a2-da8e-11eb-adad-acde48001122", "version": 1, "date": "2021-07-01", "author": "Mauricio Velazco, Michael Haag, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies new printer drivers being load by utilizing the Windows PrintService operational logs, EventCode 316. This was identified during our testing of CVE-2021-34527 previously (CVE-2021-1675) or PrintNightmare. \\\nWithin the proof of concept code, the following event will occur - \"Printer driver 1234 for Windows x64 Version-3 was added or updated. Files:- UNIDRV.DLL, kernelbase.dll, evil.dll. No user action is required.\" \\\nDuring triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events and review the source of where the exploitation began.", "data_source": ["Sysmon Event ID 3"], "search": "`printservice` EventCode=316 category = \"Adding a printer driver\" Message = \"*kernelbase.dll,*\" Message = \"*UNIDRV.DLL,*\" Message = \"*.DLL.*\" | stats count min(_time) as firstTime max(_time) as lastTime by OpCode EventCode ComputerName Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `print_spooler_adding_a_printer_driver_filter`", "how_to_implement": "You will need to ensure PrintService Admin and Operational logs are being logged to Splunk from critical or all systems.", "known_false_positives": "Unknown. This may require filtering.", "references": ["https://twitter.com/MalwareJake/status/1410421445608476679?s=20", "https://www.truesec.com/hub/blog/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available", "https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "tags": {"name": "Print Spooler Adding A Printer Driver", "analytic_story": ["PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "Suspicious print driver was loaded on endpoint $ComputerName$.", "mitre_attack_id": ["T1547.012", "T1547"], "nist": ["DE.CM"], "observable": [{"name": "ComputerName", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "OpCode", "EventCode", "ComputerName", "Message"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "cve": ["CVE-2021-34527", "CVE-2021-1675"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-printservice_operational.log", "source": "WinEventLog:Microsoft-Windows-PrintService/Operational", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "printservice", "definition": "source=\"wineventlog:microsoft-windows-printservice/operational\" OR source=\"WinEventLog:Microsoft-Windows-PrintService/Admin\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "print_spooler_adding_a_printer_driver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-34527", "cvss": 9.0, "summary": "Windows Print Spooler Remote Code Execution Vulnerability"}, {"id": "CVE-2021-1675", "cvss": 9.3, "summary": "Windows Print Spooler Elevation of Privilege Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/print_spooler_adding_a_printer_driver.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Print Spooler Failed to Load a Plug-in", "id": "1adc9548-da7c-11eb-8f13-acde48001122", "version": 1, "date": "2021-07-01", "author": "Mauricio Velazco, Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies driver load errors utilizing the Windows PrintService Admin logs. This was identified during our testing of CVE-2021-34527 previously (CVE-2021-1675) or PrintNightmare. \\\nWithin the proof of concept code, the following error will occur - \"The print spooler failed to load a plug-in module C:\\Windows\\system32\\spool\\DRIVERS\\x64\\3\\meterpreter.dll, error code 0x45A. See the event user data for context information.\" \\\nThe analytic is based on file path and failure to load the plug-in. \\\nDuring triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events.", "data_source": [], "search": "`printservice` ((ErrorCode=\"0x45A\" (EventCode=\"808\" OR EventCode=\"4909\")) OR (\"The print spooler failed to load a plug-in module\" OR \"\\\\drivers\\\\x64\\\\\")) | stats count min(_time) as firstTime max(_time) as lastTime by OpCode EventCode ComputerName Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `print_spooler_failed_to_load_a_plug_in_filter`", "how_to_implement": "You will need to ensure PrintService Admin and Operational logs are being logged to Splunk from critical or all systems.", "known_false_positives": "False positives are unknown and filtering may be required.", "references": ["https://www.truesec.com/hub/blog/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available", "https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "tags": {"name": "Print Spooler Failed to Load a Plug-in", "analytic_story": ["PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "Suspicious printer spooler errors have occured on endpoint $ComputerName$ with EventCode $EventCode$.", "mitre_attack_id": ["T1547.012", "T1547"], "nist": ["DE.CM"], "observable": [{"name": "ComputerName", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "OpCode", "EventCode", "ComputerName", "Message"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "cve": ["CVE-2021-34527", "CVE-2021-1675"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-printservice_admin.log", "source": "WinEventLog:Microsoft-Windows-PrintService/Admin", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "printservice", "definition": "source=\"wineventlog:microsoft-windows-printservice/operational\" OR source=\"WinEventLog:Microsoft-Windows-PrintService/Admin\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "print_spooler_failed_to_load_a_plug_in_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-34527", "cvss": 9.0, "summary": "Windows Print Spooler Remote Code Execution Vulnerability"}, {"id": "CVE-2021-1675", "cvss": 9.3, "summary": "Windows Print Spooler Elevation of Privilege Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Process Creating LNK file in Suspicious Location", "id": "5d814af1-1041-47b5-a9ac-d754e82e9a26", "version": 5, "date": "2021-08-26", "author": "Jose Hernandez, Splunk", "type": "TTP", "status": "production", "description": "This search looks for a process launching an `*.lnk` file under `C:\\User*` or `*\\Local\\Temp\\*`. This is common behavior used by various spear phishing tools.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name=\"*.lnk\" AND (Filesystem.file_path=\"C:\\\\User\\\\*\" OR Filesystem.file_path=\"*\\\\Temp\\\\*\") by _time span=1h Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.file_hash Filesystem.user | `drop_dm_object_name(Filesystem)` | rename process_guid as lnk_guid | join lnk_guid, _time [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=* by _time span=1h Processes.parent_process_guid Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process | `drop_dm_object_name(Processes)` | rename parent_process_guid as lnk_guid | fields _time lnk_guid process_id dest process_name process_path process] | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime, lastTime, lnk_guid, process_id, user, dest, file_name, file_path, process_name, process, process_path, file_hash | `process_creating_lnk_file_in_suspicious_location_filter`", "how_to_implement": "You must be ingesting data that records filesystem and process activity from your hosts to populate the Endpoint data model. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon.", "known_false_positives": "This detection should yield little or no false positive results. It is uncommon for LNK files to be executed from temporary or user directories.", "references": ["https://attack.mitre.org/techniques/T1566/001/", "https://www.trendmicro.com/en_us/research/17/e/rising-trend-attackers-using-lnk-files-download-malware.html", "https://twitter.com/pr0xylife/status/1590394227758104576"], "tags": {"name": "Process Creating LNK file in Suspicious Location", "analytic_story": ["Spearphishing Attachments", "Qakbot", "IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "message": "A process $process_name$ that launching .lnk file in $file_path$ in host $dest$", "mitre_attack_id": ["T1566", "T1566.002"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.file_name", "Filesystem.file_path", "Filesystem.process_id", "Filesystem.file_name", "Filesystem.file_path", "Filesystem.file_hash", "Filesystem.user"], "risk_score": 63, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.002/lnk_file_temp_folder/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_creating_lnk_file_in_suspicious_location_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Process Deleting Its Process File Path", "id": "f7eda4bc-871c-11eb-b110-acde48001122", "version": 2, "date": "2023-04-14", "author": "Teoderick Contreras", "type": "TTP", "status": "production", "description": "This detection is to identify a suspicious process that tries to delete the process file path related to its process. This technique is known to be defense evasion once a certain condition of malware is satisfied or not. Clop ransomware use this technique where it will try to delete its process file path using a .bat command if the keyboard layout is not the layout it tries to infect.", "data_source": ["Sysmon Event ID 1"], "search": "`sysmon` EventCode=1 CommandLine = \"* /c *\" CommandLine = \"* del*\" Image = \"*\\\\cmd.exe\" | eval result = if(like(process,\"%\".parent_process.\"%\"), \"Found\", \"Not Found\") | stats min(_time) as firstTime max(_time) as lastTime count by Computer user ParentImage ParentCommandLine Image CommandLine EventCode ProcessID result | where result = \"Found\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `process_deleting_its_process_file_path_filter`", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "unknown", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"name": "Process Deleting Its Process File Path", "analytic_story": ["Clop Ransomware", "Data Destruction", "WhisperGate", "Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "A process $Image$ tries to delete its process path in commandline $cmdline$ as part of defense evasion in host $Computer$", "mitre_attack_id": ["T1070"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["EventCode", "Computer", "user", "ParentImage", "ParentCommandLine", "Image", "cmdline", "ProcessID", "result", "_time"], "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "process_deleting_its_process_file_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/process_deleting_its_process_file_path.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Process Execution via WMI", "id": "24869767-8579-485d-9a4f-d9ddfd8f0cac", "version": 4, "date": "2020-03-16", "author": "Rico Valdez, Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies `WmiPrvSE.exe` spawning a process. This typically occurs when a process is instantiated from a local or remote process using `wmic.exe`. During triage, review parallel processes for suspicious behavior or commands executed. Review the process and command-line spawning from `wmiprvse.exe`. Contain and remediate the endpoint as necessary.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=WmiPrvSE.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `process_execution_via_wmi_filter` ", "how_to_implement": "You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "Although unlikely, administrators may use wmi to execute commands for legitimate purposes.", "references": [], "tags": {"name": "Process Execution via WMI", "analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "message": "A remote instance execution of wmic.exe that will spawn $parent_process_name$ in host $dest$", "mitre_attack_id": ["T1047"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.parent_process_name", "Processes.user", "Processes.dest", "Processes.process_name"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_execution_via_wmi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/process_execution_via_wmi.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Process Kill Base On File Path", "id": "5ffaa42c-acdb-11eb-9ad3-acde48001122", "version": 2, "date": "2021-05-04", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of `wmic.exe` using `delete` to remove a executable path. This is typically ran via a batch file during beginning stages of an adversary setting up for mining on an endpoint.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` AND Processes.process=\"*process*\" AND Processes.process=\"*executablepath*\" AND Processes.process=\"*delete*\" by Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `process_kill_base_on_file_path_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Unknown.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"name": "Process Kill Base On File Path", "analytic_story": ["XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "A process $process_name$ attempt to kill process by its file path using commandline $process$ in host $dest$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_kill_base_on_file_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/process_kill_base_on_file_path.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Process Writing DynamicWrapperX", "id": "b0a078e4-2601-11ec-9aec-acde48001122", "version": 1, "date": "2021-10-05", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "DynamicWrapperX is an ActiveX component that can be used in a script to call Windows API functions, but it requires the dynwrapx.dll to be installed and registered. With that, a binary writing dynwrapx.dll to disk and registering it into the registry is highly suspect. Why is it needed? In most malicious instances, it will be written to disk at a non-standard location. During triage, review parallel processes and pivot on the process_guid. Review the registry for any suspicious modifications meant to load dynwrapx.dll. Identify any suspicious module loads of dynwrapx.dll. This will identify the process that will invoke vbs/wscript/cscript.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by _time Processes.process_id Processes.process_name Processes.dest Processes.process_guid Processes.user | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_name=\"dynwrapx.dll\" by _time Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid Filesystem.user | `drop_dm_object_name(Filesystem)` | fields _time process_guid file_path file_name file_create_time user dest process_name] | stats count min(_time) as firstTime max(_time) as lastTime by dest process_name process_guid file_name file_path file_create_time user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `process_writing_dynamicwrapperx_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited, however it is possible to filter by Processes.process_name and specific processes (ex. wscript.exe). Filter as needed. This may need modification based on EDR telemetry and how it brings in registry data. For example, removal of (Default).", "references": ["https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/", "https://www.script-coding.com/dynwrapx_eng.html", "https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/", "https://tria.ge/210929-ap75vsddan", "https://www.virustotal.com/gui/file/cb77b93150cb0f7fe65ce8a7e2a5781e727419451355a7736db84109fa215a89"], "tags": {"name": "Process Writing DynamicWrapperX", "analytic_story": ["Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation"], "message": "An instance of $process_name$ was identified on endpoint $dest$ downloading the DynamicWrapperX dll.", "mitre_attack_id": ["T1059", "T1559.001"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "process_name", "process_guid", "file_name", "file_path", "file_create_time user"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1559.001", "mitre_attack_technique": "Component Object Model", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["Gamaredon Group", "MuddyWater"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_writing_dynamicwrapperx_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/process_writing_dynamicwrapperx.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Processes launching netsh", "id": "b89919ed-fe5f-492c-b139-95dbb162040e", "version": 4, "date": "2021-09-16", "author": "Michael Haag, Josef Kuepker, Splunk", "type": "Anomaly", "status": "production", "description": "This search looks for processes launching netsh.exe. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process) AS Processes.process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` by Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.user Processes.dest |`drop_dm_object_name(\"Processes\")` |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`processes_launching_netsh_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Some VPN applications are known to launch netsh.exe. Outside of these instances, it is unusual for an executable to launch netsh.exe and run commands.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"name": "Processes launching netsh", "analytic_story": ["Netsh Abuse", "Disabling Security Tools", "DHS Report TA18-074A", "Azorult", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 20, "kill_chain_phases": ["Exploitation"], "message": "A process $process_name$ has launched netsh with command-line $process$ on $dest$.", "mitre_attack_id": ["T1562.004", "T1562"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.user", "Processes.dest"], "risk_score": 14, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_netsh", "definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "processes_launching_netsh_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/processes_launching_netsh.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Processes Tapping Keyboard Events", "id": "2a371608-331d-4034-ae2c-21dda8f1d0ec", "version": 1, "date": "2019-01-25", "author": "Jose Hernandez, Splunk", "type": "TTP", "status": "experimental", "description": "This search looks for processes in an MacOS system that is tapping keyboard events in MacOS, and essentially monitoring all keystrokes made by a user. This is a common technique used by RATs to log keystrokes from a victim, although it can also be used by legitimate processes like Siri to react on human input", "data_source": [], "search": "| from datamodel Alerts.Alerts | search app=osquery:results name=pack_osx-attacks_Keyboard_Event_Taps | rename columns.cmdline as cmd, columns.name as process_name, columns.pid as process_id| dedup host,process_name | table host,process_name, cmd, process_id | `processes_tapping_keyboard_events_filter`", "how_to_implement": "In order to properly run this search, Splunk needs to ingest data from your osquery deployed agents with the [osx-attacks.conf](https://github.com/facebook/osquery/blob/experimental/packs/osx-attacks.conf#L599) pack enabled. Also the [TA-OSquery](https://github.com/d1vious/TA-osquery) must be deployed across your indexers and universal forwarders in order to have the osquery data populate the Alerts data model.", "known_false_positives": "There might be some false positives as keyboard event taps are used by processes like Siri and Zoom video chat, for some good examples of processes to exclude please see [this](https://github.com/facebook/osquery/pull/5345#issuecomment-454639161) comment.", "references": [], "tags": {"name": "Processes Tapping Keyboard Events", "analytic_story": ["ColdRoot MacOS RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "app", "name", "columns.cmdline", "columns.name", "columns.pid", "host"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "processes_tapping_keyboard_events_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/processes_tapping_keyboard_events.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Randomly Generated Scheduled Task Name", "id": "9d22a780-5165-11ec-ad4f-3e22fbd008af", "version": 1, "date": "2021-11-29", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "experimental", "description": "The following hunting analytic leverages Event ID 4698, `A scheduled task was created`, to identify the creation of a Scheduled Task with a suspicious, high entropy, Task Name. To achieve this, this analytic also leverages the `ut_shannon` function from the URL ToolBox Splunk application. Red teams and adversaries alike may abuse the Task Scheduler to create and start a remote Scheduled Task and obtain remote code execution. To achieve this goal, tools like Impacket or Crapmapexec, typically create a Scheduled Task with a random task name on the victim host. This hunting analytic may help defenders identify Scheduled Tasks created as part of a lateral movement attack. The entropy threshold `ut_shannon > 3` should be customized by users. The Command field can be used to determine if the task has malicious intent or not.", "data_source": ["Windows Security 4698"], "search": " `wineventlog_security` EventCode=4698 | xmlkv Message | lookup ut_shannon_lookup word as Task_Name | where ut_shannon > 3 | table _time, dest, Task_Name, ut_shannon, Command, Author, Enabled, Hidden | `randomly_generated_scheduled_task_name_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA as well as the URL ToolBox application are also required.", "known_false_positives": "Legitimate applications may use random Scheduled Task names.", "references": ["https://attack.mitre.org/techniques/T1053/005/", "https://splunkbase.splunk.com/app/2734/", "https://en.wikipedia.org/wiki/Entropy_(information_theory)"], "tags": {"name": "Randomly Generated Scheduled Task Name", "analytic_story": ["Active Directory Lateral Movement", "CISA AA22-257A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A windows scheduled task with a suspicious task name was created on $dest$", "mitre_attack_id": ["T1053", "T1053.005"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "Task_Name", "Description", "Command"], "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}]}, "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "randomly_generated_scheduled_task_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/randomly_generated_scheduled_task_name.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Randomly Generated Windows Service Name", "id": "2032a95a-5165-11ec-a2c3-3e22fbd008af", "version": 1, "date": "2021-11-29", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "experimental", "description": "The following hunting analytic leverages Event ID 7045, `A new service was installed in the system`, to identify the installation of a Windows Service with a suspicious, high entropy, Service Name. To achieve this, this analytic also leverages the `ut_shannon` function from the URL ToolBox Splunk application. Red teams and adversaries alike may abuse the Service Control Manager to create and start a remote Windows Service and obtain remote code execution. To achieve this goal, some tools like Metasploit, Cobalt Strike and Impacket, typically create a Windows Service with a random service name on the victim host. This hunting analytic may help defenders identify Windows Services installed as part of a lateral movement attack. The entropy threshold `ut_shannon > 3` should be customized by users. The Service_File_Name field can be used to determine if the Windows Service has malicious intent or not.", "data_source": ["Sysmon Event ID 7"], "search": " `wineventlog_system` EventCode=7045 | lookup ut_shannon_lookup word as Service_Name | where ut_shannon > 3 | table EventCode ComputerName Service_Name ut_shannon Service_Start_Type Service_Type Service_File_Name | `randomly_generated_windows_service_name_filter` ", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints. The Windows TA as well as the URL ToolBox application are also required.", "known_false_positives": "Legitimate applications may use random Windows Service names.", "references": ["https://attack.mitre.org/techniques/T1543/003/"], "tags": {"name": "Randomly Generated Windows Service Name", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A Windows Service with a suspicious service name was installed on $ComputerName$", "mitre_attack_id": ["T1543", "T1543.003"], "nist": ["DE.AE"], "observable": [{"name": "Service_File_Name", "type": "Other", "role": ["Other"]}, {"name": "ComputerName", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ComputerName", "Service_File_Name", "Service_Type", "Service_Name", "Service_Start_Type"], "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}]}, "datamodel": [], "macros": [{"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "randomly_generated_windows_service_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/randomly_generated_windows_service_name.yml", "source": "endpoint"}, {"name": "Ransomware Notes bulk creation", "id": "eff7919a-8330-11eb-83f8-acde48001122", "version": 1, "date": "2021-03-12", "author": "Teoderick Contreras", "type": "Anomaly", "status": "production", "description": "The following analytics identifies a big number of instance of ransomware notes (filetype e.g .txt, .html, .hta) file creation to the infected machine. This behavior is a good sensor if the ransomware note filename is quite new for security industry or the ransomware note filename is not in your ransomware lookup table list for monitoring.", "data_source": ["Sysmon Event ID 1"], "search": "`sysmon` EventCode=11 file_name IN (\"*\\.txt\",\"*\\.html\",\"*\\.hta\") |bin _time span=10s | stats min(_time) as firstTime max(_time) as lastTime dc(TargetFilename) as unique_readme_path_count values(TargetFilename) as list_of_readme_path by Computer Image file_name | where unique_readme_path_count >= 15 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ransomware_notes_bulk_creation_filter`", "how_to_implement": "You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.", "known_false_positives": "unknown", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html"], "tags": {"name": "Ransomware Notes bulk creation", "analytic_story": ["Clop Ransomware", "DarkSide Ransomware", "BlackMatter Ransomware", "Chaos Ransomware", "LockBit Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "message": "A high frequency file creation of $file_name$ in different file path in host $Computer$", "mitre_attack_id": ["T1486"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["EventCode", "file_name", "_time", "TargetFilename", "Computer", "Image", "user"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "ransomware_notes_bulk_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/ransomware_notes_bulk_creation.yml", "source": "endpoint"}, {"name": "Recon AVProduct Through Pwh or WMI", "id": "28077620-c9f6-11eb-8785-acde48001122", "version": 2, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies suspicious PowerShell script execution via EventCode 4104 performing checks to identify anti-virus products installed on the endpoint. This technique is commonly found in malware and APT events where the adversary will map all running security applications or services. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*SELECT*\" OR ScriptBlockText = \"*WMIC*\") AND (ScriptBlockText = \"*AntiVirusProduct*\" OR ScriptBlockText = \"*AntiSpywareProduct*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `recon_avproduct_through_pwh_or_wmi_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "network administrator may used this command for checking purposes", "references": ["https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"name": "Recon AVProduct Through Pwh or WMI", "analytic_story": ["Qakbot", "Windows Post-Exploitation", "Hermetic Wiper", "Ransomware", "Prestige Ransomware", "Malicious PowerShell", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Reconnaissance"], "message": "A suspicious powershell script contains AV recon command in $ScriptBlockText$ with EventCode $EventCode$ in host $Computer$", "mitre_attack_id": ["T1592"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ScriptBlockText", "Computer", "UserID"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/t1592/pwh_av_recon/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "recon_avproduct_through_pwh_or_wmi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Recon Using WMI Class", "id": "018c1972-ca07-11eb-9473-acde48001122", "version": 2, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies suspicious PowerShell via EventCode 4104, where WMI is performing an event query looking for running processes or running services. This technique is commonly found where the adversary will identify services and system information on the compromised machine. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (ScriptBlockText= \"*SELECT*\" OR ScriptBlockText= \"*Get-WmiObject*\") AND (ScriptBlockText= \"*Win32_Bios*\" OR ScriptBlockText= \"*Win32_OperatingSystem*\" OR ScriptBlockText= \"*Win32_Processor*\" OR ScriptBlockText= \"*Win32_ComputerSystem*\" OR ScriptBlockText= \"*Win32_PnPEntity*\" OR ScriptBlockText= \"*Win32_ShadowCopy*\" OR ScriptBlockText= \"*Win32_DiskDrive*\" OR ScriptBlockText= \"*Win32_PhysicalMemory*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `recon_using_wmi_class_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "network administrator may used this command for checking purposes", "references": ["https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html", "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html"], "tags": {"name": "Recon Using WMI Class", "analytic_story": ["AsyncRAT", "Qakbot", "Industroyer2", "Hermetic Wiper", "LockBit Ransomware", "Malicious PowerShell", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 75, "kill_chain_phases": ["Reconnaissance", "Installation"], "message": "A suspicious powershell script contains host recon command in $ScriptBlockText$ with EventCode $EventCode$ in host $Computer$", "mitre_attack_id": ["T1592", "T1059.001"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ScriptBlockText", "Computer", "UserID"], "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/reconusingwmi.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "recon_using_wmi_class_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/recon_using_wmi_class.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Recursive Delete of Directory In Batch CMD", "id": "ba570b3a-d356-11eb-8358-acde48001122", "version": 3, "date": "2022-11-12", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious commandline designed to delete files or directory recursive using batch command. This technique was seen in ransomware (reddot) where it it tries to delete the files in recycle bin to impaire user from recovering deleted files.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` Processes.process=*/c* Processes.process=\"* rd *\" Processes.process=\"*/s*\" Processes.process=\"*/q*\" by Processes.user Processes.process_name Processes.parent_process_name Processes.parent_process Processes.process Processes.process_id Processes.dest |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `recursive_delete_of_directory_in_batch_cmd_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "network operator may use this batch command to delete recursively a directory or files within directory", "references": ["https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/"], "tags": {"name": "Recursive Delete of Directory In Batch CMD", "analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Recursive Delete of Directory In Batch CMD by $user$ on $dest$", "mitre_attack_id": ["T1070.004", "T1070"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "recursive_delete_of_directory_in_batch_cmd_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Reg exe Manipulating Windows Services Registry Keys", "id": "8470d755-0c13-45b3-bd63-387a373c10cf", "version": 5, "date": "2020-11-26", "author": "Rico Valdez, Splunk", "type": "TTP", "status": "production", "description": "The search looks for reg.exe modifying registry keys that define Windows services and their configurations.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name values(Processes.user) as user FROM datamodel=Endpoint.Processes where Processes.process_name=reg.exe Processes.process=*reg* Processes.process=*add* Processes.process=*Services* by Processes.process_id Processes.dest Processes.process | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `reg_exe_manipulating_windows_services_registry_keys_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "It is unusual for a service to be created or modified by directly manipulating the registry. However, there may be legitimate instances of this behavior. It is important to validate and investigate, as appropriate.", "references": [], "tags": {"name": "Reg exe Manipulating Windows Services Registry Keys", "analytic_story": ["Windows Service Abuse", "Windows Persistence Techniques", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 75, "kill_chain_phases": ["Exploitation", "Installation"], "message": "A reg.exe process $process_name$ with commandline $process$ in host $dest$", "mitre_attack_id": ["T1574.011", "T1574"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.parent_process_name", "Processes.user", "Processes.process", "Processes.process_id", "Processes.dest"], "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.011/change_registry_path_service/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "reg_exe_manipulating_windows_services_registry_keys_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Registry Keys for Creating SHIM Databases", "id": "f5f6af30-7aa7-4295-bfe9-07fe87c01bbb", "version": 6, "date": "2023-04-27", "author": "Steven Dick, Bhavin Patel, Patrick Bareiss, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search looks for registry activity associated with application compatibility shims, which can be leveraged by attackers for various nefarious purposes.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=*CurrentVersion\\\\AppCompatFlags\\\\Custom* OR Registry.registry_path=*CurrentVersion\\\\AppCompatFlags\\\\InstalledSDB*) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_for_creating_shim_databases_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "There are many legitimate applications that leverage shim databases for compatibility purposes for legacy applications", "references": [], "tags": {"name": "Registry Keys for Creating SHIM Databases", "analytic_story": ["Suspicious Windows Registry Activities", "Windows Persistence Techniques", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A registry activity in $registry_path$ related to shim modication in host $dest$", "mitre_attack_id": ["T1546.011", "T1546"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.011", "mitre_attack_technique": "Application Shimming", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN7"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.011/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "registry_keys_for_creating_shim_databases_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/registry_keys_for_creating_shim_databases.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Registry Keys Used For Persistence", "id": "f5f6af30-7aa7-4295-bfe9-07fe87c01a4b", "version": 9, "date": "2022-09-19", "author": "Jose Hernandez, David Dorsey, Teoderick Contreras, Rod Soto, Splunk", "type": "TTP", "status": "production", "description": "The search looks for modifications to registry keys that can be used to launch an application or service at system startup.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path=*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce OR Registry.registry_path=*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\StartupApproved\\\\Run OR Registry.registry_path=*\\\\currentversion\\\\run* OR Registry.registry_path=*\\\\currentVersion\\\\Windows\\\\Appinit_Dlls* OR Registry.registry_path=*\\\\CurrentVersion\\\\Winlogon\\\\Shell* OR Registry.registry_path=*\\\\CurrentVersion\\\\Winlogon\\\\Notify* OR Registry.registry_path=*\\\\CurrentVersion\\\\Winlogon\\\\Userinit* OR Registry.registry_path=*\\\\CurrentVersion\\\\Winlogon\\\\VmApplet* OR Registry.registry_path=*\\\\currentversion\\\\policies\\\\explorer\\\\run* OR Registry.registry_path=*\\\\currentversion\\\\runservices* OR Registry.registry_path=HKLM\\\\SOFTWARE\\\\Microsoft\\\\Netsh\\\\* OR Registry.registry_path= \"*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\" OR Registry.registry_path= *\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\SharedTaskScheduler OR Registry.registry_path= *\\\\Classes\\\\htmlfile\\\\shell\\\\open\\\\command OR (Registry.registry_path=\"*Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options*\" AND Registry.registry_key_name=Debugger) OR (Registry.registry_path=\"*\\\\CurrentControlSet\\\\Control\\\\Lsa\" AND Registry.registry_key_name=\"Security Packages\") OR (Registry.registry_path=\"*\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\" AND Registry.registry_key_name=\"Security Packages\") OR (Registry.registry_path=\"*\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\") OR (Registry.registry_path=\"*currentVersion\\\\Windows\" AND Registry.registry_key_name=\"Load\") OR (Registry.registry_path=\"*\\\\CurrentVersion\" AND Registry.registry_key_name=\"Svchost\") OR (Registry.registry_path=\"*\\\\CurrentControlSet\\Control\\Session Manager\"AND Registry.registry_key_name=\"BootExecute\") OR (Registry.registry_path=\"*\\\\Software\\\\Run\" AND Registry.registry_key_name=\"auto_update\")) by Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_used_for_persistence_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "There are many legitimate applications that must execute on system startup and will use these registry keys to accomplish that task.", "references": [], "tags": {"name": "Registry Keys Used For Persistence", "analytic_story": ["Suspicious Windows Registry Activities", "Suspicious MSHTA Activity", "DHS Report TA18-074A", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Ransomware", "Windows Persistence Techniques", "Emotet Malware DHS Report TA18-201A ", "IcedID", "Remcos", "Windows Registry Abuse", "Azorult", "Qakbot", "Chaos Ransomware", "AsyncRAT", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 95, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A registry activity in $registry_path$ related to persistence in host $dest$", "mitre_attack_id": ["T1547.001", "T1547"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.dest", "Registry.user"], "risk_score": 76, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "registry_keys_used_for_persistence_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/registry_keys_used_for_persistence.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Registry Keys Used For Privilege Escalation", "id": "c9f4b923-f8af-4155-b697-1354f5bcbc5e", "version": 7, "date": "2023-04-27", "author": "Steven Dick, David Dorsey, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search looks for modifications to registry keys that can be used to elevate privileges. The registry keys under \"Image File Execution Options\" are used to intercept calls to an executable and can be used to attach malicious binaries to benign system binaries.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path=\"*Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options*\") AND (Registry.registry_value_name=GlobalFlag OR Registry.registry_value_name=Debugger)) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_used_for_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "There are many legitimate applications that must execute upon system startup and will use these registry keys to accomplish that task.", "references": ["https://blog.malwarebytes.com/101/2015/12/an-introduction-to-image-file-execution-options/"], "tags": {"name": "Registry Keys Used For Privilege Escalation", "analytic_story": ["Cloud Federated Credential Abuse", "Hermetic Wiper", "Windows Privilege Escalation", "Windows Registry Abuse", "Data Destruction", "Suspicious Windows Registry Activities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 95, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A registry activity in $registry_path$ related to privilege escalation in host $dest$", "mitre_attack_id": ["T1546.012", "T1546"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 76, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["TEMP.Veles"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.012/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "registry_keys_used_for_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/registry_keys_used_for_privilege_escalation.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "id": "f421c250-24e7-11ec-bc43-acde48001122", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to detect a loading of dll using regsvr32 application with silent parameter and dllinstall execution. This technique was seen in several RAT malware similar to remcos, njrat and adversaries to load their malicious DLL on the compromised machine. This TTP may executed by normal 3rd party application so it is better to pivot by the parent process, parent command-line and command-line of the file that execute this regsvr32.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` AND Processes.process=\"*/i*\" by Processes.dest Processes.parent_process Processes.process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/][Ss]{1}\") | `regsvr32_silent_and_install_param_dll_loading_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Other third part application may used this parameter but not so common in base windows environment.", "references": ["https://app.any.run/tasks/dc93ee63-050c-4ff8-b07e-8277af9ab939/", "https://attack.mitre.org/techniques/T1218/010/"], "tags": {"name": "Regsvr32 Silent and Install Param Dll Loading", "analytic_story": ["AsyncRAT", "Hermetic Wiper", "Living Off The Land", "Data Destruction", "Remcos", "Suspicious Regsvr32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a DLL using the silent and dllinstall parameter.", "mitre_attack_id": ["T1218", "T1218.010"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.005/vbs_wscript/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_regsvr32", "definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "regsvr32_silent_and_install_param_dll_loading_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "id": "c9ef7dc4-eeaf-11eb-b2b6-acde48001122", "version": 2, "date": "2021-07-27", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies Regsvr32.exe utilizing the silent switch to load DLLs. This technique has most recently been seen in IcedID campaigns to load its initial dll that will download the 2nd stage loader that will download and decrypt the config payload. The switch type may be either a hyphen `-` or forward slash `/`. This behavior is typically found with `-s`, and it is possible there are more switch types that may be used. \\ During triage, review parallel processes and capture any artifacts that may have landed on disk. Isolate and contain the endpoint as necessary.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/][Ss]{1}\") | `regsvr32_with_known_silent_switch_cmdline_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "minimal. but network operator can use this application to load dll.", "references": ["https://app.any.run/tasks/56680cba-2bbc-4b34-8633-5f7878ddf858/", "https://regexr.com/699e2"], "tags": {"name": "Regsvr32 with Known Silent Switch Cmdline", "analytic_story": ["IcedID", "Suspicious Regsvr32 Activity", "Remcos", "Living Off The Land", "Qakbot", "AsyncRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a DLL using the silent parameter.", "mitre_attack_id": ["T1218", "T1218.010"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_regsvr32", "definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "regsvr32_with_known_silent_switch_cmdline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Remcos client registry install entry", "id": "f2a1615a-1d63-11ec-97d2-acde48001122", "version": 3, "date": "2022-11-14", "author": "Steven Dick, Bhavin Patel, Rod Soto, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search detects registry key license at host where Remcos RAT agent is installed.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_key_name=*\\\\Software\\\\Remcos*) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`remcos_client_registry_install_entry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/570", "known_false_positives": "unknown", "references": ["https://attack.mitre.org/software/S0332/"], "tags": {"name": "Remcos client registry install entry", "analytic_story": ["Remcos", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "A registry entry $registry_path$ with registry keyname $registry_key_name$ related to Remcos RAT in host $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.user", "Processes.dest", "Processes.process_id", "Processes.process_name", "Processes.process", "Processes.process_path", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_guid", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_registry/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "remcos_client_registry_install_entry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/remcos_client_registry_install_entry.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Remcos RAT File Creation in Remcos Folder", "id": "25ae862a-1ac3-11ec-94a1-acde48001122", "version": 2, "date": "2021-09-21", "author": "Teoderick Contreras, Splunk, Sanjay Govind", "type": "TTP", "status": "production", "description": "This search is to detect file creation in remcos folder in appdata which is the keylog and clipboard logs that will be send to its c2 server. This is really a good TTP indicator that there is a remcos rat in the system that do keylogging, clipboard grabbing and audio recording.", "data_source": ["Sysmon Event ID 11"], "search": "|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*.dat\") Filesystem.file_path = \"*\\\\remcos\\\\*\" by _time Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.file_create_time | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remcos_rat_file_creation_in_remcos_folder_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "references": ["https://success.trendmicro.com/dcx/s/solution/1123281-remcos-malware-information?language=en_US", "https://blog.malwarebytes.com/threat-intelligence/2021/07/remcos-rat-delivered-via-visual-basic/"], "tags": {"name": "Remcos RAT File Creation in Remcos Folder", "analytic_story": ["Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "file $file_name$ created in $file_path$ of $dest$", "mitre_attack_id": ["T1113"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "file_create_time", "file_name", "file_path"], "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1113", "mitre_attack_technique": "Screen Capture", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT39", "BRONZE BUTLER", "Dark Caracal", "Dragonfly", "FIN7", "GOLD SOUTHFIELD", "Gamaredon Group", "Group5", "Magic Hound", "MuddyWater", "OilRig", "Silence"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_agent/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "remcos_rat_file_creation_in_remcos_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/remcos_rat_file_creation_in_remcos_folder.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Remote Desktop Process Running On System", "id": "f5939373-8054-40ad-8c64-cec478a22a4a", "version": 5, "date": "2020-07-21", "author": "David Dorsey, Splunk", "type": "Hunting", "status": "experimental", "description": "This search looks for the remote desktop process mstsc.exe running on systems upon which it doesn't typically run. This is accomplished by filtering out all systems that are noted in the `common_rdp_source category` in the Assets and Identity framework.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=*mstsc.exe AND Processes.dest_category!=common_rdp_source by Processes.dest Processes.user Processes.process | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `remote_desktop_process_running_on_system_filter` ", "how_to_implement": "To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. The search requires you to identify systems that do not commonly use remote desktop. You can use the included support search \"Identify Systems Using Remote Desktop\" to identify these systems. After identifying them, you will need to add the \"common_rdp_source\" category to that system using the Enterprise Security Assets and Identities framework. This can be done by adding an entry in the assets.csv file located in `SA-IdentityManagement/lookups`.", "known_false_positives": "Remote Desktop may be used legitimately by users on the network.", "references": [], "tags": {"name": "Remote Desktop Process Running On System", "analytic_story": ["Hidden Cobra Malware", "Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1021.001", "T1021"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.dest_category", "Processes.dest", "Processes.user"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "remote_desktop_process_running_on_system_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/remote_desktop_process_running_on_system.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Remote Process Instantiation via DCOM and PowerShell", "id": "d4f42098-4680-11ec-ad07-3e22fbd008af", "version": 1, "date": "2021-11-15", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `powershell.exe` with arguments utilized to start a process on a remote endpoint by abusing the DCOM protocol. Specifically, this search looks for the abuse of ShellExecute and ExecuteShellCommand. Red Teams and adversaries alike may abuse DCOM and `powershell.exe` for lateral movement and remote code execution.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process=\"*Document.ActiveView.ExecuteShellCommand*\" OR Processes.process=\"*Document.Application.ShellExecute*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_dcom_and_powershell_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints.", "known_false_positives": "Administrators may leverage DCOM to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.", "references": ["https://attack.mitre.org/techniques/T1021/003/", "https://www.cybereason.com/blog/dcom-lateral-movement-techniques"], "tags": {"name": "Remote Process Instantiation via DCOM and PowerShell", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "A process was started on a remote endpoint from $dest by abusing DCOM using PowerShell.exe", "mitre_attack_id": ["T1021", "T1021.003"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/lateral_movement/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "remote_process_instantiation_via_dcom_and_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Remote Process Instantiation via DCOM and PowerShell Script Block", "id": "fa1c3040-4680-11ec-a618-3e22fbd008af", "version": 2, "date": "2022-03-22", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of PowerShell with arguments utilized to start a process on a remote endpoint by abusing the DCOM protocol. Specifically, this search looks for the abuse of ShellExecute and ExecuteShellCommand. Red Teams and adversaries alike may abuse DCOM for lateral movement and remote code execution.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (ScriptBlockText=\"*Document.Application.ShellExecute*\" OR ScriptBlockText=\"*Document.ActiveView.ExecuteShellCommand*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_process_instantiation_via_dcom_and_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators may leverage DCOM to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.", "references": ["https://attack.mitre.org/techniques/T1021/003/", "https://www.cybereason.com/blog/dcom-lateral-movement-techniques"], "tags": {"name": "Remote Process Instantiation via DCOM and PowerShell Script Block", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "A process was started on a remote endpoint from $Computer$ by abusing WMI using PowerShell.exe", "mitre_attack_id": ["T1021", "T1021.003"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ScriptBlockText", "Computer", "user_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_psh/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "remote_process_instantiation_via_dcom_and_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell_script_block.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Remote Process Instantiation via WinRM and PowerShell", "id": "ba24cda8-4716-11ec-8009-3e22fbd008af", "version": 1, "date": "2021-11-16", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `powershell.exe` with arguments utilized to start a process on a remote endpoint by abusing the WinRM protocol. Specifically, this search looks for the abuse of the `Invoke-Command` commandlet. Red Teams and adversaries alike may abuse WinRM and `powershell.exe` for lateral movement and remote code execution.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process=\"*Invoke-Command*\" AND Processes.process=\"*-ComputerName*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_winrm_and_powershell_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints.", "known_false_positives": "Administrators may leverage WinRM and `Invoke-Command` to start a process on remote systems for system administration or automation use cases. However, this activity is usually limited to a small set of hosts or users.", "references": ["https://attack.mitre.org/techniques/T1021/006/", "https://pentestlab.blog/2018/05/15/lateral-movement-winrm/"], "tags": {"name": "Remote Process Instantiation via WinRM and PowerShell", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "A process was started on a remote endpoint from $dest by abusing WinRM using PowerShell.exe", "mitre_attack_id": ["T1021", "T1021.006"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "Threat Group-3390", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_psh/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "remote_process_instantiation_via_winrm_and_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Remote Process Instantiation via WinRM and PowerShell Script Block", "id": "7d4c618e-4716-11ec-951c-3e22fbd008af", "version": 2, "date": "2022-03-22", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of PowerShell with arguments utilized to start a process on a remote endpoint by abusing the WinRM protocol. Specifically, this search looks for the abuse of the `Invoke-Command` commandlet. Red Teams and adversaries alike may abuse WinRM for lateral movement and remote code execution.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (ScriptBlockText=\"*Invoke-Command*\" AND ScriptBlockText=\"*-ComputerName*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_process_instantiation_via_winrm_and_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators may leverage WinRM and `Invoke-Command` to start a process on remote systems for system administration or automation use cases. This activity is usually limited to a small set of hosts or users. In certain environments, tuning may not be possible.", "references": ["https://attack.mitre.org/techniques/T1021/006/", "https://pentestlab.blog/2018/05/15/lateral-movement-winrm/"], "tags": {"name": "Remote Process Instantiation via WinRM and PowerShell Script Block", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "A process was started on a remote endpoint from $Computer$ by abusing WinRM using PowerShell.exe", "mitre_attack_id": ["T1021", "T1021.006"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "Threat Group-3390", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_psh/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "remote_process_instantiation_via_winrm_and_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell_script_block.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Remote Process Instantiation via WinRM and Winrs", "id": "0dd296a2-4338-11ec-ba02-3e22fbd008af", "version": 1, "date": "2021-11-11", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `winrs.exe` with command-line arguments utilized to start a process on a remote endpoint. Red Teams and adversaries alike may abuse the WinRM protocol and this binary for lateral movement and remote code execution.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=winrs.exe OR Processes.original_file_name=winrs.exe) (Processes.process=\"*-r:*\" OR Processes.process=\"*-remote:*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_winrm_and_winrs_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints.", "known_false_positives": "Administrators may leverage WinRM and WinRs to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/winrs", "https://attack.mitre.org/techniques/T1021/006/"], "tags": {"name": "Remote Process Instantiation via WinRM and Winrs", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "A process was started on a remote endpoint from $dest", "mitre_attack_id": ["T1021", "T1021.006"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "Threat Group-3390", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "remote_process_instantiation_via_winrm_and_winrs_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Remote Process Instantiation via WMI", "id": "d25d2c3d-d9d8-40ec-8fdf-e86fe155a3da", "version": 7, "date": "2021-11-12", "author": "Rico Valdez, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies wmic.exe being launched with parameters to spawn a process on a remote system. Red Teams and adversaries alike may abuse WMI and this binary for lateral movement and remote code execution.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` (Processes.process=\"*/node:*\" AND Processes.process=\"*process*\" AND Processes.process=\"*call*\" AND Processes.process=\"*create*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_wmi_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "The wmic.exe utility is a benign Windows application. It may be used legitimately by Administrators with these parameters for remote system administration, but it's relatively uncommon.", "references": ["https://attack.mitre.org/techniques/T1047/", "https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/create-method-in-class-win32-process"], "tags": {"name": "Remote Process Instantiation via WMI", "analytic_story": ["Ransomware", "Suspicious WMI Use", "Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "message": "A wmic.exe process $process$ contain process spawn commandline $process$ in host $dest$", "mitre_attack_id": ["T1047"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "remote_process_instantiation_via_wmi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/remote_process_instantiation_via_wmi.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Remote Process Instantiation via WMI and PowerShell", "id": "112638b4-4634-11ec-b9ab-3e22fbd008af", "version": 1, "date": "2021-11-15", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `powershell.exe` leveraging the `Invoke-WmiMethod` commandlet complemented with arguments utilized to start a process on a remote endpoint by abusing WMI. Red Teams and adversaries alike may abuse WMI and `powershell.exe` for lateral movement and remote code execution.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process=\"*Invoke-WmiMethod*\" AND Processes.process=\"*-CN*\" AND Processes.process=\"*-Class Win32_Process*\" AND Processes.process=\"*-Name create*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_wmi_and_powershell_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints.", "known_false_positives": "Administrators may leverage WWMI and powershell.exe to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.", "references": ["https://attack.mitre.org/techniques/T1047/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/invoke-wmimethod?view=powershell-5.1"], "tags": {"name": "Remote Process Instantiation via WMI and PowerShell", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Installation"], "message": "A process was started on a remote endpoint from $dest by abusing WMI using PowerShell.exe", "mitre_attack_id": ["T1047"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/lateral_movement/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "remote_process_instantiation_via_wmi_and_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Remote Process Instantiation via WMI and PowerShell Script Block", "id": "2a048c14-4634-11ec-a618-3e22fbd008af", "version": 2, "date": "2022-11-15", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Invoke-WmiMethod` commandlet with arguments utilized to start a process on a remote endpoint by abusing WMI. Red Teams and adversaries alike may abuse WMI and this commandlet for lateral movement and remote code execution.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText=\"*Invoke-WmiMethod*\" AND (ScriptBlockText=\"*-CN*\" OR ScriptBlockText=\"*-ComputerName*\") AND ScriptBlockText=\"*-Class Win32_Process*\" AND ScriptBlockText=\"*-Name create*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_process_instantiation_via_wmi_and_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators may leverage WWMI and powershell.exe to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.", "references": ["https://attack.mitre.org/techniques/T1047/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/invoke-wmimethod?view=powershell-5.1"], "tags": {"name": "Remote Process Instantiation via WMI and PowerShell Script Block", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Installation"], "message": "A process was started on a remote endpoint from $Computer$ by abusing WMI using PowerShell.exe", "mitre_attack_id": ["T1047"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Message", "Computer", "UserID"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/lateral_movement/wmi_remote_process_powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "remote_process_instantiation_via_wmi_and_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell_script_block.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Remote System Discovery with Adsisearcher", "id": "70803451-0047-4e12-9d63-77fa7eb8649c", "version": 2, "date": "2022-06-29", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain computers. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain computers for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*adsisearcher*\" AND ScriptBlockText = \"*objectcategory=computer*\" AND ScriptBlockText IN (\"*findAll()*\",\"*findOne()*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `remote_system_discovery_with_adsisearcher_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use Adsisearcher for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/"], "tags": {"name": "Remote System Discovery with Adsisearcher", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Remote system discovery enumeration on $Computer$ by $user$", "mitre_attack_id": ["T1018"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ScriptBlockText", "Computer", "UserID"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/adsisearcher-powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "remote_system_discovery_with_adsisearcher_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/remote_system_discovery_with_adsisearcher.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Remote System Discovery with Dsquery", "id": "9fb562f4-42f8-4139-8e11-a82edf7ed718", "version": 1, "date": "2021-08-31", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to discover remote systems. The `computer` argument returns a list of all computers registered in the domain. Red Teams and adversaries alike engage in remote system discovery for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"dsquery.exe\") (Processes.process=\"*computer*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_system_discovery_with_dsquery_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952(v=ws.11)"], "tags": {"name": "Remote System Discovery with Dsquery", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Remote system discovery enumeration on $dest$ by $user$", "mitre_attack_id": ["T1018"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "remote_system_discovery_with_dsquery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/remote_system_discovery_with_dsquery.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Remote System Discovery with Net", "id": "9df16706-04a2-41e2-bbfe-9b38b34409d3", "version": 1, "date": "2021-08-30", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to discover remote systems. The argument `domain computers /domain` returns a list of all domain computers. Red Teams and adversaries alike use net.exe to identify remote systems for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"net.exe\" OR Processes.process_name=\"net1.exe\") (Processes.process=\"*domain computers*\" AND Processes.process=*/do*) OR (Processes.process=\"*view*\" AND Processes.process=*/do*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_system_discovery_with_net_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"name": "Remote System Discovery with Net", "analytic_story": ["Active Directory Discovery", "IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Remote system discovery enumeration on $dest$ by $user$", "mitre_attack_id": ["T1018"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "remote_system_discovery_with_net_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/remote_system_discovery_with_net.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Remote System Discovery with Wmic", "id": "d82eced3-b1dc-42ab-859e-a2fc98827359", "version": 1, "date": "2021-09-01", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to discover remote systems. The arguments utilized in this command return a list of all the systems registered in the domain. Red Teams and adversaries alike may leverage WMI and wmic.exe to identify remote systems for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"wmic.exe\") (Processes.process=*/NAMESPACE:\\\\\\\\root\\\\directory\\\\ldap* AND Processes.process=*ds_computer* AND Processes.process=\"*GET ds_samaccountname*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_system_discovery_with_wmic_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmic"], "tags": {"name": "Remote System Discovery with Wmic", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Remote system discovery enumeration on $dest$ by $user$", "mitre_attack_id": ["T1018"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "remote_system_discovery_with_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/remote_system_discovery_with_wmic.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Remote WMI Command Attempt", "id": "272df6de-61f1-4784-877c-1fbc3e2d0838", "version": 4, "date": "2018-12-03", "author": "Rico Valdez, Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies usage of `wmic.exe` spawning a local or remote process, identified by the `node` switch. During triage, review parallel processes for additional commands executed. Look for any file modifications before and after `wmic.exe` execution. In addition, identify the remote endpoint and confirm execution or file modifications. Contain and isolate the endpoint as needed.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process=*node* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_wmi_command_attempt_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. Deprecated because duplicate of Remote Process Instantiation via WMI.", "known_false_positives": "Administrators may use this legitimately to gather info from remote systems. Filter as needed.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.yaml", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"name": "Remote WMI Command Attempt", "analytic_story": ["Suspicious WMI Use", "Living Off The Land", "Volt Typhoon", "IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Installation"], "message": "A wmic.exe process $process$ contain node commandline $process$ in host $dest$", "mitre_attack_id": ["T1047"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.user", "Processes.process_name", "Processes.parent_process_name", "Processes.dest", "Processes.parent_process", "Processes.parent_process_id", "Processes.process_id"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "remote_wmi_command_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/remote_wmi_command_attempt.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Resize ShadowStorage volume", "id": "bc760ca6-8336-11eb-bcbb-acde48001122", "version": 1, "date": "2021-03-12", "author": "Teoderick Contreras", "type": "TTP", "status": "production", "description": "The following analytics identifies the resizing of shadowstorage by ransomware malware to avoid the shadow volumes being made again. this technique is an alternative by ransomware attacker than deleting the shadowstorage which is known alert in defensive team. one example of ransomware that use this technique is CLOP ransomware where it drops a .bat file that will resize the shadowstorage to minimum size as much as possible", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as cmdline values(Processes.parent_process_name) as parent_process values(Processes.process_name) as process_name min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = \"cmd.exe\" OR Processes.parent_process_name = \"powershell.exe\" OR Processes.parent_process_name = \"powershell_ise.exe\" OR Processes.parent_process_name = \"wmic.exe\" Processes.process_name = \"vssadmin.exe\" Processes.process=\"*resize*\" Processes.process=\"*shadowstorage*\" Processes.process=\"*/maxsize*\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `resize_shadowstorage_volume_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "network admin can resize the shadowstorage for valid purposes.", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md", "https://redcanary.com/blog/blackbyte-ransomware/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/vssadmin-resize-shadowstorage"], "tags": {"name": "Resize ShadowStorage volume", "analytic_story": ["Clop Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "message": "A process $parent_process_name$ attempt to resize shadow copy with commandline $process$ in host $dest$", "mitre_attack_id": ["T1490"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.process", "Processes.parent_process_name", "_time", "Processes.process_name", "Processes.parent_process", "Processes.dest", "Processes.user"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "resize_shadowstorage_volume_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/resize_shadowstorage_volume.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Revil Common Exec Parameter", "id": "85facebe-c382-11eb-9c3e-acde48001122", "version": 2, "date": "2021-06-02", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies suspicious commandline parameter that are commonly used by REVIL ransomware to encrypts the compromise machine.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"* -nolan *\" OR Processes.process = \"* -nolocal *\" OR Processes.process = \"* -fast *\" OR Processes.process = \"* -full *\" by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `revil_common_exec_parameter_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "third party tool may have same command line parameters as revil ransomware.", "references": ["https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/"], "tags": {"name": "Revil Common Exec Parameter", "analytic_story": ["Ransomware", "Revil Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Installation"], "message": "A process $process_name$ with commandline $process$ related to revil ransomware in host $dest$", "mitre_attack_id": ["T1204"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.parent_process_name", "Processes.parent_process", "Processes.dest", "Processes.user", "Processes.process_id", "Processes.process_guid"], "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/revil/inf1/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "revil_common_exec_parameter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/revil_common_exec_parameter.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Revil Registry Entry", "id": "e3d3f57a-c381-11eb-9e35-acde48001122", "version": 3, "date": "2022-11-14", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies suspicious modification in registry entry to keep some malware data during its infection. This technique seen in several apt implant, malware and ransomware like REVIL where it keep some information like the random generated file extension it uses for all the encrypted files and ransomware notes file name in the compromised host.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\SOFTWARE\\\\WOW6432Node\\\\Facebook_Assistant\\\\*\" OR Registry.registry_path=\"*\\\\SOFTWARE\\\\WOW6432Node\\\\BlackLivesMatter*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `revil_registry_entry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "references": ["https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/"], "tags": {"name": "Revil Registry Entry", "analytic_story": ["Ransomware", "Revil Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "A registry entry $registry_path$ with registry value $registry_value_name$ and $registry_value_name$ related to revil ransomware in host $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.user", "Processes.dest", "Processes.process_id", "Processes.process_name", "Processes.process", "Processes.process_path", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_guid", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/revil/inf1/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "revil_registry_entry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/revil_registry_entry.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Rubeus Command Line Parameters", "id": "cca37478-8377-11ec-b59a-acde48001122", "version": 1, "date": "2022-02-01", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "Rubeus is a C# toolset for raw Kerberos interaction and abuses. It is heavily adapted from Benjamin Delpys Kekeo project and Vincent LE TOUXs MakeMeEnterpriseAdmin project. This analytic looks for the use of Rubeus command line arguments utilized in common Kerberos attacks like exporting and importing tickets, forging silver and golden tickets, requesting a TGT or TGS, kerberoasting, password spraying, etc. Red teams and adversaries alike use Rubeus for Kerberos attacks within Active Directory networks. Defenders should be aware that adversaries may customize the source code of Rubeus and modify the command line parameters. This would effectively bypass this analytic.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process = \"*ptt /ticket*\" OR Processes.process = \"* monitor /interval*\" OR Processes.process =\"* asktgt* /user:*\" OR Processes.process =\"* asktgs* /service:*\" OR Processes.process =\"* golden* /user:*\" OR Processes.process =\"* silver* /service:*\" OR Processes.process =\"* kerberoast*\" OR Processes.process =\"* asreproast*\" OR Processes.process = \"* renew* /ticket:*\" OR Processes.process = \"* brute* /password:*\" OR Processes.process = \"* brute* /passwords:*\" OR Processes.process =\"* harvest*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rubeus_command_line_parameters_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Although unlikely, legitimate applications may use the same command line parameters as Rubeus. Filter as needed.", "references": ["https://github.com/GhostPack/Rubeus", "https://web.archive.org/web/20210725005734/http://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/", "https://attack.mitre.org/techniques/T1550/003/", "https://en.hackndo.com/kerberos-silver-golden-tickets/"], "tags": {"name": "Rubeus Command Line Parameters", "analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "Rubeus command line parameters were used on $dest$", "mitre_attack_id": ["T1550", "T1550.003", "T1558", "T1558.003", "T1558.004"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id", "Processes.parent_process_name"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1550.003", "mitre_attack_technique": "Pass the Ticket", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT29", "APT32", "BRONZE BUTLER"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1558.004", "mitre_attack_technique": "AS-REP Roasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.003/rubeus/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "rubeus_command_line_parameters_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/rubeus_command_line_parameters.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Rubeus Kerberos Ticket Exports Through Winlogon Access", "id": "5ed8c50a-8869-11ec-876f-acde48001122", "version": 1, "date": "2022-02-07", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic looks for a process accessing the winlogon.exe system process. The Splunk Threat Research team identified this behavior when using the Rubeus tool to monitor for and export kerberos tickets from memory. Before being able to export tickets. Rubeus will try to escalate privileges to SYSTEM by obtaining a handle to winlogon.exe before trying to monitor for kerberos tickets. Exporting tickets from memory is typically the first step for pass the ticket attacks. Red teams and adversaries alike may use the pass the ticket technique using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Defenders should be aware that adversaries may customize the source code of Rubeus to potentially bypass this analytic.", "data_source": ["Sysmon Event ID 1"], "search": " `sysmon` EventCode=10 TargetImage=C:\\\\Windows\\\\system32\\\\winlogon.exe (GrantedAccess=0x1f3fff) (SourceImage!=C:\\\\Windows\\\\system32\\\\svchost.exe AND SourceImage!=C:\\\\Windows\\\\system32\\\\lsass.exe AND SourceImage!=C:\\\\Windows\\\\system32\\\\LogonUI.exe AND SourceImage!=C:\\\\Windows\\\\system32\\\\smss.exe AND SourceImage!=C:\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe) | stats count min(_time) as firstTime max(_time) as lastTime by Computer, SourceImage, SourceProcessId, TargetImage, TargetProcessId, EventCode, GrantedAccess | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `rubeus_kerberos_ticket_exports_through_winlogon_access_filter`", "how_to_implement": "This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 10. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment.", "known_false_positives": "Legitimate applications may obtain a handle for winlogon.exe. Filter as needed", "references": ["https://github.com/GhostPack/Rubeus", "https://web.archive.org/web/20210725005734/http://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/", "https://attack.mitre.org/techniques/T1550/003/"], "tags": {"name": "Rubeus Kerberos Ticket Exports Through Winlogon Access", "analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "Winlogon.exe was accessed by $SourceImage$ on $dest$", "mitre_attack_id": ["T1550", "T1550.003"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "TargetImage", "type": "Process", "role": ["Target"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "TargetImage", "CallTrace", "Computer", "TargetProcessId", "SourceImage", "SourceProcessId"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1550.003", "mitre_attack_technique": "Pass the Ticket", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT29", "APT32", "BRONZE BUTLER"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.003/rubeus/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "rubeus_kerberos_ticket_exports_through_winlogon_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Runas Execution in CommandLine", "id": "4807e716-43a4-11ec-a0e7-acde48001122", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "This analytic look for a spawned runas.exe process with a administrator user option parameter. This parameter was abused by adversaries, malware author or even red teams to gain elevated privileges in target host. This is a good hunting query to figure out privilege escalation tactics that may used for different stages like lateral movement but take note that administrator may use this command in purpose so its better to see other event context before and after this analytic.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_runas` AND Processes.process = \"*/user:*\" AND Processes.process = \"*admin*\" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `runas_execution_in_commandline_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "A network operator or systems administrator may utilize an automated or manual execute this command that may generate false positives. filter is needed.", "references": ["https://app.any.run/tasks/ad4c3cda-41f2-4401-8dba-56cc2d245488/"], "tags": {"name": "Runas Execution in CommandLine", "analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "elevated process using runas on $dest$ by $user$", "mitre_attack_id": ["T1134", "T1134.001"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1134.001", "mitre_attack_technique": "Token Impersonation/Theft", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "FIN8"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/vilsel/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_runas", "definition": "(Processes.process_name=runas.exe OR Processes.original_file_name=runas.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "runas_execution_in_commandline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/runas_execution_in_commandline.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Rundll32 Control RunDLL Hunt", "id": "c8e7ced0-10c5-11ec-8b03-acde48001122", "version": 1, "date": "2021-09-08", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following hunting detection identifies rundll32.exe with `control_rundll` within the command-line, loading a .cpl or another file type. Developed in relation to CVE-2021-40444. Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. \\ This is written to be a bit more broad by not including .cpl. \\ During triage, review parallel processes to identify any further suspicious behavior.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*Control_RunDLL* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_control_rundll_hunt_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "This is a hunting detection, meant to provide a understanding of how voluminous control_rundll is within the environment.", "references": ["https://strontic.github.io/xcyclopedia/library/rundll32.exe-111474C61232202B5B588D2B512CBB25.html", "https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/", "https://attack.mitre.org/techniques/T1218/011/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.yaml", "https://redcanary.com/blog/intelligence-insights-december-2021/"], "tags": {"name": "Rundll32 Control RunDLL Hunt", "analytic_story": ["Suspicious Rundll32 Activity", "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a suspicious file from disk.", "mitre_attack_id": ["T1218", "T1218.011"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2021-40444"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.002/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "rundll32_control_rundll_hunt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-40444", "cvss": 6.8, "summary": "Microsoft MSHTML Remote Code Execution Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/rundll32_control_rundll_hunt.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Rundll32 Control RunDLL World Writable Directory", "id": "1adffe86-10c3-11ec-8ce6-acde48001122", "version": 1, "date": "2021-09-08", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following detection identifies rundll32.exe with `control_rundll` within the command-line, loading a .cpl or another file type from windows\\temp, programdata, or appdata. Developed in relation to CVE-2021-40444. Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. This is written to be a bit more broad by not including .cpl. The paths are specified, add more as needed. During triage, review parallel processes to identify any further suspicious behavior.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*Control_RunDLL* AND Processes.process IN (\"*\\\\appdata\\\\*\", \"*\\\\windows\\\\temp\\\\*\", \"*\\\\programdata\\\\*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_control_rundll_world_writable_directory_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "This may be tuned, or a new one related, by adding .cpl to command-line. However, it's important to look for both. Tune/filter as needed.", "references": ["https://strontic.github.io/xcyclopedia/library/rundll32.exe-111474C61232202B5B588D2B512CBB25.html", "https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/", "https://attack.mitre.org/techniques/T1218/011/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.yaml", "https://redcanary.com/blog/intelligence-insights-december-2021/"], "tags": {"name": "Rundll32 Control RunDLL World Writable Directory", "analytic_story": ["Suspicious Rundll32 Activity", "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a suspicious file from disk.", "mitre_attack_id": ["T1218", "T1218.011"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "cve": ["CVE-2021-40444"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.002/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "rundll32_control_rundll_world_writable_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-40444", "cvss": 6.8, "summary": "Microsoft MSHTML Remote Code Execution Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Rundll32 Create Remote Thread To A Process", "id": "2dbeee3a-f067-11eb-96c0-acde48001122", "version": 1, "date": "2021-07-29", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies the suspicious Remote Thread execution of rundll32.exe to any process. This technique was seen in IcedID malware to execute its malicious code in normal process for defense evasion and to steal sensitive information in the compromised host.", "data_source": ["Sysmon Event ID 8"], "search": "`sysmon` EventCode=8 SourceImage = \"*\\\\rundll32.exe\" TargetImage = \"*.exe\" | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage TargetProcessId SourceProcessId StartAddress EventCode Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_create_remote_thread_to_a_process_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the SourceImage, TargetImage, and EventCode executions from your endpoints related to create remote thread or injecting codes. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "references": ["https://www.joesandbox.com/analysis/380662/0/html"], "tags": {"name": "Rundll32 Create Remote Thread To A Process", "analytic_story": ["IcedID", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "rundl32 process $SourceImage$ create a remote thread to process $TargetImage$ in host $Computer$", "mitre_attack_id": ["T1055"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "SourceImage", "TargetImage", "TargetProcessId", "SourceProcessId", "StartAddress", "EventCode", "Computer"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "rundll32_create_remote_thread_to_a_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/rundll32_create_remote_thread_to_a_process.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Rundll32 CreateRemoteThread In Browser", "id": "f8a22586-ee2d-11eb-a193-acde48001122", "version": 1, "date": "2021-07-26", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies the suspicious Remote Thread execution of rundll32.exe process to \"firefox.exe\" and \"chrome.exe\" browser. This technique was seen in IcedID malware where it hooks the browser to parse banking information as user used the targetted browser process.", "data_source": ["Sysmon Event ID 8"], "search": "`sysmon` EventCode=8 SourceImage = \"*\\\\rundll32.exe\" TargetImage IN (\"*\\\\firefox.exe\", \"*\\\\chrome.exe\", \"*\\\\iexplore.exe\",\"*\\\\microsoftedgecp.exe\") | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage TargetProcessId SourceProcessId StartAddress EventCode Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_createremotethread_in_browser_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the SourceImage, TargetImage, and EventCode executions from your endpoints related to create remote thread or injecting codes. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "references": ["https://www.joesandbox.com/analysis/380662/0/html"], "tags": {"name": "Rundll32 CreateRemoteThread In Browser", "analytic_story": ["IcedID", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "rundl32 process $SourceImage$ create a remote thread to browser process $TargetImage$ in host $Computer$", "mitre_attack_id": ["T1055"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "SourceImage", "TargetImage", "TargetProcessId", "SourceProcessId", "StartAddress", "EventCode", "Computer"], "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "rundll32_createremotethread_in_browser_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/rundll32_createremotethread_in_browser.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Rundll32 DNSQuery", "id": "f1483f5e-ee29-11eb-9d23-acde48001122", "version": 2, "date": "2022-02-18", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious rundll32.exe process having a http connection and do a dns query in some web domain. This technique was seen in IcedID malware where the rundll32 that execute its payload will contact amazon.com to check internet connect and to communicate to its C&C server to download config and other file component.", "data_source": ["Sysmon Event ID 22"], "search": "`sysmon` EventCode=22 process_name=\"rundll32.exe\" | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus ProcessId Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_dnsquery_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and eventcode = 22 dnsquery executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "unknown", "references": ["https://any.run/malware-trends/icedid"], "tags": {"name": "Rundll32 DNSQuery", "analytic_story": ["IcedID", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "rundll32 process $process_name$ having a dns query to $QueryName$ in host $Computer$", "mitre_attack_id": ["T1218", "T1218.011"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "QueryName", "QueryStatus", "ProcessId", "Computer"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "rundll32_dnsquery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/rundll32_dnsquery.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Rundll32 LockWorkStation", "id": "fa90f372-f91d-11eb-816c-acde48001122", "version": 2, "date": "2021-08-09", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This search is to detect a suspicious rundll32 commandline to lock the workstation through command line. This technique was seen in CONTI leak tooling and script as part of its defense evasion. This technique is not a common practice to lock a screen and maybe a good indicator of compromise.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe Processes.process= \"*user32.dll,LockWorkStation*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_lockworkstation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "unknown", "references": ["https://threadreaderapp.com/thread/1423361119926816776.html"], "tags": {"name": "Rundll32 LockWorkStation", "analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "process $process_name$ with cmdline $process$ in host $dest$", "mitre_attack_id": ["T1218", "T1218.011"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process Name", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/conti/conti_leak/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "rundll32_lockworkstation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/rundll32_lockworkstation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Rundll32 Process Creating Exe Dll Files", "id": "6338266a-ee2a-11eb-bf68-acde48001122", "version": 1, "date": "2021-07-26", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious rundll32 process that drops executable (.exe or .dll) files. This behavior seen in rundll32 process of IcedID that tries to drop copy of itself in temp folder or download executable drop it either appdata or programdata as part of its execution.", "data_source": ["Sysmon Event ID 1"], "search": "`sysmon` EventCode=11 process_name=\"rundll32.exe\" TargetFilename IN (\"*.exe\", \"*.dll\",) | stats count min(_time) as firstTime max(_time) as lastTime by Image TargetFilename ProcessGuid dest user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_process_creating_exe_dll_files_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, TargetFilename, and eventcode 11 executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "unknown", "references": ["https://any.run/malware-trends/icedid"], "tags": {"name": "Rundll32 Process Creating Exe Dll Files", "analytic_story": ["IcedID", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "rundll32 process $process_name$ drops a file $TargetFilename$ in host $dest$", "mitre_attack_id": ["T1218", "T1218.011"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "TargetFilename", "ProcessGuid", "dest", "user_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "rundll32_process_creating_exe_dll_files_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/rundll32_process_creating_exe_dll_files.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Rundll32 Shimcache Flush", "id": "a913718a-25b6-11ec-96d3-acde48001122", "version": 1, "date": "2021-10-05", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to detect a suspicious rundll32 commandline to clear shim cache. This technique is a anti-forensic technique to clear the cache taht are one important artifacts in terms of digital forensic during attacks or incident. This TTP is a good indicator that someone tries to evade some tools and clear foothold on the machine.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` AND Processes.process = \"*apphelp.dll,ShimFlushCache*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_shimcache_flush_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "references": ["https://blueteamops.medium.com/shimcache-flush-89daff28d15e"], "tags": {"name": "Rundll32 Shimcache Flush", "analytic_story": ["Unusual Processes", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "rundll32 process execute $process$ to clear shim cache in $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/shimcache_flush/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "rundll32_shimcache_flush_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/rundll32_shimcache_flush.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Rundll32 with no Command Line Arguments with Network", "id": "35307032-a12d-11eb-835f-acde48001122", "version": 4, "date": "2022-03-15", "author": "Steven Dick, Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies rundll32.exe with no command line arguments and performing a network connection. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where `process_rundll32` AND Processes.action!=\"blocked\" by host _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(rundll32\\.exe.{0,4}$)\" | rename dest as src | join host process_id [| tstats `security_content_summariesonly` count latest(All_Traffic.dest) as dest latest(All_Traffic.dest_ip) as dest_ip latest(All_Traffic.dest_port) as dest_port FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by host All_Traffic.process_id | `drop_dm_object_name(All_Traffic)`] | `rundll32_with_no_command_line_arguments_with_network_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `port` node. To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", "https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/"], "tags": {"name": "Rundll32 with no Command Line Arguments with Network", "analytic_story": ["Suspicious Rundll32 Activity", "Cobalt Strike", "PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "A rundll32 process $process_name$ with no commandline argument like this process commandline $process$ in host $src$", "mitre_attack_id": ["T1218", "T1218.011"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "cve": ["CVE-2021-34527"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint", "Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "rundll32_with_no_command_line_arguments_with_network_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-34527", "cvss": 9.0, "summary": "Windows Print Spooler Remote Code Execution Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "RunDLL Loading DLL By Ordinal", "id": "6c135f8d-5e60-454e-80b7-c56eed739833", "version": 6, "date": "2022-02-08", "author": "Michael Haag, David Dorsey, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies rundll32.exe loading an export function by ordinal value. Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly, may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Utilizing ordinal values makes it a bit more complicated for analysts to understand the behavior until the DLL is reviewed.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,\"rundll32.+\\#\\d+\") | `rundll_loading_dll_by_ordinal_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives are possible with native utilities and third party applications. Filtering may be needed based on command-line, or add world writeable paths to restrict query.", "references": ["https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", "https://twitter.com/M_haggis/status/1491109262428635136", "https://twitter.com/pr0xylife/status/1590394227758104576"], "tags": {"name": "RunDLL Loading DLL By Ordinal", "analytic_story": ["Unusual Processes", "Suspicious Rundll32 Activity", "Living Off The Land", "IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "A rundll32 process $process_name$ with ordinal parameter like this process commandline $process$ on host $dest$.", "mitre_attack_id": ["T1218", "T1218.011"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/ordinal_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "rundll_loading_dll_by_ordinal_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/rundll_loading_dll_by_ordinal.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Ryuk Test Files Detected", "id": "57d44d70-28d9-4ed1-acf5-1c80ae2bbce3", "version": 1, "date": "2020-11-06", "author": "Rod Soto, Jose Hernandez, Splunk", "type": "TTP", "status": "production", "description": "The search looks for files that contain the key word *Ryuk* under any folder in the C drive, which is consistent with Ryuk propagation.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem WHERE \"Filesystem.file_path\"=C:\\\\*Ryuk* BY \"Filesystem.dest\", \"Filesystem.user\", \"Filesystem.file_path\" | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `ryuk_test_files_detected_filter`", "how_to_implement": "You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint Filesystem data-model object. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.", "known_false_positives": "If there are files with this keywoord as file names it might trigger false possitives, please make use of our filters to tune out potential FPs.", "references": [], "tags": {"name": "Ryuk Test Files Detected", "analytic_story": ["Ryuk Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "message": "A creation of ryuk test file $file_path$ in host $dest$", "mitre_attack_id": ["T1486"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.file_path", "Filesystem.dest", "Filesystem.user"], "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ryuk/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "ryuk_test_files_detected_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/ryuk_test_files_detected.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Ryuk Wake on LAN Command", "id": "538d0152-7aaa-11eb-beaa-acde48001122", "version": 1, "date": "2021-03-01", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "This Splunk query identifies the use of Wake-on-LAN utilized by Ryuk ransomware. The Ryuk Ransomware uses the Wake-on-Lan feature to turn on powered off devices on a compromised network to have greater success encrypting them. This is a high fidelity indicator of Ryuk ransomware executing on an endpoint. Upon triage, isolate the endpoint. Additional file modification events will be within the users profile (\\appdata\\roaming) and in public directories (users\\public\\). Review all Scheduled Tasks on the isolated endpoint and across the fleet. Suspicious Scheduled Tasks will include a path to a unknown binary and those endpoints should be isolated until triaged.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process=\"*8 LAN*\" OR Processes.process=\"*9 REP*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `ryuk_wake_on_lan_command_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Limited to no known false positives.", "references": ["https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/", "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-now-self-spreads-to-other-windows-lan-devices/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf"], "tags": {"name": "Ryuk Wake on LAN Command", "analytic_story": ["Ryuk Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "message": "A process $process_name$ with wake on LAN commandline $process$ in host $dest$", "mitre_attack_id": ["T1059", "T1059.003"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/ryuk/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "ryuk_wake_on_lan_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/ryuk_wake_on_lan_command.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "SAM Database File Access Attempt", "id": "57551656-ebdb-11eb-afdf-acde48001122", "version": 1, "date": "2021-07-23", "author": "Michael Haag, Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies access to SAM, SYSTEM or SECURITY databases' within the file path of `windows\\system32\\config` using Windows Security EventCode 4663. This particular behavior is related to credential access, an attempt to either use a Shadow Copy or recent CVE-2021-36934 to access the SAM database. The Security Account Manager (SAM) is a database file in Windows XP, Windows Vista, Windows 7, 8.1 and 10 that stores users' passwords.", "data_source": ["Windows Security 4663"], "search": "`wineventlog_security` (EventCode=4663) process_name!=*\\\\dllhost.exe Object_Name IN (\"*\\\\Windows\\\\System32\\\\config\\\\SAM*\",\"*\\\\Windows\\\\System32\\\\config\\\\SYSTEM*\",\"*\\\\Windows\\\\System32\\\\config\\\\SECURITY*\") | stats values(Accesses) count by process_name Object_Name dest user | `sam_database_file_access_attempt_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "Natively, `dllhost.exe` will access the files. Every environment will have additional native processes that do as well. Filter by process_name. As an aside, one can remove process_name entirely and add `Object_Name=*ShadowCopy*`.", "references": ["https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4663", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934", "https://github.com/GossiTheDog/HiveNightmare", "https://github.com/JumpsecLabs/Guidance-Advice/tree/main/SAM_Permissions", "https://en.wikipedia.org/wiki/Security_Account_Manager"], "tags": {"name": "SAM Database File Access Attempt", "analytic_story": ["Credential Dumping"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "The following process $process_name$ accessed the object $Object_Name$ attempting to gain access to credentials on $dest$ by user $user$.", "mitre_attack_id": ["T1003.002", "T1003"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}, {"name": "Object_Name", "type": "File", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "process_name", "Object_Name", "dest", "user"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "cve": ["CVE-2021-36934"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/serioussam/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "sam_database_file_access_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-36934", "cvss": 4.6, "summary": "Windows Elevation of Privilege Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/sam_database_file_access_attempt.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Samsam Test File Write", "id": "493a879d-519d-428f-8f57-a06a0fdc107e", "version": 1, "date": "2018-12-14", "author": "Rico Valdez, Splunk", "type": "TTP", "status": "production", "description": "The search looks for a file named \"test.txt\" written to the windows system directory tree, which is consistent with Samsam propagation.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_name) as file_name from datamodel=Endpoint.Filesystem where Filesystem.file_path=*\\\\windows\\\\system32\\\\test.txt by Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `samsam_test_file_write_filter`", "how_to_implement": "You must be ingesting data that records the file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.", "known_false_positives": "No false positives have been identified.", "references": [], "tags": {"name": "Samsam Test File Write", "analytic_story": ["SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 20, "impact": 60, "kill_chain_phases": ["Actions on Objectives"], "message": "A samsam ransomware test file creation in $file_path$ in host $dest$", "mitre_attack_id": ["T1486"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.user", "Filesystem.dest", "Filesystem.file_name", "Filesystem.file_path"], "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/sam_sam_note/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "samsam_test_file_write_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/samsam_test_file_write.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Sc exe Manipulating Windows Services", "id": "f0c693d8-2a89-4ce7-80b4-98fea4c3ea6d", "version": 4, "date": "2020-07-21", "author": "Rico Valdez, Splunk", "type": "TTP", "status": "production", "description": "This search looks for arguments to sc.exe indicating the creation or modification of a Windows service.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = sc.exe (Processes.process=\"* create *\" OR Processes.process=\"* config *\") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sc_exe_manipulating_windows_services_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Using sc.exe to manipulate Windows services is uncommon. However, there may be legitimate instances of this behavior. It is important to validate and investigate as appropriate.", "references": ["https://www.secureworks.com/blog/drokbk-malware-uses-github-as-dead-drop-resolver"], "tags": {"name": "Sc exe Manipulating Windows Services", "analytic_story": ["Windows Service Abuse", "DHS Report TA18-074A", "Orangeworm Attack Group", "Windows Persistence Techniques", "Disabling Security Tools", "NOBELIUM Group", "Azorult", "Windows Drivers"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A sc process $process_name$ with commandline $process$ to create of configure services in host $dest$", "mitre_attack_id": ["T1543.003", "T1543"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.parent_process_name", "Processes.dest", "Processes.user"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "sc_exe_manipulating_windows_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/sc_exe_manipulating_windows_services.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "SchCache Change By App Connect And Create ADSI Object", "id": "991eb510-0fc6-11ec-82d3-acde48001122", "version": 1, "date": "2021-09-07", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to detect an application try to connect and create ADSI Object to do LDAP query. Every time an application connects to the directory and attempts to create an ADSI object, the Active Directory Schema is checked for changes. If it has changed since the last connection, the schema is downloaded and stored in a cache on the local computer either in %LOCALAPPDATA%\\Microsoft\\Windows\\SchCache or %systemroot%\\SchCache. We found this a good anomaly use case to detect suspicious application like blackmatter ransomware that use ADS object api to execute ldap query. having a good list of ldap or normal AD query tool used within the network is a good start to reduce the noise.", "data_source": ["Sysmon Event ID 1"], "search": "`sysmon` EventCode=11 TargetFilename = \"*\\\\Windows\\\\SchCache\\\\*\" TargetFilename = \"*.sch*\" NOT (Image IN (\"*\\\\Windows\\\\system32\\\\mmc.exe\")) |stats count min(_time) as firstTime max(_time) as lastTime by Image TargetFilename EventCode process_id process_name Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schcache_change_by_app_connect_and_create_adsi_object_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "normal application like mmc.exe and other ldap query tool may trigger this detections.", "references": ["https://docs.microsoft.com/en-us/windows/win32/adsi/adsi-and-uac", "https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/"], "tags": {"name": "SchCache Change By App Connect And Create ADSI Object", "analytic_story": ["blackMatter ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "process $Image$ create a file $TargetFilename$ in host $Computer$", "mitre_attack_id": ["T1087.002", "T1087"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "TargetFilename", "EventCode", "process_id", "process_name", "Computer"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/blackmatter_schcache/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "schcache_change_by_app_connect_and_create_adsi_object_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml", "source": "endpoint"}, {"name": "Schedule Task with HTTP Command Arguments", "id": "523c2684-a101-11eb-916b-acde48001122", "version": 1, "date": "2023-04-05", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following query utilizes Windows Security EventCode 4698, `A scheduled task was created`, to identify suspicious tasks registered on Windows either via schtasks.exe OR TaskService with an arguments \"HTTP\" string that are unique entry of malware or attack that uses lolbin to download other file or payload to the infected machine. The search will return the first time and last time the task was registered, as well as the `Command` to be executed, `Task Name`, `Author`, `Enabled`, and whether it is `Hidden` or not. schtasks.exe is natively found in `C:\\Windows\\system32` and `C:\\Windows\\syswow64`. The following DLL(s) are loaded when schtasks.exe or TaskService is launched -`taskschd.dll`. If found loaded by another process, it is possible a scheduled task is being registered within that process context in memory. Upon triage, identify the task scheduled source. Was it schtasks.exe or via TaskService? Review the job created and the Command to be executed. Capture any artifacts on disk and review. Identify any parallel processes within the same timeframe to identify source.'", "data_source": ["Windows Security 4698"], "search": "`wineventlog_security` EventCode=4698 | xmlkv Message| search Arguments IN (\"*http*\") | stats count min(_time) as firstTime max(_time) as lastTime by dest, Task_Name, Command, Author, Enabled, Hidden, Arguments | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schedule_task_with_http_command_arguments_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the task schedule (Exa. Security Log EventCode 4698) endpoints. Tune and filter known instances of Task schedule used in your environment.", "known_false_positives": "unknown", "references": ["https://app.any.run/tasks/92d7ef61-bfd7-4c92-bc15-322172b4ebec/"], "tags": {"name": "Schedule Task with HTTP Command Arguments", "analytic_story": ["Living Off The Land", "Winter Vivern", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A schedule task process commandline arguments $Arguments$ with http string on it in host $dest$", "mitre_attack_id": ["T1053"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "Task_Name", "Command", "Author", "Enabled", "Hidden", "Arguments"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/tasksched/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "schedule_task_with_http_command_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/schedule_task_with_http_command_arguments.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Schedule Task with Rundll32 Command Trigger", "id": "75b00fd8-a0ff-11eb-8b31-acde48001122", "version": 1, "date": "2021-04-19", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following query utilizes Windows Security EventCode 4698, `A scheduled task was created`, to identify suspicious tasks registered on Windows either via schtasks.exe OR TaskService with a command to be executed with a Rundll32. This technique is common in new trickbot that uses rundll32 to load is trickbot downloader. The search will return the first time and last time the task was registered, as well as the `Command` to be executed, `Task Name`, `Author`, `Enabled`, and whether it is `Hidden` or not. schtasks.exe is natively found in `C:\\Windows\\system32` and `C:\\Windows\\syswow64`. The following DLL(s) are loaded when schtasks.exe or TaskService is launched -`taskschd.dll`. If found loaded by another process, it is possible a scheduled task is being registered within that process context in memory. Upon triage, identify the task scheduled source. Was it schtasks.exe or via TaskService? Review the job created and the Command to be executed. Capture any artifacts on disk and review. Identify any parallel processes within the same timeframe to identify source.'", "data_source": ["Windows Security 4698"], "search": "`wineventlog_security` EventCode=4698 | xmlkv Message | search Command IN (\"*rundll32*\") | stats count min(_time) as firstTime max(_time) as lastTime by dest, Task_Name, Command, Author, Enabled, Hidden, Arguments | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schedule_task_with_rundll32_command_trigger_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the task schedule (Exa. Security Log EventCode 4698) endpoints. Tune and filter known instances of Task schedule used in your environment.", "known_false_positives": "unknown", "references": ["https://labs.vipre.com/trickbot-and-its-modules/", "https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/"], "tags": {"name": "Schedule Task with Rundll32 Command Trigger", "analytic_story": ["Windows Persistence Techniques", "Trickbot", "IcedID", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A schedule task process commandline rundll32 arguments $Arguments$ in host $dest$", "mitre_attack_id": ["T1053"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "Task_Name", "Command", "Author", "Enabled", "Hidden", "Arguments"], "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/tasksched/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "schedule_task_with_rundll32_command_trigger_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Scheduled Task Creation on Remote Endpoint using At", "id": "4be54858-432f-11ec-8209-3e22fbd008af", "version": 1, "date": "2021-11-11", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `at.exe` with command-line arguments utilized to create a Scheduled Task on a remote endpoint. Red Teams and adversaries alike may abuse the Task Scheduler for lateral movement and remote code execution. The `at.exe` binary internally leverages the AT protocol which was deprecated starting with Windows 8 and Windows Server 2012 but may still work on previous versions of Windows. Furthermore, attackers may enable this protocol on demand by changing a sytem registry key.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=at.exe OR Processes.original_file_name=at.exe) (Processes.process=*\\\\\\\\*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `scheduled_task_creation_on_remote_endpoint_using_at_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints.", "known_false_positives": "Administrators may create scheduled tasks on remote systems, but this activity is usually limited to a small set of hosts or users.", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/at", "https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob?redirectedfrom=MSDN"], "tags": {"name": "Scheduled Task Creation on Remote Endpoint using At", "analytic_story": ["Active Directory Lateral Movement", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A Windows Scheduled Task was created on a remote endpoint from $dest", "mitre_attack_id": ["T1053", "T1053.002"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/lateral_movement/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "scheduled_task_creation_on_remote_endpoint_using_at_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Scheduled Task Deleted Or Created via CMD", "id": "d5af132c-7c17-439c-9d31-13d55340f36c", "version": 6, "date": "2023-04-05", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the creation or deletion of a scheduled task using schtasks.exe with flags - create or delete being passed on the command-line. This has been associated with the Dragonfly threat actor, and the SUNBURST attack against Solarwinds. This analytic replaces \"Scheduled Task used in BadRabbit Ransomware\".", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe (Processes.process=*delete* OR Processes.process=*create*) by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `scheduled_task_deleted_or_created_via_cmd_filter` ", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "It is possible scripts or administrators may trigger this analytic. Filter as needed based on parent process, application.", "references": ["https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://www.joesandbox.com/analysis/691823/0/html"], "tags": {"name": "Scheduled Task Deleted Or Created via CMD", "analytic_story": ["Qakbot", "NOBELIUM Group", "Windows Persistence Techniques", "Winter Vivern", "Prestige Ransomware", "DarkCrystal RAT", "AgentTesla", "Trickbot", "AsyncRAT", "Sandworm Tools", "Living Off The Land", "CISA AA22-257A", "DHS Report TA18-074A", "Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A schedule task process $process_name$ with create or delete commandline $process$ in host $dest$", "mitre_attack_id": ["T1053.005", "T1053"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.parent_process", "Processes.process_name", "Processes.user", "Processes.parent_process_name", "Processes.dest"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "scheduled_task_deleted_or_created_via_cmd_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Scheduled Task Initiation on Remote Endpoint", "id": "95cf4608-4302-11ec-8194-3e22fbd008af", "version": 1, "date": "2021-11-11", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `schtasks.exe` with command-line arguments utilized to start a Scheduled Task on a remote endpoint. Red Teams and adversaries alike may abuse the Task Scheduler for lateral movement and remote code execution.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=schtasks.exe OR Processes.original_file_name=schtasks.exe) (Processes.process=*/s* AND Processes.process=*/run*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `scheduled_task_initiation_on_remote_endpoint_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints.", "known_false_positives": "Administrators may start scheduled tasks on remote systems, but this activity is usually limited to a small set of hosts or users.", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks", "https://attack.mitre.org/techniques/T1053/005/"], "tags": {"name": "Scheduled Task Initiation on Remote Endpoint", "analytic_story": ["Active Directory Lateral Movement", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A Windows Scheduled Task was ran on a remote endpoint from $dest", "mitre_attack_id": ["T1053", "T1053.005"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/lateral_movement/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "scheduled_task_initiation_on_remote_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Schtasks Run Task On Demand", "id": "bb37061e-af1f-11eb-a159-acde48001122", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies an on demand run of a Windows Schedule Task through shell or command-line. This technique has been used by adversaries that force to run their created Schedule Task as their persistence mechanism or for lateral movement as part of their malicious attack to the compromised machine.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"schtasks.exe\" Processes.process = \"*/run*\" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schtasks_run_task_on_demand_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed schtasks.exe may be used.", "known_false_positives": "Administrators may use to debug Schedule Task entries. Filter as needed.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"name": "Schtasks Run Task On Demand", "analytic_story": ["Qakbot", "Industroyer2", "XMRig", "CISA AA22-257A", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A \"on demand\" execution of schedule task process $process_name$ using commandline $process$ in host $dest$", "mitre_attack_id": ["T1053"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.process_id", "Processes.process_name", "Processes.parent_process_name", "Processes.dest", "Processes.user"], "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "schtasks_run_task_on_demand_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/schtasks_run_task_on_demand.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Schtasks scheduling job on remote system", "id": "1297fb80-f42a-4b4a-9c8a-88c066237cf6", "version": 6, "date": "2022-05-23", "author": "David Dorsey, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `schtasks.exe` with command-line arguments utilized to create a Scheduled Task on a remote endpoint. Red Teams and adversaries alike may abuse the Task Scheduler for lateral movement and remote code execution.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = schtasks.exe OR Processes.original_file_name=schtasks.exe) (Processes.process=\"*/create*\" AND Processes.process=\"*/s*\") by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schtasks_scheduling_job_on_remote_system_filter`", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "Administrators may create scheduled tasks on remote systems, but this activity is usually limited to a small set of hosts or users. It is important to validate and investigate as appropriate.", "references": [], "tags": {"name": "Schtasks scheduling job on remote system", "analytic_story": ["Active Directory Lateral Movement", "NOBELIUM Group", "Living Off The Land", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A schedule task process $process_name$ with remote job command-line $process$ in host $dest$ by $user$.", "mitre_attack_id": ["T1053.005", "T1053"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.parent_process_name", "Processes.dest", "Processes.user"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "schtasks_scheduling_job_on_remote_system_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Schtasks used for forcing a reboot", "id": "1297fb80-f42a-4b4a-9c8a-88c066437cf6", "version": 4, "date": "2020-12-07", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "This search looks for flags passed to schtasks.exe on the command-line that indicate that a forced reboot of system is scheduled.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe Processes.process=\"*shutdown*\" Processes.process=\"*/create *\" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schtasks_used_for_forcing_a_reboot_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators may create jobs on systems forcing reboots to perform updates, maintenance, etc.", "references": [], "tags": {"name": "Schtasks used for forcing a reboot", "analytic_story": ["Windows Persistence Techniques", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A schedule task process $process_name$ with force reboot commandline $process$ in host $dest$", "mitre_attack_id": ["T1053.005", "T1053"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.process_name", "Processes.parent_process_name", "Processes.dest", "Processes.user"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/schtask_shutdown/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "schtasks_used_for_forcing_a_reboot_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Screensaver Event Trigger Execution", "id": "58cea3ec-1f6d-11ec-8560-acde48001122", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is developed to detect possible event trigger execution through screensaver registry entry modification for persistence or privilege escalation. This technique was seen in several APT and malware where they put the malicious payload path to the SCRNSAVE.EXE registry key to redirect the execution to their malicious payload path. This TTP is a good indicator that some attacker may modify this entry for their persistence and privilege escalation.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path=\"*\\\\Control Panel\\\\Desktop\\\\SCRNSAVE.EXE*\") by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `screensaver_event_trigger_execution_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "unknown", "references": ["https://attack.mitre.org/techniques/T1546/002/", "https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/privilege-escalation/untitled-3/screensaver"], "tags": {"name": "Screensaver Event Trigger Execution", "analytic_story": ["Hermetic Wiper", "Windows Privilege Escalation", "Windows Persistence Techniques", "Windows Registry Abuse", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "modified/added/deleted registry entry $Registry.registry_path$ in $dest$", "mitre_attack_id": ["T1546", "T1546.002"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.user", "Registry.registry_path", "Registry.registry_key_name", "Registry.registry_value_name"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.002", "mitre_attack_technique": "Screensaver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.002/scrnsave_reg/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "screensaver_event_trigger_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/screensaver_event_trigger_execution.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Script Execution via WMI", "id": "aa73f80d-d728-4077-b226-81ea0c8be589", "version": 4, "date": "2020-03-16", "author": "Rico Valdez, Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "This search looks for scripts launched via WMI.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=scrcons.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `script_execution_via_wmi_filter` ", "how_to_implement": "You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "Although unlikely, administrators may use wmi to launch scripts for legitimate purposes. Filter as needed.", "references": ["https://redcanary.com/blog/child-processes/"], "tags": {"name": "Script Execution via WMI", "analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Installation"], "message": "A wmic.exe process $process_name$ taht execute script in host $dest$", "mitre_attack_id": ["T1047"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.user", "Processes.dest"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/execution_scrcons/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "script_execution_via_wmi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/script_execution_via_wmi.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Sdclt UAC Bypass", "id": "d71efbf6-da63-11eb-8c6e-acde48001122", "version": 3, "date": "2022-11-14", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious sdclt.exe registry modification. This technique is commonly seen when attacker try to bypassed UAC by using sdclt.exe application by modifying some registry that sdclt.exe tries to open or query with payload file path on it to be executed.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path= \"*\\\\Windows\\\\CurrentVersion\\\\App Paths\\\\control.exe*\" OR Registry.registry_path= \"*\\\\exefile\\\\shell\\\\runas\\\\command\\\\*\") (Registry.registry_value_name = \"(Default)\" OR Registry.registry_value_name = \"IsolatedCommand\")) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sdclt_uac_bypass_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "Limited to no false positives are expected.", "references": ["https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/", "https://github.com/hfiref0x/UACME", "https://www.cyborgsecurity.com/cyborg-labs/threat-hunt-deep-dives-user-account-control-bypass-via-registry-modification/"], "tags": {"name": "Sdclt UAC Bypass", "analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Suspicious modification of registry $registry_path$ with possible payload path $registry_value_name$ in $dest$", "mitre_attack_id": ["T1548.002", "T1548"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.user", "Processes.dest", "Processes.process_id", "Processes.process_name", "Processes.process", "Processes.process_path", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_guid", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/uac_bypass/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "sdclt_uac_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/sdclt_uac_bypass.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Sdelete Application Execution", "id": "31702fc0-2682-11ec-85c3-acde48001122", "version": 1, "date": "2021-10-06", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to detect the execution of sdelete.exe application sysinternal tools. This tool is one of the most use tool of malware and adversaries to remove or clear their tracks and artifact in the targetted host. This tool is designed to delete securely a file in file system that remove the forensic evidence on the machine. A good TTP query to check why user execute this application which is not a common practice.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_sdelete` by Processes.process_name Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sdelete_application_execution_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "user may execute and use this application", "references": ["https://app.any.run/tasks/956f50be-2c13-465a-ac00-6224c14c5f89/"], "tags": {"name": "Sdelete Application Execution", "analytic_story": ["Masquerading - Rename System Utilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "message": "sdelete process $process_name$ executed in $dest$", "mitre_attack_id": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/sdelete/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_sdelete", "definition": "(Processes.process_name=sdelete.exe OR Processes.original_file_name=sdelete.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "sdelete_application_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/sdelete_application_execution.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "SearchProtocolHost with no Command Line with Network", "id": "b690df8c-a145-11eb-a38b-acde48001122", "version": 3, "date": "2022-03-15", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies searchprotocolhost.exe with no command line arguments and with a network connection. It is unusual for searchprotocolhost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. searchprotocolhost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=searchprotocolhost.exe by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(searchprotocolhost\\.exe.{0,4}$)\" | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time dest parent_process_name process_name process_path process process_id dest_port C2 | `searchprotocolhost_with_no_command_line_with_network_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `ports` node.", "known_false_positives": "Limited false positives may be present in small environments. Tuning may be required based on parent process.", "references": ["https://github.com/mandiant/red_team_tool_countermeasures/blob/master/rules/PGF/supplemental/hxioc/SUSPICIOUS%20EXECUTION%20OF%20SEARCHPROTOCOLHOST%20(METHODOLOGY).ioc"], "tags": {"name": "SearchProtocolHost with no Command Line with Network", "analytic_story": ["Cobalt Strike"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "A searchprotocolhost.exe process $process_name$ with no commandline in host $dest$", "mitre_attack_id": ["T1055"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "process_name", "process_id", "parent_process_name", "dest_port", "process_path"], "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon_searchprotocolhost.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint", "Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "searchprotocolhost_with_no_command_line_with_network_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "SecretDumps Offline NTDS Dumping Tool", "id": "5672819c-be09-11eb-bbfb-acde48001122", "version": 1, "date": "2021-05-26", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic detects a potential usage of secretsdump.py tool for dumping credentials (ntlm hash) from a copy of ntds.dit and SAM.Security,SYSTEM registrry hive. This technique was seen in some attacker that dump ntlm hashes offline after having a copy of ntds.dit and SAM/SYSTEM/SECURITY registry hive.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"python*.exe\" Processes.process = \"*.py*\" Processes.process = \"*-ntds*\" (Processes.process = \"*-system*\" OR Processes.process = \"*-sam*\" OR Processes.process = \"*-security*\" OR Processes.process = \"*-bootkey*\") by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `secretdumps_offline_ntds_dumping_tool_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "references": ["https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py"], "tags": {"name": "SecretDumps Offline NTDS Dumping Tool", "analytic_story": ["Credential Dumping"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "A secretdump process $process_name$ with secretdump commandline $process$ to dump credentials in host $dest$", "mitre_attack_id": ["T1003.003", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.parent_process_name", "Processes.parent_process", "Processes.dest", "Processes.user", "Processes.process_id", "Processes.process_guid"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/honeypots/casper/datasets1/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "secretdumps_offline_ntds_dumping_tool_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "ServicePrincipalNames Discovery with PowerShell", "id": "13243068-2d38-11ec-8908-acde48001122", "version": 2, "date": "2022-02-26", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies `powershell.exe` usage, using Script Block Logging EventCode 4104, related to querying the domain for Service Principle Names. typically, this is a precursor activity related to kerberoasting or the silver ticket attack. \\\nWhat is a ServicePrincipleName? \\\nA service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name.\\\nThe following analytic identifies the use of KerberosRequestorSecurityToken class within the script block. Using .NET System.IdentityModel.Tokens.KerberosRequestorSecurityToken class in PowerShell is the equivelant of using setspn.exe. \\\nDuring triage, review parallel processes for further suspicious activity.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText=\"*KerberosRequestorSecurityToken*\" | stats count min(_time) as firstTime max(_time) as lastTime by ScriptBlockText Opcode Computer UserID EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `serviceprincipalnames_discovery_with_powershell_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited, however filter as needed.", "references": ["https://docs.microsoft.com/en-us/windows/win32/ad/service-principal-names", "https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.kerberosrequestorsecuritytoken?view=netframework-4.8", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting", "https://strontic.github.io/xcyclopedia/library/setspn.exe-5C184D581524245DAD7A0A02B51FD2C2.html", "https://attack.mitre.org/techniques/T1558/003/", "https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spn-setspn-syntax.aspx", "https://web.archive.org/web/20220212163642/https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/", "https://blog.zsec.uk/paving-2-da-wholeset/", "https://msitpros.com/?p=3113", "https://adsecurity.org/?p=3466", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/"], "tags": {"name": "ServicePrincipalNames Discovery with PowerShell", "analytic_story": ["Active Directory Discovery", "Active Directory Kerberos Attacks", "Malicious PowerShell", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $Computer$ by user $UserID$ attempting to identify service principle names.", "mitre_attack_id": ["T1558.003"], "nist": ["DE.CM"], "observable": [{"name": "UserID", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "serviceprincipalnames_discovery_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/serviceprincipalnames_discovery_with_powershell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "ServicePrincipalNames Discovery with SetSPN", "id": "ae8b3efc-2d2e-11ec-8b57-acde48001122", "version": 1, "date": "2021-10-14", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies `setspn.exe` usage related to querying the domain for Service Principle Names. typically, this is a precursor activity related to kerberoasting or the silver ticket attack. \\\nWhat is a ServicePrincipleName? \\\nA service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name.\\\nExample usage includes the following \\\n1. setspn -T offense -Q */* 1. setspn -T attackrange.local -F -Q MSSQLSvc/* 1. setspn -Q */* > allspns.txt 1. setspn -q \\\nValues \\\n1. -F = perform queries at the forest, rather than domain level 1. -T = perform query on the specified domain or forest (when -F is also used) 1. -Q = query for existence of SPN \\\nDuring triage, review parallel processes for further suspicious activity.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_setspn` (Processes.process=\"*-t*\" AND Processes.process=\"*-f*\") OR (Processes.process=\"*-q*\" AND Processes.process=\"**/**\") OR (Processes.process=\"*-q*\") OR (Processes.process=\"*-s*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `serviceprincipalnames_discovery_with_setspn_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be caused by Administrators resetting SPNs or querying for SPNs. Filter as needed.", "references": ["https://docs.microsoft.com/en-us/windows/win32/ad/service-principal-names", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting", "https://strontic.github.io/xcyclopedia/library/setspn.exe-5C184D581524245DAD7A0A02B51FD2C2.html", "https://attack.mitre.org/techniques/T1558/003/", "https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spn-setspn-syntax.aspx", "https://web.archive.org/web/20220212163642/https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/", "https://blog.zsec.uk/paving-2-da-wholeset/", "https://msitpros.com/?p=3113", "https://adsecurity.org/?p=3466"], "tags": {"name": "ServicePrincipalNames Discovery with SetSPN", "analytic_story": ["Active Directory Discovery", "Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to identify service principle names.", "mitre_attack_id": ["T1558.003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/atomic_red_team/windows-sysmon_setspn.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_setspn", "definition": "(Processes.process_name=setspn.exe OR Processes.original_file_name=setspn.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "serviceprincipalnames_discovery_with_setspn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Services Escalate Exe", "id": "c448488c-b7ec-11eb-8253-acde48001122", "version": 1, "date": "2021-05-18", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of `svc-exe` with Cobalt Strike. The behavior typically follows after an adversary has already gained initial access and is escalating privileges. Using `svc-exe`, a randomly named binary will be downloaded from the remote Teamserver and placed on disk within `C:\\Windows\\400619a.exe`. Following, the binary will be added to the registry under key `HKLM\\System\\CurrentControlSet\\Services\\400619a\\` with multiple keys and values added to look like a legitimate service. Upon loading, `services.exe` will spawn the randomly named binary from `\\\\127.0.0.1\\ADMIN$\\400619a.exe`. The process lineage is completed with `400619a.exe` spawning rundll32.exe, which is the default `spawnto_` value for Cobalt Strike. The `spawnto_` value is arbitrary and may be any process on disk (typically system32/syswow64 binary). The `spawnto_` process will also contain a network connection. During triage, review parallel procesess and identify any additional file modifications.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=services.exe Processes.process_path=*admin$* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `services_escalate_exe_filter`", "how_to_implement": "To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model.", "known_false_positives": "False positives should be limited as `services.exe` should never spawn a process from `ADMIN$`. Filter as needed.", "references": ["https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://attack.mitre.org/techniques/T1548/", "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/index.htm#cshid=1085"], "tags": {"name": "Services Escalate Exe", "analytic_story": ["Cobalt Strike"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 95, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "A service process $parent_process_name$ with process path $process_path$ in host $dest$", "mitre_attack_id": ["T1548"], "nist": ["DE.CM"], "observable": [{"name": "Processes.dest", "type": "Hostname", "role": ["Victim"]}, {"name": "Processes.user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 76, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "services_escalate_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/services_escalate_exe.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Services LOLBAS Execution Process Spawn", "id": "ba9e1954-4c04-11ec-8b74-3e22fbd008af", "version": 1, "date": "2021-11-22", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies `services.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Service Control Manager and creating a remote malicious service, the executed command is spawned as a child process of `services.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of services.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=services.exe) (Processes.process_name IN (\"Regsvcs.exe\", \"Ftp.exe\", \"OfflineScannerShell.exe\", \"Rasautou.exe\", \"Schtasks.exe\", \"Xwizard.exe\", \"Dllhost.exe\", \"Pnputil.exe\", \"Atbroker.exe\", \"Pcwrun.exe\", \"Ttdinject.exe\",\"Mshta.exe\", \"Bitsadmin.exe\", \"Certoc.exe\", \"Ieexec.exe\", \"Microsoft.Workflow.Compiler.exe\", \"Runscripthelper.exe\", \"Forfiles.exe\", \"Msbuild.exe\", \"Register-cimprovider.exe\", \"Tttracer.exe\", \"Ie4uinit.exe\", \"Bash.exe\", \"Hh.exe\", \"SettingSyncHost.exe\", \"Cmstp.exe\", \"Mmc.exe\", \"Stordiag.exe\", \"Scriptrunner.exe\", \"Odbcconf.exe\", \"Extexport.exe\", \"Msdt.exe\", \"WorkFolders.exe\", \"Diskshadow.exe\", \"Mavinject.exe\", \"Regasm.exe\", \"Gpscript.exe\", \"Rundll32.exe\", \"Regsvr32.exe\", \"Msiexec.exe\", \"Wuauclt.exe\", \"Presentationhost.exe\", \"Wmic.exe\", \"Runonce.exe\", \"Syncappvpublishingserver.exe\", \"Verclsid.exe\", \"Infdefaultinstall.exe\", \"Explorer.exe\", \"Installutil.exe\", \"Netsh.exe\", \"Wab.exe\", \"Dnscmd.exe\", \"At.exe\", \"Pcalua.exe\", \"Msconfig.exe\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `services_lolbas_execution_process_spawn_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints.", "known_false_positives": "Legitimate applications may trigger this behavior, filter as needed.", "references": ["https://attack.mitre.org/techniques/T1543/003/", "https://pentestlab.blog/2020/07/21/lateral-movement-services/", "https://lolbas-project.github.io/"], "tags": {"name": "Services LOLBAS Execution Process Spawn", "analytic_story": ["Active Directory Lateral Movement", "Living Off The Land", "Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "message": "Services.exe spawned a LOLBAS process on $dest", "mitre_attack_id": ["T1543", "T1543.003"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement_lolbas/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "services_lolbas_execution_process_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/services_lolbas_execution_process_spawn.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "id": "c2590137-0b08-4985-9ec5-6ae23d92f63d", "version": 8, "date": "2023-04-14", "author": "Steven Dick, Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "Monitor for changes of the ExecutionPolicy in the registry to the values \"unrestricted\" or \"bypass,\" which allows the execution of malicious scripts.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=*Software\\\\Microsoft\\\\Powershell\\\\1\\\\ShellIds\\\\Microsoft.PowerShell* Registry.registry_value_name=ExecutionPolicy (Registry.registry_value_data=Unrestricted OR Registry.registry_value_data=Bypass)) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `set_default_powershell_execution_policy_to_unrestricted_or_bypass_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "Administrators may attempt to change the default execution policy on a system for a variety of reasons. However, setting the policy to \"unrestricted\" or \"bypass\" as this search is designed to identify, would be unusual. Hits should be reviewed and investigated as appropriate.", "references": [], "tags": {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "analytic_story": ["HAFNIUM Group", "Hermetic Wiper", "Credential Dumping", "Malicious PowerShell", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Installation"], "message": "A registry modification in $registry_path$ with reg key $registry_key_name$ and reg value $registry_value_name$ in host $dest$", "mitre_attack_id": ["T1059", "T1059.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "registry_path", "type": "Unknown", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.user", "Processes.dest", "Processes.process_id", "Processes.process_name", "Processes.process", "Processes.process_path", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_guid", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_execution_policy/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "set_default_powershell_execution_policy_to_unrestricted_or_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Shim Database File Creation", "id": "6e4c4588-ba2f-42fa-97e6-9f6f548eaa33", "version": 3, "date": "2020-12-08", "author": "David Dorsey, Splunk", "type": "TTP", "status": "production", "description": "This search looks for shim database files being written to default directories. The sdbinst.exe application is used to install shim database files (.sdb). According to Microsoft, a shim is a small library that transparently intercepts an API, changes the parameters passed, handles the operation itself, or redirects the operation elsewhere.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count values(Filesystem.action) values(Filesystem.file_hash) as file_hash values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path=*Windows\\\\AppPatch\\\\Custom* by Filesystem.file_name Filesystem.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` |`drop_dm_object_name(Filesystem)` | `shim_database_file_creation_filter`", "how_to_implement": "You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.", "known_false_positives": "Because legitimate shim files are created and used all the time, this event, in itself, is not suspicious. However, if there are other correlating events, it may warrant further investigation.", "references": [], "tags": {"name": "Shim Database File Creation", "analytic_story": ["Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A process that possibly write shim database in $file_path$ in host $dest$", "mitre_attack_id": ["T1546.011", "T1546"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_path", "type": "File", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.file_hash", "Filesystem.file_path", "Filesystem.file_name", "Filesystem.dest"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.011", "mitre_attack_technique": "Application Shimming", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN7"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.011/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "shim_database_file_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/shim_database_file_creation.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Shim Database Installation With Suspicious Parameters", "id": "404620de-46d8-48b6-90cc-8a8d7b0876a3", "version": 4, "date": "2020-11-23", "author": "David Dorsey, Splunk", "type": "TTP", "status": "production", "description": "This search detects the process execution and arguments required to silently create a shim database. The sdbinst.exe application is used to install shim database files (.sdb). A shim is a small library which transparently intercepts an API, changes the parameters passed, handles the operation itself, or redirects the operation elsewhere.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = sdbinst.exe by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `shim_database_installation_with_suspicious_parameters_filter`", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "None identified", "references": [], "tags": {"name": "Shim Database Installation With Suspicious Parameters", "analytic_story": ["Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A process $process_name$ that possible create a shim db silently in host $dest$", "mitre_attack_id": ["T1546.011", "T1546"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.parent_process_name", "Processes.dest", "Processes.user"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.011", "mitre_attack_technique": "Application Shimming", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN7"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.011/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "shim_database_installation_with_suspicious_parameters_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Short Lived Scheduled Task", "id": "6fa31414-546e-11ec-adfa-acde48001122", "version": 1, "date": "2021-12-03", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic leverages Windows Security EventCode 4698, `A scheduled task was created` and Windows Security EventCode 4699, `A scheduled task was deleted` to identify scheduled tasks created and deleted in less than 30 seconds. This behavior may represent a lateral movement attack abusing the Task Scheduler to obtain code execution. Red Teams and adversaries alike may abuse the Task Scheduler for lateral movement and remote code execution.", "data_source": ["Windows Security 4698"], "search": " `wineventlog_security` EventCode=4698 OR EventCode=4699 | xmlkv Message | transaction Task_Name startswith=(EventCode=4698) endswith=(EventCode=4699) | eval short_lived=case((duration<30),\"TRUE\") | search short_lived = TRUE | table _time, ComputerName, Account_Name, Command, Task_Name, short_lived | `short_lived_scheduled_task_filter` ", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required.", "known_false_positives": "Although uncommon, legitimate applications may create and delete a Scheduled Task within 30 seconds. Filter as needed.", "references": ["https://attack.mitre.org/techniques/T1053/005/", "https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler"], "tags": {"name": "Short Lived Scheduled Task", "analytic_story": ["Active Directory Lateral Movement", "CISA AA22-257A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A windows scheduled task was created and deleted in 30 seconds on $ComputerName$", "mitre_attack_id": ["T1053.005"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "ComputerName", "Account_Name", "Task_Name", "Description", "Command"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/lateral_movement/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "short_lived_scheduled_task_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/short_lived_scheduled_task.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Short Lived Windows Accounts", "id": "b25f6f62-0782-43c1-b403-083231ffd97d", "version": 2, "date": "2020-07-06", "author": "David Dorsey, Splunk", "type": "TTP", "status": "production", "description": "This search detects accounts that were created and deleted in a short time period.", "data_source": [], "search": "| tstats `security_content_summariesonly` values(All_Changes.result_id) as result_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Change where All_Changes.result_id=4720 OR All_Changes.result_id=4726 by _time span=4h All_Changes.user All_Changes.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(\"All_Changes\")` | search result_id = 4720 result_id=4726 | transaction user connected=false maxspan=240m | table firstTime lastTime count user dest result_id | `short_lived_windows_accounts_filter`", "how_to_implement": "This search requires you to have enabled your Group Management Audit Logs in your Local Windows Security Policy and be ingesting those logs. More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/", "known_false_positives": "It is possible that an administrator created and deleted an account in a short time period. Verifying activity with an administrator is advised.", "references": [], "tags": {"name": "Short Lived Windows Accounts", "analytic_story": ["Account Monitoring and Controls"], "asset_type": "Windows", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "message": "A user account created or delete shortly in host $dest$", "mitre_attack_id": ["T1136.001", "T1136"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.result_id", "All_Changes.user", "All_Changes.dest"], "risk_score": 63, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "Dragonfly", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Change"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "short_lived_windows_accounts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/short_lived_windows_accounts.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "SilentCleanup UAC Bypass", "id": "56d7cfcc-da63-11eb-92d4-acde48001122", "version": 3, "date": "2022-11-14", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious modification of registry that may related to UAC bypassed. This registry will be trigger once the attacker abuse the silentcleanup task schedule to gain high privilege execution that will bypass User control account.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\Environment\\\\windir\" Registry.registry_value_data = \"*.exe*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `silentcleanup_uac_bypass_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "references": ["https://github.com/hfiref0x/UACME", "https://www.intezer.com/blog/malware-analysis/klingon-rat-holding-on-for-dear-life/"], "tags": {"name": "SilentCleanup UAC Bypass", "analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Suspicious modification of registry $registry_path$ with possible payload path $registry_value_name$ in $dest$", "mitre_attack_id": ["T1548.002", "T1548"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.user", "Processes.dest", "Processes.process_id", "Processes.process_name", "Processes.process", "Processes.process_path", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_guid", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/uac_bypass/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "silentcleanup_uac_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/silentcleanup_uac_bypass.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Single Letter Process On Endpoint", "id": "a4214f0b-e01c-41bc-8cc4-d2b71e3056b4", "version": 3, "date": "2020-12-08", "author": "David Dorsey, Splunk", "type": "TTP", "status": "production", "description": "This search looks for process names that consist only of a single letter.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest, Processes.user, Processes.process, Processes.process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | eval process_name_length = len(process_name), endExe = if(substr(process_name, -4) == \".exe\", 1, 0) | search process_name_length=5 AND endExe=1 | table count, firstTime, lastTime, dest, user, process, process_name | `single_letter_process_on_endpoint_filter`", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "Single-letter executables are not always malicious. Investigate this activity with your normal incident-response process.", "references": [], "tags": {"name": "Single Letter Process On Endpoint", "analytic_story": ["DHS Report TA18-074A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "message": "A suspicious process $process_name$ with single letter in host $dest$", "mitre_attack_id": ["T1204", "T1204.002"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.process", "Processes.process_name"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/single_letter_exe/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "single_letter_process_on_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/single_letter_process_on_endpoint.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "SLUI RunAs Elevated", "id": "8d124810-b3e4-11eb-96c7-acde48001122", "version": 1, "date": "2021-05-13", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the Microsoft Software Licensing User Interface Tool, `slui.exe`, elevating access using the `-verb runas` function. This particular bypass utilizes a registry key/value. Identified by two sources, the registry keys are `HKCU\\Software\\Classes\\exefile\\shell` and `HKCU\\Software\\Classes\\launcher.Systemsettings\\Shell\\open\\command`. To simulate this behavior, multiple POC are available. The analytic identifies the use of `runas` by `slui.exe`.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=slui.exe (Processes.process=*-verb* Processes.process=*runas*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `slui_runas_elevated_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Limited false positives should be present as this is not commonly used by legitimate applications.", "references": ["https://www.exploit-db.com/exploits/46998", "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b", "https://gist.github.com/r00t-3xp10it/0c92cd554d3156fd74f6c25660ccc466", "https://www.rapid7.com/db/modules/exploit/windows/local/bypassuac_sluihijack/", "https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations"], "tags": {"name": "SLUI RunAs Elevated", "analytic_story": ["DarkSide Ransomware", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "A slui process $process_name$ with elevated commandline $process$ in host $dest$", "mitre_attack_id": ["T1548.002", "T1548"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/slui/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "slui_runas_elevated_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/slui_runas_elevated.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "SLUI Spawning a Process", "id": "879c4330-b3e0-11eb-b1b1-acde48001122", "version": 1, "date": "2021-05-13", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the Microsoft Software Licensing User Interface Tool, `slui.exe`, spawning a child process. This behavior is associated with publicly known UAC bypass. `slui.exe` is commonly associated with software updates and is most often spawned by `svchost.exe`. The `slui.exe` process should not have child processes, and any processes spawning from it will be running with elevated privileges. During triage, review the child process and additional parallel processes. Identify any file modifications that may have lead to the bypass.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=slui.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `slui_spawning_a_process_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Certain applications may spawn from `slui.exe` that are legitimate. Filtering will be needed to ensure proper monitoring.", "references": ["https://www.exploit-db.com/exploits/46998", "https://www.rapid7.com/db/modules/exploit/windows/local/bypassuac_sluihijack/", "https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations"], "tags": {"name": "SLUI Spawning a Process", "analytic_story": ["DarkSide Ransomware", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "A slui process $parent_process_name$ spawning child process $process_name$ in host $dest$", "mitre_attack_id": ["T1548.002", "T1548"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/slui/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "slui_spawning_a_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/slui_spawning_a_process.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Spike in File Writes", "id": "fdb0f805-74e4-4539-8c00-618927333aae", "version": 3, "date": "2020-03-16", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "experimental", "description": "The search looks for a sharp increase in the number of files written to a particular host", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.action=created by _time span=1h, Filesystem.dest | `drop_dm_object_name(Filesystem)` | eventstats max(_time) as maxtime | stats count as num_data_samples max(eval(if(_time >= relative_time(maxtime, \"-1d@d\"), count, null))) as \"count\" avg(eval(if(_time upperBound) AND num_data_samples >=20, 1, 0) | search isOutlier=1 | `spike_in_file_writes_filter` ", "how_to_implement": "In order to implement this search, you must populate the Endpoint file-system data model node. This is typically populated via endpoint detection and response product, such as Carbon Black or endpoint data sources such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the file system.", "known_false_positives": "It is important to understand that if you happen to install any new applications on your hosts or are copying a large number of files, you can expect to see a large increase of file modifications.", "references": [], "tags": {"name": "Spike in File Writes", "analytic_story": ["SamSam Ransomware", "Ryuk Ransomware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.action", "Filesystem.dest"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "spike_in_file_writes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/spike_in_file_writes.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Spoolsv Spawning Rundll32", "id": "15d905f6-da6b-11eb-ab82-acde48001122", "version": 2, "date": "2021-07-01", "author": "Mauricio Velazco, Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a suspicious child process, `rundll32.exe`, with no command-line arguments being spawned from `spoolsv.exe`. This was identified during our testing of CVE-2021-34527 previously (CVE-2021-1675) or PrintNightmare. Typically, this is not normal behavior for `spoolsv.exe` to spawn a process. During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=spoolsv.exe `process_rundll32` by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_spawning_rundll32_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Limited false positives have been identified. There are limited instances where `rundll32.exe` may be spawned by a legitimate print driver.", "references": ["https://www.truesec.com/hub/blog/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available", "https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "tags": {"name": "Spoolsv Spawning Rundll32", "analytic_story": ["PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "$parent_process$ has spawned $process_name$ on endpoint $ComputerName$. This behavior is suspicious and related to PrintNightmare.", "mitre_attack_id": ["T1547.012", "T1547"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_id", "type": "Process", "role": ["Parent Process", "Attacker"]}, {"name": "process_id", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "cve": ["CVE-2021-34527"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "spoolsv_spawning_rundll32_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-34527", "cvss": 9.0, "summary": "Windows Print Spooler Remote Code Execution Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/spoolsv_spawning_rundll32.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Spoolsv Suspicious Loaded Modules", "id": "a5e451f8-da81-11eb-b245-acde48001122", "version": 2, "date": "2021-07-01", "author": "Mauricio Velazco, Michael Haag, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect suspicious loading of dll in specific path relative to printnightmare exploitation. In this search we try to detect the loaded modules made by spoolsv.exe after the exploitation.", "data_source": ["Sysmon Event ID 7"], "search": "`sysmon` EventCode=7 Image =\"*\\\\spoolsv.exe\" ImageLoaded=\"*\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\*\" ImageLoaded = \"*.dll\" | stats dc(ImageLoaded) as countImgloaded values(ImageLoaded) as ImgLoaded count min(_time) as firstTime max(_time) as lastTime by Image Computer ProcessId EventCode | where countImgloaded >= 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_suspicious_loaded_modules_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "references": ["https://raw.githubusercontent.com/hieuttmmo/sigma/dceb13fe3f1821b119ae495b41e24438bd97e3d0/rules/windows/image_load/sysmon_cve_2021_1675_print_nightmare.yml"], "tags": {"name": "Spoolsv Suspicious Loaded Modules", "analytic_story": ["PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "$Image$ with process id $process_id$ has loaded a driver from $ImageLoaded$ on endpoint $Computer$. This behavior is suspicious and related to PrintNightmare.", "mitre_attack_id": ["T1547.012", "T1547"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_id", "type": "Process Name", "role": ["Parent Process", "Attacker"]}, {"name": "ImageLoaded", "type": "File", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "Computer", "EventCode", "ImageLoaded"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "cve": ["CVE-2021-34527"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "spoolsv_suspicious_loaded_modules_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-34527", "cvss": 9.0, "summary": "Windows Print Spooler Remote Code Execution Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/spoolsv_suspicious_loaded_modules.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Spoolsv Suspicious Process Access", "id": "799b606e-da81-11eb-93f8-acde48001122", "version": 1, "date": "2021-07-01", "author": "Mauricio Velazco, Michael Haag, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies a suspicious behavior related to PrintNightmare, or CVE-2021-34527 previously (CVE-2021-1675), to gain privilege escalation on the vulnerable machine. This exploit attacks a critical Windows Print Spooler Vulnerability to elevate privilege. This detection is to look for suspicious process access made by the spoolsv.exe that may related to the attack.", "data_source": ["Sysmon Event ID 1"], "search": "`sysmon` EventCode=10 SourceImage = \"*\\\\spoolsv.exe\" CallTrace = \"*\\\\Windows\\\\system32\\\\spool\\\\DRIVERS\\\\x64\\\\*\" TargetImage IN (\"*\\\\rundll32.exe\", \"*\\\\spoolsv.exe\") GrantedAccess = 0x1fffff | stats count min(_time) as firstTime max(_time) as lastTime by Computer SourceImage TargetImage GrantedAccess CallTrace EventCode ProcessID| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_suspicious_process_access_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with process access event where SourceImage, TargetImage, GrantedAccess and CallTrace executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of spoolsv.exe.", "known_false_positives": "Unknown. Filter as needed.", "references": ["https://github.com/cube0x0/impacket/commit/73b9466c17761384ece11e1028ec6689abad6818", "https://www.truesec.com/hub/blog/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available", "https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "tags": {"name": "Spoolsv Suspicious Process Access", "analytic_story": ["PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "$SourceImage$ was GrantedAccess open access to $TargetImage$ on endpoint $Computer$. This behavior is suspicious and related to PrintNightmare.", "mitre_attack_id": ["T1068"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}, {"name": "ProcessID", "type": "Process", "role": ["Parent Process"]}, {"name": "TargetImage", "type": "Process Name", "role": ["Target"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "SourceImage", "TargetImage", "GrantedAccess", "CallTrace", "EventCode"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "cve": ["CVE-2021-34527"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "spoolsv_suspicious_process_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-34527", "cvss": 9.0, "summary": "Windows Print Spooler Remote Code Execution Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/spoolsv_suspicious_process_access.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Spoolsv Writing a DLL", "id": "d5bf5cf2-da71-11eb-92c2-acde48001122", "version": 1, "date": "2021-07-01", "author": "Mauricio Velazco, Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a `.dll` being written by `spoolsv.exe`. This was identified during our testing of CVE-2021-34527 previously (CVE-2021-1675) or PrintNightmare. Typically, this is not normal behavior for `spoolsv.exe` to write a `.dll`. Current POC code used will write the suspicious DLL to disk within a path of `\\spool\\drivers\\x64\\`. During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=spoolsv.exe by _time Processes.process_id Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path=\"*\\\\spool\\\\drivers\\\\x64\\\\*\" Filesystem.file_name=\"*.dll\" by _time Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process] | dedup file_create_time | table dest file_create_time, file_name, file_path, process_name | `spoolsv_writing_a_dll_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node.", "known_false_positives": "Unknown.", "references": ["https://www.truesec.com/hub/blog/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available", "https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "tags": {"name": "Spoolsv Writing a DLL", "analytic_story": ["PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "$process_name$ has been identified writing dll's to $file_path$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare.", "mitre_attack_id": ["T1547.012", "T1547"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_id", "type": "Process", "role": ["Child Process"]}, {"name": "file_path", "type": "File", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.dest", "Filesystem.file_create_time", "Filesystem.file_name", "Filesystem.file_path", "Processes.process_name", "Processes.process_id", "Processes.process_name", "Processes.dest"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "cve": ["CVE-2021-34527"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "spoolsv_writing_a_dll_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-34527", "cvss": 9.0, "summary": "Windows Print Spooler Remote Code Execution Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/spoolsv_writing_a_dll.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Spoolsv Writing a DLL - Sysmon", "id": "347fd388-da87-11eb-836d-acde48001122", "version": 1, "date": "2021-07-01", "author": "Mauricio Velazco, Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a `.dll` being written by `spoolsv.exe`. This was identified during our testing of CVE-2021-34527 previously(CVE-2021-1675) or PrintNightmare. Typically, this is not normal behavior for `spoolsv.exe` to write a `.dll`. Current POC code used will write the suspicious DLL to disk within a path of `\\spool\\drivers\\x64\\`. During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events.", "data_source": ["Sysmon Event ID 1"], "search": "`sysmon` EventID=11 process_name=spoolsv.exe file_path=\"*\\\\spool\\\\drivers\\\\x64\\\\*\" file_name=*.dll | stats count min(_time) as firstTime max(_time) as lastTime by dest, UserID, process_name, file_path, file_name, TargetFilename, process_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_writing_a_dll___sysmon_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "Limited false positives. Filter as needed.", "references": ["https://github.com/cube0x0/impacket/commit/73b9466c17761384ece11e1028ec6689abad6818", "https://www.truesec.com/hub/blog/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available", "https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "tags": {"name": "Spoolsv Writing a DLL - Sysmon", "analytic_story": ["PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "$process_name$ has been identified writing dll's to $file_path$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare.", "mitre_attack_id": ["T1547.012", "T1547"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_id", "type": "Process", "role": ["Child Process"]}, {"name": "file_path", "type": "File", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "UserID", "process_name", "file_path", "file_name", "TargetFilename"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "cve": ["CVE-2021-34527"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "spoolsv_writing_a_dll___sysmon_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-34527", "cvss": 9.0, "summary": "Windows Print Spooler Remote Code Execution Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/spoolsv_writing_a_dll___sysmon.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Sqlite Module In Temp Folder", "id": "0f216a38-f45f-11eb-b09c-acde48001122", "version": 1, "date": "2021-08-03", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious file creation of sqlite3.dll in %temp% folder. This behavior was seen in IcedID malware where it download sqlite module to parse browser database like for chrome or firefox to stole browser information related to bank, credit card or credentials.", "data_source": ["Sysmon Event ID 1"], "search": "`sysmon` EventCode=11 (TargetFilename = \"*\\\\sqlite32.dll\" OR TargetFilename = \"*\\\\sqlite64.dll\") (TargetFilename = \"*\\\\temp\\\\*\") |stats count min(_time) as firstTime max(_time) as lastTime by process_name TargetFilename EventCode ProcessId Image | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sqlite_module_in_temp_folder_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "references": ["https://www.cisecurity.org/insights/white-papers/security-primer-icedid"], "tags": {"name": "Sqlite Module In Temp Folder", "analytic_story": ["IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "process $SourceImage$ create a file $TargetImage$ in host $Computer$", "mitre_attack_id": ["T1005"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "process_name", "TargetFilename", "EventCode", "ProcessId", "Image"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1005", "mitre_attack_technique": "Data from Local System", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT37", "APT38", "APT39", "APT41", "Andariel", "Axiom", "BRONZE BUTLER", "CURIUM", "Dark Caracal", "Dragonfly", "FIN6", "FIN7", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HAFNIUM", "Inception", "Ke3chang", "Kimsuky", "LAPSUS$", "Lazarus Group", "LuminousMoth", "Magic Hound", "Patchwork", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Turla", "Windigo", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "sqlite_module_in_temp_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/sqlite_module_in_temp_folder.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Steal or Forge Authentication Certificates Behavior Identified", "id": "87ac670e-bbfd-44ca-b566-44e9f835518d", "version": 1, "date": "2023-05-01", "author": "Michael Haag, Splunk", "type": "Correlation", "status": "production", "description": "This correlation rule focuses on detecting potential threats associated with MITRE ATT&CK T1649 (Steal or Forge Authentication Certificates). The rule is designed to identify instances where 5 or more analytics related to Windows Certificate Services analytic story that are triggered within a specified time frame, which may indicate a potential attack in progress. By aggregating these analytics, security teams can swiftly respond to and investigate any suspicious activities, enhancing their ability to protect critical assets and prevent unauthorized access to sensitive information.", "data_source": [], "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories=\"Windows Certificate Services\" All_Risk.risk_object_type=\"system\" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 5 | `steal_or_forge_authentication_certificates_behavior_identified_filter`", "how_to_implement": "The Windows Certificate Services analytic story must have 5 or more analytics enabled. In addition, ensure data is being logged that is required. Modify the correlation as needed based on volume of noise related to the other analytics.", "known_false_positives": "False positives may be present based on automated tooling or system administrators. Filter as needed.", "references": ["https://research.splunk.com/stories/windows_certificate_services/", "https://attack.mitre.org/techniques/T1649/"], "tags": {"name": "Steal or Forge Authentication Certificates Behavior Identified", "analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "Steal or Forge Authentication Certificates Behavior Identified on $risk_object$.", "mitre_attack_id": ["T1649"], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["All_Risk.analyticstories", "All_Risk.risk_object_type", "All_Risk.risk_object", "All_Risk.annotations.mitre_attack.mitre_tactic", "source"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "atomic_guid": ["290df60e-4b5d-4a5e-b0c7-dc5348ea0c86", "78b274f8-acb0-428b-b1f7-7b0d0e73330a", "7617f689-bbd8-44bc-adcd-6f8968897848"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/risk_certificate_services.log", "source": "certs", "sourcetype": "stash"}]}], "datamodel": ["Risk"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "steal_or_forge_authentication_certificates_behavior_identified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/steal_or_forge_authentication_certificates_behavior_identified.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Sunburst Correlation DLL and Network Event", "id": "701a8740-e8db-40df-9190-5516d3819787", "version": 1, "date": "2020-12-14", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "experimental", "description": "The malware sunburst will load the malicious dll by SolarWinds.BusinessLayerHost.exe. After a period of 12-14 days, the malware will attempt to resolve a subdomain of avsvmcloud.com. This detections will correlate both events.", "data_source": ["Sysmon Event ID 7"], "search": "(`sysmon` EventCode=7 ImageLoaded=*SolarWinds.Orion.Core.BusinessLayer.dll) OR (`sysmon` EventCode=22 QueryName=*avsvmcloud.com) | eventstats dc(EventCode) AS dc_events | where dc_events=2 | stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) AS ImageLoaded values(QueryName) AS QueryName by host | rename host as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `sunburst_correlation_dll_and_network_event_filter` ", "how_to_implement": "This detection relies on sysmon logs with the Event ID 7, Driver loaded. Please tune your sysmon config that you DriverLoad event for SolarWinds.Orion.Core.BusinessLayer.dll is captured by Sysmon. Additionally, you need sysmon logs for Event ID 22, DNS Query. We suggest to run this detection at least once a day over the last 14 days.", "known_false_positives": "unknown", "references": ["https://www.mandiant.com/resources/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor"], "tags": {"name": "Sunburst Correlation DLL and Network Event", "analytic_story": ["NOBELIUM Group"], "asset_type": "Windows", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "tbd", "mitre_attack_id": ["T1203"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ImageLoaded", "QueryName"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1203", "mitre_attack_technique": "Exploitation for Client Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT12", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT41", "Andariel", "Aoqin Dragon", "Axiom", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "Higaisa", "Inception", "Lazarus Group", "Leviathan", "MuddyWater", "Mustang Panda", "Patchwork", "Sandworm Team", "Sidewinder", "TA459", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "admin@338"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "sunburst_correlation_dll_and_network_event_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/sunburst_correlation_dll_and_network_event.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Suspicious Computer Account Name Change", "id": "35a61ed8-61c4-11ec-bc1e-acde48001122", "version": 1, "date": "2021-12-20", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries need to create a new computer account name and rename it to match the name of a domain controller account without the ending '$'. In Windows Active Directory environments, computer account names always end with `$`. This analytic leverages Event Id 4781, `The name of an account was changed`, to identify a computer account rename event with a suspicious name that does not terminate with `$`. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation.", "data_source": ["Windows Security 4781"], "search": "`wineventlog_security` EventCode=4781 Old_Account_Name=\"*$\" New_Account_Name!=\"*$\" | table _time, ComputerName, Account_Name, Old_Account_Name, New_Account_Name | `suspicious_computer_account_name_change_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows event logs from your hosts. In addition, the Splunk Windows TA is needed.", "known_false_positives": "Renaming a computer account name to a name that not end with '$' is highly unsual and may not have any legitimate scenarios.", "references": ["https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287"], "tags": {"name": "Suspicious Computer Account Name Change", "analytic_story": ["sAMAccountName Spoofing and Domain Controller Impersonation", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 100, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "A computer account $Old_Account_Name$ was renamed with a suspicious computer name", "mitre_attack_id": ["T1078", "T1078.002"], "nist": ["DE.CM"], "observable": [{"name": "ComputerName", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ComputerName", "Account_Name", "Old_Account_Name", "New_Account_Name"], "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "cve": ["CVE-2021-42287", "CVE-2021-42278"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "Chimera", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/samaccountname_spoofing/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_computer_account_name_change_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-42287", "cvss": 6.5, "summary": "Active Directory Domain Services Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-42278, CVE-2021-42282, CVE-2021-42291."}, {"id": "CVE-2021-42278", "cvss": 6.5, "summary": "Active Directory Domain Services Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-42282, CVE-2021-42287, CVE-2021-42291."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_computer_account_name_change.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Suspicious Copy on System32", "id": "ce633e56-25b2-11ec-9e76-acde48001122", "version": 1, "date": "2021-10-05", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to detect a suspicious copy of file from systemroot folder of the windows OS. This technique is commonly used by APT or other malware as part of execution (LOLBIN) to run its malicious code using the available legitimate tool in OS. this type of event may seen or may execute of normal user in some instance but this is really a anomaly that needs to be check within the network.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN(\"cmd.exe\", \"powershell*\",\"pwsh.exe\", \"sqlps.exe\", \"sqltoolsps.exe\", \"powershell_ise.exe\") AND `process_copy` AND Processes.process IN(\"*\\\\Windows\\\\System32\\*\", \"*\\\\Windows\\\\SysWow64\\\\*\") AND Processes.process = \"*copy*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `suspicious_copy_on_system32_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "every user may do this event but very un-ussual.", "references": ["https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"name": "Suspicious Copy on System32", "analytic_story": ["Unusual Processes", "Qakbot", "IcedID", "AsyncRAT", "Sandworm Tools", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "execution of copy exe to copy file from $process$ in $dest$", "mitre_attack_id": ["T1036.003", "T1036"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/copy_sysmon/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_copy", "definition": "(Processes.process_name=copy.exe OR Processes.original_file_name=copy.exe OR Processes.process_name=xcopy.exe OR Processes.original_file_name=xcopy.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_copy_on_system32_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_copy_on_system32.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious Curl Network Connection", "id": "3f613dc0-21f2-4063-93b1-5d3c15eef22f", "version": 1, "date": "2021-02-22", "author": "Michael Haag, Splunk", "type": "TTP", "status": "experimental", "description": "The following analytic identifies the use of a curl contacting suspicious remote domains to checkin to Command And Control servers or download further implants. In the context of Silver Sparrow, curl is identified contacting s3.amazonaws.com. This particular behavior is common with MacOS adware-malicious software.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl Processes.process=s3.amazonaws.com by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_curl_network_connection_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Unknown. Filter as needed.", "references": ["https://redcanary.com/blog/clipping-silver-sparrows-wings/", "https://www.marcosantadev.com/manage-plist-files-plistbuddy/"], "tags": {"name": "Suspicious Curl Network Connection", "analytic_story": ["Silver Sparrow", "Ingress Tool Transfer", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command And Control"], "message": "tbd", "mitre_attack_id": ["T1105"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_curl_network_connection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_curl_network_connection.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious DLLHost no Command Line Arguments", "id": "ff61e98c-0337-4593-a78f-72a676c56f26", "version": 4, "date": "2023-03-08", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_dllhost` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(dllhost\\.exe.{0,4}$)\" | `suspicious_dllhost_no_command_line_arguments_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Limited false positives may be present in small environments. Tuning may be required based on parent process.", "references": ["https://raw.githubusercontent.com/threatexpress/malleable-c2/c3385e481159a759f79b8acfe11acf240893b830/jquery-c2.4.2.profile", "https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/"], "tags": {"name": "Suspicious DLLHost no Command Line Arguments", "analytic_story": ["Cobalt Strike"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Suspicious dllhost.exe process with no command line arguments executed on $dest$ by $user$", "mitre_attack_id": ["T1055"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_dllhost", "definition": "(Processes.process_name=dllhost.exe OR Processes.original_file_name=dllhost.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_dllhost_no_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious Driver Loaded Path", "id": "f880acd4-a8f1-11eb-a53b-acde48001122", "version": 1, "date": "2021-04-29", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic will detect suspicious driver loaded paths. This technique is commonly used by malicious software like coin miners (xmrig) to register its malicious driver from notable directories where executable or drivers do not commonly exist. During triage, validate this driver is for legitimate business use. Review the metadata and certificate information. Unsigned drivers from non-standard paths is not normal, but occurs. In addition, review driver loads into `ntoskrnl.exe` for possible other drivers of interest. Long tail analyze drivers by path (outside of default, and in default) for further review.", "data_source": ["Sysmon Event ID 6"], "search": "`sysmon` EventCode=6 ImageLoaded = \"*.sys\" NOT (ImageLoaded IN(\"*\\\\WINDOWS\\\\inf\",\"*\\\\WINDOWS\\\\System32\\\\drivers\\\\*\", \"*\\\\WINDOWS\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\")) | stats min(_time) as firstTime max(_time) as lastTime count by Computer ImageLoaded Hashes IMPHASH Signature Signed | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_driver_loaded_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the driver loaded and Signature from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Limited false positives will be present. Some applications do load drivers", "references": ["https://www.trendmicro.com/vinfo/hk/threat-encyclopedia/malware/trojan.ps1.powtran.a/", "https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/"], "tags": {"name": "Suspicious Driver Loaded Path", "analytic_story": ["XMRig", "CISA AA22-320A", "AgentTesla"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "Suspicious driver $ImageLoaded$ on $Computer$", "mitre_attack_id": ["T1543.003", "T1543"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}, {"name": "ImageLoaded", "type": "File Name", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Computer", "ImageLoaded", "Hashes", "IMPHASH", "Signature", "Signed"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_driver_loaded_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_driver_loaded_path.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Suspicious Event Log Service Behavior", "id": "2b85aa3d-f5f6-4c2e-a081-a09f6e1c2e40", "version": 1, "date": "2021-06-17", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes Windows Event ID 1100 to identify when Windows event log service is shutdown. Note that this is a voluminous analytic that will require tuning or restricted to specific endpoints based on criticality. This event generates every time Windows Event Log service has shut down. It also generates during normal system shutdown. During triage, based on time of day and user, determine if this was planned. If not planned, follow through with reviewing parallel alerts and other data sources to determine what else may have occurred.", "data_source": ["Sysmon Event ID 1"], "search": "(`wineventlog_security` EventCode=1100) | stats count min(_time) as firstTime max(_time) as lastTime by dest Message EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_event_log_service_behavior_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows event logs from your hosts. In addition, the Splunk Windows TA is needed.", "known_false_positives": "It is possible the Event Logging service gets shut down due to system errors or legitimately administration tasks. Filter as needed.", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1100", "https://www.ired.team/offensive-security/defense-evasion/disabling-windows-event-logs-by-suspending-eventlog-service-threads", "https://attack.mitre.org/techniques/T1070/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"], "tags": {"name": "Suspicious Event Log Service Behavior", "analytic_story": ["Windows Log Manipulation", "Ransomware", "Clop Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "The Windows Event Log Service shutdown on $ComputerName$", "mitre_attack_id": ["T1070", "T1070.001"], "nist": ["DE.CM"], "observable": [{"name": "ComputerName", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "dest"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.001/atomic_red_team/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_event_log_service_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_event_log_service_behavior.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Suspicious GPUpdate no Command Line Arguments", "id": "f308490a-473a-40ef-ae64-dd7a6eba284a", "version": 3, "date": "2022-03-15", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies gpupdate.exe with no command line arguments. It is unusual for gpupdate.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. gpupdate.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_gpupdate` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(gpupdate\\.exe.{0,4}$)\" | `suspicious_gpupdate_no_command_line_arguments_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Limited false positives may be present in small environments. Tuning may be required based on parent process.", "references": ["https://raw.githubusercontent.com/xx0hcd/Malleable-C2-Profiles/0ef8cf4556e26f6d4190c56ba697c2159faa5822/crimeware/trick_ryuk.profile", "https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/"], "tags": {"name": "Suspicious GPUpdate no Command Line Arguments", "analytic_story": ["Cobalt Strike"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Suspicious gpupdate.exe process with no command line arguments executed on $dest$ by $user$", "mitre_attack_id": ["T1055"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_gpupdate", "definition": "(Processes.process_name=gpupdate.exe OR Processes.original_file_name=GPUpdate.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_gpupdate_no_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious IcedID Rundll32 Cmdline", "id": "bed761f8-ee29-11eb-8bf3-acde48001122", "version": 2, "date": "2021-07-26", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious rundll32.exe commandline to execute dll file. This technique was seen in IcedID malware to load its payload dll with the following parameter to load encrypted dll payload which is the license.dat.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*/i:* by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_icedid_rundll32_cmdline_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "limitted. this parameter is not commonly used by windows application but can be used by the network operator.", "references": ["https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/"], "tags": {"name": "Suspicious IcedID Rundll32 Cmdline", "analytic_story": ["IcedID", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "rundll32 process $process_name$ with commandline $process$ in host $dest$", "mitre_attack_id": ["T1218", "T1218.011"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_icedid_rundll32_cmdline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_icedid_rundll32_cmdline.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious Image Creation In Appdata Folder", "id": "f6f904c4-1ac0-11ec-806b-acde48001122", "version": 2, "date": "2022-07-07", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious creation of image in appdata folder made by process that also has a file reference in appdata folder. This technique was seen in remcos rat that capture screenshot of the compromised machine and place it in the appdata and will be send to its C2 server. This TTP is really a good indicator to check that process because it is in suspicious folder path and image files are not commonly created by user in this folder path.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=*.exe Processes.process_path=\"*\\\\appdata\\\\Roaming\\\\*\" by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid |join proc_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*.png\",\"*.jpg\",\"*.bmp\",\"*.gif\",\"*.tiff\") Filesystem.file_path= \"*\\\\appdata\\\\Roaming\\\\*\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` |rename process_guid as proc_guid | fields _time dest file_create_time file_name file_path process_name process_path process proc_guid] | `suspicious_image_creation_in_appdata_folder_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "references": ["https://success.trendmicro.com/dcx/s/solution/1123281-remcos-malware-information?language=en_US", "https://blog.malwarebytes.com/threat-intelligence/2021/07/remcos-rat-delivered-via-visual-basic/"], "tags": {"name": "Suspicious Image Creation In Appdata Folder", "analytic_story": ["Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "process $process_name$ creating image file $file_path$ in $dest$", "mitre_attack_id": ["T1113"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "file_create_time", "file_name", "file_path", "process_name", "process_path", "process"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1113", "mitre_attack_technique": "Screen Capture", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT39", "BRONZE BUTLER", "Dark Caracal", "Dragonfly", "FIN7", "GOLD SOUTHFIELD", "Gamaredon Group", "Group5", "Magic Hound", "MuddyWater", "OilRig", "Silence"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_agent/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_image_creation_in_appdata_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious Kerberos Service Ticket Request", "id": "8b1297bc-6204-11ec-b7c4-acde48001122", "version": 1, "date": "2021-12-20", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries will request and obtain a Kerberos Service Ticket (TGS) with a domain controller computer account as the Service Name. This Service Ticket can be then used to take control of the domain controller on the final part of the attack. This analytic leverages Event Id 4769, `A Kerberos service ticket was requested`, to identify an unusual TGS request where the Account_Name requesting the ticket matches the Service_Name field. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation.", "data_source": ["Windows Security 4769"], "search": " `wineventlog_security` EventCode=4769 | eval isSuspicious = if(lower(Service_Name) = lower(mvindex(split(Account_Name,\"@\"),0)+\"$\"),1,0) | where isSuspicious = 1 | table _time, Client_Address, Account_Name, Service_Name, Failure_Code, isSuspicious | `suspicious_kerberos_service_ticket_request_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "We have tested this detection logic with ~2 million 4769 events and did not identify false positives. However, they may be possible in certain environments. Filter as needed.", "references": ["https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/02636893-7a1f-4357-af9a-b672e3e3de13"], "tags": {"name": "Suspicious Kerberos Service Ticket Request", "analytic_story": ["sAMAccountName Spoofing and Domain Controller Impersonation", "Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 100, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "A suspicious Kerberos Service Ticket was requested by $Account_Name$", "mitre_attack_id": ["T1078", "T1078.002"], "nist": ["DE.CM"], "observable": [{"name": "ComputerName", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Service_Name", "Account_Name", "Client_Address", "Failure_Code"], "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "cve": ["CVE-2021-42287", "CVE-2021-42278"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "Chimera", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/samaccountname_spoofing/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_kerberos_service_ticket_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-42287", "cvss": 6.5, "summary": "Active Directory Domain Services Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-42278, CVE-2021-42282, CVE-2021-42291."}, {"id": "CVE-2021-42278", "cvss": 6.5, "summary": "Active Directory Domain Services Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-42282, CVE-2021-42287, CVE-2021-42291."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_kerberos_service_ticket_request.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Suspicious Linux Discovery Commands", "id": "0edd5112-56c9-11ec-b990-acde48001122", "version": 1, "date": "2021-12-06", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "This search, detects execution of suspicious bash commands from various commonly leveraged bash scripts like (AutoSUID, LinEnum, LinPeas) to perform discovery of possible paths of privilege execution, password files, vulnerable directories, executables and file permissions on a Linux host.\\\nThe search logic specifically looks for high number of distinct commands run in a short period of time.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process) values(Processes.process_name) values(Processes.parent_process_name) dc(Processes.process) as distinct_commands dc(Processes.process_name) as distinct_process_names min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where [|inputlookup linux_tool_discovery_process.csv | rename process as Processes.process |table Processes.process] by _time span=5m Processes.user Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| where distinct_commands > 40 AND distinct_process_names > 3| `suspicious_linux_discovery_commands_filter`", "how_to_implement": "This detection search is based on Splunk add-on for Microsoft Sysmon-Linux.(https://splunkbase.splunk.com/app/6176/). Please install this add-on to parse fields correctly and execute detection search. Consider customizing the time window and threshold values according to your environment.", "known_false_positives": "Unless an administrator is using these commands to troubleshoot or audit a system, the execution of these commands should be monitored.", "references": ["https://attack.mitre.org/matrices/enterprise/linux/", "https://attack.mitre.org/techniques/T1059/004/", "https://github.com/IvanGlinkin/AutoSUID", "https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS", "https://github.com/rebootuser/LinEnum"], "tags": {"name": "Suspicious Linux Discovery Commands", "analytic_story": ["Linux Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Installation"], "message": "Suspicious Linux Discovery Commands detected on $dest$", "mitre_attack_id": ["T1059.004"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.parent_process_name", "Processes.user", "Processes.process_name"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.004", "mitre_attack_technique": "Unix Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT41", "Rocke", "TeamTNT"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.004/linux_discovery_tools/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_linux_discovery_commands_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_linux_discovery_commands.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious microsoft workflow compiler rename", "id": "f0db4464-55d9-11eb-ae93-0242ac130002", "version": 4, "date": "2022-04-07", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies a renamed instance of microsoft.workflow.compiler.exe. Microsoft.workflow.compiler.exe is natively found in C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319 and is rarely utilized. When investigating, identify the executed code on disk and review. A spawned child process from microsoft.workflow.compiler.exe is uncommon. In any instance, microsoft.workflow.compiler.exe spawning from an Office product or any living off the land binary is highly suspect.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=microsoft.workflow.compiler.exe AND Processes.original_file_name=Microsoft.Workflow.Compiler.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_microsoft_workflow_compiler_rename_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Although unlikely, some legitimate applications may use a moved copy of microsoft.workflow.compiler.exe, triggering a false positive.", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md#atomic-test-6---microsoftworkflowcompilerexe-payload-execution"], "tags": {"name": "Suspicious microsoft workflow compiler rename", "analytic_story": ["Trusted Developer Utilities Proxy Execution", "Cobalt Strike", "Masquerading - Rename System Utilities", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Suspicious renamed microsoft.workflow.compiler.exe binary ran on $dest$ by $user$", "mitre_attack_id": ["T1036", "T1127", "T1036.003"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_microsoft_workflow_compiler_rename_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious microsoft workflow compiler usage", "id": "9bbc62e8-55d8-11eb-ae93-0242ac130002", "version": 2, "date": "2021-01-12", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies microsoft.workflow.compiler.exe usage. microsoft.workflow.compiler.exe is natively found in C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319 and is rarely utilized. When investigating, identify the executed code on disk and review. It is not a commonly used process by many applications.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_microsoftworkflowcompiler` by Processes.dest Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_microsoft_workflow_compiler_usage_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Although unlikely, limited instances have been identified coming from native Microsoft utilities similar to SCCM.", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Msbuild/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md#atomic-test-6---microsoftworkflowcompilerexe-payload-execution"], "tags": {"name": "Suspicious microsoft workflow compiler usage", "analytic_story": ["Trusted Developer Utilities Proxy Execution", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Suspicious microsoft.workflow.compiler.exe process ran on $dest$ by $user$", "mitre_attack_id": ["T1127"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_microsoftworkflowcompiler", "definition": "(Processes.process_name=microsoft.workflow.compiler.exe OR Processes.original_file_name=Microsoft.Workflow.Compiler.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "suspicious_microsoft_workflow_compiler_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious msbuild path", "id": "f5198224-551c-11eb-ae93-0242ac130002", "version": 3, "date": "2022-03-08", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies msbuild.exe executing from a non-standard path. Msbuild.exe is natively found in C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319 and C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319. Instances of Visual Studio will run a copy of msbuild.exe. A moved instance of MSBuild is suspicious, however there are instances of build applications that will move or use a copy of MSBuild.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_msbuild` AND (Processes.process_path!=*\\\\framework*\\\\v*\\\\*) by Processes.dest Processes.original_file_name Processes.parent_process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `suspicious_msbuild_path_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Some legitimate applications may use a moved copy of msbuild.exe, triggering a false positive. Baselining of MSBuild.exe usage is recommended to better understand it's path usage. Visual Studio runs an instance out of a path that will need to be filtered on.", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Msbuild/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"], "tags": {"name": "Suspicious msbuild path", "analytic_story": ["Trusted Developer Utilities Proxy Execution MSBuild", "Cobalt Strike", "Masquerading - Rename System Utilities", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Msbuild.exe ran from an uncommon path on $dest$ execyted by $user$", "mitre_attack_id": ["T1036", "T1127", "T1036.003", "T1127.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_msbuild", "definition": "(Processes.process_name=msbuild.exe OR Processes.original_file_name=MSBuild.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_msbuild_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_msbuild_path.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious MSBuild Rename", "id": "4006adac-5937-11eb-ae93-0242ac130002", "version": 3, "date": "2022-04-07", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies renamed instances of msbuild.exe executing. Msbuild.exe is natively found in C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319 and C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319. During investigation, identify the code executed and what is executing a renamed instance of MSBuild.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=msbuild.exe AND Processes.original_file_name=MSBuild.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_msbuild_rename_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Although unlikely, some legitimate applications may use a moved copy of msbuild, triggering a false positive.", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Msbuild/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md", "https://github.com/infosecn1nja/MaliciousMacroMSBuild/"], "tags": {"name": "Suspicious MSBuild Rename", "analytic_story": ["Trusted Developer Utilities Proxy Execution MSBuild", "Cobalt Strike", "Masquerading - Rename System Utilities", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Suspicious renamed msbuild.exe binary ran on $dest$ by $user$", "mitre_attack_id": ["T1036", "T1127", "T1036.003", "T1127.001"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_msbuild_rename_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_msbuild_rename.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious MSBuild Spawn", "id": "a115fba6-5514-11eb-ae93-0242ac130002", "version": 2, "date": "2021-01-12", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies wmiprvse.exe spawning msbuild.exe. This behavior is indicative of a COM object being utilized to spawn msbuild from wmiprvse.exe. It is common for MSBuild.exe to be spawned from devenv.exe while using Visual Studio. In this instance, there will be command line arguments and file paths. In a malicious instance, MSBuild.exe will spawn from non-standard processes and have no command line arguments. For example, MSBuild.exe spawning from explorer.exe, powershell.exe is far less common and should be investigated.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=wmiprvse.exe AND `process_msbuild` by Processes.dest Processes.parent_process Processes.original_file_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_msbuild_spawn_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Msbuild/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"], "tags": {"name": "Suspicious MSBuild Spawn", "analytic_story": ["Trusted Developer Utilities Proxy Execution MSBuild", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Suspicious msbuild.exe process executed on $dest$ by $user$", "mitre_attack_id": ["T1127", "T1127.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_msbuild", "definition": "(Processes.process_name=msbuild.exe OR Processes.original_file_name=MSBuild.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_msbuild_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_msbuild_spawn.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious mshta child process", "id": "60023bb6-5500-11eb-ae93-0242ac130002", "version": 1, "date": "2021-01-12", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies child processes spawning from \"mshta.exe\". The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, parent process \"mshta.exe\" and its child process.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=mshta.exe AND (Processes.process_name=powershell.exe OR Processes.process_name=colorcpl.exe OR Processes.process_name=msbuild.exe OR Processes.process_name=microsoft.workflow.compiler.exe OR Processes.process_name=searchprotocolhost.exe OR Processes.process_name=scrcons.exe OR Processes.process_name=cscript.exe OR Processes.process_name=wscript.exe OR Processes.process_name=powershell.exe OR Processes.process_name=cmd.exe) by Processes.dest Processes.parent_process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_mshta_child_process_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.", "references": ["https://github.com/redcanaryco/AtomicTestHarnesses", "https://redcanary.com/blog/introducing-atomictestharnesses/"], "tags": {"name": "Suspicious mshta child process", "analytic_story": ["Suspicious MSHTA Activity", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "suspicious mshta child process detected on host $dest$ by user $user$.", "mitre_attack_id": ["T1218", "T1218.005"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process", "type": "Process Name", "role": ["Parent Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.parent_process_name", "Processes.dest", "Processes.parent_process", "Processes.user"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_mshta_child_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_mshta_child_process.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious mshta spawn", "id": "4d33a488-5b5f-11eb-ae93-0242ac130002", "version": 2, "date": "2021-01-20", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies wmiprvse.exe spawning mshta.exe. This behavior is indicative of a DCOM object being utilized to spawn mshta from wmiprvse.exe or svchost.exe. In this instance, adversaries may use LethalHTA that will spawn mshta.exe from svchost.exe.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=svchost.exe OR Processes.parent_process_name=wmiprvse.exe) AND `process_mshta` by Processes.dest Processes.parent_process Processes.user Processes.original_file_name| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_mshta_spawn_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.", "references": ["https://codewhitesec.blogspot.com/2018/07/lethalhta.html", "https://github.com/redcanaryco/AtomicTestHarnesses", "https://redcanary.com/blog/introducing-atomictestharnesses/"], "tags": {"name": "Suspicious mshta spawn", "analytic_story": ["Suspicious MSHTA Activity", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "mshta.exe spawned by wmiprvse.exe on $dest$", "mitre_attack_id": ["T1218", "T1218.005"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_mshta", "definition": "(Processes.process_name=mshta.exe OR Processes.original_file_name=MSHTA.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "suspicious_mshta_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_mshta_spawn.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious PlistBuddy Usage", "id": "c3194009-e0eb-4f84-87a9-4070f8688f00", "version": 1, "date": "2021-02-22", "author": "Michael Haag, Splunk", "type": "TTP", "status": "experimental", "description": "The following analytic identifies the use of a native MacOS utility, PlistBuddy, creating or modifying a properly list (.plist) file. In the instance of Silver Sparrow, the following commands were executed:\\\n- PlistBuddy -c \"Add :Label string init_verx\" ~/Library/Launchagents/init_verx.plist \\\n- PlistBuddy -c \"Add :RunAtLoad bool true\" ~/Library/Launchagents/init_verx.plist \\\n- PlistBuddy -c \"Add :StartInterval integer 3600\" ~/Library/Launchagents/init_verx.plist \\\n- PlistBuddy -c \"Add :ProgramArguments array\" ~/Library/Launchagents/init_verx.plist \\\n- PlistBuddy -c \"Add :ProgramArguments:0 string /bin/sh\" ~/Library/Launchagents/init_verx.plist \\\n- PlistBuddy -c \"Add :ProgramArguments:1 string -c\" ~/Library/Launchagents/init_verx.plist \\\nUpon triage, capture the property list file being written to disk and review for further indicators. Contain the endpoint and triage further.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=PlistBuddy (Processes.process=*LaunchAgents* OR Processes.process=*RunAtLoad* OR Processes.process=*true*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_plistbuddy_usage_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Some legitimate applications may use PlistBuddy to create or modify property lists and possibly generate false positives. Review the property list being modified or created to confirm.", "references": ["https://www.marcosantadev.com/manage-plist-files-plistbuddy/"], "tags": {"name": "Suspicious PlistBuddy Usage", "analytic_story": ["Silver Sparrow"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "message": "tbd", "mitre_attack_id": ["T1543.001", "T1543"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543.001", "mitre_attack_technique": "Launch Agent", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_plistbuddy_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_plistbuddy_usage.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious PlistBuddy Usage via OSquery", "id": "20ba6c32-c733-4a32-b64e-2688cf231399", "version": 1, "date": "2021-02-22", "author": "Michael Haag, Splunk", "type": "TTP", "status": "experimental", "description": "The following analytic identifies the use of a native MacOS utility, PlistBuddy, creating or modifying a properly list (.plist) file. In the instance of Silver Sparrow, the following commands were executed:\\\n- PlistBuddy -c \"Add :Label string init_verx\" ~/Library/Launchagents/init_verx.plist \\\n- PlistBuddy -c \"Add :RunAtLoad bool true\" ~/Library/Launchagents/init_verx.plist \\\n- PlistBuddy -c \"Add :StartInterval integer 3600\" ~/Library/Launchagents/init_verx.plist \\\n- PlistBuddy -c \"Add :ProgramArguments array\" ~/Library/Launchagents/init_verx.plist \\\n- PlistBuddy -c \"Add :ProgramArguments:0 string /bin/sh\" ~/Library/Launchagents/init_verx.plist \\\n- PlistBuddy -c \"Add :ProgramArguments:1 string -c\" ~/Library/Launchagents/init_verx.plist \\\nUpon triage, capture the property list file being written to disk and review for further indicators. Contain the endpoint and triage further.", "data_source": [], "search": "`osquery_process` \"columns.cmdline\"=\"*LaunchAgents*\" OR \"columns.cmdline\"=\"*RunAtLoad*\" OR \"columns.cmdline\"=\"*true*\" | `suspicious_plistbuddy_usage_via_osquery_filter`", "how_to_implement": "OSQuery must be installed and configured to pick up process events (info at https://osquery.io) as well as using the Splunk OSQuery Add-on https://splunkbase.splunk.com/app/4402. Modify the macro and validate fields are correct.", "known_false_positives": "Some legitimate applications may use PlistBuddy to create or modify property lists and possibly generate false positives. Review the property list being modified or created to confirm.", "references": ["https://www.marcosantadev.com/manage-plist-files-plistbuddy/"], "tags": {"name": "Suspicious PlistBuddy Usage via OSquery", "analytic_story": ["Silver Sparrow"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "message": "tbd", "mitre_attack_id": ["T1543.001", "T1543"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "columns.cmdline"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543.001", "mitre_attack_technique": "Launch Agent", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "datamodel": [], "macros": [{"name": "osquery_process", "definition": "eventtype=\"osquery-process\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_plistbuddy_usage_via_osquery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_plistbuddy_usage_via_osquery.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "id": "3cf0dc36-484d-11ec-a6bc-acde48001122", "version": 2, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic detects a suspicious process making a DNS query via known, abused text-paste web services, VoIP, instant messaging, and digital distribution platforms used to download external files. This technique is abused by adversaries, malware actors, and red teams to download a malicious file on the target host. This is a good TTP indicator for possible initial access techniques. A user will experience false positives if the following instant messaging is allowed or common applications like telegram or discord are allowed in the corporate network.", "data_source": ["Sysmon Event ID 22"], "search": "`sysmon` EventCode=22 QueryName IN (\"*pastebin*\", \"*discord*\", \"*telegram*\", \"*t.me*\") process_name IN (\"cmd.exe\", \"*powershell*\", \"pwsh.exe\", \"wscript.exe\", \"cscript.exe\") | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus process_name QueryResults Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_dns_query_known_abuse_web_services_filter`", "how_to_implement": "This detection relies on sysmon logs with the Event ID 22, DNS Query. We suggest you run this detection at least once a day over the last 14 days.", "known_false_positives": "Noise and false positive can be seen if the following instant messaging is allowed to use within corporate network. In this case, a filter is needed.", "references": ["https://urlhaus.abuse.ch/url/1798923/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"name": "Suspicious Process DNS Query Known Abuse Web Services", "analytic_story": ["Data Destruction", "WhisperGate", "Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation"], "message": "suspicious process $process_name$ has a dns query in $QueryName$ on $Computer$", "mitre_attack_id": ["T1059.005", "T1059"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "QueryName", "QueryStatus", "process_name", "QueryResults", "Computer"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_pastebin_download/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_process_dns_query_known_abuse_web_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_process_dns_query_known_abuse_web_services.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Suspicious Process File Path", "id": "9be25988-ad82-11eb-a14f-acde48001122", "version": 1, "date": "2023-04-25", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic will detect a suspicious process running in a file path where a process is not commonly seen and is most commonly used by malicious software. This behavior has been used by adversaries where they drop and run an exe in a path that is accessible without admin privileges.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_path = \"*\\\\windows\\\\fonts\\\\*\" OR Processes.process_path = \"*\\\\windows\\\\temp\\\\*\" OR Processes.process_path = \"*\\\\users\\\\public\\\\*\" OR Processes.process_path = \"*\\\\windows\\\\debug\\\\*\" OR Processes.process_path = \"*\\\\Users\\\\Administrator\\\\Music\\\\*\" OR Processes.process_path = \"*\\\\Windows\\\\servicing\\\\*\" OR Processes.process_path = \"*\\\\Users\\\\Default\\\\*\" OR Processes.process_path = \"*Recycle.bin*\" OR Processes.process_path = \"*\\\\Windows\\\\Media\\\\*\" OR Processes.process_path = \"\\\\Windows\\\\repair\\\\*\" OR Processes.process_path = \"*\\\\temp\\\\*\" OR Processes.process_path = \"*\\\\PerfLogs\\\\*\" by Processes.parent_process_name Processes.parent_process Processes.process_path Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_file_path_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators may allow execution of specific binaries in non-standard paths. Filter as needed.", "references": ["https://www.trendmicro.com/vinfo/hk/threat-encyclopedia/malware/trojan.ps1.powtran.a/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://twitter.com/pr0xylife/status/1590394227758104576", "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"name": "Suspicious Process File Path", "analytic_story": ["Azorult", "AsyncRAT", "XMRig", "Swift Slicer", "DarkCrystal RAT", "Double Zero Destructor", "Trickbot", "Data Destruction", "LockBit Ransomware", "Prestige Ransomware", "Industroyer2", "Remcos", "RedLine Stealer", "WhisperGate", "IcedID", "Hermetic Wiper", "AgentTesla", "Brute Ratel C4", "Qakbot", "Chaos Ransomware", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "Suspicious process $process_name$ running from a suspicious process path- $process_path$ on host- $dest$", "mitre_attack_id": ["T1543"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_path", "type": "Process Name", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_path", "Processes.dest", "Processes.user"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_process_file_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_process_file_path.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious Process With Discord DNS Query", "id": "4d4332ae-792c-11ec-89c1-acde48001122", "version": 2, "date": "2023-04-14", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic identifies a process making a DNS query to Discord, a well known instant messaging and digital distribution platform. Discord can be abused by adversaries, as seen in the WhisperGate campaign, to host and download malicious. external files. A process resolving a Discord DNS name could be an indicator of malware trying to download files from Discord for further execution.", "data_source": ["Sysmon Event ID 22"], "search": "`sysmon` EventCode=22 QueryName IN (\"*discord*\") Image != \"*\\\\AppData\\\\Local\\\\Discord\\\\*\" AND Image != \"*\\\\Program Files*\" AND Image != \"discord.exe\" | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus process_name QueryResults Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_with_discord_dns_query_filter`", "how_to_implement": "his detection relies on sysmon logs with the Event ID 22, DNS Query.", "known_false_positives": "Noise and false positive can be seen if the following instant messaging is allowed to use within corporate network. In this case, a filter is needed.", "references": ["https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"name": "Suspicious Process With Discord DNS Query", "analytic_story": ["Data Destruction", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation"], "message": "suspicious process $process_name$ has a dns query in $QueryName$ on $Computer$", "mitre_attack_id": ["T1059.005", "T1059"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "QueryName", "QueryStatus", "process_name", "QueryResults", "Computer"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.005/discord_dnsquery/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_process_with_discord_dns_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_process_with_discord_dns_query.yml", "source": "endpoint"}, {"name": "Suspicious Reg exe Process", "id": "a6b3ab4e-dd77-4213-95fa-fc94701995e0", "version": 4, "date": "2020-07-22", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "production", "description": "This search looks for reg.exe being launched from a command prompt not started by the user. When a user launches cmd.exe, the parent process is usually explorer.exe. This search filters out those instances.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name != explorer.exe Processes.process_name =cmd.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest Processes.process_id Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.parent_process_name=cmd.exe Processes.process_name= reg.exe by Processes.parent_process_id Processes.dest Processes.process_name | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename parent_process_id as process_id |dedup process_id| table process_id dest] | `suspicious_reg_exe_process_filter` ", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "It's possible for system administrators to write scripts that exhibit this behavior. If this is the case, the search will need to be modified to filter them out.", "references": ["https://car.mitre.org/wiki/CAR-2013-03-001/"], "tags": {"name": "Suspicious Reg exe Process", "analytic_story": ["Windows Defense Evasion Tactics", "Disabling Security Tools", "DHS Report TA18-074A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to add a registry entry.", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.parent_process_name", "Processes.process_name", "Processes.user", "Processes.parent_process_name", "Processes.dest", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_reg_exe_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_reg_exe_process.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious Regsvr32 Register Suspicious Path", "id": "62732736-6250-11eb-ae93-0242ac130002", "version": 3, "date": "2023-03-02", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "Adversaries may abuse Regsvr32.exe to proxy execution of malicious code by using non-standard file extensions to load DLLs. Upon investigating, look for network connections to remote destinations (internal or external). Review additional parrallel processes and child processes for additional activity.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` Processes.process IN (\"*\\\\appdata\\\\*\", \"*\\\\programdata\\\\*\",\"*\\\\windows\\\\temp\\\\*\") NOT (Processes.process IN (\"*.dll*\", \"*.ax*\", \"*.ocx*\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_regsvr32_register_suspicious_path_filter`", "how_to_implement": "You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints, to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the \"process\" field in the Endpoint data model. Tune the query by filtering additional extensions found to be used by legitimate processes. To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Limited false positives with the query restricted to specified paths. Add more world writeable paths as tuning continues.", "references": ["https://attack.mitre.org/techniques/T1218/010/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/", "https://support.microsoft.com/en-us/topic/how-to-use-the-regsvr32-tool-and-troubleshoot-regsvr32-error-messages-a98d960a-7392-e6fe-d90a-3f4e0cb543e5", "https://any.run/report/f29a7d2ecd3585e1e4208e44bcc7156ab5388725f1d29d03e7699da0d4598e7c/0826458b-5367-45cf-b841-c95a33a01718"], "tags": {"name": "Suspicious Regsvr32 Register Suspicious Path", "analytic_story": ["Suspicious Regsvr32 Activity", "Icedid", "Living Off The Land", "Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to evade detection by using a non-standard file extension.", "mitre_attack_id": ["T1218", "T1218.010"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.010/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_regsvr32", "definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_regsvr32_register_suspicious_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious Rundll32 dllregisterserver", "id": "8c00a385-9b86-4ac0-8932-c9ec3713b159", "version": 2, "date": "2021-02-09", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies rundll32.exe using dllregisterserver on the command line to load a DLL. When a DLL is registered, the DllRegisterServer method entry point in the DLL is invoked. This is typically seen when a DLL is being registered on the system. Not every instance is considered malicious, but it will capture malicious use of it. During investigation, review the parent process and parrellel processes executing. Capture the DLL being loaded and inspect further. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*dllregisterserver* by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_dllregisterserver_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "This is likely to produce false positives and will require some filtering. Tune the query by adding command line paths to known good DLLs, or filtering based on parent process names.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east", "https://github.com/pan-unit42/tweets/blob/master/2020-12-10-IOCs-from-Ursnif-infection-with-Delf-variant.txt", "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/", "https://docs.microsoft.com/en-us/windows/win32/api/olectl/nf-olectl-dllregisterserver?redirectedfrom=MSDN"], "tags": {"name": "Suspicious Rundll32 dllregisterserver", "analytic_story": ["Suspicious Rundll32 Activity", "Living Off The Land", "IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to register a DLL. code", "mitre_attack_id": ["T1218", "T1218.011"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_rundll32_dllregisterserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_rundll32_dllregisterserver.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious Rundll32 no Command Line Arguments", "id": "e451bd16-e4c5-4109-8eb1-c4c6ecf048b4", "version": 3, "date": "2022-03-15", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_rundll32` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(rundll32\\.exe.{0,4}$)\" | `suspicious_rundll32_no_command_line_arguments_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", "https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/"], "tags": {"name": "Suspicious Rundll32 no Command Line Arguments", "analytic_story": ["Suspicious Rundll32 Activity", "Cobalt Strike", "PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Suspicious rundll32.exe process with no command line arguments executed on $dest$ by $user$", "mitre_attack_id": ["T1218", "T1218.011"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2021-34527"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_rundll32_no_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-34527", "cvss": 9.0, "summary": "Windows Print Spooler Remote Code Execution Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious Rundll32 PluginInit", "id": "92d51712-ee29-11eb-b1ae-acde48001122", "version": 2, "date": "2021-07-26", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious rundll32.exe process with plugininit parameter. This technique is commonly seen in IcedID malware to execute its initial dll stager to download another payload to the compromised machine.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*PluginInit* by Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.parent_process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_plugininit_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "third party application may used this dll export name to execute function.", "references": ["https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/"], "tags": {"name": "Suspicious Rundll32 PluginInit", "analytic_story": ["IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "rundll32 process $process_name$ with commandline $process$ in host $dest$", "mitre_attack_id": ["T1218", "T1218.011"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_rundll32_plugininit_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_rundll32_plugininit.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious Rundll32 StartW", "id": "9319dda5-73f2-4d43-a85a-67ce961bddb7", "version": 3, "date": "2021-02-04", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies rundll32.exe executing a DLL function name, Start and StartW, on the command line that is commonly observed with Cobalt Strike x86 and x64 DLL payloads. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64. Typically, the DLL will be written and loaded from a world writeable path or user location. In most instances it will not have a valid certificate (Unsigned). During investigation, review the parent process and other parallel application execution. Capture and triage the DLL in question. In the instance of Cobalt Strike, rundll32.exe is the default process it opens and injects shellcode into. This default process can be changed, but typically is not.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*start* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_startw_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Although unlikely, some legitimate applications may use Start as a function and call it via the command line. Filter as needed.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/index.htm#cshid=1036", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", "https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/"], "tags": {"name": "Suspicious Rundll32 StartW", "analytic_story": ["Suspicious Rundll32 Activity", "Cobalt Strike", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "rundll32.exe running with suspicious parameters on $dest$", "mitre_attack_id": ["T1218", "T1218.011"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_rundll32_startw_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_rundll32_startw.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious Scheduled Task from Public Directory", "id": "7feb7972-7ac3-11eb-bac8-acde48001122", "version": 1, "date": "2021-03-01", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following detection identifies Scheduled Tasks registering (creating a new task) a binary or script to run from a public directory which includes users\\public, \\programdata\\ and \\windows\\temp. Upon triage, review the binary or script in the command line for legitimacy, whether an approved binary/script or not. In addition, capture the binary or script in question and analyze for further behaviors. Identify the source and contain the endpoint.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe (Processes.process=*\\\\users\\\\public\\\\* OR Processes.process=*\\\\programdata\\\\* OR Processes.process=*windows\\\\temp*) Processes.process=*/create* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `suspicious_scheduled_task_from_public_directory_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Limited false positives may be present. Filter as needed by parent process or command line argument.", "references": ["https://attack.mitre.org/techniques/T1053/005/"], "tags": {"name": "Suspicious Scheduled Task from Public Directory", "analytic_story": ["Ransomware", "Ryuk Ransomware", "Windows Persistence Techniques", "Living Off The Land", "Azorult", "DarkCrystal RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "Suspicious scheduled task registered on $dest$", "mitre_attack_id": ["T1053.005", "T1053"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/schtasks/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_scheduled_task_from_public_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious SearchProtocolHost no Command Line Arguments", "id": "f52d2db8-31f9-4aa7-a176-25779effe55c", "version": 3, "date": "2022-03-15", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies searchprotocolhost.exe with no command line arguments. It is unusual for searchprotocolhost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. searchprotocolhost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=searchprotocolhost.exe by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(searchprotocolhost\\.exe.{0,4}$)\" | `suspicious_searchprotocolhost_no_command_line_arguments_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Limited false positives may be present in small environments. Tuning may be required based on parent process.", "references": ["https://github.com/mandiant/red_team_tool_countermeasures/blob/master/rules/PGF/supplemental/hxioc/SUSPICIOUS%20EXECUTION%20OF%20SEARCHPROTOCOLHOST%20(METHODOLOGY).ioc"], "tags": {"name": "Suspicious SearchProtocolHost no Command Line Arguments", "analytic_story": ["Cobalt Strike"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Suspicious searchprotocolhost.exe process with no command line arguments executed on $dest$ by $user$", "mitre_attack_id": ["T1055"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_searchprotocolhost_no_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious SQLite3 LSQuarantine Behavior", "id": "e1997b2e-655f-4561-82fd-aeba8e1c1a86", "version": 1, "date": "2021-02-22", "author": "Michael Haag, Splunk", "type": "TTP", "status": "experimental", "description": "The following analytic identifies the use of a SQLite3 querying the MacOS preferences to identify the original URL the pkg was downloaded from. This particular behavior is common with MacOS adware-malicious software. Upon triage, review other processes in parallel for suspicious activity. Identify any recent package installations.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sqlite3 Processes.process=*LSQuarantine* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_sqlite3_lsquarantine_behavior_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Unknown.", "references": ["https://redcanary.com/blog/clipping-silver-sparrows-wings/", "https://www.marcosantadev.com/manage-plist-files-plistbuddy/"], "tags": {"name": "Suspicious SQLite3 LSQuarantine Behavior", "analytic_story": ["Silver Sparrow"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1074"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1074", "mitre_attack_technique": "Data Staged", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Wizard Spider"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_sqlite3_lsquarantine_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_sqlite3_lsquarantine_behavior.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious Ticket Granting Ticket Request", "id": "d77d349e-6269-11ec-9cfe-acde48001122", "version": 1, "date": "2021-12-21", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries will need to request a Kerberos Ticket Granting Ticket (TGT) on behalf of the newly created and renamed computer account. The TGT request will be preceded by a computer account name event. This analytic leverages Event Id 4781, `The name of an account was changed` and event Id 4768 `A Kerberos authentication ticket (TGT) was requested` to correlate a sequence of events where the new computer account on event id 4781 matches the request account on event id 4768. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation.", "data_source": ["Windows Security 4768"], "search": " `wineventlog_security` (EventCode=4781 Old_Account_Name=\"*$\" New_Account_Name!=\"*$\") OR (EventCode=4768 Account_Name!=\"*$\") | eval RenamedComputerAccount = coalesce(New_Account_Name, mvindex(Account_Name,0)) | transaction RenamedComputerAccount startswith=(EventCode=4781) endswith=(EventCode=4768) | eval short_lived=case((duration<2),\"TRUE\") | search short_lived = TRUE | table _time, ComputerName, EventCode, Account_Name,RenamedComputerAccount, short_lived |`suspicious_ticket_granting_ticket_request_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "A computer account name change event inmediately followed by a kerberos TGT request with matching fields is unsual. However, legitimate behavior may trigger it. Filter as needed.", "references": ["https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287"], "tags": {"name": "Suspicious Ticket Granting Ticket Request", "analytic_story": ["sAMAccountName Spoofing and Domain Controller Impersonation", "Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 100, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "A suspicious TGT was requested was requested", "mitre_attack_id": ["T1078", "T1078.002"], "nist": ["DE.AE"], "observable": [{"name": "ComputerName", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Old_Account_Name", "New_Account_Name", "Account_Name", "ComputerName"], "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "Chimera", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/samaccountname_spoofing/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_ticket_granting_ticket_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_ticket_granting_ticket_request.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Suspicious WAV file in Appdata Folder", "id": "5be109e6-1ac5-11ec-b421-acde48001122", "version": 2, "date": "2022-07-07", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to detect a suspicious creation of .wav file in appdata folder. This behavior was seen in Remcos RAT malware where it put the audio recording in the appdata\\audio folde as part of data collection. this recording can be send to its C2 server as part of its exfiltration to the compromised machine. creation of wav files in this folder path is not a ussual disk place used by user to save audio format file.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=*.exe Processes.process_path=\"*\\\\appdata\\\\Roaming\\\\*\" by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid | join proc_guid, _time [ | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*.wav\") Filesystem.file_path = \"*\\\\appdata\\\\Roaming\\\\*\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` |rename process_guid as proc_guid | fields file_name file_path process_name process_path process dest file_create_time _time proc_guid] | `suspicious_wav_file_in_appdata_folder_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, file_name, file_path and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "references": ["https://success.trendmicro.com/dcx/s/solution/1123281-remcos-malware-information?language=en_US", "https://blog.malwarebytes.com/threat-intelligence/2021/07/remcos-rat-delivered-via-visual-basic/"], "tags": {"name": "Suspicious WAV file in Appdata Folder", "analytic_story": ["Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "process $process_name$ creating image file $file_path$ in $dest$", "mitre_attack_id": ["T1113"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "file_create_time", "file_name", "file_path", "process_name", "process_path", "process"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1113", "mitre_attack_technique": "Screen Capture", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT39", "BRONZE BUTLER", "Dark Caracal", "Dragonfly", "FIN7", "GOLD SOUTHFIELD", "Gamaredon Group", "Group5", "Magic Hound", "MuddyWater", "OilRig", "Silence"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_agent/sysmon_wav.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_wav_file_in_appdata_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_wav_file_in_appdata_folder.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious wevtutil Usage", "id": "2827c0fd-e1be-4868-ae25-59d28e0f9d4f", "version": 4, "date": "2021-10-11", "author": "David Dorsey, Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The wevtutil.exe application is the windows event log utility. This searches for wevtutil.exe with parameters for clearing the application, security, setup, trace or system event logs.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wevtutil.exe Processes.process IN (\"* cl *\", \"*clear-log*\") (Processes.process=\"*System*\" OR Processes.process=\"*Security*\" OR Processes.process=\"*Setup*\" OR Processes.process=\"*Application*\" OR Processes.process=\"*trace*\") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `suspicious_wevtutil_usage_filter`", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "The wevtutil.exe application is a legitimate Windows event log utility. Administrators may use it to manage Windows event logs.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"], "tags": {"name": "Suspicious wevtutil Usage", "analytic_story": ["Windows Log Manipulation", "Ransomware", "Clop Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "kill_chain_phases": ["Exploitation"], "message": "Wevtutil.exe being used to clear Event Logs on $dest$ by $user$", "mitre_attack_id": ["T1070.001", "T1070"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.process_name", "Processes.parent_process_name", "Processes.dest", "Processes.user"], "risk_score": 28, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_wevtutil_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_wevtutil_usage.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious writes to windows Recycle Bin", "id": "b5541828-8ffd-4070-9d95-b3da4de924cb", "version": 4, "date": "2020-07-22", "author": "Rico Valdez, Splunk", "type": "TTP", "status": "production", "description": "This search detects writes to the recycle bin by a process other than explorer.exe.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.file_path) as file_path values(Filesystem.file_name) as file_name FROM datamodel=Endpoint.Filesystem where Filesystem.file_path = \"*$Recycle.Bin*\" by Filesystem.process_id Filesystem.dest | `drop_dm_object_name(\"Filesystem\")`| search [| tstats `security_content_summariesonly` values(Processes.user) as user values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name FROM datamodel=Endpoint.Processes where Processes.process_name != \"explorer.exe\" by Processes.process_id Processes.dest| `drop_dm_object_name(\"Processes\")` | table process_id dest] | `suspicious_writes_to_windows_recycle_bin_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on filesystem and process logs responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` nodes.", "known_false_positives": "Because the Recycle Bin is a hidden folder in modern versions of Windows, it would be unusual for a process other than explorer.exe to write to it. Incidents should be investigated as appropriate.", "references": [], "tags": {"name": "Suspicious writes to windows Recycle Bin", "analytic_story": ["Collection and Staging"], "asset_type": "Windows", "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "kill_chain_phases": ["Exploitation"], "message": "Suspicious writes to windows Recycle Bin process $Processes.process_name$", "mitre_attack_id": ["T1036"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "Processes.process_name", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.file_path", "Filesystem.file_name", "Filesystem.process_id", "Filesystem.dest", "Processes.user", "Processes.process_name", "Processes.parent_process_name", "Processes.process_id", "Processes.dest"], "risk_score": 28, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/write_to_recycle_bin/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_writes_to_windows_recycle_bin_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Svchost LOLBAS Execution Process Spawn", "id": "09e5c72a-4c0d-11ec-aa29-3e22fbd008af", "version": 2, "date": "2021-11-22", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=svchost.exe) (Processes.process_name IN (\"Regsvcs.exe\", \"Ftp.exe\", \"OfflineScannerShell.exe\", \"Rasautou.exe\", \"Schtasks.exe\", \"Xwizard.exe\", \"Pnputil.exe\", \"Atbroker.exe\", \"Pcwrun.exe\", \"Ttdinject.exe\",\"Mshta.exe\", \"Bitsadmin.exe\", \"Certoc.exe\", \"Ieexec.exe\", \"Microsoft.Workflow.Compiler.exe\", \"Runscripthelper.exe\", \"Forfiles.exe\", \"Msbuild.exe\", \"Register-cimprovider.exe\", \"Tttracer.exe\", \"Ie4uinit.exe\", \"Bash.exe\", \"Hh.exe\", \"SettingSyncHost.exe\", \"Cmstp.exe\", \"Stordiag.exe\", \"Scriptrunner.exe\", \"Odbcconf.exe\", \"Extexport.exe\", \"Msdt.exe\", \"WorkFolders.exe\", \"Diskshadow.exe\", \"Mavinject.exe\", \"Regasm.exe\", \"Gpscript.exe\", \"Regsvr32.exe\", \"Msiexec.exe\", \"Wuauclt.exe\", \"Presentationhost.exe\", \"Wmic.exe\", \"Runonce.exe\", \"Syncappvpublishingserver.exe\", \"Verclsid.exe\", \"Infdefaultinstall.exe\", \"Installutil.exe\", \"Netsh.exe\", \"Wab.exe\", \"Dnscmd.exe\", \"At.exe\", \"Pcalua.exe\", \"Msconfig.exe\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `svchost_lolbas_execution_process_spawn_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints.", "known_false_positives": "Legitimate applications may trigger this behavior, filter as needed.", "references": ["https://attack.mitre.org/techniques/T1053/005/", "https://www.ired.team/offensive-security/persistence/t1053-schtask", "https://lolbas-project.github.io/"], "tags": {"name": "Svchost LOLBAS Execution Process Spawn", "analytic_story": ["Active Directory Lateral Movement", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "message": "Svchost.exe spawned a LOLBAS process on $dest$", "mitre_attack_id": ["T1053", "T1053.005"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/lateral_movement_lolbas/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "svchost_lolbas_execution_process_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/svchost_lolbas_execution_process_spawn.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "System Info Gathering Using Dxdiag Application", "id": "f92d74f2-4921-11ec-b685-acde48001122", "version": 1, "date": "2021-11-19", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "This analytic is to detect a suspicious dxdiag.exe process command-line execution. Dxdiag is used to collect the system info of the target host. This technique has been used by Remcos RATS, various actors, and other malware to collect information as part of the recon or collection phase of an attack. This behavior should rarely be seen in a corporate network, but this command line can be used by a network administrator to audit host machine specifications. Thus in some rare cases, this detection will contain false positives in its results. To triage further, analyze what commands were passed after it pipes out the result to a file for further processing.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_dxdiag` AND Processes.process = \"* /t *\" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_info_gathering_using_dxdiag_application_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "This commandline can be used by a network administrator to audit host machine specifications. Thus, a filter is needed.", "references": ["https://app.any.run/tasks/df0baf9f-8baf-4c32-a452-16562ecb19be/"], "tags": {"name": "System Info Gathering Using Dxdiag Application", "analytic_story": ["Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Reconnaissance"], "message": "dxdiag.exe process with commandline $process$ on $dest$", "mitre_attack_id": ["T1592"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/t1592/host_info_dxdiag/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_dxdiag", "definition": "(Processes.process_name=dxdiag.exe OR Processes.original_file_name=dxdiag.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "system_info_gathering_using_dxdiag_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/system_info_gathering_using_dxdiag_application.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "System Information Discovery Detection", "id": "8e99f89e-ae58-4ebc-bf52-ae0b1a277e72", "version": 2, "date": "2021-09-07", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "Detect system information discovery techniques used by attackers to understand configurations of the system to further exploit it.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process=\"*wmic* qfe*\" OR Processes.process=*systeminfo* OR Processes.process=*hostname*) by Processes.user Processes.process_name Processes.process Processes.dest Processes.parent_process_name | `drop_dm_object_name(Processes)` | eventstats dc(process) as dc_processes_by_dest by dest | where dc_processes_by_dest > 2 | stats values(process) as process min(firstTime) as firstTime max(lastTime) as lastTime by user, dest parent_process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_information_discovery_detection_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators debugging servers", "references": ["https://web.archive.org/web/20210119205146/https://oscp.infosecsanyam.in/priv-escalation/windows-priv-escalation"], "tags": {"name": "System Information Discovery Detection", "analytic_story": ["Discovery Techniques"], "asset_type": "Windows", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Potential system information discovery behavior on $dest$ by $User$", "mitre_attack_id": ["T1082"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.user", "Processes.process_name", "Processes.dest"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TeamTNT", "Tropic Trooper", "Turla", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "system_information_discovery_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/system_information_discovery_detection.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "System Processes Run From Unexpected Locations", "id": "a34aae96-ccf8-4aef-952c-3ea21444444d", "version": 6, "date": "2020-12-08", "author": "David Dorsey, Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "This search looks for system processes that typically execute from `C:\\Windows\\System32\\` or `C:\\Windows\\SysWOW64`. This may indicate a malicious process that is trying to hide as a legitimate process.\\\nThis detection utilizes a lookup that is deduped `system32` and `syswow64` directories from Server 2016 and Windows 10.\\\nDuring triage, review the parallel processes - what process moved the native Windows binary? identify any artifacts on disk and review. If a remote destination is contacted, what is the reputation?", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_path !=\"C:\\\\Windows\\\\System32*\" Processes.process_path !=\"C:\\\\Windows\\\\SysWOW64*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_hash | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `is_windows_system_file` | `system_processes_run_from_unexpected_locations_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "This detection may require tuning based on third party applications utilizing native Windows binaries in non-standard paths.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml", "https://attack.mitre.org/techniques/T1036/003/"], "tags": {"name": "System Processes Run From Unexpected Locations", "analytic_story": ["Suspicious Command-Line Executions", "Unusual Processes", "Ransomware", "Masquerading - Rename System Utilities", "Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "A System process $process_name$ is running from $process_path$ on $dest$, potentially non-standard.", "mitre_attack_id": ["T1036", "T1036.003"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}, {"name": "process_path", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_path", "Processes.user", "Processes.dest", "Processes.process_name", "Processes.process_id", "Processes.parent_process_name", "Processes.process_hash"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "is_windows_system_file", "definition": "lookup update=true is_windows_system_file filename as process_name OUTPUT systemFile | search systemFile=true", "description": "This macro limits the output to process names that are in the Windows System directory"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "system_processes_run_from_unexpected_locations_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/system_processes_run_from_unexpected_locations.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "System User Discovery With Query", "id": "ad03bfcf-8a91-4bc2-a500-112993deba87", "version": 1, "date": "2021-09-13", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `query.exe` with command-line arguments utilized to discover the logged user. Red Teams and adversaries alike may leverage `query.exe` to identify system users on a compromised endpoint for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"query.exe\") (Processes.process=*user*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_user_discovery_with_query_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1033/"], "tags": {"name": "System User Discovery With Query", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "System user discovery on $dest$", "mitre_attack_id": ["T1033"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Windshift", "Wizard Spider", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "system_user_discovery_with_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/system_user_discovery_with_query.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "System User Discovery With Whoami", "id": "894fc43e-6f50-47d5-a68b-ee9ee23e18f4", "version": 1, "date": "2023-04-05", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `whoami.exe` without any arguments. This windows native binary prints out the current logged user. Red Teams and adversaries alike may leverage `whoami.exe` to identify system users on a compromised endpoint for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"whoami.exe\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_user_discovery_with_whoami_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1033/"], "tags": {"name": "System User Discovery With Whoami", "analytic_story": ["Winter Vivern", "Active Directory Discovery", "Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "System user discovery on $dest$", "mitre_attack_id": ["T1033"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Windshift", "Wizard Spider", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "system_user_discovery_with_whoami_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/system_user_discovery_with_whoami.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Time Provider Persistence Registry", "id": "5ba382c4-2105-11ec-8d8f-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to detect a suspicious modification of time provider registry for persistence and autostart. This technique can allow the attacker to persist on the compromised host and autostart as soon as the machine boot up. This TTP can be a good indicator of suspicious behavior since this registry is not commonly modified by normal user or even an admin.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `time_provider_persistence_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "references": ["https://pentestlab.blog/2019/10/22/persistence-time-providers/", "https://attack.mitre.org/techniques/T1547/003/"], "tags": {"name": "Time Provider Persistence Registry", "analytic_story": ["Hermetic Wiper", "Windows Privilege Escalation", "Windows Persistence Techniques", "Windows Registry Abuse", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "modified/added/deleted registry entry $Registry.registry_path$ in $dest$", "mitre_attack_id": ["T1547.003", "T1547"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.003", "mitre_attack_technique": "Time Providers", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.003/timeprovider_reg/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "time_provider_persistence_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/time_provider_persistence_registry.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Trickbot Named Pipe", "id": "1804b0a4-a682-11eb-8f68-acde48001122", "version": 1, "date": "2021-04-26", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "this search is to detect potential trickbot infection through the create/connected named pipe to the system. This technique is used by trickbot to communicate to its c2 to post or get command during infection.", "data_source": [], "search": "`sysmon` EventCode IN (17,18) PipeName=\"\\\\pipe\\\\*lacesomepipe\" | stats min(_time) as firstTime max(_time) as lastTime count by Computer user_id EventCode PipeName signature Image process_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `trickbot_named_pipe_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and pipename from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. .", "known_false_positives": "unknown", "references": ["https://labs.vipre.com/trickbot-and-its-modules/", "https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/"], "tags": {"name": "Trickbot Named Pipe", "analytic_story": ["Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Possible Trickbot namedpipe created on $Computer$ by $Image$", "mitre_attack_id": ["T1055"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}, {"name": "Image", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Computer", "user_id", "EventCode", "PipeName", "signature", "Image", "process_id"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/namedpipe/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "trickbot_named_pipe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/trickbot_named_pipe.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "UAC Bypass MMC Load Unsigned Dll", "id": "7f04349c-e30d-11eb-bc7f-acde48001122", "version": 1, "date": "2021-07-12", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious loaded unsigned dll by MMC.exe application. This technique is commonly seen in attacker that tries to bypassed UAC feature or gain privilege escalation. This is done by modifying some CLSID registry that will trigger the mmc.exe to load the dll path", "data_source": ["Sysmon Event ID 7"], "search": "`sysmon` EventCode=7 ImageLoaded = \"*.dll\" Image = \"*\\\\mmc.exe\" Signed=false Company != \"Microsoft Corporation\" | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded Signed ProcessId OriginalFileName Computer EventCode Company | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `uac_bypass_mmc_load_unsigned_dll_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown. all of the dll loaded by mmc.exe is microsoft signed dll.", "references": ["https://offsec.almond.consulting/UAC-bypass-dotnet.html"], "tags": {"name": "UAC Bypass MMC Load Unsigned Dll", "analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Suspicious unsigned $ImageLoaded$ loaded by $Image$ on endpoint $Computer$ with EventCode $EventCode$", "mitre_attack_id": ["T1548.002", "T1548", "T1218.014"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "ImageLoaded", "Signed", "ProcessId", "OriginalFileName", "Computer", "EventCode", "Company"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/uac_bypass/windows-sysmon2.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "uac_bypass_mmc_load_unsigned_dll_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/uac_bypass_mmc_load_unsigned_dll.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "UAC Bypass With Colorui COM Object", "id": "2bcccd20-fc2b-11eb-8d22-acde48001122", "version": 1, "date": "2021-08-13", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a possible uac bypass using the colorui.dll COM Object. this technique was seen in so many malware and ransomware like lockbit where it make use of the colorui.dll COM CLSID to bypass UAC.", "data_source": ["Sysmon Event ID 7"], "search": "`sysmon` EventCode=7 ImageLoaded=\"*\\\\colorui.dll\" process_name != \"colorcpl.exe\" NOT(Image IN(\"*\\\\windows\\\\*\", \"*\\\\program files*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name Computer EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `uac_bypass_with_colorui_com_object_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "not so common. but 3rd part app may load this dll.", "references": ["https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/"], "tags": {"name": "UAC Bypass With Colorui COM Object", "analytic_story": ["Ransomware", "LockBit Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "The following module $ImageLoaded$ was loaded by a non-standard application on endpoint $Computer$ by user $user$.", "mitre_attack_id": ["T1218", "T1218.003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "ImageLoaded", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "ImageLoaded", "process_name", "Computer", "EventCode", "Signed", "ProcessId"], "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.003", "mitre_attack_technique": "CMSTP", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "MuddyWater"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.015/uac_colorui/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "uac_bypass_with_colorui_com_object_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/uac_bypass_with_colorui_com_object.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Uninstall App Using MsiExec", "id": "1fca2b28-f922-11eb-b2dd-acde48001122", "version": 1, "date": "2021-08-09", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious un-installation of application using msiexec. This technique was seen in conti leak tool and script where it tries to uninstall AV product using this commandline. This commandline to uninstall product is not a common practice in enterprise network.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=msiexec.exe Processes.process= \"* /qn *\" Processes.process= \"*/X*\" Processes.process= \"*REBOOT=*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `uninstall_app_using_msiexec_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown.", "references": ["https://threadreaderapp.com/thread/1423361119926816776.html"], "tags": {"name": "Uninstall App Using MsiExec", "analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "process $process_name$ with a cmdline $process$ in host $dest$", "mitre_attack_id": ["T1218.007", "T1218"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.007", "mitre_attack_technique": "Msiexec", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Machete", "Molerats", "Rancor", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/conti/conti_leak/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "uninstall_app_using_msiexec_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/uninstall_app_using_msiexec.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Unknown Process Using The Kerberos Protocol", "id": "c91a0852-9fbb-11ec-af44-acde48001122", "version": 1, "date": "2022-03-09", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a process performing an outbound connection on port 88 used by default by the network authentication protocol Kerberos. Typically, on a regular Windows endpoint, only the lsass.exe process is the one tasked with connecting to the Kerberos Distribution Center to obtain Kerberos tickets. Identifying an unknown process using this protocol may be evidence of an adversary abusing the Kerberos protocol.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name!=lsass.exe by _time Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port = 88 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` ] | table _time dest parent_process_name process_name process_path process process_id dest_port | `unknown_process_using_the_kerberos_protocol_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting your endpoint events and populating the Endpoint and Network data models.", "known_false_positives": "Custom applications may leverage the Kerberos protocol. Filter as needed.", "references": ["https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/", "https://www.thehacker.recipes/ad/movement/kerberos/ptk"], "tags": {"name": "Unknown Process Using The Kerberos Protocol", "analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "", "mitre_attack_id": ["T1550"], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "dest_ip", "type": "IP Address", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Traffic.dest_ip", "All_Traffic.dest_port", "All_Traffic.src_ip", "Processes.process_id", "Processes.process_name", "Processes.dest", "Processes.process_path", "Processes.process", "Processes.parent_process_name"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550/rubeus/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog"}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550/rubeus/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint", "Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "unknown_process_using_the_kerberos_protocol_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Unload Sysmon Filter Driver", "id": "e5928ff3-23eb-4d8b-b8a4-dcbc844fdfbe", "version": 4, "date": "2022-06-01", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "Attackers often disable security tools to avoid detection. This search looks for the usage of process `fltMC.exe` to unload a Sysmon Driver that will stop sysmon from collecting the data.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fltMC.exe AND Processes.process=*unload* AND Processes.process=*SysmonDrv* by Processes.process_name Processes.process_id Processes.parent_process_name Processes.process Processes.dest Processes.user | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` |`unload_sysmon_filter_driver_filter`| table firstTime lastTime dest user count process_name process_id parent_process_name process", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \"process\" field in the Endpoint data model. This search is also shipped with `unload_sysmon_filter_driver_filter` macro, update this macro to filter out false positives.", "known_false_positives": "Unknown at the moment", "references": ["https://www.ired.team/offensive-security/defense-evasion/unloading-sysmon-driver"], "tags": {"name": "Unload Sysmon Filter Driver", "analytic_story": ["Disabling Security Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Possible Sysmon filter driver unloading on $dest$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_name", "Processes.dest", "Processes.user"], "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/unload_sysmon/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "unload_sysmon_filter_driver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/unload_sysmon_filter_driver.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Unloading AMSI via Reflection", "id": "a21e3484-c94d-11eb-b55b-acde48001122", "version": 1, "date": "2023-04-14", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \\\nThis analytic identifies the behavior of AMSI being tampered with. Implemented natively in many frameworks, the command will look similar to `SEtValuE($Null,(New-OBJEct COLlECtionS.GenerIC.HAshSEt{[StrINg]))}$ReF=[ReF].AsSeMbLY.GeTTyPe(\"System.Management.Automation.Amsi\"+\"Utils\")` taken from Powershell-Empire. \\\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = *system.management.automation.amsi* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `unloading_amsi_via_reflection_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Potential for some third party applications to disable AMSI upon invocation. Filter as needed.", "references": ["https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/"], "tags": {"name": "Unloading AMSI via Reflection", "analytic_story": ["Malicious PowerShell", "Hermetic Wiper", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "message": "Possible AMSI Unloading via Reflection using PowerShell on $Computer$", "mitre_attack_id": ["T1562", "T1059.001", "T1059"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "unloading_amsi_via_reflection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/unloading_amsi_via_reflection.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Unusual Number of Computer Service Tickets Requested", "id": "ac3b81c0-52f4-11ec-ac44-acde48001122", "version": 1, "date": "2021-12-01", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "experimental", "description": "The following hunting analytic leverages Event ID 4769, `A Kerberos service ticket was requested`, to identify an unusual number of computer service ticket requests from one source. When a domain joined endpoint connects to a remote endpoint, it first will request a Kerberos Ticket with the computer name as the Service Name. An endpoint requesting a large number of computer service tickets for different endpoints could represent malicious behavior like lateral movement, malware staging, reconnaissance, etc.\\\nThe detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of service requests. To customize this analytic, users can try different combinations of the `bucket` span time, the calculation of the `upperBound` field as well as the Outlier calculation. This logic can be used for real time security monitoring as well as threat hunting exercises.\\", "data_source": ["Windows Security 4769"], "search": " `wineventlog_security` EventCode=4769 Service_Name=\"*$\" Account_Name!=\"*$*\" | bucket span=2m _time | stats dc(Service_Name) AS unique_targets values(Service_Name) as host_targets by _time, Client_Address, Account_Name | eventstats avg(unique_targets) as comp_avg , stdev(unique_targets) as comp_std by Client_Address, Account_Name | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_targets >10 and unique_targets >= upperBound, 1, 0) | `unusual_number_of_computer_service_tickets_requested_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "An single endpoint requesting a large number of computer service tickets is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systeams and missconfigured systems.", "references": ["https://attack.mitre.org/techniques/T1078/"], "tags": {"name": "Unusual Number of Computer Service Tickets Requested", "analytic_story": ["Active Directory Lateral Movement", "Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "", "mitre_attack_id": ["T1078"], "nist": ["DE.AE"], "observable": [{"name": "Client_Address", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Ticket_Options", "Ticket_Encryption_Type", "dest", "service", "service_id"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "unusual_number_of_computer_service_tickets_requested_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/unusual_number_of_computer_service_tickets_requested.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Unusual Number of Kerberos Service Tickets Requested", "id": "eb3e6702-8936-11ec-98fe-acde48001122", "version": 1, "date": "2022-02-08", "author": "Mauricio Velazco, Splunk", "type": "Anomaly", "status": "production", "description": "The following hunting analytic leverages Kerberos Event 4769, A Kerberos service ticket was requested, to identify a potential kerberoasting attack against Active Directory networks. Kerberoasting allows an adversary to request kerberos tickets for domain accounts typically used as service accounts and attempt to crack them offline allowing them to obtain privileged access to the domain.\\\nThe detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number service ticket requests. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field.", "data_source": ["Windows Security 4769"], "search": " `wineventlog_security` EventCode=4769 Service_Name!=\"*$\" Ticket_Encryption_Type=0x17 | bucket span=2m _time | stats dc(Service_Name) AS unique_services values(Service_Name) as requested_services by _time, Client_Address | eventstats avg(unique_services) as comp_avg , stdev(unique_services) as comp_std by Client_Address | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_services > 2 and unique_services >= upperBound, 1, 0) | search isOutlier=1 | `unusual_number_of_kerberos_service_tickets_requested_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "An single endpoint requesting a large number of kerberos service tickets is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems.", "references": ["https://attack.mitre.org/techniques/T1558/003/", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting"], "tags": {"name": "Unusual Number of Kerberos Service Tickets Requested", "analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1558", "T1558.003"], "nist": ["DE.AE"], "observable": [{"name": "Client_Address", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Ticket_Options", "Ticket_Encryption_Type", "dest", "Service_Name", "service_id", "Client_Address"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/rubeus/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "unusual_number_of_kerberos_service_tickets_requested_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Unusual Number of Remote Endpoint Authentication Events", "id": "acb5dc74-5324-11ec-a36d-acde48001122", "version": 1, "date": "2021-12-01", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "experimental", "description": "The following hunting analytic leverages Event ID 4624, `An account was successfully logged on`, to identify an unusual number of remote authentication attempts coming from one source. An endpoint authenticating to a large number of remote endpoints could represent malicious behavior like lateral movement, malware staging, reconnaissance, etc.\\\nThe detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual high number of authentication events. To customize this analytic, users can try different combinations of the `bucket` span time, the calculation of the `upperBound` field as well as the Outlier calculation. This logic can be used for real time security monitoring as well as threat hunting exercises.\\", "data_source": ["Windows Security 4624"], "search": " `wineventlog_security` EventCode=4624 Logon_Type=3 Account_Name!=\"*$\" | eval Source_Account = mvindex(Account_Name, 1) | bucket span=2m _time | stats dc(ComputerName) AS unique_targets values(ComputerName) as target_hosts by _time, Source_Network_Address, Source_Account | eventstats avg(unique_targets) as comp_avg , stdev(unique_targets) as comp_std by Source_Network_Address, Source_Account | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_targets >10 and unique_targets >= upperBound, 1, 0) | `unusual_number_of_remote_endpoint_authentication_events_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "An single endpoint authenticating to a large number of hosts is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, jump servers and missconfigured systems.", "references": ["https://attack.mitre.org/techniques/T1078/"], "tags": {"name": "Unusual Number of Remote Endpoint Authentication Events", "analytic_story": ["Active Directory Lateral Movement", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "", "mitre_attack_id": ["T1078"], "nist": ["DE.AE"], "observable": [{"name": "ComputerName", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Logon_Type", "Caller_Process_Name", "Security_ID", "Account_Name", "ComputerName"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "unusual_number_of_remote_endpoint_authentication_events_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/unusual_number_of_remote_endpoint_authentication_events.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Unusually Long Command Line", "id": "c77162d3-f93c-45cc-80c8-22f6a4264e7f", "version": 5, "date": "2020-12-08", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "experimental", "description": "Command lines that are extremely long may be indicative of malicious activity on your hosts.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| eval processlen=len(process) | eventstats stdev(processlen) as stdev, avg(processlen) as avg by dest | stats max(processlen) as maxlen, values(stdev) as stdevperhost, values(avg) as avgperhost by dest, user, process_name, process | `unusually_long_command_line_filter` |eval threshold = 3 | where maxlen > ((threshold*stdevperhost) + avgperhost)", "how_to_implement": "You must be ingesting endpoint data that tracks process activity, including parent-child relationships, from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the process field in the Endpoint data model.", "known_false_positives": "Some legitimate applications start with long command lines.", "references": [], "tags": {"name": "Unusually Long Command Line", "analytic_story": ["Suspicious Command-Line Executions", "Unusual Processes", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": [], "message": "Unusually long command line $Processes.process_name$ on $dest$", "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "Processes.process_name", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.user", "Processes.dest", "Processes.process_name", "Processes.process"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "unusually_long_command_line_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/unusually_long_command_line.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Unusually Long Command Line - MLTK", "id": "57edaefa-a73b-45e5-bbae-f39c1473f941", "version": 1, "date": "2019-05-08", "author": "Rico Valdez, Splunk", "type": "Anomaly", "status": "experimental", "description": "Command lines that are extremely long may be indicative of malicious activity on your hosts. This search leverages the Machine Learning Toolkit (MLTK) to help identify command lines with lengths that are unusual for a given user.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| eval processlen=len(process) | search user!=unknown | apply cmdline_pdfmodel threshold=0.01 | rename \"IsOutlier(processlen)\" as isOutlier | search isOutlier > 0 | table firstTime lastTime user dest process_name process processlen count | `unusually_long_command_line___mltk_filter`", "how_to_implement": "You must be ingesting endpoint data that monitors command lines and populates the Endpoint data model in the Processes node. The command-line arguments are mapped to the \"process\" field in the Endpoint data model. In addition, MLTK version >= 4.2 must be installed on your search heads, along with any required dependencies. Finally, the support search \"Baseline of Command Line Length - MLTK\" must be executed before this detection search, as it builds an ML model over the historical data used by this search. It is important that this search is run in the same app context as the associated support search, so that the model created by the support search is available for use. You should periodically re-run the support search to rebuild the model with the latest data available in your environment.", "known_false_positives": "Some legitimate applications use long command lines for installs or updates. You should review identified command lines for legitimacy. You may modify the first part of the search to omit legitimate command lines from consideration. If you are seeing more results than desired, you may consider changing the value of threshold in the search to a smaller value. You should also periodically re-run the support search to re-build the ML model on the latest data. You may get unexpected results if the user identified in the results is not present in the data used to build the associated model.", "references": [], "tags": {"name": "Unusually Long Command Line - MLTK", "analytic_story": ["Suspicious Command-Line Executions", "Unusual Processes", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Ransomware"], "asset_type": "", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.user", "Processes.dest", "Processes.process_name", "Processes.process"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "unusually_long_command_line___mltk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/unusually_long_command_line___mltk.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "User Discovery With Env Vars PowerShell", "id": "0cdf318b-a0dd-47d7-b257-c621c0247de8", "version": 1, "date": "2021-09-13", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `powershell.exe` with command-line arguments that leverage PowerShell environment variables to identify the current logged user. Red Teams and adversaries may leverage this method to identify the logged user on a compromised endpoint for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=\"*$env:UserName*\" OR Processes.process=\"*[System.Environment]::UserName*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `user_discovery_with_env_vars_powershell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1033/"], "tags": {"name": "User Discovery With Env Vars PowerShell", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "System user discovery on $dest$", "mitre_attack_id": ["T1033"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Windshift", "Wizard Spider", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "user_discovery_with_env_vars_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/user_discovery_with_env_vars_powershell.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "User Discovery With Env Vars PowerShell Script Block", "id": "77f41d9e-b8be-47e3-ab35-5776f5ec1d20", "version": 2, "date": "2022-03-22", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the use of PowerShell environment variables to identify the current logged user. Red Teams and adversaries may leverage this method to identify the logged user on a compromised endpoint for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*$env:UserName*\" OR ScriptBlockText = \"*[System.Environment]::UserName*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `user_discovery_with_env_vars_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1033/"], "tags": {"name": "User Discovery With Env Vars PowerShell Script Block", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "System user discovery on $dest$", "mitre_attack_id": ["T1033"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Path", "Message", "OpCode", "ComputerName", "User", "EventCode"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Windshift", "Wizard Spider", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "user_discovery_with_env_vars_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "USN Journal Deletion", "id": "b6e0ff70-b122-4227-9368-4cf322ab43c3", "version": 2, "date": "2018-12-03", "author": "David Dorsey, Splunk", "type": "TTP", "status": "production", "description": "The fsutil.exe application is a legitimate Windows utility used to perform tasks related to the file allocation table (FAT) and NTFS file systems. The update sequence number (USN) change journal provides a log of all changes made to the files on the disk. This search looks for fsutil.exe deleting the USN journal.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fsutil.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process=\"*deletejournal*\" AND process=\"*usn*\" | `usn_journal_deletion_filter`", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "None identified", "references": [], "tags": {"name": "USN Journal Deletion", "analytic_story": ["Windows Log Manipulation", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Possible USN journal deletion on $dest$", "mitre_attack_id": ["T1070"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.parent_process", "Processes.process_name", "Processes.user", "Processes.parent_process_name", "Processes.dest"], "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "usn_journal_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/usn_journal_deletion.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Vbscript Execution Using Wscript App", "id": "35159940-228f-11ec-8a49-acde48001122", "version": 1, "date": "2021-10-01", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to detect a suspicious wscript commandline to execute vbscript. This technique was seen in several malware to execute malicious vbs file using wscript application. commonly vbs script is associated to cscript process and this can be a technique to evade process parent child detections or even some av script emulation system.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = \"wscript.exe\" AND Processes.parent_process = \"*//e:vbscript*\") OR (Processes.process_name = \"wscript.exe\" AND Processes.process = \"*//e:vbscript*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `vbscript_execution_using_wscript_app_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "references": ["https://www.joesandbox.com/analysis/369332/0/html", "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"name": "Vbscript Execution Using Wscript App", "analytic_story": ["FIN7", "Remcos", "AsyncRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "message": "Process name $process_name$ with commandline $process$ to execute vbsscript", "mitre_attack_id": ["T1059.005", "T1059"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.005/vbs_wscript/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "vbscript_execution_using_wscript_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/vbscript_execution_using_wscript_app.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Verclsid CLSID Execution", "id": "61e9a56a-20fa-11ec-8ba3-acde48001122", "version": 1, "date": "2021-09-29", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "This analytic is to detect a possible abuse of verclsid to execute malicious file through generate CLSID. This process is a normal application of windows to verify the CLSID COM object before it is instantiated by Windows Explorer. This hunting query can be a good pivot point to analyze what is he CLSID or COM object pointing too to check if it is a valid application or not.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_verclsid` AND Processes.process=\"*/S*\" Processes.process=\"*/C*\" AND Processes.process=\"*{*\" AND Processes.process=\"*}*\" by Processes.process_name Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `verclsid_clsid_execution_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "windows can used this application for its normal COM object validation.", "references": ["https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5", "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/"], "tags": {"name": "Verclsid CLSID Execution", "analytic_story": ["Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "process $process_name$ to execute possible clsid commandline $process$ in $dest$", "mitre_attack_id": ["T1218.012", "T1218"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.012", "mitre_attack_technique": "Verclsid", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.012/verclsid_exec/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_verclsid", "definition": "(Processes.process_name=verclsid.exe OR Processes.original_file_name=verclsid.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "verclsid_clsid_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/verclsid_clsid_execution.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "W3WP Spawning Shell", "id": "0f03423c-7c6a-11eb-bc47-acde48001122", "version": 2, "date": "2023-04-14", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "This query identifies a shell, PowerShell.exe or Cmd.exe, spawning from W3WP.exe, or IIS. In addition to IIS logs, this behavior with an EDR product will capture potential webshell activity, similar to the HAFNIUM Group abusing CVEs, on publicly available Exchange mail servers. During triage, review the parent process and child process of the shell being spawned. Review the command-line arguments and any file modifications that may occur. Identify additional parallel process, child processes, that may highlight further commands executed. After triaging, work to contain the threat and patch the system that is vulnerable.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=w3wp.exe AND `process_cmd` OR `process_powershell` by Processes.dest Processes.parent_process Processes.original_file_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `w3wp_spawning_shell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Baseline your environment before production. It is possible build systems using IIS will spawn cmd.exe to perform a software build. Filter as needed.", "references": ["https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/", "https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell", "https://www.youtube.com/watch?v=FC6iHw258RI", "https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit#what-should-you-do"], "tags": {"name": "W3WP Spawning Shell", "analytic_story": ["HAFNIUM Group", "CISA AA22-264A", "Hermetic Wiper", "ProxyNotShell", "ProxyShell", "CISA AA22-257A", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation"], "message": "Possible Web Shell execution on $dest$", "mitre_attack_id": ["T1505", "T1505.003"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "cve": ["CVE-2021-34473", "CVE-2021-34523", "CVE-2021-31207"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.003/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "w3wp_spawning_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-34473", "cvss": 10.0, "summary": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31196, CVE-2021-31206."}, {"id": "CVE-2021-34523", "cvss": 7.5, "summary": "Microsoft Exchange Server Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-33768, CVE-2021-34470."}, {"id": "CVE-2021-31207", "cvss": 6.5, "summary": "Microsoft Exchange Server Security Feature Bypass Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/w3wp_spawning_shell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "WBAdmin Delete System Backups", "id": "cd5aed7e-5cea-11eb-ae93-0242ac130002", "version": 1, "date": "2021-01-22", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "This search looks for flags passed to wbadmin.exe (Windows Backup Administrator Tool) that delete backup files. This is typically used by ransomware to prevent recovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wbadmin.exe Processes.process=\"*delete*\" AND (Processes.process=\"*catalog*\" OR Processes.process=\"*systemstatebackup*\") by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `wbadmin_delete_system_backups_filter`", "how_to_implement": "You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. Tune based on parent process names.", "known_false_positives": "Administrators may modify the boot configuration.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md", "https://thedfirreport.com/2020/10/08/ryuks-return/", "https://attack.mitre.org/techniques/T1490/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin"], "tags": {"name": "WBAdmin Delete System Backups", "analytic_story": ["Ryuk Ransomware", "Ransomware", "Prestige Ransomware", "Chaos Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Actions on Objectives"], "message": "System backups deletion on $dest$", "mitre_attack_id": ["T1490"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.parent_process_name", "Processes.dest", "Processes.user"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "wbadmin_delete_system_backups_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/wbadmin_delete_system_backups.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Wbemprox COM Object Execution", "id": "9d911ce0-c3be-11eb-b177-acde48001122", "version": 1, "date": "2021-06-02", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a potential suspicious process loading a COM object from wbemprox.dll or faskprox.dll. The Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. This feature is being abused by several threat actors, adversaries or even red teamers to gain privilege escalation or even to evade detections. This TTP is a good indicator that a process is loading possible known .dll modules that were known for its COM object.", "data_source": ["Sysmon Event ID 7"], "search": "`sysmon` EventCode=7 ImageLoaded IN (\"*\\\\fastprox.dll\", \"*\\\\wbemprox.dll\", \"*\\\\wbemcomn.dll\") NOT (process_name IN (\"wmiprvse.exe\", \"WmiApSrv.exe\", \"unsecapp.exe\")) NOT(Image IN(\"*\\\\windows\\\\*\",\"*\\\\program files*\", \"*\\\\wbem\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name Computer EventCode Signed ProcessId Hashes IMPHASH | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wbemprox_com_object_execution_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "legitimate process that are not in the exception list may trigger this event.", "references": ["https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/"], "tags": {"name": "Wbemprox COM Object Execution", "analytic_story": ["Ransomware", "Revil Ransomware", "LockBit Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Suspicious COM Object Execution on $Computer$", "mitre_attack_id": ["T1218", "T1218.003"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "ImageLoaded", "process_name", "Computer", "EventCode", "Signed", "ProcessId", "Hashes", "IMPHASH"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.003", "mitre_attack_technique": "CMSTP", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "MuddyWater"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/revil/inf2/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wbemprox_com_object_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/wbemprox_com_object_execution.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Wermgr Process Connecting To IP Check Web Services", "id": "ed313326-a0f9-11eb-a89c-acde48001122", "version": 2, "date": "2022-06-01", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "this search is designed to detect suspicious wermgr.exe process that tries to connect to known IP web services. This technique is know for trickbot and other trojan spy malware to recon the infected machine and look for its ip address without so much finger print on the commandline process. Since wermgr.exe is designed for error handling process of windows it is really suspicious that this process is trying to connect to this IP web services cause that maybe cause of some malicious code injection.", "data_source": [], "search": "`sysmon` EventCode =22 process_name = wermgr.exe QueryName IN (\"*wtfismyip.com\", \"*checkip.amazonaws.com\", \"*ipecho.net\", \"*ipinfo.io\", \"*api.ipify.org\", \"*icanhazip.com\", \"*ip.anysrc.com\",\"*api.ip.sb\", \"ident.me\", \"www.myexternalip.com\", \"*zen.spamhaus.org\", \"*cbl.abuseat.org\", \"*b.barracudacentral.org\",\"*dnsbl-1.uceprotect.net\", \"*spam.dnsbl.sorbs.net\") | stats min(_time) as firstTime max(_time) as lastTime count by Image process_name ProcessId QueryName QueryStatus QueryResults Computer EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wermgr_process_connecting_to_ip_check_web_services_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, dns query name process path , and query ststus from your endpoints like EventCode 22. If you are using Sysmon, you must have at least version 12 of the Sysmon TA.", "known_false_positives": "unknown", "references": ["https://labs.vipre.com/trickbot-and-its-modules/", "https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/"], "tags": {"name": "Wermgr Process Connecting To IP Check Web Services", "analytic_story": ["Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Reconnaissance"], "message": "Wermgr.exe process connecting IP location web services on $ComputerName$", "mitre_attack_id": ["T1590", "T1590.005"], "nist": ["DE.CM"], "observable": [{"name": "ComputerName", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "process_path", "process_name", "process_id", "QueryName", "QueryStatus", "QueryResults", "Computer", "EventCode"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1590", "mitre_attack_technique": "Gather Victim Network Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["HAFNIUM"]}, {"mitre_attack_id": "T1590.005", "mitre_attack_technique": "IP Addresses", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["Andariel", "HAFNIUM", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/infection/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wermgr_process_connecting_to_ip_check_web_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/wermgr_process_connecting_to_ip_check_web_services.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Wermgr Process Create Executable File", "id": "ab3bcce0-a105-11eb-973c-acde48001122", "version": 1, "date": "2021-04-19", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "this search is designed to detect potential malicious wermgr.exe process that drops or create executable file. Since wermgr.exe is an application trigger when error encountered in a process, it is really un ussual to this process to drop executable file. This technique is commonly seen in trickbot malware where it injects it code to this process to execute it malicious behavior like downloading other payload", "data_source": ["Sysmon Event ID 1"], "search": "`sysmon` EventCode=11 process_name = \"wermgr.exe\" TargetFilename = \"*.exe\" | stats min(_time) as firstTime max(_time) as lastTime count by Image TargetFilename process_name dest EventCode ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wermgr_process_create_executable_file_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used.", "known_false_positives": "unknown", "references": ["https://labs.vipre.com/trickbot-and-its-modules/", "https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/"], "tags": {"name": "Wermgr Process Create Executable File", "analytic_story": ["Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Wermgr.exe writing executable files on $dest$", "mitre_attack_id": ["T1027"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "TargetFilename", "process_name", "dest", "EventCode", "ProcessId"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/infection/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wermgr_process_create_executable_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/wermgr_process_create_executable_file.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Wermgr Process Spawned CMD Or Powershell Process", "id": "e8fc95bc-a107-11eb-a978-acde48001122", "version": 2, "date": "2021-04-19", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is designed to detect suspicious cmd and powershell process spawned by wermgr.exe process. This suspicious behavior are commonly seen in code injection technique technique like trickbot to execute a shellcode, dll modules to run malicious behavior.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as cmdline min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = \"wermgr.exe\" `process_cmd` OR `process_powershell` by Processes.parent_process_name Processes.original_file_name Processes.parent_process_id Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wermgr_process_spawned_cmd_or_powershell_process_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "references": ["https://labs.vipre.com/trickbot-and-its-modules/", "https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/"], "tags": {"name": "Wermgr Process Spawned CMD Or Powershell Process", "analytic_story": ["Trickbot", "Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation"], "message": "Wermgr.exe spawning suspicious processes on $dest$", "mitre_attack_id": ["T1059"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/infection/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "wermgr_process_spawned_cmd_or_powershell_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Wget Download and Bash Execution", "id": "35682718-5a85-11ec-b8f7-acde48001122", "version": 1, "date": "2021-12-11", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wget (Processes.process=\"*-q *\" OR Processes.process=\"*--quiet*\" AND Processes.process=\"*-O- *\") OR (Processes.process=\"*|*\" AND Processes.process=\"*bash*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wget_download_and_bash_execution_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon for Linux, you will need to ensure mapping is occurring correctly. If the EDR is not parsing the pipe bash in the command-line, modifying the analytic will be required. Add parent process name (Processes.parent_process_name) as needed to filter.", "known_false_positives": "False positives should be limited, however filtering may be required.", "references": ["https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java", "https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://gist.github.com/nathanqthai/01808c569903f41a52e7e7b575caa890"], "tags": {"name": "Wget Download and Bash Execution", "analytic_story": ["Ingress Tool Transfer", "Log4Shell CVE-2021-44228"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Command And Control"], "message": "An instance of $process_name$ was identified on endpoint $dest$ attempting to download a remote file and run it with bash.", "mitre_attack_id": ["T1105"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "cve": ["CVE-2021-44228"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/linux-sysmon_curlwget.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "wget_download_and_bash_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-44228", "cvss": 9.3, "summary": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/wget_download_and_bash_execution.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "id": "6ece9ed0-5f92-4315-889d-48560472b188", "version": 1, "date": "2022-08-24", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a suspicious process enabling the \"SeDebugPrivilege\" privilege token. SeDebugPrivilege allows a process to inspect and adjust the memory of other processes, and has long been a security concern. SeDebugPrivilege allows the token bearer to access any process or thread, regardless of security descriptors, per Palantir. This technique is abused by adversaries to gain debug privileges with their malicious software to be able to access or debug a process to dump credentials or to inject malicious code.", "data_source": ["Windows Security 4703"], "search": "`wineventlog_security` EventCode=4703 EnabledPrivilegeList = \"*SeDebugPrivilege*\" AND NOT(ProcessName IN (\"*\\\\Program File*\", \"*\\\\System32\\\\lsass.exe*\", \"*\\\\SysWOW64\\\\lsass.exe*\", \"*\\\\SysWOW64\\\\svchost.exe*\", \"*\\\\System32\\\\svchost.exe*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer ProcessName ProcessId SubjectDomainName SubjectUserName SubjectUserSid TargetUserName TargetLogonId TargetDomainName EnabledPrivilegeList action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_access_token_manipulation_sedebugprivilege_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4703 EventCode enabled. The Windows TA is also required.", "known_false_positives": "Some native binaries and browser applications may request SeDebugPrivilege. Filter as needed.", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703", "https://devblogs.microsoft.com/oldnewthing/20080314-00/?p=23113", "https://blog.palantir.com/windows-privilege-abuse-auditing-detection-and-defense-3078a403d74e", "https://atomicredteam.io/privilege-escalation/T1134.001/#atomic-test-2---%60sedebugprivilege%60-token-duplication", "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"name": "Windows Access Token Manipulation SeDebugPrivilege", "analytic_story": ["Brute Ratel C4", "AsyncRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "A process $ProcessName$ adjust its privileges with SeDebugPrivilege on $Computer$.", "mitre_attack_id": ["T1134.002", "T1134"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ProcessName", "Security_ID", "action", "result", "Process_ID", "Message", "member_dn", "ComputerName", "user"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1134.002", "mitre_attack_technique": "Create Process with Token", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Lazarus Group", "Turla"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/sedebugprivilege_token/security-xml.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_access_token_manipulation_sedebugprivilege_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Access Token Manipulation Winlogon Duplicate Token Handle", "id": "dda126d7-1d99-4f0b-b72a-4c14031f9398", "version": 1, "date": "2022-08-24", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies a process requesting access to winlogon.exe attempting to duplicate its handle. This technique was seen in several adversaries to gain privileges for their process. Winlogon.exe is the common targeted process of this technique because it contains high privileges and security tokens.", "data_source": ["Sysmon Event ID 1"], "search": "`sysmon` EventCode=10 TargetImage IN(\"*\\\\system32\\\\winlogon.exe*\", \"*\\\\SysWOW64\\\\winlogon.exe*\") GrantedAccess = 0x1040 | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId GrantedAccess CallTrace Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_access_token_manipulation_winlogon_duplicate_token_handle_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "It is possible legitimate applications will request access to winlogon, filter as needed.", "references": ["https://docs.microsoft.com/en-us/windows/win32/api/handleapi/nf-handleapi-duplicatehandle", "https://attack.mitre.org/techniques/T1134/001/"], "tags": {"name": "Windows Access Token Manipulation Winlogon Duplicate Token Handle", "analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "A process $SourceImage$ is duplicating the handle token of winlogon.exe in $Computer$", "mitre_attack_id": ["T1134.001", "T1134"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process Name", "role": ["Parent Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "SourceImage", "TargetImage", "SourceProcessGUID", "TargetProcessGUID", "SourceProcessId", "TargetProcessId", "GrantedAccess", "CallTrace", "Computer", "user_id"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1134.001", "mitre_attack_technique": "Token Impersonation/Theft", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "FIN8"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/brute_duplicate_token/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_access_token_manipulation_winlogon_duplicate_token_handle_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_access_token_manipulation_winlogon_duplicate_token_handle.yml", "source": "endpoint"}, {"name": "Windows Access Token Winlogon Duplicate Handle In Uncommon Path", "id": "b8f7ed6b-0556-4c84-bffd-839c262b0278", "version": 1, "date": "2022-08-24", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a process requesting access in winlogon.exe to duplicate its handle with a non-common or public process source path. This technique was seen where adversaries attempt to gain privileges to their process. This duplicate handle access technique, may refer to a malicious process duplicating the process token of winlogon.exe and using it to a new process instance. Winlogon.exe is the common targeted process of this technique because it contains high privileges and security tokens.", "data_source": ["Sysmon Event ID 1"], "search": "`sysmon` EventCode=10 TargetImage IN(\"*\\\\system32\\\\winlogon.exe*\", \"*\\\\SysWOW64\\\\winlogon.exe*\") AND GrantedAccess = 0x1040 AND NOT (SourceImage IN(\"C:\\\\Windows\\\\*\", \"C:\\\\Program File*\", \"%systemroot%\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId GrantedAccess CallTrace | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_access_token_winlogon_duplicate_handle_in_uncommon_path_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "It is possible legitimate applications will request access to winlogon, filter as needed.", "references": ["https://docs.microsoft.com/en-us/windows/win32/api/handleapi/nf-handleapi-duplicatehandle", "https://attack.mitre.org/techniques/T1134/001/"], "tags": {"name": "Windows Access Token Winlogon Duplicate Handle In Uncommon Path", "analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "a process $SourceImage$ is duplicating the handle token of winlogon.exe in $Computer$", "mitre_attack_id": ["T1134.001", "T1134"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process Name", "role": ["Parent Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "SourceImage", "TargetImage", "SourceProcessGUID", "TargetProcessGUID", "SourceProcessId", "TargetProcessId", "GrantedAccess", "CallTrace", "Computer", "user_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1134.001", "mitre_attack_technique": "Token Impersonation/Theft", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "FIN8"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/brute_duplicate_token/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_access_token_winlogon_duplicate_handle_in_uncommon_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml", "source": "endpoint"}, {"name": "Windows AD AdminSDHolder ACL Modified", "id": "00d877c3-7b7b-443d-9562-6b231e2abab9", "version": 1, "date": "2022-11-15", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the modification of the Access Control List for the AdminSDHolder object within a Windows domain. Specifically, the detection triggers on the addition of a new rule to the existing ACL. AdminSDHolder is an object located in the System Partition in Active Directory and is used as a security template for objects that are members of certain privileged groups. Objects in these groups are enumerated and any objects with security descriptors that dont match the AdminSDHolder ACL are flagged for updating. The Security Descriptor propagator (SDProp) process runs every 60 minutes on the PDC Emulator and re-stamps the object Access Control List (ACL) with the security permissions set on the AdminSDHolder. An adversary who has obtained privileged access to a Windows Domain may modify the AdminSDHolder ACL to establish persistence and allow an unprivileged user to take control of a domain.", "data_source": ["Windows Security 5136"], "search": " `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=nTSecurityDescriptor OperationType=\"%%14674\" ObjectDN=\"CN=AdminSDHolder,CN=System*\" | rex field=AttributeValue max_match=10000 \"A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;(?PS-1-[0-59]-\\d{2}-\\d{8,10}-\\d{8,10}-\\d{8,10}-[1-9]\\d{3})\\)\" | stats values(added_user_sid) by _time, Computer, SubjectUserName, ObjectDN | `windows_ad_adminsdholder_acl_modified_filter`", "how_to_implement": "To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for the AdminSDHolder object in order to log modifications.", "known_false_positives": "Adding new users or groups to the AdminSDHolder ACL is not usual. Filter as needed", "references": ["https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory", "https://social.technet.microsoft.com/wiki/contents/articles/22331.adminsdholder-protected-groups-and-security-descriptor-propagator.aspx", "https://adsecurity.org/?p=1906", "https://pentestlab.blog/2022/01/04/domain-persistence-adminsdholder/", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136", "https://learn.microsoft.com/en-us/windows/win32/secauthz/access-control-lists", "https://medium.com/@cryps1s/detecting-windows-endpoint-compromise-with-sacls-cd748e10950"], "tags": {"name": "Windows AD AdminSDHolder ACL Modified", "analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "The AdminSDHolder domain object has been modified on $Computer$ by $SubjectUserName$", "mitre_attack_id": ["T1546"], "nist": ["DE.CM"], "observable": [{"name": "SubjectUserName", "type": "User", "role": ["Attacker"]}, {"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "AttributeLDAPDisplayName", "OperationType", "ObjectDN", "Computer", "SubjectUserName", "AttributeValue"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546/adminsdholder_modified/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_adminsdholder_acl_modified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_ad_adminsdholder_acl_modified.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows AD Cross Domain SID History Addition", "id": "41bbb371-28ba-439c-bb5c-d9930c28365d", "version": 1, "date": "2022-11-17", "author": "Dean Luxton", "type": "TTP", "status": "production", "description": "The following analytic looks for changes to the sIDHistory AD attribute of user or computer objects within different domains. The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries for inter-domain privilege escalation and persistence.", "data_source": ["Windows Security 4742", "Windows Security 4738"], "search": "`wineventlog_security` (EventCode=4742 OR EventCode=4738) NOT SidHistory IN (\"%%1793\", -) | rex field=SidHistory \"(^%{|^)(?P.*)(\\-|\\\\\\)\" | rex field=TargetSid \"^(?P.*)(\\-|\\\\\\)\" | where SidHistoryMatch!=TargetSidmatch AND SidHistoryMatch!=TargetDomainName | rename TargetSid as userSid | table _time action status host user userSid SidHistory Logon_ID src_user | `windows_ad_cross_domain_sid_history_addition_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting eventcodes `4738` and `4742`. The Advanced Security Audit policy settings `Audit User Account Management` and `Audit Computer Account Management` within `Account Management` all need to be enabled.", "known_false_positives": "Domain mergers and migrations may generate large volumes of false positives for this analytic.", "references": ["https://adsecurity.org/?p=1772", "https://learn.microsoft.com/en-us/windows/win32/adschema/a-sidhistory?redirectedfrom=MSDN", "https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-sid-history-attribute"], "tags": {"name": "Windows AD Cross Domain SID History Addition", "analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "Active Directory SID History Attribute was added to $user$ by $src_user$", "mitre_attack_id": ["T1134.005", "T1134"], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "SidHistory", "TargetSid", "TargetDomainName", "user", "src_user", "Logon_ID"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1134.005", "mitre_attack_technique": "SID-History Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1134.005/mimikatz/windows-security-xml.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_cross_domain_sid_history_addition_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_ad_cross_domain_sid_history_addition.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows AD Domain Controller Audit Policy Disabled", "id": "fc3ccef1-60a4-4239-bd66-b279511b4d14", "version": 1, "date": "2023-01-26", "author": "Dean Luxton", "type": "TTP", "status": "production", "description": "This analytic looks for audit policies being disabled on a domain controller.", "data_source": ["Windows Security 4719"], "search": "`wineventlog_security` EventCode=4719 (AuditPolicyChanges IN (\"%%8448\",\"%%8450\",\"%%8448, %%8450\") OR Changes IN (\"Failure removed\",\"Success removed\",\"Success removed, Failure removed\")) dest_category=\"domain_controller\"| replace \"%%8448\" with \"Success removed\", \"%%8450\" with \"Failure removed\", \"%%8448, %%8450\" with \"Success removed, Failure removed\" in AuditPolicyChanges | eval AuditPolicyChanges=coalesce(AuditPolicyChanges,Changes), SubcategoryGuid=coalesce(SubcategoryGuid,Subcategory_GUID) | stats min(_time) as _time values(host) as dest by AuditPolicyChanges SubcategoryGuid | lookup advanced_audit_policy_guids GUID as SubcategoryGuid OUTPUT Category SubCategory | `windows_ad_domain_controller_audit_policy_disabled_filter`", "how_to_implement": "Ensure you are ingesting EventCode `4719` from your domain controllers, the category domain_controller exists in assets and identities, and that assets and identities is enabled. If A&I is not configured, you will need to manually filter the results within the base search.", "known_false_positives": "Unknown", "references": ["https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4719"], "tags": {"name": "Windows AD Domain Controller Audit Policy Disabled", "analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "GPO $SubCategory$ of $Category$ was disabled on $dest$", "mitre_attack_id": ["T1562.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "AuditPolicyChanges", "SubcategoryGuid"], "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "manual_test": "This search uses a lookup provided by Enterprise Security and needs to be manually tested", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable_gpo/windows-security-xml.log", "source": "XmlWinEventLog:Security", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Change"], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_domain_controller_audit_policy_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "advanced_audit_policy_guids", "description": "List of GUIDs associated with Windows advanced audit policies", "filename": "advanced_audit_policy_guids.csv", "default_match": "false", "match_type": "WILDCARD(GUID)", "min_matches": 1, "case_sensitive_match": "false"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_ad_domain_controller_audit_policy_disabled.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows AD Domain Controller Promotion", "id": "e633a0ef-2a6e-4ed7-b925-5ff999e5d1f0", "version": 1, "date": "2023-01-26", "author": "Dean Luxton", "type": "TTP", "status": "production", "description": "This analytic identifies a genuine DC promotion event. Identifying when a computer assigns itself the necessary SPNs to function as a domain controller. Note these events are triggered on the existing domain controllers, not the newly joined domain controller. This detection will serve to identify rogue DCs added to the network. There are 2x detections within this analytic story which identify DCShadow attacks, if you do not currently possess the logging for these detections, remove the where clause within this detection to identify DCShadow activity.", "data_source": ["Windows Security 4742"], "search": "`wineventlog_security` EventCode=4742 ServicePrincipalNames IN (\"*E3514235-4B06-11D1-AB04-00C04FC2DCD2/*\",\"*GC/*\")| stats min(_time) as _time latest(ServicePrincipalNames) as ServicePrincipalNames,values(signature) as signature, values(src_user) as src_user, values(user) as user by Logon_ID, dvc| where src_user=user| rename Logon_ID as TargetLogonId, user as dest | appendpipe [| map search=\"search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$\" | fields - dest, dvc, signature]| stats min(_time) as _time, values(TargetUserSid) as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user, values(status) as status, values(src_category) as src_category, values(src_ip) as src_ip values(ServicePrincipalNames) as ServicePrincipalNames values(signature) as signature values(dest) as dest values(dvc) as dvc by TargetLogonId | eval dest=trim(dest,\"$\") | `windows_ad_domain_controller_promotion_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting eventcode `4742`. The Advanced Security Audit policy setting `Audit Computer Account Management` within `Account Management` needs to be enabled.", "known_false_positives": "None.", "references": ["https://attack.mitre.org/techniques/T1207/"], "tags": {"name": "Windows AD Domain Controller Promotion", "analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "AD Domain Controller Promotion Event Detected for $dest$", "mitre_attack_id": ["T1207"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ServicePrincipalNames", "src_user", "user", "Logon_ID", "dvc"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1207", "mitre_attack_technique": "Rogue Domain Controller", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1207/dc_promo/windows-security-xml.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_domain_controller_promotion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_ad_domain_controller_promotion.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows AD Domain Replication ACL Addition", "id": "8c372853-f459-4995-afdc-280c114d33ab", "version": 1, "date": "2022-11-18", "author": "Dean Luxton", "type": "TTP", "status": "experimental", "description": "This analytic detects the addition of the permissions necessary to perform a DCSync attack. In order to replicate AD objects, the initiating user or computer must have the following permissions on the domain. - DS-Replication-Get-Changes - DS-Replication-Get-Changes-All Certain Sync operations may require the additional permission of DS-Replication-Get-Changes-In-Filtered-Set. By default, adding DCSync permissions via the Powerview Add-ObjectACL operation adds all 3. This alert identifies where this trifecta has been met, and also where just the base level requirements have been met.", "data_source": [], "search": "`wineventlog_security` | rex field=AttributeValue max_match=10000 \\\"OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;(?PS-1-[0-59]-\\d{2}-\\d{8,10}-\\d{8,10}-\\d{8,10}-[1-9]\\d{3})\\)\\\"| table _time dest src_user DSRGetChanges_user_sid DSRGetChangesAll_user_sid DSRGetChangesFiltered_user_sid| mvexpand DSRGetChanges_user_sid| eval minDCSyncPermissions=if(DSRGetChanges_user_sid=DSRGetChangesAll_user_sid,\\\"true\\\",\\\"false\\\"), fullSet=if(DSRGetChanges_user_sid=DSRGetChangesAll_user_sid AND DSRGetChanges_user_sid=DSRGetChangesFiltered_user_sid,\\\"true\\\",\\\"false\\\")| where minDCSyncPermissions=\\\"true\\\" | lookup identity_lookup_expanded objectSid as DSRGetChanges_user_sid OUTPUT sAMAccountName as user | rename DSRGetChanges_user_sid as userSid | stats min(_time) as _time values(user) as user by dest src_user userSid minDCSyncPermissions fullSet| `windows_ad_domain_replication_acl_addition_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting the eventcode 5136. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled, alongside a SACL for `everybody` to `Write All Properties` applied to the domain root and all descendant objects. Once the necessary logging has been enabled, enumerate the domain policy to verify if existing accounts with access need to be whitelisted, or revoked. Assets and Identities is also leveraged to automatically translate the objectSid into username. Ensure your identities lookup is configured with the sAMAccountName and objectSid of all AD user and computer objects.", "known_false_positives": "When there is a change to nTSecurityDescriptor, Windows logs the entire ACL with the newly added components. If existing accounts are present with this permission, they will raise an alert each time the nTSecurityDescriptor is updated unless whitelisted.", "references": ["https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/1522b774-6464-41a3-87a5-1e5633c3fbbb", "https://github.com/SigmaHQ/sigma/blob/29a5c62784faf986dc03952ae3e90e3df3294284/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml"], "tags": {"name": "Windows AD Domain Replication ACL Addition", "analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "$src_user$ has granted $user$ permission to replicate AD objects", "mitre_attack_id": ["T1484"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "src_user", "AttributeLDAPDisplayName", "AttributeValue", "ObjectClass"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "manual_test": "This search uses a lookup provided by Enterprise Security and needs to be manually tested.", "mitre_attack_enrichments": [{"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484/aclmodification/windows-security-xml.log", "source": "XmlWinEventLog:Security", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Change"], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_domain_replication_acl_addition_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_ad_domain_replication_acl_addition.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows AD DSRM Account Changes", "id": "08cb291e-ea77-48e8-a95a-0799319bf056", "version": 1, "date": "2022-09-08", "author": "Dean Luxton", "type": "TTP", "status": "production", "description": "Aside from being used to promote genuine domain controllers, the DSRM (Directory Services Restore Mode) account can be used to persist within a Domain. A DC can be configured to allow the DSRM account to logon & be used in the same way as a local administrator account. This detection is looking for alterations to the behaviour of the account via registry.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` min(_time) as _time from datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\DSRMAdminLogonBehavior\" Registry.registry_value_data IN (\"*1\",\"*2\") by Registry.action Registry.registry_path Registry.registry_value_data Registry.registry_value_type Registry.process_guid | `drop_dm_object_name(Registry)` | join type=outer process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by Processes.user Processes.process_name Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)`] | table _time action dest user parent_process_name parent_process process_name process process_guid registry_path registry_value_data registry_value_type | `windows_ad_dsrm_account_changes_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "Disaster recovery events.", "references": ["https://adsecurity.org/?p=1714"], "tags": {"name": "Windows AD DSRM Account Changes", "analytic_story": ["Sneaky Active Directory Persistence Tricks", "Windows Registry Abuse", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Installation"], "message": "DSRM Account Changes Initiated on $dest$ by $user$", "mitre_attack_id": ["T1098"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_value_data", "Registry.registry_path", "Registry.dest", "Registry.user"], "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/dsrm_account/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_ad_dsrm_account_changes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_ad_dsrm_account_changes.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows AD DSRM Password Reset", "id": "d1ab841c-36a6-46cf-b50f-b2b04b31182a", "version": 1, "date": "2022-09-08", "author": "Dean Luxton", "type": "TTP", "status": "production", "description": "Aside from being used to promote genuine domain controllers, the DSRM (Directory Services Restore Mode) account can be used to persist within a Domain. A DC can be configured to allow the DSRM account to logon & be used in the same way as a local administrator account. This detection is looking for any password reset attempts against that account.", "data_source": ["Windows Security 4794"], "search": "| tstats `security_content_summariesonly` min(_time) as _time from datamodel=Change where All_Changes.result_id=\"4794\" AND All_Changes.result=\"An attempt was made to set the Directory Services Restore Mode administrator password\" by All_Changes.action, All_Changes.dest, All_Changes.src, All_Changes.user | `drop_dm_object_name(All_Changes)` | `windows_ad_dsrm_password_reset_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting eventcode `4794` and have the Advanced Security Audit policy `Audit User Account Management` within `Account Management` enabled.", "known_false_positives": "Resetting the DSRM password for legitamate reasons, i.e. forgot the password. Disaster recovery. Deploying AD backdoor deliberately.", "references": ["https://adsecurity.org/?p=1714"], "tags": {"name": "Windows AD DSRM Password Reset", "analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Installation"], "message": "DSRM Account Password was reset on $dest$ by $user$", "mitre_attack_id": ["T1098"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.result_id", "All_Changes.result", "All_Changes.action", "All_Changes.dest", "All_Changes.src", "All_Changes.user"], "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/dsrm_account/windows-security-xml.log", "source": "XmlWinEventLog:Security", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Change"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_ad_dsrm_password_reset_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_ad_dsrm_password_reset.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Windows AD Privileged Account SID History Addition", "id": "6b521149-b91c-43aa-ba97-c2cac59ec830", "version": 1, "date": "2022-09-12", "author": "Dean Luxton", "type": "TTP", "status": "production", "description": "This detection identifies when the SID of a privileged user is added to the SID History attribute of another user. Useful for tracking SID history abuse across multiple domains. This detection leverages the Asset and Identities framework. See the implementation section for further details on configuration.", "data_source": ["Windows Security 4742", "Windows Security 4738"], "search": "`wineventlog_security` (EventCode=4742 OR EventCode=4738) NOT SidHistory IN (\"%%1793\", -) | rex field=SidHistory \"(^%{|^)(?P.*?)(}$|$)\" | eval category=\"privileged\" | lookup identity_lookup_expanded category, identity as SidHistory OUTPUT identity_tag as match | where isnotnull(match) | rename TargetSid as userSid | table _time action status host user userSid SidHistory Logon_ID src_user | `windows_ad_privileged_account_sid_history_addition_filter`", "how_to_implement": "Ensure you have objectSid and the Down Level Logon Name `DOMAIN\\sAMACountName` added to the identity field of your Asset and Identities lookup, along with the category of privileged for the applicable users. Ensure you are ingesting eventcodes 4742 and 4738. Two advanced audit policies `Audit User Account Management` and `Audit Computer Account Management` under `Account Management` are required to generate these event codes.", "known_false_positives": "Migration of privileged accounts.", "references": ["https://adsecurity.org/?p=1772"], "tags": {"name": "Windows AD Privileged Account SID History Addition", "analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "A Privileged User Account SID History Attribute was added to $user$ by $src_user$", "mitre_attack_id": ["T1134.005", "T1134"], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "SidHistory", "TargetSid", "TargetDomainName", "user", "src_user", "Logon_ID"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "manual_test": "This search uses a lookup provided by Enterprise Security and needs to be manually tested.", "mitre_attack_enrichments": [{"mitre_attack_id": "T1134.005", "mitre_attack_technique": "SID-History Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1134.005/mimikatz/windows-security-xml.log", "source": "XmlWinEventLog:Security", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_privileged_account_sid_history_addition_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_ad_privileged_account_sid_history_addition.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows AD Replication Request Initiated by User Account", "id": "51307514-1236-49f6-8686-d46d93cc2821", "version": 1, "date": "2022-09-08", "author": "Dean Luxton", "type": "TTP", "status": "production", "description": "This alert was written to detect activity associated with the DCSync attack. When a domain controller receives a replication request, the user account permissions are validated, however no checks are performed to validate the request was initiated by a Domain Controller. Once an attacker gains control of an account with the necessary privileges, they can request password hashes for any or all users within the domain. This alert detects when a user account creates a handle to domainDNS with the necessary replication permissions.", "data_source": ["Windows Security 4662"], "search": "`wineventlog_security` EventCode=4662 ObjectType IN (\"%{19195a5b-6da0-11d0-afd3-00c04fd930c9}\", \"domainDNS\") AND Properties IN (\"*Replicating Directory Changes All*\", \"*{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}*\", \"*{9923a32a-3607-11d2-b9be-0000f87a36b2}*\",\"*{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}*\") AND AccessMask=\"0x100\" AND NOT (SubjectUserSid=\"NT AUT*\" OR SubjectUserSid=\"S-1-5-18\" OR SubjectDomainName=\"Window Manager\" OR SubjectUserName=\"*$\") | stats min(_time) as _time, count by SubjectDomainName, SubjectUserName, Computer, Logon_ID, ObjectName, ObjectServer, ObjectType, OperationType, status | rename SubjectDomainName as Target_Domain, SubjectUserName as user, Logon_ID as TargetLogonId, _time as attack_time | appendpipe [| map search=\"search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$\"] | table attack_time, AuthenticationPackageName, LogonProcessName, LogonType, TargetUserSid, Target_Domain, user, Computer, TargetLogonId, status, src_ip, src_category, ObjectName, ObjectServer, ObjectType, OperationType | stats min(attack_time) as _time values(TargetUserSid) as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user, values(Computer) as Computer, values(status) as status, values(src_category) as src_category, values(src_ip) as src_ip by TargetLogonId | `windows_ad_replication_request_initiated_by_user_account_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting eventcode `4662`. The Advanced Security Audit policy settings `Audit Directory Services Access` within `DS Access` needs to be enabled, as well as the following SACLs applied to the domain root and all descendant objects. The principals `everybody`, `Domain Computers`, and `Domain Controllers` auditing the permissions `Replicating Directory Changes`, `Replicating Directory Changes All`, and `Replicating Directory Changes In Filtered Set`", "known_false_positives": "Azure AD Connect syncing operations.", "references": ["https://adsecurity.org/?p=1729", "https://www.linkedin.com/pulse/mimikatz-dcsync-event-log-detections-john-dwyer", "https://github.com/SigmaHQ/sigma/blob/0.22-699-g29a5c6278/rules/windows/builtin/security/win_security_dcsync.yml"], "tags": {"name": "Windows AD Replication Request Initiated by User Account", "analytic_story": ["Sneaky Active Directory Persistence Tricks", "Credential Dumping"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "Windows Active Directory Replication Request Initiated by User Account $user$ at $src_ip$", "mitre_attack_id": ["T1003.006", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ObjectType", "Properties", "AccessMask", "SubjectDomainName", "SubjectUserName", "SubjectUserSid", "Computer", "Logon_ID", "ObjectName", "ObjectServer", "ObjectType", "OperationType", "status"], "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.006", "mitre_attack_technique": "DCSync", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Earth Lusca", "LAPSUS$"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.006/impacket/windows-security-xml.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": ["Authentication", "Change"], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_replication_request_initiated_by_user_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows AD Replication Request Initiated from Unsanctioned Location", "id": "50998483-bb15-457b-a870-965080d9e3d3", "version": 1, "date": "2022-11-17", "author": "Dean Luxton", "type": "TTP", "status": "production", "description": "This alert was written to detect activity associated with the DCSync attack performed by computer accounts. When a domain controller receives a replication request, the account permissions are validated, however no checks are performed to validate the request was initiated by a Domain Controller. Once an attacker gains control of an account with the necessary privileges, they can request password hashes for any or all users within the domain. This alert detects when a computer account account creates a handle to domainDNS with the necessary replication permissions. These requests are then filtered to exclude where the events originate from a known domain controller IP address.", "data_source": ["Windows Security 4662", "Windows Security 4624"], "search": "`wineventlog_security` EventCode=4662 ObjectType IN (\"%{19195a5b-6da0-11d0-afd3-00c04fd930c9}\", \"domainDNS\") AND Properties IN (\"*Replicating Directory Changes All*\", \"*{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}*\", \"*{9923a32a-3607-11d2-b9be-0000f87a36b2}*\",\"*{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}*\") AND AccessMask=\"0x100\" AND (SubjectUserSid=\"NT AUT*\" OR SubjectUserSid=\"S-1-5-18\" OR SubjectDomainName=\"Window Manager\" OR SubjectUserName=\"*$\") | stats min(_time) as attack_time, count by SubjectDomainName, SubjectUserName, Computer, Logon_ID, ObjectName, ObjectServer, ObjectType, OperationType, status | rename SubjectDomainName as Target_Domain, SubjectUserName as user, Logon_ID as TargetLogonId | appendpipe [| map search=\"search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$\"] | table attack_time, AuthenticationPackageName, LogonProcessName, LogonType, TargetUserSid, Target_Domain, user, Computer, TargetLogonId, status, src_ip, src_category, ObjectName, ObjectServer, ObjectType, OperationType | stats min(attack_time) as _time, values(TargetUserSid) as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user, values(Computer) as Computer, values(status) as status, values(src_category) as src_category, values(src_ip) as src_ip by TargetLogonId | search NOT src_category=\"domain_controller\" | `windows_ad_replication_request_initiated_from_unsanctioned_location_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting eventcode `4662`. The Advanced Security Audit policy settings `Audit Directory Services Access` within `DS Access` needs to be enabled, as well as the following SACLs applied to the domain root and all descendant objects. The principals `everybody`, `Domain Computers`, and `Domain Controllers` auditing the permissions `Replicating Directory Changes`, `Replicating Directory Changes All`, and `Replicating Directory Changes In Filtered Set` Assets and Identities will also need to be configured, with the category of domain_controller added for domain controllers.", "known_false_positives": "Genuine DC promotion may trigger this alert.", "references": ["https://adsecurity.org/?p=1729", "https://www.linkedin.com/pulse/mimikatz-dcsync-event-log-detections-john-dwyer", "https://github.com/SigmaHQ/sigma/blob/0.22-699-g29a5c6278/rules/windows/builtin/security/win_security_dcsync.yml"], "tags": {"name": "Windows AD Replication Request Initiated from Unsanctioned Location", "analytic_story": ["Sneaky Active Directory Persistence Tricks", "Credential Dumping"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "Windows Active Directory Replication Request Initiated from Unsanctioned Location $src_ip$ by $user$", "mitre_attack_id": ["T1003.006", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ObjectType", "Properties", "AccessMask", "SubjectDomainName", "SubjectUserName", "SubjectUserSid", "Computer", "Logon_ID", "ObjectName", "ObjectServer", "ObjectType", "OperationType", "status"], "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.006", "mitre_attack_technique": "DCSync", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Earth Lusca", "LAPSUS$"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.006/impacket/windows-security-xml.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": ["Authentication", "Change"], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_replication_request_initiated_from_unsanctioned_location_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows AD Same Domain SID History Addition", "id": "5fde0b7c-df7a-40b1-9b3a-294c00f0289d", "version": 2, "date": "2022-09-09", "author": "Dean Luxton", "type": "TTP", "status": "production", "description": "The following analytic looks for changes to the sIDHistory AD attribute of user or computer objects which exist within the same domain. The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries to stealthily grant access to a backdoor account within the same domain. This analytic was written to pick up on activity via Mimikatz sid::patch. Please note there are additional avenues to abuse SID history such as DCShadow & Golden / Diamond tickets which won't be detected using these event codes.", "data_source": ["Windows Security 4742", "Windows Security 4738"], "search": "`wineventlog_security` (EventCode=4742 OR EventCode=4738) NOT SidHistory IN (\"%%1793\", -) | rex field=SidHistory \"(^%{|^)(?P.*)(\\-|\\\\\\)\" | rex field=TargetSid \"^(?P.*)(\\-|\\\\\\)\" | where SidHistoryMatch=TargetSidmatch OR SidHistoryMatch=TargetDomainName | rename TargetSid as userSid, TargetDomainName as userDomainName | table _time action status host user userSid userDomainName SidHistory Logon_ID src_user | `windows_ad_same_domain_sid_history_addition_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting eventcodes `4738` and `4742`. The Advanced Security Audit policy settings `Audit User Account Management` and `Audit Computer Account Management` within `Account Management` all need to be enabled. SID resolution is not required..", "known_false_positives": "Unknown", "references": ["https://adsecurity.org/?p=1772", "https://learn.microsoft.com/en-us/windows/win32/adschema/a-sidhistory?redirectedfrom=MSDN", "https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-sid-history-attribute", "https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/sid-history-injection"], "tags": {"name": "Windows AD Same Domain SID History Addition", "analytic_story": ["Sneaky Active Directory Persistence Tricks", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "Active Directory SID History Attribute was added to $user$ by $src_user$", "mitre_attack_id": ["T1134.005", "T1134"], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "SidHistory", "TargetSid", "TargetDomainName", "user", "src_user", "Logon_ID"], "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1134.005", "mitre_attack_technique": "SID-History Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1134.005/mimikatz/windows-security-xml.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_same_domain_sid_history_addition_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_ad_same_domain_sid_history_addition.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows AD ServicePrincipalName Added To Domain Account", "id": "8a1259cb-0ea7-409c-8bfe-74bad89259f9", "version": 1, "date": "2022-11-17", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the addition of a Service Principal Name to a domain account. While this event may be part of a legitimate action part of certain administrative operations, it may also be evidence of a persistence attack. Domain accounts with Servce Principal Names are vulnerable to a technique called Kerberoasting that enables attackers to potentially obtain the cleartext password of the account by performing offline cracking. An adversary who has obtained privileged access to a domain environment may add an SPN to a privileged account to then leverage the Kerberoasting technique and attempt to obtain its clertext password.", "data_source": ["Windows Security 5136"], "search": " `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName OperationType=\"%%14674\" | stats values(ObjectDN) by _time, Computer, SubjectUserName, AttributeValue | `windows_ad_serviceprincipalname_added_to_domain_account_filter`", "how_to_implement": "To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for AD objects in order to ingest attribute modifications.", "known_false_positives": "A Service Principal Name should only be added to an account when an application requires it. While infrequent, this detection may trigger on legitimate actions. Filter as needed.", "references": ["https://adsecurity.org/?p=3466", "https://www.thehacker.recipes/ad/movement/dacl/targeted-kerberoasting", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting"], "tags": {"name": "Windows AD ServicePrincipalName Added To Domain Account", "analytic_story": ["https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/service_principal_name_added/windows-security.log"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Installation"], "message": "A Servince Principal Name for $ObjectDN$ was set by $SubjectUserName$", "mitre_attack_id": ["T1098"], "nist": ["DE.CM"], "observable": [{"name": "SubjectUserName", "type": "User", "role": ["Attacker"]}, {"name": "ObjectDN", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ObjectDN", "signature", "SubjectUserName", "Computer"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/service_principal_name_added/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_serviceprincipalname_added_to_domain_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows AD Short Lived Domain Account ServicePrincipalName", "id": "b681977c-d90c-4efc-81a5-c58f945fb541", "version": 1, "date": "2022-11-18", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the addition of a Service Principal Name to a domain account that is quickly deleted within 5 minutes or less. While this event may be part of a legitimate action part of certain administrative operations, it may also be evidence of a persistence attack. Domain accounts with Service Principal Names are vulnerable to a technique called Kerberoasting that enables attackers to potentially obtain the cleartext password of the account by performing offline cracking. An adversary who has obtained privileged access to a domain environment may add an SPN to a privileged account to then leverage the Kerberoasting technique and attempt to obtain its clertext password. To clean things up, the adversary may delete the SPN which will trigger this detection.", "data_source": ["Windows Security 5136"], "search": " `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName | transaction ObjectDN AttributeValue startswith=(EventCode=5136 OperationType=\"%%14674\") endswith=(EventCode=5136 OperationType=\"%%14675\") | eval short_lived=case((duration<300),\"TRUE\") | search short_lived = TRUE | `windows_ad_short_lived_domain_account_serviceprincipalname_filter`", "how_to_implement": "To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for AD objects in order to ingest attribute modifications.", "known_false_positives": "A Service Principal Name should only be added to an account when an application requires it. Adding an SPN and quickly deleting it is less common but may be part of legitimate action. Filter as needed.", "references": ["https://adsecurity.org/?p=3466", "https://www.thehacker.recipes/ad/movement/dacl/targeted-kerberoasting", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting"], "tags": {"name": "Windows AD Short Lived Domain Account ServicePrincipalName", "analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Installation"], "message": "A Servince Principal Name for $ObjectDN$ was set and shortly deleted", "mitre_attack_id": ["T1098"], "nist": ["DE.CM"], "observable": [{"name": "SubjectUserName", "type": "User", "role": ["Attacker"]}, {"name": "ObjectDN", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ObjectDN", "signature", "SubjectUserName", "Computer"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/short_lived_service_principal_name/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_short_lived_domain_account_serviceprincipalname_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_ad_short_lived_domain_account_serviceprincipalname.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows AD Short Lived Domain Controller SPN Attribute", "id": "57e27f27-369c-4df8-af08-e8c7ee8373d4", "version": 2, "date": "2022-09-02", "author": "Dean Luxton", "type": "TTP", "status": "production", "description": "The following analytic identifies when either a global catalog SPN or a DRS RPC SPN are temporarily added to an Active Directory computer object, both of which can be evidence of a DCShadow attack. DCShadow allows an attacker who has obtained privileged access to register a rogue Domain Controller (DC). Once registered, the rogue DC may be able to inject and replicate changes into the AD infrastructure for any domain object, including credentials and keys. This technique was initially released in 2018 by security researchers Benjamin Delpy and Vincent Le Toux. No event logs are written for changes to AD attributes, allowing for stealthy backdoors to be implanted in the domain, or metadata such as timestamps overwritten to cover tracks.", "data_source": ["Windows Security 5136", "Windows Security 4624"], "search": "`wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName (AttributeValue=\"GC/*\" OR AttributeValue=\"E3514235-4B06-11D1-AB04-00C04FC2DCD2/*\") | stats min(_time) as _time range(_time) as duration values(OperationType) as OperationType values(src_nt_domain) as src_nt_domain values(src_user) as src_user values(Computer) as Computer, values(ObjectDN) as ObjectDN by Logon_ID | eval short_lived=case((duration<30),\"TRUE\") | where short_lived=\"TRUE\" AND mvcount(OperationType)>1 | replace \"%%14674\" with \"Value Added\", \"%%14675\" with \"Value Deleted\" in OperationType | rename Logon_ID as TargetLogonId | appendpipe [| map search=\"search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$\"] | stats min(_time) as _time, values(TargetUserSid) as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user, values(Computer) as Computer, values(status) as status, values(src_category) as src_category, values(src_ip) as src_ip values(ObjectDN) as ObjectDN values(OperationType) as OperationType by TargetLogonId | `windows_ad_short_lived_domain_controller_spn_attribute_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled, alongside a SACL for `everybody` to `Write All Properties` applied to the domain root and all descendant objects.", "known_false_positives": "None.", "references": ["https://www.dcshadow.com/", "https://blog.netwrix.com/2022/09/28/dcshadow_attack/", "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", "https://attack.mitre.org/techniques/T1207/", "https://blog.alsid.eu/dcshadow-explained-4510f52fc19d"], "tags": {"name": "Windows AD Short Lived Domain Controller SPN Attribute", "analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "Short Lived Domain Controller SPN AD Attribute Triggered by $user$ from $src_ip$", "mitre_attack_id": ["T1207"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "AttributeLDAPDisplayName", "AttributeValue", "src_nt_domain", "src_user", "Computer", "ObjectDN", "Logon_ID", "signature"], "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1207", "mitre_attack_technique": "Rogue Domain Controller", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1207/mimikatz/windows-security-xml.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_short_lived_domain_controller_spn_attribute_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_ad_short_lived_domain_controller_spn_attribute.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows AD Short Lived Server Object", "id": "193769d3-1e33-43a9-970e-ad4a88256cdb", "version": 1, "date": "2022-10-17", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a change in an Active Directory environment that could represent evidence of the DCShadow attack. DCShadow allows an attacker who has obtained privileged access to register a rogue Domain Controller (DC). Once registered, the rogue DC may be able to inject and replicate changes in the AD infrastructure for any domain object, including credentials and keys. This technique was initially released in 2018 by security researchers Benjamin Delpy and Vincent Le Toux. Specifically, the detection will trigger when a possible rogue Domain Controller computer object is created and quickly deleted within 30 seconds or less in an Active Directory domain. This behavior was identfied by simulating the DCShadow attack with Mimikatz.", "data_source": ["Windows Security 5137", "Windows Security 5141"], "search": " `wineventlog_security` EventCode=5137 OR EventCode=5141 ObjectDN=\"*CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration*\" | transaction ObjectDN startswith=(EventCode=5137) endswith=(EventCode=5141) | eval short_lived=case((duration<30),\"TRUE\") | search short_lived = TRUE | stats values(ObjectDN) values(signature) values(EventCode) by _time, Computer, SubjectUserName | `windows_ad_short_lived_server_object_filter`", "how_to_implement": "To successfully implement this search, you ned to be ingesting Event codes `5137` and `5141`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. For these event codes to be generated, specific SACLs are required.", "known_false_positives": "Creating and deleting a server object within 30 seconds or less is unusual but not impossible in a production environment. Filter as needed.", "references": ["https://www.dcshadow.com/", "https://attack.mitre.org/techniques/T1207/", "https://stealthbits.com/blog/detecting-dcshadow-with-event-logs/", "https://pentestlab.blog/2018/04/16/dcshadow/", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5137", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5141"], "tags": {"name": "Windows AD Short Lived Server Object", "analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "Potential DCShadow Attack Detected on $Computer$", "mitre_attack_id": ["T1207"], "nist": ["DE.CM"], "observable": [{"name": "SubjectUserName", "type": "User", "role": ["Attacker"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ObjectDN", "signature", "SubjectUserName", "Computer"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1207", "mitre_attack_technique": "Rogue Domain Controller", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1207/short_lived_server_object/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_short_lived_server_object_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_ad_short_lived_server_object.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows AD SID History Attribute Modified", "id": "1155e47d-307f-4247-beab-71071e3a458c", "version": 1, "date": "2022-11-16", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic leverages event code `5136` to identify a modification of the SID History AD attribute. The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries to stealthily grant access to a backdoor account within the same domain.", "data_source": ["Windows Security 5136"], "search": " `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=sIDHistory OperationType=\"%%14674\" | stats values(ObjectDN) by _time, Computer, SubjectUserName, AttributeValue | `windows_ad_sid_history_attribute_modified_filter`", "how_to_implement": "To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for AD objects in order to ingest attribute modifications.", "known_false_positives": "Domain mergers and migrations may generate large volumes of false positives for this analytic.", "references": ["https://adsecurity.org/?p=1772", "https://learn.microsoft.com/en-us/windows/win32/adschema/a-sidhistory?redirectedfrom=MSDN", "https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-sid-history-attribute", "https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/sid-history-injection"], "tags": {"name": "Windows AD SID History Attribute Modified", "analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "SID History AD attribute modified by $SubjectUserName$ for $ObjectDN$", "mitre_attack_id": ["T1134", "T1134.005"], "nist": ["DE.CM"], "observable": [{"name": "SubjectUserName", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "AttributeLDAPDisplayName", "OperationType=", "ObjectDN", "Computer", "SubjectUserName", "AttributeValue"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1134.005", "mitre_attack_technique": "SID-History Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1134.005/sid_history2/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_sid_history_attribute_modified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_ad_sid_history_attribute_modified.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows AdFind Exe", "id": "bd3b0187-189b-46c0-be45-f52da2bae67f", "version": 3, "date": "2023-05-15", "author": "Jose Hernandez, Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "This search looks for the execution of `adfind.exe` with command-line arguments that it uses by default specifically the filter or search functions. It also considers the arguments necessary like objectcategory, see readme for more details: https://www.joeware.net/freetools/tools/adfind/usage.htm. AdFind.exe is a powerful tool that is commonly used for querying and retrieving information from Active Directory (AD). While it is primarily designed for AD administration and management, it has been seen used before by Wizard Spider, FIN6 and actors whom also launched SUNBURST.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process=\"* -f *\" OR Processes.process=\"* -b *\") AND (Processes.process=*objectcategory* OR Processes.process=\"* -gcb *\" OR Processes.process=\"* -sc *\") by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_adfind_exe_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "ADfind is a command-line tool for AD administration and management that is seen to be leveraged by various adversaries. Filter out legitimate administrator usage using the filter macro.", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://www.mandiant.com/resources/a-nasty-trick-from-credential-theft-malware-to-business-disruption", "https://www.joeware.net/freetools/tools/adfind/index.htm", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"name": "Windows AdFind Exe", "analytic_story": ["NOBELIUM Group", "Domain Trust Discovery", "IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Windows AdFind Exe", "mitre_attack_id": ["T1018"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.dest", "Processes.user", "Processes.process_name", "Processes.parent_process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_adfind_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_adfind_exe.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Administrative Shares Accessed On Multiple Hosts", "id": "d92f2d95-05fb-48a7-910f-4d3d61ab8655", "version": 1, "date": "2023-03-23", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic leverages Event IDs 5140 or 5145 to identify a source computer accessing windows administrative shares (C$, Admin$ and IPC$ ) across a large number remote endpoints. Specifically, the logic will trigger when a source endpoint accesses administrative shares across 30 or more target computers within a 5 minute timespan. This behavior could represent an adversary who is enumerating network shares across an Active Directory environment in the search for sensitive files, a common technique leveraged by red teamers and threat actors. As environments differ across organizations, security teams should customize the thresholds of this detection as needed.", "data_source": [], "search": " `wineventlog_security` EventCode=5140 OR EventCode=5145 (ShareName=\"\\\\\\\\*\\\\ADMIN$\" OR ShareName=\"\\\\\\\\*\\\\IPC$\" OR ShareName=\"\\\\\\\\*\\\\C$\") | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as host_targets values(ShareName) as shares by _time, IpAddress, SubjectUserName, EventCode | where unique_targets > 30 | `windows_administrative_shares_accessed_on_multiple_hosts_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting file share events. The Advanced Security Audit policy setting `Audit Detailed File Share` or `Audit File Share` within `Object Access` need to be enabled.", "known_false_positives": "An single endpoint accessing windows administrative shares across a large number of endpoints is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems.", "references": ["https://attack.mitre.org/techniques/T1135/", "https://en.wikipedia.org/wiki/Administrative_share", "https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5140", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145"], "tags": {"name": "Windows Administrative Shares Accessed On Multiple Hosts", "analytic_story": ["Active Directory Privilege Escalation", "Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "$IpAddress$ accessed the IPC share on more than 30 endpoints in a timespan of 5 minutes.", "mitre_attack_id": ["T1135"], "nist": ["DE.CM"], "observable": [{"name": "host_targets", "type": "Endpoint", "role": ["Victim"]}, {"name": "IpAddress", "type": "Endpoint", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ShareName", "Computer", "IpAddress", "SubjectUserName"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/ipc_share_accessed/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_administrative_shares_accessed_on_multiple_hosts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_administrative_shares_accessed_on_multiple_hosts.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Admon Default Group Policy Object Modified", "id": "83458004-db60-4170-857d-8572f16f070b", "version": 1, "date": "2023-03-29", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic leverages Splunks Admon to identify the modification of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment. The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the modification of the default GPOs.", "data_source": [], "search": " `admon` admonEventType=Update objectCategory=\"CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*\" (displayName=\"Default Domain Policy\" OR displayName=\"Default Domain Controllers Policy\") | stats min(_time) as firstTime max(_time) as lastTime values(gPCFileSysPath) by dcName, displayName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_admon_default_group_policy_object_modified_filter`", "how_to_implement": "To successfully implement this search, you need to be monitoring Active Directory logs using Admon. Details can be found here https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory", "known_false_positives": "The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed.", "references": ["https://attack.mitre.org/techniques/T1484/", "https://attack.mitre.org/techniques/T1484/001", "https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/", "https://adsecurity.org/?p=2716", "https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory"], "tags": {"name": "Windows Admon Default Group Policy Object Modified", "analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "A default domain group policy was updated on $dcName$", "mitre_attack_id": ["T1484", "T1484.001"], "nist": ["DE.CM"], "observable": [{"name": "dcName", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "admonEventType", "objectCategory", "displayName", "gPCFileSysPath", "dcName"], "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1484.001", "mitre_attack_technique": "Group Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Indrik Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/default_domain_policy_modified/windows-security.log", "source": "ActiveDirectory", "sourcetype": "ActiveDirectory"}]}], "datamodel": [], "macros": [{"name": "admon", "definition": "source=ActiveDirectory", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_admon_default_group_policy_object_modified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_admon_default_group_policy_object_modified.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Windows Admon Group Policy Object Created", "id": "69201633-30d9-48ef-b1b6-e680805f0582", "version": 1, "date": "2023-04-06", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic leverages Splunks Admon to identify the creation of a new Group Policy Object. With GPOs, system administrators can manage and configure applications, software operations, and user settings throughout an entire organization. GPOs can be abused and leveraged by adversaries to escalate privileges or deploy malware across an Active Directory network. As an example, the Lockbit ransomware malware will create new group policies on the domain controller that are then pushed out to every device on the network. Security teams should monitor the creation of new Group Policy Objects.", "data_source": [], "search": " `admon` admonEventType=Update objectCategory=\"CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*\" versionNumber=0 displayName!=\"New Group Policy Object\" | stats min(_time) as firstTime max(_time) as lastTime values(gPCFileSysPath) by dcName, displayName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_admon_group_policy_object_created_filter`", "how_to_implement": "To successfully implement this search, you need to be monitoring Active Directory logs using Admon. Details can be found here https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory", "known_false_positives": "Group Policy Objects are created as part of regular administrative operations, filter as needed.", "references": ["https://attack.mitre.org/techniques/T1484/", "https://attack.mitre.org/techniques/T1484/001", "https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/", "https://adsecurity.org/?p=2716", "https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory"], "tags": {"name": "Windows Admon Group Policy Object Created", "analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "A new group policy objected was created on $dcName$", "mitre_attack_id": ["T1484", "T1484.001"], "nist": ["DE.CM"], "observable": [{"name": "dcName", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "admonEventType", "objectCategory", "displayName", "gPCFileSysPath", "dcName"], "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1484.001", "mitre_attack_technique": "Group Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Indrik Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_created/windows-admon.log", "source": "ActiveDirectory", "sourcetype": "ActiveDirectory"}]}], "datamodel": [], "macros": [{"name": "admon", "definition": "source=ActiveDirectory", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_admon_group_policy_object_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_admon_group_policy_object_created.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Windows Apache Benchmark Binary", "id": "894f48ea-8d85-4dcd-9132-c66cdb407c9b", "version": 1, "date": "2022-11-21", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a default behavior of a MetaSploit payload. MetaSploit uses Apache Benchmark to generate payloads. The payloads contain standard artifacts including \"Apache Benchmark\" and the original file name is always ab.exe. During triage, review the process and it's path. It is possible network connections spawned from it. Review parallel processes for further behaviors.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.original_file_name=ab.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_apache_benchmark_binary_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited as there is a small subset of binaries that contain the original file name of ab.exe. Filter as needed.", "references": ["https://seclists.org/metasploit/2013/q3/13"], "tags": {"name": "Windows Apache Benchmark Binary", "analytic_story": ["MetaSploit"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Installation"], "message": "A known MetaSploit default payload has been identified on $dest$ ran by $user$, $parent_process_name$ spawning $process_name$.", "mitre_attack_id": ["T1059"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/metasploit/apachebench_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_apache_benchmark_binary_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_apache_benchmark_binary.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows App Layer Protocol Qakbot NamedPipe", "id": "63a2c15e-9448-43c5-a4a8-9852266aaada", "version": 1, "date": "2022-11-10", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a suspicious process creating or connecting to a possible Qakbot named pipe . This technique was seen in Qakbot malware that creates named pipe after injecting its code in legitimate process to communicate on other process that also has an injected code to steal information on the compromised host. This Anomaly detection can be a good pivot for possible Qakbot infection. This detection looks for possible random generated named pipe (in GUID form) created by known process being abused by Qakbot.", "data_source": [], "search": "`sysmon` EventCode IN (17, 18) EventType IN ( \"CreatePipe\", \"ConnectPipe\") Image IN (\"*\\\\calc.exe\", \"*\\\\notepad.exe\", \"*\\\\rdpclip.exe\", \"*\\\\explorer.exe\", \"*\\\\wermgr.exe\", \"*\\\\ping.exe\", \"*\\\\OneDriveSetup.exe\", \"*\\\\dxdiag.exe\", \"*\\\\mobsync.exe\", \"*\\\\msra.exe\", \"*\\\\xwizard.exe\") | regex PipeName=\"^\\\\\\{[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{8}\" | stats min(_time) as firstTime max(_time) as lastTime count by Image EventType ProcessGuid ProcessId PipeName SecurityID EventCode Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_app_layer_protocol_qakbot_namedpipe_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, pipename, processguid and named pipe event type from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "references": ["https://strontic.github.io/xcyclopedia/library/wermgr.exe-0F652BF7ADA772981E8AAB0D108FCC92.html", "https://www.trellix.com/en-us/about/newsroom/stories/research/demystifying-qbot-malware.html", "https://www.elastic.co/security-labs/qbot-malware-analysis"], "tags": {"name": "Windows App Layer Protocol Qakbot NamedPipe", "analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Command And Control"], "message": "$Image$ is creating or connecting to a named pipe $PipeName$ in $Computer$", "mitre_attack_id": ["T1071"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "EventType", "ProcessGuid", "ProcessId", "PipeName", "Computer", "UserID", "SecurityID"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Dragonfly", "Magic Hound", "Rocke", "TeamTNT"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_app_layer_protocol_qakbot_namedpipe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_app_layer_protocol_qakbot_namedpipe.yml", "source": "endpoint"}, {"name": "Windows App Layer Protocol Wermgr Connect To NamedPipe", "id": "2f3a4092-548b-421c-9caa-84918e1787ef", "version": 1, "date": "2022-10-28", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a suspicious wermgr.exe process creating or connecting to a named pipe. Wermgr.exe is part of Windows OS Problem reporting application responsible for reporting problems, fault or error happen on the Windows OS. This file is being abused by several Threat actors and malware such as Trickbot and Qakbot to execute their malicious code. This anomaly detection can be a good pivot on possible wermgr.exe processes having injected malicious code that might be related to qakbot infection that communicates via named pipe.", "data_source": [], "search": "`sysmon` EventCode IN (17, 18) Image= \"*\\\\wermgr.exe\" EventType IN ( \"CreatePipe\", \"ConnectPipe\") | stats min(_time) as firstTime max(_time) as lastTime count by Image EventType ProcessGuid ProcessId PipeName SecurityID EventCode Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_app_layer_protocol_wermgr_connect_to_namedpipe_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, pipename, processguid and named pipe event type from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "references": ["https://strontic.github.io/xcyclopedia/library/wermgr.exe-0F652BF7ADA772981E8AAB0D108FCC92.html", "https://www.trellix.com/en-us/about/newsroom/stories/research/demystifying-qbot-malware.html"], "tags": {"name": "Windows App Layer Protocol Wermgr Connect To NamedPipe", "analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Command And Control"], "message": "wermgr.exe process is creating or connecting to a named pipe $PipeName$ in $Computer$", "mitre_attack_id": ["T1071"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "EventType", "ProcessGuid", "ProcessId", "PipeName", "Computer", "UserID", "SecurityID"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Dragonfly", "Magic Hound", "Rocke", "TeamTNT"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_wermgr2/sysmon_wermgr2.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_app_layer_protocol_wermgr_connect_to_namedpipe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_app_layer_protocol_wermgr_connect_to_namedpipe.yml", "source": "endpoint"}, {"name": "Windows Application Layer Protocol RMS Radmin Tool Namedpipe", "id": "b62a6040-49f4-47c8-b3f6-fc1adb952a33", "version": 1, "date": "2022-06-24", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of default or publicly known named pipes used by RMX remote admin tool. A named pipe is a named, one-way or duplex pipe for communication between the pipe server and one or more pipe clients. RMX Tool uses named pipes in many way as part of its communication for its server and client component. This tool was abuse by several adversaries and malware like Azorult to collect data to the targeted host. This TTP is a good indicator that this tool was install in production premise and need to check if the user has a valid reason why it need to install this legitimate application.", "data_source": [], "search": "`sysmon` EventCode IN (17, 18) EventType IN ( \"CreatePipe\", \"ConnectPipe\") PipeName IN (\"\\\\RManFUSServerNotify32\", \"\\\\RManFUSCallbackNotify32\", \"\\\\RMSPrint*\") | stats min(_time) as firstTime max(_time) as lastTime count by Image EventType ProcessId PipeName Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_application_layer_protocol_rms_radmin_tool_namedpipe_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "False positives may be present. Filter based on pipe name or process.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/", "https://attack.mitre.org/techniques/T1071/"], "tags": {"name": "Windows Application Layer Protocol RMS Radmin Tool Namedpipe", "analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Command And Control"], "message": "possible RMS admin tool named pipe was created in $dest$", "mitre_attack_id": ["T1071"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "EventType", "ProcessId", "PipeName", "Computer", "UserID"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Dragonfly", "Magic Hound", "Rocke", "TeamTNT"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_application_layer_protocol_rms_radmin_tool_namedpipe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_application_layer_protocol_rms_radmin_tool_namedpipe.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Windows Autostart Execution LSASS Driver Registry Modification", "id": "57fb8656-141e-4d8a-9f51-62cff4ecb82a", "version": 1, "date": "2022-08-22", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the abuse of two undocumented registry keys that allow for a DLL to load into lsass.exe to potentially capture credentials. Upon successful modification of \\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt or \\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt, a DLL either remote or local will be set as the value and load up into lsass.exe. Based on POC code a text file may be written to disk with credentials.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path IN (\"*\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\DirectoryServiceExtPt\",\"*\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\LsaDbExtPt\") by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_autostart_execution_lsass_driver_registry_modification_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present on recent Windows Operating Systems. Filtering may be required based on process_name. In addition, look for non-standard, unsigned, module loads into LSASS. If query is too noisy, modify by adding Endpoint.processes process_name to query to identify the process making the modification.", "references": ["https://blog.xpnsec.com/exploring-mimikatz-part-1/", "https://github.com/oxfemale/LogonCredentialsSteal/tree/master/lsass_lib"], "tags": {"name": "Windows Autostart Execution LSASS Driver Registry Modification", "analytic_story": ["Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "The registry values for DirectoryServiceExtPt or LsaDbExtPt were modified on $dest$.", "mitre_attack_id": ["T1547.008"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.008", "mitre_attack_technique": "LSASS Driver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.008/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_autostart_execution_lsass_driver_registry_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Binary Proxy Execution Mavinject DLL Injection", "id": "ccf4b61b-1b26-4f2e-a089-f2009c569c57", "version": 1, "date": "2022-07-07", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "Adversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. Dynamic-link Library Injection), allowing for arbitrary code execution (ex. C:\\Windows\\system32\\mavinject.exe PID /INJECTRUNNING PATH_DLL). In addition to Dynamic-link Library Injection, Mavinject.exe can also be abused to perform import descriptor injection via its /HMODULE command-line parameter (ex. mavinject.exe PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would inject an import table entry consisting of the specified DLL into the module at the given base address. During triage, review file modifcations and parallel processes.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=mavinject.exe Processes.process IN (\"*injectrunning*\", \"*hmodule=0x*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_binary_proxy_execution_mavinject_dll_injection_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present, filter on DLL name or parent process.", "references": ["https://attack.mitre.org/techniques/T1218/013/", "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md#atomic-test-1---mavinject---inject-dll-into-running-process"], "tags": {"name": "Windows Binary Proxy Execution Mavinject DLL Injection", "analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting load a DLL.", "mitre_attack_id": ["T1218.013", "T1218"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.013", "mitre_attack_technique": "Mavinject", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.013/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_binary_proxy_execution_mavinject_dll_injection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Boot or Logon Autostart Execution In Startup Folder", "id": "99d157cb-923f-4a00-aee9-1f385412146f", "version": 1, "date": "2023-01-12", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic will identify suspicious files dropped or created in the Windows %startup% folder. This technique is a common way to gain persistence on a targeted host. Threat actor, adversaries and red teamer abuse this folder path to automatically execute their malicious sample upon boot or restart of the infected host. This TTP detection is a good indicator that a suspicious process wants to gain persistence on the targeted host. We suggest to verify the process name by using the process guid field, the file created and also the user and the computer name for further investigation.", "data_source": ["Sysmon Event ID 11"], "search": "|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path = \"*\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\" by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user Filesystem.file_path Filesystem.process_guid Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_boot_or_logon_autostart_execution_in_startup_folder_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "Administrators may allow creation of script or exe in this path.", "references": ["https://attack.mitre.org/techniques/T1204/002/", "https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia"], "tags": {"name": "Windows Boot or Logon Autostart Execution In Startup Folder", "analytic_story": ["Chaos Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "message": "a process dropped a file in %startup% folder in $dest$", "mitre_attack_id": ["T1547.001", "T1547"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.file_create_time", "Filesystem.process_id", "Filesystem.file_name", "Filesystem.user", "Filesystem.file_path", "Filesystem.process_guid", "Filesystem.dest"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/chaos_ransomware/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_boot_or_logon_autostart_execution_in_startup_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows BootLoader Inventory", "id": "4f7e3913-4db3-4ccd-afe4-31198982305d", "version": 1, "date": "2023-04-14", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "experimental", "description": "The following hunting query utilizes a PowerShell Scripted input that captures the bootloader paths for each Windows endpoint it is deployed to. The template inputs.conf is located in the references link. By default, it only captures the path, but may be modified to capture everything that BCDedit provides. It can be verbose, but may be worth it.", "data_source": [], "search": "`bootloader_inventory` | stats count min(_time) as firstTime max(_time) as lastTime values(_raw) by host | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_bootloader_inventory_filter`", "how_to_implement": "To implement this analytic, a new stanza will need to be added to a inputs.conf and deployed to all or some Windows endpoints. https://gist.github.com/MHaggis/26518cd2844b0e03de6126660bb45707 provides the stanza. If modifying the sourcetype, be sure to update the Macro for this analytic. Recommend running it daily, or weekly, depending on threat model.", "known_false_positives": "No false positives here, only bootloaders. Filter as needed or create a lookup as a baseline.", "references": ["https://gist.github.com/MHaggis/26518cd2844b0e03de6126660bb45707", "https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/"], "tags": {"name": "Windows BootLoader Inventory", "analytic_story": ["BlackLotus Campaign", "Windows BootKits"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "message": "A list of BootLoaders are present on $dest$", "mitre_attack_id": ["T1542.001", "T1542"], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "_raw"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "atomic_guid": [], "mitre_attack_enrichments": [{"mitre_attack_id": "T1542.001", "mitre_attack_technique": "System Firmware", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1542", "mitre_attack_technique": "Pre-OS Boot", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}]}, "datamodel": [], "macros": [{"name": "bootloader_inventory", "definition": "sourcetype = PwSh:bootloader", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_bootloader_inventory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_bootloader_inventory.yml", "source": "endpoint"}, {"name": "Windows Cached Domain Credentials Reg Query", "id": "40ccb8e0-1785-466e-901e-6a8b75c04ecd", "version": 1, "date": "2022-11-30", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a process command line related to the discovery of cache domain credential logon count in the registry. This Technique was being abused by several post exploitation tool like Winpeas where it query CachedLogonsCount registry value in Winlogon registry. This value can be good information about the login caching setting on the Windows OS target host. A value of 0 means login caching is disable and values > 50 caches only 50 login attempts. By default all versions of Windows 10 save cached logins except Windows Server 2008.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = \"* query *\" AND Processes.process = \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon*\" AND Processes.process = \"*CACHEDLOGONSCOUNT*\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_cached_domain_credentials_reg_query_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used.", "known_false_positives": "unknown", "references": ["https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/", "https://learn.microsoft.com/de-de/troubleshoot/windows-server/user-profiles-and-logon/cached-domain-logon-information", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS"], "tags": {"name": "Windows Cached Domain Credentials Reg Query", "analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "a process with commandline $process$ tries to retrieve cache domain credential logon count in $dest$", "mitre_attack_id": ["T1003.005", "T1003"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id", "Processes.parent_process_guid", "Processes.process_guid"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.005", "mitre_attack_technique": "Cached Domain Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "Leafminer", "MuddyWater", "OilRig"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_cached_domain_credentials_reg_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_cached_domain_credentials_reg_query.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Change Default File Association For No File Ext", "id": "dbdf52ad-d6a1-4b68-975f-0a10939d8e38", "version": 1, "date": "2022-11-30", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is developed to detect suspicious process commandline to change or set the default file association of a file without file extension with notepad.exe. This technique was seen in some APT and ransomware Prestige where it set/modify the default process to run file association, like .txt to notepad.exe.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process=\"* add *\" AND Processes.process=\"* HKCR\\\\*\" AND Processes.process=\"*\\\\shell\\\\open\\\\command*\" AND Processes.process= *Notepad.exe* by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | rex field=process \"Notepad\\.exe (?.*$)\" | rex field=file_name_association \"\\.(?[^\\.]*$)\" | where isnull(extension) and isnotnull(file_name_association) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_change_default_file_association_for_no_file_ext_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "unknown", "references": ["https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"name": "Windows Change Default File Association For No File Ext", "analytic_story": ["Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "process with commandline $process$ set or change the file association of a file with no file extension in $dest$", "mitre_attack_id": ["T1546.001", "T1546"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/prestige_ransomware/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_change_default_file_association_for_no_file_ext_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_change_default_file_association_for_no_file_ext.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows ClipBoard Data via Get-ClipBoard", "id": "ab73289e-2246-4de0-a14b-67006c72a893", "version": 1, "date": "2022-11-30", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a powershell script command to retrieve clipboard data. This technique was seen in several post exploitation tools like WINPEAS to steal sensitive information that was saved in clipboard. Using the Get-Clipboard powershell commandlet, adversaries can be able collect data stored in clipboard that might be a copied user name, password or other sensitive information.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-Clipboard*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_clipboard_data_via_get_clipboard_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "It is possible there will be false positives, filter as needed.", "references": ["https://attack.mitre.org/techniques/T1115/", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"name": "Windows ClipBoard Data via Get-ClipBoard", "analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "powershell script $ScriptBlockText$ execute Get-Clipboard commandlet in $dest$", "mitre_attack_id": ["T1115"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1115", "mitre_attack_technique": "Clipboard Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT38", "APT39"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/powershell/windows-powershell-xml2.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_clipboard_data_via_get_clipboard_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows COM Hijacking InprocServer32 Modification", "id": "b7bd83c0-92b5-4fc7-b286-23eccfa2c561", "version": 1, "date": "2022-09-26", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of reg.exe performing an add to the InProcServer32, which may be related to COM hijacking. Adversaries can use the COM system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` Processes.process=*inprocserver32* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_com_hijacking_inprocserver32_modification_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present and some filtering may be required.", "references": ["https://attack.mitre.org/techniques/T1546/015/", "https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"], "tags": {"name": "Windows COM Hijacking InprocServer32 Modification", "analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to modify InProcServer32 within the registry.", "mitre_attack_id": ["T1546.015", "T1546"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["UPDATE"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.015/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_com_hijacking_inprocserver32_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Command and Scripting Interpreter Hunting Path Traversal", "id": "d0026380-b3c4-4da0-ac8e-02790063ff6b", "version": 1, "date": "2022-06-01", "author": "Teoderick Contreras, Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies path traversal command-line execution and should be used to tune and driver other more higher fidelity analytics. This technique was seen in malicious document that execute malicious code using msdt.exe and path traversal technique that serve as defense evasion. This Hunting query is a good pivot to look for possible suspicious process and command-line that runs execute path traversal technique to run malicious code. This may help you to find possible downloaded malware or other lolbin execution.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.process_hash Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval count_of_pattern1 = (mvcount(split(process,\"/..\"))-1) | eval count_of_pattern2 = (mvcount(split(process,\"\\..\"))-1) | eval count_of_pattern3 = (mvcount(split(process,\"\\\\..\"))-1) | eval count_of_pattern4 = (mvcount(split(process,\"//..\"))-1) | search count_of_pattern1 > 1 OR count_of_pattern2 > 1 OR count_of_pattern3 > 1 OR count_of_pattern4 > 1 | `windows_command_and_scripting_interpreter_hunting_path_traversal_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product", "known_false_positives": "false positive may vary depends on the score you want to check. The bigger number of path traversal string count the better.", "references": ["https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/"], "tags": {"name": "Windows Command and Scripting Interpreter Hunting Path Traversal", "analytic_story": ["Windows Defense Evasion Tactics", "Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Installation"], "message": "A parent process $parent_process_name$ has spawned a child $process_name$ with path traversal commandline $process$ in $dest$", "mitre_attack_id": ["T1059"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/path_traversal/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_command_and_scripting_interpreter_hunting_path_traversal_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Command and Scripting Interpreter Path Traversal Exec", "id": "58fcdeb1-728d-415d-b0d7-3ab18a275ec2", "version": 2, "date": "2022-06-01", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies path traversal command-line execution. This technique was seen in malicious document that execute malicious code using msdt.exe and path traversal technique that serve as defense evasion. This TTP is a good pivot to look for more suspicious process and command-line that runs before and after this execution. This may help you to find possible downloaded malware or other lolbin execution.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process=\"*\\/..\\/..\\/..\\/*\" OR Processes.process=\"*\\\\..\\\\..\\\\..\\\\*\" OR Processes.process=\"*\\/\\/..\\/\\/..\\/\\/..\\/\\/*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.process_hash | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_command_and_scripting_interpreter_path_traversal_exec_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product", "known_false_positives": "Not known at this moment.", "references": ["https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/"], "tags": {"name": "Windows Command and Scripting Interpreter Path Traversal Exec", "analytic_story": ["Windows Defense Evasion Tactics", "Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Installation"], "message": "A parent process $parent_process_name$ has spawned a child $process_name$ with path traversal commandline $process$ in $dest$", "mitre_attack_id": ["T1059"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/path_traversal/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_command_and_scripting_interpreter_path_traversal_exec_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Command Shell DCRat ForkBomb Payload", "id": "2bb1a362-7aa8-444a-92ed-1987e8da83e1", "version": 1, "date": "2022-07-28", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies DCRat \"forkbomb\" payload feature. This technique was seen in dark crystal RAT backdoor capabilities where it will execute several cmd child process executing \"notepad.exe & pause\". This analytic detects the multiple cmd.exe and child process notepad.exe execution using batch script in the targeted host within 30s timeframe. this TTP can be a good pivot to check DCRat infection.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.parent_process_id) as parent_process_id values(Processes.process_id) as process_id dc(Processes.parent_process_id) as parent_process_id_count dc(Processes.process_id) as process_id_count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name= \"cmd.exe\" (Processes.process_name = \"notepad.exe\" OR Processes.original_file_name= \"notepad.exe\") Processes.parent_process = \"*.bat*\" by Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.parent_process Processes.dest Processes.user _time span=30s | where parent_process_id_count>= 10 AND process_id_count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_command_shell_dcrat_forkbomb_payload_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "references": ["https://cert.gov.ua/article/405538", "https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat", "https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor"], "tags": {"name": "Windows Command Shell DCRat ForkBomb Payload", "analytic_story": ["DarkCrystal RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Installation"], "message": "Multiple cmd.exe processes with child process of notepad.exe executed on $dest$", "mitre_attack_id": ["T1059.003", "T1059"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_forkbomb/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_command_shell_dcrat_forkbomb_payload_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Command Shell Fetch Env Variables", "id": "048839e4-1eaa-43ff-8a22-86d17f6fcc13", "version": 1, "date": "2022-10-27", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a suspicious process command line fetching the environment variables with a non-shell parent process. This technique was seen in qakbot malware where it fetches the environment variable in the target or compromised host. This TTP detection is a good pivot of possible malicious behavior since the command line is executed by a common non-shell process like cmd.exe , powershell.exe and many more. This can also be a good sign that the parent process has a malicious code injected to it to execute this command.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*cmd /c set\" OR Processes.process = \"*cmd.exe /c set\" AND NOT (Processes.parent_process_name = \"cmd.exe\" OR Processes.parent_process_name = \"powershell*\" OR Processes.parent_process_name=\"pwsh.exe\" OR Processes.parent_process_name = \"explorer.exe\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_command_shell_fetch_env_variables_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "shell process that are not included in this search may cause False positive. Filter is needed.", "references": ["https://twitter.com/pr0xylife/status/1585612370441031680?s=46&t=Dc3CJi4AnM-8rNoacLbScg"], "tags": {"name": "Windows Command Shell Fetch Env Variables", "analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "non-shell parent process has a child process $process_name$ with a commandline $process$ to fetch env variables in $dest$", "mitre_attack_id": ["T1055"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_wermgr/sysmon_wermgr.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_command_shell_fetch_env_variables_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_command_shell_fetch_env_variables.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Computer Account Created by Computer Account", "id": "97a8dc5f-8a7c-4fed-9e3e-ec407fd0268a", "version": 1, "date": "2022-04-27", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifes a Computer Account creating a new Computer Account with specific a Service Principle Name - \"RestrictedKrbHost\". The RestrictedKrbHost service class allows client applications to use Kerberos authentication when they do not have the identity of the service but have the server name.", "data_source": ["Windows Security 4741"], "search": "`wineventlog_security` EventCode=4741 user_type=computer Subject_Account_Domain!=\"NT AUTHORITY\" Message=*RestrictedKrbHost* | stats count min(_time) as firstTime max(_time) as lastTime by dest, subject, action ,src_user, user, Account_Name, Subject_Account_Name,Subject_Account_Domain | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_computer_account_created_by_computer_account_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4741 EventCode enabled. The Windows TA is also required.", "known_false_positives": "It is possible third party applications may have a computer account that adds computer accounts, filtering may be required.", "references": ["https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/445e4499-7e49-4f2a-8d82-aaf2d1ee3c47", "https://github.com/Dec0ne/KrbRelayUp"], "tags": {"name": "Windows Computer Account Created by Computer Account", "analytic_story": ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "A Computer Account created a Computer Account on $dest$, possibly indicative of Kerberos relay attack.", "mitre_attack_id": ["T1558"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "subject", "action", "src_user", "user", "Account_Name", "Subject_Account_Name", "Subject_Account_Domain"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558/krbrelayup/krbrelayup.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_computer_account_created_by_computer_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_computer_account_created_by_computer_account.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Computer Account Requesting Kerberos Ticket", "id": "fb3b2bb3-75a4-4279-848a-165b42624770", "version": 1, "date": "2022-04-27", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a ComputerAccount requesting a Kerberos Ticket. typically, a user account requests a Kerberos ticket. This behavior was identified with KrbUpRelay, but additional Kerberos attacks have exhibited similar behavior.", "data_source": ["Windows Security 4768"], "search": "`wineventlog_security` EventCode=4768 Account_Name=\"*$\" src_ip!=\"::1\" | stats count min(_time) as firstTime max(_time) as lastTime by dest, subject, action, Supplied_Realm_Name, user, Account_Name, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_computer_account_requesting_kerberos_ticket_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4768 EventCode enabled. The Windows TA is also required.", "known_false_positives": "It is possible false positives will be present based on third party applications. Filtering may be needed.", "references": ["https://github.com/Dec0ne/KrbRelayUp"], "tags": {"name": "Windows Computer Account Requesting Kerberos Ticket", "analytic_story": ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "A Computer Account requested a Kerberos ticket on $dest$, possibly indicative of Kerberos relay attack.", "mitre_attack_id": ["T1558"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "subject", "action", "Supplied_Realm_Name", "user", "Account_Name", "src_ip"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558/krbrelayup/krbrelayup.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_computer_account_requesting_kerberos_ticket_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_computer_account_requesting_kerberos_ticket.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Computer Account With SPN", "id": "9a3e57e7-33f4-470e-b25d-165baa6e8357", "version": 1, "date": "2022-04-28", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies two SPNs, HOST and RestrictedKrbHost, added using the KrbRelayUp behavior. This particular behavior has been found in other Kerberos based attacks.", "data_source": ["Windows Security 4741"], "search": "`wineventlog_security` EventCode=4741 MSADChangedAttributes IN (\"*HOST/*\",\"*RestrictedKrbHost/*\") AND New_UAC_Value=0x80 | eval Effecting_Account=mvindex(Security_ID,1) | eval New_Computer_Account_Name=mvindex(Security_ID,0) | stats count min(_time) as firstTime max(_time) as lastTime values(EventCode),values(Account_Domain),values(Security_ID), values(Effecting_Account), values(New_Computer_Account_Name),values(SAM_Account_Name),values(DNS_Host_Name),values(MSADChangedAttributes) by dest Logon_ID subject | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_computer_account_with_spn_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4741 EventCode enabled. The Windows TA is also required.", "known_false_positives": "It is possible third party applications may add these SPNs to Computer Accounts, filtering may be needed.", "references": ["https://www.trustedsec.com/blog/an-attack-path-mapping-approach-to-cves-2021-42287-and-2021-42278", "https://github.com/Dec0ne/KrbRelayUp"], "tags": {"name": "Windows Computer Account With SPN", "analytic_story": ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "A Computer Account was created with SPNs related to Kerberos on $dest$, possibly indicative of Kerberos relay attack.", "mitre_attack_id": ["T1558"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "MSADChangedAttributes", "New_UAC_Value", "Security_ID", "Account_Domain", "SAM_Account_Name", "DNS_Host_Name", "Logon_Id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558/krbrelayup/krbrelayup.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog"}]}], "datamodel": ["Change"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_computer_account_with_spn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_computer_account_with_spn.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Create Local Account", "id": "3fb2e8e3-7bc0-4567-9722-c5ab9f8595eb", "version": 1, "date": "2022-10-05", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a new local user account added to a computer. Note that, this should be restricted to critical assets.", "data_source": [], "search": "| tstats `security_content_summariesonly` values(All_Changes.result_id) as result_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Change where All_Changes.result_id=4720 by All_Changes.user All_Changes.dest All_Changes.result All_Changes.action | `drop_dm_object_name(\"All_Changes\")` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_create_local_account_filter`", "how_to_implement": "This search requires you to have enabled your Group Management Audit Logs in your Local Windows Security Policy and be ingesting those logs. More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/", "known_false_positives": "It is possible that an administrator created the account. Verifying activity with an administrator is advised. This analytic is set to anomaly to allow for risk to be added. Filter and tune as needed. Restrict to critical infrastructure to reduce any volume.", "references": ["https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/"], "tags": {"name": "Windows Create Local Account", "analytic_story": ["Account Monitoring and Controls"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 20, "kill_chain_phases": ["Installation"], "message": "The following $user$ was added to $dest$ as a local account.", "mitre_attack_id": ["T1136.001", "T1136"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["All_Changes.user", "All_Changes.dest", "All_Changes.result", "All_Changes.action"], "risk_score": 18, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "Dragonfly", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/4720.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog", "update_timestamp": true}]}], "datamodel": ["Change"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_create_local_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_create_local_account.yml", "source": "endpoint"}, {"name": "Windows Credential Dumping LSASS Memory Createdump", "id": "b3b7ce35-fce5-4c73-85f4-700aeada81a9", "version": 1, "date": "2023-01-23", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of CreateDump.exe being used to perform a process dump. This particular binary is not native to Windows, but is found to be brought in my many different third party applications including PowerShell 7.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=createdump.exe OR Processes.original_file_name=\"FX_VER_INTERNALNAME_STR\" Processes.process=\"*-u *\" AND Processes.process=\"*-f *\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credential_dumping_lsass_memory_createdump_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present if an application is dumping processes, filter as needed. Recommend reviewing createdump.exe usage across the fleet to better understand all usage and by what.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md#atomic-test-11---dump-lsass-with-createdumpexe-from-net-v5"], "tags": {"name": "Windows Credential Dumping LSASS Memory Createdump", "analytic_story": ["Credential Dumping"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to dump a process.", "mitre_attack_id": ["T1003.001"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/createdump_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_credential_dumping_lsass_memory_createdump_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "id": "2e65afe0-9a75-4487-bd87-ada9a9f1b9af", "version": 1, "date": "2023-04-26", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a non-chrome process accessing Chrome extensions file. This file stores various settings and information related to the browser's extensions on your computer. Threat actor, adversaries and malware author also abused this file to attempt to extract sensitive information from the chrome browser of the target host. This anomaly detection can be a good pivot of analysis for suspicious process aside from chrome.exe and explorer.exe executable.", "data_source": ["Security Event ID 4663"], "search": "`wineventlog_security` EventCode=4663 object_file_path=\"*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Local Extension Settings\\\\*\" AND NOT (process_path IN (\"*:\\\\Windows\\\\explorer.exe\", \"*\\\\chrome.exe\")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_chrome_extension_access_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "Uninstall chrome browser extension application may access this file and folder path to removed chrome installation in the target host. Filter is needed.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"name": "Windows Credentials from Password Stores Chrome Extension Access", "analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "A non-chrome process $process_name$ accessing chrome browser extension folder files on $dest$", "mitre_attack_id": ["T1012"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "object_file_name", "object_file_path", "process_name", "process_path", "process_id", "EventCode", "dest"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/browser_ext_access/security-ext-raw.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_credentials_from_password_stores_chrome_extension_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "id": "3b1d09a8-a26f-473e-a510-6c6613573657", "version": 1, "date": "2023-04-26", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a non-chrome process accessing Chrome user data \"local state\" file. This file stores various settings and information related to the browser's operation on your computer. Threat actor, adversaries and malware author also abused this file to attempt to extract the encrypted master key to decrypt password saved in chrome browser. This anomaly detection can be a good pivot of analysis for suspicious process aside from chrome.exe and explorer.exe executable.", "data_source": ["Security Event ID 4663"], "search": "`wineventlog_security` EventCode=4663 object_file_path=\"*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Local State\" NOT (process_name IN (\"*\\\\chrome.exe\",\"*:\\\\Windows\\\\explorer.exe\")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_chrome_localstate_access_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "Uninstall chrome application may access this file and folder path to removed chrome installation in target host. Filter is needed.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "A non-chrome process $process_name$ accessing \"Chrome\\\\User Data\\\\Local State\" file on $dest$", "mitre_attack_id": ["T1012"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "object_file_name", "object_file_path", "process_name", "process_path", "process_id", "EventCode", "dest"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/chrome_local_state_simulate_access/redline-local-state-security-xml.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_credentials_from_password_stores_chrome_localstate_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "id": "0d32ba37-80fc-4429-809c-0ba15801aeaf", "version": 1, "date": "2023-04-27", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a non-chrome process accessing Chrome user data \"login data\" file. This sqlite db file stores various information related to the browser's operation on your computer. Threat actor, adversaries and malware author also abused this file to attempt to extract and decrypt password saved in chrome browser. This anomaly detection can be a good pivot of analysis for suspicious process aside from chrome.exe and explorer.exe executable.", "data_source": ["Security Event ID 4663"], "search": "`wineventlog_security` EventCode=4663 object_file_path=\"*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Login Data\" AND NOT (process_path IN (\"*:\\\\Windows\\\\explorer.exe\", \"*:\\\\Windows\\\\System32\\\\dllhost.exe\", \"*\\\\chrome.exe\")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_chrome_login_data_access_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "Uninstall application may access this registry to remove the entry of the target application. filter is needed.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "A non-chrome process $process_name$ accessing Chrome \"Login Data\" file on $dest$", "mitre_attack_id": ["T1012"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "object_file_name", "object_file_path", "process_name", "process_path", "process_id", "EventCode", "dest"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/chrome_login_data_simulate_access/redline-login-data-security-xml.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_credentials_from_password_stores_chrome_login_data_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Credentials from Password Stores Query", "id": "db02d6b4-5d5b-4c33-8d8f-f0577516a8c7", "version": 1, "date": "2022-11-30", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a process execution of Windows OS cmdkey.exe tool. This tool is being abused or used by several post exploitation tool such as winpeas that being used by ransomware prestige to list stored user names, passwords or credentials in the targeted Windows OS host. This information can be used by the attacker to gain privilege escalation and persistence in the targeted hosts for further attacks.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"cmdkey.exe\" OR Processes.original_file_name = \"cmdkey.exe\" AND Processes.process = \"*/list*\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_query_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used.", "known_false_positives": "network administrator can use this tool for auditing process.", "references": ["https://ss64.com/nt/cmdkey.html", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"name": "Windows Credentials from Password Stores Query", "analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "a process $process_name$ was executed in $dest$ to display stored username and credentials.", "mitre_attack_id": ["T1555"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id", "Processes.parent_process_guid", "Processes.process_guid"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_cmdkeylist/cmdkey-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_credentials_from_password_stores_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_credentials_from_password_stores_query.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Credentials in Registry Reg Query", "id": "a8b3124e-2278-4b73-ae9c-585117079fb2", "version": 1, "date": "2022-11-30", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a process command line related to the discovery of possible password or credentials in the registry. This technique is being abused by adversaries or post exploitation tools like winpeas to steal credentials in the registry in the targeted host. Registry can contain several sensitive information like username and credentials that can be used for privilege escalation, persistence or even in lateral movement. This Anomaly detection can be a good pivot to detect a suspicious process querying a registry related to password or private keys.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = \"* query *\" AND Processes.process IN (\"*\\\\Software\\\\ORL\\\\WinVNC3\\\\Password*\", \"*\\\\SOFTWARE\\\\RealVNC\\\\WinVNC4 /v password*\", \"*\\\\CurrentControlSet\\\\Services\\\\SNMP*\", \"*\\\\Software\\\\TightVNC\\\\Server*\", \"*\\\\Software\\\\SimonTatham\\\\PuTTY\\\\Sessions*\", \"*\\\\Software\\\\OpenSSH\\\\Agent\\\\Keys*\", \"*password*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_in_registry_reg_query_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used.", "known_false_positives": "unknown", "references": ["https://attack.mitre.org/techniques/T1552/002/", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"name": "Windows Credentials in Registry Reg Query", "analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "reg query commandline $process$ in $dest$", "mitre_attack_id": ["T1552.002", "T1552"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id", "Processes.parent_process_guid", "Processes.process_guid"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1552.002", "mitre_attack_technique": "Credentials in Registry", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT32"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_search_pwd/query-putty-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_credentials_in_registry_reg_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_credentials_in_registry_reg_query.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Curl Download to Suspicious Path", "id": "c32f091e-30db-11ec-8738-acde48001122", "version": 1, "date": "2021-10-19", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of Windows Curl.exe downloading a file to a suspicious location. \\\n-O or --output is used when a file is to be downloaded and placed in a specified location. \\\nDuring triage, review parallel processes for further behavior. In addition, identify if the download was successful. If a file was downloaded, capture and analyze.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_curl` Processes.process IN (\"*-O *\",\"*--output*\") Processes.process IN (\"*\\\\appdata\\\\*\",\"*\\\\programdata\\\\*\",\"*\\\\public\\\\*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_curl_download_to_suspicious_path_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "It is possible Administrators or super users will use Curl for legitimate purposes. Filter as needed.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://attack.mitre.org/techniques/T1105/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"], "tags": {"name": "Windows Curl Download to Suspicious Path", "analytic_story": ["IcedID", "Ingress Tool Transfer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Command And Control"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ to download a file to a suspicious directory.", "mitre_attack_id": ["T1105"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon_curl.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_curl", "definition": "(Processes.process_name=curl.exe OR Processes.original_file_name=Curl.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_curl_download_to_suspicious_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_curl_download_to_suspicious_path.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Curl Upload to Remote Destination", "id": "42f8f1a2-4228-11ec-aade-acde48001122", "version": 1, "date": "2021-11-10", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of Windows Curl.exe uploading a file to a remote destination. \\\n`-T` or `--upload-file` is used when a file is to be uploaded to a remotge destination. \\\n`-d` or `--data` POST is the HTTP method that was invented to send data to a receiving web application, and it is, for example, how most common HTML forms on the web work. \\\nHTTP multipart formposts are done with `-F`, but this appears to not be compatible with the Windows version of Curl. Will update if identified adversary tradecraft. \\\nAdversaries may use one of the three methods based on the remote destination and what they are attempting to upload (zip vs txt). During triage, review parallel processes for further behavior. In addition, identify if the upload was successful in network logs. If a file was uploaded, isolate the endpoint and review.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_curl` Processes.process IN (\"*-T *\",\"*--upload-file *\", \"*-d *\", \"*--data *\", \"*-F *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_curl_upload_to_remote_destination_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be limited to source control applications and may be required to be filtered out.", "references": ["https://everything.curl.dev/usingcurl/uploads", "https://techcommunity.microsoft.com/t5/containers/tar-and-curl-come-to-windows/ba-p/382409", "https://twitter.com/d1r4c/status/1279042657508081664?s=20"], "tags": {"name": "Windows Curl Upload to Remote Destination", "analytic_story": ["Ingress Tool Transfer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Command And Control"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ uploading a file to a remote destination.", "mitre_attack_id": ["T1105"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon_curl_upload.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_curl", "definition": "(Processes.process_name=curl.exe OR Processes.original_file_name=Curl.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_curl_upload_to_remote_destination_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_curl_upload_to_remote_destination.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Data Destruction Recursive Exec Files Deletion", "id": "3596a799-6320-4a2f-8772-a9e98ddb2960", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a suspicious process recursively deleting files in a compromised host. This behavior was seen in several destructive malware, wiper like caddy wiper, doublezero, and now swiftslicer that delete or overwrite files with random generated strings to make it unrecoverable. This analytic can also catch a possible recursive file write on multiple files using Sysmon Event 23. Sysmon treats the modified file as a deleted one as soon as it was overwritten. This analytic can be a good indicator that a possible destructive malware is running in a host machine or a big software application is being uninstalled.", "data_source": ["Sysmon Event ID 23"], "search": "`sysmon` EventCode=23 TargetFilename IN (\"*.exe\", \"*.sys\", \"*.dll\") | bin _time span=2m | stats values(TargetFilename) as deleted_files min(_time) as firstTime max(_time) as lastTime count by Computer user EventCode Image ProcessID | where count >=500 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_data_destruction_recursive_exec_files_deletion_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the deleted target file name, process name and process id from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "uninstall a big software application may trigger this detection. Filter is needed.", "references": ["https://www.welivesecurity.com/2023/01/27/swiftslicer-new-destructive-wiper-malware-ukraine/"], "tags": {"name": "Windows Data Destruction Recursive Exec Files Deletion", "analytic_story": ["Swift Slicer", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "message": "a big number of executable files being deleted in $Computer$", "mitre_attack_id": ["T1485"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Endpoint", "role": ["Victim"]}, {"name": "deleted_files", "type": "File Name", "role": ["Target"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["EventCode", "TargetFilename", "Computer", "user", "Image", "ProcessID", "_time"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/swift_slicer/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_data_destruction_recursive_exec_files_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Windows Defacement Modify Transcodedwallpaper File", "id": "e11c3d90-5bc7-42ad-94cd-ba75db10d897", "version": 1, "date": "2022-08-25", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a modification to the Transcodedwallpaper file in the wallpaper theme directory to change the wallpaper of the host machine. This technique was seen in adversaries attempting to deface or change the desktop wallpaper of the targeted host. During our testing, the common process that affects or changes the wallpaper if a user changes it via desktop personalized setting is explorer.exe.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_path !=\"*\\\\Windows\\\\Explorer.EXE\" by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid Processes.original_file_name | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid | join proc_guid, _time [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_path = \"*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Themes\\\\TranscodedWallpaper\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` |rename process_guid as proc_guid | fields file_name file_path process_name process_path process dest file_create_time _time proc_guid] | `windows_defacement_modify_transcodedwallpaper_file_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "3rd part software application can change the wallpaper. Filter is needed.", "references": ["https://forums.ivanti.com/s/article/Wallpaper-Windows-Settings-Desktop-Settings-and-the-transcodedwallpaper-jpg?language=en_US", "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_sifreli.a"], "tags": {"name": "Windows Defacement Modify Transcodedwallpaper File", "analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Actions on Objectives"], "message": "modification or creation of transcodedwallpaper file by $process_name$ in $dest$", "mitre_attack_id": ["T1491"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "file_create_time", "file_name", "file_path", "process_name", "process_path", "process"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/wallpaper_via_transcodedwallpaper/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_defacement_modify_transcodedwallpaper_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Default Group Policy Object Modified", "id": "fe6a6cc4-9e0d-4d66-bcf4-2c7f44860876", "version": 1, "date": "2023-03-28", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic leverages Event ID 5136 to identify the modification of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment. The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the modification of the default GPOs.", "data_source": [], "search": " `wineventlog_security` EventCode=5136 ObjectClass=groupPolicyContainer AttributeLDAPDisplayName=versionNumber (ObjectDN=\"CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM,DC=*\" OR ObjectDN=\"CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=POLICIES,CN=SYSTEM,DC=*\") | stats min(_time) as firstTime max(_time) as lastTime by ObjectDN SubjectUserSid AttributeValue Computer DSName | rename AttributeValue as versionNumber | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_default_group_policy_object_modified_filter`", "how_to_implement": "To successfully implement this search, the Advanced Security Audit policy setting `Audit Directory Service Changes` within `DS Access` needs to be enabled. Furthermore, the appropriate system access control lists (SACL) need to be created as the used events are not logged by default. A good guide to accomplish this can be found here https://jgspiers.com/audit-group-policy-changes/.", "known_false_positives": "The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed.", "references": ["https://attack.mitre.org/techniques/T1484/", "https://attack.mitre.org/techniques/T1484/001", "https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/", "https://adsecurity.org/?p=2716"], "tags": {"name": "Windows Default Group Policy Object Modified", "analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "A default group policy object was modified on $Computer$ by $SubjectUserSid$", "mitre_attack_id": ["T1484", "T1484.001"], "nist": ["DE.CM"], "observable": [{"name": "SubjectUserSid", "type": "User", "role": ["Attacker"]}, {"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["EventCode", "ObjectClass", "AttributeLDAPDisplayName", "ObjectDN", "Computer", "DSName", "AttributeValue", "SubjectUserSid"], "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1484.001", "mitre_attack_technique": "Group Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Indrik Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/default_domain_policy_modified/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_default_group_policy_object_modified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_default_group_policy_object_modified.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Default Group Policy Object Modified with GPME", "id": "eaf688b3-bb8f-454d-b105-920a862cd8cb", "version": 1, "date": "2023-04-24", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic leverages the Endpoint datamodel to identify the potential edition of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment. The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the edition of the default GPOs.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=mmc.exe (Processes.process =*gpme.msc*) AND (Processes.process = \"*31B2F340-016D-11D2-945F-00C04FB984F9*\" OR Processes.process = \"*6AC1786C-016F-11D2-945F-00C04fB984F9*\" ) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_default_group_policy_object_modified_with_gpme_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed.", "references": ["https://attack.mitre.org/techniques/T1484/", "https://attack.mitre.org/techniques/T1484/001", "https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/", "https://adsecurity.org/?p=2716", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn265969(v=ws.11)"], "tags": {"name": "Windows Default Group Policy Object Modified with GPME", "analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "A default group policy object was opened with Group Policy Manage Editor on $dest$", "mitre_attack_id": ["T1484", "T1484.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1484.001", "mitre_attack_technique": "Group Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Indrik Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/default_domain_policy_modified/windows-security.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_default_group_policy_object_modified_with_gpme_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Defender Exclusion Registry Entry", "id": "13395a44-4dd9-11ec-9df7-acde48001122", "version": 3, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic will detect a suspicious process that modify a registry related to windows defender exclusion feature. This registry is abused by adversaries, malware author and red teams to bypassed Windows Defender Anti-Virus product by excluding folder path, file path, process, extensions and etc. from its real time or schedule scan to execute their malicious code. This is a good indicator for a defense evasion and to look further for events after this behavior.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_defender_exclusion_registry_entry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to use this windows features.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html", "https://app.any.run/tasks/cf1245de-06a7-4366-8209-8e3006f2bfe5/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"name": "Windows Defender Exclusion Registry Entry", "analytic_story": ["Remcos", "Windows Defense Evasion Tactics", "Azorult", "Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "exclusion registry $registry_path$ modified or added on $dest$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_defender_exclusion_registry_entry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_defender_exclusion_registry_entry.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Deleted Registry By A Non Critical Process File Path", "id": "15e70689-f55b-489e-8a80-6d0cd6d8aad2", "version": 2, "date": "2023-04-14", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to detect deletion of registry with suspicious process file path. This technique was seen in Double Zero wiper malware where it will delete all the subkey in HKLM, HKCU and HKU registry hive as part of its destructive payload to the targeted hosts. This anomaly detections can catch possible malware or advesaries deleting registry as part of defense evasion or even payload impact but can also catch for third party application updates or installation. In this scenario false positive filter is needed.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry WHERE Registry.action=deleted BY _time span=1h Registry.dest Registry.registry_path Registry.registry_value_name Registry.registry_key_name Registry.process_guid Registry.registry_value_data Registry.action | `drop_dm_object_name(Registry)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes WHERE NOT (Processes.process_path IN (\"*\\\\windows\\\\*\", \"*\\\\program files*\")) by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.user Processes.parent_process_name Processes.parent_process Processes.process_path Processes.process_guid | `drop_dm_object_name(Processes)`] | fields _time parent_process_name parent_process process_name process_path process process_guid registry_path registry_value_name registry_value_data registry_key_name action dest user | `windows_deleted_registry_by_a_non_critical_process_file_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "This detection can catch for third party application updates or installation. In this scenario false positive filter is needed.", "references": ["https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html"], "tags": {"name": "Windows Deleted Registry By A Non Critical Process File Path", "analytic_story": ["Data Destruction", "Double Zero Destructor"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "registry was deleted by a suspicious $process_name$ with proces path $process_path in $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.user", "Processes.dest", "Processes.process_id", "Processes.process_name", "Processes.process", "Processes.process_path", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_guid", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/doublezero_wiper/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_deleted_registry_by_a_non_critical_process_file_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Disable Change Password Through Registry", "id": "0df33e1a-9ef6-11ec-a1ad-acde48001122", "version": 3, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to detect a suspicious registry modification to disable change password feature of the windows host. This registry modification may disables the Change Password button on the Windows Security dialog box (which appears when you press Ctrl+Alt+Del). As a result, users cannot change their Windows password on demand. This technique was seen in some malware family like ransomware to prevent the user to change the password after ownning the network or a system during attack. This windows feature may implemented by administrator to prevent normal user to change the password of a critical host or server, In this type of scenario filter is needed to minimized false positive.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableChangePassword\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_change_password_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "This windows feature may implemented by administrator to prevent normal user to change the password of a critical host or server, In this type of scenario filter is needed to minimized false positive.", "references": ["https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_heartbleed.thdobah"], "tags": {"name": "Windows Disable Change Password Through Registry", "analytic_story": ["Ransomware", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Registry modification in \"DisableChangePassword\" on $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Change", "Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_disable_change_password_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_disable_change_password_through_registry.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Disable Lock Workstation Feature Through Registry", "id": "c82adbc6-9f00-11ec-a81f-acde48001122", "version": 3, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to detect a suspicious registry modification to disable Lock Computer windows features. This registry modification prevent the user from locking its screen or computer that are being abused by several malware for example ransomware. This technique was used by threat actor to make its payload more impactful to the compromised host.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableLockWorkstation\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_lock_workstation_feature_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "references": ["https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/", "https://heimdalsecurity.com/blog/fatalrat-targets-telegram/"], "tags": {"name": "Windows Disable Lock Workstation Feature Through Registry", "analytic_story": ["Ransomware", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Registry modification in \"DisableLockWorkstation\" on $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_disable_lock_workstation_feature_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Disable LogOff Button Through Registry", "id": "b2fb6830-9ed1-11ec-9fcb-acde48001122", "version": 3, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to detect a suspicious registry modification to disable logoff feature in windows host. This registry when enable will prevent users to log off of the system by using any method, including programs run from the command line, such as scripts. It also disables or removes all menu items and buttons that log the user off of the system. This technique was seen abused by ransomware malware to make the compromised host un-useful and hard to remove other registry modification made on the machine that needs restart to take effect. This windows feature may implement by administrator in some server where shutdown is critical. In that scenario filter of machine and users that can modify this registry is needed.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\*\" Registry.registry_value_name IN (\"NoLogOff\", \"StartMenuLogOff\") Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_logoff_button_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "This windows feature may implement by administrator in some server where shutdown is critical. In that scenario filter of machine and users that can modify this registry is needed.", "references": ["https://www.hybrid-analysis.com/sample/e2d4018fd3bd541c153af98ef7c25b2bf4a66bc3bfb89e437cde89fd08a9dd7b/5b1f4d947ca3e10f22714774", "https://malwiki.org/index.php?title=DigiPop.xp", "https://www.trendmicro.com/vinfo/be/threat-encyclopedia/search/js_noclose.e/2"], "tags": {"name": "Windows Disable LogOff Button Through Registry", "analytic_story": ["Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Registry modification in \"NoLogOff\" on $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_disable_logoff_button_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_disable_logoff_button_through_registry.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Disable Memory Crash Dump", "id": "59e54602-9680-11ec-a8a6-acde48001122", "version": 2, "date": "2023-04-27", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a process that is attempting to disable the ability on Windows to generate a memory crash dump. This was recently identified being utilized by HermeticWiper. To disable crash dumps, the value must be set to 0. This feature is typically modified to perform a memory crash dump when a computer stops unexpectedly because of a Stop error (also known as a blue screen, system crash, or bug check).", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry where (Registry.registry_path=\"*\\\\CurrentControlSet\\\\Control\\\\CrashControl\\\\CrashDumpEnabled\") AND Registry.registry_value_data=\"0x00000000\" by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_memory_crash_dump_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` and `Registry` node.", "known_false_positives": "unknown", "references": ["https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html", "https://docs.microsoft.com/en-us/troubleshoot/windows-server/performance/memory-dump-file-options"], "tags": {"name": "Windows Disable Memory Crash Dump", "analytic_story": ["Ransomware", "Data Destruction", "Windows Registry Abuse", "Hermetic Wiper"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "message": "A process $process_name$ was identified attempting to disable memory crash dumps on $dest$.", "mitre_attack_id": ["T1485"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/hermetic_wiper/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_disable_memory_crash_dump_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_disable_memory_crash_dump.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Disable Notification Center", "id": "1cd983c8-8fd6-11ec-a09d-acde48001122", "version": 3, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following search identifies a modification of registry to disable the windows notification center feature in a windows host machine. This registry modification removes notification and action center from the notification area on the task bar. This modification are seen in RAT malware to cover their tracks upon downloading other of its component or other payload.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_value_name= \"DisableNotificationCenter\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_notification_center_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable this windows features.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html"], "tags": {"name": "Windows Disable Notification Center", "analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "The Windows notification center was disabled on $dest$ by $user$.", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/disable_notif_center/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_disable_notification_center_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_disable_notification_center.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Disable Shutdown Button Through Registry", "id": "55fb2958-9ecd-11ec-a06a-acde48001122", "version": 3, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to detect a suspicious registry modification to disable shutdown button on the logon user. This technique was seen in several malware especially in ransomware family like killdisk malware variant to make the compromised host un-useful and hard to remove other registry modification made on the machine that needs restart to take effect. This windows feature may implement by administrator in some server where shutdown is critical. In that scenario filter of machine and users that can modify this registry is needed.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\shutdownwithoutlogon\" Registry.registry_value_data = \"0x00000000\") OR (Registry.registry_path=\"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoClose\" Registry.registry_value_data = \"0x00000001\")) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_shutdown_button_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "This windows feature may implement by administrator in some server where shutdown is critical. In that scenario filter of machine and users that can modify this registry is needed.", "references": ["https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.msil.screenlocker.a/"], "tags": {"name": "Windows Disable Shutdown Button Through Registry", "analytic_story": ["Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Registry modification in \"shutdownwithoutlogon\" on $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_disable_shutdown_button_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_disable_shutdown_button_through_registry.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Disable Windows Event Logging Disable HTTP Logging", "id": "23fb6787-255f-4d5b-9a66-9fd7504032b5", "version": 1, "date": "2022-12-21", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies AppCmd.exe being utilized to disable HTTP logging on IIS. Adversaries may perform this action to disable logging and delete the logs so remove any trace or events on disk.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where NOT (Processes.parent_process_name IN (\"msiexec.exe\", \"iissetup.exe\")) Processes.process_name=appcmd.exe Processes.process IN (\"*set config*\", \"*httplogging*\",\"*dontlog:true*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_windows_event_logging_disable_http_logging_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present only if scripts or Administrators are disabling logging. Filter as needed by parent process or other.", "references": ["https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union", "https://strontic.github.io/xcyclopedia/library/appcmd.exe-055B2B09409F980BF9B5A3969D01E5B2.html"], "tags": {"name": "Windows Disable Windows Event Logging Disable HTTP Logging", "analytic_story": ["IIS Components", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to disable IIS HTTP Logging.", "mitre_attack_id": ["T1562.002", "T1562", "T1505", "T1505.004"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.002", "mitre_attack_technique": "Disable Windows Event Logging", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound", "Threat Group-3390"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/disable_http_logging_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_disable_windows_event_logging_disable_http_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "id": "63a449ae-9f04-11ec-945e-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to detect a suspicious registry modification to disable windows features. These techniques are seen in several ransomware malware to impair the compromised host to make it hard for analyst to mitigate or response from the attack. Disabling these known features make the analysis and forensic response more hard. Disabling these feature is not so common but can still be implemented by the administrator for security purposes. In this scenario filters for users that are allowed doing this is needed.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\*\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\*\" Registry.registry_value_name IN (\"NoDesktop\", \"NoFind\", \"NoControlPanel\", \"NoFileMenu\", \"NoSetTaskbar\", \"NoTrayContextMenu\", \"TaskbarLockAll\", \"NoThemesTab\",\"NoPropertiesMyDocuments\",\"NoVisualStyleChoice\",\"NoColorChoice\",\"NoPropertiesMyDocuments\") Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_windows_group_policy_features_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "Disabling these features for legitimate purposes is not a common use case but can still be implemented by the administrators. Filter as needed.", "references": ["https://hybrid-analysis.com/sample/ef1c427394c205580576d18ba68d5911089c7da0386f19d1ca126929d3e671ab?environmentId=120&lang=en", "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis", "https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details"], "tags": {"name": "Windows Disable Windows Group Policy Features Through Registry", "analytic_story": ["Ransomware", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Registry modification to disable windows features on $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_disable_windows_group_policy_features_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows DisableAntiSpyware Registry", "id": "23150a40-9301-4195-b802-5bb4f43067fb", "version": 2, "date": "2023-04-25", "author": "Rod Soto, Jose Hernandez, Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The search looks for the Registry Key DisableAntiSpyware set to disable. This is consistent with Ryuk infections across a fleet of endpoints. This particular behavior is typically executed when an ransomware actor gains access to an endpoint and beings to perform execution. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_value_name=\"DisableAntiSpyware\" AND Registry.registry_value_data=\"0x00000001\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_disableantispyware_registry_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "references": ["https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/"], "tags": {"name": "Windows DisableAntiSpyware Registry", "analytic_story": ["Azorult", "Windows Registry Abuse", "CISA AA22-264A", "RedLine Stealer", "Windows Defense Evasion Tactics", "Ryuk Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Windows DisableAntiSpyware registry key set to 'disabled' on $dest$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_value_name", "Registry.dest", "Registry.user", "Registry.registry_path"], "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_disableantispyware_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_disableantispyware_registry.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows DiskCryptor Usage", "id": "d56fe0c8-4650-11ec-a8fa-acde48001122", "version": 1, "date": "2021-11-15", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies DiskCryptor process name of dcrypt.exe or internal name dcinst.exe. This utility has been utilized by adversaries to encrypt disks manually during an operation. In addition, during install, a dcrypt.sys driver is installed and requires a reboot in order to take effect. There are no command-line arguments used.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"dcrypt.exe\" OR Processes.original_file_name=dcinst.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_diskcryptor_usage_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "It is possible false positives may be present based on the internal name dcinst.exe, filter as needed. It may be worthy to alert on the service name.", "references": ["https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/", "https://github.com/DavidXanatos/DiskCryptor"], "tags": {"name": "Windows DiskCryptor Usage", "analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to encrypt disks.", "mitre_attack_id": ["T1486"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/dcrypt/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_diskcryptor_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_diskcryptor_usage.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Diskshadow Proxy Execution", "id": "58adae9e-8ea3-11ec-90f6-acde48001122", "version": 1, "date": "2022-02-15", "author": "Lou Stella, Splunk", "type": "TTP", "status": "production", "description": "DiskShadow.exe is a Microsoft Signed binary present on Windows Server. It has a scripting mode intended for complex scripted backup operations. This feature also allows for execution of arbitrary unsigned code. This analytic looks for the usage of the scripting mode flags in executions of DiskShadow. During triage, compare to known backup behavior in your environment and then review the scripts called by diskshadow.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_diskshadow` (Processes.process=*-s* OR Processes.process=*/s*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_diskshadow_proxy_execution_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on processes that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition,confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators using the DiskShadow tool in their infrastructure as a main backup tool with scripts will cause false positives that can be filtered with `windows_diskshadow_proxy_execution_filter`", "references": ["https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/"], "tags": {"name": "Windows Diskshadow Proxy Execution", "analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Possible Signed Binary Proxy Execution on $dest$", "mitre_attack_id": ["T1218"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Porcesses.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process_id", "Processes.parent_process_id", "Processes.original_file_name"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/diskshadow/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_diskshadow", "definition": "(Processes.process_name=diskshadow.exe OR Processes.original_file_name=diskshadow.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "windows_diskshadow_proxy_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_diskshadow_proxy_execution.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows DISM Remove Defender", "id": "8567da9e-47f0-11ec-99a9-acde48001122", "version": 1, "date": "2021-11-17", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of the Windows Disk Image Utility, `dism.exe`, to remove Windows Defender. Adversaries may use `dism.exe` to disable Defender before completing their objective.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=dism.exe (Processes.process=\"*/online*\" AND Processes.process=\"*/disable-feature*\" AND Processes.process=\"*Windows-Defender*\" AND Processes.process=\"*/remove*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dism_remove_defender_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Some legitimate administrative tools leverage `dism.exe` to manipulate packages and features of the operating system. Filter as needed.", "references": ["https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/"], "tags": {"name": "Windows DISM Remove Defender", "analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to disable Windows Defender.", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "access", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/atomic_red_team/windows-sysmon_dism.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_dism_remove_defender_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_dism_remove_defender.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows DLL Search Order Hijacking Hunt", "id": "79c7d0fc-60c7-41be-a616-ccda752efe89", "version": 2, "date": "2022-12-31", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following hunting analytic is an experimental query built against a accidental feature using the latest Sysmon TA 3.0 (https://splunkbase.splunk.com/app/5709/) which maps the module load (ImageLoaded) to process_name. This analytic will deprecate once this is fixed. This hunting analytic identifies known libraries in Windows that may be used in a DLL search order hijack or DLL Sideloading setting. This may require recompiling the DLL, moving the DLL or moving the vulnerable process. The query looks for any running out of system32 or syswow64. Some libraries natively run out of other application paths and will need to be added to the exclusion as needed. The lookup is comprised of Microsoft native libraries identified within the Hijacklibs.net project.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name from datamodel=Endpoint.Processes where Processes.dest!=unknown Processes.user!=unknown NOT (Processes.process_path IN (\"*\\\\system32\\\\*\", \"*\\\\syswow64\\\\*\",\"*\\\\winsxs\\\\*\",\"*\\\\wbem\\\\*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process_path | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup hijacklibs library AS process_name OUTPUT islibrary | search islibrary = True | rename parent_process_name as \"Process Name\" process_name AS ImageLoaded process_path AS Module_Path | `windows_dll_search_order_hijacking_hunt_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. This may only with with Sysmon data and the Sysmon TA. Your mileage may vary.", "known_false_positives": "False positives will be present based on paths. Filter or add other paths to the exclusion as needed.", "references": ["https://hijacklibs.net"], "tags": {"name": "Windows DLL Search Order Hijacking Hunt", "analytic_story": ["Living Off The Land", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 10, "impact": 10, "kill_chain_phases": ["Exploitation", "Installation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to perform DLL search order hijacking.", "mitre_attack_id": ["T1574.001", "T1574"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process_path"], "risk_score": 1, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.001", "mitre_attack_technique": "DLL Search Order Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Aquatic Panda", "BackdoorDiplomacy", "Evilnum", "RTM", "Threat Group-3390", "Tonto Team", "Whitefly", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_dll_search_order_hijacking_hunt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "hijacklibs", "description": "A list of potentially abused libraries in Windows", "filename": "hijacklibs.csv", "default_match": "false", "match_type": "WILDCARD(library)", "min_matches": 1, "case_sensitive_match": "false"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_dll_search_order_hijacking_hunt.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows DLL Search Order Hijacking Hunt with Sysmon", "id": "79c7d1fc-64c7-91be-a616-ccda752efe81", "version": 2, "date": "2022-12-31", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following hunting analytic is an experimental query built against a accidental feature using the latest Sysmon TA 3.0 (https://splunkbase.splunk.com/app/5709/) which maps the module load (ImageLoaded) to process_name. This analytic will deprecate once this is fixed. This hunting analytic identifies known libraries in Windows that may be used in a DLL search order hijack or DLL Sideloading setting. This may require recompiling the DLL, moving the DLL or moving the vulnerable process. The query looks for any running out of system32 or syswow64. Some libraries natively run out of other application paths and will need to be added to the exclusion as needed. The lookup is comprised of Microsoft native libraries identified within the Hijacklibs.net project.", "data_source": ["Sysmon Event ID 7"], "search": "`sysmon` EventCode=7 NOT (process_path IN (\"*\\\\system32\\\\*\", \"*\\\\syswow64\\\\*\",\"*\\\\winsxs\\\\*\",\"*\\\\wbem\\\\*\")) | lookup hijacklibs library AS process_name OUTPUT islibrary | search islibrary = True | rename Computer as dest process_name AS ImageLoaded process_path AS Module_Path | stats values(parent_process_name) count by _time dest ImageLoaded Module_Path | `windows_dll_search_order_hijacking_hunt_with_sysmon_filter`", "how_to_implement": "The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products.", "known_false_positives": "False positives will be present based on paths. Filter or add other paths to the exclusion as needed.", "references": ["https://hijacklibs.net"], "tags": {"name": "Windows DLL Search Order Hijacking Hunt with Sysmon", "analytic_story": ["Living Off The Land", "Windows Defense Evasion Tactics", "Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 10, "impact": 10, "kill_chain_phases": ["Exploitation", "Installation"], "message": "An instance of $parent_process_name$ loading $process_name$ was identified on endpoint $dest$.", "mitre_attack_id": ["T1574.001", "T1574"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "ImageLoaded", "Module_Path"], "risk_score": 1, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.001", "mitre_attack_technique": "DLL Search Order Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Aquatic Panda", "BackdoorDiplomacy", "Evilnum", "RTM", "Threat Group-3390", "Tonto Team", "Whitefly", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_dll_search_order_hijacking_hunt_with_sysmon_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "hijacklibs", "description": "A list of potentially abused libraries in Windows", "filename": "hijacklibs.csv", "default_match": "false", "match_type": "WILDCARD(library)", "min_matches": 1, "case_sensitive_match": "false"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml", "source": "endpoint"}, {"name": "Windows DLL Search Order Hijacking with iscsicpl", "id": "f39ee679-3b1e-4f47-841c-5c3c580acda2", "version": 1, "date": "2022-07-29", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a recently disclosed search ordler DLL hijack in iscsicpl.exe. The malicious DLL must be in a new path and iscsicpl.exe, upon load, will execute the payload. The analytic is restricted to Windows shells. Two proof of concepts were identified and utilized to determine the behavior. The command-line is an option to go after, but most likely identifying a child process off iscsicpl.exe will be more effective. Monitoring for suspicious DLL loads is also an option.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=iscsicpl.exe `windows_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_dll_search_order_hijacking_with_iscsicpl_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present, filtering may be required. Remove the Windows Shells macro to determine if other utilities are using iscsicpl.exe.", "references": ["https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC", "https://github.com/422926799/csplugin/tree/master/bypassUAC"], "tags": {"name": "Windows DLL Search Order Hijacking with iscsicpl", "analytic_story": ["Windows Defense Evasion Tactics", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to elevate access.", "mitre_attack_id": ["T1574.001"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.001", "mitre_attack_technique": "DLL Search Order Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Aquatic Panda", "BackdoorDiplomacy", "Evilnum", "RTM", "Threat Group-3390", "Tonto Team", "Whitefly", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.001/iscsicpl/iscsicpl-windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "windows_shells", "definition": "(Processes.process_name=cmd.exe OR Processes.process_name=powershell.exe OR Processes.process_name=pwsh.exe OR Processes.process_name=sh.exe OR Processes.process_name=bash.exe OR Processes.process_name=wscript.exe OR Processes.process_name=cscript.exe)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_dll_search_order_hijacking_with_iscsicpl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows DLL Side-Loading In Calc", "id": "af01f6db-26ac-440e-8d89-2793e303f137", "version": 1, "date": "2022-10-24", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies suspicious DLL modules loaded by calc.exe that are not in windows %systemroot%\\system32 or %systemroot%\\sysWoW64 folder. This technique is well used by Qakbot malware to execute its malicious DLL file via dll side loading technique in calc process execution. This TTP detection is a good indicator that a suspicious dll was loaded in a public or non-common installation folder of Windows Operating System that needs further investigation.", "data_source": ["Sysmon Event ID 7"], "search": "`sysmon` EventCode=7 Image = \"*\\calc.exe\" AND NOT (Image IN (\"*:\\\\windows\\\\system32\\\\*\", \"*:\\\\windows\\\\sysWow64\\\\*\")) AND NOT(ImageLoaded IN(\"*:\\\\windows\\\\system32\\\\*\", \"*:\\\\windows\\\\sysWow64\\\\*\", \"*:\\\\windows\\\\WinSXS\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded OriginalFileName Product process_name Computer EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dll_side_loading_in_calc_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on processes that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "references": ["https://www.bitdefender.com/blog/hotforsecurity/new-qakbot-malware-strain-replaces-windows-calculator-dll-to-infected-pcs/"], "tags": {"name": "Windows DLL Side-Loading In Calc", "analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "message": "a dll modules is loaded by calc.exe in $ImageLoaded$ that are not in common windows OS installation folder in $Computer$", "mitre_attack_id": ["T1574.002", "T1574"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "ImageLoaded", "OriginalFileName", "Product", "process_name", "Computer", "EventCode", "Signed", "ProcessId"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Earth Lusca", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot2/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_dll_side_loading_in_calc_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_dll_side_loading_in_calc.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Windows DLL Side-Loading Process Child Of Calc", "id": "295ca9ed-e97b-4520-90f7-dfb6469902e1", "version": 1, "date": "2022-10-20", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies the suspicious child process of calc.exe due to dll side loading technique to execute another executable. This technique was seen in qakbot malware that uses dll side loading technique to calc applications to load its malicious dll code. The malicious dll that abuses dll side loading technique will load the actual qakbot loader dll using regsvr32.exe application. This TTP is a good indicator of qakbot since the calc.exe will not load other child processes aside from win32calc.exe.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = \"calc.exe\") AND Processes.process_name != \"win32calc.exe\" by Processes.parent_process Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dll_side_loading_process_child_of_calc_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot"], "tags": {"name": "Windows DLL Side-Loading Process Child Of Calc", "analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "message": "calc.exe has a child process $process_name$ in $dest$", "mitre_attack_id": ["T1574.002", "T1574"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Earth Lusca", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_dll_side_loading_process_child_of_calc_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows DNS Gather Network Info", "id": "347e0892-e8f3-4512-afda-dc0e3fa996f3", "version": 1, "date": "2023-04-05", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a process command line used to enumerate DNS records. Adversaries, threat actors, or red teamers may employ this technique to gather information about a victim's DNS, which can be utilized during targeting. This method was also observed as part of a tool used by the Sandworm APT group in a geopolitical cyber warfare attack. By using the dnscmd.exe Windows application, an attacker can enumerate DNS records for specific domains within the targeted network, potentially aiding in further attacks. This anomaly detection can serve as a valuable starting point for identifying users and hostnames that may be compromised or targeted by adversaries seeking to collect data information.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"dnscmd.exe\" Processes.process = \"* /enumrecords *\" by Processes.parent_process Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dns_gather_network_info_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "network administrator can execute this command to enumerate DNS record. Filter or add other paths to the exclusion as needed.", "references": ["https://cert.gov.ua/article/3718487", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"], "tags": {"name": "Windows DNS Gather Network Info", "analytic_story": ["Sandworm Tools", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Reconnaissance"], "message": "A process commandline $process$ to enumerate dns record in $dest$", "mitre_attack_id": ["T1590.002"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1590.002", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1590.002/enum_dns_record/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_dns_gather_network_info_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_dns_gather_network_info.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows DnsAdmins New Member Added", "id": "27e600aa-77f8-4614-bc80-2662a67e2f48", "version": 1, "date": "2023-04-06", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic leverages Event ID 4732 to identify the addition of a new member to the DnsAdmins group within Active Directory. . Members of the DnsAdmin group can manage the DNS service which most of the times runs on the Domain Controller. By abusing legitimate DNS management functionality, a member of the DnsAdmins group can escalate privileges by executing malicious code on a Domain Controller as SYSTEM. Security teams should monitor the modification of the DnsAdmins group and validate the changes are legitimate.", "data_source": ["Windows_Security_4732.yml"], "search": " `wineventlog_security` EventCode=4732 TargetUserName=DnsAdmins | stats min(_time) as firstTime max(_time) as lastTime values(SubjectUserName) values(Computer) by MemberSid, TargetUserName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dnsadmins_new_member_added_filter`", "how_to_implement": "To successfully implement this search, Domain Controller events need to be ingested. The Advanced Security Audit policy setting `Audit Security Group Management` within `Account Management` needs to be enabled.", "known_false_positives": "New members can be added to the DnsAdmins group as part of legitimate administrative tasks. Filter as needed.", "references": ["https://attack.mitre.org/techniques/T1098/", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-dnsadmins-to-system-to-domain-compromise", "https://www.hackingarticles.in/windows-privilege-escalation-dnsadmins-to-domainadmin/", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732"], "tags": {"name": "Windows DnsAdmins New Member Added", "analytic_story": ["Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Installation"], "message": "A new member was added to the DnsAdmins group by $SubjectUserName$", "mitre_attack_id": ["T1098"], "nist": ["DE.CM"], "observable": [{"name": "SubjectUserName", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "TargetUserName", "SubjectUserName", "Computer", "MemberSid", "TargetUserName"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/dnsadmins_member_added/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_dnsadmins_new_member_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_dnsadmins_new_member_added.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows DotNet Binary in Non Standard Path", "id": "fddf3b56-7933-11ec-98a6-acde48001122", "version": 1, "date": "2023-04-14", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies native .net binaries within the Windows operating system that may be abused by adversaries by moving it to a new directory. The analytic identifies the .net binary by using a lookup and compares the process name and original file name (internal name). The analytic utilizes a lookup with the is_net_windows_file macro to identify the binary process name and original file name. if one or the other matches an alert will be generated. Adversaries abuse these binaries as they are native to windows and native DotNet. Note that not all SDK (post install of Windows) are captured in the lookup.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where NOT (Processes.process_path IN (\"*\\\\Windows\\\\ADWS\\\\*\",\"*\\\\Windows\\\\SysWOW64*\", \"*\\\\Windows\\\\system32*\", \"*\\\\Windows\\\\NetworkController\\\\*\", \"*\\\\Windows\\\\SystemApps\\\\*\", \"*\\\\WinSxS\\\\*\", \"*\\\\Windows\\\\Microsoft.NET\\\\*\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_path Processes.process_id Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `is_net_windows_file` | `windows_dotnet_binary_in_non_standard_path_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present and filtering may be required. Certain utilities will run from non-standard paths based on the third-party application in use.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml", "https://attack.mitre.org/techniques/T1036/003/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"], "tags": {"name": "Windows DotNet Binary in Non Standard Path", "analytic_story": ["Masquerading - Rename System Utilities", "Ransomware", "Unusual Processes", "Signed Binary Proxy Execution InstallUtil", "Data Destruction", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ from a non-standard path was identified on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1036", "T1036.003", "T1218", "T1218.004"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon_installutil_path.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "is_net_windows_file", "definition": "lookup update=true is_net_windows_file filename as process_name OUTPUT netFile | lookup update=true is_net_windows_file originalFileName as original_file_name OUTPUT netFile | search netFile=true", "description": "This macro limits the output to process names that are .net binaries on Windows Server 2016 and Windows 11."}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_dotnet_binary_in_non_standard_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Driver Inventory", "id": "f87aa96b-369b-4a3e-9021-1bbacbfcb8fb", "version": 1, "date": "2023-02-03", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "experimental", "description": "The following hunting / inventory query assists defenders in identifying Drivers being loaded across the fleet. This query relies upon a PowerShell script input to be deployed to critical systems and beyond. If capturing all via the input, this will provide retrospection into drivers persisting. Note, that this is not perfect across a large fleet. Modify the query as you need to view the data differently.", "data_source": [], "search": "`driverinventory` | stats values(Path) min(_time) as firstTime max(_time) as lastTime count by host DriverType | rename host as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_driver_inventory_filter`", "how_to_implement": "To capture the drivers by host, utilize the referenced Gist to create the inputs, props and transforms. Otherwise, this hunt query will not work.", "known_false_positives": "Filter and modify the analytic as you'd like. Filter based on path. Remove the system32\\drivers and look for non-standard paths.", "references": ["https://gist.github.com/MHaggis/3e4dc85c69b3f7a4595a06c8a692f244"], "tags": {"name": "Windows Driver Inventory", "analytic_story": ["Windows Drivers"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 10, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Drivers have been identified on $dest$.", "mitre_attack_id": ["T1068"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Path", "host", "DriverType"], "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/driver_inventory.log", "source": "PwSh:DriverInventory", "sourcetype": "PwSh:DriverInventory", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "driverinventory", "definition": "sourcetype=PwSh:DriverInventory", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_driver_inventory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_driver_inventory.yml", "source": "endpoint"}, {"name": "Windows Driver Load Non-Standard Path", "id": "9216ef3d-066a-4958-8f27-c84589465e62", "version": 2, "date": "2023-02-24", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic uses Windows EventCode 7045 to identify new Kernel Mode Drivers being loaded in Windows from a non-standard path. Note that, adversaries may move malicious or vulnerable drivers into these paths and load up. The idea is that this analytic provides visibility into drivers loading in non-standard file paths.", "data_source": ["Sysmon Event ID 7"], "search": "`wineventlog_system` EventCode=7045 ServiceType=\"kernel mode driver\" NOT (ImagePath IN (\"*\\\\Windows\\\\*\", \"*\\\\Program File*\", \"*\\\\systemroot\\\\*\",\"%SystemRoot%*\", \"system32\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_driver_load_non_standard_path_filter`", "how_to_implement": "To implement this analytic, the Windows EventCode 7045 will need to be logged. The Windows TA for Splunk is also recommended.", "known_false_positives": "False positives may be present based on legitimate third party applications needing to install drivers. Filter, or allow list known good drivers consistently being installed in these paths.", "references": ["https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/", "https://attack.mitre.org/techniques/T1014/", "https://www.fuzzysecurity.com/tutorials/28.html"], "tags": {"name": "Windows Driver Load Non-Standard Path", "analytic_story": ["Windows Drivers", "CISA AA22-320A", "AgentTesla"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "A kernel mode driver was loaded from a non-standard path on $ComputerName$.", "mitre_attack_id": ["T1014", "T1068"], "nist": ["DE.CM"], "observable": [{"name": "ComputerName", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Computer", "EventCode", "ImagePath", "ServiceName", "ServiceType"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1014", "mitre_attack_technique": "Rootkit", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT41", "Rocke", "TeamTNT", "Winnti Group"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/xml7045_windows-system.log", "source": "XmlWinEventLog:System", "sourcetype": "XmlWinEventLog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_driver_load_non_standard_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_driver_load_non_standard_path.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Windows Drivers Loaded by Signature", "id": "d2d4af6a-6c2b-4d79-80c5-fc2cf12a2f68", "version": 1, "date": "2022-03-30", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic assists with viewing all drivers being loaded by using Sysmon EventCode 6 (Driver Load). Sysmon provides some simple fields to assist with identifying suspicious drivers. Use this analytic to look at prevalence of driver (count), path of driver, signature status and hash. Review these fields with scrutiny until the ability to prove the driver is legitimate and has a purpose in the environment.", "data_source": ["Sysmon Event ID 6"], "search": "`sysmon` EventCode=6 | stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) count by Computer Signed Signature service_signature_verified service_signature_exists Hashes | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_drivers_loaded_by_signature_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have the latest version of the Sysmon TA. Most EDR products provide the ability to review driver loads, or module loads, and using a query as such help with hunting for malicious drivers.", "known_false_positives": "This analytic is meant to assist with identifying drivers loaded in the environment and not to be setup for notables off the bat.", "references": ["https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/", "https://attack.mitre.org/techniques/T1014/", "https://www.fuzzysecurity.com/tutorials/28.html"], "tags": {"name": "Windows Drivers Loaded by Signature", "analytic_story": ["Windows Drivers", "CISA AA22-320A", "AgentTesla"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "A driver has loaded on $Computer$.", "mitre_attack_id": ["T1014", "T1068"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ImageLoaded", "Computer", "Signed", "Signature", "service_signature_verified", "service_signature_exists", "Hashes"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1014", "mitre_attack_technique": "Rootkit", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT41", "Rocke", "TeamTNT", "Winnti Group"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1014/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_drivers_loaded_by_signature_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_drivers_loaded_by_signature.yml", "source": "endpoint"}, {"name": "Windows Enable Win32 ScheduledJob via Registry", "id": "12c80db8-ef62-4456-92df-b23e1b3219f6", "version": 1, "date": "2023-03-27", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic searches for a registry modification that enables the use of the at.exe or wmi Win32_ScheduledJob command to add scheduled tasks on a Windows endpoint. Specifically, it looks for the creation of a new DWORD value named \"EnableAt\" in the following registry path: \"HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\". If this value is set to 1, it enables the at.exe and wmi Win32_ScheduledJob commands to schedule tasks on the system. Detecting this registry modification is important because it may indicate that an attacker has enabled the ability to add scheduled tasks to the system, which can be used to execute malicious code at specific times or intervals.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\CurrentVersion\\\\Schedule\\\\Configuration*\" Registry.registry_value_name=EnableAt by Registry.dest, Registry.user, Registry.registry_value_name, Registry.registry_value_type | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_enable_win32_scheduledjob_via_registry_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "In some cases, an automated script or system may enable this setting continuously, leading to false positives. To avoid such situations, it is recommended to monitor the frequency and context of the registry modification and modify or filter the detection rules as needed. This can help to reduce the number of false positives and ensure that only genuine threats are identified. Additionally, it is important to investigate any detected instances of this modification and analyze them in the broader context of the system and network to determine if further action is necessary.", "references": ["https://securityonline.info/wmiexec-regout-get-outputdata-response-from-registry/", "https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob"], "tags": {"name": "Windows Enable Win32 ScheduledJob via Registry", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A process has modified the schedule task registry value - EnableAt - on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1053.005"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_path", "Registry.dest", "Registry.user", "Registry.registry_value_name", "Registry.registry_value_type"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/enableat_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_enable_win32_scheduledjob_via_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Event For Service Disabled", "id": "9c2620a8-94a1-11ec-b40c-acde48001122", "version": 2, "date": "2023-04-25", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "This analytic will identify suspicious system event of services that was modified from start to disabled. This technique is seen where the adversary attempts to disable security app services, other malware services to evade the defense systems on the compromised host", "data_source": ["Sysmon Event ID 7"], "search": "`wineventlog_system` EventCode=7040 Message = \"*service was changed from demand start to disabled.\" | stats count min(_time) as firstTime max(_time) as lastTime by ComputerName EventCode Message User Sid service service_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_event_for_service_disabled_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.", "known_false_positives": "Windows service update may cause this event. In that scenario, filtering is needed.", "references": ["https://blog.talosintelligence.com/2018/02/olympic-destroyer.html"], "tags": {"name": "Windows Event For Service Disabled", "analytic_story": ["Windows Defense Evasion Tactics", "RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "Service was disabled on $Computer$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.AE"], "observable": [{"name": "ComputerName", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ComputerName", "EventCode", "Message", "User", "Sid"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/olympic_destroyer/system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_event_for_service_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_event_for_service_disabled.yml", "source": "endpoint"}, {"name": "Windows Event Log Cleared", "id": "ad517544-aff9-4c96-bd99-d6eb43bfbb6a", "version": 6, "date": "2020-07-06", "author": "Rico Valdez, Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes Windows Security Event ID 1102 or System log event 104 to identify when a Windows event log is cleared. Note that this analytic will require tuning or restricted to specific endpoints based on criticality. During triage, based on time of day and user, determine if this was planned. If not planned, follow through with reviewing parallel alerts and other data sources to determine what else may have occurred.", "data_source": ["Sysmon Event ID 1"], "search": "(`wineventlog_security` EventCode=1102) OR (`wineventlog_system` EventCode=104) | stats count min(_time) as firstTime max(_time) as lastTime by dest Message EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_event_log_cleared_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows event logs from your hosts. In addition, the Splunk Windows TA is needed.", "known_false_positives": "It is possible that these logs may be legitimately cleared by Administrators. Filter as needed.", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1102", "https://www.ired.team/offensive-security/defense-evasion/disabling-windows-event-logs-by-suspending-eventlog-service-threads", "https://attack.mitre.org/techniques/T1070/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"], "tags": {"name": "Windows Event Log Cleared", "analytic_story": ["Windows Log Manipulation", "Ransomware", "Clop Ransomware", "CISA AA22-264A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Windows event logs cleared on $dest$ via EventCode $EventCode$", "mitre_attack_id": ["T1070", "T1070.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "dest"], "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.001/atomic_red_team/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.001/atomic_red_team/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_event_log_cleared_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_event_log_cleared.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Event Triggered Image File Execution Options Injection", "id": "f7abfab9-12ea-44e8-8745-475f9ca6e0a4", "version": 1, "date": "2022-09-08", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following hunting analytic identifies EventCode 3000 in Application channel indicating a process exit. This behavior is based on process names being added to the Image File Execution Options under HKLM \\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\ and \\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit. Once these are set for a process, an eventcode 3000 will generate. The example used is from Thinkst Canary where a CanaryToken is setup to monitor for a commonly abused living off the land binary (ex. Klist.exe) and generate an event when it occurs. This can be seen as settings traps to monitor for suspicious behavior. Monitor and tune this hunting analytic and setup traps across your organization and begin monitoring.", "data_source": ["Sysmon Event ID 3"], "search": "`wineventlog_application` EventCode=3000 | rename param1 AS \"Process\" param2 AS \"Exit_Code\" | stats count min(_time) as firstTime max(_time) as lastTime by Process Exit_Code dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_event_triggered_image_file_execution_options_injection_filter`", "how_to_implement": "This analytic requires capturing the Windows Event Log Application channel in XML.", "known_false_positives": "False positives may be present and tuning will be required before turning into a TTP or notable.", "references": ["https://blog.thinkst.com/2022/09/sensitive-command-token-so-much-offense.html", "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/registry-entries-for-silent-process-exit"], "tags": {"name": "Windows Event Triggered Image File Execution Options Injection", "analytic_story": ["Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "message": "Windows eventcode 3000 triggered on $dest$ potentially indicating persistence or a monitoring of a process has occurred.", "mitre_attack_id": ["T1546.012"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Process", "Exit_Code", "dest", "EventCode"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["TEMP.Veles"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.012/atomic_red_team/windows-application.log", "source": "XmlWinEventLog:Application", "sourcetype": "XmlWinEventLog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_application", "definition": "eventtype=wineventlog_application OR source=\"XmlWinEventLog:Application\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_event_triggered_image_file_execution_options_injection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_event_triggered_image_file_execution_options_injection.yml", "source": "endpoint"}, {"name": "Windows Excessive Disabled Services Event", "id": "c3f85976-94a5-11ec-9a58-acde48001122", "version": 1, "date": "2022-02-23", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic will identify suspicious excessive number of system events of services that was modified from start to disabled. This technique is seen where the adversary attempts to disable security app services, other malware services oer serve as an destructive impact to complete the objective on the compromised system. One good example for this scenario is Olympic destroyer where it disable all active services in the compromised host as part of its destructive impact and defense evasion.", "data_source": ["Sysmon Event ID 7"], "search": "`wineventlog_system` EventCode=7040 Message = \"*service was changed from demand start to disabled.\" | stats count values(Message) as MessageList dc(Message) as MessageCount min(_time) as firstTime max(_time) as lastTime by ComputerName EventCode User Sid | where MessageCount >=10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_excessive_disabled_services_event_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.", "known_false_positives": "Unknown", "references": ["https://blog.talosintelligence.com/2018/02/olympic-destroyer.html"], "tags": {"name": "Windows Excessive Disabled Services Event", "analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "Service was disabled in $Computer$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "ComputerName", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ComputerName", "EventCode", "Message", "User", "Sid"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/olympic_destroyer/system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_excessive_disabled_services_event_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_excessive_disabled_services_event.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Windows Execute Arbitrary Commands with MSDT", "id": "e1d5145f-38fe-42b9-a5d5-457796715f97", "version": 3, "date": "2022-06-29", "author": "Michael Haag, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a recently disclosed arbitraty command execution using Windows msdt.exe - a Diagnostics Troubleshooting Wizard. The sample identified will use the ms-msdt:/ protocol handler to load msdt.exe to retrieve a remote payload. During triage, review file modifications for html. Identify parallel process execution that may be related, including an Office Product.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=msdt.exe Processes.process IN (\"*msdt*\",\"*ms-msdt:*\",\"*ms-msdt:/id*\",\"*ms-msdt:-id*\",\"*/id*\") AND (Processes.process=\"*IT_BrowseForFile=*\" OR Processes.process=\"*IT_RebrowseForFile=*\" OR Processes.process=\"*.xml*\") AND Processes.process=\"*PCWDiagnostic*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_execute_arbitrary_commands_with_msdt_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present, filter as needed. Added .xml to potentially capture any answer file usage. Remove as needed.", "references": ["https://isc.sans.edu/diary/rss/28694", "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", "https://twitter.com/nao_sec/status/1530196847679401984?s=20&t=ZiXYI4dQuA-0_dzQzSUb3A", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection", "https://strontic.github.io/xcyclopedia/library/msdt.exe-152D4C9F63EFB332CCB134C6953C0104.html"], "tags": {"name": "Windows Execute Arbitrary Commands with MSDT", "analytic_story": ["Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "A parent process $parent_process_name$ has spawned a child process $process_name$ on host $dest$ possibly indicative of indirect command execution.", "mitre_attack_id": ["T1218"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "cve": ["CVE-2022-30190"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/msdt.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_execute_arbitrary_commands_with_msdt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-30190", "cvss": 9.3, "summary": "Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Exfiltration Over C2 Via Invoke RestMethod", "id": "06ade821-f6fa-40d0-80af-15bc1d45b3ba", "version": 1, "date": "2023-04-05", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the potential exfiltration of data using PowerShell's Invoke-RestMethod. This technique was observed in the Winter-Vivern malware, which uploads desktop screenshots and files from compromised or targeted hosts. Detecting this TTP can serve as a valuable indicator that a process is attempting to upload files to an external or internal URI link. We recommend examining the process, the files it is trying to upload, and the URL link or C2 destination where the data is being uploaded.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Invoke-RestMethod *\" AND ScriptBlockText = \"* -Uri *\" AND ScriptBlockText = \"* -Method *\" AND ScriptBlockText = \"* Post *\" AND ScriptBlockText = \"* -InFile *\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_exfiltration_over_c2_via_invoke_restmethod_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited. Filter as needed.", "references": ["https://twitter.com/_CERT_UA/status/1620781684257091584", "https://cert.gov.ua/article/3761104"], "tags": {"name": "Windows Exfiltration Over C2 Via Invoke RestMethod", "analytic_story": ["Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "message": "A PowerShell script on $Computer$ is attempting to transfer files to a remote URL.", "mitre_attack_id": ["T1041"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Computer", "UserID", "EventCode"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1041", "mitre_attack_technique": "Exfiltration Over C2 Channel", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Chimera", "Confucius", "GALLIUM", "Gamaredon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "LuminousMoth", "MuddyWater", "Sandworm Team", "Stealth Falcon", "Wizard Spider", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/pwh_exfiltration/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_exfiltration_over_c2_via_invoke_restmethod_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_exfiltration_over_c2_via_invoke_restmethod.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Exfiltration Over C2 Via Powershell UploadString", "id": "59e8bf41-7472-412a-90d3-00f3afa452e9", "version": 1, "date": "2023-04-05", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies potential data exfiltration using the PowerShell net.webclient command. This technique was observed in the Winter-Vivern malware, which uploads desktop screenshots and files from compromised or targeted hosts. Detecting this TTP can serve as a valuable indicator that a process is attempting to upload files to an external or internal URI link. We recommend examining the process, the files it is trying to upload, and the URL link or C2 destination where the data is being uploaded.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Net.webclient*\" AND ScriptBlockText = \"*.UploadString*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_exfiltration_over_c2_via_powershell_uploadstring_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited. Filter as needed.", "references": ["https://twitter.com/_CERT_UA/status/1620781684257091584", "https://cert.gov.ua/article/3761104"], "tags": {"name": "Windows Exfiltration Over C2 Via Powershell UploadString", "analytic_story": ["Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "message": "A PowerShell script on $Computer$ is attempting to transfer files to a remote URL.", "mitre_attack_id": ["T1041"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Computer", "UserID", "EventCode"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1041", "mitre_attack_technique": "Exfiltration Over C2 Channel", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Chimera", "Confucius", "GALLIUM", "Gamaredon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "LuminousMoth", "MuddyWater", "Sandworm Team", "Stealth Falcon", "Wizard Spider", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/pwh_uploadstring/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_exfiltration_over_c2_via_powershell_uploadstring_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_exfiltration_over_c2_via_powershell_uploadstring.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Export Certificate", "id": "d8ddfa9b-b724-4df9-9dbe-f34cc0936714", "version": 2, "date": "2023-02-11", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies when a certificate is exported from the Windows Certificate Store. This analytic utilizes the Certificates Lifecycle log channel event ID 1007. EventID 1007 is focused on the Export of a certificate from the local certificate store. In addition, review the ProcessName field as it will help to determine automation/Admin or adversary extracting the certificate. Depending on the organization, the certificate may be used for authentication to the VPN or private resources.", "data_source": ["Sysmon Event ID 1"], "search": "`certificateservices_lifecycle` EventCode=1007 | xmlkv UserData_Xml | stats count min(_time) as firstTime max(_time) as lastTime by Computer, SubjectName, UserData_Xml | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_export_certificate_filter`", "how_to_implement": "To implement this analytic, you must collect Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational or Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational.", "known_false_positives": "False positives may be generated based on an automated process or service that exports certificates on the regular. Review is required before setting to alert. Monitor for abnormal processes performing an export.", "references": ["https://atomicredteam.io/defense-evasion/T1553.004/#atomic-test-4---install-root-ca-on-windows"], "tags": {"name": "Windows Export Certificate", "analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "An certificate was exported on $dest$ from the Windows Certificate Store.", "mitre_attack_id": ["T1552.004", "T1552", "T1649"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "SubjectName", "UserData_Xml"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1552.004", "mitre_attack_technique": "Private Keys", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/certificateservices-lifecycle.log", "source": "XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational", "sourcetype": "XmlWinEventLog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "certificateservices_lifecycle", "definition": "(source=XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational OR source=XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_export_certificate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_export_certificate.yml", "source": "endpoint"}, {"name": "Windows File Share Discovery With Powerview", "id": "a44c0be1-d7ab-41e4-92fd-aa9af4fe232c", "version": 1, "date": "2023-03-20", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of the Invoke-ShareFinder PowerShell commandlet part of PowerView. This module obtains the list of all active domain computers and lists the active shares on each computer. Network file shares in Active Directory environments may contain sensitive information like backups, scripts, credentials, etc. Adversaries who have obtained a foothold in an AD network may leverage PowerView to identify secrets and leverage them for Privilege Escalation or Lateral Movement.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (ScriptBlockText=Invoke-ShareFinder*) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_file_share_discovery_with_powerview_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.=", "known_false_positives": "Security teams may leverage PowerView proactively to identify and remediate sensitive file shares. Filter as needed.", "references": ["https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1", "https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/", "https://attack.mitre.org/techniques/T1135/"], "tags": {"name": "Windows File Share Discovery With Powerview", "analytic_story": ["Active Directory Privilege Escalation", "Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "Invoke-ShareFinder commandlet was executed on $Computer$", "mitre_attack_id": ["T1135"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ScriptBlockText", "Opcode", "Computer", "UserID"], "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/powerview_sharefinder/windows-powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_file_share_discovery_with_powerview_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_file_share_discovery_with_powerview.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows File Transfer Protocol In Non-Common Process Path", "id": "0f43758f-1fe9-470a-a9e4-780acc4d5407", "version": 1, "date": "2022-09-16", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a possible windows application having a FTP connection in a non common installation path in windows operating system.This network protocol is being used by adversaries, threat actors and malware like AgentTesla as a Command And Control communication to transfer its collected stolen information like the desktop screenshots, browser information and system information of a targeted or compromised host.", "data_source": ["Sysmon Event ID 3"], "search": "`sysmon` EventCode=3 NOT(Image IN(\"*\\\\program files*\", \"*\\\\windows\\\\system32\\\\*\",\"*\\\\windows\\\\SysWOW64\\\\*\")) (DestinationPortName=\"ftp\" OR DestinationPort=21) | stats count min(_time) as firstTime max(_time) as lastTime by Image DestinationPort DestinationPortName DestinationHostname DestinationIp SourcePort SourcePortName Protocol SourceHostname Computer user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_file_transfer_protocol_in_non_common_process_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and sysmon eventcode = 3 connection events from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "third party application may use this network protocol as part of its feature. Filter is needed.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla"], "tags": {"name": "Windows File Transfer Protocol In Non-Common Process Path", "analytic_story": ["AgentTesla"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Command And Control"], "message": "a process $Image$ is having a FTP connection to $DestinationHostname$ in $Computer$", "mitre_attack_id": ["T1071.003", "T1071"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "DestinationPort", "DestinationPortName", "DestinationHostname", "SourceHostname", "SourcePort", "SourcePortName", "Protocol", "DestinationIp", "Computer", "user"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1071.003", "mitre_attack_technique": "Mail Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT28", "APT32", "Kimsuky", "SilverTerrier", "Turla"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Dragonfly", "Magic Hound", "Rocke", "TeamTNT"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/agent_tesla/agent_tesla_ftp/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_file_transfer_protocol_in_non_common_process_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml", "source": "endpoint"}, {"name": "Windows File Without Extension In Critical Folder", "id": "0dbcac64-963c-11ec-bf04-acde48001122", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to look for suspicious file creation in the critical folder like \"System32\\Drivers\" folder without file extension. This artifacts was seen in latest hermeticwiper where it drops its driver component in Driver Directory both the compressed(without file extension) and the actual driver component (with .sys file extension). This TTP is really a good indication that a host might be compromised by this destructive malware that wipes the boot sector of the system.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\System32\\\\drivers\\\\*\", \"*\\\\syswow64\\\\drivers\\\\*\") by _time span=5m Filesystem.dest Filesystem.user Filesystem.file_name Filesystem.file_path Filesystem.process_guid Filesystem.file_create_time | `drop_dm_object_name(Filesystem)` | rex field=\"file_name\" \"\\.(?[^\\.]*$)\" | where isnull(extension) | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by _time span=5m Processes.process_name Processes.dest Processes.process_guid Processes.user | `drop_dm_object_name(Processes)`] | stats count min(_time) as firstTime max(_time) as lastTime by dest process_name process_guid file_name file_path file_create_time user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_file_without_extension_in_critical_folder_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "Unknown at this point", "references": ["https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html"], "tags": {"name": "Windows File Without Extension In Critical Folder", "analytic_story": ["Data Destruction", "Hermetic Wiper"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "message": "Driver file with out file extension drop in $file_path$ in $dest$", "mitre_attack_id": ["T1485"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.file_create_time", "Filesystem.process_id", "Filesystem.file_name", "Filesystem.user", "Filesystem.file_path", "Filesystem.dest", "Processes.process_name", "Processes.dest", "Processes.process_guid", "Processes.user"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/hermetic_wiper/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_file_without_extension_in_critical_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_file_without_extension_in_critical_folder.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Findstr GPP Discovery", "id": "1631ac2d-f2a9-42fa-8a59-d6e210d472f5", "version": 1, "date": "2023-03-16", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of the findstr command employed to search for unsecured credentials Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts. These group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public). While Microsoft released a patch that impedes Administrators to create unsecure credentials, existing Group Policy Preferences files with passwords are not removed from SYSVOL.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=findstr.exe AND Processes.process=*sysvol* AND Processes.process=*cpassword*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_findstr_gpp_discovery_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators may leverage findstr to find passwords in GPO to validate exposure. Filter as needed.", "references": ["https://attack.mitre.org/techniques/T1552/006/", "https://pentestlab.blog/2017/03/20/group-policy-preferences/", "https://adsecurity.org/?p=2288", "https://www.hackingarticles.in/credential-dumping-group-policy-preferences-gpp/", "https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30"], "tags": {"name": "Windows Findstr GPP Discovery", "analytic_story": ["Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Findstr was executed to discover GPP credentials on $dest$", "mitre_attack_id": ["T1552", "T1552.006"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.user", "Processes.dest", "Processes.process_name", "Processes.process", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process_id", "Processes.parent_process_id", "Processes.original_file_name"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1552.006", "mitre_attack_technique": "Group Policy Preferences", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.006/findstr_gpp_discovery/windows-security.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_findstr_gpp_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_findstr_gpp_discovery.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Gather Victim Host Information Camera", "id": "e4df4676-ea41-4397-b160-3ee0140dc332", "version": 1, "date": "2022-07-28", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic detects a powershell script that enumerate camera mounted to the targeted host. This technique was seen in DCRat malware, where it runs a powershell command to look for camera information that will be pass on to its C2 server. This anomaly detection can be a good pivot to check who and why this enumeration is needed and what parent process execute this powershell script command.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText= \"* Win32_PnPEntity *\" ScriptBlockText= \"*SELECT*\" ScriptBlockText= \"*WHERE*\" ScriptBlockText = \"*PNPClass*\" ScriptBlockText IN (\"*Image*\", \"*Camera*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_gather_victim_host_information_camera_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators may execute this powershell command to get hardware information related to camera.", "references": ["https://cert.gov.ua/article/405538", "https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat", "https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor"], "tags": {"name": "Windows Gather Victim Host Information Camera", "analytic_story": ["DarkCrystal RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Reconnaissance"], "message": "powershell script $ScriptBlockText$ to enumerate camera in $Computer$", "mitre_attack_id": ["T1592.001", "T1592"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Computer", "EventCode"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1592.001", "mitre_attack_technique": "Hardware", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_enum_camera/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_gather_victim_host_information_camera_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_gather_victim_host_information_camera.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Gather Victim Identity SAM Info", "id": "a18e85d7-8b98-4399-820c-d46a1ca3516f", "version": 1, "date": "2022-08-24", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies a process that loads the samlib.dll module. This module is being abused by adversaries, threat actors and red teamers to access information of SAM objects or access credentials information in DC. This hunting query can be a good indicator that a process is capable of accessing the SAM object.", "data_source": ["Sysmon Event ID 7"], "search": "`sysmon` EventCode=7 (ImageLoaded = \"*\\\\samlib.dll\" AND OriginalFileName = \"samlib.dll\") OR (ImageLoaded = \"*\\\\samcli.dll\" AND OriginalFileName = \"SAMCLI.DLL\") AND NOT (Image IN(\"C:\\\\Windows\\\\*\", \"C:\\\\Program File*\", \"%systemroot%\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name Computer EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_gather_victim_identity_sam_info_filter`", "how_to_implement": "The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products.", "known_false_positives": "this module can be loaded by a third party application. Filter is needed.", "references": ["https://redcanary.com/blog/active-breach-evading-defenses/", "https://strontic.github.io/xcyclopedia/library/samlib.dll-0BDF6351009F6EBA5BA7E886F23263B1.html"], "tags": {"name": "Windows Gather Victim Identity SAM Info", "analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Reconnaissance"], "message": "An instance of $Computer$ that loads $ImageLoaded$ that are related to accessing to SAM object information.", "mitre_attack_id": ["T1589.001", "T1589"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "ImageLoaded", "Computer", "EventCode", "Signed", "ProcessId"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1589.001", "mitre_attack_technique": "Credentials", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["APT28", "Chimera", "LAPSUS$", "Leviathan", "Magic Hound"]}, {"mitre_attack_id": "T1589", "mitre_attack_technique": "Gather Victim Identity Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["APT32", "HEXANE", "LAPSUS$", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/loading_samlib/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_gather_victim_identity_sam_info_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_gather_victim_identity_sam_info.yml", "source": "endpoint"}, {"name": "Windows Gather Victim Network Info Through Ip Check Web Services", "id": "70f7c952-0758-46d6-9148-d8969c4481d1", "version": 1, "date": "2022-06-21", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies process that attempts to connect to a known IP web services. This technique is commonly used by trickbot and other malware to perform reconnaissance against the infected machine and look for its IP address.", "data_source": ["Sysmon Event ID 22"], "search": "`sysmon` EventCode=22 QueryName IN (\"*wtfismyip.com\", \"*checkip.amazonaws.com\", \"*ipecho.net\", \"*ipinfo.io\", \"*api.ipify.org\", \"*icanhazip.com\", \"*ip.anysrc.com\",\"*api.ip.sb\", \"ident.me\", \"www.myexternalip.com\", \"*zen.spamhaus.org\", \"*cbl.abuseat.org\", \"*b.barracudacentral.org\", \"*dnsbl-1.uceprotect.net\", \"*spam.dnsbl.sorbs.net\", \"*iplogger.org*\", \"*ip-api.com*\") | stats min(_time) as firstTime max(_time) as lastTime count by Image ProcessId QueryName QueryStatus QueryResults Computer EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_gather_victim_network_info_through_ip_check_web_services_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, dns query name process path , and query ststus from your endpoints like EventCode 22. If you are using Sysmon, you must have at least version 12 of the Sysmon TA.", "known_false_positives": "Filter internet browser application to minimize the false positive of this detection.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"name": "Windows Gather Victim Network Info Through Ip Check Web Services", "analytic_story": ["Azorult", "DarkCrystal RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Reconnaissance"], "message": "process connecting IP location web services on $Computer$", "mitre_attack_id": ["T1590.005", "T1590"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "ProcessId", "QueryName", "QueryStatus", "QueryResults", "Computer", "EventCode"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1590.005", "mitre_attack_technique": "IP Addresses", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["Andariel", "HAFNIUM", "Magic Hound"]}, {"mitre_attack_id": "T1590", "mitre_attack_technique": "Gather Victim Network Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["HAFNIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_gather_victim_network_info_through_ip_check_web_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_gather_victim_network_info_through_ip_check_web_services.yml", "source": "endpoint"}, {"name": "Windows Get-AdComputer Unconstrained Delegation Discovery", "id": "c8640777-469f-4638-ab44-c34a3233ffac", "version": 1, "date": "2022-03-28", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the Get-ADComputer commandlet used with specific parameters to discover Windows endpoints with Kerberos Unconstrained Delegation. Red Teams and adversaries alike may leverage use this technique for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": " `powershell` EventCode=4104 (Message = \"*Get-ADComputer*\" AND Message = \"*TrustedForDelegation*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_get_adcomputer_unconstrained_delegation_discovery_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may leverage PowerView for system management or troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://adsecurity.org/?p=1667", "https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unconstrained-kerberos", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation", "https://www.cyberark.com/resources/threat-research-blog/weakness-within-kerberos-delegation"], "tags": {"name": "Windows Get-AdComputer Unconstrained Delegation Discovery", "analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Suspicious PowerShell Get-ADComputer was identified on endpoint $ComputerName$", "mitre_attack_id": ["T1018"], "nist": ["DE.CM"], "observable": [{"name": "ComputerName", "type": "Hostname", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Message", "ComputerName", "User"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/unconstrained2/windows-powershell.log", "source": "WinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_get_adcomputer_unconstrained_delegation_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_get_adcomputer_unconstrained_delegation_discovery.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Group Policy Object Created", "id": "23add2a8-ea22-4fd4-8bc0-8c0b822373a1", "version": 1, "date": "2023-03-27", "author": "Mauricio Velazco", "type": "TTP", "status": "production", "description": "The following analytic leverages Event IDs 5136 and 51137 to identify the creation of a new Group Policy Object. With GPOs, system administrators can manage and configure applications, software operations, and user settings throughout an entire organization. GPOs can be abused and leveraged by adversaries to escalate privileges or deploy malware across an Active Directory network. As an example, the Lockbit ransomware malware will create new group policies on the domain controller that are then pushed out to every device on the network. Security teams should monitor the creation of new Group Policy Objects.", "data_source": [], "search": " `wineventlog_security` EventCode=5137 OR (EventCode=5136 AttributeValue!=\"New Group Policy Object\" AND (AttributeLDAPDisplayName=displayName OR AttributeLDAPDisplayName=gPCFileSysPath) ) ObjectClass=groupPolicyContainer | stats values(AttributeValue) as details values(SubjectUserSid) as User values(ObjectDN) as ObjectDN by ObjectGUID Computer | eval GPO_Name = mvindex(details, 0) | eval GPO_Path = mvindex(details, 1) | fields - details | `windows_group_policy_object_created_filter`", "how_to_implement": "To successfully implement this search, the Advanced Security Audit policy setting `Audit Directory Service Changes` within `DS Access` needs to be enabled. Furthermore, the appropriate system access control lists (SACL) need to be created as the used events are not logged by default. A good guide to accomplish this can be found here https://jgspiers.com/audit-group-policy-changes/.", "known_false_positives": "Group Policy Objects are created as part of regular administrative operations, filter as needed.", "references": ["https://attack.mitre.org/techniques/T1484/", "https://attack.mitre.org/techniques/T1484/001", "https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/", "https://adsecurity.org/?p=2716", "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/", "https://www.varonis.com/blog/group-policy-objects"], "tags": {"name": "Windows Group Policy Object Created", "analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "A new group policy objected was created by $User$", "mitre_attack_id": ["T1484", "T1484.001", "T1078.002"], "nist": ["DE.CM"], "observable": [{"name": "User", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "AttributeValue", "AttributeLDAPDisplayName", "ObjectClass", "SubjectUserSid", "ObjectDN", "ObjectGUID", "Computer"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1484.001", "mitre_attack_technique": "Group Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "Chimera", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_created/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_group_policy_object_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_group_policy_object_created.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Hidden Schedule Task Settings", "id": "0b730470-5fe8-4b13-93a7-fe0ad014d0cc", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following query utilizes Windows Security EventCode 4698, A scheduled task was created, to identify suspicious tasks registered on Windows either via schtasks.exe OR TaskService with a hidden settings that are unique entry of malware like industroyer2 or attack that uses lolbin to download other file or payload to the infected machine.", "data_source": ["Windows Security 4698"], "search": "`wineventlog_security` EventCode=4698 | xmlkv Message | search Hidden = true | stats count min(_time) as firstTime max(_time) as lastTime by Task_Name, Command, Author, Hidden, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_hidden_schedule_task_settings_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the task schedule (Exa. Security Log EventCode 4698) endpoints. Tune and filter known instances of Task schedule used in your environment.", "known_false_positives": "unknown", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://cert.gov.ua/article/39518"], "tags": {"name": "Windows Hidden Schedule Task Settings", "analytic_story": ["CISA AA22-257A", "Active Directory Discovery", "Industroyer2", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A schedule task with hidden setting enable in host $dest$", "mitre_attack_id": ["T1053"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "Task_Name", "Command", "Author", "Enabled", "Hidden", "Arguments"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053/hidden_schedule_task/security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_hidden_schedule_task_settings_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_hidden_schedule_task_settings.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Hide Notification Features Through Registry", "id": "cafa4bce-9f06-11ec-a7b2-acde48001122", "version": 3, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to detect a suspicious registry modification to hide common windows notification feature from compromised host. This technique was seen in some ransomware family to add more impact to its payload that are visually seen by user aside from the encrypted files and ransomware notes. Even this a good anomaly detection, administrator may implement this changes for auditing or security reason. In this scenario filter is needed.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\*\" Registry.registry_value_name IN (\"HideClock\", \"HideSCAHealth\", \"HideSCANetwork\", \"HideSCAPower\", \"HideSCAVolume\") Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_hide_notification_features_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "references": ["https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Ransom.Win32.ONALOCKER.A/"], "tags": {"name": "Windows Hide Notification Features Through Registry", "analytic_story": ["Ransomware", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Registry modification to hide windows notification on $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_hide_notification_features_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_hide_notification_features_through_registry.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows High File Deletion Frequency", "id": "45b125c4-866f-11eb-a95a-acde48001122", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This search looks for high frequency of file deletion relative to process name and process id. These events usually happen when the ransomware tries to encrypt the files with the ransomware file extensions and sysmon treat the original files to be deleted as soon it was replace as encrypted data.", "data_source": ["Sysmon Event ID 23"], "search": "`sysmon` EventCode=23 TargetFilename IN (\"*.cmd\", \"*.ini\",\"*.gif\", \"*.jpg\", \"*.jpeg\", \"*.db\", \"*.ps1\", \"*.doc*\", \"*.xls*\", \"*.ppt*\", \"*.bmp\",\"*.zip\", \"*.rar\", \"*.7z\", \"*.chm\", \"*.png\", \"*.log\", \"*.vbs\", \"*.js\", \"*.vhd\", \"*.bak\", \"*.wbcat\", \"*.bkf\" , \"*.backup*\", \"*.dsk\", \"*.win\") | stats values(TargetFilename) as deleted_files min(_time) as firstTime max(_time) as lastTime count by Computer user EventCode Image ProcessID |where count >=100 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_high_file_deletion_frequency_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the deleted target file name, process name and process id from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "user may delete bunch of pictures or files in a folder.", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"name": "Windows High File Deletion Frequency", "analytic_story": ["Clop Ransomware", "DarkCrystal RAT", "Swift Slicer", "Data Destruction", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "message": "High frequency file deletion activity detected on host $Computer$", "mitre_attack_id": ["T1485"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Endpoint", "role": ["Victim"]}, {"name": "deleted_files", "type": "File Name", "role": ["Target"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["EventCode", "TargetFilename", "Computer", "user", "Image", "ProcessID", "_time"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_high_file_deletion_frequency_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_high_file_deletion_frequency.yml", "source": "endpoint"}, {"name": "Windows Hijack Execution Flow Version Dll Side Load", "id": "8351340b-ac0e-41ec-8b07-dd01bf32d6ea", "version": 1, "date": "2022-08-24", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to detect a process loading version.dll that is not in %windir%\\\\system32 or %windir%\\\\syswow64 dir path. This event is seen in ransomware and APT malware that executes malicious version.dll placed in the same folder of onedrive application that will execute that module. This technique is known to be DLL side loading. This technique was used to execute an agent of Brute Ratel C4 red teaming tools to serve as remote admin tool to collect and compromise target host.", "data_source": ["Sysmon Event ID 7"], "search": "`sysmon` EventCode=7 ImageLoaded = \"*\\\\version.dll\" AND (Signed = \"false\" OR NOT(ImageLoaded IN(\"*\\\\windows\\\\system32*\", \"*\\\\windows\\\\syswow64\\\\*\"))) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name Computer EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_hijack_execution_flow_version_dll_side_load_filter`", "how_to_implement": "The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products.", "known_false_positives": "unknown", "references": ["https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/"], "tags": {"name": "Windows Hijack Execution Flow Version Dll Side Load", "analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "message": "a process $Image$ loading $ImageLoaded$ as a side load dll in $Computer$", "mitre_attack_id": ["T1574.001", "T1574"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "ImageLoaded", "process_name", "Computer", "EventCode", "Signed", "ProcessId"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.001", "mitre_attack_technique": "DLL Search Order Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Aquatic Panda", "BackdoorDiplomacy", "Evilnum", "RTM", "Threat Group-3390", "Tonto Team", "Whitefly", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_hijack_execution_flow_version_dll_side_load_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml", "source": "endpoint"}, {"name": "Windows Hunting System Account Targeting Lsass", "id": "1c6abb08-73d1-11ec-9ca0-acde48001122", "version": 1, "date": "2022-01-12", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following hunting analytic identifies all processes requesting access into Lsass.exe. his behavior may be related to credential dumping or applications requiring access to credentials. Triaging this event will require understanding the GrantedAccess from the SourceImage. In addition, whether the account is privileged or not. Review the process requesting permissions and review parallel processes.", "data_source": ["Sysmon Event ID 1"], "search": "`sysmon` EventCode=10 TargetImage=*lsass.exe | stats count min(_time) as firstTime max(_time) as lastTime by Computer, TargetImage, GrantedAccess, SourceImage, SourceProcessId, SourceUser, TargetUser | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_hunting_system_account_targeting_lsass_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Enabling EventCode 10 TargetProcess lsass.exe is required.", "known_false_positives": "False positives will occur based on GrantedAccess and SourceUser, filter based on source image as needed. Utilize this hunting analytic to tune out false positives in TTP or anomaly analytics.", "references": ["https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service", "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1", "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights?redirectedfrom=MSDN"], "tags": {"name": "Windows Hunting System Account Targeting Lsass", "analytic_story": ["Credential Dumping"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "A process, $SourceImage$, has requested access to LSASS on $dest$. Review for further details.", "mitre_attack_id": ["T1003.001", "T1003"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Computer", "TargetImage", "GrantedAccess", "SourceImage", "SourceProcessId", "SourceUser", "TargetUser"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon_creddump.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_hunting_system_account_targeting_lsass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_hunting_system_account_targeting_lsass.yml", "source": "endpoint"}, {"name": "Windows Identify Protocol Handlers", "id": "bd5c311e-a6ea-48ae-a289-19a3398e3648", "version": 2, "date": "2022-09-13", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following hunting analytic will identify any protocol handlers utilized on the command-line. A protocol handler is an application that knows how to handle particular types of links: for example, a mail client is a protocol handler for \"mailto:\" links. When the user clicks a \"mailto:\" link, the browser opens the application selected as the handler for the \"mailto:\" protocol (or offers them a choice of handlers, depending on their settings). To identify protocol handlers we can use NirSoft https://www.nirsoft.net/utils/url_protocol_view.html URLProtocolView or query the registry using PowerShell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.process_name Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup windows_protocol_handlers handler AS process OUTPUT handler ishandler | where ishandler=\"TRUE\" | `windows_identify_protocol_handlers_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives will be found. https and http is a URL Protocol handler that will trigger this analytic. Tune based on process or command-line.", "references": ["https://gist.github.com/MHaggis/a0d3edb57d36e0916c94c0a464b2722e", "https://www.oreilly.com/library/view/learning-java/1565927184/apas02.html", "https://blogs.windows.com/msedgedev/2022/01/20/getting-started-url-protocol-handlers-microsoft-edge/", "https://github.com/Mr-Un1k0d3r/PoisonHandler", "https://www.mdsec.co.uk/2021/03/phishing-users-to-take-a-test/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md#atomic-test-5---protocolhandlerexe-downloaded-a-suspicious-file", "https://techcommunity.microsoft.com/t5/windows-it-pro-blog/disabling-the-msix-ms-appinstaller-protocol-handler/ba-p/3119479", "https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug", "https://parsiya.net/blog/2021-03-17-attack-surface-analysis-part-2-custom-protocol-handlers/"], "tags": {"name": "Windows Identify Protocol Handlers", "analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 20, "impact": 30, "kill_chain_phases": ["Installation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ utilizing a protocol handler.", "mitre_attack_id": ["T1059"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 6, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/protocol_handlers/protocolhandlers.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_identify_protocol_handlers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "windows_protocol_handlers", "description": "A list of Windows Protocol Handlers", "filename": "windows_protocol_handlers.csv", "default_match": "false", "match_type": "WILDCARD(handler)", "min_matches": 1, "case_sensitive_match": "false"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_identify_protocol_handlers.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows IIS Components Add New Module", "id": "38fe731c-1f13-43d4-b878-a5bbe44807e3", "version": 1, "date": "2022-12-19", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies the process AppCmd.exe installing a new module into IIS. AppCmd is a utility to manage IIS web sites and App Pools. An adversary may run this command to install a webshell or backdoor. This has been found to be used for credit card scraping, persistence, and further post-exploitation. An administrator may run this to install new modules for a web site or during IIS updates.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where NOT (Processes.parent_process_name IN (\"msiexec.exe\", \"iissetup.exe\")) Processes.process_name=appcmd.exe Processes.process IN (\"*install *\", \"*module *\") AND Processes.process=\"*image*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iis_components_add_new_module_filter`", "how_to_implement": "Tune the analytic for your environment by filtering by known good modules or processes. Enable as TTP once the volume is low enough. To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present until properly tuned. Filter as needed.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union", "https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1505.004", "https://strontic.github.io/xcyclopedia/library/appcmd.exe-055B2B09409F980BF9B5A3969D01E5B2.html"], "tags": {"name": "Windows IIS Components Add New Module", "analytic_story": ["IIS Components"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to install a new IIS module.", "mitre_attack_id": ["T1505", "T1505.004"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/appcmd_install-windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_iis_components_add_new_module_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_iis_components_add_new_module.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows IIS Components Get-WebGlobalModule Module Query", "id": "20db5f70-34b4-4e83-8926-fa26119de173", "version": 1, "date": "2022-12-20", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic requires the use of PowerShell inputs to run Get-WebGlobalModule to list out all the IIS Modules installed. The output is a list of Module names and the Image path of the DLL.", "data_source": [], "search": "`iis_get_webglobalmodule` | stats count min(_time) as firstTime max(_time) as lastTime by host name image | rename host as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iis_components_get_webglobalmodule_module_query_filter`", "how_to_implement": "You must ingest the PwSh cmdlet Get-WebGlobalModule in order to utilize this analytic. Follow https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040", "known_false_positives": "This analytic is meant to assist with hunting modules across a fleet of IIS servers. Filter and modify as needed.", "references": ["https://docs.splunk.com/Documentation/Splunk/9.0.2/Data/MonitorWindowsdatawithPowerShellscripts", "https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040", "https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1505.004"], "tags": {"name": "Windows IIS Components Get-WebGlobalModule Module Query", "analytic_story": ["IIS Components"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 10, "impact": 10, "kill_chain_phases": ["Installation"], "message": "IIS Modules have been listed on $dest$.", "mitre_attack_id": ["T1505.004", "T1505"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "host", "name", "image"], "risk_score": 1, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/pwsh_installediismodules.log", "source": "powershell://AppCmdModules", "sourcetype": "Pwsh:InstalledIISModules", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "iis_get_webglobalmodule", "definition": "sourcetype=\"Pwsh:InstalledIISModules\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_iis_components_get_webglobalmodule_module_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_iis_components_get_webglobalmodule_module_query.yml", "source": "endpoint"}, {"name": "Windows IIS Components Module Failed to Load", "id": "40c2ba5b-dd6a-496b-9e6e-c9524d0be167", "version": 1, "date": "2022-12-20", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic utilizes EventCode 2282 which generates when a Module DLL could not be loaded due to a configuration problem. This typically occurs when a IIS module is installed but is failing to load. This typically results in thousands of events until the issue is resolved. Review the module that is failing and determine if it is legitimate or not.", "data_source": ["Sysmon Event ID 22"], "search": "`wineventlog_application` EventCode=2282 | stats count min(_time) as firstTime max(_time) as lastTime by EventCode dest Name ModuleDll | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iis_components_module_failed_to_load_filter`", "how_to_implement": "IIS must be installed and Application event logs must be collected in order to utilize this analytic.", "known_false_positives": "False positives will be present until all module failures are resolved or reviewed.", "references": ["https://social.technet.microsoft.com/wiki/contents/articles/21757.event-id-2282-iis-worker-process-availability.aspx", "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union", "https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1505.004", "https://strontic.github.io/xcyclopedia/library/appcmd.exe-055B2B09409F980BF9B5A3969D01E5B2.html"], "tags": {"name": "Windows IIS Components Module Failed to Load", "analytic_story": ["IIS Components"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "A new IIS Module has been loaded and should be reviewed on $dest$.", "mitre_attack_id": ["T1505", "T1505.004"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "OpCode", "EventCode", "ComputerName", "Message"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/2282_windows-application.log", "source": "XmlWinEventLog:Application", "sourcetype": "XmlWinEventLog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_application", "definition": "eventtype=wineventlog_application OR source=\"XmlWinEventLog:Application\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_iis_components_module_failed_to_load_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_iis_components_module_failed_to_load.yml", "source": "endpoint"}, {"name": "Windows IIS Components New Module Added", "id": "55f22929-cfd3-4388-ba5c-4d01fac7ee7e", "version": 1, "date": "2022-12-19", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic uses the Windows Event log - Microsoft-IIS-Configuration/Operational - which must be enabled and logged on Windows IIS servers before it can be Splunked. The following analytic identifies newly installed IIS modules. Per Microsoft, IIS modules are not commonly added to a production IIS server, so alerting on this event ID should be enabled.IIS modules can be installed at a global level or at a site level. In detecting malicious IIS modules, it is important to check both the global and site level for unauthorized modules. Regular monitoring of these locations for such modules and comparing against a known good list can help detect and identify malicious IIS modules.", "data_source": [], "search": "`iis_operational_logs` EventCode=29 | stats count min(_time) as firstTime max(_time) as lastTime by OpCode EventCode ComputerName Message | rename ComputerName AS dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iis_components_new_module_added_filter`", "how_to_implement": "You must enabled the IIS Configuration Operational log before ingesting in Splunk. Setup and inputs may be found here https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040.", "known_false_positives": "False positives may be present when updates or an administrator adds a new module to IIS. Monitor and filter as needed.", "references": ["https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040", "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union", "https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1505.004", "https://strontic.github.io/xcyclopedia/library/appcmd.exe-055B2B09409F980BF9B5A3969D01E5B2.html"], "tags": {"name": "Windows IIS Components New Module Added", "analytic_story": ["IIS Components"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Installation"], "message": "A new IIS Module has been loaded and should be reviewed on $dest$.", "mitre_attack_id": ["T1505", "T1505.004"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "OpCode", "EventCode", "ComputerName", "Message"], "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/IIS-Configuration-Operational.log", "source": "IIS:Configuration:Operational", "sourcetype": "IIS:Configuration:Operational", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "iis_operational_logs", "definition": "sourcetype=\"IIS:Configuration:Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_iis_components_new_module_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_iis_components_new_module_added.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Windows Impair Defense Add Xml Applocker Rules", "id": "467ed9d9-8035-470e-ad5e-ae5189283033", "version": 1, "date": "2022-06-24", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic is to identify a process that imports applocker xml policy using PowerShell commandlet. This technique was seen in Azorult malware where it drop an xml Applocker policy that will deny several AV products and further executed the PowerShell Applocker commandlet.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` AND Processes.process=\"*Import-Module Applocker*\" AND Processes.process=\"*Set-AppLockerPolicy *\" AND Processes.process=\"* -XMLPolicy *\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_add_xml_applocker_rules_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators may execute this command that may cause some false positive.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"name": "Windows Impair Defense Add Xml Applocker Rules", "analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Applocker importing xml policy command was executed in $dest$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_add_xml_applocker_rules_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_impair_defense_add_xml_applocker_rules.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Impair Defense Delete Win Defender Context Menu", "id": "395ed5fe-ad13-4366-9405-a228427bdd91", "version": 1, "date": "2022-06-07", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The search looks for the deletion of Windows Defender context menu within the registry. This is consistent behavior with RAT malware across a fleet of endpoints. This particular behavior is executed when an adversary gains access to an endpoint and begins to perform execution. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\shellex\\\\ContextMenuHandlers\\\\EPP\" Registry.action = deleted by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_delete_win_defender_context_menu_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "references": ["https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/", "https://app.any.run/tasks/45f5d114-91ea-486c-ab01-41c4093d2861/"], "tags": {"name": "Windows Impair Defense Delete Win Defender Context Menu", "analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Windows Defender context menu registry key deleted on $dest$.", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_value_name", "Registry.dest", "Registry.user", "Registry.registry_path", "Registry.action"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_delete_win_defender_context_menu_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_impair_defense_delete_win_defender_context_menu.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Impair Defense Delete Win Defender Profile Registry", "id": "65d4b105-ec52-48ec-ac46-289d0fbf7d96", "version": 1, "date": "2022-06-07", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The search looks for the deletion of Windows Defender main profile within the registry. This was used by RAT malware across a fleet of endpoints. This particular behavior is typically executed when an adversary gains access to an endpoint and beings to perform execution. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\Policies\\\\Microsoft\\\\Windows Defender\" Registry.action = deleted by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_delete_win_defender_profile_registry_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "references": ["https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/", "https://app.any.run/tasks/45f5d114-91ea-486c-ab01-41c4093d2861/"], "tags": {"name": "Windows Impair Defense Delete Win Defender Profile Registry", "analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "Windows Defender Logger registry key set to 'disabled' on $dest$.", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_value_name", "Registry.dest", "Registry.user", "Registry.registry_path", "Registry.action"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_delete_win_defender_profile_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Impair Defense Deny Security Software With Applocker", "id": "e0b6ca60-9e29-4450-b51a-bba0abae2313", "version": 1, "date": "2022-06-24", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a modification in the Windows registry by the Applocker utility that contains details or registry data values related to denying the execution of several security products. This technique was seen in Azorult malware where it drops an xml Applocker policy that will deny several AV products and then loaded by using PowerShell Applocker commandlet.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Group Policy Objects\\\\*\" AND Registry.registry_path= \"*}Machine\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\SrpV2*\") OR Registry.registry_path=\"*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\SrpV2*\" AND Registry.registry_value_data = \"*Action\\=\\\"Deny\\\"*\" AND Registry.registry_value_data IN(\"*O=SYMANTEC*\",\"*O=MCAFEE*\",\"*O=KASPERSKY*\",\"*O=BLEEPING COMPUTER*\", \"*O=PANDA SECURITY*\",\"*O=SYSTWEAK SOFTWARE*\", \"*O=TREND MICRO*\", \"*O=AVAST*\", \"*O=GRIDINSOFT*\", \"*O=MICROSOFT*\", \"*O=NANO SECURITY*\", \"*O=SUPERANTISPYWARE.COM*\", \"*O=DOCTOR WEB*\", \"*O=MALWAREBYTES*\", \"*O=ESET*\", \"*O=AVIRA*\", \"*O=WEBROOT*\") by Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.registry_key_name Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_deny_security_software_with_applocker_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "False positives may be present based on organization use of Applocker. Filter as needed.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/", "https://www.microsoftpressstore.com/articles/article.aspx?p=2228450&seqNum=11"], "tags": {"name": "Windows Impair Defense Deny Security Software With Applocker", "analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "Applocker registry modification to deny the action of several AV products on $dest$.", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_deny_security_software_with_applocker_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Impair Defenses Disable HVCI", "id": "b061dfcc-f0aa-42cc-a6d4-a87f172acb79", "version": 1, "date": "2023-04-13", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic refers to a detection mechanism designed to identify when the Hypervisor-protected Code Integrity (HVCI) feature is disabled within the Windows registry. HVCI is a security feature in Windows 10 and Windows Server 2016 that helps protect the kernel and system processes from being tampered with by malicious code. HVCI relies on hardware-assisted virtualization and Microsoft's Hyper-V hypervisor to ensure that only kernel-mode code that has been signed by Microsoft or the system's hardware manufacturer can be executed. This prevents attackers from exploiting vulnerabilities to run unsigned code, like kernel-mode rootkits or other malicious software, at the kernel level. Disabling HVCI may expose the system to security risks and could be an indicator of a potential compromise or unauthorized activity. The analytic aims to detect and report events or configurations that lead to the disabling of HVCI.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\CurrentControlSet\\\\Control\\\\DeviceGuard\\\\Scenarios\\\\HypervisorEnforcedCodeIntegrity\\\\Enabled\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defenses_disable_hvci_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives will be limited to administrative scripts disabling HVCI. Filter as needed.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/"], "tags": {"name": "Windows Impair Defenses Disable HVCI", "analytic_story": ["BlackLotus Campaign", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "HVCI has been disabled on $dest$.", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Registry.registry_path", "Registry.registry_value_data", "Registry.registry_value_name", "Registry.process_guid", "Registry.action", "Registry.user", "Registry.dest"], "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "atomic_guid": ["70bd71e6-eba4-4e00-92f7-617911dbe020"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/atomic_red_team/hvci_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_impair_defenses_disable_hvci_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_impair_defenses_disable_hvci.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Impair Defenses Disable Win Defender Auto Logging", "id": "76406a0f-f5e0-4167-8e1f-337fdc0f1b0c", "version": 1, "date": "2022-06-07", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The search looks for the Registry Key DefenderApiLogger or DefenderAuditLogger set to disable. This is consistent with RAT malware across a fleet of endpoints. This particular behavior is typically executed when an adversary gains access to an endpoint and beings to perform execution. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where (Registry.registry_path = \"*WMI\\\\Autologger\\\\DefenderApiLogger\\\\Start\" OR Registry.registry_path = \"*WMI\\\\Autologger\\\\DefenderAuditLogger\\\\Start\") Registry.registry_value_data =\"0x00000000\" by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defenses_disable_win_defender_auto_logging_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "references": ["https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/", "https://app.any.run/tasks/45f5d114-91ea-486c-ab01-41c4093d2861/"], "tags": {"name": "Windows Impair Defenses Disable Win Defender Auto Logging", "analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Windows Defender Logger registry key set to 'disabled' on $dest$.", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_value_name", "Registry.dest", "Registry.user", "Registry.registry_path", "Registry.action"], "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable_defender_logging/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_impair_defenses_disable_win_defender_auto_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Indirect Command Execution Via forfiles", "id": "1fdf31c9-ff4d-4c48-b799-0e8666e08787", "version": 1, "date": "2022-04-05", "author": "Eric McGinnis, Splunk", "type": "TTP", "status": "production", "description": "The following analytic detects programs that have been started by forfiles.exe. According to Microsoft, the 'The forfiles command lets you run a command on or pass arguments to multiple files'. While this tool can be used to start legitimate programs, usually within the context of a batch script, it has been observed being used to evade protections on command line execution.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process=\"*forfiles* /c *\" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_indirect_command_execution_via_forfiles_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the full process path in the process field of CIM's Process data model. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where forfiles.exe may be used.", "known_false_positives": "Some legacy applications may be run using pcalua.exe. Similarly, forfiles.exe may be used in legitimate batch scripts. Filter these results as needed.", "references": ["https://twitter.com/KyleHanslovan/status/912659279806640128", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/forfiles"], "tags": {"name": "Windows Indirect Command Execution Via forfiles", "analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "The Program Compatability Assistant (pcalua.exe) launched the process $process_name$", "mitre_attack_id": ["T1202"], "nist": ["DE.CM"], "observable": [{"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id", "Processes.process_path"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1202", "mitre_attack_technique": "Indirect Command Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1202/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_indirect_command_execution_via_forfiles_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_indirect_command_execution_via_forfiles.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Indirect Command Execution Via pcalua", "id": "3428ac18-a410-4823-816c-ce697d26f7a8", "version": 1, "date": "2022-04-05", "author": "Eric McGinnis, Splunk", "type": "TTP", "status": "production", "description": "The following analytic detects programs that have been started by pcalua.exe. pcalua.exe is the Microsoft Windows Program Compatability Assistant. While this tool can be used to start legitimate programs, it has been observed being used to evade protections on command line execution.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process=\"*pcalua* -a*\" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_indirect_command_execution_via_pcalua_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the full process path in the process field of CIM's Process data model. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where pcalua.exe may be used.", "known_false_positives": "Some legacy applications may be run using pcalua.exe. Filter these results as needed.", "references": ["https://twitter.com/KyleHanslovan/status/912659279806640128", "https://lolbas-project.github.io/lolbas/Binaries/Pcalua/"], "tags": {"name": "Windows Indirect Command Execution Via pcalua", "analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "The Program Compatability Assistant (pcalua.exe) launched the process $process_name$", "mitre_attack_id": ["T1202"], "nist": ["DE.CM"], "observable": [{"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id", "Processes.process_path"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1202", "mitre_attack_technique": "Indirect Command Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1202/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_indirect_command_execution_via_pcalua_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_indirect_command_execution_via_pcalua.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Indirect Command Execution Via Series Of Forfiles", "id": "bfdaabe7-3db8-48c5-80c1-220f9b8f22be", "version": 1, "date": "2022-11-30", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is developed to detect suspicious excessive usage of forfiles.exe process. This event was seen in post exploitation tool WINPEAS that was used by Ransomware Prestige. Forfiles command lets you run a command on or pass arguments to multiple files. This Windows OS built-in tool being abused to list all files in specific directory or drive.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_guid) as process_guid values(Processes.process_name) as process_name count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"forfiles.exe\" OR Processes.original_file_name = \"forfiles.exe\" by Processes.parent_process_name Processes.parent_process Processes.dest Processes.user _time span=1m | where count >=20 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_indirect_command_execution_via_series_of_forfiles_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "unknown", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/forfiles", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"name": "Windows Indirect Command Execution Via Series Of Forfiles", "analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "excessive forfiles process execution in $dest$", "mitre_attack_id": ["T1202"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1202", "mitre_attack_technique": "Indirect Command Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_indirect_command_execution_via_series_of_forfiles_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Information Discovery Fsutil", "id": "2181f261-93e6-4166-a5a9-47deac58feff", "version": 1, "date": "2022-11-30", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies a process execution of Windows OS built-in tool FSUTIL to discover file system information. This tool is being abused or used by several adversaries or threat actor to query/list all drives, drive type, volume information or volume statistics by using the FSINFO parameter of this tool. This technique was seen in WINPEAS post exploitation tool that is being used by ransomware prestige to gain privilege and persistence to the targeted host.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"fsutil.exe\" OR Processes.original_file_name = \"fsutil.exe\" AND Processes.process = \"*fsinfo*\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_information_discovery_fsutil_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used.", "known_false_positives": "unknown", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"name": "Windows Information Discovery Fsutil", "analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "process $process_name$ with commandline $process$ is executed in $dest$", "mitre_attack_id": ["T1082"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id", "Processes.parent_process_guid", "Processes.process_guid"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TeamTNT", "Tropic Trooper", "Turla", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_fsutil/fsutil-fsinfo-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_information_discovery_fsutil_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_information_discovery_fsutil.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Ingress Tool Transfer Using Explorer", "id": "76753bab-f116-4ea3-8fb9-89b638be58a9", "version": 2, "date": "2022-08-30", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies the Windows Explorer process with a URL within the command-line. Explorer.exe is known Windows process that handles start menu, taskbar, desktop and file manager. Many adversaries abuse this process, like DCRat malware, where it attempts to open the URL with the default browser application on the target host by putting the URL as a parameter on explorer.exe process. This anomaly detection might be a good pivot to check which user and how this process was executed, what is the parent process and what is the URL link. This technique is not commonly used to open an URL.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = explorer.exe OR Processes.original_file_name = explorer.exe) AND NOT (Processes.parent_process_name IN(\"userinit.exe\", \"svchost.exe\")) Processes.process IN (\"* http://*\", \"* https://*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_ingress_tool_transfer_using_explorer_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present based on legitimate applications or third party utilities. Filter out any additional parent process names.", "references": ["https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor"], "tags": {"name": "Windows Ingress Tool Transfer Using Explorer", "analytic_story": ["DarkCrystal RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command And Control"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a remote payload.", "mitre_attack_id": ["T1105"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_explorer_url/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_ingress_tool_transfer_using_explorer_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Input Capture Using Credential UI Dll", "id": "406c21d6-6c75-4e9f-9ca9-48049a1dd90e", "version": 1, "date": "2022-08-24", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies a process that loads the credui.dll module. This legitimate module is typically abused by adversaries, threat actors and red teamers to create a credential UI prompt dialog box to lure users for possible credential theft or can be used to dump the credentials of a targeted host. This hunting query is a good pivot to check why the process loaded this dll and if it is a legitimate file. This hunting query may hit false positive for a third party application that uses a credential login UI for user login.", "data_source": ["Sysmon Event ID 7"], "search": "`sysmon` EventCode=7 (ImageLoaded = \"*\\\\credui.dll\" AND OriginalFileName = \"credui.dll\") OR (ImageLoaded = \"*\\\\wincredui.dll\" AND OriginalFileName = \"wincredui.dll\") AND NOT(Image IN(\"*\\\\windows\\\\explorer.exe\", \"*\\\\windows\\\\system32\\\\*\", \"*\\\\windows\\\\sysWow64\\\\*\", \"*:\\\\program files*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded OriginalFileName Computer EventCode Signed ProcessId ProcessGuid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_input_capture_using_credential_ui_dll_filter`", "how_to_implement": "The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products.", "known_false_positives": "this module can be loaded by a third party application. Filter is needed.", "references": ["https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password"], "tags": {"name": "Windows Input Capture Using Credential UI Dll", "analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "a process $Image$ loaded $ImageLoaded$ in $Computer$", "mitre_attack_id": ["T1056.002", "T1056"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "ImageLoaded", "process_name", "Computer", "EventCode", "Signed", "ProcessId"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1056.002", "mitre_attack_technique": "GUI Input Capture", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["FIN4"]}, {"mitre_attack_id": "T1056", "mitre_attack_technique": "Input Capture", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["APT39"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_input_capture_using_credential_ui_dll_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_input_capture_using_credential_ui_dll.yml", "source": "endpoint"}, {"name": "Windows InstallUtil Credential Theft", "id": "ccfeddec-43ec-11ec-b494-acde48001122", "version": 3, "date": "2022-08-25", "author": "Michael Haag, Mauricio Velazo, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the Windows InstallUtil.exe binary loading `vaultcli.dll` and Samlib.dll`. This technique may be used to execute code to bypassing application control and capture credentials by utilizing a tool like MimiKatz. \\\nWhen `InstallUtil.exe` is used in a malicous manner, the path to an executable on the filesystem is typically specified. Take note of the parent process. In a suspicious instance, this will be spawned from a non-standard process like `Cmd.exe`, `PowerShell.exe` or `Explorer.exe`. \\\nIf used by a developer, typically this will be found with multiple command-line switches/arguments and spawn from Visual Studio. \\\nDuring triage review resulting network connections, file modifications, and parallel processes. Capture any artifacts and review further.", "data_source": ["Sysmon Event ID 7"], "search": "`sysmon` EventCode=7 parent_process_name=installutil.exe ImageLoaded IN (\"*\\\\samlib.dll\", \"*\\\\vaultcli.dll\") | stats count min(_time) as firstTime max(_time) as lastTime by Computer, parent_process_name, ImageLoaded, OriginalFileName, ProcessId | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_credential_theft_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and module loads from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Typically this will not trigger as by it's very nature InstallUtil does not need credentials. Filter as needed.", "references": ["https://gist.github.com/xorrior/bbac3919ca2aef8d924bdf3b16cce3d0"], "tags": {"name": "Windows InstallUtil Credential Theft", "analytic_story": ["Signed Binary Proxy Execution InstallUtil"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ loading samlib.dll and vaultcli.dll to potentially capture credentials in memory.", "mitre_attack_id": ["T1218.004", "T1218"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_installutil_credential_theft_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_installutil_credential_theft.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Windows InstallUtil in Non Standard Path", "id": "dcf74b22-7933-11ec-857c-acde48001122", "version": 1, "date": "2023-04-14", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the Windows binary InstallUtil.exe running from a non-standard location. The analytic utilizes a macro for InstallUtil and identifies both the process_name and original_file_name.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where `process_installutil` NOT (Processes.process_path IN (\"*\\\\Windows\\\\ADWS\\\\*\",\"*\\\\Windows\\\\SysWOW64*\", \"*\\\\Windows\\\\system32*\", \"*\\\\Windows\\\\NetworkController\\\\*\", \"*\\\\Windows\\\\SystemApps\\\\*\", \"*\\\\WinSxS\\\\*\", \"*\\\\Windows\\\\Microsoft.NET\\\\*\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.process_hash | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_in_non_standard_path_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present and filtering may be required. Certain utilities will run from non-standard paths based on the third-party application in use.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml", "https://attack.mitre.org/techniques/T1036/003/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"], "tags": {"name": "Windows InstallUtil in Non Standard Path", "analytic_story": ["Masquerading - Rename System Utilities", "Ransomware", "Unusual Processes", "Signed Binary Proxy Execution InstallUtil", "Living Off The Land", "Data Destruction", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ from a non-standard path was identified on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1036", "T1036.003", "T1218", "T1218.004"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon_installutil_path.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_installutil", "definition": "(Processes.process_name=installutil.exe OR Processes.original_file_name=InstallUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_installutil_in_non_standard_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_installutil_in_non_standard_path.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows InstallUtil Remote Network Connection", "id": "4fbf9270-43da-11ec-9486-acde48001122", "version": 2, "date": "2022-03-16", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the Windows InstallUtil.exe binary making a remote network connection. This technique may be used to download and execute code while bypassing application control. \\\nWhen `InstallUtil.exe` is used in a malicous manner, the path to an executable on the filesystem is typically specified. Take note of the parent process. In a suspicious instance, this will be spawned from a non-standard process like `Cmd.exe`, `PowerShell.exe` or `Explorer.exe`. \\\nIf used by a developer, typically this will be found with multiple command-line switches/arguments and spawn from Visual Studio. \\\nDuring triage review resulting network connections, file modifications, and parallel processes. Capture any artifacts and review further.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_installutil` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time dest parent_process_name process_name process_path process process_id dest_port C2 | `windows_installutil_remote_network_connection_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Ports` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Limited false positives should be present as InstallUtil is not typically used to download remote files. Filter as needed based on Developers requirements.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"], "tags": {"name": "Windows InstallUtil Remote Network Connection", "analytic_story": ["Signed Binary Proxy Execution InstallUtil", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ generating a remote download.", "mitre_attack_id": ["T1218.004", "T1218"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id", "Ports.process_guid", "Ports.dest", "Ports.dest_port"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint", "Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_installutil", "definition": "(Processes.process_name=installutil.exe OR Processes.original_file_name=InstallUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_installutil_remote_network_connection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_installutil_remote_network_connection.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows InstallUtil Uninstall Option", "id": "cfa7b9ac-43f0-11ec-9b48-acde48001122", "version": 1, "date": "2021-11-12", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the Windows InstallUtil.exe binary. This will execute code while bypassing application control using the `/u` (uninstall) switch. \\\nInstallUtil uses the functions install and uninstall within the System.Configuration.Install namespace to process .net assembly. Install function requires admin privileges, however, uninstall function can be run as an unprivileged user.\\\nWhen `InstallUtil.exe` is used in a malicous manner, the path to an executable on the filesystem is typically specified. Take note of the parent process. In a suspicious instance, this will be spawned from a non-standard process like `Cmd.exe`, `PowerShell.exe` or `Explorer.exe`. \\\nIf used by a developer, typically this will be found with multiple command-line switches/arguments and spawn from Visual Studio. \\\nDuring triage review resulting network connections, file modifications, and parallel processes. Capture any artifacts and review further.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_installutil` Processes.process IN (\"*/u*\", \"*uninstall*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_uninstall_option_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Limited false positives should be present. Filter as needed by parent process or application.", "references": ["https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12", "https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/md/Installutil.exe.md", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"], "tags": {"name": "Windows InstallUtil Uninstall Option", "analytic_story": ["Signed Binary Proxy Execution InstallUtil", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ performing an uninstall.", "mitre_attack_id": ["T1218.004", "T1218"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_installutil", "definition": "(Processes.process_name=installutil.exe OR Processes.original_file_name=InstallUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_installutil_uninstall_option_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_installutil_uninstall_option.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows InstallUtil Uninstall Option with Network", "id": "1a52c836-43ef-11ec-a36c-acde48001122", "version": 2, "date": "2022-03-16", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the Windows InstallUtil.exe binary making a remote network connection. This technique may be used to download and execute code while bypassing application control using the `/u` (uninstall) switch. \\\nInstallUtil uses the functions install and uninstall within the System.Configuration.Install namespace to process .net assembly. Install function requires admin privileges, however, uninstall function can be run as an unprivileged user.\\\nWhen `InstallUtil.exe` is used in a malicous manner, the path to an executable on the filesystem is typically specified. Take note of the parent process. In a suspicious instance, this will be spawned from a non-standard process like `Cmd.exe`, `PowerShell.exe` or `Explorer.exe`. \\\nIf used by a developer, typically this will be found with multiple command-line switches/arguments and spawn from Visual Studio. \\\nDuring triage review resulting network connections, file modifications, and parallel processes. Capture any artifacts and review further.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_installutil` Processes.process IN (\"*/u*\", \"*uninstall*\") by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time dest parent_process_name process_name process_path process process_id dest_port C2 | `windows_installutil_uninstall_option_with_network_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Ports` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Limited false positives should be present as InstallUtil is not typically used to download remote files. Filter as needed based on Developers requirements.", "references": ["https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12", "https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/md/Installutil.exe.md", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"], "tags": {"name": "Windows InstallUtil Uninstall Option with Network", "analytic_story": ["Signed Binary Proxy Execution InstallUtil", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ performing an uninstall.", "mitre_attack_id": ["T1218.004", "T1218"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id", "Ports.process_guid", "Ports.dest", "Ports.dest_port"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint", "Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_installutil", "definition": "(Processes.process_name=installutil.exe OR Processes.original_file_name=InstallUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_installutil_uninstall_option_with_network_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_installutil_uninstall_option_with_network.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows InstallUtil URL in Command Line", "id": "28e06670-43df-11ec-a569-acde48001122", "version": 1, "date": "2021-11-12", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the Windows InstallUtil.exe binary passing a HTTP request on the command-line. This technique may be used to download and execute code while bypassing application control. \\\nWhen `InstallUtil.exe` is used in a malicous manner, the path to an executable on the filesystem is typically specified. Take note of the parent process. In a suspicious instance, this will be spawned from a non-standard process like `Cmd.exe`, `PowerShell.exe` or `Explorer.exe`. \\\nIf used by a developer, typically this will be found with multiple command-line switches/arguments and spawn from Visual Studio. \\\nDuring triage review resulting network connections, file modifications, and parallel processes. Capture any artifacts and review further.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_installutil` Processes.process IN (\"*http://*\",\"*https://*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_url_in_command_line_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Limited false positives should be present as InstallUtil is not typically used to download remote files. Filter as needed based on Developers requirements.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md", "https://gist.github.com/DanielRTeixeira/0fd06ec8f041f34a32bf5623c6dd479d"], "tags": {"name": "Windows InstallUtil URL in Command Line", "analytic_story": ["Signed Binary Proxy Execution InstallUtil", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ passing a URL on the command-line.", "mitre_attack_id": ["T1218.004", "T1218"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_installutil", "definition": "(Processes.process_name=installutil.exe OR Processes.original_file_name=InstallUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_installutil_url_in_command_line_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_installutil_url_in_command_line.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows ISO LNK File Creation", "id": "d7c2c09b-9569-4a9e-a8b6-6a39a99c1d32", "version": 2, "date": "2022-09-19", "author": "Michael Haag, Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies the use of a delivered ISO file that has been mounted and the afformention lnk or file opened within it. When the ISO file is opened, the files are saved in the %USER%\\AppData\\Local\\Temp\\\\ path. The analytic identifies .iso.lnk written to the path. The name of the ISO file is prepended.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\Microsoft\\\\Windows\\\\Recent\\\\*\") Filesystem.file_name IN (\"*.iso.lnk\", \"*.img.lnk\", \"*.vhd.lnk\", \"*vhdx.lnk\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iso_lnk_file_creation_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be high depending on the environment and consistent use of ISOs mounting. Restrict to servers, or filter out based on commonly used ISO names. Filter as needed.", "references": ["https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://github.com/MHaggis/notes/blob/master/utilities/ISOBuilder.ps1", "https://isc.sans.edu/diary/Recent+AZORult+activity/25120", "https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html"], "tags": {"name": "Windows ISO LNK File Creation", "analytic_story": ["Spearphishing Attachments", "Brute Ratel C4", "AgentTesla", "Qakbot", "IcedID", "Azorult", "Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Delivery", "Installation"], "message": "An ISO file was mounted on $dest$ and should be reviewed and filtered as needed.", "mitre_attack_id": ["T1566.001", "T1566", "T1204.001", "T1204"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Filesystem.file_create_time", "Filesystem.process_id", "Filesystem.file_name", "Filesystem.file_path", "Filesystem.dest"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.001/atomic_red_team/iso_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_iso_lnk_file_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_iso_lnk_file_creation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Java Spawning Shells", "id": "28c81306-5c47-11ec-bfea-acde48001122", "version": 2, "date": "2023-01-23", "author": "Michael Haag, Splunk", "type": "TTP", "status": "experimental", "description": "The following analytic identifies the process name of java.exe and w3wp.exe spawning a Windows shell. This is potentially indicative of exploitation of the Java application and may be related to current event CVE-2021-44228 (Log4Shell). The shells included in the macro are \"cmd.exe\", \"powershell.exe\". Upon triage, review parallel processes and command-line arguments to determine legitimacy.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=java.exe OR Processes.parent_process_name=w3wp.exe `windows_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_java_spawning_shells_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. Restrict the analytic to publicly facing endpoints to reduce false positives. Add any additional identified web application process name to the query. Add any further Windows process names to the macro (ex. LOLBins) to further expand this query.", "known_false_positives": "Filtering may be required on internal developer build systems or classify assets as web facing and restrict the analytic based on that.", "references": ["https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading-using-the-log4j2-vulnerability-now/", "https://gist.github.com/olafhartong/916ebc673ba066537740164f7e7e1d72", "https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/", "https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py", "https://blog.viettelcybersecurity.com/saml-show-stopper/", "https://www.horizon3.ai/manageengine-cve-2022-47966-iocs/"], "tags": {"name": "Windows Java Spawning Shells", "analytic_story": ["Log4Shell CVE-2021-44228"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Delivery"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ spawning a Windows shell, potentially indicative of exploitation.", "mitre_attack_id": ["T1190"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2021-44228", "CVE-2022-47966"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "windows_shells", "definition": "(Processes.process_name=cmd.exe OR Processes.process_name=powershell.exe OR Processes.process_name=pwsh.exe OR Processes.process_name=sh.exe OR Processes.process_name=bash.exe OR Processes.process_name=wscript.exe OR Processes.process_name=cscript.exe)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_java_spawning_shells_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-44228", "cvss": 9.3, "summary": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects."}, {"id": "CVE-2022-47966", "cvss": null, "summary": "Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_java_spawning_shells.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Kerberos Local Successful Logon", "id": "8309c3a8-4d34-48ae-ad66-631658214653", "version": 1, "date": "2022-04-27", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a local successful authentication event on a Windows endpoint using the Kerberos package. The target user security identified will be set to the built-in local Administrator account, along with the remote address as localhost - 127.0.0.1. This may be indicative of a kerberos relay attack. Upon triage, review for recently ran binaries on disk. In addition, look for new computer accounts added to Active Directory and other anomolous AD events.", "data_source": ["Windows Security 4624"], "search": "`wineventlog_security` EventCode=4624 Logon_Type=3 Authentication_Package=Kerberos action=success src_ip=127.0.0.1 | stats count min(_time) as firstTime max(_time) as lastTime by dest, subject, action, Security_ID, user, Account_Name, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_kerberos_local_successful_logon_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4624 EventCode enabled. The Windows TA is also required.", "known_false_positives": "False positives are possible, filtering may be required to restrict to workstations vs domain controllers. Filter as needed.", "references": ["https://github.com/Dec0ne/KrbRelayUp"], "tags": {"name": "Windows Kerberos Local Successful Logon", "analytic_story": ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "A successful localhost Kerberos authentication event occurred on $dest$, possibly indicative of Kerberos relay attack.", "mitre_attack_id": ["T1558"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "subject", "action", "Security_ID", "user", "Account_Name", "src_ip"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558/krbrelayup/krbrelayup.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog"}]}], "datamodel": ["Authentication"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_kerberos_local_successful_logon_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_kerberos_local_successful_logon.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows KrbRelayUp Service Creation", "id": "e40ef542-8241-4419-9af4-6324582ea60a", "version": 1, "date": "2022-05-02", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the default service name created by KrbRelayUp. Defenders should be aware that attackers could change the hardcoded service name of the KrbRelayUp tool and bypass this detection.", "data_source": ["Sysmon Event ID 7"], "search": "`wineventlog_system` EventCode=7045 Service_Name IN (\"KrbSCM\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Service_File_Name Service_Name Service_Start_Type Service_Type | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_krbrelayup_service_creation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows System Event Logs with 7045 EventCode enabled. The Windows TA is also required.", "known_false_positives": "False positives should be limited as this is specific to KrbRelayUp based attack. Filter as needed.", "references": ["https://github.com/Dec0ne/KrbRelayUp"], "tags": {"name": "Windows KrbRelayUp Service Creation", "analytic_story": ["Local Privilege Escalation With KrbRelayUp"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A service was created on $dest$, related to KrbRelayUp.", "mitre_attack_id": ["T1543.003"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Service_File_Name", "Service_Name", "Service_Start_Type", "Service_Type"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/krbrelayup/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_krbrelayup_service_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_krbrelayup_service_creation.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Windows Large Number of Computer Service Tickets Requested", "id": "386ad394-c9a7-4b4f-b66f-586252de20f0", "version": 1, "date": "2023-03-20", "author": "Mauricio Velazco, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic leverages Event ID 4769, `A Kerberos service ticket was requested`, to identify more than 30 computer service ticket requests from one source. When a domain joined endpoint connects to other remote endpoint, it will first request a Kerberos Service Ticket with the computer name as the Service Name. A user requesting a large number of computer service tickets for different endpoints could represent malicious behavior like lateral movement, malware staging, reconnaissance, etc.\\\nActive Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold as needed.", "data_source": ["Windows Security 4769"], "search": " `wineventlog_security` EventCode=4769 ServiceName=\"*$\" TargetUserName!=\"*$\" | bucket span=5m _time | stats dc(ServiceName) AS unique_targets values(ServiceName) as host_targets by _time, IpAddress, TargetUserName | where unique_targets > 30 | `windows_large_number_of_computer_service_tickets_requested_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "An single endpoint requesting a large number of kerberos service tickets is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems.", "references": ["https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/", "https://attack.mitre.org/techniques/T1135/", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769"], "tags": {"name": "Windows Large Number of Computer Service Tickets Requested", "analytic_story": ["Active Directory Privilege Escalation", "Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "A large number of kerberos computer service tickets were requested by $IpAddress$ within 5 minutes.", "mitre_attack_id": ["T1135", "T1078"], "nist": ["DE.AE"], "observable": [{"name": "IpAddress", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ServiceName", "TargetUserName", "IpAddress"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/large_number_computer_service_tickets/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_large_number_of_computer_service_tickets_requested_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_large_number_of_computer_service_tickets_requested.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Lateral Tool Transfer RemCom", "id": "e373a840-5bdc-47ef-b2fd-9cc7aaf387f0", "version": 1, "date": "2023-03-20", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies the use of RemCom.exe - The open source psexec. This utility provides the ability to move laterally and run scripts or commands remotely.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=remcom.exe OR Processes.original_file_name=RemCom.exe) Processes.process=\"*\\\\*\" Processes.process IN (\"*/user:*\", \"*/pwd:*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_lateral_tool_transfer_remcom_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present based on Administrative use. Filter as needed.", "references": ["https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "https://github.com/kavika13/RemCom"], "tags": {"name": "Windows Lateral Tool Transfer RemCom", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to move laterally.", "mitre_attack_id": ["T1570"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1570", "mitre_attack_technique": "Lateral Tool Transfer", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT32", "Aoqin Dragon", "Chimera", "FIN10", "GALLIUM", "Magic Hound", "Sandworm Team", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1570/remcom/remcom_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_lateral_tool_transfer_remcom_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_lateral_tool_transfer_remcom.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Ldifde Directory Object Behavior", "id": "35cd29ca-f08c-4489-8815-f715c45460d3", "version": 1, "date": "2023-05-25", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of Ldifde.exe, which provides the ability to create, modify, or delete LDAP directory objects. Natively, the binary is only installed on a domain controller. However, adversaries or administrators may install the Windows Remote Server Admin Tools for ldifde.exe. Ldifde.exe is a Microsoft Windows command-line utility used to import or export LDAP directory entries. LDAP stands for Lightweight Directory Access Protocol, which is a protocol used for accessing and managing directory information services over an IP network. LDIF, on the other hand, stands for LDAP Data Interchange Format, a standard plain-text data interchange format for representing LDAP directory entries. -i This is a flag used with Ldifde.exe to denote import mode. In import mode, Ldifde.exe takes an LDIF file and imports its contents into the LDAP directory. The data in the LDIF file might include new objects to be created, or modifications or deletions to existing objects. -f This flag is used to specify the filename of the LDIF file that Ldifde.exe will import from (in the case of the -i flag) or export to (without the -i flag). For example, if you wanted to import data from a file called data.ldif, you would use the command ldifde -i -f data.ldif. Keep in mind that while the use of Ldifde.exe is legitimate in many contexts, it can also be used maliciously. For instance, an attacker who has gained access to a domain controller could potentially use Ldifde.exe to export sensitive data or make unauthorized changes to the directory. Therefore, it's important to monitor for unusual or unauthorized use of this tool.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ldifde.exe Processes.process IN (\"*-i *\", \"*-f *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_ldifde_directory_object_behavior_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Ldifde/", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF", "https://twitter.com/0gtweet/status/1564968845726580736?s=20", "https://strontic.github.io/xcyclopedia/library/ldifde.exe-45D28FB47E9B6ACC5DCA9FDA3E790210.html"], "tags": {"name": "Windows Ldifde Directory Object Behavior", "analytic_story": ["Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Command And Control", "Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ utilizing ldifde on a domain controller.", "mitre_attack_id": ["T1105", "T1069.002"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "atomic_guid": ["22cf8cb9-adb1-4e8c-80ca-7c723dfc8784"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/ldifde_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_ldifde_directory_object_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_ldifde_directory_object_behavior.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Linked Policies In ADSI Discovery", "id": "510ea428-4731-4d2f-8829-a28293e427aa", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain organizational unit for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*[adsisearcher]*\" ScriptBlockText = \"*objectcategory=organizationalunit*\" ScriptBlockText = \"*findAll()*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_linked_policies_in_adsi_discovery_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81"], "tags": {"name": "Windows Linked Policies In ADSI Discovery", "analytic_story": ["Data Destruction", "Active Directory Discovery", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "powershell process having commandline $Message$ for user enumeration", "mitre_attack_id": ["T1087.002", "T1087"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ScriptBlockText", "Computer", "user_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/adsi_discovery/windows-powershell-xml2.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_linked_policies_in_adsi_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_linked_policies_in_adsi_discovery.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Local Administrator Credential Stuffing", "id": "09555511-aca6-484a-b6ab-72cd03d73c34", "version": 1, "date": "2023-03-22", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic leverages events 4625 and 4624 to identify an endpoint using the builtin local Administrator account to authenticate to a large numbers of endpoints. Specifically, the logic will trigger when an endpoints attempts to authenticate to more than 30 target computers within a 5 minute timespan. This behavior could represent an adversary who has obtained access to local credentials and is trying to validate if these credentials work on other hosts to escalate their privileges. As environments differ across organizations, security teams should customize the thresholds of this detection as needed.", "data_source": ["Windows Security 4624"], "search": " `wineventlog_security` EventCode=4625 OR EventCode=4624 Logon_Type=3 TargetUserName=Administrator | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as host_targets by _time, IpAddress, TargetUserName, EventCode | where unique_targets > 30 | `windows_local_administrator_credential_stuffing_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "Vulnerability scanners or system administration tools may also trigger this detection. Filter as needed.", "references": ["https://attack.mitre.org/techniques/T1110/004/", "https://attack.mitre.org/techniques/T1110/", "https://www.blackhillsinfosec.com/wide-spread-local-admin-testing/", "https://www.pentestpartners.com/security-blog/admin-password-re-use-dont-do-it/", "https://www.praetorian.com/blog/microsofts-local-administrator-password-solution-laps/", "https://wiki.porchetta.industries/smb-protocol/password-spraying"], "tags": {"name": "Windows Local Administrator Credential Stuffing", "analytic_story": ["Active Directory Privilege Escalation", "Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Local Administrator credential stuffing attack coming from $IpAddress$", "mitre_attack_id": ["T1110", "T1110.004"], "nist": ["DE.CM"], "observable": [{"name": "host_targets", "type": "Endpoint", "role": ["Victim"]}, {"name": "IpAddress", "type": "Endpoint", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Logon_Type", "TargetUserName", "Computer", "IpAddress"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.004/local_administrator_cred_stuffing/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_local_administrator_credential_stuffing_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_local_administrator_credential_stuffing.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Mail Protocol In Non-Common Process Path", "id": "ac3311f5-661d-4e99-bd1f-3ec665b05441", "version": 1, "date": "2022-09-16", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a possible windows application having a SMTP connection in a non common installation path in windows operating system.This network protocol is being used by adversaries, threat actors and malware like AgentTesla as a Command And Control communication to transfer its collected stolen information like the desktop screenshots, browser information and system information of a targeted or compromised host.", "data_source": ["Sysmon Event ID 3"], "search": "`sysmon` EventCode=3 NOT(Image IN(\"*\\\\program files*\", \"*\\\\thunderbird.exe\",\"*\\\\outlook.exe\")) (DestinationPortName=\"smtp\" OR DestinationPort=25 OR DestinationPort=587) | stats count min(_time) as firstTime max(_time) as lastTime by Image DestinationPort DestinationPortName DestinationHostname SourceHostname SourcePort SourcePortName Protocol DestinationIp Computer user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mail_protocol_in_non_common_process_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and sysmon eventcode = 3 connection events from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "third party application may use this network protocol as part of its feature. Filter is needed.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla"], "tags": {"name": "Windows Mail Protocol In Non-Common Process Path", "analytic_story": ["AgentTesla"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Command And Control"], "message": "a process $Image$ is having a SMTP connection to $DestinationHostname$ in $Computer$", "mitre_attack_id": ["T1071.003", "T1071"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "DestinationPort", "DestinationPortName", "DestinationHostname", "SourceHostname", "SourcePort", "SourcePortName", "Protocol", "DestinationIp", "Computer", "user"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1071.003", "mitre_attack_technique": "Mail Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT28", "APT32", "Kimsuky", "SilverTerrier", "Turla"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Dragonfly", "Magic Hound", "Rocke", "TeamTNT"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/agent_tesla/agent_tesla_smtp/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_mail_protocol_in_non_common_process_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml", "source": "endpoint"}, {"name": "Windows Masquerading Explorer As Child Process", "id": "61490da9-52a1-4855-a0c5-28233c88c481", "version": 1, "date": "2022-10-20", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a suspicious parent process of explorer.exe. Explorer is usually executed by userinit.exe that will exit after execution that causes the main explorer.exe no parent process. Some malware like qakbot spawn another explorer.exe to inject its code. This TTP detection is a good indicator that a process spawning explorer.exe might inject code or masquerading its parent child process to evade detections.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN(\"cmd.exe\", \"powershell.exe\", \"regsvr32.exe\") AND Processes.process_name = \"explorer.exe\" by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `windows_masquerading_explorer_as_child_process_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot"], "tags": {"name": "Windows Masquerading Explorer As Child Process", "analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "message": "explorer.exe hash a suspicious parent process $parent_process_name$ in $dest$", "mitre_attack_id": ["T1574.002", "T1574"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Earth Lusca", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_masquerading_explorer_as_child_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_masquerading_explorer_as_child_process.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Mimikatz Binary Execution", "id": "a9e0d6d3-9676-4e26-994d-4e0406bb4467", "version": 1, "date": "2022-11-16", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "As simple as it sounds, this analytic identifies when the native mimikatz.exe binary executes on Windows. It does look for the original file name as well, just in case the binary is renamed. Adversaries sometimes bring in the default binary and run it directly. Benjamin Delpy originally created Mimikatz as a proof of concept to show Microsoft that its authentication protocols were vulnerable to an attack. Instead, he inadvertently created one of the most widely used and downloaded threat actor tools of the past 20 years. Mimikatz is an open-source application that allows users to view and save authentication credentials such as Kerberos tickets.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=mimikatz.exe OR Processes.original_file_name=mimikatz.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mimikatz_binary_execution_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited as this is directly looking for Mimikatz, the credential dumping utility.", "references": ["https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", "https://www.varonis.com/blog/what-is-mimikatz", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"], "tags": {"name": "Windows Mimikatz Binary Execution", "analytic_story": ["Credential Dumping", "CISA AA22-320A", "Sandworm Tools", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting dump credentials.", "mitre_attack_id": ["T1003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/mimikatzwindows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_mimikatz_binary_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_mimikatz_binary_execution.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Mimikatz Crypto Export File Extensions", "id": "3a9a6806-16a8-4cda-8d73-b49d10a05b16", "version": 1, "date": "2023-02-07", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies hardcoded extensions related to the Crypo module within Mimikatz. Moving certificates or downloading them is not malicious, however with Mimikatz having hardcoded names it helps to identify potential usage of certificates being exported.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*.keyx.rsa.pvk\",\"*sign.rsa.pvk\",\"*sign.dsa.pvk\",\"*dsa.ec.p8k\",\"*dh.ec.p8k\", \"*.pfx\", \"*.der\") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Filesystem)` | `windows_mimikatz_crypto_export_file_extensions_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present and may need to be reviewed before this can be turned into a TTP. In addition, remove .pfx (standalone) if it's too much volume.", "references": ["https://github.com/gentilkiwi/mimikatz/blob/master/mimikatz/modules/kuhl_m_crypto.c#L628-L645"], "tags": {"name": "Windows Mimikatz Crypto Export File Extensions", "analytic_story": ["Windows Certificate Services", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "kill_chain_phases": ["Exploitation"], "message": "Certificate file extensions realted to Mimikatz were identified on disk on $dest$.", "mitre_attack_id": ["T1649"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.dest", "Filesystem.file_create_time", "Filesystem.file_name", "Filesystem.file_path"], "risk_score": 28, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/certwrite_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_mimikatz_crypto_export_file_extensions_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_mimikatz_crypto_export_file_extensions.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Registry Auto Minor Updates", "id": "be498b9f-d804-4bbf-9fc0-d5448466b313", "version": 1, "date": "2023-04-21", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will \"Treat minor updates like other updates\".", "data_source": ["Sysmon EventID 12", "Sysmon EventID 13", "Sysmon EventID 14"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\\\\AutoInstallMinorUpdates\" AND Registry.registry_value_data=\"0x00000000\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_auto_minor_updates_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"name": "Windows Modify Registry Auto Minor Updates", "analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "A registry modification in Windows auto update configuration on $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action", "Registry.registry_value_data"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint", "Updates"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_auto_minor_updates_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_registry_auto_minor_updates.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Registry Auto Update Notif", "id": "4d1409df-40c7-4b11-aec4-bd0e709dfc12", "version": 1, "date": "2023-04-21", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a suspicious registry modification of Windows auto update notification. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will switch the automatic windows update to \"Notify before download\".", "data_source": ["Sysmon EventID 12", "Sysmon EventID 13", "Sysmon EventID 14"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\\\\AUOptions\" AND Registry.registry_value_data=\"0x00000002\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_auto_update_notif_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"name": "Windows Modify Registry Auto Update Notif", "analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "A registry modification in Windows auto update notification on $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action", "Registry.registry_value_data"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "atomic_guid": ["12e03af7-79f9-4f95-af48-d3f12f28a260"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_auto_update_notif_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_registry_auto_update_notif.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Registry Default Icon Setting", "id": "a7a7afdb-3c58-45b6-9bff-63e5acfd9d40", "version": 1, "date": "2023-01-16", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is developed to detect suspicious registry modification to change the default icon association of windows to ransomware . This technique was seen in Lockbit ransomware where it modified the default icon association of the compromised Windows OS host with its dropped ransomware icon file as part of its defacement payload. This registry is not commonly modified by a normal user so having this anomaly detection may help to catch possible lockbit ransomware infection or other malware.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path =\"*\\\\defaultIcon\\\\(Default)*\" Registry.registry_path = \"*HKCR\\\\*\" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.action Registry.dest Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_modify_registry_default_icon_setting_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "unknown", "references": ["https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html", "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/"], "tags": {"name": "Windows Modify Registry Default Icon Setting", "analytic_story": ["LockBit Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "a registry $Registry.registry_path$ was modified or created to modify defaulticon settings of the $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.user", "Registry.registry_path", "Registry.registry_key_name", "Registry.registry_value_name", "Registry.action"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/lockbit_ransomware/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_default_icon_setting_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_registry_default_icon_setting.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Registry Disable Toast Notifications", "id": "ed4eeacb-8d5a-488e-bc97-1ce6ded63b84", "version": 1, "date": "2022-06-22", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic is to identify a modification in the Windows registry to disable toast notifications. This Windows Operating System feature is responsible for alerting or notifying user if application or OS need some updates. Adversaries and malwares like Azorult abuse this technique to disable important update notification in compromised host. This anomaly detection is a good pivot to look for further events related to defense evasion and execution.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\PushNotifications\\\\ToastEnabled*\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_toast_notifications_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "references": ["https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"name": "Windows Modify Registry Disable Toast Notifications", "analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "the registry for DisallowRun settings was modified to enable in $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disable_toast_notifications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Registry Disable Win Defender Raw Write Notif", "id": "0e5e25c3-32f4-46f7-ba4a-5b95c3b90f5b", "version": 1, "date": "2022-06-23", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a modification in the Windows registry to disable Windows Defender raw write notification feature. This policy controls whether raw volume write notifications are sent to behavior monitoring or not. This registry was recently identified in Azorult malware to bypass Windows Defender detections or behavior monitoring in terms of volume write.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\Real-Time Protection\\\\DisableRawWriteNotification*\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_win_defender_raw_write_notif_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive. Filter as needed.", "references": ["https://admx.help/?Category=SystemCenterEndpointProtection&Policy=Microsoft.Policies.Antimalware::real-time_protection_disablerawwritenotification", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"name": "Windows Modify Registry Disable Win Defender Raw Write Notif", "analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "The registry for raw write notification settings was modified to disable in $dest$.", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disable_win_defender_raw_write_notif_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Registry Disable WinDefender Notifications", "id": "8e207707-ad40-4eb3-b865-3a52aec91f26", "version": 1, "date": "2023-04-21", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a suspicious registry modification to disable Windows Defender notification. This technique was being abused by several adversaries, malware authors and also red-teamers to evade detection on the targeted machine. RedLine Stealer is one of the malware we've seen that uses this technique to bypass Windows defender detection.", "data_source": ["Sysmon EventID 12", "Sysmon EventID 13", "Sysmon EventID 14"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\Notifications\\\\DisableNotifications\" AND Registry.registry_value_data=\"0x00000001\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_disable_windefender_notifications_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"name": "Windows Modify Registry Disable WinDefender Notifications", "analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "A registry modification to disable Windows Defender notification on $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action", "Registry.registry_value_data"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "atomic_guid": ["12e03af7-79f9-4f95-af48-d3f12f28a260"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disable_windefender_notifications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Registry Disable Windows Security Center Notif", "id": "27ed3e79-6d86-44dd-b9ab-524451c97a7b", "version": 1, "date": "2022-06-22", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic is to identify a modification in the Windows registry to disable windows center notifications. This Windows Operating System feature is responsible for alerting or notifying user if application or OS need some updates. Adversaries and malwares like Azorult abuse this technique to disable important update notification in compromised host. This anomaly detection is a good pivot to look for further events related to defense evasion and execution.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows\\\\CurrentVersion\\\\ImmersiveShell\\\\UseActionCenterExperience*\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_windows_security_center_notif_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "references": ["https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"name": "Windows Modify Registry Disable Windows Security Center Notif", "analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "the registry for security center notification settings was modified to disable mode in $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disable_windows_security_center_notif_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Registry Disabling WER Settings", "id": "21cbcaf1-b51f-496d-a0c1-858ff3070452", "version": 1, "date": "2022-06-22", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a modification in the Windows registry to disable Windows error reporting settings. This Windows feature allows the user to report bugs, errors, failure or problems encountered in specific application or processes. Adversaries use this technique to hide any error or failure that some of its malicious components trigger.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\disable*\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disabling_wer_settings_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed.", "references": ["https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"name": "Windows Modify Registry Disabling WER Settings", "analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "the registry for WER settings was modified to be disabled on $dest$.", "mitre_attack_id": ["T1112"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disabling_wer_settings_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_registry_disabling_wer_settings.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Registry DisAllow Windows App", "id": "4bc788d3-c83a-48c5-a4e2-e0c6dba57889", "version": 1, "date": "2022-06-22", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies modification in the Windows registry to prevent user running specific computer programs that could aid them in manually removing malware or detecting it using security products. This technique was recently identified in Azorult malware where it uses this registry value to prevent several AV products to execute on the compromised host machine.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\DisallowRun*\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disallow_windows_app_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive. Filter as needed.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"name": "Windows Modify Registry DisAllow Windows App", "analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "The registry for DisallowRun settings was modified to enable in $dest$.", "mitre_attack_id": ["T1112"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disallow_windows_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_registry_disallow_windows_app.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Registry Do Not Connect To Win Update", "id": "e09c598e-8dd0-4e73-b740-4b96b689199e", "version": 1, "date": "2023-04-21", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will disable Windos update functionality, and may cause connection to public services such as the Windows Store to stop working. This policy applies only when this PC is configured to connect to an intranet update service using the \"Specify intranet Microsoft update service location\" policy.", "data_source": ["Sysmon EventID 12", "Sysmon EventID 13", "Sysmon EventID 14"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\DoNotConnectToWindowsUpdateInternetLocations\" AND Registry.registry_value_data=\"0x00000001\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_do_not_connect_to_win_update_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499", "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsUpdate::DoNotConnectToWindowsUpdateInternetLocations"], "tags": {"name": "Windows Modify Registry Do Not Connect To Win Update", "analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "a registry modification in Windows auto update configuration in $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action", "Registry.registry_value_data"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "atomic_guid": ["12e03af7-79f9-4f95-af48-d3f12f28a260"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_do_not_connect_to_win_update_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Registry No Auto Reboot With Logon User", "id": "6a12fa9f-580d-4627-8c7f-313e359bdc6a", "version": 1, "date": "2023-04-21", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will allow \"Logged-on user gets to choose whether or not to restart his or her compute\".", "data_source": ["Sysmon EventID 12", "Sysmon EventID 13", "Sysmon EventID 14"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\\\\NoAutoRebootWithLoggedOnUsers\" AND Registry.registry_value_data=\"0x00000001\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_no_auto_reboot_with_logon_user_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"name": "Windows Modify Registry No Auto Reboot With Logon User", "analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "A registry modification in Windows auto update configuration on $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action", "Registry.registry_value_data"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "atomic_guid": ["12e03af7-79f9-4f95-af48-d3f12f28a260"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_no_auto_reboot_with_logon_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Registry No Auto Update", "id": "fbd4f333-17bb-4eab-89cb-860fa2e0600e", "version": 1, "date": "2023-04-21", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will \"Disable Automatic Updates\".", "data_source": ["Sysmon EventID 12", "Sysmon EventID 13", "Sysmon EventID 14"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\\\\NoAutoUpdate\" AND Registry.registry_value_data=\"0x00000001\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_no_auto_update_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"name": "Windows Modify Registry No Auto Update", "analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "A registry modification in Windows auto update configuration on $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action", "Registry.registry_value_data"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "atomic_guid": ["12e03af7-79f9-4f95-af48-d3f12f28a260"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_no_auto_update_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_registry_no_auto_update.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Registry Qakbot Binary Data Registry", "id": "2e768497-04e0-4188-b800-70dd2be0e30d", "version": 1, "date": "2022-11-10", "author": "Teoderick Contreras, Bhavin Patel, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a suspicious registry entry created by Qakbot malware as part of its malicious execution. This \"Binary Data\" Registry was created by newly spawn explorer.exe where its malicious code is injected to it. The registry consist of 8 random registry value name with encrypted binary data on its registry value data. This anomaly detections can be a good pivot for possible Qakbot malware infection or other malware that uses registry to save or store there config or malicious code on the registry data stream.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count dc(registry_value_name) as registry_value_name_count FROM datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Microsoft\\\\*\" AND Registry.registry_value_data = \"Binary Data\" by _time span=1m Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.process_id Registry.registry_key_name | `drop_dm_object_name(Registry)` | rename process_guid as proc_guid | eval registry_key_name_len = len(registry_key_name) | eval registry_value_name_len = len(registry_value_name) | regex registry_value_name=\"^[0-9a-fA-F]{8}\" | where registry_key_name_len < 80 AND registry_value_name_len == 8 | join proc_guid, _time [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name IN (\"explorer.exe\", \"wermgr.exe\",\"dxdiag.exe\", \"OneDriveSetup.exe\", \"mobsync.exe\", \"msra.exe\", \"xwizard.exe\") by _time span=1m Processes.process_id Processes.process_name Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid Processes.process_path | `drop_dm_object_name(Processes)` | rename process_guid as proc_guid | fields _time dest user parent_process_name parent_process process_name process_path process proc_guid registry_path registry_value_name registry_value_data process_id registry_key_name registry_value_name_count] | stats min(_time) as firstTime max(_time) as lastTime values(registry_value_name) as registry_value_name dc(registry_value_name) as registry_value_name_count by process_path registry_key_name registry_value_data proc_guid registry_key_name_len registry_value_name_len | where registry_value_name_count >= 5 | `windows_modify_registry_qakbot_binary_data_registry_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "unknown", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/decrypting-qakbots-encrypted-registry-keys/"], "tags": {"name": "Windows Modify Registry Qakbot Binary Data Registry", "analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "registry with binary data $registry_path$ created by $process_name$ in $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "user", "parent_process_name", "parent_process", "process_name", "process_path", "process", "proc_guid", "registry_path", "registry_value_name", "registry_value_data", "process_id", "registry_key_name", "registry_key_name_len", "registry_value_name_len"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot2/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_qakbot_binary_data_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Registry Reg Restore", "id": "d0072bd2-6d73-4c1b-bc77-ded6d2da3a4e", "version": 1, "date": "2022-12-12", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies a process execution of reg.exe with \"restore\" parameter. This reg.exe parameter is commonly used to restore registry backup data in a targeted host. This approach or technique was also seen in post-exploitation tool like winpeas where it uses \"reg save\" and \"reg restore\" to check the registry modification restriction in targeted host after gaining access to it.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = \"* restore *\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_reg_restore_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used.", "known_false_positives": "network administrator can use this command tool to backup registry before updates or modifying critical registries.", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/quser", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"name": "Windows Modify Registry Reg Restore", "analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "execution of process $process_name$ in $dest$", "mitre_attack_id": ["T1012"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id", "Processes.parent_process_guid", "Processes.process_guid"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_reg_restore_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_registry_reg_restore.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Registry Regedit Silent Reg Import", "id": "824dd598-71be-4203-bc3b-024f4cda340e", "version": 1, "date": "2022-06-24", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies modification of Windows registry using regedit.exe application with silent mode parameter. regedit.exe windows application is commonly used as GUI app to check or modify registry. This application is also has undocumented command-line parameter and one of those are silent mode parameter that performs action without stopping for confirmation with dialog box. Importing registry from .reg files need to monitor in a production environment since it can be used adversaries to import RMS registry in compromised host.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"regedit.exe\" OR Processes.original_file_name=\"regedit.exe\") AND Processes.process=\"* /s *\" AND Processes.process=\"*.reg*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_regedit_silent_reg_import_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators may execute this command that may cause some false positive. Filter as needed.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/", "https://www.techtarget.com/searchwindowsserver/tip/Command-line-options-for-Regeditexe"], "tags": {"name": "Windows Modify Registry Regedit Silent Reg Import", "analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "The regedit app was executed with silet mode parameter to import .reg file on $dest$.", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_regedit_silent_reg_import_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Registry Suppress Win Defender Notif", "id": "e3b42daf-fff4-429d-bec8-2a199468cea9", "version": 1, "date": "2022-06-22", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic is to identify a modification in the Windows registry to suppress windows defender notification. This technique was abuse by adversaries and threat actor to bypassed windows defender on the targeted host. Azorult malware is one of the malware use this technique that also disable toast notification and other windows features as part of its malicious behavior.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\UX Configuration\\\\Notification_Suppress*\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_suppress_win_defender_notif_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "references": ["https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"name": "Windows Modify Registry Suppress Win Defender Notif", "analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "the registry for suppresing windows fdefender notification settings was modified to disabled in $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_suppress_win_defender_notif_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Registry Tamper Protection", "id": "12094335-88fc-4c3a-b55f-e62dd8c93c23", "version": 1, "date": "2023-04-21", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a suspicious registry modification to tamper Windows Defender protection. This technique was being abused by several adversaries, malware authors and also red-teamers to evade detection on the targeted machine. RedLine Stealer is one of the malware we've seen that uses this technique to bypass Windows defender detection.", "data_source": ["Sysmon EventID 12", "Sysmon EventID 13", "Sysmon EventID 14"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection\" AND Registry.registry_value_data=\"0x00000000\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_tamper_protection_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"name": "Windows Modify Registry Tamper Protection", "analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "A registry modification to tamper Windows Defender protection on $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action", "Registry.registry_value_data"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "atomic_guid": ["12e03af7-79f9-4f95-af48-d3f12f28a260"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_tamper_protection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_registry_tamper_protection.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Registry UpdateServiceUrlAlternate", "id": "ca4e94fb-7969-4d63-8630-3625809a1f70", "version": 1, "date": "2023-04-21", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that specifies an intranet server to host updates from Microsoft Update.", "data_source": ["Sysmon EventID 12", "Sysmon EventID 13", "Sysmon EventID 14"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\UpdateServiceUrlAlternate\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_updateserviceurlalternate_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"name": "Windows Modify Registry UpdateServiceUrlAlternate", "analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "A registry modification in Windows auto update configuration on $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action", "Registry.registry_value_data"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_updateserviceurlalternate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Registry USeWuServer", "id": "c427bafb-0b2c-4b18-ad85-c03c6fed9e75", "version": 1, "date": "2023-04-21", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will use \"The WUServer value unless this key is set\".", "data_source": ["Sysmon EventID 12", "Sysmon EventID 13", "Sysmon EventID 14"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\\\\UseWUServer\" AND Registry.registry_value_data=\"0x00000001\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_usewuserver_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"name": "Windows Modify Registry USeWuServer", "analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "a registry modification in Windows auto update configuration in $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action", "Registry.registry_value_data"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_usewuserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_registry_usewuserver.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Registry WuServer", "id": "a02ad386-e26d-44ce-aa97-6a46cee31439", "version": 1, "date": "2023-04-21", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification related to the WSUS server used by Automatic Updates and (by default) API callers. This policy is paired with WUStatusServer; both must be set to the same value in order for them to be valid.", "data_source": ["Sysmon EventID 12", "Sysmon EventID 13", "Sysmon EventID 14"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\WUServer\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_wuserver_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"name": "Windows Modify Registry WuServer", "analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "A registry modification in Windows auto update configuration on $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action", "Registry.registry_value_data"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_wuserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_registry_wuserver.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Registry wuStatusServer", "id": "073e69d0-68b2-4142-aa90-a7ee6f590676", "version": 1, "date": "2023-04-21", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification related to the server to which reporting information will be sent for client computers that use the WSUS server configured by the WUServer key. This policy is paired with WUServer; both must be set to the same value in order for them to be valid.", "data_source": ["Sysmon EventID 12", "Sysmon EventID 13", "Sysmon EventID 14"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\WUStatusServer\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_wustatusserver_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"name": "Windows Modify Registry wuStatusServer", "analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "a registry modification in Windows auto update configuration in $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action", "Registry.registry_value_data"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_wustatusserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_registry_wustatusserver.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "id": "b7548c2e-9a10-11ec-99e3-acde48001122", "version": 3, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to look for suspicious registry modification related to file compression color and information tips. This IOC was seen in hermetic wiper where it has a thread that will create this registry entry to change the color of compressed or encrypted files in NTFS file system as well as the pop up information tips. This is a good indicator that a process tries to modified one of the registry GlobalFolderOptions related to file compression attribution in terms of color in NTFS file system.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced*\" AND Registry.registry_value_name IN(\"ShowCompColor\", \"ShowInfoTip\")) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_show_compress_color_and_info_tip_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "references": ["https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html"], "tags": {"name": "Windows Modify Show Compress Color And Info Tip Registry", "analytic_story": ["Data Destruction", "Windows Defense Evasion Tactics", "Windows Registry Abuse", "Hermetic Wiper"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Registry modification in \"ShowCompColor\" and \"ShowInfoTips\" on $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/hermetic_wiper/globalfolderoptions_reg/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_show_compress_color_and_info_tip_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows MOF Event Triggered Execution via WMI", "id": "e59b5a73-32bf-4467-a585-452c36ae10c1", "version": 1, "date": "2022-07-15", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following anaytic identifies MOFComp.exe loading a MOF file. The Managed Object Format (MOF) compiler parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. Typically, MOFComp.exe does not reach out to the public internet or load a MOF file from User Profile paths. A filter and consumer is typically registered in WMI. Review parallel processes and query WMI subscriptions to gather artifacts. The default path of mofcomp.exe is C:\\Windows\\System32\\wbem.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name IN (\"cmd.exe\", \"powershell.exe\") Processes.process_name=mofcomp.exe) OR (Processes.process_name=mofcomp.exe Processes.process IN (\"*\\\\AppData\\\\Local\\\\*\",\"*\\\\Users\\\\Public\\\\*\", \"*\\\\WINDOWS\\\\Temp\\\\*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mof_event_triggered_execution_via_wmi_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present from automation based applications (SCCM), filtering may be required. In addition, break the query out based on volume of usage. Filter process names or f", "references": ["https://attack.mitre.org/techniques/T1546/003/", "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp", "https://pentestlab.blog/2020/01/21/persistence-wmi-event-subscription/", "https://www.sakshamdixit.com/wmi-events/"], "tags": {"name": "Windows MOF Event Triggered Execution via WMI", "analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ loading a MOF file.", "mitre_attack_id": ["T1546.003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.003", "mitre_attack_technique": "Windows Management Instrumentation Event Subscription", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT33", "Blue Mockingbird", "FIN8", "Leviathan", "Metador", "Mustang Panda", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.003/atomic_red_team/mofcomp.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_mof_event_triggered_execution_via_wmi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows MOVEit Transfer Writing ASPX", "id": "c0ed2aca-5666-45b3-813f-ddfac3f3eda0", "version": 1, "date": "2023-06-01", "author": "Michael Haag, Splunk", "type": "TTP", "status": "experimental", "description": "This analytic detects the creation of new ASPX files in the MOVEit Transfer application's \"wwwroot\" directory. This activity is indicative of the recent critical vulnerability found in MOVEit Transfer, where threat actors have been observed exploiting a zero-day vulnerability to install a malicious ASPX file (e.g., \"human2.aspx\") in the wwwroot directory. The injected file could then be used to exfiltrate sensitive data, including user credentials and file metadata. The vulnerability affects the MOVEit Transfer managed file transfer software developed by Progress, a subsidiary of US-based Progress Software Corporation. This analytic requires endpoint data reflecting process and filesystem activity. The identified process must be responsible for the creation of new ASPX or ASHX files in the specified directory.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=System by _time span=1h Processes.process_id Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\MOVEitTransfer\\\\wwwroot\\\\*\") Filesystem.file_name IN(\"*.aspx\", \"*.ashx\", \"*.asp*\") OR Filesystem.file_name IN (\"human2.aspx\",\"_human2.aspx\") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process] | dedup file_create_time | table dest file_create_time, file_name, file_path, process_name | `windows_moveit_transfer_writing_aspx_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node.", "known_false_positives": "The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product.", "references": ["https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023", "https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/", "https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/", "https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/", "https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft"], "tags": {"name": "Windows MOVEit Transfer Writing ASPX", "analytic_story": ["MOVEit Transfer Critical Vulnerability"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Delivery", "Installation"], "message": "The MOVEit application on $dest$ has written a new ASPX file to disk.", "mitre_attack_id": ["T1190", "T1133"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.file_path", "Filesystem.process_id", "Filesystem.file_name", "Filesystem.file_hash", "Filesystem.user", "Filesystem.file_create_time", "Processes.process_id", "Processes.process_name", "Processes.dest"], "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "atomic_guid": [], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.003/moveit_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_moveit_transfer_writing_aspx_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_moveit_transfer_writing_aspx.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows MSExchange Management Mailbox Cmdlet Usage", "id": "396de86f-25e7-4b0e-be09-a330be35249d", "version": 1, "date": "2022-11-21", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic uses the Exchange Management logs, that are enabled by default, to identify suspicious Cmdlet usage related to ProxyShell and ProxyNotShell abuse.", "data_source": ["Sysmon Event ID 1"], "search": "`msexchange_management` EventCode=1 Message IN (\"*New-MailboxExportRequest*\", \"*New-ManagementRoleAssignment*\", \"*New-MailboxSearch*\", \"*Get-Recipient*\", \"*Search-Mailbox*\") | stats count min(_time) as firstTime max(_time) as lastTime by host Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename host AS dest | `windows_msexchange_management_mailbox_cmdlet_usage_filter`", "how_to_implement": "The following analytic requires collecting the Exchange Management logs via a input. An example inputs is here https://gist.github.com/MHaggis/f66f1d608ea046efb9157020cd34c178. We used multiline as the XML format of the logs will require props/transforms. Multiline gives us everything we need in Message for now. Update the macro with your correct sourcetype.", "known_false_positives": "False positives may be present when an Administrator utilizes the cmdlets in the query. Filter or monitor as needed.", "references": ["https://gist.github.com/MHaggis/f66f1d608ea046efb9157020cd34c178"], "tags": {"name": "Windows MSExchange Management Mailbox Cmdlet Usage", "analytic_story": ["ProxyShell", "ProxyNotShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 40, "kill_chain_phases": ["Installation"], "message": "Cmdlets related to ProxyShell and ProxyNotShell have been identified on $dest$.", "mitre_attack_id": ["T1059", "T1059.001"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Message", "dest"], "risk_score": 32, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/exchange/msexchangemanagement.log", "source": "WinEventLog:MSExchange Management", "sourcetype": "MSExchange:management", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "msexchange_management", "definition": "sourcetype=MSExchange:management", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_msexchange_management_mailbox_cmdlet_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_msexchange_management_mailbox_cmdlet_usage.yml", "source": "endpoint"}, {"name": "Windows Mshta Execution In Registry", "id": "e13ceade-b673-4d34-adc4-4d9c01729753", "version": 1, "date": "2022-10-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the usage of mshta.exe Windows binary in registry to execute malicious script. This technique was seen in kovter malware where it create several registry entry which is a encoded javascript and will be executed by another registry containing mshta and javascript activexobject to execute the encoded script using wscript.shell. This TTP is a good indication of kovter malware or other adversaries or threat actors leveraging fileless detection that survive system reboot.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_value_data = \"*mshta*\" OR Registry.registry_value_data IN (\"*javascript:*\", \"*vbscript:*\",\"*WScript.Shell*\") by Registry.registry_key_name Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mshta_execution_in_registry_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "unknown", "references": ["https://redcanary.com/threat-detection-report/techniques/mshta/", "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/fileless-threats?view=o365-worldwide"], "tags": {"name": "Windows Mshta Execution In Registry", "analytic_story": ["Suspicious Windows Registry Activities", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "a registry $registry_path$ contains mshta $registry_value_data$ in $dest$", "mitre_attack_id": ["T1218.005"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.dest", "Registry.registry_value_data", "Registry.action"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/mshta_in_registry/sysmon3.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_mshta_execution_in_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_mshta_execution_in_registry.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows MSIExec DLLRegisterServer", "id": "fdb59aef-d88f-4909-8369-ec2afbd2c398", "version": 1, "date": "2022-06-14", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the usage of msiexec.exe using the /y switch parameter, which grants the ability for msiexec to load DLLRegisterServer. Upon triage, review parent process and capture any artifacts for further review.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_msiexec` Processes.process IN (\"*/y*\", \"*-y*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_dllregisterserver_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "This analytic will need to be tuned for your environment based on legitimate usage of msiexec.exe. Filter as needed.", "references": ["https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"], "tags": {"name": "Windows MSIExec DLLRegisterServer", "analytic_story": ["Windows System Binary Proxy Execution MSIExec"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to register a file.", "mitre_attack_id": ["T1218.007"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.007", "mitre_attack_technique": "Msiexec", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Machete", "Molerats", "Rancor", "TA505", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_msiexec", "definition": "(Processes.process_name=msiexec.exe OR Processes.original_file_name=msiexec.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_msiexec_dllregisterserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_msiexec_dllregisterserver.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows MSIExec Remote Download", "id": "6aa49ff2-3c92-4586-83e0-d83eb693dfda", "version": 1, "date": "2022-06-16", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies msiexec.exe with http in the command-line. This procedure will utilize msiexec.exe to download a remote file and load it. During triage, review parallel processes and capture any artifacts on disk for review.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_msiexec` Processes.process IN (\"*http://*\", \"*https://*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_remote_download_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present, filter by destination or parent process as needed.", "references": ["https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"], "tags": {"name": "Windows MSIExec Remote Download", "analytic_story": ["Windows System Binary Proxy Execution MSIExec"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a remote file.", "mitre_attack_id": ["T1218.007"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.007", "mitre_attack_technique": "Msiexec", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Machete", "Molerats", "Rancor", "TA505", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_msiexec", "definition": "(Processes.process_name=msiexec.exe OR Processes.original_file_name=msiexec.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_msiexec_remote_download_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_msiexec_remote_download.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows MSIExec Spawn Discovery Command", "id": "e9d05aa2-32f0-411b-930c-5b8ca5c4fcee", "version": 1, "date": "2022-06-13", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies MSIExec spawning multiple discovery commands, including spawning Cmd.exe or PowerShell.exe. Typically, child processes are not common from MSIExec other than MSIExec spawning itself.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=msiexec.exe Processes.process_name IN (\"powershell.exe\",\"cmd.exe\", \"nltest.exe\",\"ipconfig.exe\",\"systeminfo.exe\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_spawn_discovery_command_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives will be present with MSIExec spawning Cmd or PowerShell. Filtering will be needed. In addition, add other known discovery processes to enhance query.", "references": ["https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"], "tags": {"name": "Windows MSIExec Spawn Discovery Command", "analytic_story": ["Windows System Binary Proxy Execution MSIExec"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ running different discovery commands.", "mitre_attack_id": ["T1218.007"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.007", "mitre_attack_technique": "Msiexec", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Machete", "Molerats", "Rancor", "TA505", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_msiexec_spawn_discovery_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_msiexec_spawn_discovery_command.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows MSIExec Unregister DLLRegisterServer", "id": "a27db3c5-1a9a-46df-a577-765d3f1a3c24", "version": 1, "date": "2022-06-14", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the usage of msiexec.exe using the /z switch parameter, which grants the ability for msiexec to unload DLLRegisterServer. Upon triage, review parent process and capture any artifacts for further review.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_msiexec` Processes.process IN (\"*/z*\", \"*-z*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_unregister_dllregisterserver_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "This analytic will need to be tuned for your environment based on legitimate usage of msiexec.exe. Filter as needed.", "references": ["https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"], "tags": {"name": "Windows MSIExec Unregister DLLRegisterServer", "analytic_story": ["Windows System Binary Proxy Execution MSIExec"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to unregister a file.", "mitre_attack_id": ["T1218.007"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.007", "mitre_attack_technique": "Msiexec", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Machete", "Molerats", "Rancor", "TA505", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_msiexec", "definition": "(Processes.process_name=msiexec.exe OR Processes.original_file_name=msiexec.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_msiexec_unregister_dllregisterserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows MSIExec With Network Connections", "id": "827409a1-5393-4d8d-8da4-bbb297c262a7", "version": 1, "date": "2022-06-16", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies MSIExec with any network connection over port 443 or 80. Typically, MSIExec does not perform network communication to the internet.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_msiexec` by _time Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port IN (\"80\",\"443\") by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port All_Traffic.dest_ip | `drop_dm_object_name(All_Traffic)` ] | table _time dest parent_process_name process_name process_path process process_id dest_port dest_ip | `windows_msiexec_with_network_connections_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. Add parent process as a filter, filter known good processes. This may be voluminous due to the join on process_id. All_Traffic does not have process_guid, yet.", "known_false_positives": "False positives will be present and filtering is required.", "references": ["https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"], "tags": {"name": "Windows MSIExec With Network Connections", "analytic_story": ["Windows System Binary Proxy Execution MSIExec"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "An instance of $process_name$ was identified on endpoint $dest$ contacting a remote destination.", "mitre_attack_id": ["T1218.007"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_id", "Processes.process_name", "Processes.dest", "Processes.process_path", "Processes.process", "Processes.parent_process_name", "All_Traffic.process_id", "All_Traffic.dest", "All_Traffic.dest_port", "All_Traffic.dest_ip"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.007", "mitre_attack_technique": "Msiexec", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Machete", "Molerats", "Rancor", "TA505", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint", "Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_msiexec", "definition": "(Processes.process_name=msiexec.exe OR Processes.original_file_name=msiexec.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_msiexec_with_network_connections_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_msiexec_with_network_connections.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Multi hop Proxy TOR Website Query", "id": "4c2d198b-da58-48d7-ba27-9368732d0054", "version": 1, "date": "2022-09-16", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a dns query to a known TOR proxy website. This technique was seen in several adversaries, threat actors and malware like AgentTesla to To disguise the source of its malicious traffic. adversaries may chain together multiple proxies. This Anomaly detection might be a good pivot for a process trying to download or use TOR proxies in a compromised host machine.", "data_source": ["Sysmon Event ID 22"], "search": "`sysmon` EventCode=22 QueryName IN (\"*.torproject.org\", \"www.theonionrouter.com\") | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus ProcessId Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_multi_hop_proxy_tor_website_query_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and sysmon eventcode = 22 dns query events from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "third party application may use this proxies if allowed in production environment. Filter is needed.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla"], "tags": {"name": "Windows Multi hop Proxy TOR Website Query", "analytic_story": ["AgentTesla"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command And Control"], "message": "a process $Image$ is having a dns query in a tor domain $QueryName$ in $Computer$", "mitre_attack_id": ["T1071.003", "T1071"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "QueryName", "QueryStatus", "ProcessId", "Computer"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1071.003", "mitre_attack_technique": "Mail Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT28", "APT32", "Kimsuky", "SilverTerrier", "Turla"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Dragonfly", "Magic Hound", "Rocke", "TeamTNT"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/agent_tesla/agent_tesla_tor_dns_query/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multi_hop_proxy_tor_website_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_multi_hop_proxy_tor_website_query.yml", "source": "endpoint"}, {"name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "id": "98f22d82-9d62-11eb-9fcf-acde48001122", "version": 2, "date": "2021-04-14", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies one source endpoint failing to authenticate with 30 unique disabled domain users using the Kerberos protocol within 5 minutes. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using Kerberos to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. As attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries may execute a password spraying attack against disabled users. Event 4768 is generated every time the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT). Failure code `0x12` stands for `clients credentials have been revoked` (account disabled, expired or locked out).\\\nThis logic can be used for real time security monitoring as well as threat hunting exercises. This detection will only trigger on domain controllers, not on member servers or workstations.\\\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts.", "data_source": ["Windows Security 4768"], "search": "`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x12 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, IpAddress | where unique_accounts > 30 | `windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple disabled domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems missconfigured systems.", "references": ["https://attack.mitre.org/techniques/T1110/003/"], "tags": {"name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "analytic_story": ["Active Directory Password Spraying", "Active Directory Kerberos Attacks", "Volt Typhoon", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Potential Kerberos based password spraying attack from $IpAddress$", "mitre_attack_id": ["T1110.003", "T1110"], "nist": ["DE.CM"], "observable": [{"name": "IpAddress", "role": ["Attacker"], "type": "Endpoint"}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Status", "TargetUserName", "IpAddress"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_disabled_users_kerberos_xml/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Multiple Invalid Users Fail To Authenticate Using Kerberos", "id": "001266a6-9d5b-11eb-829b-acde48001122", "version": 2, "date": "2021-04-14", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies one source endpoint failing to authenticate with 30 unique invalid domain users using the Kerberos protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using Kerberos to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. As attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries may execute a password spraying attack using an invalid list of users. Event 4768 is generated every time the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT). Failure code 0x6 stands for `client not found in Kerberos database` (the attempted user is not a valid domain user).\\\nThis logic can be used for real time security monitoring as well as threat hunting exercises. This detection will only trigger on domain controllers, not on member servers or workstations.\\\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts.", "data_source": ["Windows Security 4768"], "search": "`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x6 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, IpAddress | where unique_accounts > 30 | `windows_multiple_invalid_users_fail_to_authenticate_using_kerberos_filter` ", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems and missconfigured systems.", "references": ["https://attack.mitre.org/techniques/T1110/003/"], "tags": {"name": "Windows Multiple Invalid Users Fail To Authenticate Using Kerberos", "analytic_story": ["Active Directory Password Spraying", "Active Directory Kerberos Attacks", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Potential Kerberos based password spraying attack from $IpAddress$", "mitre_attack_id": ["T1110.003", "T1110"], "nist": ["DE.CM"], "observable": [{"name": "IpAddress", "role": ["Attacker"], "type": "Endpoint"}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Status", "TargetUserName", "IpAddress"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multiple_invalid_users_fail_to_authenticate_using_kerberos_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_multiple_invalid_users_fail_to_authenticate_using_kerberos.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Multiple Invalid Users Failed To Authenticate Using NTLM", "id": "57ad5a64-9df7-11eb-a290-acde48001122", "version": 2, "date": "2021-04-15", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies one source endpoint failing to authenticate with 30 unique invalid users using the NTLM protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using NTLM to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. As attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries may execute a password spraying attack using an invalid list of users. Event 4776 is generated on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. Error code 0xC0000064 stands for `The username you typed does not exist` (the attempted user is a legitimate domain user).\\\nThis logic can be used for real time security monitoring as well as threat hunting exercises. This detection will only trigger on domain controllers, not on member servers or workstations.\\\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source workstation name and attempted user accounts.", "data_source": ["Windows Security 4776"], "search": " `wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xc0000064 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, Workstation | where unique_accounts > 30 | `windows_multiple_invalid_users_failed_to_authenticate_using_ntlm_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation' within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776"], "tags": {"name": "Windows Multiple Invalid Users Failed To Authenticate Using NTLM", "analytic_story": ["Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Potential NTLM based password spraying attack from $Workstation$", "mitre_attack_id": ["T1110.003", "T1110"], "nist": ["DE.CM"], "observable": [{"name": "Workstation", "role": ["Attacker"], "type": "Endpoint"}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "TargetUserName", "Workstation", "Status"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm_xml/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multiple_invalid_users_failed_to_authenticate_using_ntlm_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_multiple_invalid_users_failed_to_authenticate_using_ntlm.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials", "id": "e61918fa-9ca4-11eb-836c-acde48001122", "version": 2, "date": "2021-04-13", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a source user failing to authenticate with 30 unique users using explicit credentials on a host. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. Event 4648 is generated when a process attempts an account logon by explicitly specifying that accounts credentials. This event generates on domain controllers, member servers, and workstations.\\\nThis logic can be used for real time security monitoring as well as threat hunting exercises. This detection will trigger on the potenfially malicious host, perhaps controlled via a trojan or operated by an insider threat, from where a password spraying attack is being executed.\\\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source account, attempted user accounts and the endpoint were the behavior was identified.", "data_source": ["Windows Security 4648"], "search": " `wineventlog_security` EventCode=4648 Caller_User_Name!=*$ Target_User_Name!=*$ | bucket span=5m _time | stats dc(Target_User_Name) AS unique_accounts values(Target_User_Name) as tried_account by _time, Computer, Caller_User_Name | where unique_accounts > 30 | `windows_multiple_users_fail_to_authenticate_wth_explicitcredentials_filter` ", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "A source user failing attempting to authenticate multiple users on a host is not a common behavior for regular systems. Some applications, however, may exhibit this behavior in which case sets of users hosts can be added to an allow list. Possible false positive scenarios include systems where several users connect to like Mail servers, identity providers, remote desktop services, Citrix, etc.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4648", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events"], "tags": {"name": "Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials", "analytic_story": ["Active Directory Password Spraying", "Insider Threat", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Potential password spraying attack from $Computer$", "mitre_attack_id": ["T1110.003", "T1110"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "role": ["Victim"], "type": "Endpoint"}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Target_User_Name", "Caller_User_Name", "Computer"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray_xml/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multiple_users_fail_to_authenticate_wth_explicitcredentials_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_multiple_users_fail_to_authenticate_wth_explicitcredentials.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Multiple Users Failed To Authenticate From Host Using NTLM", "id": "7ed272a4-9c77-11eb-af22-acde48001122", "version": 2, "date": "2021-04-13", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies one source endpoint failing to authenticate with 30 unique valid users using the NTLM protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using NTLM to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. Event 4776 is generated on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. Error code 0xC000006A means: misspelled or bad password (the attempted user is a legitimate domain user).\\\nThis logic can be used for real time security monitoring as well as threat hunting exercises. This detection will only trigger on domain controllers, not on member servers or workstations.\\\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source workstation name and attempted user accounts.", "data_source": ["Windows Security 4776"], "search": " `wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xC000006A | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, Workstation | where unique_accounts > 30 | `windows_multiple_users_failed_to_authenticate_from_host_using_ntlm_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776"], "tags": {"name": "Windows Multiple Users Failed To Authenticate From Host Using NTLM", "analytic_story": ["Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Potential NTLM based password spraying attack from $Workstation$", "mitre_attack_id": ["T1110.003", "T1110"], "nist": ["DE.CM"], "observable": [{"name": "Workstation", "role": ["Attacker"], "type": "Endpoint"}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Status", "TargetUserName", "Workstation"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm_xml/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multiple_users_failed_to_authenticate_from_host_using_ntlm_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_host_using_ntlm.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Multiple Users Failed To Authenticate From Process", "id": "9015385a-9c84-11eb-bef2-acde48001122", "version": 2, "date": "2021-04-13", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a source process name failing to authenticate with 30 uniquer users. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. Event 4625 generates on domain controllers, member servers, and workstations when an account fails to logon. Logon Type 2 describes an iteractive logon attempt.\\\nThis logic can be used for real time security monitoring as well as threat hunting exercises. This detection will trigger on the potenfially malicious host, perhaps controlled via a trojan or operated by an insider threat, from where a password spraying attack is being executed. This could be a domain controller as well as a member server or workstation.\\\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source process name, source account and attempted user accounts.", "data_source": ["Windows Security 4625"], "search": " `wineventlog_security` EventCode=4625 Logon_Type=2 ProcessName!=\"-\" | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, ProcessName, SubjectUserName, Computer | where unique_accounts > 30 | `windows_multiple_users_failed_to_authenticate_from_process_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers aas well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "A process failing to authenticate with multiple users is not a common behavior for legitimate user sessions. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events"], "tags": {"name": "Windows Multiple Users Failed To Authenticate From Process", "analytic_story": ["Active Directory Password Spraying", "Insider Threat", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Potential password spraying attack from $Computer$", "mitre_attack_id": ["T1110.003", "T1110"], "nist": ["DE.CM"], "observable": [{"name": "ComputerName", "role": ["Victim"], "type": "Endpoint"}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Logon_Type", "ProcessName", "SubjectUserName", "TargetUserName", "Computer"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process_xml/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multiple_users_failed_to_authenticate_from_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_process.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Multiple Users Failed To Authenticate Using Kerberos", "id": "3a91a212-98a9-11eb-b86a-acde48001122", "version": 2, "date": "2021-04-08", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies one source endpoint failing to authenticate with 30 unique users using the Kerberos protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using Kerberos to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. Event 4771 is generated when the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). Failure code 0x18 stands for `wrong password provided` (the attempted user is a legitimate domain user).\\\nThis logic can be used for real time security monitoring as well as threat hunting exercises. This detection will only trigger on domain controllers, not on member servers or workstations.\\\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts.", "data_source": ["Windows Security 4771"], "search": "`wineventlog_security` EventCode=4771 TargetUserName!=\"*$\" Status=0x18 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, IpAddress | where unique_accounts > 30 | `windows_multiple_users_failed_to_authenticate_using_kerberos_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, missconfigured systems and multi-user systems like Citrix farms.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319109(v=ws.11)", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771"], "tags": {"name": "Windows Multiple Users Failed To Authenticate Using Kerberos", "analytic_story": ["Active Directory Password Spraying", "Active Directory Kerberos Attacks", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Potential Kerberos based password spraying attack from $IpAddress$", "mitre_attack_id": ["T1110.003", "T1110"], "nist": ["DE.CM"], "observable": [{"name": "IpAddress", "role": ["Attacker"], "type": "Endpoint"}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Status", "TargetUserName", "IpAddress"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos_xml/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multiple_users_failed_to_authenticate_using_kerberos_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_multiple_users_failed_to_authenticate_using_kerberos.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Multiple Users Remotely Failed To Authenticate From Host", "id": "80f9d53e-9ca1-11eb-b0d6-acde48001122", "version": 2, "date": "2021-04-13", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a source host failing to authenticate against a remote host with 30 unique users. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. Event 4625 documents each and every failed attempt to logon to the local computer. This event generates on domain controllers, member servers, and workstations. Logon Type 3 describes an remote authentication attempt.\\\nThis logic can be used for real time security monitoring as well as threat hunting exercises. This detection will trigger on the host that is the target of the password spraying attack. This could be a domain controller as well as a member server or workstation.\\\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source process name, source account and attempted user accounts.", "data_source": ["Windows Security 4625"], "search": " `wineventlog_security` EventCode=4625 Logon_Type=3 IpAddress!=\"-\" | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, IpAddress, Computer | where unique_accounts > 30 | `windows_multiple_users_remotely_failed_to_authenticate_from_host_filter` ", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple valid users against a remote host is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, remote administration tools, missconfigyred systems, etc.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events"], "tags": {"name": "Windows Multiple Users Remotely Failed To Authenticate From Host", "analytic_story": ["Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Potential password spraying attack on $ComputerName$", "mitre_attack_id": ["T1110.003", "T1110"], "nist": ["DE.CM"], "observable": [{"name": "ComputerName", "role": ["Victim"], "type": "Endpoint"}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Logon_Type", "TargetUserName", "Computer", "IpAddress"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_remote_spray_xml/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multiple_users_remotely_failed_to_authenticate_from_host_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_multiple_users_remotely_failed_to_authenticate_from_host.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Ngrok Reverse Proxy Usage", "id": "e2549f2c-0aef-408a-b0c1-e0f270623436", "version": 2, "date": "2023-01-12", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies the use of ngrok.exe being utilized on the Windows operating system. Unfortunately, there is no original file name for Ngrok, so it may be worth an additional hunt to identify any command-line arguments. The sign of someone using Ngrok is not malicious, however, more recently it has become an adversary tool.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ngrok.exe Processes.process IN (\"*start*\", \"*--config*\",\"*http*\",\"*authtoken*\", \"*http*\", \"*tcp*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_ngrok_reverse_proxy_usage_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives will be present based on organizations that allow the use of Ngrok. Filter or monitor as needed.", "references": ["https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf"], "tags": {"name": "Windows Ngrok Reverse Proxy Usage", "analytic_story": ["Reverse Network Proxy", "CISA AA22-320A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 50, "kill_chain_phases": ["Command And Control"], "message": "A reverse proxy was identified spawning from $parent_process_name$ - $process_name$ on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1572", "T1090", "T1102"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1572", "mitre_attack_technique": "Protocol Tunneling", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Chimera", "Cobalt Group", "FIN6", "Fox Kitten", "Leviathan", "Magic Hound", "OilRig"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "POLONIUM", "Sandworm Team", "Turla", "Windigo"]}, {"mitre_attack_id": "T1102", "mitre_attack_technique": "Web Service", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT32", "EXOTIC LILY", "Ember Bear", "FIN6", "FIN8", "Fox Kitten", "Gamaredon Group", "Inception", "LazyScripter", "Mustang Panda", "Rocke", "TeamTNT", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/ngrok/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_ngrok_reverse_proxy_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows NirSoft AdvancedRun", "id": "bb4f3090-7ae4-11ec-897f-acde48001122", "version": 1, "date": "2023-04-14", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of AdvancedRun.exe. AdvancedRun.exe has similar capabilities as other remote programs like psexec. AdvancedRun may also ingest a configuration file with all settings defined and perform its activity. The analytic is written in a way to identify a renamed binary and also the common command-line arguments.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=advancedrun.exe OR Processes.original_file_name=advancedrun.exe) Processes.process IN (\"*EXEFilename*\",\"*/cfg*\",\"*RunAs*\", \"*WindowState*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_nirsoft_advancedrun_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited as it is specific to AdvancedRun. Filter as needed based on legitimate usage.", "references": ["http://www.nirsoft.net/utils/advanced_run.html", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"name": "Windows NirSoft AdvancedRun", "analytic_story": ["Ransomware", "Unusual Processes", "Data Destruction", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 60, "kill_chain_phases": ["Weaponization"], "message": "An instance of advancedrun.exe, $process_name$, was spawned by $parent_process_name$ on $dest$ by $user$.", "mitre_attack_id": ["T1588.002"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1588.002", "mitre_attack_technique": "Tool", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT19", "APT28", "APT29", "APT32", "APT33", "APT38", "APT39", "APT41", "Aoqin Dragon", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Carbanak", "Chimera", "Cleaver", "Cobalt Group", "CopyKittens", "DarkHydrus", "DarkVishnya", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN5", "FIN6", "Ferocious Kitten", "GALLIUM", "Gorgon Group", "HEXANE", "Inception", "IndigoZebra", "Ke3chang", "Kimsuky", "LAPSUS$", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "Metador", "Moses Staff", "MuddyWater", "POLONIUM", "Patchwork", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "TA505", "TEMP.Veles", "Threat Group-3390", "Thrip", "Turla", "WIRTE", "Whitefly", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1588.002/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_nirsoft_advancedrun_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_nirsoft_advancedrun.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows NirSoft Utilities", "id": "5b2f4596-7d4c-11ec-88a7-acde48001122", "version": 1, "date": "2023-04-14", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following hunting analytic assists with identifying the proces execution of commonly used utilities from NirSoft. Potentially not adversary behavior, but worth identifying to know if the software is present and being used.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_path Processes.process_id Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `is_nirsoft_software` | `windows_nirsoft_utilities_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present. Filtering may be required before setting to alert.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/TA18-201A", "http://www.nirsoft.net/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"name": "Windows NirSoft Utilities", "analytic_story": ["Data Destruction", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Weaponization"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ related to NiRSoft software usage.", "mitre_attack_id": ["T1588.002"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1588.002", "mitre_attack_technique": "Tool", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT19", "APT28", "APT29", "APT32", "APT33", "APT38", "APT39", "APT41", "Aoqin Dragon", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Carbanak", "Chimera", "Cleaver", "Cobalt Group", "CopyKittens", "DarkHydrus", "DarkVishnya", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN5", "FIN6", "Ferocious Kitten", "GALLIUM", "Gorgon Group", "HEXANE", "Inception", "IndigoZebra", "Ke3chang", "Kimsuky", "LAPSUS$", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "Metador", "Moses Staff", "MuddyWater", "POLONIUM", "Patchwork", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "TA505", "TEMP.Veles", "Threat Group-3390", "Thrip", "Turla", "WIRTE", "Whitefly", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1588.002/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "is_nirsoft_software", "definition": "lookup update=true is_nirsoft_software filename as process_name OUTPUT nirsoftFile | search nirsoftFile=true", "description": "This macro is related to potentially identifiable software related to NirSoft. Remove or filter as needed based."}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_nirsoft_utilities_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_nirsoft_utilities.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Non-System Account Targeting Lsass", "id": "b1ce9a72-73cf-11ec-981b-acde48001122", "version": 2, "date": "2022-07-30", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies non SYSTEM accounts requesting access to lsass.exe. This behavior may be related to credential dumping or applications requiring access to credentials. Triaging this event will require understanding the GrantedAccess from the SourceImage. In addition, whether the account is privileged or not. Review the process requesting permissions and review parallel processes.", "data_source": ["Sysmon Event ID 1"], "search": "`sysmon` EventCode=10 TargetImage=*lsass.exe NOT (SourceUser=\"NT AUTHORITY\\\\*\") | stats count min(_time) as firstTime max(_time) as lastTime by Computer, TargetImage, GrantedAccess, SourceImage, SourceProcessId, SourceUser, TargetUser | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_non_system_account_targeting_lsass_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Enabling EventCode 10 TargetProcess lsass.exe is required.", "known_false_positives": "False positives will occur based on legitimate application requests, filter based on source image as needed.", "references": ["https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service", "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1", "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights?redirectedfrom=MSDN"], "tags": {"name": "Windows Non-System Account Targeting Lsass", "analytic_story": ["Credential Dumping"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "A process, $SourceImage$, has loaded $ImageLoaded$ that are typically related to credential dumping on $dest$. Review for further details.", "mitre_attack_id": ["T1003.001", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "ImageLoaded", "type": "Process", "role": ["Other"]}, {"name": "SourceImage", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Computer", "TargetImage", "GrantedAccess", "SourceImage", "SourceProcessId", "SourceUser", "TargetUser"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon_creddump.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_non_system_account_targeting_lsass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_non_system_account_targeting_lsass.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Windows Odbcconf Hunting", "id": "0562ad4b-fdaa-4882-b12f-7b8e0034cd72", "version": 1, "date": "2022-06-30", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies Odbcconf.exe running in the environment to assist with identifying tuning higher fidelity analytics related to Odbcconf.exe.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=odbcconf.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_odbcconf_hunting_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives will be present as this is meant to assist with filtering and tuning.", "references": ["https://strontic.github.io/xcyclopedia/library/odbcconf.exe-07FBA12552331355C103999806627314.html", "https://twitter.com/redcanary/status/1541838407894171650?s=20&t=kp3WBPtfnyA3xW7D7wx0uw"], "tags": {"name": "Windows Odbcconf Hunting", "analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 20, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to circumvent controls.", "mitre_attack_id": ["T1218.008"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 6, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.008", "mitre_attack_technique": "Odbcconf", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.008/atomic_red_team/windows-sysmon-odbc-regsvr.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_odbcconf_hunting_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_odbcconf_hunting.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Odbcconf Load DLL", "id": "141e7fca-a9f0-40fd-a539-9aac8be41f1b", "version": 1, "date": "2022-06-28", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies odbcconf.exe, Windows Open Database Connectivity utility, utilizing the action function of regsvr to load a DLL. An example will look like - odbcconf.exe /A { REGSVR T1218-2.dll }. During triage, review parent process, parallel procesess and file modifications.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=odbcconf.exe Processes.process IN (\"*/a *\", \"*-a*\") Processes.process=\"*regsvr*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_odbcconf_load_dll_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present and filtering may need to occur based on legitimate application usage. Filter as needed.", "references": ["https://strontic.github.io/xcyclopedia/library/odbcconf.exe-07FBA12552331355C103999806627314.html", "https://twitter.com/redcanary/status/1541838407894171650?s=20&t=kp3WBPtfnyA3xW7D7wx0uw"], "tags": {"name": "Windows Odbcconf Load DLL", "analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to circumvent controls.", "mitre_attack_id": ["T1218.008"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.008", "mitre_attack_technique": "Odbcconf", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.008/atomic_red_team/windows-sysmon-odbc-regsvr.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_odbcconf_load_dll_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_odbcconf_load_dll.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Odbcconf Load Response File", "id": "1acafff9-1347-4b40-abae-f35aa4ba85c1", "version": 1, "date": "2022-06-30", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the odbcconf.exe, Windows Open Database Connectivity utility, loading up a resource file. The file extension is arbitrary and may be named anything. The resource file itself may have different commands supported by Odbcconf to load up a DLL (REGSVR) on disk or additional commands. During triage, review file modifications and parallel processes.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=odbcconf.exe Processes.process IN (\"*-f *\",\"*/f *\") Processes.process=\"*.rsp*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_odbcconf_load_response_file_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present and filtering may need to occur based on legitimate application usage. Filter as needed.", "references": ["https://strontic.github.io/xcyclopedia/library/odbcconf.exe-07FBA12552331355C103999806627314.html", "https://twitter.com/redcanary/status/1541838407894171650?s=20&t=kp3WBPtfnyA3xW7D7wx0uw"], "tags": {"name": "Windows Odbcconf Load Response File", "analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to circumvent controls.", "mitre_attack_id": ["T1218.008"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.008", "mitre_attack_technique": "Odbcconf", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.008/atomic_red_team/windows-sysmon-odbc-rsp.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_odbcconf_load_response_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_odbcconf_load_response_file.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Office Product Spawning MSDT", "id": "127eba64-c981-40bf-8589-1830638864a7", "version": 3, "date": "2023-02-15", "author": "Michael Haag, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a Microsoft Office product spawning the Windows msdt.exe process. MSDT is a Diagnostics Troubleshooting Wizard native to Windows. This behavior is related to a recently identified sample utilizing protocol handlers to evade preventative controls, including if macros are disabled in the document. During triage, review file modifications for html. In addition, parallel processes including PowerShell and CertUtil.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"outlook.exe\",\"mspub.exe\",\"visio.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\") Processes.process_name=msdt.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_office_product_spawning_msdt_filter`", "how_to_implement": "how To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited, however filter as needed.", "references": ["https://isc.sans.edu/diary/rss/28694", "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", "https://twitter.com/nao_sec/status/1530196847679401984?s=20&t=ZiXYI4dQuA-0_dzQzSUb3A", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection", "https://strontic.github.io/xcyclopedia/library/msdt.exe-152D4C9F63EFB332CCB134C6953C0104.html", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"name": "Windows Office Product Spawning MSDT", "analytic_story": ["Spearphishing Attachments", "Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Delivery"], "message": "Office parent process $parent_process_name$ has spawned a child process $process_name$ on host $dest$.", "mitre_attack_id": ["T1566", "T1566.001"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "cve": ["CVE-2022-30190"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/msdt.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_office_product_spawning_msdt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-30190", "cvss": 9.3, "summary": "Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_office_product_spawning_msdt.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows PaperCut NG Spawn Shell", "id": "a602d9a2-aaea-45f8-bf0f-d851168d61ca", "version": 1, "date": "2023-05-15", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic is designed to detect instances where the PaperCut NG application (pc-app.exe) spawns a Windows shell, specifically cmd.exe or PowerShell. This behavior may indicate potential malicious activity, such as an attacker attempting to gain unauthorized access or execute harmful commands on the affected system.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=pc-app.exe `process_cmd` OR `process_powershell` OR Processes.process_name=java.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_papercut_ng_spawn_shell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present, but most likely not. Filter as needed.", "references": ["https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-and-fbi-release-joint-advisory-response-active-exploitation-papercut-vulnerability", "https://www.papercut.com/kb/Main/PO-1216-and-PO-1219"], "tags": {"name": "Windows PaperCut NG Spawn Shell", "analytic_story": ["PaperCut MF NG Vulnerability"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Installation", "Delivery"], "message": "The PaperCut NG application has spawned a shell $process_name$ on endpoint $dest$ by $user$.", "mitre_attack_id": ["T1059", "T1190"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "atomic_guid": [], "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/papercut/papercutng-app-spawn_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_papercut_ng_spawn_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_papercut_ng_spawn_shell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Password Managers Discovery", "id": "a3b3bc96-1c4f-4eba-8218-027cac739a48", "version": 1, "date": "2022-11-30", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies a process command line that retrieves information related to password manager software. This technique was seen in several post exploitation tools like winpeas that are being used by Ransomware Prestige to gather this type of information. Password Managers applications are designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk. Due to this password manager software designed adversaries may find or look for keywords related to the Password Manager databases that can be stolen or extracted for further attacks.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*dir *\" OR Processes.process = \"*findstr*\" AND Processes.process IN ( \"*.kdbx*\", \"*credential*\", \"*key3.db*\",\"*pass*\", \"*cred*\", \"*key4.db*\", \"*accessTokens*\", \"*access_tokens*\", \"*.htpasswd*\", \"*Ntds.dit*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_password_managers_discovery_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used.", "known_false_positives": "unknown", "references": ["https://attack.mitre.org/techniques/T1555/005/", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"name": "Windows Password Managers Discovery", "analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "a process with commandline $process$ that can retrieve information related to password manager databases in $dest$", "mitre_attack_id": ["T1555.005"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id", "Processes.parent_process_guid", "Processes.process_guid"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1555.005", "mitre_attack_technique": "Password Managers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Fox Kitten", "Threat Group-3390"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_search_pwd_db/dir-db-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_password_managers_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_password_managers_discovery.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Phishing PDF File Executes URL Link", "id": "2fa9dec8-9d8e-46d3-96c1-202c06f0e6e1", "version": 1, "date": "2023-01-18", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is developed to detect suspicious pdf viewer processes that have a browser application child processes. This event was seen in a pdf spear phishing attachment containing a malicious URL link to download the actual payload. When a user clicks the malicious link the pdf viewer application will execute a process of the host default browser to connect to the malicious site. This anomaly detection can be a good indicator that a possible pdf file has a link executed by a user. The pdf viewer and browser list in this detection is still in progress, add the common browser and pdf viewer you use in opening pdf in your network.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"AcroRd32.exe\", \"FoxitPDFReader.exe\") Processes.process_name IN (\"firefox.exe\", \"chrome.exe\", \"iexplore.exe\") by Processes.user Processes.parent_process_name Processes.process_name Processes.parent_process Processes.process Processes.process_id Processes.dest |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_phishing_pdf_file_executes_url_link_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives in PDF file opened PDF Viewer having legitimate URL link, however filter as needed.", "references": ["https://twitter.com/pr0xylife/status/1615382907446767616?s=20"], "tags": {"name": "Windows Phishing PDF File Executes URL Link", "analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Delivery"], "message": "a pdf file opened in pdf viewer process $parent_process_name$ has a child process of a browser $process_name$ in $dest$", "mitre_attack_id": ["T1566.001", "T1566"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/phishing_pdf_uri/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_phishing_pdf_file_executes_url_link_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Phishing Recent ISO Exec Registry", "id": "cb38ee66-8ae5-47de-bd66-231c7bbc0b2c", "version": 2, "date": "2022-09-19", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following hunting analytic identifies registry artifacts when an ISO container is opened, clicked or mounted on the Windows operating system. As Microsoft makes changes to macro based document execution, adversaries have begun to utilize container based initial access based phishing campaigns to evade preventative controls. Once the ISO is clicked or mounted it will create a registry artifact related to this event as a recent application executed or opened.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_key_name= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RecentDocs\\\\.iso\" OR Registry.registry_key_name= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RecentDocs\\\\.img\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_phishing_recent_iso_exec_registry_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be high depending on the environment and consistent use of ISOs. Restrict to servers, or filter out based on commonly used ISO names. Filter as needed.", "references": ["https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/", "https://isc.sans.edu/diary/Recent+AZORult+activity/25120", "https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html"], "tags": {"name": "Windows Phishing Recent ISO Exec Registry", "analytic_story": ["Brute Ratel C4", "AgentTesla", "Qakbot", "IcedID", "Azorult", "Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "An ISO file was mounted on $dest$ and should be reviewed and filtered as needed.", "mitre_attack_id": ["T1566.001", "T1566"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.user", "Registry.registry_path", "Registry.registry_value_data", "Registry.action", "Registry.dest"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_phishing_recent_iso_exec_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Possible Credential Dumping", "id": "e4723b92-7266-11ec-af45-acde48001122", "version": 3, "date": "2022-08-24", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic is an enhanced version of two previous analytics that identifies common GrantedAccess permission requests and CallTrace DLLs in order to detect credential dumping. \\\nGrantedAccess is the requested permissions by the SourceImage into the TargetImage. \\\nCallTrace Stack trace of where open process is called. Included is the DLL and the relative virtual address of the functions in the call stack right before the open process call. \\\ndbgcore.dll or dbghelp.dll are two core Windows debug DLLs that have minidump functions which provide a way for applications to produce crashdump files that contain a useful subset of the entire process context. \\\nThe idea behind using ntdll.dll is to blend in by using native api of ntdll.dll. For example in sekurlsa module there are many ntdll exported api, like RtlCopyMemory, used to execute this module which is related to lsass dumping.", "data_source": ["Sysmon Event ID 1"], "search": "`sysmon` EventCode=10 TargetImage=*\\\\lsass.exe GrantedAccess IN (\"0x01000\", \"0x1010\", \"0x1038\", \"0x40\", \"0x1400\", \"0x1fffff\", \"0x1410\", \"0x143a\", \"0x1438\", \"0x1000\") CallTrace IN (\"*dbgcore.dll*\", \"*dbghelp.dll*\", \"*ntdll.dll*\", \"*kernelbase.dll*\", \"*kernel32.dll*\") NOT SourceUser IN (\"NT AUTHORITY\\\\SYSTEM\", \"NT AUTHORITY\\\\NETWORK SERVICE\")| stats count min(_time) as firstTime max(_time) as lastTime by, Computer, SourceImage, GrantedAccess, TargetImage, SourceProcessId, SourceUser, TargetUser | rename Computer as dest | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `windows_possible_credential_dumping_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Enabling EventCode 10 TargetProcess lsass.exe is required.", "known_false_positives": "False positives will occur based on GrantedAccess 0x1010 and 0x1400, filter based on source image as needed or remove them. Concern is Cobalt Strike usage of Mimikatz will generate 0x1010 initially, but later be caught.", "references": ["https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service", "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1", "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights?redirectedfrom=MSDN", "https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1003.001_DumpLSASS/DumpLSASS.ps1"], "tags": {"name": "Windows Possible Credential Dumping", "analytic_story": ["Credential Dumping", "Detect Zerologon Attack", "DarkSide Ransomware", "CISA AA22-257A", "CISA AA22-264A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "A process, $SourceImage$, has loaded $ImageLoaded$ that are typically related to credential dumping on $dest$. Review for further details.", "mitre_attack_id": ["T1003.001", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "ImageLoaded", "type": "Process", "role": ["Other"]}, {"name": "SourceImage", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Computer", "TargetImage", "GrantedAccess", "SourceImage", "SourceProcessId", "SourceUser", "TargetUser"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon_creddump.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_possible_credential_dumping_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_possible_credential_dumping.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Windows PowerShell Add Module to Global Assembly Cache", "id": "3fc16961-97e5-4a5b-a079-e4ab0d9763eb", "version": 1, "date": "2023-01-18", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following PowerShell Script Block analytic identifies the native ability to add a DLL to the Windows Global Assembly Cache. Each computer where the Common Language Runtime is installed has a machine-wide code cache called the Global Assembly Cache. The Global Assembly Cache stores assemblies specifically designated to be shared by several applications on the computer. By adding a DLL to the GAC, this allows an adversary to call it via any other means across the operating systems. This is native and built into Windows. Per the Microsoft blog, the more high fidelity method may be to look for W3WP.exe spawning PowerShell that includes the same CommandLine as identified in this analytic.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText IN(\"*system.enterpriseservices.internal.publish*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_add_module_to_global_assembly_cache_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives may be present based on developers or third party utilities adding items to the GAC.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/"], "tags": {"name": "Windows PowerShell Add Module to Global Assembly Cache", "analytic_story": ["IIS Components"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation"], "message": "PowerShell was used to install a module to the Global Assembly Cache on $Computer$.", "mitre_attack_id": ["T1505", "T1505.004"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Computer", "EventCode"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/pwsh_publish_powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_powershell_add_module_to_global_assembly_cache_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_powershell_add_module_to_global_assembly_cache.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Powershell Cryptography Namespace", "id": "f8b482f4-6d62-49fa-a905-dfa15698317b", "version": 1, "date": "2023-01-26", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is processing cryptography namespace library. This technique was seen in several powershell malware, loader, downloader and stager that will decrypt or decode the next malicious stager or the actual payload. This Anomaly detection can be a good indicator that a powershell process to decrypt code. We recommend to further check the parent_process_name, the file or data it tries to decrypt, network connection and user who execute the script.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*System.Security.Cryptography*\" AND NOT(ScriptBlockText IN (\"*SHA*\", \"*MD5*\", \"*DeriveBytes*\")) | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_cryptography_namespace_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited. Filter as needed.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"name": "Windows Powershell Cryptography Namespace", "analytic_story": ["AsyncRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "A suspicious powershell script contains cryptography command in $ScriptBlockText$ with EventCode $EventCode$ in host $Computer$", "mitre_attack_id": ["T1059.001", "T1059"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCodes"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/asyncrat_crypto_pwh_namespace/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_powershell_cryptography_namespace_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_powershell_cryptography_namespace.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows PowerShell Disable HTTP Logging", "id": "27958de0-2857-43ca-9d4c-b255cf59dcab", "version": 1, "date": "2022-12-21", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analtyic identifies the use of get-WebConfigurationProperty and Set-ItemProperty attempting to disable HTTP logging on windows via PowerShell. Adversaries may perform this action to disable HTTP logging to cover tracks and delete logs on disk.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText IN(\"*get-WebConfigurationProperty*\",\"*Set-ItemProperty*\") AND ScriptBlockText IN (\"*httpLogging*\",\"*Logfile.enabled*\") AND ScriptBlockText IN (\"*dontLog*\", \"*false*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_disable_http_logging_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "It is possible administrators or scripts may run these commands, filtering may be required.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union"], "tags": {"name": "Windows PowerShell Disable HTTP Logging", "analytic_story": ["IIS Components", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "message": "A PowerShell Cmdlet related to disable or modifying a IIS HTTP logging has occurred on $Computer$.", "mitre_attack_id": ["T1562", "T1562.002", "T1505", "T1505.004"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Computer", "EventCode"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1562.002", "mitre_attack_technique": "Disable Windows Event Logging", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound", "Threat Group-3390"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/4104_disable_http_logging_windows-powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_powershell_disable_http_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_powershell_disable_http_logging.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows PowerShell Export Certificate", "id": "5e38ded4-c964-41f4-8cb6-4a1a53c6929f", "version": 1, "date": "2023-02-01", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies the PowerShell Cmdlet export-certificate utilizing Script Block Logging. This particular behavior is related to an adversary attempting to steal certificates local to the Windows endpoint within the Certificate Store.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*export-certificate*\") | rename Computer as dest | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_export_certificate_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "It is possible administrators or scripts may run these commands, filtering may be required.", "references": ["https://dev.to/iamthecarisma/managing-windows-pfx-certificates-through-powershell-3pj", "https://learn.microsoft.com/en-us/powershell/module/pki/export-certificate?view=windowsserver2022-ps"], "tags": {"name": "Windows PowerShell Export Certificate", "analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "A PowerShell Cmdlet related to exporting a Certificate was ran on $dest$, attempting to export a certificate.", "mitre_attack_id": ["T1552.004", "T1552", "T1649"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "dest", "EventCode"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1552.004", "mitre_attack_technique": "Private Keys", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_powershell_export_certificate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_powershell_export_certificate.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows PowerShell Export PfxCertificate", "id": "ed06725f-6da6-439f-9dcc-ab30e891297c", "version": 1, "date": "2023-02-01", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies the PowerShell Cmdlet export-pfxcertificate utilizing Script Block Logging. This particular behavior is related to an adversary attempting to steal certificates local to the Windows endpoint within the Certificate Store.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*export-pfxcertificate*\") | rename Computer as dest | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_export_pfxcertificate_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "It is possible administrators or scripts may run these commands, filtering may be required.", "references": ["https://dev.to/iamthecarisma/managing-windows-pfx-certificates-through-powershell-3pj", "https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps"], "tags": {"name": "Windows PowerShell Export PfxCertificate", "analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "A PowerShell Cmdlet related to exporting a PFX Certificate was ran on $dest$, attempting to export a certificate.", "mitre_attack_id": ["T1552.004", "T1552", "T1649"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "dest", "EventCode"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1552.004", "mitre_attack_technique": "Private Keys", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4104_export_pfxcertificate.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_powershell_export_pfxcertificate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_powershell_export_pfxcertificate.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows PowerShell Get CIMInstance Remote Computer", "id": "d8c972eb-ed84-431a-8869-ca4bd83257d1", "version": 1, "date": "2023-03-27", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic identifies the use of Get-CimInstance cmdlet with the -ComputerName parameter, which indicates that the cmdlet is being used to retrieve information from a remote computer. This can be useful for detecting instances of remote access, such as when an attacker uses PowerShell to connect to a remote system and gather information. By monitoring for this cmdlet with the -ComputerName parameter, security analysts can identify potential malicious activity on remote systems and take appropriate action to mitigate any threats.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText=\"*get-ciminstance*\" AND ScriptBlockText=\"*computername*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_get_ciminstance_remote_computer_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "This is meant to be a low risk RBA anomaly analytic or to be used for hunting. Enable this with a low risk score and let it generate risk in the risk index.", "references": ["https://learn.microsoft.com/en-us/powershell/module/cimcmdlets/get-ciminstance?view=powershell-7.3"], "tags": {"name": "Windows PowerShell Get CIMInstance Remote Computer", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Installation"], "message": "A PowerShell Cmdlet Get-CIMInstnace was ran on $Computer$, attempting to connect to a remote host.", "mitre_attack_id": ["T1059.001"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Computer", "EventCode"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/get_ciminstance_windows-powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_powershell_get_ciminstance_remote_computer_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_powershell_get_ciminstance_remote_computer.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows PowerShell IIS Components WebGlobalModule Usage", "id": "33fc9f6f-0ce7-4696-924e-a69ec61a3d57", "version": 1, "date": "2022-12-21", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies the usage of PowerShell Cmdlets - New-WebGlobalModule, Enable-WebGlobalModule and Set-WebGlobalModule being utilized to create (new), enable (start) or modify a current IIS Module. These commands are equivalent to AppCmd.exe parameters. Adversaries may utilize these cmdlets as they are lesser known and perform the same activity as AppCmd.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText IN(\"*New-WebGlobalModule*\",\"*Enable-WebGlobalModule*\",\"*Set-WebGlobalModule*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_iis_components_webglobalmodule_usage_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "It is possible administrators or scripts may run these commands, filtering may be required.", "references": ["https://learn.microsoft.com/en-us/powershell/module/webadministration/new-webglobalmodule?view=windowsserver2022-ps", "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union", "https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1505.004"], "tags": {"name": "Windows PowerShell IIS Components WebGlobalModule Usage", "analytic_story": ["IIS Components"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation"], "message": "A PowerShell Cmdlet related to enabling, creating or modifying a IIS module has occurred on $Computer$.", "mitre_attack_id": ["T1505", "T1505.004"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Computer", "EventCode"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/4104_windows-powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_powershell_iis_components_webglobalmodule_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_powershell_iis_components_webglobalmodule_usage.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Powershell Import Applocker Policy", "id": "102af98d-0ca3-4aa4-98d6-7ab2b98b955a", "version": 1, "date": "2022-06-30", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic is to identify the imports of Windows PowerShell Applocker commandlets. This technique was seen in Azorult malware where it drops an xml Applocker policy that will deny several AV product and then loaded using PowerShell Applocker commandlet.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText=\"*Import-Module Applocker*\" ScriptBlockText=\"*Set-AppLockerPolicy *\" ScriptBlockText=\"* -XMLPolicy *\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_import_applocker_policy_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "administrators may execute this command that may cause some false positive.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"name": "Windows Powershell Import Applocker Policy", "analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A PowerShell script contains Import Applocker Policy command $ScriptBlockText$ with EventCode $EventCode$ in host $Computer$", "mitre_attack_id": ["T1059.001", "T1059", "T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Computer", "EventCode"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/import_applocker_policy/windows-powershell-xml2.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_powershell_import_applocker_policy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_powershell_import_applocker_policy.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows PowerShell WMI Win32 ScheduledJob", "id": "47c69803-2c09-408b-b40a-063c064cbb16", "version": 1, "date": "2023-03-27", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic detects the use of the PowerShell script block logging mechanism to detect the use of the Win32_ScheduledJob WMI class. This class allows the creation and management of scheduled tasks on Windows systems. However, due to security concerns, the class has been disabled by default in Windows systems, and its use must be explicitly enabled by modifying the registry. As a result, the detection of the use of this class may indicate malicious activity, especially if the class was enabled on the system by the attacker. Therefore, it is recommended to monitor the use of Win32_ScheduledJob through PowerShell script block logging and to investigate any suspicious activity.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText=\"*win32_scheduledjob*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_wmi_win32_scheduledjob_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives may be present based on legacy applications or utilities. Win32_ScheduledJob uses the Remote Procedure Call (RPC) protocol to create scheduled tasks on remote computers. It uses the DCOM (Distributed Component Object Model) infrastructure to establish a connection with the remote computer and invoke the necessary methods. The RPC service needs to be running on both the local and remote computers for the communication to take place.", "references": ["https://securityonline.info/wmiexec-regout-get-outputdata-response-from-registry/", "https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob"], "tags": {"name": "Windows PowerShell WMI Win32 ScheduledJob", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Installation"], "message": "PowerShell attempting to create a task via WMI - Win32_ScheduledJob, was ran on $dest$.", "mitre_attack_id": ["T1059.001", "T1059"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "dest", "EventCode"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/win32_scheduledjob_windows-powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_powershell_wmi_win32_scheduledjob_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_powershell_wmi_win32_scheduledjob.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows PowerSploit GPP Discovery", "id": "0130a0df-83a1-4647-9011-841e950ff302", "version": 1, "date": "2023-03-16", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of the Get-GPPPassword PowerShell commandlet employed to search for unsecured credentials Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts. These group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public). While Microsoft released a patch that impedes Administrators to create unsecure credentials, existing Group Policy Preferences files with passwords are not removed from SYSVOL.", "data_source": ["Powershell 4104"], "search": " `powershell` EventCode=4104 (ScriptBlockText=Get-GPPPassword OR ScriptBlockText=Get-CachedGPPPassword) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powersploit_gpp_discovery_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Unknown", "references": ["https://attack.mitre.org/techniques/T1552/006/", "https://pentestlab.blog/2017/03/20/group-policy-preferences/", "https://adsecurity.org/?p=2288", "https://www.hackingarticles.in/credential-dumping-group-policy-preferences-gpp/", "https://adsecurity.org/?p=2288", "https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30"], "tags": {"name": "Windows PowerSploit GPP Discovery", "analytic_story": ["Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Commandlets leveraged to discover GPP credentials were executed on $Computer$", "mitre_attack_id": ["T1552", "T1552.006"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ScriptBlockText", "Opcode", "Computer", "UserID"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1552.006", "mitre_attack_technique": "Group Policy Preferences", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.006/powershell_gpp_discovery/win-powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_powersploit_gpp_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_powersploit_gpp_discovery.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows PowerView AD Access Control List Enumeration", "id": "39405650-c364-4e1e-a740-32a63ef042a6", "version": 1, "date": "2023-04-20", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic leverages Event ID 4104 to identify the execution of the PowerView powershell commandlets `Get-ObjectAcl` or `Get-DomainObjectAcl`. This commandlets are used to enumerate Access Control List permissions given to Active Directory objects. In an active directory environment, an object is an entity that represents an available resource within the organizations network, such as domain controllers, users, groups, computers, shares, etc. Maintaining Active Directory permissions is complicated and hard to manage, especially in complex and large environments with multiple domains. Weak permissions may allow adversaries and red teamers to escalate their privileges in Active Directory. PowerView is a common tool leveraged by attackers to identify and exploit configuration weaknesses.", "data_source": ["Powershell 4104"], "search": " `powershell` EventCode=4104 (ScriptBlockText=*get-objectacl* OR ScriptBlockText=*Get-DomainObjectAcl* ) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_ad_access_control_list_enumeration_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.=", "known_false_positives": "Administrators may leverage PowerView for legitimate purposes, filter as needed.", "references": ["https://attack.mitre.org/techniques/T1078/002/", "https://medium.com/r3d-buck3t/enumerating-access-controls-in-active-directory-c06e2efa8b89", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainObjectAcl/"], "tags": {"name": "Windows PowerView AD Access Control List Enumeration", "analytic_story": ["Active Directory Discovery", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "PowerView AD acccess control list enumeration detected on $Computer$", "mitre_attack_id": ["T1078.002", "T1069"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ScriptBlockText", "Opcode", "UserID"], "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "Chimera", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "Wizard Spider"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/powerview_acl_enumeration/windows-powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_powerview_ad_access_control_list_enumeration_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_powerview_ad_access_control_list_enumeration.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows PowerView Constrained Delegation Discovery", "id": "86dc8176-6e6c-42d6-9684-5444c6557ab3", "version": 1, "date": "2022-03-31", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify commandlets used by the PowerView hacking tool leveraged to discover Windows endpoints with Kerberos Constrained Delegation. Red Teams and adversaries alike may leverage use this technique for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (Message = \"*Get-DomainComputer*\" OR Message = \"*Get-NetComputer*\") AND (Message = \"*-TrustedToAuth*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_constrained_delegation_discovery_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may leverage PowerView for system management or troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://adsecurity.org/?p=1667", "https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unconstrained-kerberos", "https://www.guidepointsecurity.com/blog/delegating-like-a-boss-abusing-kerberos-delegation-in-active-directory/", "https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/constrained-delegation", "https://www.cyberark.com/resources/threat-research-blog/weakness-within-kerberos-delegation"], "tags": {"name": "Windows PowerView Constrained Delegation Discovery", "analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Suspicious PowerShell Get-DomainComputer was identified on endpoint $ComputerName$", "mitre_attack_id": ["T1018"], "nist": ["DE.CM"], "observable": [{"name": "ComputerName", "type": "Hostname", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Message", "ComputerName", "User"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/constrained/windows-powershell.log", "source": "WinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_powerview_constrained_delegation_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_powerview_constrained_delegation_discovery.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows PowerView Kerberos Service Ticket Request", "id": "970455a1-4ac2-47e1-a9a5-9e75443ddcb9", "version": 1, "date": "2022-06-22", "author": "Gowthamaraj Rajendran, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainSPNTicket` commandlets with specific parameters. This commandlet is a part of PowerView, a PowerShell tool used to perform enumeration and discovery on Windows Active Directory networks. As the name suggests, this commandlet is used to request the kerberos ticket for a specified service principal name (SPN). Once the ticket is received, it may be cracked using password cracking tools like hashcat to extract the password of the SPN account. Red Teams and adversaries alike may leverage PowerView and these commandlets to identify accounts that can be attacked with the Kerberoasting technique.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText=*Get-DomainSPNTicket* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_kerberos_service_ticket_request_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "False positive may include Administrators using PowerView for troubleshooting and management.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainSPNTicket/", "https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/kerberoast", "https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting", "https://attack.mitre.org/techniques/T1558/003"], "tags": {"name": "Windows PowerView Kerberos Service Ticket Request", "analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "PowerView commandlets used for requesting SPN service ticket executed on $Computer$", "mitre_attack_id": ["T1558", "T1558.003"], "nist": ["DE.CM"], "observable": [{"name": "Client_Address", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Computer", "ScriptBlockText"], "risk_score": 27, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/powerview/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_powerview_kerberos_service_ticket_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_powerview_kerberos_service_ticket_request.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows PowerView SPN Discovery", "id": "a7093c28-796c-4ebb-9997-e2c18b870837", "version": 1, "date": "2022-06-22", "author": "Gowthamaraj Rajendran, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` or `Get-NetUSer` commandlets with specific parameters. These commandlets are part of PowerView, a PowerShell tool used to perform enumeration and discovery on Windows Active Directory networks. As the names suggest, these commandlets are used to identify domain users in a network and combining them with the `-SPN` parameter allows adversaries to discover domain accounts associated with a Service Principal Name (SPN). Red Teams and adversaries alike may leverage PowerView and these commandlets to identify accounts that can be attacked with the Kerberoasting technique.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (ScriptBlockText =*Get-NetUser* OR ScriptBlockText=*Get-DomainUser*) ScriptBlockText= *-SPN* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_powerview_spn_discovery_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "False positive may include Administrators using PowerView for troubleshooting and management.", "references": ["https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/kerberoast", "https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting", "https://attack.mitre.org/techniques/T1558/003"], "tags": {"name": "Windows PowerView SPN Discovery", "analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "PowerView commandlets used for SPN discovery executed on $Computer$", "mitre_attack_id": ["T1558", "T1558.003"], "nist": ["DE.CM"], "observable": [{"name": "Client_Address", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Computer", "ScriptBlockText"], "risk_score": 27, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/powerview-2/windows-powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_powerview_spn_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_powerview_spn_discovery.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows PowerView Unconstrained Delegation Discovery", "id": "fbf9e47f-e531-4fea-942d-5c95af7ed4d6", "version": 1, "date": "2022-03-28", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify commandlets used by the PowerView hacking tool leveraged to discover Windows endpoints with Kerberos Unconstrained Delegation. Red Teams and adversaries alike may leverage use this technique for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (Message = \"*Get-DomainComputer*\" OR Message = \"*Get-NetComputer*\") AND (Message = \"*-Unconstrained*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_unconstrained_delegation_discovery_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may leverage PowerView for system management or troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://adsecurity.org/?p=1667", "https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unconstrained-kerberos", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation", "https://www.cyberark.com/resources/threat-research-blog/weakness-within-kerberos-delegation"], "tags": {"name": "Windows PowerView Unconstrained Delegation Discovery", "analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Suspicious PowerShell Get-DomainComputer was identified on endpoint $ComputerName$", "mitre_attack_id": ["T1018"], "nist": ["DE.CM"], "observable": [{"name": "ComputerName", "type": "Hostname", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Message", "ComputerName", "User"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/unconstrained/windows-powershell.log", "source": "WinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_powerview_unconstrained_delegation_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_powerview_unconstrained_delegation_discovery.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Private Keys Discovery", "id": "5c1c2877-06c0-40ee-a1a2-db71f1372b5b", "version": 1, "date": "2022-11-30", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a process command line that retrieves information related to private keys files. This technique was seen in several post exploitation tools like winpeas that are being used by Ransomware Prestige to search for private key certificates on the compromised host for insecurely stored credentials. This files can be used by adversaries to gain privileges, persistence or remote service authentication to collect more sensitive information. Some private keys required password for operation, so in this case adversaries may need to have that passphrase either via keylogging or brute force attack.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*dir *\" OR Processes.process = \"*findstr*\" AND Processes.process IN ( \"*.rdg*\", \"*.gpg*\", \"*.pgp*\", \"*.p12*\", \"*.der*\", \"*.csr*\", \"*.cer*\", \"*.ovpn*\", \"*.key*\", \"*.ppk*\", \"*.p12*\", \"*.pem*\", \"*.pfx*\", \"*.p7b*\", \"*.asc*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_private_keys_discovery_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used.", "known_false_positives": "unknown", "references": ["https://attack.mitre.org/techniques/T1552/004/", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"name": "Windows Private Keys Discovery", "analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "a process with commandline $process$ that can retrieve information related to private keys in $dest$", "mitre_attack_id": ["T1552.004", "T1552"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id", "Processes.parent_process_guid", "Processes.process_guid"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1552.004", "mitre_attack_technique": "Private Keys", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_search_private_key/dir-private-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_private_keys_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_private_keys_discovery.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Process Injection into Notepad", "id": "b8340d0f-ba48-4391-bea7-9e793c5aae36", "version": 1, "date": "2023-02-22", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic utilizes Sysmon to identify process injection into Notepad.exe, based on GrantedAccess requests - 0x40 and 0x1fffff. This particular behavior is attributed to the defaults of the SliverC2 framework by BishopFox. By default, the analytic filters out any SourceImage paths of System32, Syswow64 and program files. Add more as needed, or remove and monitor what is consistently injecting into notepad.exe. This particular behavior will occur from a source image that is the initial payload dropped.", "data_source": ["Sysmon Event ID 10"], "search": "`sysmon` EventCode=10 TargetImage IN (*\\\\notepad.exe) NOT (SourceImage IN (\"*\\\\system32\\\\*\",\"*\\\\syswow64\\\\*\",\"*\\\\Program Files\\\\*\")) GrantedAccess IN (\"0x40\",\"0x1fffff\") | stats count min(_time) as firstTime max(_time) as lastTime by dest SourceImage TargetImage GrantedAccess CallTrace | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_into_notepad_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "False positives may be present based on SourceImage paths. If removing the paths is important, realize svchost and many native binaries inject into notepad consistently. Restrict or tune as needed.", "references": ["https://dominicbreuker.com/post/learning_sliver_c2_08_implant_basics/", "https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors"], "tags": {"name": "Windows Process Injection into Notepad", "analytic_story": ["BishopFox Sliver Adversary Emulation Framework"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 40, "kill_chain_phases": ["Exploitation"], "message": "An instance of $SourceImage$ injecting into $TargetImage$ was identified on endpoint $dest$.", "mitre_attack_id": ["T1055", "T1055.002"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Parent Process"]}, {"name": "TargetImage", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "SourceImage", "TargetImage", "GrantedAccess", "CallTrace"], "risk_score": 32, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1055.002", "mitre_attack_technique": "Portable Executable Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Gorgon Group", "Rocke"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/sliver/T1055_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_process_injection_into_notepad_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_process_injection_into_notepad.yml", "source": "endpoint"}, {"name": "Windows Process Injection Of Wermgr to Known Browser", "id": "aec755a5-3a2c-4be0-ab34-6540e68644e9", "version": 1, "date": "2022-10-28", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies the suspicious Remote Thread execution of wermgr.exe process to \"firefox.exe\", \"chrome.exe\" and other known browsers. This technique was seen in Qakbot malware that executes its malicious code by injecting its code in legitimate Windows Operating System processes such as wermgr.exe to steal information in the compromised host. This TTP detection can be a good pivot to detect wermgr.exe process injected with qakbot code that tries to remote thread code execution in known browsers like firefox and edge which is not a common behavior of this wermgr.exe application.", "data_source": ["Sysmon Event ID 8"], "search": "`sysmon` EventCode=8 SourceImage = \"*\\\\wermgr.exe\" TargetImage IN (\"*\\\\firefox.exe\", \"*\\\\chrome.exe\", \"*\\\\iexplore.exe\",\"*\\\\microsoftedgecp.exe\") | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage SourceProcessGuid SourceProcessId StartAddress StartFunction TargetProcessGuid TargetProcessId EventCode Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_of_wermgr_to_known_browser_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the SourceImage, TargetImage, and EventCode executions from your endpoints related to create remote thread or injecting codes. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "references": ["https://news.sophos.com/en-us/2022/03/10/qakbot-decoded/", "https://www.trellix.com/en-us/about/newsroom/stories/research/demystifying-qbot-malware.html"], "tags": {"name": "Windows Process Injection Of Wermgr to Known Browser", "analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "wermgr.exe process $SourceImage$ create a remote thread to a browser process $TargetImage$ in host $Computer$", "mitre_attack_id": ["T1055.001", "T1055"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "SourceImage", "TargetImage", "SourceProcessGuid", "SourceProcessId", "StartAddress", "StartFunction", "TargetProcessGuid", "TargetProcessId", "EventCode", "Computer"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055.001", "mitre_attack_technique": "Dynamic-link Library Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["BackdoorDiplomacy", "Lazarus Group", "Leviathan", "Putter Panda", "TA505", "Tropic Trooper", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/remote_thread/sysmon_wermgr_remote.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_process_injection_of_wermgr_to_known_browser_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_process_injection_of_wermgr_to_known_browser.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Windows Process Injection Remote Thread", "id": "8a618ade-ca8f-4d04-b972-2d526ba59924", "version": 1, "date": "2022-11-10", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a suspicious remote thread execution in some process being abused by threat actor and malware like qakbot. Qakbot is one of the malware using this technique to load its malicious dll module or malicious code in the targeted host. This TTP can be a good pivot to verify what is the behavior of the targeted Image process after this detection trigger. look for network connection, child process execution, file access and many more that helps to verify the indication of malware infection.", "data_source": ["Sysmon Event ID 8"], "search": "`sysmon` EventCode=8 TargetImage IN (\"*\\\\Taskmgr.exe\", \"*\\\\calc.exe\", \"*\\\\notepad.exe\", \"*\\\\rdpclip.exe\", \"*\\\\explorer.exe\", \"*\\\\wermgr.exe\", \"*\\\\ping.exe\", \"*\\\\OneDriveSetup.exe\", \"*\\\\dxdiag.exe\", \"*\\\\mobsync.exe\", \"*\\\\msra.exe\", \"*\\\\xwizard.exe\") | stats count min(_time) as firstTime max(_time) as lastTime by TargetImage TargetProcessId SourceProcessId EventCode StartAddress SourceImage Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_remote_thread_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records process activity from your hosts like remote thread EventCode=8 of sysmon. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "references": ["https://twitter.com/pr0xylife/status/1585612370441031680?s=46&t=Dc3CJi4AnM-8rNoacLbScg"], "tags": {"name": "Windows Process Injection Remote Thread", "analytic_story": ["Qakbot"], "asset_type": "80", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "process $SourceImage$ create a remote thread to process $TargetImage$ on host $Computer$", "mitre_attack_id": ["T1055", "T1055.002"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Attacker"]}, {"name": "TargetImage", "type": "Process", "role": ["Target"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "SourceImage", "TargetImage", "TargetProcessId", "SourceProcessId", "StartAddress", "EventCode", "Computer", "signature", "TargetProcessGuid", "SourceProcessGuid", "StartAddress"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1055.002", "mitre_attack_technique": "Portable Executable Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Gorgon Group", "Rocke"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_wermgr2/sysmon_wermgr2.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_process_injection_remote_thread_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_process_injection_remote_thread.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Windows Process Injection Wermgr Child Process", "id": "360ae6b0-38b5-4328-9e2b-bc9436cddb17", "version": 1, "date": "2022-10-27", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a suspicious wermgr.exe parent process having a child process not related to error, fault or windows werfault event. This technique was seen in Qakbot malware where it inject its malicious code in wermgr to evade detections and hide from the analyst to execute its recon and its malicious behavior. This Anomaly detection can be a good pivot to start investigating a possible qakbot infection in the network. The Wermgr.exe process is not known to have other child processes aside from itself or werfault.exe", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = \"wermgr.exe\" AND NOT (Processes.process_name IN (\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_wermgr_child_process_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "references": ["https://twitter.com/pr0xylife/status/1585612370441031680?s=46&t=Dc3CJi4AnM-8rNoacLbScg"], "tags": {"name": "Windows Process Injection Wermgr Child Process", "analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "wermgr parent process has a child process $process_name$ in $dest$", "mitre_attack_id": ["T1055"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_wermgr/sysmon_wermgr.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_process_injection_wermgr_child_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_process_injection_wermgr_child_process.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Process Injection With Public Source Path", "id": "492f09cf-5d60-4d87-99dd-0bc325532dda", "version": 1, "date": "2022-08-24", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies a process in a non-standard file path on Windows attempting to create a remote thread into a process. This Windows API,CreateRemoteThread, is commonly used by adversaries for process injection to evade detections or gain privilege escalation.", "data_source": ["Sysmon Event ID 8"], "search": "`sysmon` EventCode=8 TargetImage = \"*.exe\" AND NOT(SourceImage IN(\"C:\\\\Windows\\\\*\", \"C:\\\\Program File*\", \"%systemroot%\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage signature TargetProcessGuid SourceProcessGuid TargetProcessId SourceProcessId StartAddress EventCode Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_with_public_source_path_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Some security products or third party applications may utilize CreateRemoteThread, filter as needed before enabling as a notable.", "references": ["https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/"], "tags": {"name": "Windows Process Injection With Public Source Path", "analytic_story": ["Brute Ratel C4"], "asset_type": "80", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "process $SourceImage$ create a remote thread to process $TargetImage$ on host $Computer$", "mitre_attack_id": ["T1055", "T1055.002"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Attacker"]}, {"name": "TargetImage", "type": "Process", "role": ["Target"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "SourceImage", "TargetImage", "TargetProcessId", "SourceProcessId", "StartAddress", "EventCode", "Computer", "signature", "TargetProcessGuid", "SourceProcessGuid", "StartAddress"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1055.002", "mitre_attack_technique": "Portable Executable Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Gorgon Group", "Rocke"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/create_remote_thread/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_process_injection_with_public_source_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_process_injection_with_public_source_path.yml", "source": "endpoint"}, {"name": "Windows Process With NamedPipe CommandLine", "id": "e64399d4-94a8-11ec-a9da-acde48001122", "version": 1, "date": "2022-02-23", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to look for process commandline that contains named pipe. This technique was seen in some adversaries, threat actor and malware like olympic destroyer to communicate to its other child processes after process injection that serve as defense evasion and privilege escalation. On the other hand this analytic may catch some normal process that using this technique for example browser application. In that scenario we include common process path we've seen during testing that cause false positive which is the program files. False positive may still be arise if the normal application is in other folder path.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*\\\\\\\\.\\\\pipe\\\\*\" NOT (Processes.process_path IN (\"*\\\\program files*\")) by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_path Processes.process_guid Processes.parent_process_id Processes.dest Processes.user Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_with_namedpipe_commandline_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Normal browser application may use this technique. Please update the filter macros to remove false positives.", "references": ["https://blog.talosintelligence.com/2018/02/olympic-destroyer.html"], "tags": {"name": "Windows Process With NamedPipe CommandLine", "analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Process with named pipe in $process$ on $dest$", "mitre_attack_id": ["T1055"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id", "Processes.process_guid"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/olympic_destroyer/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_process_with_namedpipe_commandline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_process_with_namedpipe_commandline.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Processes Killed By Industroyer2 Malware", "id": "d8bea5ca-9d4a-4249-8b56-64a619109835", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic is to look for known processes killed by industroyer2 malware. This technique was seen in the industroyer2 malware attack that tries to kill several processes of windows host machines related to the energy facility network. This anomaly might be a good indicator to check which process kill these processes or why the process was killed.", "data_source": ["Sysmon Event ID 5"], "search": "`sysmon` EventCode=5 process_name IN (\"PServiceControl.exe\", \"PService_PPD.exe\") | stats min(_time) as firstTime max(_time) as lastTime count by process_name process process_path process_guid process_id EventCode dest user_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_processes_killed_by_industroyer2_malware_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required.", "known_false_positives": "False positives are possible if legitimate applications are allowed to terminate this process during testing or updates. Filter as needed based on paths that are used legitimately.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/"], "tags": {"name": "Windows Processes Killed By Industroyer2 Malware", "analytic_story": ["Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Actions on Objectives"], "message": "process was terminated $process_name$ in $dest$", "mitre_attack_id": ["T1489"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id", "Processes.process_guid"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/industroyer2/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_processes_killed_by_industroyer2_malware_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_processes_killed_by_industroyer2_malware.yml", "source": "endpoint"}, {"name": "Windows Protocol Tunneling with Plink", "id": "8aac5e1e-0fab-4437-af0b-c6e60af23eed", "version": 1, "date": "2022-09-15", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of Plink being utilized to proxy egress or laterally in an organization. The analytic is limited to specific Plink options on the command-line, including -R -L and -D which will have the remote and local IP address or port and -l for a username. Modify the options as seen fit for your organization.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=plink.exe OR Processes.original_file_name=Plink Processes.process IN (\"*-R *\", \"*-L *\", \"*-D *\", \"*-l *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_protocol_tunneling_with_plink_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present if the organization allows for SSH tunneling outbound or internally. Filter as needed.", "references": ["https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html", "https://attack.mitre.org/techniques/T1572/", "https://documentation.help/PuTTY/using-cmdline-portfwd.html#S3.8.3.5"], "tags": {"name": "Windows Protocol Tunneling with Plink", "analytic_story": ["CISA AA22-257A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Command And Control", "Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to tunnel to a remote destination.", "mitre_attack_id": ["T1572", "T1021.004"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1572", "mitre_attack_technique": "Protocol Tunneling", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Chimera", "Cobalt Group", "FIN6", "Fox Kitten", "Leviathan", "Magic Hound", "OilRig"]}, {"mitre_attack_id": "T1021.004", "mitre_attack_technique": "SSH", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT39", "BlackTech", "FIN7", "Fox Kitten", "GCMAN", "Lazarus Group", "Leviathan", "OilRig", "Rocke", "TEMP.Veles", "TeamTNT", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/plink/plink-windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_protocol_tunneling_with_plink_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_protocol_tunneling_with_plink.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Proxy Via Netsh", "id": "c137bfe8-6036-4cff-b77b-4e327dd0a1cf", "version": 1, "date": "2023-05-25", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This search looks for processes launching netsh.exe for connection proxy. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process = \"* portproxy *\" Processes.process = \"* v4tov4 *\" by Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.user Processes.dest |`drop_dm_object_name(\"Processes\")` |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `windows_proxy_via_netsh_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Some VPN applications are known to launch netsh.exe. Outside of these instances, it is unusual for an executable to launch netsh.exe and run commands.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"name": "Windows Proxy Via Netsh", "analytic_story": ["Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Command And Control"], "message": "A process $process_name$ has launched netsh with command-line $process$ on $dest$.", "mitre_attack_id": ["T1090.001", "T1090"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.user", "Processes.dest"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "atomic_guid": ["b8223ea9-4be2-44a6-b50a-9657a3d4e72a"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1090.001", "mitre_attack_technique": "Internal Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT39", "Higaisa", "Lazarus Group", "Strider", "Turla"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "POLONIUM", "Sandworm Team", "Turla", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1090.001/netsh_portproxy/volt_sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_netsh", "definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_proxy_via_netsh_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_proxy_via_netsh.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Proxy Via Registry", "id": "0270455b-1385-4579-9ac5-e77046c508ae", "version": 1, "date": "2023-05-25", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This search looks for processes launching netsh.exe for connection proxy. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line.", "data_source": ["Sysmon EventID 12", "Sysmon EventID 13", "Sysmon EventID 14"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path =\"*\\\\System\\\\CurrentControlSet\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp*\" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.action Registry.dest Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_proxy_via_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "references": ["https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"name": "Windows Proxy Via Registry", "analytic_story": ["Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Command And Control"], "message": "A registry modification for port proxy in$dest$", "mitre_attack_id": ["T1090.001", "T1090"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action", "Registry.registry_value_data"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "atomic_guid": ["b8223ea9-4be2-44a6-b50a-9657a3d4e72a"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1090.001", "mitre_attack_technique": "Internal Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT39", "Higaisa", "Lazarus Group", "Strider", "Turla"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "POLONIUM", "Sandworm Team", "Turla", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1090.001/netsh_portproxy/volt_sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_proxy_via_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_proxy_via_registry.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Query Registry Browser List Application", "id": "45ebd21c-f4bf-4ced-bd49-d25b6526cebb", "version": 1, "date": "2023-04-25", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a suspicious process accessing default internet browsers registry entry. This registry is used by Windows to store information about default internet browsers installed on a system. Malware, adversaries or red-teamers can abuse this registry key to collect data about the installed internet browsers and their associated settings. This information can be used to steal sensitive data such as login credentials, browsing history, and saved passwords. We observed noise that needs to be filter out so we add several known path of Windows Application to make this detection more stable.", "data_source": ["Security Event ID 4663"], "search": "`wineventlog_security` EventCode=4663 object_file_path IN (\"*\\\\SOFTWARE\\\\Clients\\\\StartMenuInternet\\\\*\", \"*\\\\SOFTWARE\\\\Clients\\\\StartMenuInternet\\\\*\") AND NOT (process_path IN (\"*:\\\\Windows\\\\System32\\\\*\", \"*:\\\\Windows\\\\SysWow64\\\\*\", \"*:\\\\Program Files*\", \"*:\\\\Windows\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_query_registry_browser_list_application_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "uninstall application may access this registry to remove the entry of the target application. filter is needed.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"name": "Windows Query Registry Browser List Application", "analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "A suspicious process accessing installed default browser registry on $dest$", "mitre_attack_id": ["T1012"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "object_file_name", "object_file_path", "process_name", "process_path", "process_id", "EventCode", "dest"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/browser_list/ar3_4663_redline_reg.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_query_registry_browser_list_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_query_registry_browser_list_application.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Query Registry Reg Save", "id": "cbee60c1-b776-456f-83c2-faa56bdbe6c6", "version": 1, "date": "2022-12-12", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies a process execution of reg.exe with \"save\" parameter. This reg.exe parameter is commonly being abused by threat actors, adversaries and red-teamers to dump credentials or to check the registry modification capabilities of certain users or administrators in targeted hosts. This approach was seen in post-exploitation tool like winpeas where it uses \"reg save\" and \"reg restore\" to check registry modification restriction in targeted host after gaining access to it.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = \"* save *\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_query_registry_reg_save_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used.", "known_false_positives": "network administrator can use this command tool to backup registry before updates or modifying critical registries.", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/quser", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"name": "Windows Query Registry Reg Save", "analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "execution of process $process_name$ in $dest$", "mitre_attack_id": ["T1012"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id", "Processes.parent_process_guid", "Processes.process_guid"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_query_registry_reg_save_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_query_registry_reg_save.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Query Registry UnInstall Program List", "id": "535fd4fc-7151-4062-9d7e-e896bea77bf6", "version": 1, "date": "2023-04-25", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a suspicious query on uninstall application list in Windows OS registry. This registry is commonly used by legitimate software to store information about installed applications on a Windows system, such as their name, version, publisher, and installation path. However, malware, adversaries or even red-teamers can abuse this registry key to retrieve information stored in the \"Uninstall\" key to gather data about installed applications in the target host. This Anomaly detection can be a good pivot to detect a possible suspicious process accessing this registry which is not commonly accessed by a normal user.", "data_source": ["Security Event ID 4663"], "search": "`wineventlog_security` EventCode=4663 object_file_path=\"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\*\" | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_query_registry_uninstall_program_list_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "Uninstall application may access this registry to remove the entry of the target application. Filter is needed.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"name": "Windows Query Registry UnInstall Program List", "analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "A suspicious process $process_name$ accessing uninstall registry on $dest$", "mitre_attack_id": ["T1012"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "object_file_name", "object_file_path", "process_name", "process_path", "process_id", "EventCode", "dest"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/recon_registry/recon-reg-redline-security-xml.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_query_registry_uninstall_program_list_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_query_registry_uninstall_program_list.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Raccine Scheduled Task Deletion", "id": "c9f010da-57ab-11ec-82bd-acde48001122", "version": 1, "date": "2021-12-07", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the Raccine Rules Updater scheduled task being deleted. Adversaries may attempt to remove this task in order to prevent the update of Raccine. Raccine is a \"ransomware vaccine\" created by security researcher Florian Roth, designed to intercept and prevent precursors and active ransomware behavior.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe Processes.process=\"*delete*\" AND Processes.process=\"*Raccine*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raccine_scheduled_task_deletion_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited, however filter as needed.", "references": ["https://redcanary.com/blog/blackbyte-ransomware/", "https://github.com/Neo23x0/Raccine"], "tags": {"name": "Windows Raccine Scheduled Task Deletion", "analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user user$ attempting to disable Raccines scheduled task.", "mitre_attack_id": ["T1562.001"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/atomic_red_team/windows-sysmon_raccine.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_raccine_scheduled_task_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_raccine_scheduled_task_deletion.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Rapid Authentication On Multiple Hosts", "id": "62606c77-d53d-4182-9371-b02cdbbbcef7", "version": 1, "date": "2023-03-23", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic leverages Event ID 4624 to identify a source computer authenticating to a large number of remote endpoints within an Active Directory network. Specifically, the logic will trigger when a source endpoint authenticates to 30 or more target computers within a 5 minute timespan. This behavior could represent an adversary who is moving laterally across the environment or enumerating network shares in the search for sensitive files. As environments differ across organizations, security teams should customize the thresholds of this detection as needed.", "data_source": ["Windows Security 4624"], "search": " `wineventlog_security` EventCode=4624 LogonType=3 TargetUserName!=\"ANONYMOUS LOGON\" TargetUserName!=\"*$\" | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as host_targets by _time, IpAddress, TargetUserName | where unique_targets > 30 | `windows_rapid_authentication_on_multiple_hosts_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "Vulnerability scanners or system administration tools may also trigger this detection. Filter as needed.", "references": ["https://attack.mitre.org/techniques/T1135/", "https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624"], "tags": {"name": "Windows Rapid Authentication On Multiple Hosts", "analytic_story": ["Active Directory Privilege Escalation", "Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "The source computer with ip address $IpAddress$ authenticated to a large number of remote endpoints within 5 minutes.", "mitre_attack_id": ["T1003.002"], "nist": ["DE.CM"], "observable": [{"name": "host_targets", "type": "Endpoint", "role": ["Victim"]}, {"name": "IpAddress", "type": "Endpoint", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Logon_Type", "TargetUserName", "Computer", "IpAddress"], "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/rapid_authentication_multiple_hosts/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_rapid_authentication_on_multiple_hosts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_rapid_authentication_on_multiple_hosts.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Rasautou DLL Execution", "id": "6f42b8be-8e96-11ec-ad5a-acde48001122", "version": 1, "date": "2022-02-15", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the Windows Windows Remote Auto Dialer, rasautou.exe executing an arbitrary DLL. This technique is used to execute arbitrary shellcode or DLLs via the rasautou.exe LOLBin capability. During triage, review parent and child process behavior including file and image loads.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rasautou.exe Processes.process=\"* -d *\"AND Processes.process=\"* -p *\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_rasautou_dll_execution_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives will be limited to applications that require Rasautou.exe to load a DLL from disk. Filter as needed.", "references": ["https://github.com/mandiant/DueDLLigence", "https://github.com/MHaggis/notes/blob/master/utilities/Invoke-SPLDLLigence.ps1", "https://gist.github.com/NickTyrer/c6043e4b302d5424f701f15baf136513", "https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode"], "tags": {"name": "Windows Rasautou DLL Execution", "analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ attempting to load a DLL in a suspicious manner.", "mitre_attack_id": ["T1055.001", "T1218", "T1055"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055.001", "mitre_attack_technique": "Dynamic-link Library Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["BackdoorDiplomacy", "Lazarus Group", "Leviathan", "Putter Panda", "TA505", "Tropic Trooper", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055.001/rasautou/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_rasautou_dll_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_rasautou_dll_execution.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Raw Access To Disk Volume Partition", "id": "a85aa37e-9647-11ec-90c5-acde48001122", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to look for suspicious raw access read to device disk partition of the host machine. This technique was seen in several attacks by adversaries or threat actor to wipe, encrypt or overwrite the boot sector of each partition as part of their impact payload for example the \"hermeticwiper\" malware. This detection is a good indicator that there is a process try to read or write on boot sector.", "data_source": ["Sysmon Event ID 9"], "search": "`sysmon` EventCode=9 Device = \\\\Device\\\\HarddiskVolume* NOT (Image IN(\"*\\\\Windows\\\\System32\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image Device ProcessGuid ProcessId EventDescription EventCode Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raw_access_to_disk_volume_partition_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the raw access read event (like sysmon eventcode 9), process name and process guid from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "This event is really notable but we found minimal number of normal application from system32 folder like svchost.exe accessing it too. In this case we used 'system32' and 'syswow64' path as a filter for this detection.", "references": ["https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html"], "tags": {"name": "Windows Raw Access To Disk Volume Partition", "analytic_story": ["CISA AA22-264A", "Data Destruction", "Caddy Wiper", "Hermetic Wiper"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "message": "Process accessing disk partition $device$ in $dest$", "mitre_attack_id": ["T1561.002", "T1561"], "nist": ["DE.AE"], "observable": [{"name": "ComputerName", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Computer", "Image", "Device", "ProcessGuid", "ProcessId", "EventDescription", "EventCode"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/hermetic_wiper/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_raw_access_to_disk_volume_partition_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml", "source": "endpoint"}, {"name": "Windows Raw Access To Master Boot Record Drive", "id": "7b83f666-900c-11ec-a2d9-acde48001122", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to look for suspicious raw access read to drive where the master boot record is placed. This technique was seen in several attacks by adversaries or threat actor to wipe, encrypt or overwrite the master boot record code as part of their impact payload. This detection is a good indicator that there is a process try to read or write on MBR sector.", "data_source": ["Sysmon Event ID 9"], "search": "`sysmon` EventCode=9 Device = \\\\Device\\\\Harddisk0\\\\DR0 NOT (Image IN(\"*\\\\Windows\\\\System32\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer Image Device ProcessGuid ProcessId EventDescription EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raw_access_to_master_boot_record_drive_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the raw access read event (like sysmon eventcode 9), process name and process guid from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "This event is really notable but we found minimal number of normal application from system32 folder like svchost.exe accessing it too. In this case we used 'system32' and 'syswow64' path as a filter for this detection.", "references": ["https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html", "https://www.crowdstrike.com/blog/technical-analysis-of-whispergate-malware/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"name": "Windows Raw Access To Master Boot Record Drive", "analytic_story": ["Caddy Wiper", "CISA AA22-264A", "Hermetic Wiper", "Data Destruction", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "message": "process accessing MBR $device$ in $dest$", "mitre_attack_id": ["T1561.002", "T1561"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Computer", "Image", "Device", "ProcessGuid", "ProcessId", "EventDescription", "EventCode"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1561.002/mbr_raw_access/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_raw_access_to_master_boot_record_drive_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Windows RDP Connection Successful", "id": "ceaed840-56b3-4a70-b8e1-d762b1c5c08c", "version": 1, "date": "2023-04-17", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies successful remote desktop connections. Utilize this analytic to hunt for successful attempts. In addition, the query may be modified for EventCode=1148 to potentially identify failed attempts. In testing, 1148 would not generate based on a failed logon attempt. Note this analytic requires enabling and a stanza in a inputs.conf.", "data_source": [], "search": "`remoteconnectionmanager` EventCode=1149 | stats count min(_time) as firstTime max(_time) as lastTime by ComputerName, Source_Network_Address, User, Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename ComputerName as dest | `windows_rdp_connection_successful_filter`", "how_to_implement": "The following analyic requires the WIndows TerminalServices RemoteConnectionManager Operational log to be enabled and ingested into Splunk. For the inputs, review https://gist.github.com/MHaggis/138c6bf563bacbda4a2524f089773706.", "known_false_positives": "False positives will be present, filter as needed or restrict to critical assets on the perimeter.", "references": ["https://gist.github.com/MHaggis/138c6bf563bacbda4a2524f089773706", "https://doublepulsar.com/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6"], "tags": {"name": "Windows RDP Connection Successful", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "A successful RDP connection on $dest$ occurred.", "mitre_attack_id": ["T1563.002"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "Source_Network_Address", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["EventCode", "ComputerName", "Source_Network_Address", "User", "Message"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "atomic_guid": [], "mitre_attack_enrichments": [{"mitre_attack_id": "T1563.002", "mitre_attack_technique": "RDP Hijacking", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Axiom"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1563.002/rdphijack/remoteconnectionmanager.log", "source": "WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational", "sourcetype": "wineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "remoteconnectionmanager", "definition": "source=\"WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_rdp_connection_successful_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_rdp_connection_successful.yml", "source": "endpoint"}, {"name": "Windows Registry BootExecute Modification", "id": "eabbac3a-45aa-4659-920f-6b8cff383fb8", "version": 1, "date": "2023-05-03", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "This analytic monitors the BootExecute registry key for any modifications from its default value, which could indicate potential malicious activity. The BootExecute registry key, located at HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager, manages the list of applications and services that are executed during system boot. By default, the BootExecute value is set to \"autocheck autochk *\". Attackers might attempt to modify this value to achieve persistence, load malicious code, or tamper with the system's boot process.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path=\"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\BootExecute\" BY _time span=1h Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid, Registry.action | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_registry_bootexecute_modification_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Windows Registry that include the name of the path and key responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present and will need to be filtered.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/"], "tags": {"name": "Windows Registry BootExecute Modification", "analytic_story": ["Windows BootKits"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation", "Installation"], "message": "The Registry BootExecute value was modified on $dest$ and should be reviewed immediately.", "mitre_attack_id": ["T1542", "T1547.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_path", "Registry.registry_key_name", "Registry.registry_value_name", "Registry.registry_value_data", "Registry.process_guid", "Registry.action"], "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "atomic_guid": [], "mitre_attack_enrichments": [{"mitre_attack_id": "T1542", "mitre_attack_technique": "Pre-OS Boot", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.001/atomic_red_team/bootexecute-windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_registry_bootexecute_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_registry_bootexecute_modification.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Registry Certificate Added", "id": "5ee98b2f-8b9e-457a-8bdc-dd41aaba9e87", "version": 2, "date": "2023-04-27", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies installation of a root CA certificate by monitoring the registry. The base paths may be found [here](https://gist.github.com/mattifestation/75d6117707bcf8c26845b3cbb6ad2b6b/raw/ae65ef15c706140ffc2e165615204e20f2903028/RootCAInstallationDetection.xml). In short, there are specific certificate registry paths that will be written to (SetValue) when a new certificate is added. The high-fidelity events to pay attention to are SetValue events where the TargetObject property ends with \"\\Blob\" as this indicates the direct installation or modification of a root certificate binary blob. The other high fidelity reference will be which process is making the registry modifications. There are very few processes that modify these day to day, therefore monitoring for all to start (hunting) provides a great beginning.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_path IN (\"*\\\\certificates\\\\*\") AND Registry.registry_value_name=\"Blob\" by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.process_guid Registry.registry_key_name Registry.registry_value_data | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_registry_certificate_added_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives will be limited to a legitimate business applicating consistently adding new root certificates to the endpoint. Filter by user, process, or thumbprint.", "references": ["https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", "https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1553.004"], "tags": {"name": "Windows Registry Certificate Added", "analytic_story": ["Windows Drivers", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "A root certificate was added on $dest$.", "mitre_attack_id": ["T1553.004", "T1553"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_path", "Registry.registry_key_name", "Registry.registry_value_name", "Registry.dest"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1553.004", "mitre_attack_technique": "Install Root Certificate", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1553", "mitre_attack_technique": "Subvert Trust Controls", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Axiom"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1587.002/atomic_red_team/certblob_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_registry_certificate_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_registry_certificate_added.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Registry Delete Task SD", "id": "ffeb7893-ff06-446f-815b-33ca73224e92", "version": 1, "date": "2022-04-13", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a process attempting to delete a scheduled task SD (Security Descriptor) from within the registry path of that task. This may occur from a non-standard process running and may not come from reg.exe. This particular behavior will remove the actual Task Name from the Task Scheduler GUI and from the command-line query - schtasks.exe /query. In addition, in order to perform this action, the user context will need to be SYSTEM.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_path IN (\"*\\\\Schedule\\\\TaskCache\\\\Tree\\\\*\") Registry.user=\"SYSTEM\" Registry.registry_value_name=\"SD\" (Registry.action=Deleted OR Registry.action=modified) by _time Registry.dest Registry.process_guid Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_key_name Registry.registry_value_data Registry.status Registry.action | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_registry_delete_task_sd_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited as the activity is not common to delete ONLY the SD from the registry. Filter as needed. Update the analytic Modified or Deleted values based on product that is in the datamodel.", "references": ["https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/", "https://gist.github.com/MHaggis/5f7fd6745915166fc6da863d685e2728", "https://gist.github.com/MHaggis/b246e2fae6213e762a6e694cabaf0c17"], "tags": {"name": "Windows Registry Delete Task SD", "analytic_story": ["Windows Registry Abuse", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A scheduled task security descriptor was deleted from the registry on $dest$.", "mitre_attack_id": ["T1053.005", "T1562"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_path", "Registry.registry_key_name", "Registry.registry_value_name", "Registry.dest", "Processes.process_id", "Processes.process_name", "Processes.process", "Processes.dest", "Processes.process_guid"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/taskschedule/sd_delete_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_registry_delete_task_sd_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_registry_delete_task_sd.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Registry Modification for Safe Mode Persistence", "id": "c6149154-c9d8-11eb-9da7-acde48001122", "version": 4, "date": "2023-04-27", "author": "Teoderick Contreras, Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a modification or registry add to the safeboot registry as an autostart mechanism. This technique is utilized by adversaries to persist a driver or service into Safe Mode. Two keys are monitored in this analytic, Minimal and Network. adding values to Minimal will load into Safe Mode and by adding into Network it will provide the service or drive the ability to perform network connections in Safe Mode.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_path IN (\"*SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\*\",\"*SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\*\") by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.process_guid Registry.registry_key_name Registry.registry_value_data | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_registry_modification_for_safe_mode_persistence_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "updated windows application needed in safe boot may used this registry", "references": ["https://malware.news/t/threat-analysis-unit-tau-threat-intelligence-notification-snatch-ransomware/36365", "https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md", "https://blog.didierstevens.com/2007/03/26/playing-with-safe-mode/"], "tags": {"name": "Windows Registry Modification for Safe Mode Persistence", "analytic_story": ["Ransomware", "Windows Registry Abuse", "Windows Drivers"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Installation", "Exploitation"], "message": "Safeboot registry $registry_path$ was added or modified with a new value $registry_value_name$ on $dest$", "mitre_attack_id": ["T1547.001", "T1547"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_path", "Registry.registry_key_name", "Registry.registry_value_name", "Registry.dest"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data1/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_registry_modification_for_safe_mode_persistence_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Regsvr32 Renamed Binary", "id": "7349a9e9-3cf6-4171-bb0c-75607a8dcd1a", "version": 1, "date": "2022-10-27", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following hunting analytic identifies renamed instances of regsv32.exe executing. regsv32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64. During investigation, validate if it is the legitimate regsv32.exe executing and what dll module content it is loading. This query relies on the original filename or internal name from the PE meta data. Expand the query as needed by looking for specific command line arguments outlined in other analytics.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name != regsvr32.exe AND Processes.original_file_name=regsvr32.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_regsvr32_renamed_binary_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "references": ["https://twitter.com/pr0xylife/status/1585612370441031680?s=46&t=Dc3CJi4AnM-8rNoacLbScg"], "tags": {"name": "Windows Regsvr32 Renamed Binary", "analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "regsvr32 was renamed as $process_name$ in $dest$", "mitre_attack_id": ["T1218.010", "T1218"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_3/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_regsvr32_renamed_binary_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_regsvr32_renamed_binary.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Remote Access Software BRC4 Loaded Dll", "id": "73cf5dcb-cf36-4167-8bbe-384fe5384d05", "version": 1, "date": "2022-08-24", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following anomaly detection identifies the behavior related to 4 native Windows DLLs being loaded by a non-standard process. Identified by MDSec during their research into Brute Ratel, MDSec identified a high signal analytic by calling out these 4 DLLs being loaded into a process. LogonCLI.dll is the Net Logon Client DLL and is related to users and other domain services to get authenticated. Credui.dll is Credential Manager User Interface. Credential managers receive notifications when authentication information changes. For example, credential managers are notified when a user logs on or an account password changes. Samcli.dll is the Security Accounts Manager Client DLL. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. Dbghelp.dll is Windows Image Helper. Windows Image Helper is commonly seen in credential dumping due to native functions. All of these modules are important to monitor and track and combined may lead to credentail access or dumping.", "data_source": ["Sysmon Event ID 7"], "search": "`sysmon` EventCode=7 |bin _time span=30s | eval BRC4_AnomalyLoadedDll=case(OriginalFileName==\"credui.dll\", 1, OriginalFileName==\"DBGHELP.DLL\", 1, OriginalFileName==\"SAMCLI.DLL\", 1, OriginalFileName==\"winhttp.dll\", 1, 1=1, 0) | eval BRC4_LoadedDllPath=case(match(ImageLoaded, \"credui.dll\"), 1, match(ImageLoaded, \"dbghelp.dll\"), 1, match(ImageLoaded, \"samcli.dll\"), 1, match(ImageLoaded, \"winhttp.dll\"), 1, 1=1, 0) | stats count min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) as ImageLoaded values(OriginalFileName) as OriginalFileName dc(ImageLoaded) as ImageLoadedCount by Image BRC4_LoadedDllPath BRC4_AnomalyLoadedDll Computer EventCode Signed | where ImageLoadedCount == 4 AND (BRC4_LoadedDllPath == 1 OR BRC4_AnomalyLoadedDll == 1) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_access_software_brc4_loaded_dll_filter`", "how_to_implement": "The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products.", "known_false_positives": "This module can be loaded by a third party application. Filter is needed.", "references": ["https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/", "https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/", "https://strontic.github.io/xcyclopedia/library/logoncli.dll-138871DBE68D0696D3D7FA91BC2873B1.html", "https://strontic.github.io/xcyclopedia/library/credui.dll-A5BD797BBC2DD55231B9DE99837E5461.html", "https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-manager", "https://strontic.github.io/xcyclopedia/library/samcli.dll-522D6D616EF142CDE965BD3A450A9E4C.html", "https://strontic.github.io/xcyclopedia/library/dbghelp.dll-15A55EAB307EF8C190FE6135C0A86F7C.html"], "tags": {"name": "Windows Remote Access Software BRC4 Loaded Dll", "analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Command And Control", "Exploitation"], "message": "a process $Image$ loaded several modules $ImageLoaded$ that might related to credential access on $Computer$.", "mitre_attack_id": ["T1219", "T1003"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "ImageLoaded", "process_name", "Computer", "EventCode", "Signed", "ProcessId"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "TeamTNT", "Thrip"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_remote_access_software_brc4_loaded_dll_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml", "source": "endpoint"}, {"name": "Windows Remote Access Software Hunt", "id": "8bd22c9f-05a2-4db1-b131-29271f28cb0a", "version": 1, "date": "2022-08-22", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following hunting analytic is meant to help organizations understand what remote access software is being used in the environment. When reviewing this hunt, confirm the software identified is authorized to be utilized. Based on fidelity, create a new analytic for specific utilities banned within the organization. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes where Processes.dest!=unknown Processes.user!=unknown by Processes.dest Processes.user Processes.process_name Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup remote_access_software remote_utility AS process_name OUTPUT isutility | search isutility = True | `windows_remote_access_software_hunt_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives will be found. Filter as needed and create higher fidelity analytics based off banned remote access software.", "references": ["https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/"], "tags": {"name": "Windows Remote Access Software Hunt", "analytic_story": ["Insider Threat", "Command And Control", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 10, "impact": 10, "kill_chain_phases": ["Command And Control"], "message": "The following Remote Access Software $process_name$ was identified on $dest$.", "mitre_attack_id": ["T1219"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 1, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "TeamTNT", "Thrip"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_remote_access_software_hunt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "remote_access_software", "description": "A list of Remote Access Software", "filename": "remote_access_software.csv", "default_match": "false", "match_type": "WILDCARD(remote_software)", "min_matches": 1, "case_sensitive_match": "false"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_remote_access_software_hunt.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Remote Access Software RMS Registry", "id": "e5b7b5a9-e471-4be8-8c5d-4083983ba329", "version": 1, "date": "2022-06-22", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic is to identify a modification or creation of Windows registry related to the Remote Manipulator System (RMS) Remote Admin tool. RMS is a legitimate tool developed by russian organization TektonIT and has been observed being abused by adversaries to gain remote access to the targeted host. Azorult malware utilized RMS to gain remote access.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\SYSTEM\\\\Remote Manipulator System*\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_access_software_rms_registry_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/", "https://malpedia.caad.fkie.fraunhofer.de/details/win.rms"], "tags": {"name": "Windows Remote Access Software RMS Registry", "analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Command And Control"], "message": "the registry related to RMS tool is created in $dest$", "mitre_attack_id": ["T1219"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "TeamTNT", "Thrip"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_remote_access_software_rms_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_remote_access_software_rms_registry.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Remote Assistance Spawning Process", "id": "ced50492-8849-11ec-9f68-acde48001122", "version": 1, "date": "2022-02-07", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of Microsoft Remote Assistance, msra.exe, spawning PowerShell.exe or cmd.exe as a child process. Msra.exe by default has no command-line arguments and typically spawns itself. It will generate a network connection to the remote system that is connected. This behavior is indicative of another process injected into msra.exe. Review the parent process or cross process events to identify source.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=msra.exe `windows_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_assistance_spawning_process_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited, filter as needed. Add additional shells as needed.", "references": ["https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", "https://app.any.run/tasks/ca1616de-89a1-4afc-a3e4-09d428df2420/"], "tags": {"name": "Windows Remote Assistance Spawning Process", "analytic_story": ["Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$, generating behavior not common with msra.exe.", "mitre_attack_id": ["T1055"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/msra/msra-windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "windows_shells", "definition": "(Processes.process_name=cmd.exe OR Processes.process_name=powershell.exe OR Processes.process_name=pwsh.exe OR Processes.process_name=sh.exe OR Processes.process_name=bash.exe OR Processes.process_name=wscript.exe OR Processes.process_name=cscript.exe)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_remote_assistance_spawning_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_remote_assistance_spawning_process.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Remote Create Service", "id": "0dc44d03-8c00-482d-ba7c-796ba7ab18c9", "version": 1, "date": "2023-03-20", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic identifies an endpoint that remotely connects to another endpoint to create a new service using sc.exe. On the remote endpoint, the new service will be created and this action will trigger the creation of EventCode 7045 along with all the resulting service information.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sc.exe Processes.process IN (\"*create*\") Processes.process=\"*\\\\\\\\*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_create_service_filter`", "how_to_implement": "To implement this search, it is necessary to ingest information on processes that include the name of the process responsible for the changes from your endpoints into the Endpoint data model within the Processes node. Additionally, it is recommended to confirm that the latest version of CIM App (4.20 or higher) and the latest TA for the endpoint product are installed.", "known_false_positives": "Note that false positives may occur, and filtering may be necessary, especially when it comes to remote service creation by administrators or software management utilities.", "references": ["https://attack.mitre.org/techniques/T1543/003/"], "tags": {"name": "Windows Remote Create Service", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to create a remote service.", "mitre_attack_id": ["T1543", "T1543.003"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/atomic_red_team/remote_service_create_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_remote_create_service_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_remote_create_service.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Remote Service Rdpwinst Tool Execution", "id": "c8127f87-c7c9-4036-89ed-8fe4b30e678c", "version": 1, "date": "2022-06-24", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies RDPWInst.exe tool, which is a RDP wrapper library tool designed to enable remote desktop host support and concurrent RDP session on reduced functionality system. Unfortunately, this open project was abused by adversaries to enable RDP connection to the targeted host for remote access and potentially be for lateral movement.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"RDPWInst.exe\" OR Processes.original_file_name=\"RDPWInst.exe\") AND Processes.process IN (\"* -i*\", \"* -s*\", \"* -o*\", \"* -w*\", \"* -r*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_service_rdpwinst_tool_execution_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "This tool was designed for home usage and not commonly seen in production environment. Filter as needed.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"name": "Windows Remote Service Rdpwinst Tool Execution", "analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "Rdpwinst.exe executed on $dest$.", "mitre_attack_id": ["T1021.001", "T1021"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_remote_service_rdpwinst_tool_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Remote Services Allow Rdp In Firewall", "id": "9170cb54-ea15-41e1-9dfc-9f3363ce9b02", "version": 1, "date": "2022-06-21", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic is to identify a modification in the Windows firewall to enable remote desktop protocol on a targeted machine. This technique was seen in several adversaries, malware or red teamer to remotely access the compromised or targeted host by allowing this protocol in firewall. Even this protocol might be allowed in some production environment, This TTP behavior is a good pivot to check who and why the user want to enable this feature through firewall which is also common traits of attack to start lateral movement.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as cmdline values(Processes.parent_process_name) as parent_process values(Processes.process_name) count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = \"netsh.exe\" OR Processes.original_file_name= \"netsh.exe\") AND Processes.process = \"*firewall*\" AND Processes.process = \"*add*\" AND Processes.process = \"*protocol=TCP*\" AND Processes.process = \"*localport=3389*\" AND Processes.process = \"*action=allow*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_services_allow_rdp_in_firewall_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"name": "Windows Remote Services Allow Rdp In Firewall", "analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "new firewall rules was added to allow rdp connection to $dest$", "mitre_attack_id": ["T1021.001", "T1021"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_id", "Processes.parent_process_id", "Processes.dest", "Processes.user"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_remote_services_allow_rdp_in_firewall_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Remote Services Allow Remote Assistance", "id": "9bce3a97-bc97-4e89-a1aa-ead151c82fbb", "version": 1, "date": "2022-06-21", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic is to identify a modification in the Windows registry to enable remote desktop assistance on a targeted machine. This technique was seen in several adversaries, malware or red teamer like azorult to remotely access the compromised or targeted host by enabling this protocol in registry. Even this protocol might be allowed in some production environment, This Anomaly behavior is a good pivot to check who and why the user want to enable this feature through registry which is un-common. And as per stated in microsoft documentation the default value of this registry is false that makes this a good indicator of suspicious behavior.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Control\\\\Terminal Server\\\\fAllowToGetHelp*\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_services_allow_remote_assistance_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "references": ["https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"name": "Windows Remote Services Allow Remote Assistance", "analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "the registry for rdp protocol was modified to enable in $dest$", "mitre_attack_id": ["T1021.001", "T1021"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_remote_services_allow_remote_assistance_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_remote_services_allow_remote_assistance.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Remote Services Rdp Enable", "id": "8fbd2e88-4ea5-40b9-9217-fd0855e08cc0", "version": 1, "date": "2022-06-21", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic is to identify a modification in the Windows registry to enable remote desktop protocol on a targeted machine. This technique was seen in several adversaries, malware or red teamer to remotely access the compromised or targeted host by enabling this protocol in registry. Even this protocol might be allowed in some production environment, This TTP behavior is a good pivot to check who and why the user want to enable this feature through registry which is un-common.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections*\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_services_rdp_enable_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "references": ["https://www.hybrid-analysis.com/sample/9d6611c2779316f1ef4b4a6edcfdfb5e770fe32b31ec2200df268c3bd236ed75?environmentId=100"], "tags": {"name": "Windows Remote Services Rdp Enable", "analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "the registry for rdp protocol was modified to enable in $dest$", "mitre_attack_id": ["T1021.001", "T1021"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_remote_services_rdp_enable_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_remote_services_rdp_enable.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Replication Through Removable Media", "id": "60df805d-4605-41c8-bbba-57baa6a4eb97", "version": 1, "date": "2023-01-17", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is developed to detect suspicious executable or script files created or dropped in the root drive of a targeted host. This technique is commonly used by threat actors, adversaries or even red teamers to replicate or spread in possible removable drives. Back then, WORM malware was popular for this technique where it would drop a copy of itself in the root drive to be able to spread or to have a lateral movement in other network machines. Nowadays, Ransomware like CHAOS ransomware also use this technique to spread its malicious code in possible removable drives. This TTP detection can be a good indicator that a process might create a persistence technique or lateral movement of a targeted machine. We suggest checking the process name that creates this event, the file created, user type, and the reason why that executable or scripts are dropped in the root drive.", "data_source": ["Sysmon Event ID 11"], "search": "|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name = *.exe OR Filesystem.file_name = *.dll OR Filesystem.file_name = *.sys OR Filesystem.file_name = *.com OR Filesystem.file_name = *.vbs OR Filesystem.file_name = *.vbe OR Filesystem.file_name = *.js OR Filesystem.file_name= *.bat OR Filesystem.file_name = *.cmd OR Filesystem.file_name = *.pif) by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.user | `drop_dm_object_name(Filesystem)` | eval dropped_file_path = split(file_path, \"\\\\\") | eval dropped_file_path_split_count = mvcount(dropped_file_path) | eval root_drive = mvindex(dropped_file_path,0) | where LIKE(root_drive, \"%:\") AND dropped_file_path_split_count = 2 AND root_drive!= \"C:\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_replication_through_removable_media_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "Administrators may allow creation of script or exe in the paths specified. Filter as needed.", "references": ["https://attack.mitre.org/techniques/T1204/002/", "https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia"], "tags": {"name": "Windows Replication Through Removable Media", "analytic_story": ["Chaos Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Delivery", "Exploitation"], "message": "executable or script $file_path$ was drop in root drive $root_drive$ in $dest$", "mitre_attack_id": ["T1091"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_id", "type": "Process", "role": ["Attacker"]}, {"name": "file_name", "type": "File Name", "role": ["Other", "Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.file_path", "Filesystem.file_create_time", "Filesystem.process_id", "Filesystem.file_name", "Filesystem.user"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1091", "mitre_attack_technique": "Replication Through Removable Media", "mitre_attack_tactics": ["Initial Access", "Lateral Movement"], "mitre_attack_groups": ["APT28", "Aoqin Dragon", "Darkhotel", "FIN7", "LuminousMoth", "Mustang Panda", "Tropic Trooper"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/chaos_ransomware/spread_in_root_drives/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_replication_through_removable_media_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_replication_through_removable_media.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Root Domain linked policies Discovery", "id": "80ffaede-1f12-49d5-a86e-b4b599b68b3c", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate root domain linked policies for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*[adsisearcher]*\" ScriptBlockText = \"*.SearchRooT*\" ScriptBlockText = \"*.gplink*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_root_domain_linked_policies_discovery_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81"], "tags": {"name": "Windows Root Domain linked policies Discovery", "analytic_story": ["Data Destruction", "Active Directory Discovery", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "powershell process having commandline $Message$ for user enumeration", "mitre_attack_id": ["T1087.002", "T1087"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ScriptBlockText", "Computer", "user_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/adsi_discovery/windows-powershell-xml1.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_root_domain_linked_policies_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_root_domain_linked_policies_discovery.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Rundll32 WebDAV Request", "id": "320099b7-7eb1-4153-a2b4-decb53267de2", "version": 1, "date": "2023-03-15", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies rundll32.exe with the commandline arguments loading davclnt.dll function - davsetcookie - to be used to access a remote WebDav instance. This particular behavior was recently showcased in CVE-2023-23397.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe Processes.process IN (\"*\\\\windows\\\\system32\\\\davclnt.dll,*davsetcookie*\",\"*\\\\windows\\\\syswow64\\\\davclnt.dll,*davsetcookie*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_rundll32_webdav_request_filter`", "how_to_implement": "In addition to getting the correct data, adding a join with network connection will assist with making this higher fidelity. We removed the parent_process_name=svchost.exe to look more broad, this will need to be tuned. To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives will be present based on legitimate software, filtering may need to occur.", "references": ["https://strontic.github.io/xcyclopedia/library/davclnt.dll-0EA3050E7CC710526E330C413C165DA0.html", "https://twitter.com/ACEResponder/status/1636116096506818562?s=20", "https://twitter.com/domchell/status/1635999068282408962?s=20", "https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/", "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/"], "tags": {"name": "Windows Rundll32 WebDAV Request", "analytic_story": ["CVE-2023-23397 Outlook Elevation of Privilege"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to contact a remote WebDav server.", "mitre_attack_id": ["T1048.003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2023-23397"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_rundll32_webdav_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2023-23397", "cvss": null, "summary": "Microsoft Outlook Elevation of Privilege Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_rundll32_webdav_request.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Rundll32 WebDav With Network Connection", "id": "f03355e0-28b5-4e9b-815a-6adffc63b38c", "version": 1, "date": "2023-03-16", "author": "Michael Haag, Splunk", "type": "TTP", "status": "experimental", "description": "The following analytic identifies rundll32.exe with the commandline arguments loading davclnt.dll function - davsetcookie - to be used to access a remote WebDav instance. The analytic attempts to use join from Processes and All_Traffic to identify the network connection. This particular behavior was recently showcased in CVE-2023-23397.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name=svchost.exe `process_rundll32` Processes.process IN (\"*\\\\windows\\\\system32\\\\davclnt.dll,*davsetcookie*\", \"*\\\\windows\\\\syswow64\\\\davclnt.dll,*davsetcookie*\") by host _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename dest as src | join host process_id [ | tstats `security_content_summariesonly` count latest(All_Traffic.dest) as dest latest(All_Traffic.dest_ip) as dest_ip latest(All_Traffic.dest_port) as dest_port FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port!=0 NOT (All_Traffic.dest_ip IN (10.0.0.0/12, 172.16.0.0/12, 192.168.0.0/16)) by host All_Traffic.process_id | `drop_dm_object_name(All_Traffic)`] | `windows_rundll32_webdav_with_network_connection_filter`", "how_to_implement": "We removed the parent_process_name=svchost.exe to look more broad, this will need to be tuned. To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and the All_Traffic Datamodel. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives will be present based on legitimate software, filtering may need to occur.", "references": ["https://strontic.github.io/xcyclopedia/library/davclnt.dll-0EA3050E7CC710526E330C413C165DA0.html", "https://twitter.com/ACEResponder/status/1636116096506818562?s=20", "https://twitter.com/domchell/status/1635999068282408962?s=20", "https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/", "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/"], "tags": {"name": "Windows Rundll32 WebDav With Network Connection", "analytic_story": ["CVE-2023-23397 Outlook Elevation of Privilege"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to contact a remote WebDav server.", "mitre_attack_id": ["T1048.003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id", "All_Traffic.dest_port", "All_Traffic.dest_ip", "All_Traffic.dest"], "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2023-23397"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/cve-2023-23397/webdav_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint", "Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_rundll32_webdav_with_network_connection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2023-23397", "cvss": null, "summary": "Microsoft Outlook Elevation of Privilege Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Scheduled Task Created Via XML", "id": "7e03b682-3965-4598-8e91-a60a40a3f7e4", "version": 1, "date": "2023-04-05", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the creation of a scheduled task using schtasks.exe, with the flags -create being passed on the command-line along with an XML parameter. This technique has been associated with threat actors, adversaries, and red teamers seeking to gain persistence or achieve privilege escalation on targeted hosts. Notably, the Trickbot and Winter-Vivern malware have been observed employing this method, utilizing an XML file to create scheduled tasks. It is important to monitor and investigate such activity in order to mitigate potential security risks.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe Processes.process=*create* Processes.process=\"* /xml *\" by Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.process_id Processes.parent_process_guid Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_scheduled_task_created_via_xml_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "It is possible scripts or administrators may trigger this analytic. Filter as needed based on parent process, application.", "references": ["https://twitter.com/_CERT_UA/status/1620781684257091584", "https://cert.gov.ua/article/3761104"], "tags": {"name": "Windows Scheduled Task Created Via XML", "analytic_story": ["Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A scheduled task process, $process_name$, with 'create' or 'delete' commands present in the command line.", "mitre_attack_id": ["T1053.005", "T1053"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process_id", "Processes.process", "Processes.dest", "Processes.user", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/scheduledtask/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_scheduled_task_created_via_xml_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_scheduled_task_created_via_xml.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Scheduled Task with Highest Privileges", "id": "2f15e1a4-0fc2-49dd-919e-cbbe60699218", "version": 1, "date": "2023-01-26", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies Schtasks.exe creating a new task with highest privilege execution. This techniques was seen in asyncrat where it uses the scheduled task as part of it persistence and privilege escalation. AsyncRAT will setup a scheduled task with parameter '/rl' and 'highest' to trigger this technique. This TTP detection can be a good indicator of malware or adversaries trying to gain persistence and privilege escalation through scheduled task. We recommend to always check and monitoring this type of events even filtering is needed.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"schtasks.exe\" Processes.process = \"*/rl *\" Processes.process = \"* highest *\" by Processes.process_name Processes.parent_process_name Processes.parent_process Processes.process Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_scheduled_task_with_highest_privileges_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used.", "known_false_positives": "False positives will be limited to legitimate applications creating a task to run as SYSTEM. Filter as needed based on parent process, or modify the query to have world writeable paths to restrict it.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"name": "Windows Scheduled Task with Highest Privileges", "analytic_story": ["AsyncRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "a $process_name$ creating a schedule task $process$ with highest run level privilege in $dest$", "mitre_attack_id": ["T1053", "T1053.005"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/asyncrat_highest_priv_schtasks/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_scheduled_task_with_highest_privileges_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Schtasks Create Run As System", "id": "41a0e58e-884c-11ec-9976-acde48001122", "version": 1, "date": "2022-02-07", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies Schtasks.exe creating a new task to start and run as an elevated user - SYSTEM. This is commonly used by adversaries to spawn a process in an elevated state.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_schtasks` Processes.process=\"*/create *\" AND Processes.process=\"*/ru *\" AND Processes.process=\"*system*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_schtasks_create_run_as_system_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives will be limited to legitimate applications creating a task to run as SYSTEM. Filter as needed based on parent process, or modify the query to have world writeable paths to restrict it.", "references": ["https://pentestlab.blog/2019/11/04/persistence-scheduled-tasks/", "https://www.ired.team/offensive-security/persistence/t1053-schtask", "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/"], "tags": {"name": "Windows Schtasks Create Run As System", "analytic_story": ["Windows Persistence Techniques", "Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "An $process_name$ was created on endpoint $dest$ attempting to spawn as SYSTEM.", "mitre_attack_id": ["T1053.005", "T1053"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/schtask_system/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_schtasks", "definition": "(Processes.process_name=schtasks.exe OR Processes.original_file_name=schtasks.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_schtasks_create_run_as_system_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_schtasks_create_run_as_system.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Screen Capture Via Powershell", "id": "5e0b1936-8f99-4399-8ee2-9edc5b32e170", "version": 1, "date": "2023-04-05", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a potential PowerShell script that captures screen images on compromised or targeted hosts. This technique was observed in the Winter-Vivern malware, which attempts to capture desktop screens using a PowerShell script and send the images to its C2 server as part of its exfiltration strategy. This TTP serves as a useful indicator that a PowerShell process may be gathering desktop screenshots from a host system, potentially signaling malicious activity.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*[Drawing.Graphics]::FromImage(*\" AND ScriptBlockText = \"*New-Object Drawing.Bitmap*\" AND ScriptBlockText = \"*.CopyFromScreen*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_screen_capture_via_powershell_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "unknown", "references": ["https://twitter.com/_CERT_UA/status/1620781684257091584", "https://cert.gov.ua/article/3761104"], "tags": {"name": "Windows Screen Capture Via Powershell", "analytic_story": ["Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "A PowerShell script was identified possibly performing screen captures on $Computer$.", "mitre_attack_id": ["T1113"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Computer", "UserID", "EventCode"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1113", "mitre_attack_technique": "Screen Capture", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT39", "BRONZE BUTLER", "Dark Caracal", "Dragonfly", "FIN7", "GOLD SOUTHFIELD", "Gamaredon Group", "Group5", "Magic Hound", "MuddyWater", "OilRig", "Silence"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/pwh_exfiltration/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_screen_capture_via_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_screen_capture_via_powershell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Security Account Manager Stopped", "id": "69c12d59-d951-431e-ab77-ec426b8d65e6", "version": 1, "date": "2020-11-06", "author": "Rod Soto, Jose Hernandez, Splunk", "type": "TTP", "status": "production", "description": "The search looks for a Windows Security Account Manager (SAM) was stopped via command-line. This is consistent with Ryuk infections across a fleet of endpoints.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE (\"Processes.process_name\"=\"net*.exe\" \"Processes.process\"=\"*stop \\\"samss\\\"*\") BY \"Processes.dest\", \"Processes.user\", \"Processes.process\" | `drop_dm_object_name(Processes)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_security_account_manager_stopped_filter`", "how_to_implement": "You must be ingesting data that records the process-system activity from your hosts to populate the Endpoint Processes data-model object. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.", "known_false_positives": "SAM is a critical windows service, stopping it would cause major issues on an endpoint this makes false positive rare. AlthoughNo false positives have been identified.", "references": [], "tags": {"name": "Windows Security Account Manager Stopped", "analytic_story": ["Ryuk Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "message": "The Windows Security Account Manager (SAM) was stopped via cli by $user$ on $dest$ by this command: $processs$", "mitre_attack_id": ["T1489"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process", "type": "Process", "role": ["Target"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.dest", "Processes.user"], "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ryuk/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_security_account_manager_stopped_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_security_account_manager_stopped.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Security Support Provider Reg Query", "id": "31302468-93c9-4eca-9ae3-2d41f53a4e2b", "version": 1, "date": "2022-11-30", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a process command line related to the discovery of possible Security Support Providers in the registry. This technique is being abused by adversaries or post exploitation tools like winpeas to gather LSA protection and configuration in the registry in the targeted host. This registry entry can contain several information related to LSA that validates users for local and remote sign-ins and enforces local security policies. Understanding LSA protection may give a good information in accessing LSA content in memory which is commonly attack by adversaries and tool like mimikatz to scrape password hashes or clear plain text passwords.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = \"* query *\" AND Processes.process = \"*\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\LSA*\" Processes.process IN (\"*RunAsPPL*\" , \"*LsaCfgFlags*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_security_support_provider_reg_query_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used.", "known_false_positives": "unknown", "references": ["https://blog.netwrix.com/2022/01/11/understanding-lsa-protection/", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"name": "Windows Security Support Provider Reg Query", "analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Installation", "Exploitation"], "message": "process with reg query command line $process$ in $dest$", "mitre_attack_id": ["T1547.005", "T1547"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id", "Processes.parent_process_guid", "Processes.process_guid"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.005", "mitre_attack_technique": "Security Support Provider", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_security_support_provider_reg_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_security_support_provider_reg_query.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Server Software Component GACUtil Install to GAC", "id": "7c025ef0-9e65-4c57-be39-1c13dbb1613e", "version": 1, "date": "2023-01-17", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the Windows SDK utility - GACUtil.exe, being utilized to add a DLL into the Global Assembly Cache (GAC). Each computer where the Common Language Runtime is installed has a machine-wide code cache called the Global Assembly Cache. The Global Assembly Cache stores assemblies specifically designated to be shared by several applications on the computer. By adding a DLL to the GAC, this allows an adversary to call it via any other means across the operating systems. As outlined by Microsoft in their blog, it is not common to see this spawning from W3WP.exe, however, in a non-development environment it may not be common at all. Note that in order to utilize GACutil.exe, The Windows SDK must be installed, this is not a native binary.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=gacutil.exe Processes.process IN (\"*-i *\",\"*/i *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_server_software_component_gacutil_install_to_gac_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present if gacutil.exe is utilized day to day by developers. Filter as needed.", "references": ["https://strontic.github.io/xcyclopedia/library/gacutil.exe-F2FE4DF74BD214EDDC1A658043828089.html", "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", "https://learn.microsoft.com/en-us/dotnet/framework/app-domains/gac"], "tags": {"name": "Windows Server Software Component GACUtil Install to GAC", "analytic_story": ["IIS Components"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to add a module to the global assembly cache.", "mitre_attack_id": ["T1505", "T1505.004"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/gacutil_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_server_software_component_gacutil_install_to_gac_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Service Create Kernel Mode Driver", "id": "0b4e3b06-1b2b-4885-b752-cf06d12a90cb", "version": 1, "date": "2022-05-05", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifes a new kernel driver being added to Windows using sc.exe. Adding a Kernel driver is not common day to day and should be investigated to further understand the source.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sc.exe Processes.process=\"*kernel*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_create_kernel_mode_driver_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present based on common applications adding new drivers, however, filter as needed.", "references": ["https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/"], "tags": {"name": "Windows Service Create Kernel Mode Driver", "analytic_story": ["Windows Drivers", "CISA AA22-320A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Installation", "Exploitation"], "message": "Service control, $process_name$, loaded a new kernel mode driver on $dest$ by $user$.", "mitre_attack_id": ["T1543.003", "T1543", "T1068"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/sc_kernel.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_service_create_kernel_mode_driver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_service_create_kernel_mode_driver.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Service Create RemComSvc", "id": "0be4b5d6-c449-4084-b945-2392b519c33b", "version": 1, "date": "2023-03-20", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies RemComSvc installed on an endpoint. This typically occurs when someone is moving laterally with RemCom.exe.", "data_source": ["Windows System 7045"], "search": "`wineventlog_system` EventCode=7045 ServiceName=\"RemCom Service\" | stats count min(_time) as firstTime max(_time) as lastTime by dest ImagePath ServiceName ServiceType | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_create_remcomsvc_filter`", "how_to_implement": "To implement this analytic, the Windows EventCode 7045 will need to be logged. The Windows TA for Splunk is also recommended.", "known_false_positives": "False positives may be present, filter as needed based on administrative activity.", "references": ["https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "https://github.com/kavika13/RemCom"], "tags": {"name": "Windows Service Create RemComSvc", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 40, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A new service was created related to RemCom on $dest$.", "mitre_attack_id": ["T1543.003", "T1543"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "EventCode", "ImagePath", "ServiceName", "ServiceType"], "risk_score": 32, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/atomic_red_team/remcom_windows-system.log", "source": "XmlWinEventLog:System", "sourcetype": "XmlWinEventLog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_service_create_remcomsvc_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_service_create_remcomsvc.yml", "source": "endpoint"}, {"name": "Windows Service Create SliverC2", "id": "89dad3ee-57ec-43dc-9044-131c4edd663f", "version": 1, "date": "2023-03-03", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "When an adversary utilizes SliverC2 to laterally move with the Psexec module, it will create a service with the name and description of \"Sliver\" and \"Sliver Implant\". Note that these may be easily changed and are specific to only SliverC2. We have also created the same regex as Microsoft has outlined to attempt to capture the suspicious service path (regex101 reference).", "data_source": ["Windows System 7045"], "search": "`wineventlog_system` EventCode=7045 ServiceName=\"sliver\" | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_create_sliverc2_filter`", "how_to_implement": "To implement this analytic, the Windows EventCode 7045 will need to be logged from the System Event log. The Windows TA for Splunk is also recommended.", "known_false_positives": "False positives should be limited, but if another service out there is named Sliver, filtering may be needed.", "references": ["https://github.com/BishopFox/sliver/blob/71f94928bf36c1557ea5fbeffa161b71116f56b2/client/command/exec/psexec.go#LL61C5-L61C16", "https://www.microsoft.com/en-us/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/", "https://regex101.com/r/DWkkXm/1"], "tags": {"name": "Windows Service Create SliverC2", "analytic_story": ["BishopFox Sliver Adversary Emulation Framework"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Installation"], "message": "A user mode service was created on $ComputerName$ related to SliverC2.", "mitre_attack_id": ["T1569", "T1569.002"], "nist": ["DE.CM"], "observable": [{"name": "ComputerName", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["EventCode", "Computer", "ServiceName", "ImagePath", "ServiceType"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/sliver/sliver_windows-system.log", "source": "XmlWinEventLog:System", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_service_create_sliverc2_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_service_create_sliverc2.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Windows Service Create with Tscon", "id": "c13b3d74-6b63-4db5-a841-4206f0370077", "version": 1, "date": "2023-03-29", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic detects potential RDP Hijacking attempts by monitoring a series of actions taken by an attacker to gain unauthorized access to a remote system. The attacker first runs the quser command to query the remote host for disconnected user sessions. Upon identifying a disconnected session, they use the sc.exe command to create a new Windows service with a binary path that launches tscon.exe. By specifying the disconnected session ID and a destination ID, the attacker can transfer the disconnected session to a new RDP session, effectively hijacking the user's session. This analytic allows security teams to detect and respond to RDP Hijacking attempts, mitigating potential risks and impacts on targeted systems.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sc.exe Processes.process=\"*/dest:rdp-tcp*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_create_with_tscon_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may arise in the RDP Hijacking analytic when legitimate administrators access remote sessions for maintenance or troubleshooting purposes. These activities might resemble an attacker''s attempt to hijack a disconnected session, leading to false alarms. To mitigate the risk of false positives and improve the overall security posture, organizations can implement Group Policy to automatically disconnect RDP sessions when they are complete. By enforcing this policy, administrators ensure that disconnected sessions are promptly terminated, reducing the window of opportunity for an attacker to hijack a session. Additionally, organizations can also implement access control mechanisms and monitor the behavior of privileged accounts to further enhance security and reduce the chances of false positives in RDP Hijacking detection.", "references": ["https://doublepulsar.com/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"], "tags": {"name": "Windows Service Create with Tscon", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to hijack a RDP session.", "mitre_attack_id": ["T1563.002", "T1563", "T1543.003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1563.002", "mitre_attack_technique": "RDP Hijacking", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Axiom"]}, {"mitre_attack_id": "T1563", "mitre_attack_technique": "Remote Service Session Hijacking", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1563.002/rdphijack/tscon_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_service_create_with_tscon_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_service_create_with_tscon.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Service Created with Suspicious Service Path", "id": "429141be-8311-11eb-adb6-acde48001122", "version": 3, "date": "2022-11-14", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytics uses Windows Event Id 7045, `New Service Was Installed`, to identify the creation of a Windows Service where the service binary path path is located in a non-common Service folder in Windows. Red Teams and adversaries alike may create malicious Services for lateral movement or remote code execution as well as persistence and execution. The Clop ransomware has also been seen in the wild abusing Windows services.", "data_source": ["Sysmon Event ID 7"], "search": " `wineventlog_system` EventCode=7045 Service_File_Name = \"*.exe\" NOT (Service_File_Name IN (\"*:\\\\Windows\\\\*\", \"*:\\\\Program File*\", \"*:\\\\Programdata\\\\*\", \"*%systemroot%\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Service_File_Name Service_Name Service_Start_Type Service_Type dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_created_with_suspicious_service_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.", "known_false_positives": "Legitimate applications may install services with uncommon services paths.", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html"], "tags": {"name": "Windows Service Created with Suspicious Service Path", "analytic_story": ["Clop Ransomware", "Active Directory Lateral Movement", "Brute Ratel C4", "Qakbot", "Snake Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation"], "message": "A service $Service_File_Name$ was created from a non-standard path using $Service_Name$", "mitre_attack_id": ["T1569", "T1569.002"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "Service_File_Name", "type": "Other", "role": ["Other"]}, {"name": "Service_Name", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["EventCode", "Service_File_Name", "Service_Type", "_time", "Service_Name", "Service_Start_Type", "dest"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_service_created_with_suspicious_service_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_service_created_with_suspicious_service_path.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Windows Service Created Within Public Path", "id": "3abb2eda-4bb8-11ec-9ae4-3e22fbd008af", "version": 1, "date": "2021-11-22", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytc uses Windows Event Id 7045, `New Service Was Installed`, to identify the creation of a Windows Service where the service binary path is located in public paths. This behavior could represent the installation of a malicious service. Red Teams and adversaries alike may create malicious Services for lateral movement or remote code execution", "data_source": ["Sysmon Event ID 7"], "search": "`wineventlog_system` EventCode=7045 Service_File_Name = \"*\\.exe\" NOT (Service_File_Name IN (\"C:\\\\Windows\\\\*\", \"C:\\\\Program File*\", \"C:\\\\Programdata\\\\*\", \"%systemroot%\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by ComputerName EventCode Service_File_Name Service_Name Service_Start_Type Service_Type | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_created_within_public_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.", "known_false_positives": "Legitimate applications may install services with uncommon services paths.", "references": ["https://docs.microsoft.com/en-us/windows/win32/services/service-control-manager", "https://pentestlab.blog/2020/07/21/lateral-movement-services/"], "tags": {"name": "Windows Service Created Within Public Path", "analytic_story": ["Active Directory Lateral Movement", "Snake Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A Windows Service $Service_File_Name$ with a public path was created on $ComputerName", "mitre_attack_id": ["T1543", "T1543.003"], "nist": ["DE.CM"], "observable": [{"name": "Service_File_Name", "type": "Other", "role": ["Other"]}, {"name": "ComputerName", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["EventCode", "Service_File_Name", "Service_Type", "_time", "Service_Name", "Service_Start_Type"], "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement_suspicious_path/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_service_created_within_public_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_service_created_within_public_path.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Windows Service Creation on Remote Endpoint", "id": "e0eea4fa-4274-11ec-882b-3e22fbd008af", "version": 1, "date": "2021-11-10", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `sc.exe` with command-line arguments utilized to create a Windows Service on a remote endpoint. Red Teams and adversaries alike may abuse the Service Control Manager for lateral movement and remote code execution.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=sc.exe OR Processes.original_file_name=sc.exe) (Processes.process=*\\\\\\\\* AND Processes.process=*create* AND Processes.process=*binpath*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_service_creation_on_remote_endpoint_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints.", "known_false_positives": "Administrators may create Windows Services on remote systems, but this activity is usually limited to a small set of hosts or users.", "references": ["https://docs.microsoft.com/en-us/windows/win32/services/service-control-manager", "https://docs.microsoft.com/en-us/windows/win32/services/controlling-a-service-using-sc", "https://attack.mitre.org/techniques/T1543/003/"], "tags": {"name": "Windows Service Creation on Remote Endpoint", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A Windows Service was created on a remote endpoint from $dest", "mitre_attack_id": ["T1543", "T1543.003"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_service_creation_on_remote_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_service_creation_on_remote_endpoint.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Service Creation Using Registry Entry", "id": "25212358-948e-11ec-ad47-acde48001122", "version": 3, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to look for suspicious modification or creation of registry to have service entry. This technique is abused by adversaries or threat actor to persist, gain privileges in the machine or even lateral movement. This technique can be executed using reg.exe application or using windows API like for example the CrashOveride malware. This detection is a good indicator that a process is trying to create a service entry using registry ImagePath.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\SYSTEM\\\\CurrentControlSet\\\\Services*\" Registry.registry_value_name = ImagePath) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_creation_using_registry_entry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "Third party tools may used this technique to create services but not so common.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1574.011/T1574.011.md"], "tags": {"name": "Windows Service Creation Using Registry Entry", "analytic_story": ["Active Directory Lateral Movement", "Suspicious Windows Registry Activities", "Windows Persistence Techniques", "Windows Registry Abuse", "Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "message": "A Windows Service was created on a endpoint from $dest$", "mitre_attack_id": ["T1574.011"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.011/change_registry_path_service/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_service_creation_using_registry_entry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_service_creation_using_registry_entry.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Service Deletion In Registry", "id": "daed6823-b51c-4843-a6ad-169708f1323e", "version": 1, "date": "2022-08-24", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a service being deleted from the Windows Registry under CurrentControlSet\\Services. Adversaries may delete a service as part of defense evasion.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\SYSTEM\\\\CurrentControlSet\\\\Services*\" AND (Registry.action = deleted OR (Registry.registry_value_name = DeleteFlag AND Registry.registry_value_data = 0x00000001 AND Registry.action=modified)) by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_value_name Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_deletion_in_registry_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "This event can be seen when administrator delete a service or uninstall/reinstall a software that creates service entry, but it is still recommended to check this alert with high priority.", "references": ["https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/"], "tags": {"name": "Windows Service Deletion In Registry", "analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 60, "kill_chain_phases": ["Actions on Objectives"], "message": "A service was deleted on $dest$ within the Windows registry.", "mitre_attack_id": ["T1489"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Processes.process_id", "Processes.process_name", "Processes.process", "Processes.dest", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_guid"], "risk_score": 18, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/service_deletion/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_service_deletion_in_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_service_deletion_in_registry.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Service Initiation on Remote Endpoint", "id": "3f519894-4276-11ec-ab02-3e22fbd008af", "version": 1, "date": "2021-11-10", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `sc.exe` with command-line arguments utilized to start a Windows Service on a remote endpoint. Red Teams and adversaries alike may abuse the Service Control Manager for lateral movement and remote code execution.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=sc.exe OR Processes.original_file_name=sc.exe) (Processes.process=*\\\\\\\\* AND Processes.process=*start*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_service_initiation_on_remote_endpoint_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints.", "known_false_positives": "Administrators may start Windows Services on remote systems, but this activity is usually limited to a small set of hosts or users.", "references": ["https://docs.microsoft.com/en-us/windows/win32/services/controlling-a-service-using-sc", "https://attack.mitre.org/techniques/T1543/003/"], "tags": {"name": "Windows Service Initiation on Remote Endpoint", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A Windows Service was started on a remote endpoint from $dest", "mitre_attack_id": ["T1543", "T1543.003"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_service_initiation_on_remote_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Service Stop By Deletion", "id": "196ff536-58d9-4d1b-9686-b176b04e430b", "version": 1, "date": "2022-06-21", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies Windows Service Control, `sc.exe`, attempting to delete a service. This is typically identified in parallel with other instances of service enumeration of attempts to stop a service and then delete it. Adversaries utilize this technique to terminate security services or other related services to continue there objective and evade detections.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = sc.exe OR Processes.original_file_name = sc.exe) Processes.process=\"* delete *\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_stop_by_deletion_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "It is possible administrative scripts may start/stop/delete services. Filter as needed.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/", "https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"], "tags": {"name": "Windows Service Stop By Deletion", "analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ attempting to delete a service.", "mitre_attack_id": ["T1489"], "nist": ["DE.CM"], "observable": [{"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_id", "Processes.parent_process_id", "Processes.dest", "Processes.user"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_service_stop_by_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_service_stop_by_deletion.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Service Stop Via Net and SC Application", "id": "827af04b-0d08-479b-9b84-b7d4644e4b80", "version": 1, "date": "2022-11-30", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic identifies suspicious attempts to stop services on a system using either `net.exe` or `sc.exe`. This technique is used by adversaries to terminate security services or other related services to continue their objective and evade detections. This technique is also commonly used by ransomware threat actors to successfully encrypt databases or files being processed or used by Windows OS Services.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name = \"sc.exe\" OR Processes.original_file_name= \"sc.exe\" AND Processes.process=\"*stop*\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_stop_via_net__and_sc_application_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Windows OS or software may stop and restart services due to some critical update.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"name": "Windows Service Stop Via Net and SC Application", "analytic_story": ["Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "message": "$process$ was executed on $dest$ attempting to stop service.", "mitre_attack_id": ["T1489"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/prestige_ransomware/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "windows_service_stop_via_net__and_sc_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Service Stop Win Updates", "id": "0dc25c24-6fcf-456f-b08b-dd55a183e4de", "version": 1, "date": "2023-04-21", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a windows update service being disabled in Windows OS. This technique is being abused by adversaries or threat actors to add defense mechanisms to their malware implant in the targeted host. Disabling windows update will put the compromised host vulnerable in some zero day exploit or even some update features against threats. RedLine Stealer kills this service as part of its defense evasion mechanism.", "data_source": ["System Event ID 7040"], "search": "`wineventlog_system` EventCode=7040 (service_name IN (\"Update Orchestrator Service for Windows Update\", \"WaaSMedicSvc\", \"Windows Update\") OR param1 IN (\"UsoSvc\", \"WaaSMedicSvc\", \"wuauserv\")) AND (param3=disabled OR start_mode = disabled) | stats count min(_time) as firstTime max(_time) as lastTime by Computer Error_Code service_name start_mode param1 param2 param3 param4 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_stop_win_updates_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints (like Windows system.log Event ID 7040)", "known_false_positives": "Network administrator may disable this services as part of its audit process within the network. Filter is needed.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"name": "Windows Service Stop Win Updates", "analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "message": "Windows update services $service_name$ was being disabled on $dest$", "mitre_attack_id": ["T1489"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Computer", "EventCode", "Error_Code", "service_name", "start_mode", "param1", "param2", "param3", "param4"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/win_update_services_stop/system.log", "source": "XmlWinEventLog:System", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_service_stop_win_updates_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_service_stop_win_updates.yml", "source": "endpoint"}, {"name": "Windows Snake Malware File Modification Crmlog", "id": "27187e0e-c221-471d-a7bd-04f698985ff6", "version": 1, "date": "2023-05-10", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identfies a .crmlog written to windows\\registration. Per the report, typically, this file has been found within the %windows%\\Registration directory with the format of ..crmlog and is decrypted by Snake's kernel driver.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path=\"*\\\\windows\\\\registration\\\\*\" AND Filesystem.file_name=\"*.crmlog\" by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_snake_malware_file_modification_crmlog_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present as the file pattern does match legitimate files on disk. It is possible other native tools write the same file name scheme.", "references": ["https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"], "tags": {"name": "Windows Snake Malware File Modification Crmlog", "analytic_story": ["Snake Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "A file related to Snake Malware has been identified on $dest$.", "mitre_attack_id": ["T1027"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.file_create_time", "Filesystem.process_id", "Filesystem.file_name", "Filesystem.file_path", "Filesystem.dest"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "atomic_guid": ["7e47ee60-9dd1-4269-9c4f-97953b183268"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/snakemalware/snake_crmlog-windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_snake_malware_file_modification_crmlog_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_snake_malware_file_modification_crmlog.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Snake Malware Kernel Driver Comadmin", "id": "628d9c7c-3242-43b5-9620-7234c080a726", "version": 1, "date": "2023-05-11", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the comadmin.dat file written to disk, which is related to Snake Malware. From the report, Snakes installer drops the kernel driver and a custom DLL which is used to load the driver into a single AES encrypted file on disk. Typically, this file is named comadmin.dat and is stored in the %windows%\\system32\\Com directory.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path=\"*\\\\windows\\\\system32\\\\com\\\\*\" AND Filesystem.file_name=\"comadmin.dat\" by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_snake_malware_kernel_driver_comadmin_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"], "tags": {"name": "Windows Snake Malware Kernel Driver Comadmin", "analytic_story": ["Snake Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A kernel driver comadmin.dat related to Snake Malware was written to disk on $dest$.", "mitre_attack_id": ["T1547.006"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.file_create_time", "Filesystem.process_id", "Filesystem.file_name", "Filesystem.file_path", "Filesystem.dest"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "atomic_guid": ["e5cb5564-cc7b-4050-86e8-f2d9eec1941f"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/snakemalware/comadmin_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_snake_malware_kernel_driver_comadmin_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_snake_malware_kernel_driver_comadmin.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Snake Malware Registry Modification wav OpenWithProgIds", "id": "13cf8b79-805d-443c-bf52-f55bd7610dfd", "version": 1, "date": "2023-05-10", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The follow analytic identifies the registry being modified at .wav\\\\OpenWithProgIds\\, which is related to the Snake Malware campaign. Upon execution, Snake's WerFault.exe will attempt to decrypt an encrypted blob within the Windows registry that is typically found at HKLM:\\SOFTWARE\\Classes\\.wav\\OpenWithProgIds. The encrypted data includes the AES key, IV, and path that is used to find and decrypt the file containing Snake's kernel driver and kernel driver loader.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\.wav\\\\OpenWithProgIds\\\\*\" by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_snake_malware_registry_modification_wav_openwithprogids_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present and will require tuning based on program Ids in large organizations.", "references": ["https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"], "tags": {"name": "Windows Snake Malware Registry Modification wav OpenWithProgIds", "analytic_story": ["Snake Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "A registry modification related to Snake Malware has been identified on $dest$.", "mitre_attack_id": ["T1112"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.user", "Registry.registry_path", "Registry.registry_key_name", "Registry.registry_value_name"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "atomic_guid": ["8318ad20-0488-4a64-98f4-72525a012f6b"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/snakemalware/snake_malware_regblob-windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_snake_malware_registry_modification_wav_openwithprogids_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Snake Malware Service Create", "id": "64eb091f-8cab-4b41-9b09-8fb4942377df", "version": 1, "date": "2023-05-11", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a new service WerFaultSvc being created with a binary path located in the windows winsxs path. Per the report, the Snake version primarily discussed in this advisory registers a service to maintain persistence on a system. Typically this service is named WerFaultSvc which we assess was used to blend in with the legitimate Windows service WerSvc. On boot, this service will execute Snakes WerFault.exe, which Snake developers chose to hide among the numerous valid Windows WerFault.exe files in the windows WinSxS directory. Executing WerFault.exe will start the process of decrypting Snakes components and loading them into memory.", "data_source": ["Windows System 7045"], "search": "`wineventlog_system` EventCode=7045 ImagePath=\"*\\\\windows\\\\winSxS\\\\*\" ImagePath=\"*\\Werfault.exe\" | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_snake_malware_service_create_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows System logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.", "known_false_positives": "False positives should be limited as this is a strict primary indicator used by Snake Malware.", "references": ["https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"], "tags": {"name": "Windows Snake Malware Service Create", "analytic_story": ["Snake Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A service, WerFaultSvc, was created on $dest$ and is related to Snake Malware.", "mitre_attack_id": ["T1547.006", "T1569.002"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["EventCode", "Service_File_Name", "Service_Type", "_time", "Service_Name", "Service_Start_Type", "Service_Account", "user"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "atomic_guid": ["b8db787e-dbea-493c-96cb-9272296ddc49"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/snakemalware/snake-service-windows-system.log", "source": "XmlWinEventLog:System", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_snake_malware_service_create_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_snake_malware_service_create.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Windows Spearphishing Attachment Connect To None MS Office Domain", "id": "1cb40e15-cffa-45cc-abbd-e35884a49766", "version": 2, "date": "2023-02-15", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "this detection was designed to identifies suspicious office documents that connect to a website aside from Microsoft Office Domain. This technique was seen in several malicious documents that abuses .rels xml properties of MS office to connect or download malicious files. This hunting query can be a good pivot or guide to check what URL link it tries to connect, what domain, where the documents came from and how the connection happens.", "data_source": ["Sysmon Event ID 22"], "search": "`sysmon` EventCode=22 Image IN (\"*\\\\winword.exe\",\"*\\\\excel.exe\",\"*\\\\powerpnt.exe\",\"*\\\\mspub.exe\",\"*\\\\visio.exe\",\"*\\\\wordpad.exe\",\"*\\\\wordview.exe\",\"*\\\\onenote.exe\", \"*\\\\onenotem.exe\",\"*\\\\onenoteviewer.exe\",\"*\\\\onenoteim.exe\", \"*\\\\msaccess.exe\") AND NOT(QueryName IN (\"*.office.com\", \"*.office.net\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryResults QueryStatus Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_spearphishing_attachment_connect_to_none_ms_office_domain_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Windows Office document may contain legitimate url link other than MS office Domain. filter is needed", "references": ["https://www.netskope.com/blog/asyncrat-using-fully-undetected-downloader", "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"name": "Windows Spearphishing Attachment Connect To None MS Office Domain", "analytic_story": ["Spearphishing Attachments", "AsyncRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Delivery"], "message": "a office document process $Image$ connect to an URL link $QueryName$ in $Computer$", "mitre_attack_id": ["T1566.001", "T1566"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "QueryName", "QueryResults", "QueryStatus", "Computer"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/office_doc_abuses_rels/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_spearphishing_attachment_connect_to_none_ms_office_domain_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml", "source": "endpoint"}, {"name": "Windows Spearphishing Attachment Onenote Spawn Mshta", "id": "35aeb0e7-7de5-444a-ac45-24d6788796ec", "version": 1, "date": "2023-01-24", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following detection identifies the latest behavior utilized by different malware families (including TA551, AsyncRat, Redline and DCRAT). This detection identifies onenote Office Product spawning `mshta.exe`. In malicious instances, the command-line of `mshta.exe` will contain the `hta` file locally, or a URL to the remote destination. In addition, Threat Research has released a detections identifying suspicious use of `mshta.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `mshta.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"onenote.exe\", \"onenotem.exe\") `process_mshta` by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_spearphishing_attachment_onenote_spawn_mshta_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "No false positives known. Filter as needed.", "references": ["https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/", "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"name": "Windows Spearphishing Attachment Onenote Spawn Mshta", "analytic_story": ["Spearphishing Attachments", "AsyncRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Delivery"], "message": "office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ in host $dest$", "mitre_attack_id": ["T1566.001", "T1566"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/onenote_spear_phishing/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_mshta", "definition": "(Processes.process_name=mshta.exe OR Processes.original_file_name=MSHTA.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "windows_spearphishing_attachment_onenote_spawn_mshta_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Special Privileged Logon On Multiple Hosts", "id": "4c461f5a-c2cc-4e86-b132-c262fc9edca7", "version": 1, "date": "2023-03-27", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic leverages Event ID 4672 to identify a source user authenticating with special privileges across a large number remote endpoints. Specifically, the logic will trigger when a source user obtains special privileges across 30 or more target computers within a 5 minute timespan. Special privileges are assigned to a new logon session when sensitive privileges like SeDebugPrivilege and SeImpersonatePrivilege are assigned. This behavior could represent an adversary who is moving laterally and executing remote code across the network. It can also be triggered by other behavior like an adversary enumerating network shares. As environments differ across organizations, security teams should customize the thresholds of this detection as needed.", "data_source": [], "search": " `wineventlog_security` EventCode=4672 AND NOT(Caller_User_Name IN (\"DWM-1\",\"DWM-2\",\"DWM-3\",\"LOCAL SERVICE\",\"NETWORK SERVICE\",\"SYSTEM\",\"*$\")) | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as host_targets values(PrivilegeList) as privileges by _time, Caller_User_Name | where unique_targets > 30 | `windows_special_privileged_logon_on_multiple_hosts_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting special logon events. The Advanced Security Audit policy setting `Audit Special Logon` within `Logon/Logoff` need to be enabled.", "known_false_positives": "Vulnerability scanners or system administration tools may also trigger this detection. Filter as needed.", "references": ["https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319113(v=ws.11)", "https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/", "https://attack.mitre.org/tactics/TA0008/"], "tags": {"name": "Windows Special Privileged Logon On Multiple Hosts", "analytic_story": ["Active Directory Privilege Escalation", "Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "A source user $Caller_User_Name$ obtained special privileges on a large number of endpoints within 5 minutes.", "mitre_attack_id": ["T1087", "T1021.002", "T1135"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "Caller_User_Name", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Caller_User_Name", "Computer", "PrivilegeList"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/special_logon_on_mulitple_hosts/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_special_privileged_logon_on_multiple_hosts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_special_privileged_logon_on_multiple_hosts.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Steal Authentication Certificates Certificate Issued", "id": "9b1a5385-0c31-4c39-9753-dc26b8ce64c2", "version": 1, "date": "2023-02-06", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies when a new certificate is issued against the Certificate Services - AD CS. By its very nature this is not malicious, but should be tracked and correlated with other events related to certificates being issued. When the CA issues the certificate, it creates EID 4887 'Certificate Services approved a certificate request and issued a certificate\". The event supplies the requester user context, the DNS hostname of the machine they requested the certificate from, and the time they requested the certificate. The attributes fields in these event commonly has values for CDC, RMD, and CCM which correspond to Client DC, Request Machine DNS name, and Cert Client Machine, respectively.", "data_source": [], "search": "`wineventlog_security` EventCode=4887 | stats count min(_time) as firstTime max(_time) as lastTime by dest, name, Requester, action, Attributes, Subject | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_steal_authentication_certificates_certificate_issued_filter`", "how_to_implement": "To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference.", "known_false_positives": "False positives will be generated based on normal certificates issued. Leave enabled to generate Risk, as this is meant to be an anomaly analytic.", "references": ["https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf"], "tags": {"name": "Windows Steal Authentication Certificates Certificate Issued", "analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 10, "kill_chain_phases": ["Exploitation"], "message": "A certificate was issued to $dest$.", "mitre_attack_id": ["T1649"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "name", "Requester", "action", "Attributes"], "risk_score": 8, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4887_windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_steal_authentication_certificates_certificate_issued_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_steal_authentication_certificates_certificate_issued.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Steal Authentication Certificates Certificate Request", "id": "747d7800-2eaa-422d-b994-04d8bb9e06d0", "version": 1, "date": "2023-02-06", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies when a new certificate is requested against the Certificate Services - AD CS. By its very nature this is not malicious, but should be tracked and correlated with other events related to certificate requests. When an account requests a certificate, the CA generates event ID (EID) 4886 \"Certificate Services received a certificate request\".", "data_source": [], "search": "`wineventlog_security` EventCode=4886 | stats count min(_time) as firstTime max(_time) as lastTime by dest, name, Requester, action, Attributes | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_certificate_request_filter`", "how_to_implement": "To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference.", "known_false_positives": "False positives will be generated based on normal certificate requests. Leave enabled to generate Risk, as this is meant to be an anomaly analytic.", "references": ["https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf"], "tags": {"name": "Windows Steal Authentication Certificates Certificate Request", "analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 10, "kill_chain_phases": ["Exploitation"], "message": "A certificate was requested by $dest$.", "mitre_attack_id": ["T1649"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "name", "Requester", "action", "Attributes"], "risk_score": 8, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4886_windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_steal_authentication_certificates_certificate_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_steal_authentication_certificates_certificate_request.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Steal Authentication Certificates CertUtil Backup", "id": "bac85b56-0b65-4ce5-aad5-d94880df0967", "version": 1, "date": "2023-02-06", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic is focused on CertUtil.exe performing a backup of the Certificate Store. Typically, administrators may perform this task to migrate or perform backups of the store, however it may be found uncommon in most organizations.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` Processes.process IN (\"*-backupdb *\", \"*-backup *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_certutil_backup_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives will be generated based on normal certificate store backups. Leave enabled to generate Risk, as this is meant to be an anomaly analytic. If CS backups are not normal, enable as TTP.", "references": ["https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf"], "tags": {"name": "Windows Steal Authentication Certificates CertUtil Backup", "analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to backup the Certificate Store.", "mitre_attack_id": ["T1649"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/backupdb_certutil_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_certutil", "definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_steal_authentication_certificates_certutil_backup_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Steal Authentication Certificates CryptoAPI", "id": "905d5692-6d7c-432f-bc7e-a6b4f464d40e", "version": 1, "date": "2023-02-08", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic utilizes a Windows Event Log - CAPI2 - or CryptoAPI 2, to identify suspicious certificate extraction. Typically, this event log is meant for diagnosing PKI issues, however is a great source to identify certificate exports. Note that this event log is noisy as it captures common PKI requests from many different processes. EventID 70 is generated anytime a certificate is exported. The description for EventID 70 is \"Acquire Certificate Private Key\". STRT tested this analytic using Mimikatz binary and the implementation of Mimikatz in Cobalt Strike.", "data_source": ["Sysmon Event ID 7"], "search": "`capi2_operational` EventCode=70 | xmlkv UserData_Xml | stats count min(_time) as firstTime max(_time) as lastTime by Computer, UserData_Xml | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_cryptoapi_filter`", "how_to_implement": "To implement this analytic, one will need to enable the Microsoft-Windows-CAPI2/Operational log within the Windows Event Log. Note this is a debug log for many purposes, and the analytic only focuses in on EventID 70. Review the following gist for additional enabling information.", "known_false_positives": "False positives may be present in some instances of legitimate applications requiring to export certificates. Filter as needed.", "references": ["https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc749296(v=ws.10)"], "tags": {"name": "Windows Steal Authentication Certificates CryptoAPI", "analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Certificates were exported via the CryptoAPI 2 on $dest$.", "mitre_attack_id": ["T1649"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Computer", "UserData_Xml"], "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/capi2-operational.log", "source": "XmlWinEventLog:Microsoft-Windows-CAPI2/Operational", "sourcetype": "XmlWinEventLog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "capi2_operational", "definition": "(source=XmlWinEventLog:Microsoft-Windows-CAPI2/Operational)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_steal_authentication_certificates_cryptoapi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_steal_authentication_certificates_cryptoapi.yml", "source": "endpoint"}, {"name": "Windows Steal Authentication Certificates CS Backup", "id": "a2f4cc7f-6503-4078-b206-f83a29f408a7", "version": 1, "date": "2023-02-06", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies when the Active Directory Certificate Services store is backed up utilizing Event ID 4876. This event triggers whenever the backup occurs in the UI of CertSrv.msc or via CertUtil.exe -BackupDB occurs.", "data_source": [], "search": "`wineventlog_security` EventCode=4876| stats count min(_time) as firstTime max(_time) as lastTime by dest, name, action, Caller_Domain ,Caller_User_Name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_cs_backup_filter`", "how_to_implement": "To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 128 of first reference.", "known_false_positives": "False positives will be generated based on normal certificate store backups. Leave enabled to generate Risk, as this is meant to be an anomaly analytic. If CS backups are not normal, enable as TTP.", "references": ["https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf"], "tags": {"name": "Windows Steal Authentication Certificates CS Backup", "analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "The Active Directory Certiciate Services was backed up on $dest$.", "mitre_attack_id": ["T1649"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "name", "action", "Caller_Domain", "Caller_User_Name"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4876_windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_steal_authentication_certificates_cs_backup_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_steal_authentication_certificates_cs_backup.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Steal Authentication Certificates Export Certificate", "id": "e39dc429-c2a5-4f1f-9c3c-6b211af6b332", "version": 1, "date": "2023-02-01", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies the use of export-certificate, the PowerShell cmdlet, being utilized on the command-line in an attempt to export the certifcate from the local Windows Certificate Store.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*export-certificate*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_export_certificate_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Filtering may be requried based on automated utilities and third party applications that may export certificates.", "references": ["https://dev.to/iamthecarisma/managing-windows-pfx-certificates-through-powershell-3pj", "https://learn.microsoft.com/en-us/powershell/module/pki/export-certificate?view=windowsserver2022-ps"], "tags": {"name": "Windows Steal Authentication Certificates Export Certificate", "analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to export a certificate from the local Windows Certificate Store.", "mitre_attack_id": ["T1649"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/export_certificate_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_steal_authentication_certificates_export_certificate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Steal Authentication Certificates Export PfxCertificate", "id": "391329f3-c14b-4b8d-8b37-ac5012637360", "version": 1, "date": "2023-02-01", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies the use of export-pfxcertificate, the PowerShell cmdlet, being utilized on the command-line in an attempt to export the certifcate from the local Windows Certificate Store.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*export-pfxcertificate*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_export_pfxcertificate_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Filtering may be requried based on automated utilities and third party applications that may export certificates.", "references": ["https://dev.to/iamthecarisma/managing-windows-pfx-certificates-through-powershell-3pj", "https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps"], "tags": {"name": "Windows Steal Authentication Certificates Export PfxCertificate", "analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to export a certificate from the local Windows Certificate Store.", "mitre_attack_id": ["T1649"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/export_pfxcertificate_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_steal_authentication_certificates_export_pfxcertificate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Steal or Forge Kerberos Tickets Klist", "id": "09d88404-1e29-46cb-806c-1eedbc85ad5d", "version": 1, "date": "2022-11-30", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies a process execution of Windows OS klist.exe tool. This tool is being abused or used by several post exploitation tool such as winpeas that being used by ransomware prestige to display or gather list of currently cached kerberos ticket. This cahced data can be used for lateral movement or even privilege escalation on the targeted host. This hunting query can be a good pivot in possible kerberos attack or pass the hash technique.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"klist.exe\" OR Processes.original_file_name = \"klist.exe\" Processes.parent_process_name IN (\"cmd.exe\", \"powershell*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_or_forge_kerberos_tickets_klist_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used.", "known_false_positives": "unknown", "references": ["https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"name": "Windows Steal or Forge Kerberos Tickets Klist", "analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "process klist.exe executed in $dest$", "mitre_attack_id": ["T1558"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id", "Processes.parent_process_guid", "Processes.process_guid"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_steal_or_forge_kerberos_tickets_klist_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_steal_or_forge_kerberos_tickets_klist.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows System Binary Proxy Execution Compiled HTML File Decompile", "id": "2acf0e19-4149-451c-a3f3-39cd3c77e37d", "version": 1, "date": "2022-08-31", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the decompile parameter with the HTML Help application, HH.exe. This is a uncommon command to see ran and behavior. Most recently this was seen in a APT41 campaign where a CHM file was delivered and a script inside used a technique for running an arbitrary command in a CHM file via an ActiveX object. This unpacks an HTML help file to a specified path for launching the next stage.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_hh` Processes.process=*-decompile* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_binary_proxy_execution_compiled_html_file_decompile_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited, filter as needed.", "references": ["https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://redcanary.com/blog/introducing-atomictestharnesses/", "https://attack.mitre.org/techniques/T1218/001/", "https://docs.microsoft.com/en-us/windows/win32/api/htmlhelp/nf-htmlhelp-htmlhelpa"], "tags": {"name": "Windows System Binary Proxy Execution Compiled HTML File Decompile", "analytic_story": ["Suspicious Compiled HTML Activity", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "$process_name$ has been identified using decompile against a CHM on $dest$ under user $user$.", "mitre_attack_id": ["T1218.001", "T1218"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.001", "mitre_attack_technique": "Compiled HTML File", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "APT41", "Dark Caracal", "OilRig", "Silence"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/hh_decom_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_hh", "definition": "(Processes.process_name=hh.exe OR Processes.original_file_name=HH.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_system_binary_proxy_execution_compiled_html_file_decompile_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows System Discovery Using ldap Nslookup", "id": "2418780f-7c3e-4c45-b8b4-996ea850cd49", "version": 1, "date": "2022-10-21", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies the execution of nslookup.exe tool to get domain information. Nslookup.exe is a command-line tool that can display information to diagnose domain name systems. This Nslookup feature is being abused by Qakbot malware to gather domain information such as SRV service location records, server name and many more.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = \"nslookup.exe\" OR Processes.original_file_name = \"nslookup.exe\") AND Processes.process = \"*_ldap._tcp.dc._msdcs*\" by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `windows_system_discovery_using_ldap_nslookup_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "dministrator may execute this commandline tool for auditing purposes. Filter as needed.", "references": ["https://securelist.com/qakbot-technical-analysis/103931/", "https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/verify-srv-dns-records-have-been-created"], "tags": {"name": "Windows System Discovery Using ldap Nslookup", "analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "System nslookup domain discovery on $dest$", "mitre_attack_id": ["T1033"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Windshift", "Wizard Spider", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/qakbot_discovery_cmdline/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_system_discovery_using_ldap_nslookup_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows System Discovery Using Qwinsta", "id": "2e765c1b-144a-49f0-93d0-1df4287cca04", "version": 1, "date": "2022-10-21", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies the execution of qwinsta.exe executable in Windows Operating System. This Windows executable file can display information about sessions on a remote desktop session host server. The information includes servername, sessionname, username and many more. This tool is being abused of Qakbot malware to gather information to the targeted or compromised host that will be send back to its Command And Control server.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"qwinsta.exe\" OR Processes.original_file_name = \"qwinsta.exe\" by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `windows_system_discovery_using_qwinsta_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrator may execute this commandline tool for auditing purposes. Filter as needed.", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/qwinsta", "https://securelist.com/qakbot-technical-analysis/103931/"], "tags": {"name": "Windows System Discovery Using Qwinsta", "analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "System qwinsta domain discovery on $dest$", "mitre_attack_id": ["T1033"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Windshift", "Wizard Spider", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/qakbot_discovery_cmdline/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_system_discovery_using_qwinsta_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_system_discovery_using_qwinsta.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows System File on Disk", "id": "993ce99d-9cdd-42c7-a2cf-733d5954e5a6", "version": 2, "date": "2022-05-16", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following hunting analytic will assist with identifying new .sys files introduced in the environment. This query is meant to identify sys file creates on disk. There will be noise, but reducing common process names or applications should help to limit any volume. The idea is to identify new sys files written to disk and identify them before they're added as a new kernel mode driver.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name=\"*.sys*\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.file_hash | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_system_file_on_disk_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on files from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. In addition, filtering may occur by adding NOT (Filesystem.file_path IN (\"*\\\\Windows\\\\*\", \"*\\\\Program File*\", \"*\\\\systemroot\\\\*\",\"%SystemRoot%*\", \"system32\\*\")). This will level out the noise generated to potentally lead to generating notables.", "known_false_positives": "False positives will be present. Filter as needed.", "references": ["https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/"], "tags": {"name": "Windows System File on Disk", "analytic_story": ["Windows Drivers", "CISA AA22-264A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "message": "A new driver is present on $dest$.", "mitre_attack_id": ["T1068"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/sysmon_sys_filemod.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_system_file_on_disk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_system_file_on_disk.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows System LogOff Commandline", "id": "74a8133f-93e7-4b71-9bd3-13a66124fd57", "version": 1, "date": "2022-07-27", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies Windows commandline to logoff a windows host machine. This technique was seen in several APT, RAT like dcrat and other commodity malware to shutdown the machine to add more impact, interrupt access, aid destruction of the system like wiping disk or inhibit system recovery. This TTP is a good pivot to check why application trigger this commandline which is not so common way to logoff a machine.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = shutdown.exe OR Processes.original_file_name = shutdown.exe) Processes.process=\"*shutdown*\" Processes.process=\"* /l*\" Processes.process=\"* /t*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_logoff_commandline_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrator may execute this commandline to trigger shutdown, logoff or restart the host machine.", "references": ["https://attack.mitre.org/techniques/T1529/", "https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor"], "tags": {"name": "Windows System LogOff Commandline", "analytic_story": ["DarkCrystal RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "message": "Process name $process_name$ is seen to execute logoff commandline on $dest$", "mitre_attack_id": ["T1529"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/reboot_logoff_commandline/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_system_logoff_commandline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_system_logoff_commandline.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows System Network Config Discovery Display DNS", "id": "e24f0a0e-41a9-419f-9999-eacab15efc36", "version": 1, "date": "2022-11-30", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies a process command line that retrieves dns reply information using Windows OS built-in tool IPConfig. This technique is being abused by threat actors, adversaries and post exploitation tools like WINPEAS to retrieve DNS information for the targeted host. This IPConfig parameter (/displaydns) can show dns server resource record, record name, record type, time to live data length and dns reply. This hunting detection can be a good pivot to check which process is executing this command line in specific host system that may lead to malware or adversaries gathering network information.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"ipconfig.exe\" OR Processes.original_file_name = \"ipconfig.exe\" AND Processes.process = \"*/displaydns*\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_network_config_discovery_display_dns_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used.", "known_false_positives": "unknown", "references": ["https://superuser.com/questions/230308/explain-output-of-ipconfig-displaydns", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"name": "Windows System Network Config Discovery Display DNS", "analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "process $process_name$ with commandline $process$ is executed in $dest$", "mitre_attack_id": ["T1016"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id", "Processes.parent_process_guid", "Processes.process_guid"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_system_network_config_discovery_display_dns_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_system_network_config_discovery_display_dns.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows System Network Connections Discovery Netsh", "id": "abfb7cc5-c275-4a97-9029-62cd8d4ffeca", "version": 1, "date": "2022-11-30", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies a process execution of Windows OS built-in tool netsh.exe to show state, configuration and profile of host firewall. This tool is being used or abused by several adversaries or even post exploitation tool to bypass firewall rules or to discover firewall settings. This hunting detection can help to detect a possible suspicious usage of netsh.exe to retrieve firewall settings or even firewall wlan profile. We recommend checking which parent process and process name execute this command. Also check the process file path for verification that may lead to further TTP's threat behavior.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh`AND Processes.process = \"* show *\" Processes.process IN (\"*state*\", \"*config*\", \"*wlan*\", \"*profile*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_network_connections_discovery_netsh_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used.", "known_false_positives": "network administrator can use this tool for auditing process.", "references": ["https://attack.mitre.org/techniques/T1049/", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"name": "Windows System Network Connections Discovery Netsh", "analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "netsh process with command line $process$ in $dest$", "mitre_attack_id": ["T1049"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id", "Processes.parent_process_guid", "Processes.process_guid"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_netsh", "definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_system_network_connections_discovery_netsh_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_system_network_connections_discovery_netsh.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows System Reboot CommandLine", "id": "97fc2b60-c8eb-4711-93f7-d26fade3686f", "version": 1, "date": "2022-07-27", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies Windows commandline to reboot a windows host machine. This technique was seen in several APT, RAT like dcrat and other commodity malware to shutdown the machine to add more impact, interrupt access, aid destruction of the system like wiping disk or inhibit system recovery. This TTP is a good pivot to check why application trigger this commandline which is not so common way to reboot a machine. Compare to shutdown and logoff shutdown.exe feature, reboot seen in some automation script like ansible to reboot the machine.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = shutdown.exe OR Processes.original_file_name = shutdown.exe) Processes.process=\"*shutdown*\" Processes.process=\"* /r*\" Processes.process=\"* /t*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_reboot_commandline_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrator may execute this commandline to trigger shutdown or restart the host machine.", "references": ["https://attack.mitre.org/techniques/T1529/", "https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor"], "tags": {"name": "Windows System Reboot CommandLine", "analytic_story": ["DarkCrystal RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Actions on Objectives"], "message": "Process $process_name$ that executed reboot via commandline on $dest$", "mitre_attack_id": ["T1529"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/reboot_logoff_commandline/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_system_reboot_commandline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_system_reboot_commandline.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows System Script Proxy Execution Syncappvpublishingserver", "id": "8dd73f89-682d-444c-8b41-8e679966ad3c", "version": 1, "date": "2022-09-26", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the abuse of Syncappvpublishingserver.vbs, which is a native script on Windows that may be utilized to download remote files or perform privilege escalation.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"wscript.exe\",\"cscript.exe\") Processes.process=\"*syncappvpublishingserver.vbs*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_script_proxy_execution_syncappvpublishingserver_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present if the vbscript syncappvpublishingserver is used for legitimate purposes. Filter as needed. Adding a n; to the command-line arguments may help reduce any noise.", "references": ["https://lolbas-project.github.io/lolbas/Scripts/Syncappvpublishingserver/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md#atomic-test-1---syncappvpublishingserver-signed-script-powershell-command-execution"], "tags": {"name": "Windows System Script Proxy Execution Syncappvpublishingserver", "analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download files or evade critical controls.", "mitre_attack_id": ["T1216", "T1218"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1216", "mitre_attack_technique": "System Script Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1216/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_system_script_proxy_execution_syncappvpublishingserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows System Shutdown CommandLine", "id": "4fee57b8-d825-4bf3-9ea8-bf405cdb614c", "version": 1, "date": "2022-07-27", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies Windows commandline to shutdown a windows host machine. This technique was seen in several APT, RAT like dcrat and other commodity malware to shutdown the machine to add more impact, interrupt access, aid destruction of the system like wiping disk or inhibit system recovery. This TTP is a good pivot to check why application trigger this commandline which is not so common way to shutdown a machine.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = shutdown.exe OR Processes.original_file_name = shutdown.exe) Processes.process=\"*shutdown*\" Processes.process=\"* /s*\" Processes.process=\"* /t*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_shutdown_commandline_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrator may execute this commandline to trigger shutdown or restart the host machine.", "references": ["https://attack.mitre.org/techniques/T1529/", "https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor"], "tags": {"name": "Windows System Shutdown CommandLine", "analytic_story": ["DarkCrystal RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "message": "Process $process_name$ seen to execute shutdown via commandline on $dest$", "mitre_attack_id": ["T1529"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/shutdown_commandline/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_system_shutdown_commandline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_system_shutdown_commandline.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows System Time Discovery W32tm Delay", "id": "b2cc69e7-11ba-42dc-a269-59c069a48870", "version": 1, "date": "2022-07-28", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies DCRat delay time tactics using w32tm. This technique was seen in DCRAT malware where it uses stripchart function of w32tm.exe application to delay the execution of its payload like c2 communication , beaconing and execution. This anomaly detection may help the analyst to check other possible event like the process who execute this command that may lead to DCRat attack.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = w32tm.exe Processes.process= \"* /stripchart *\" Processes.process= \"* /computer:localhost *\" Processes.process= \"* /period:*\" Processes.process= \"* /dataonly *\" Processes.process= \"* /samples:*\" by Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_time_discovery_w32tm_delay_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "references": ["https://cert.gov.ua/article/405538", "https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat", "https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor"], "tags": {"name": "Windows System Time Discovery W32tm Delay", "analytic_story": ["DarkCrystal RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "Process name w32tm.exe is using suspcicious command line arguments $process$ on host $dest$.", "mitre_attack_id": ["T1124"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1124", "mitre_attack_technique": "System Time Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Darkhotel", "Higaisa", "Lazarus Group", "Sidewinder", "The White Company", "Turla", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_delay_execution/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_system_time_discovery_w32tm_delay_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows System User Discovery Via Quser", "id": "0c3f3e09-e47a-410e-856f-a02a5c5fafb0", "version": 1, "date": "2022-11-30", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies a process execution of Windows OS quser.exe tool. This tool is being abused or used by several post exploitation tool such as winpeas that being used by ransomware prestige to display or gather information about user sessions on a Remote Desktop Session Host server. This command can find out if a specific user is logged on to a specific Remote Desktop Session Host server. This tool can retrieve some RDP information that can be use by attacker for further attack like Name of the user , Name of the session on the Remote Desktop Session Host server, Session ID, State of the session (active or disconnected), Idle time (the number of minutes since the last keystroke or mouse movement at the session) and Date and time the user logged on.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"quser.exe\" OR Processes.original_file_name = \"quser.exe\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_user_discovery_via_quser_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used.", "known_false_positives": "network administrator can use this command tool to audit RDP access of user in specific network or host.", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/quser", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"name": "Windows System User Discovery Via Quser", "analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "execution of process $process_name$ in $dest$", "mitre_attack_id": ["T1033"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id", "Processes.parent_process_guid", "Processes.process_guid"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Windshift", "Wizard Spider", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_system_user_discovery_via_quser_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_system_user_discovery_via_quser.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Terminating Lsass Process", "id": "7ab3c319-a4e7-4211-9e8c-40a049d0dba6", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to detect a suspicious process terminating Lsass process. Lsass process is known to be a critical process that is responsible for enforcing security policy system. This process was commonly targetted by threat actor or red teamer to gain privilege escalation or persistence in the targeted machine because it handles credentials of the logon users. In this analytic we tried to detect a suspicious process having a granted access PROCESS_TERMINATE to lsass process to modify or delete protected registrys. This technique was seen in doublezero malware that tries to wipe files and registry in compromised hosts. This anomaly detection can be a good pivot of incident response for possible credential dumping or evading security policy in a host or network environment.", "data_source": ["Sysmon Event ID 1"], "search": "`sysmon` EventCode=10 TargetImage=*lsass.exe GrantedAccess = 0x1 | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage, TargetImage, TargetProcessId, SourceProcessId, GrantedAccess CallTrace, Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_terminating_lsass_process_filter`", "how_to_implement": "This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10 for lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "unknown", "references": ["https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html"], "tags": {"name": "Windows Terminating Lsass Process", "analytic_story": ["Data Destruction", "Double Zero Destructor"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "a process $SourceImage$ terminates Lsass process in $dest$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "TargetImage", "type": "Process", "role": ["Target"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "TargetImage", "CallTrace", "Computer", "TargetProcessId", "SourceImage", "SourceProcessId", "GrantedAccess"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/doublezero_wiper/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_terminating_lsass_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_terminating_lsass_process.yml", "source": "endpoint"}, {"name": "Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos", "id": "f65aa026-b811-42ab-b4b9-d9088137648f", "version": 1, "date": "2022-09-22", "author": "Mauricio Velazco, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies one source endpoint failing to authenticate with multiple disabled domain users using the Kerberos protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using Kerberos to obtain initial access or elevate privileges. As attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries may execute a password spraying attack against disabled users. Event 4768 is generated every time the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT). Failure code `0x12` stands for `clients credentials have been revoked` (account disabled, expired or locked out).\\\nThe detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises.\\\nThis detection will only trigger on domain controllers, not on member servers or workstations.\\\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts.", "data_source": ["Windows Security 4768"], "search": "`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x12 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, IpAddress | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_disabled_users_failed_auth_using_kerberos_filter` ", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple disabled domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems missconfigured systems.", "references": ["https://attack.mitre.org/techniques/T1110/003/"], "tags": {"name": "Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos", "analytic_story": ["Active Directory Password Spraying", "Active Directory Kerberos Attacks", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Potential Kerberos based password spraying attack from $IpAddress$", "mitre_attack_id": ["T1110.003", "T1110"], "nist": ["DE.AE"], "observable": [{"name": "IpAddress", "role": ["Attacker"], "type": "Endpoint"}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Status", "TargetUserName", "IpAddress"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_disabled_users_kerberos_xml/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unusual_count_of_disabled_users_failed_auth_using_kerberos_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_unusual_count_of_disabled_users_failed_to_auth_using_kerberos.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos", "id": "f122cb2e-d773-4f11-8399-62a3572d8dd7", "version": 1, "date": "2022-09-22", "author": "Mauricio Velazco, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies one source endpoint failing to authenticate with multiple invalid domain users using the Kerberos protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using Kerberos to obtain initial access or elevate privileges. As attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries may execute a password spraying attack using an invalid list of users. Event 4768 is generated every time the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT). Failure code 0x6 stands for `client not found in Kerberos database` (the attempted user is not a valid domain user).\\\nThe detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises.\\\nThis detection will only trigger on domain controllers, not on member servers or workstations.\\\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts.", "data_source": ["Windows Security 4768"], "search": "`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x6 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, IpAddress | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos_filter` ", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems and missconfigured systems.", "references": ["https://attack.mitre.org/techniques/T1110/003/"], "tags": {"name": "Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos", "analytic_story": ["Active Directory Password Spraying", "Active Directory Kerberos Attacks", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Potential Kerberos based password spraying attack from $IpAddress$", "mitre_attack_id": ["T1110.003", "T1110"], "nist": ["DE.AE"], "observable": [{"name": "IpAddress", "role": ["Attacker"], "type": "Endpoint"}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Status", "TargetUserName", "IpAddress"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM", "id": "15603165-147d-4a6e-9778-bd0ff39e668f", "version": 1, "date": "2022-09-22", "author": "Mauricio Velazco, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies one source endpoint failing to authenticate with multiple invalid users using the NTLM protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using NTLM to obtain initial access or elevate privileges. As attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries may execute a password spraying attack using an invalid list of users. Event 4776 is generated on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. Error code 0xC0000064 stands for `The username you typed does not exist` (the attempted user is a legitimate domain user).\\\nThe detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises.\\\nThis detection will only trigger on domain controllers, not on member servers or workstations.\\\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source workstation name and attempted user accounts.", "data_source": ["Windows Security 4776"], "search": " `wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xc0000064 | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, Workstation | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by Workstation | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation' within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776"], "tags": {"name": "Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM", "analytic_story": ["Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Potential NTLM based password spraying attack from $Source_Workstation$", "mitre_attack_id": ["T1110.003", "T1110"], "nist": ["DE.AE"], "observable": [{"name": "Workstation", "role": ["Attacker"], "type": "Endpoint"}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "TargetUserName", "Workstation", "Status"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm_xml/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials", "id": "14f414cf-3080-4b9b-aaf6-55a4ce947b93", "version": 1, "date": "2022-09-22", "author": "Mauricio Velazco, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a source user failing to authenticate with multiple users using explicit credentials on a host. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Event 4648 is generated when a process attempts an account logon by explicitly specifying that accounts credentials. This event generates on domain controllers, member servers, and workstations.\\\nThe detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises.\\\nThis detection will trigger on the potenfially malicious host, perhaps controlled via a trojan or operated by an insider threat, from where a password spraying attack is being executed.\\\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source account, attempted user accounts and the endpoint were the behavior was identified.", "data_source": ["Windows Security 4648"], "search": " `wineventlog_security` EventCode=4648 Caller_User_Name!=*$ Target_User_Name!=*$ | bucket span=5m _time | stats dc(Target_User_Name) AS unique_accounts values(Target_User_Name) as tried_account by _time, Computer, Caller_User_Name | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by Computer | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials_filter` ", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "A source user failing attempting to authenticate multiple users on a host is not a common behavior for regular systems. Some applications, however, may exhibit this behavior in which case sets of users hosts can be added to an allow list. Possible false positive scenarios include systems where several users connect to like Mail servers, identity providers, remote desktop services, Citrix, etc.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4648", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events"], "tags": {"name": "Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials", "analytic_story": ["Active Directory Password Spraying", "Insider Threat", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Potential password spraying attack from $Computer$", "mitre_attack_id": ["T1110.003", "T1110"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "role": ["Attacker"], "type": "Endpoint"}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Target_User_Name", "Caller_User_Name", "Computer"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray_xml/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Unusual Count Of Users Failed To Auth Using Kerberos", "id": "bc9cb715-08ba-40c3-9758-6e2b26e455cb", "version": 1, "date": "2022-09-22", "author": "Mauricio Velazco, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies one source endpoint failing to authenticate with multiple valid users using the Kerberos protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using Kerberos to obtain initial access or elevate privileges. Event 4771 is generated when the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). Failure code 0x18 stands for `wrong password provided` (the attempted user is a legitimate domain user).\\\nThe detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises.\\\nThis detection will only trigger on domain controllers, not on member servers or workstations.\\\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts.", "data_source": ["Windows Security 4771"], "search": "`wineventlog_security` EventCode=4771 TargetUserName!=\"*$\" Status=0x18 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, IpAddress | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_failed_to_auth_using_kerberos_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, missconfigured systems and multi-user systems like Citrix farms.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319109(v=ws.11)", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771"], "tags": {"name": "Windows Unusual Count Of Users Failed To Auth Using Kerberos", "analytic_story": ["Active Directory Password Spraying", "Active Directory Kerberos Attacks", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Potential Kerberos based password spraying attack from $IpAddress$", "mitre_attack_id": ["T1110.003", "T1110"], "nist": ["DE.AE"], "observable": [{"name": "IpAddress", "role": ["Attacker"], "type": "Endpoint"}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Status", "TargetUserName", "IpAddress"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos_xml/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unusual_count_of_users_failed_to_auth_using_kerberos_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_unusual_count_of_users_failed_to_auth_using_kerberos.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Unusual Count Of Users Failed To Authenticate From Process", "id": "25bdb6cb-2e49-4d34-a93c-d6c567c122fe", "version": 1, "date": "2022-09-22", "author": "Mauricio Velazco, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a source process name failing to authenticate with multiple users. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Event 4625 generates on domain controllers, member servers, and workstations when an account fails to logon. Logon Type 2 describes an iteractive logon attempt.\\\nThe detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises.\\\nThis detection will trigger on the potenfially malicious host, perhaps controlled via a trojan or operated by an insider threat, from where a password spraying attack is being executed. This could be a domain controller as well as a member server or workstation.\\\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source process name, source account and attempted user accounts.", "data_source": ["Windows Security 4625"], "search": " `wineventlog_security` EventCode=4625 Logon_Type=2 ProcessName!=\"-\" | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, ProcessName, SubjectUserName, Computer | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by ProcessName, SubjectUserName, Computer | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_failed_to_authenticate_from_process_filter` ", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers aas well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "A process failing to authenticate with multiple users is not a common behavior for legitimate user sessions. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events"], "tags": {"name": "Windows Unusual Count Of Users Failed To Authenticate From Process", "analytic_story": ["Active Directory Password Spraying", "Insider Threat", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Potential password spraying attack from $Computer$", "mitre_attack_id": ["T1110.003", "T1110"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "role": ["Attacker"], "type": "Endpoint"}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Logon_Type", "ProcessName", "SubjectUserName", "TargetUserName", "Computer"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process_xml/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unusual_count_of_users_failed_to_authenticate_from_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_from_process.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Unusual Count Of Users Failed To Authenticate Using NTLM", "id": "6f6c8fd7-6a6b-4af9-a0e9-57cfc47a58b4", "version": 1, "date": "2022-09-22", "author": "Mauricio Velazco, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies one source endpoint failing to authenticate with multiple valid users using the NTLM protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using NTLM to obtain initial access or elevate privileges. Event 4776 is generated on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. Error code 0xC000006A means: misspelled or bad password (the attempted user is a legitimate domain user).\\\nThe detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises.\\\nThis detection will only trigger on domain controllers, not on member servers or workstations.\\\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source workstation name and attempted user accounts.", "data_source": ["Windows Security 4776"], "search": " `wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xC000006A | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, Workstation | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by Workstation | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_failed_to_authenticate_using_ntlm_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776"], "tags": {"name": "Windows Unusual Count Of Users Failed To Authenticate Using NTLM", "analytic_story": ["Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Potential NTLM based password spraying attack from $Workstation$", "mitre_attack_id": ["T1110.003", "T1110"], "nist": ["DE.AE"], "observable": [{"name": "Workstation", "role": ["Attacker"], "type": "Endpoint"}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Status", "TargetUserName", "Workstation"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm_xml/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unusual_count_of_users_failed_to_authenticate_using_ntlm_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_using_ntlm.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Unusual Count Of Users Remotely Failed To Auth From Host", "id": "cf06a0ee-ffa9-4ed3-be77-0670ed9bab52", "version": 1, "date": "2022-09-22", "author": "Mauricio Velazco, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a source host failing to authenticate against a remote host with multiple users. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Event 4625 documents each and every failed attempt to logon to the local computer. This event generates on domain controllers, member servers, and workstations. Logon Type 3 describes an remote authentication attempt.\\\nThe detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises.\\\nThis detection will trigger on the host that is the target of the password spraying attack. This could be a domain controller as well as a member server or workstation.\\\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source process name, source account and attempted user accounts.", "data_source": ["Windows Security 4625"], "search": " `wineventlog_security` EventCode=4625 Logon_Type=3 IpAddress!=\"-\" | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, IpAddress, Computer | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress, Computer | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_remotely_failed_to_auth_from_host_filter` ", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple valid users against a remote host is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, remote administration tools, missconfigyred systems, etc.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events"], "tags": {"name": "Windows Unusual Count Of Users Remotely Failed To Auth From Host", "analytic_story": ["Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Potential password spraying attack on $Computer$", "mitre_attack_id": ["T1110.003", "T1110"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "role": ["Attacker"], "type": "Endpoint"}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Logon_Type", "TargetUserName", "Computer", "IpAddress"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_remote_spray_xml/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unusual_count_of_users_remotely_failed_to_auth_from_host_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_unusual_count_of_users_remotely_failed_to_auth_from_host.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows User Execution Malicious URL Shortcut File", "id": "5c7ee6ad-baf4-44fb-b2f0-0cfeddf82dbc", "version": 1, "date": "2023-01-12", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic will identify suspicious creation of URL shortcut link files. This technique was seen in CHAOS ransomware where it will drop this .url link file in %startup% folder that contains the path of its malicious dropped file to execute upon the reboot of the targeted host. The creation of this file can be created by a normal application or software but it is a good practice to verify this type of file specially the resource it tries to execute which is commonly a website.", "data_source": ["Sysmon Event ID 11"], "search": "|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where NOT(Filesystem.file_path IN (\"*\\\\Program Files*\")) Filesystem.file_name = *.url by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user Filesystem.file_path Filesystem.process_guid Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_user_execution_malicious_url_shortcut_file_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "Administrators may allow creation of script or exe in this path.", "references": ["https://attack.mitre.org/techniques/T1204/002/", "https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia"], "tags": {"name": "Windows User Execution Malicious URL Shortcut File", "analytic_story": ["Chaos Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation"], "message": "a process created URL shortcut file in $file_path$ of $dest$", "mitre_attack_id": ["T1204.002", "T1204"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.file_create_time", "Filesystem.process_id", "Filesystem.file_name", "Filesystem.user", "Filesystem.file_path", "Filesystem.process_guid", "Filesystem.dest"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/chaos_ransomware/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_user_execution_malicious_url_shortcut_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Valid Account With Never Expires Password", "id": "73a931db-1830-48b3-8296-cd9cfa09c3c8", "version": 1, "date": "2022-06-23", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies net.exe updating user account policies for password requirement with non-expiring password. This technique was seen in several adversaries and malware like Azorult to maintain the foothold (persistence), gaining privilege escalation, defense evasion and possible for lateral movement for specific users or created user account on the targeted host. This TTP detections is a good pivot to see further what other events that users executes on the machines.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process=\"* accounts *\" AND Processes.process=\"* /maxpwage:unlimited\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_valid_account_with_never_expires_password_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "This behavior is not commonly seen in production environment and not advisable, filter as needed.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/", "https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/net-commands-on-operating-systems"], "tags": {"name": "Windows Valid Account With Never Expires Password", "analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Actions on Objectives"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ attempting to make non-expiring password on host user accounts.", "mitre_attack_id": ["T1489"], "nist": ["DE.CM"], "observable": [{"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "windows_valid_account_with_never_expires_password_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_valid_account_with_never_expires_password.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Vulnerable 3CX Software", "id": "f2cc1584-46ee-485b-b905-977c067f36de", "version": 1, "date": "2023-03-30", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic leverages Sysmon, a powerful system monitoring and logging tool, to pinpoint instances of the 3CXDesktopApp.exe with a FileVersion of 18.12.x.Recently, 3CX has discovered a vulnerability specifically in versions 18.12.407 and 18.12.416 of the desktop app.", "data_source": ["Sysmon Event Code 1"], "search": "`sysmon` (process_name=3CXDesktopApp.exe OR OriginalFileName=3CXDesktopApp.exe) FileVersion=18.12.* | rename Computer as dest | stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name,process_name, OriginalFileName, CommandLine | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_vulnerable_3cx_software_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "False positives may be present based on file version, modify the analytic to only look for version between 18.12.407 and 18.12.416 as needed.", "references": ["https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/", "https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp", "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/", "https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898", "https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/"], "tags": {"name": "Windows Vulnerable 3CX Software", "analytic_story": ["3CX Supply Chain Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Delivery"], "message": "A known vulnerable instance of 3CX Software $process_name$ ran on $dest$, related to a supply chain attack.", "mitre_attack_id": ["T1195.002"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "OriginalFileName", "process_name", "EventID", "CommandLine", "Computer", "parent_process_name"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "cve": ["CVE-2023-29059"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1195.002", "mitre_attack_technique": "Compromise Software Supply Chain", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT41", "Cobalt Group", "Dragonfly", "GOLD SOUTHFIELD", "Sandworm Team", "Threat Group-3390"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.002/3CX/3cx_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_vulnerable_3cx_software_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2023-29059", "cvss": null, "summary": "3CX DesktopApp through 18.12.416 has embedded malicious code, as exploited in the wild in March 2023. This affects versions 18.12.407 and 18.12.416 of the 3CX DesktopApp Electron Windows application shipped in Update 7, and versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 of the 3CX DesktopApp Electron macOS application."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_vulnerable_3cx_software.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Windows Vulnerable Driver Loaded", "id": "a2b1f1ef-221f-4187-b2a4-d4b08ec745f4", "version": 1, "date": "2022-12-12", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "experimental", "description": "The following analytic utilizes a known list of vulnerable Windows drivers to help defenders find potential persistence or privelege escalation via a vulnerable driver. This analytic uses Sysmon EventCode 6, driver loading. A known gap with this lookup is that it does not use the hash or known signer of the vulnerable driver therefore it is up to the defender to identify version and signing info and confirm it is a vulnerable driver.", "data_source": ["Sysmon Event ID 6"], "search": "`sysmon` EventCode=6 | lookup loldrivers driver_name AS ImageLoaded OUTPUT is_driver driver_description | search is_driver = TRUE | stats min(_time) as firstTime max(_time) as lastTime count by dest ImageLoaded driver_description | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_vulnerable_driver_loaded_filter`", "how_to_implement": "Sysmon collects driver loads via EventID 6, however you may modify the query to utilize this lookup to identify potentially persistent drivers that are known to be vulnerable.", "known_false_positives": "False positives will be present. Drill down into the driver further by version number and cross reference by signer. Review the reference material in the lookup. In addition, modify the query to look within specific paths, which will remove a lot of \"normal\" drivers.", "references": ["https://github.com/SigmaHQ/sigma/blob/master/rules/windows/driver_load/driver_load_vuln_drivers_names.yml", "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", "https://github.com/jbaines-r7/dellicious", "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md", "https://github.com/namazso/physmem_drivers", "https://github.com/stong/CVE-2020-15368", "https://github.com/CaledoniaProject/drivers-binaries", "https://github.com/Chigusa0w0/AsusDriversPrivEscala", "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/", "https://eclypsium.com/2019/11/12/mother-of-all-drivers/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969"], "tags": {"name": "Windows Vulnerable Driver Loaded", "analytic_story": ["Windows Drivers"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "message": "An process has loaded a possible vulnerable driver on $dest$. Review and escalate as needed.", "mitre_attack_id": ["T1543.003"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "ImageLoaded"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1014/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_vulnerable_driver_loaded_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "loldrivers", "description": "A list of known vulnerable drivers", "filename": "loldrivers.csv", "default_match": "false", "match_type": "WILDCARD(driver_name)", "min_matches": 1, "case_sensitive_match": "false"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_vulnerable_driver_loaded.yml", "source": "endpoint"}, {"name": "Windows WinLogon with Public Network Connection", "id": "65615b3a-62ea-4d65-bb9f-6f07c17df4ea", "version": 1, "date": "2023-05-03", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "experimental", "description": "The following analytic is designed to detect anomalous behavior associated with the BlackLotus Campaign, a sophisticated bootkit attack reported by ESET and further investigated in a blog by Microsoft, which provided hunting queries for security analysts. The primary focus of this analytic is to identify instances of Winlogon.exe, a critical Windows process, connecting to public IP space, which is indicative of potential malicious activity.\\ The BlackLotus Campaign is a bootkit-based attack that compromises system integrity by infecting the Master Boot Record (MBR) and Volume Boot Record (VBR). This malware variant can bypass traditional security measures, load before the operating system, and maintain persistence on the target system.\\\nWinlogon.exe is a critical Windows process responsible for managing user logon and logoff processes. Under normal circumstances, Winlogon.exe should not be connecting to public IP addresses. However, if it does, it may indicate that the process has been compromised as part of the BlackLotus Campaign or another malicious operation.\\\nThis analytic monitors network connections made by Winlogon.exe and triggers an alert if it detects connections to public IP space. By identifying such anomalous behavior, security analysts can investigate further and respond swiftly to potential threats.", "data_source": ["Sysmon Event ID 1", "Sysmon Event ID 3"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (winlogon.exe) Processes.process!=unknown by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 NOT (All_Traffic.dest IN (127.0.0.1,10.0.0.0/12,172.16.0.0/12, 192.168.0.0/16, 0:0:0:0:0:0:0:1)) by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as publicIp ] | table dest parent_process_name process_name process_path process process_id dest_port publicIp | `windows_winlogon_with_public_network_connection_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and Network_Traffic datamodel under All Traffic. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives will be present and filtering will be required. Legitimate IPs will be present and need to be filtered.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/"], "tags": {"name": "Windows WinLogon with Public Network Connection", "analytic_story": ["BlackLotus Campaign"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "message": "Winlogon.exe has generated a network connection to a remote destination on endpoint $dest$.", "mitre_attack_id": ["T1542.003"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["dest", "parent_process_name", "process_name", "process_path", "process", "process_id", "dest_port", "publicIp"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "atomic_guid": [], "mitre_attack_enrichments": [{"mitre_attack_id": "T1542.003", "mitre_attack_technique": "Bootkit", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT28", "APT41", "Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1542.003/bootkits/network-winlogon-windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint", "Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_winlogon_with_public_network_connection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_winlogon_with_public_network_connection.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows WMI Impersonate Token", "id": "cf192860-2d94-40db-9a51-c04a2e8a8f8b", "version": 1, "date": "2022-10-24", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a possible wmi token impersonation activities in a process or command. This technique was seen in Qakbot malware where it will execute a vbscript code contains wmi impersonation object to gain privilege escalation or as defense evasion. This Anomaly detection looks for wmiprvse.exe SourceImage having a duplicate handle or full granted access in a target process.", "data_source": ["Sysmon Event ID 1"], "search": "`sysmon` EventCode=10 SourceImage = \"*\\\\wmiprvse.exe\" GrantedAccess IN (\"0x1478\", \"0x1fffff\") | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId GrantedAccess CallTrace Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_wmi_impersonate_token_filter`", "how_to_implement": "This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "administrator may execute impersonate wmi object script for auditing. Filter is needed.", "references": ["https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/process-access.md", "https://www.joesandbox.com/analysis/278341/0/html"], "tags": {"name": "Windows WMI Impersonate Token", "analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "wmiprvse.exe process having a duplicate or full Granted Access $GrantedAccess$ to $TargetImage$ process in $dest$", "mitre_attack_id": ["T1047"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "SourceImage", "TargetImage", "SourceProcessGUID", "TargetProcessGUID", "SourceProcessId", "TargetProcessId", "GrantedAccess", "CallTrace", "Computer"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/wmi_impersonate/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_wmi_impersonate_token_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_wmi_impersonate_token.yml", "source": "endpoint"}, {"name": "Windows WMI Process And Service List", "id": "ef3c5ef2-3f6d-4087-aa75-49bf746dc907", "version": 1, "date": "2022-11-30", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies suspicious process command line, where WMI is performing an event query looking for running processes or running services. This technique is commonly found where the adversary will identify services and system information on the compromised machine. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process IN (\"*process list*\", \"*service list*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_wmi_process_and_service_list_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used.", "known_false_positives": "netowrk administrator or IT may execute this command for auditing processes and services.", "references": ["https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"name": "Windows WMI Process And Service List", "analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 20, "impact": 20, "kill_chain_phases": ["Installation"], "message": "wmi command $process$ to list processes and services in $dest$", "mitre_attack_id": ["T1047"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id", "Processes.parent_process_guid", "Processes.process_guid"], "risk_score": 4, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_wmi_process_and_service_list_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_wmi_process_and_service_list.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows WMI Process Call Create", "id": "0661c2de-93de-11ec-9833-acde48001122", "version": 1, "date": "2022-02-22", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "This analytic is to look for wmi commandlines to execute or create process. This technique was used by adversaries or threat actor to execute their malicious payload in local or remote host. This hunting query is a good pivot to start to look further which process trigger the wmi or what process it execute locally or remotely.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process = \"* process *\" Processes.process = \"* call *\" Processes.process = \"* create *\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_path Processes.process_guid Processes.parent_process_id Processes.dest Processes.user Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_wmi_process_call_create_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Administrators may execute this command for testing or auditing.", "references": ["https://github.com/NVISOsecurity/sigma-public/blob/master/rules/windows/process_creation/win_susp_wmi_execution.yml", "https://github.com/redcanaryco/atomic-red-team/blob/2b804d25418004a5f1ba50e9dc637946ab8733c7/atomics/T1047/T1047.md", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"name": "Windows WMI Process Call Create", "analytic_story": ["Suspicious WMI Use", "Qakbot", "Volt Typhoon", "IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "process with $process$ commandline executed in $dest$", "mitre_attack_id": ["T1047"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id", "Processes.process_guid"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_wmi_process_call_create_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_wmi_process_call_create.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "id": "203ef0ea-9bd8-11eb-8201-acde48001122", "version": 2, "date": "2023-04-05", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following query utilizes Windows Security EventCode 4698, `A scheduled task was created`, to identify suspicious tasks registered on Windows either via schtasks.exe OR TaskService with a command to be executed with a native Windows shell (PowerShell, Cmd, Wscript, Cscript).\\ The search will return the first time and last time the task was registered, as well as the `Command` to be executed, `Task Name`, `Author`, `Enabled`, and whether it is `Hidden` or not.\\ schtasks.exe is natively found in `C:\\Windows\\system32` and `C:\\Windows\\syswow64`.\\ The following DLL(s) are loaded when schtasks.exe or TaskService is launched -`taskschd.dll`. If found loaded by another process, it is possible a scheduled task is being registered within that process context in memory.\\ Upon triage, identify the task scheduled source. Was it schtasks.exe or via TaskService? Review the job created and the Command to be executed. Capture any artifacts on disk and review. Identify any parallel processes within the same timeframe to identify source.", "data_source": ["Windows Security 4698"], "search": "`wineventlog_security` EventCode=4698 | xmlkv Message | search Command IN (\"*powershell.exe*\", \"*wscript.exe*\", \"*cscript.exe*\", \"*cmd.exe*\", \"*sh.exe*\", \"*ksh.exe*\", \"*zsh.exe*\", \"*bash.exe*\", \"*scrcons.exe*\", \"*pwsh.exe*\") | stats count min(_time) as firstTime max(_time) as lastTime by dest, Task_Name, Command, Author, Enabled, Hidden | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winevent_scheduled_task_created_to_spawn_shell_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required.", "known_false_positives": "False positives are possible if legitimate applications are allowed to register tasks that call a shell to be spawned. Filter as needed based on command-line or processes that are used legitimately.", "references": ["https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4698", "https://redcanary.com/threat-detection-report/techniques/scheduled-task-job/", "https://docs.microsoft.com/en-us/windows/win32/taskschd/time-trigger-example--scripting-?redirectedfrom=MSDN"], "tags": {"name": "WinEvent Scheduled Task Created to Spawn Shell", "analytic_story": ["Ransomware", "Windows Persistence Techniques", "Winter Vivern", "Ryuk Ransomware", "CISA AA22-257A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A windows scheduled task was created (task name=$Task_Name$) on $dest$ by the following command: $Command$", "mitre_attack_id": ["T1053.005", "T1053"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "Command", "type": "Unknown", "role": ["Target"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "Task_Name", "Description", "Command"], "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/atomic_red_team/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "winevent_scheduled_task_created_to_spawn_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "WinEvent Scheduled Task Created Within Public Path", "id": "5d9c6eee-988c-11eb-8253-acde48001122", "version": 1, "date": "2023-04-05", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following query utilizes Windows Security EventCode 4698, `A scheduled task was created`, to identify suspicious tasks registered on Windows either via schtasks.exe OR TaskService with a command to be executed from a user writeable file path.\\ The search will return the first time and last time the task was registered, as well as the `Command` to be executed, `Task Name`, `Author`, `Enabled`, and whether it is `Hidden` or not.\\ schtasks.exe is natively found in `C:\\Windows\\system32` and `C:\\Windows\\syswow64`.\\ The following DLL(s) are loaded when schtasks.exe or TaskService is launched -`taskschd.dll`. If found loaded by another process, it is possible a scheduled task is being registered within that process context in memory.\\ Upon triage, identify the task scheduled source. Was it schtasks.exe or was it via TaskService. Review the job created and the Command to be executed. Capture any artifacts on disk and review. Identify any parallel processes within the same timeframe to identify source.", "data_source": ["Windows Security 4698"], "search": "`wineventlog_security` EventCode=4698 | xmlkv Message | search Command IN (\"*\\\\users\\\\public\\\\*\", \"*\\\\programdata\\\\*\", \"*\\\\temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\appdata\\\\*\", \"*\\\\perflogs\\\\*\") | stats count min(_time) as firstTime max(_time) as lastTime by dest, Task_Name, Command, Author, Enabled, Hidden | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winevent_scheduled_task_created_within_public_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required.", "known_false_positives": "False positives are possible if legitimate applications are allowed to register tasks in public paths. Filter as needed based on paths that are used legitimately.", "references": ["https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4698", "https://redcanary.com/threat-detection-report/techniques/scheduled-task-job/", "https://docs.microsoft.com/en-us/windows/win32/taskschd/time-trigger-example--scripting-?redirectedfrom=MSDN", "https://app.any.run/tasks/e26f1b2e-befa-483b-91d2-e18636e2faf3/"], "tags": {"name": "WinEvent Scheduled Task Created Within Public Path", "analytic_story": ["Ransomware", "Windows Persistence Techniques", "Winter Vivern", "Prestige Ransomware", "AsyncRAT", "Ryuk Ransomware", "IcedID", "CISA AA22-257A", "Industroyer2", "Active Directory Lateral Movement", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A windows scheduled task was created (task name=$Task_Name$) on $dest$ by the following command: $Command$", "mitre_attack_id": ["T1053.005", "T1053"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "Command", "type": "Unknown", "role": ["Target"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "Task_Name", "Description", "Command"], "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/taskschedule/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "winevent_scheduled_task_created_within_public_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "id": "b3632472-310b-11ec-9aab-acde48001122", "version": 1, "date": "2023-04-05", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following hunting analytic assists with identifying suspicious tasks that have been registered and ran in Windows using EventID 200 (action run) and 201 (action completed). It is recommended to filter based on ActionName by specifying specific paths not used in your environment. After some basic tuning, this may be effective in capturing evasive ways to register tasks on Windows. Review parallel events related to tasks being scheduled. EventID 106 will generate when a new task is generated, however, that does not mean it ran. Capture any files on disk and analyze.", "data_source": [], "search": "`wineventlog_task_scheduler` EventCode IN (\"200\",\"201\") | rename ComputerName as dest | stats count min(_time) as firstTime max(_time) as lastTime by Message dest EventCode category | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winevent_windows_task_scheduler_event_action_started_filter`", "how_to_implement": "Task Scheduler logs are required to be collected. Enable logging with inputs.conf by adding a stanza for [WinEventLog://Microsoft-Windows-TaskScheduler/Operational] and renderXml=false. Note, not translating it in XML may require a proper extraction of specific items in the Message.", "known_false_positives": "False positives will be present. Filter based on ActionName paths or specify keywords of interest.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"name": "WinEvent Windows Task Scheduler Event Action Started", "analytic_story": ["Qakbot", "Windows Persistence Techniques", "Winter Vivern", "Prestige Ransomware", "DarkCrystal RAT", "AsyncRAT", "Winter Vivern", "IcedID", "CISA AA22-257A", "Industroyer2", "Sandworm Tools", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A Scheduled Task was scheduled and ran on $dest$.", "mitre_attack_id": ["T1053.005"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "TaskName", "ActionName", "EventID", "dest", "ProcessID"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/windows_taskschedule/windows-taskschedule.log", "source": "WinEventLog:Microsoft-Windows-TaskScheduler/Operational", "sourcetype": "wineventlog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_task_scheduler", "definition": "source=\"WinEventLog:Microsoft-Windows-TaskScheduler/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "winevent_windows_task_scheduler_event_action_started_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml", "source": "endpoint"}, {"name": "Winhlp32 Spawning a Process", "id": "d17dae9e-2618-11ec-b9f5-acde48001122", "version": 1, "date": "2021-10-05", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies winhlp32.exe, found natively in `c:\\windows\\`, spawning a child process that loads a file out of appdata, programdata, or temp. Winhlp32.exe has a rocky past in that multiple vulnerabilities were found and added to MetaSploit. WinHlp32.exe is required to display 32-bit Help files that have the \".hlp\" file name extension. This particular instance is related to a Remcos sample where dynwrapx.dll is added to the registry under inprocserver32, and later module loaded by winhlp32.exe to spawn wscript.exe and load a vbs or file from disk. During triage, review parallel processes to identify further suspicious behavior. Review module loads for unsuspecting unsigned modules. Capture any file modifications and analyze.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=winhlp32.exe Processes.process IN (\"*\\\\appdata\\\\*\",\"*\\\\programdata\\\\*\", \"*\\\\temp\\\\*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winhlp32_spawning_a_process_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited as winhlp32.exe is typically not used with the latest flavors of Windows OS. However, filter as needed.", "references": ["https://www.exploit-db.com/exploits/16541", "https://tria.ge/210929-ap75vsddan", "https://www.virustotal.com/gui/file/cb77b93150cb0f7fe65ce8a7e2a5781e727419451355a7736db84109fa215a89"], "tags": {"name": "Winhlp32 Spawning a Process", "analytic_story": ["Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$, and is not typical activity for this process.", "mitre_attack_id": ["T1055"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "winhlp32_spawning_a_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/winhlp32_spawning_a_process.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "WinRM Spawning a Process", "id": "a081836a-ba4d-11eb-8593-acde48001122", "version": 1, "date": "2021-05-21", "author": "Drew Church, Michael Haag, Splunk", "type": "TTP", "status": "experimental", "description": "The following analytic identifies suspicious processes spawning from WinRM (wsmprovhost.exe). This analytic is related to potential exploitation of CVE-2021-31166. which is a kernel-mode device driver http.sys vulnerability. Current proof of concept code will blue-screen the operating system. However, http.sys used by many different Windows processes, including WinRM. In this case, identifying suspicious process create (child processes) from `wsmprovhost.exe` is what this analytic is identifying.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=wsmprovhost.exe Processes.process_name IN (\"cmd.exe\",\"sh.exe\",\"bash.exe\",\"powershell.exe\",\"pwsh.exe\",\"schtasks.exe\",\"certutil.exe\",\"whoami.exe\",\"bitsadmin.exe\",\"scp.exe\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winrm_spawning_a_process_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Unknown. Add new processes or filter as needed. It is possible system management software may spawn processes from `wsmprovhost.exe`.", "references": ["https://github.com/SigmaHQ/sigma/blob/9b7fb0c0f3af2e53ed483e29e0d0f88ccf1c08ca/rules/windows/process_access/win_susp_shell_spawn_from_winrm.yml", "https://www.zerodayinitiative.com/blog/2021/5/17/cve-2021-31166-a-wormable-code-execution-bug-in-httpsys", "https://github.com/0vercl0k/CVE-2021-31166/blob/main/cve-2021-31166.py"], "tags": {"name": "WinRM Spawning a Process", "analytic_story": ["Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "tbd", "mitre_attack_id": ["T1190"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2021-31166"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "winrm_spawning_a_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-31166", "cvss": 7.5, "summary": "HTTP Protocol Stack Remote Code Execution Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/winrm_spawning_a_process.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Winword Spawning Cmd", "id": "6fcbaedc-a37b-11eb-956b-acde48001122", "version": 2, "date": "2021-04-22", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following detection identifies Microsoft Word spawning `cmd.exe`. Typically, this is not common behavior and not default with winword.exe. Winword.exe will generally be found in the following path `C:\\Program Files\\Microsoft Office\\root\\Office16` (version will vary). Cmd.exe spawning from winword.exe is common for a spearphishing attachment and is actively used. Albeit, the command-line will indicate what is being executed. During triage, review parallel processes and identify any files that may have been written. It is possible that COM is utilized to trampoline the child process to `explorer.exe` or `wmiprvse.exe`.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=winword.exe `process_cmd` by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winword_spawning_cmd_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited, but if any are present, filter as needed.", "references": ["https://app.any.run/tasks/73af0064-a785-4c0a-ab0d-cde593fe16ef/"], "tags": {"name": "Winword Spawning Cmd", "analytic_story": ["Spearphishing Attachments", "DarkCrystal RAT", "CVE-2023-21716 Word RTF Heap Corruption"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Delivery"], "message": "$parent_process_name$ on $dest$ by $user$ launched command: $process_name$ which is very common in spearphishing attacks.", "mitre_attack_id": ["T1566", "T1566.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Target"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "winword_spawning_cmd_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/winword_spawning_cmd.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Winword Spawning PowerShell", "id": "b2c950b8-9be2-11eb-8658-acde48001122", "version": 2, "date": "2021-04-12", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following detection identifies Microsoft Word spawning PowerShell. Typically, this is not common behavior and not default with winword.exe. Winword.exe will generally be found in the following path `C:\\Program Files\\Microsoft Office\\root\\Office16` (version will vary). PowerShell spawning from winword.exe is common for a spearphishing attachment and is actively used. Albeit, the command executed will most likely be encoded and captured via another detection. During triage, review parallel processes and identify any files that may have been written.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=\"winword.exe\" `process_powershell` by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `winword_spawning_powershell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited, but if any are present, filter as needed.", "references": ["https://redcanary.com/threat-detection-report/techniques/powershell/", "https://attack.mitre.org/techniques/T1566/001/", "https://app.any.run/tasks/b79fa381-f35c-4b3e-8d02-507e7ee7342f/", "https://app.any.run/tasks/181ac90b-0898-4631-8701-b778a30610ad/"], "tags": {"name": "Winword Spawning PowerShell", "analytic_story": ["Spearphishing Attachments", "DarkCrystal RAT", "CVE-2023-21716 Word RTF Heap Corruption"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Delivery"], "message": "$parent_process_name$ on $dest$ by $user$ launched the following powershell process: $process_name$ which is very common in spearphishing attacks", "mitre_attack_id": ["T1566", "T1566.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Target"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "winword_spawning_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/winword_spawning_powershell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Winword Spawning Windows Script Host", "id": "637e1b5c-9be1-11eb-9c32-acde48001122", "version": 1, "date": "2021-04-12", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following detection identifies Microsoft Winword.exe spawning Windows Script Host - `cscript.exe` or `wscript.exe`. Typically, this is not common behavior and not default with Winword.exe. Winword.exe will generally be found in the following path `C:\\Program Files\\Microsoft Office\\root\\Office16` (version will vary). `cscript.exe` or `wscript.exe` default location is `c:\\windows\\system32\\` or c:windows\\syswow64\\`. `cscript.exe` or `wscript.exe` spawning from Winword.exe is common for a spearphishing attachment and is actively used. Albeit, the command-line executed will most likely be obfuscated and captured via another detection. During triage, review parallel processes and identify any files that may have been written. Review the reputation of the remote destination and block accordingly.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=\"winword.exe\" Processes.process_name IN (\"cscript.exe\", \"wscript.exe\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winword_spawning_windows_script_host_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "There will be limited false positives and it will be different for every environment. Tune by child process or command-line as needed.", "references": ["https://attack.mitre.org/techniques/T1566/001/"], "tags": {"name": "Winword Spawning Windows Script Host", "analytic_story": ["Spearphishing Attachments", "CVE-2023-21716 Word RTF Heap Corruption"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Delivery"], "message": "User $user$ on $dest$ spawned Windows Script Host from Winword.exe", "mitre_attack_id": ["T1566", "T1566.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Target"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "process_name", "process_id", "parent_process_name", "dest", "user", "parent_process_id"], "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_wsh.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "winword_spawning_windows_script_host_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/winword_spawning_windows_script_host.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "WMI Permanent Event Subscription", "id": "71bfdb13-f200-4c6c-b2c9-a2e07adf437d", "version": 1, "date": "2018-10-23", "author": "Rico Valdez, Splunk", "type": "TTP", "status": "experimental", "description": "This search looks for the creation of WMI permanent event subscriptions.", "data_source": ["Sysmon Event ID 5"], "search": "`wmi` EventCode=5861 Binding | rex field=Message \"Consumer =\\s+(?[^;|^$]+)\" | search consumer!=\"NTEventLogEventConsumer=\\\"SCM Event Log Consumer\\\"\" | stats count min(_time) as firstTime max(_time) as lastTime by ComputerName, consumer, Message | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | rename ComputerName as dest | `wmi_permanent_event_subscription_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting the Windows WMI activity logs. This can be done by adding a stanza to inputs.conf on the system generating logs with a title of [WinEventLog://Microsoft-Windows-WMI-Activity/Operational].", "known_false_positives": "Although unlikely, administrators may use event subscriptions for legitimate purposes.", "references": [], "tags": {"name": "WMI Permanent Event Subscription", "analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "tbd", "mitre_attack_id": ["T1047"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Message", "consumer", "ComputerName"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wmi", "definition": "sourcetype=\"wineventlog:microsoft-windows-wmi-activity/operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wmi_permanent_event_subscription_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/wmi_permanent_event_subscription.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "WMI Permanent Event Subscription - Sysmon", "id": "ad05aae6-3b2a-4f73-af97-57bd26cee3b9", "version": 3, "date": "2020-12-08", "author": "Rico Valdez, Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the creation of WMI permanent event subscriptions. The following analytic identifies the use of WMI Event Subscription to establish persistence or perform privilege escalation. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges. This analytic is restricted by commonly added process execution and a path. If the volume is low enough, remove the values and flag on any new subscriptions.\\\nAll event subscriptions have three components \\\n1. Filter - WQL Query for the events we want. EventID = 19 \\\n1. Consumer - An action to take upon triggering the filter. EventID = 20 \\\n1. Binding - Registers a filter to a consumer. EventID = 21 \\\nMonitor for the creation of new WMI EventFilter, EventConsumer, and FilterToConsumerBinding. It may be pertinent to review all 3 to identify the flow of execution. In addition, EventCode 4104 may assist with any other PowerShell script usage that registered the subscription.", "data_source": ["Sysmon Event ID 21"], "search": "`sysmon` EventCode=21 | rename host as dest | table _time, dest, user, Operation, EventType, Query, Consumer, Filter | `wmi_permanent_event_subscription___sysmon_filter`", "how_to_implement": "To successfully implement this search, you must be collecting Sysmon data using Sysmon version 6.1 or greater and have Sysmon configured to generate alerts for WMI activity (eventID= 19, 20, 21). In addition, you must have at least version 6.0.4 of the Sysmon TA installed to properly parse the fields.", "known_false_positives": "Although unlikely, administrators may use event subscriptions for legitimate purposes.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md", "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", "https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/WMI-events.md", "https://in.security/2019/04/03/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/"], "tags": {"name": "WMI Permanent Event Subscription - Sysmon", "analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 30, "kill_chain_phases": ["Installation", "Exploitation"], "message": "User $user$ on $host$ executed the following suspicious WMI query: $Query$. Filter: $filter$. Consumer: $Consumer$. EventCode: $EventCode$", "mitre_attack_id": ["T1546.003", "T1546"], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "host", "user", "Operation", "EventType", "Query", "Consumer", "Filter"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.003", "mitre_attack_technique": "Windows Management Instrumentation Event Subscription", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT33", "Blue Mockingbird", "FIN8", "Leviathan", "Metador", "Mustang Panda", "Turla"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.003/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wmi_permanent_event_subscription___sysmon_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/wmi_permanent_event_subscription___sysmon.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "WMI Recon Running Process Or Services", "id": "b5cd5526-cce7-11eb-b3bd-acde48001122", "version": 2, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies suspicious PowerShell script execution via EventCode 4104, where WMI is performing an event query looking for running processes or running services. This technique is commonly found in malware and APT events where the adversary will map all running security applications or services on the compromised machine. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText= \"*SELECT*\" AND (ScriptBlockText=\"*Win32_Process*\" OR ScriptBlockText=\"*Win32_Service*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wmi_recon_running_process_or_services_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Network administrator may used this command for checking purposes", "references": ["https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/", "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", "https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/WMI-events.md", "https://in.security/2019/04/03/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/"], "tags": {"name": "WMI Recon Running Process Or Services", "analytic_story": ["Malicious PowerShell", "Hermetic Wiper", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 20, "kill_chain_phases": ["Reconnaissance"], "message": "Suspicious powerShell script execution by $user$ on $Computer$ via EventCode 4104, where WMI is performing an event query looking for running processes or running services", "mitre_attack_id": ["T1592"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/win32process.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wmi_recon_running_process_or_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/wmi_recon_running_process_or_services.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "WMI Temporary Event Subscription", "id": "38cbd42c-1098-41bb-99cf-9d6d2b296d83", "version": 1, "date": "2018-10-23", "author": "Rico Valdez, Splunk", "type": "TTP", "status": "experimental", "description": "This search looks for the creation of WMI temporary event subscriptions.", "data_source": ["Sysmon Event ID 5"], "search": "`wmi` EventCode=5860 Temporary | rex field=Message \"NotificationQuery =\\s+(?[^;|^$]+)\" | search query!=\"SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'wsmprovhost.exe'\" AND query!=\"SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'\" | stats count min(_time) as firstTime max(_time) as lastTime by ComputerName, query | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `wmi_temporary_event_subscription_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting the Windows WMI activity logs. This can be done by adding a stanza to inputs.conf on the system generating logs with a title of [WinEventLog://Microsoft-Windows-WMI-Activity/Operational].", "known_false_positives": "Some software may create WMI temporary event subscriptions for various purposes. The included search contains an exception for two of these that occur by default on Windows 10 systems. You may need to modify the search to create exceptions for other legitimate events.", "references": [], "tags": {"name": "WMI Temporary Event Subscription", "analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "tbd", "mitre_attack_id": ["T1047"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Message", "query"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wmi", "definition": "sourcetype=\"wineventlog:microsoft-windows-wmi-activity/operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wmi_temporary_event_subscription_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/wmi_temporary_event_subscription.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Wmic Group Discovery", "id": "83317b08-155b-11ec-8e00-acde48001122", "version": 1, "date": "2021-09-14", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following hunting analytic identifies the use of `wmic.exe` enumerating local groups on the endpoint. \\\nTypically, by itself, is not malicious but may raise suspicion based on time of day, endpoint and username. \\\nDuring triage, review parallel processes and identify any further suspicious behavior.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wmic.exe (Processes.process=\"*group get name*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `wmic_group_discovery_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1069/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"], "tags": {"name": "Wmic Group Discovery", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Local group discovery on $dest$ by $user$.", "mitre_attack_id": ["T1069", "T1069.001"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "admin@338"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "wmic_group_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/wmic_group_discovery.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Wmic NonInteractive App Uninstallation", "id": "bff0e7a0-317f-11ec-ab4e-acde48001122", "version": 2, "date": "2022-07-19", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "This analytic indentifies WMIC command-line attempting to uninstall application non-interactively. This technique was seen in IcedID to uninstall AV products on the compromised host to evade detection. This Hunting query maybe a good indicator that some process tries to uninstall application using wmic which is not a common behavior. This approach may seen in some script or third part appication to uninstall their application but it is a good thing to check what it uninstall and why.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wmic.exe Processes.process=\"* product *\" Processes.process=\"*where name*\" Processes.process=\"*call uninstall*\" Processes.process=\"*/nointeractive*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wmic_noninteractive_app_uninstallation_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Third party application may use this approach to uninstall applications.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"name": "Wmic NonInteractive App Uninstallation", "analytic_story": ["IcedID", "Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Wmic $process_name$ with command-line $process$ on $dest$ attempting to uninstall software.", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Target"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon2.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "wmic_noninteractive_app_uninstallation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/wmic_noninteractive_app_uninstallation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "WMIC XSL Execution via URL", "id": "787e9dd0-4328-11ec-a029-acde48001122", "version": 1, "date": "2021-11-11", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies `wmic.exe` loading a remote XSL (eXtensible Stylesheet Language) script. This originally was identified by Casey Smith, dubbed Squiblytwo, as an application control bypass. Many adversaries will utilize this technique to invoke JScript or VBScript within an XSL file. This technique can also execute local/remote scripts and, similar to its Regsvr32 \"Squiblydoo\" counterpart, leverages a trusted, built-in Windows tool. Adversaries may abuse any alias in Windows Management Instrumentation provided they utilize the /FORMAT switch. Upon identifying a suspicious execution, review for confirmed network connnection and script download.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process IN (\"*http://*\", \"*https://*\") Processes.process=\"*/format:*\" by Processes.parent_process_name Processes.original_file_name Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wmic_xsl_execution_via_url_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives are limited as legitimate applications typically do not download files or xsl using WMIC. Filter as needed.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md", "https://web.archive.org/web/20190814201250/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md#atomic-test-4---wmic-bypass-using-remote-xsl-file"], "tags": {"name": "WMIC XSL Execution via URL", "analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ utilizing wmic to download a remote XSL script.", "mitre_attack_id": ["T1220"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1220", "mitre_attack_technique": "XSL Script Processing", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "Higaisa"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1220/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "wmic_xsl_execution_via_url_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/wmic_xsl_execution_via_url.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Wmiprsve LOLBAS Execution Process Spawn", "id": "95a455f0-4c04-11ec-b8ac-3e22fbd008af", "version": 1, "date": "2021-11-22", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies `wmiprsve.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing Windows Management Instrumentation (WMI), the executed command is spawned as a child process of `wmiprvse.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of wmiprvse.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wmiprvse.exe) (Processes.process_name IN (\"Regsvcs.exe\", \"Ftp.exe\", \"OfflineScannerShell.exe\", \"Rasautou.exe\", \"Schtasks.exe\", \"Xwizard.exe\", \"Dllhost.exe\", \"Pnputil.exe\", \"Atbroker.exe\", \"Pcwrun.exe\", \"Ttdinject.exe\",\"Mshta.exe\", \"Bitsadmin.exe\", \"Certoc.exe\", \"Ieexec.exe\", \"Microsoft.Workflow.Compiler.exe\", \"Runscripthelper.exe\", \"Forfiles.exe\", \"Msbuild.exe\", \"Register-cimprovider.exe\", \"Tttracer.exe\", \"Ie4uinit.exe\", \"Bash.exe\", \"Hh.exe\", \"SettingSyncHost.exe\", \"Cmstp.exe\", \"Mmc.exe\", \"Stordiag.exe\", \"Scriptrunner.exe\", \"Odbcconf.exe\", \"Extexport.exe\", \"Msdt.exe\", \"WorkFolders.exe\", \"Diskshadow.exe\", \"Mavinject.exe\", \"Regasm.exe\", \"Gpscript.exe\", \"Rundll32.exe\", \"Regsvr32.exe\", \"Msiexec.exe\", \"Wuauclt.exe\", \"Presentationhost.exe\", \"Wmic.exe\", \"Runonce.exe\", \"Syncappvpublishingserver.exe\", \"Verclsid.exe\", \"Infdefaultinstall.exe\", \"Explorer.exe\", \"Installutil.exe\", \"Netsh.exe\", \"Wab.exe\", \"Dnscmd.exe\", \"At.exe\", \"Pcalua.exe\", \"Msconfig.exe\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wmiprsve_lolbas_execution_process_spawn_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints.", "known_false_positives": "Legitimate applications may trigger this behavior, filter as needed.", "references": ["https://attack.mitre.org/techniques/T1047/", "https://www.ired.team/offensive-security/lateral-movement/t1047-wmi-for-lateral-movement", "https://lolbas-project.github.io/"], "tags": {"name": "Wmiprsve LOLBAS Execution Process Spawn", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Installation"], "message": "Wmiprsve.exe spawned a LOLBAS process on $dest$.", "mitre_attack_id": ["T1047"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/lateral_movement_lolbas/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "wmiprsve_lolbas_execution_process_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/wmiprsve_lolbas_execution_process_spawn.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Wscript Or Cscript Suspicious Child Process", "id": "1f35e1da-267b-11ec-90a9-acde48001122", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies a suspicious spawned process by WScript or CScript process. This technique was a common technique used by adversaries and malware to execute different LOLBIN, other scripts like PowerShell or spawn a suspended process to inject its code as a defense evasion. This TTP may detect some normal script that using several application tool that are in the list of the child process it detects but a good pivot and indicator that a script is may execute suspicious code.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"cscript.exe\", \"wscript.exe\") Processes.process_name IN (\"regsvr32.exe\", \"rundll32.exe\",\"winhlp32.exe\",\"certutil.exe\",\"msbuild.exe\",\"cmd.exe\",\"powershell*\",\"wmic.exe\",\"mshta.exe\") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wscript_or_cscript_suspicious_child_process_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Administrators may create vbs or js script that use several tool as part of its execution. Filter as needed.", "references": ["https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"name": "Wscript Or Cscript Suspicious Child Process", "analytic_story": ["Remcos", "FIN7", "Unusual Processes", "Data Destruction", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "message": "wscript or cscript parent process spawned $process_name$ in $dest$", "mitre_attack_id": ["T1055", "T1543", "T1134.004", "T1134"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134.004", "mitre_attack_technique": "Parent PID Spoofing", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.005/vbs_wscript/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "wscript_or_cscript_suspicious_child_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Wsmprovhost LOLBAS Execution Process Spawn", "id": "2eed004c-4c0d-11ec-93e8-3e22fbd008af", "version": 1, "date": "2021-11-22", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies `Wsmprovhost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Windows Remote Management (WinRm) protocol, the executed command is spawned as a child processs of `Wsmprovhost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of Wsmprovhost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wsmprovhost.exe) (Processes.process_name IN (\"Regsvcs.exe\", \"Ftp.exe\", \"OfflineScannerShell.exe\", \"Rasautou.exe\", \"Schtasks.exe\", \"Xwizard.exe\", \"Dllhost.exe\", \"Pnputil.exe\", \"Atbroker.exe\", \"Pcwrun.exe\", \"Ttdinject.exe\",\"Mshta.exe\", \"Bitsadmin.exe\", \"Certoc.exe\", \"Ieexec.exe\", \"Microsoft.Workflow.Compiler.exe\", \"Runscripthelper.exe\", \"Forfiles.exe\", \"Msbuild.exe\", \"Register-cimprovider.exe\", \"Tttracer.exe\", \"Ie4uinit.exe\", \"Bash.exe\", \"Hh.exe\", \"SettingSyncHost.exe\", \"Cmstp.exe\", \"Mmc.exe\", \"Stordiag.exe\", \"Scriptrunner.exe\", \"Odbcconf.exe\", \"Extexport.exe\", \"Msdt.exe\", \"WorkFolders.exe\", \"Diskshadow.exe\", \"Mavinject.exe\", \"Regasm.exe\", \"Gpscript.exe\", \"Rundll32.exe\", \"Regsvr32.exe\", \"Msiexec.exe\", \"Wuauclt.exe\", \"Presentationhost.exe\", \"Wmic.exe\", \"Runonce.exe\", \"Syncappvpublishingserver.exe\", \"Verclsid.exe\", \"Infdefaultinstall.exe\", \"Explorer.exe\", \"Installutil.exe\", \"Netsh.exe\", \"Wab.exe\", \"Dnscmd.exe\", \"At.exe\", \"Pcalua.exe\", \"Msconfig.exe\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `wsmprovhost_lolbas_execution_process_spawn_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints.", "known_false_positives": "Legitimate applications may trigger this behavior, filter as needed.", "references": ["https://attack.mitre.org/techniques/T1021/006/", "https://lolbas-project.github.io/", "https://pentestlab.blog/2018/05/15/lateral-movement-winrm/"], "tags": {"name": "Wsmprovhost LOLBAS Execution Process Spawn", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "Wsmprovhost.exe spawned a LOLBAS process on $dest$.", "mitre_attack_id": ["T1021", "T1021.006"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "Threat Group-3390", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_lolbas/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "wsmprovhost_lolbas_execution_process_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "WSReset UAC Bypass", "id": "8b5901bc-da63-11eb-be43-acde48001122", "version": 3, "date": "2022-11-14", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious modification of registry related to UAC bypass. This technique is to modify the registry in this detection, create a registry value with the path of the payload and run WSreset.exe to bypass User account Control.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= \"*\\\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\\\Shell\\\\open\\\\command*\" AND (Registry.registry_value_name = \"(Default)\" OR Registry.registry_value_name = \"DelegateExecute\") by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wsreset_uac_bypass_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "references": ["https://github.com/hfiref0x/UACME", "https://blog.morphisec.com/trickbot-uses-a-new-windows-10-uac-bypass"], "tags": {"name": "WSReset UAC Bypass", "analytic_story": ["Windows Defense Evasion Tactics", "Living Off The Land", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Suspicious modification of registry $registry_path$ with possible payload path $registry_value_name$ in $dest$", "mitre_attack_id": ["T1548.002", "T1548"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.user", "Processes.dest", "Processes.process_id", "Processes.process_name", "Processes.process", "Processes.process_path", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_guid", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/uac_bypass/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "wsreset_uac_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/wsreset_uac_bypass.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "XMRIG Driver Loaded", "id": "90080fa6-a8df-11eb-91e4-acde48001122", "version": 1, "date": "2021-04-29", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies XMRIG coinminer driver installation on the system. The XMRIG driver name by default is `WinRing0x64.sys`. This cpu miner is an open source project that is commonly abused by adversaries to infect and mine bitcoin.", "data_source": ["Sysmon Event ID 6"], "search": "`sysmon` EventCode=6 Signature=\"Noriyuki MIYAZAKI\" OR ImageLoaded= \"*\\\\WinRing0x64.sys\" | stats min(_time) as firstTime max(_time) as lastTime count by Computer ImageLoaded Hashes IMPHASH Signature Signed | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `xmrig_driver_loaded_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the driver loaded and Signature from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "False positives should be limited.", "references": ["https://www.trendmicro.com/vinfo/hk/threat-encyclopedia/malware/trojan.ps1.powtran.a/"], "tags": {"name": "XMRIG Driver Loaded", "analytic_story": ["XMRig", "CISA AA22-320A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A driver $ImageLoaded$ related to xmrig crytominer loaded in host $Computer$", "mitre_attack_id": ["T1543.003", "T1543"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Computer", "ImageLoaded", "Hashes", "IMPHASH", "Signature", "Signed"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "xmrig_driver_loaded_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/xmrig_driver_loaded.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "XSL Script Execution With WMIC", "id": "004e32e2-146d-11ec-a83f-acde48001122", "version": 1, "date": "2021-09-13", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious wmic.exe process or renamed wmic process to execute malicious xsl file. This technique was seen in FIN7 to execute its malicous jscript using the .xsl as the loader with the help of wmic.exe process. This TTP is really a good indicator for you to hunt further for FIN7 or other attacker that known to used this technique.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process = \"*os get*\" Processes.process=\"*/format:*\" Processes.process = \"*.xsl*\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `xsl_script_execution_with_wmic_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "references": ["https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation", "https://attack.mitre.org/groups/G0046/", "https://web.archive.org/web/20190814201250/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md#atomic-test-3---wmic-bypass-using-local-xsl-file"], "tags": {"name": "XSL Script Execution With WMIC", "analytic_story": ["FIN7", "Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ utilizing wmic to load a XSL script.", "mitre_attack_id": ["T1220"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process_id", "Processes.process", "Processes.dest", "Processes.user"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1220", "mitre_attack_technique": "XSL Script Processing", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "Higaisa"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_macro_js_1/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "xsl_script_execution_with_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/xsl_script_execution_with_wmic.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect ARP Poisoning", "id": "b44bebd6-bd39-467b-9321-73971bcd7aac", "version": 1, "date": "2020-08-11", "author": "Mikael Bjerkeland, Splunk", "type": "TTP", "status": "experimental", "description": "By enabling Dynamic ARP Inspection as a Layer 2 Security measure on the organization's network devices, we will be able to detect ARP Poisoning attacks in the Infrastructure.", "data_source": [], "search": "`cisco_networks` facility=\"PM\" mnemonic=\"ERR_DISABLE\" disable_cause=\"arp-inspection\" | eval src_interface=src_int_prefix_long+src_int_suffix | stats min(_time) AS firstTime max(_time) AS lastTime count BY host src_interface | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| `detect_arp_poisoning_filter`", "how_to_implement": "This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with DHCP Snooping (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01101.html) and Dynamic ARP Inspection (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-2_2_e/security/configuration_guide/b_sec_1522e_2960x_cg/b_sec_1522e_2960x_cg_chapter_01111.html) and log with a severity level of minimum \"5 - notification\". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices.", "known_false_positives": "This search might be prone to high false positives if DHCP Snooping or ARP inspection has been incorrectly configured, or if a device normally sends many ARP packets (unlikely).", "references": [], "tags": {"name": "Detect ARP Poisoning", "analytic_story": ["Router and Infrastructure Security"], "asset_type": "Infrastructure", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery", "Actions on Objectives", "Exploitation"], "message": "tbd", "mitre_attack_id": ["T1200", "T1498", "T1557", "T1557.002"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "facility", "mnemonic", "disable_cause", "src_int_prefix_long", "src_int_suffix", "host", "src_interface"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1200", "mitre_attack_technique": "Hardware Additions", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["DarkVishnya"]}, {"mitre_attack_id": "T1498", "mitre_attack_technique": "Network Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1557", "mitre_attack_technique": "Adversary-in-the-Middle", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1557.002", "mitre_attack_technique": "ARP Cache Poisoning", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["Cleaver", "LuminousMoth"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cisco_networks", "definition": "eventtype=cisco_ios", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_arp_poisoning_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/detect_arp_poisoning.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Detect DGA domains using pretrained model in DSDL", "id": "92e24f32-9b9a-4060-bba2-2a0eb31f3493", "version": 1, "date": "2023-01-18", "author": "Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk", "type": "Anomaly", "status": "experimental", "description": "The following analytic uses a pre trained deep learning model to detect Domain Generation Algorithm (DGA) generated domains. The model is trained independently and is then made available for download. One of the prominent indicators of a domain being DGA generated is if the domain name consists of unusual character sequences or concatenated dictionary words. Adversaries often use clever techniques to obfuscate machine generated domain names as human generated. Predicting DGA generated domain names requires analysis and building a model based on carefully chosen features. The deep learning model we have developed uses the domain name to analyze patterns of character sequences along with carefully chosen custom features to predict if a domain is DGA generated. The model takes a domain name consisting of second-level and top-level domain names as input and outputs a dga_score. Higher the dga_score, the more likely the input domain is a DGA domain. The threshold for flagging a domain as DGA is set at 0.5.", "data_source": [], "search": "| tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name(DNS)` | rename query AS domain | fields IPs, src, domain, firstTime, lastTime | apply pretrained_dga_model_dsdl | rename pred_dga_proba AS dga_score | where dga_score>0.5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table src, domain, IPs, firstTime, lastTime, dga_score | `detect_dga_domains_using_pretrained_model_in_dsdl_filter`", "how_to_implement": "Steps to deploy DGA detection model into Splunk App DSDL.\\ This detection depends on the Splunk app for Data Science and Deep Learning which can be found here - https://splunkbase.splunk.com/app/4607/ and the Network Resolution datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. The detection uses a pre-trained deep learning model that needs to be deployed in DSDL app. Follow the steps for deployment here - https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU.\\ * Download the artifacts .tar.gz file from the link `https://seal.splunkresearch.com/pretrained_dga_model_dsdl.tar.gz`\\\n* Download the pretrained_dga_model_dsdl.ipynb Jupyter notebook from `https://github.com/splunk/security_content/notebooks`\\\n* Login to the Jupyter Lab for pretrained_dga_model_dsdl container. This container should be listed on Containers page for DSDL app.\\\n* Below steps need to be followed inside Jupyter lab \\\n* Upload the pretrained_dga_model_dsdl.tar.gz file into `app/model/data` path using the upload option in the jupyter notebook.\\\n* Untar the artifact `pretrained_dga_model_dsdl.tar.gz` using `tar -xf app/model/data/pretrained_dga_model_dsdl.tar.gz -C app/model/data`\\\n* Upload `pretrained_dga_model_dsdl.pynb` into Jupyter lab notebooks folder using the upload option in Jupyter lab\\\n* Save the notebook using the save option in jupyter notebook.\\\n* Upload `pretrained_dga_model_dsdl.json` into `notebooks/data` folder.", "known_false_positives": "False positives may be present if domain name is similar to dga generated domains.", "references": ["https://attack.mitre.org/techniques/T1568/002/", "https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/", "https://en.wikipedia.org/wiki/Domain_generation_algorithm"], "tags": {"name": "Detect DGA domains using pretrained model in DSDL", "analytic_story": ["Data Exfiltration", "DNS Hijacking", "Suspicious DNS Traffic", "Dynamic DNS", "Command And Control"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Command And Control"], "message": "A potential connection to a DGA domain $domain$ was detected from host $src$, kindly review.", "mitre_attack_id": ["T1568.002"], "nist": ["DE.AE"], "observable": [{"name": "domain", "type": "URL String", "role": ["Attacker"]}, {"name": "src", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["IPs", "src", "domain", "firstTime", "lastTime"], "risk_score": 63, "security_domain": "Network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1568.002", "mitre_attack_technique": "Domain Generation Algorithms", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "TA551"]}]}, "datamodel": ["Network_Resolution"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_dga_domains_using_pretrained_model_in_dsdl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/detect_dga_domains_using_pretrained_model_in_dsdl.yml", "source": "network"}, {"name": "Detect DNS Data Exfiltration using pretrained model in DSDL", "id": "92f65c3a-168c-11ed-71eb-0242ac120012", "version": 1, "date": "2023-04-27", "author": "Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk", "type": "Anomaly", "status": "experimental", "description": "The following analytic uses a pre trained deep learning model to detect DNS data exfiltration. The model is trained on the data we collected and is inferred on live data. This detection detects low throughput DNS Tunneling (data exfiltration) using features computed from past events between the same src and domain. The search uses macros from URL ToolBox app to generate features used by the model. The model is a deep learning model that accepts DNS request as input along with a few custom features to generate a pred_is_exfiltration_proba score. The higher the pred_is_exfiltration_proba, the more likely the DNS request is data exfiltration. The threshold for flagging a request as DNS exfiltration is set at 0.5.", "data_source": [], "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Resolution by DNS.src _time DNS.query | `drop_dm_object_name(\"DNS\")` | sort - _time,src, query | streamstats count as rank by src query | where rank < 10 | table src,query,rank,_time | apply detect_dns_data_exfiltration_using_pretrained_model_in_dsdl | table src,_time,query,rank,pred_is_dns_data_exfiltration_proba,pred_is_dns_data_exfiltration | where rank == 1 | rename pred_is_dns_data_exfiltration_proba as is_exfiltration_score | rename pred_is_dns_data_exfiltration as is_exfiltration | where is_exfiltration_score > 0.5 | `security_content_ctime(_time)` | table src, _time,query,is_exfiltration_score,is_exfiltration | `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl_filter`", "how_to_implement": "Steps to deploy detect DNS data exfiltration model into Splunk App DSDL. This detection depends on the Splunk app for Data Science and Deep Learning which can be found here - https://splunkbase.splunk.com/app/4607/ and the Network Resolution datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. The detection uses a pre-trained deep learning model that needs to be deployed in DSDL app. Follow the steps for deployment here - `https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU`.\\\n* Download the `artifacts .tar.gz` file from the link - https://seal.splunkresearch.com/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz Download the `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.ipynb` Jupyter notebook from https://github.com/splunk/security_content/notebooks\\\n* Login to the Jupyter Lab assigned for detect_dns_data_exfiltration_using_pretrained_model_in_dsdl container. This container should be listed on Containers page for DSDL app.\\\n* Below steps need to be followed inside Jupyter lab \\\n* Upload the detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz file into `app/model/data` path using the upload option in the jupyter notebook.\\\n* Untar the artifact detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz using `tar -xf app/model/data/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz -C app/model/data`\\\n* Upload detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.pynb into Jupyter lab notebooks folder using the upload option in Jupyter lab \\\n* Save the notebook using the save option in jupyter notebook. \\\n* Upload `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.json` into `notebooks/data` folder.", "known_false_positives": "False positives may be present if DNS data exfiltration request look very similar to benign DNS requests.", "references": ["https://attack.mitre.org/techniques/T1048/003/", "https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/", "https://en.wikipedia.org/wiki/Data_exfiltration"], "tags": {"name": "Detect DNS Data Exfiltration using pretrained model in DSDL", "analytic_story": ["DNS Hijacking", "Suspicious DNS Traffic", "Command and Control"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "message": "A DNS data exfiltration request was sent by this host $src$ , kindly review.", "mitre_attack_id": ["T1048.003"], "nist": ["DE.AE"], "observable": [{"name": "query", "type": "Other", "role": ["Attacker"]}, {"name": "src", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "DNS.message_type", "DNS.record_type", "DNS.src", "DNS.dest", "DNS.answer"], "risk_score": 45, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}]}, "datamodel": ["Network_Resolution"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_dns_data_exfiltration_using_pretrained_model_in_dsdl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml", "source": "network"}, {"name": "Detect hosts connecting to dynamic domain providers", "id": "a1e761ac-1344-4dbd-88b2-3f34c912d359", "version": 3, "date": "2021-01-14", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "Malicious actors often abuse legitimate Dynamic DNS services to host malicious payloads or interactive Command And Control nodes. Attackers will automate domain resolution changes by routing dynamic domains to countless IP addresses to circumvent firewall blocks, block lists as well as frustrate a network defenders analytic and investigative processes. This search will look for DNS queries made from within your infrastructure to suspicious dynamic domains.", "data_source": [], "search": "| tstats `security_content_summariesonly` count values(DNS.answer) as answer min(_time) as firstTime from datamodel=Network_Resolution by DNS.query host | `drop_dm_object_name(\"DNS\")` | `security_content_ctime(firstTime)` | `dynamic_dns_providers` | `detect_hosts_connecting_to_dynamic_domain_providers_filter`", "how_to_implement": "First, you'll need to ingest data from your DNS operations. This can be done by ingesting logs from your server or data, collected passively by Splunk Stream or a similar solution. Specifically, data that contains the domain that is being queried and the IP of the host originating the request must be populating the `Network_Resolution` data model. This search also leverages a lookup file, `dynamic_dns_providers_default.csv`, which contains a non-exhaustive list of Dynamic DNS providers. Please consider updating the local lookup periodically by adding new domains to the list of `dynamic_dns_providers_local.csv`.\\\nThis search produces fields (query, answer, isDynDNS) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable event. To see the additional metadata, add the following fields, if not already present, to Incident Review. Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\\\n1. **Label:** DNS Query, **Field:** query\\\n1. \\\n1. **Label:** DNS Answer, **Field:** answer\\\n1. \\\n1. **Label:** IsDynamicDNS, **Field:** isDynDNS\\\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "Some users and applications may leverage Dynamic DNS to reach out to some domains on the Internet since dynamic DNS by itself is not malicious, however this activity must be verified.", "references": [], "tags": {"name": "Detect hosts connecting to dynamic domain providers", "analytic_story": ["Data Protection", "Prohibited Traffic Allowed or Protocol Mismatch", "DNS Hijacking", "Suspicious DNS Traffic", "Dynamic DNS", "Command And Control"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Delivery"], "message": "A dns query $query$ from your infra connecting to suspicious domain in host $host$", "mitre_attack_id": ["T1189"], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "DNS.answer", "DNS.query", "host"], "risk_score": 56, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/dyn_dns_site/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Network_Resolution"], "macros": [{"name": "dynamic_dns_providers", "definition": "lookup update=true dynamic_dns_providers_default dynamic_dns_domains as query OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local dynamic_dns_domains as query OUTPUTNEW isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_default, isDynDNS_local)|fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True", "description": "This macro limits the output of the query field to dynamic dns domains. It looks up the domains in a file provided by Splunk and one intended to be updated by the end user."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_hosts_connecting_to_dynamic_domain_providers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/detect_hosts_connecting_to_dynamic_domain_providers.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Detect IPv6 Network Infrastructure Threats", "id": "c3be767e-7959-44c5-8976-0e9c12a91ad2", "version": 1, "date": "2020-10-28", "author": "Mikael Bjerkeland, Splunk", "type": "TTP", "status": "experimental", "description": "By enabling IPv6 First Hop Security as a Layer 2 Security measure on the organization's network devices, we will be able to detect various attacks such as packet forging in the Infrastructure.", "data_source": [], "search": "`cisco_networks` facility=\"SISF\" mnemonic IN (\"IP_THEFT\",\"MAC_THEFT\",\"MAC_AND_IP_THEFT\",\"PAK_DROP\") | eval src_interface=src_int_prefix_long+src_int_suffix | eval dest_interface=dest_int_prefix_long+dest_int_suffix | stats min(_time) AS firstTime max(_time) AS lastTime values(src_mac) AS src_mac values(src_vlan) AS src_vlan values(mnemonic) AS mnemonic values(vendor_explanation) AS vendor_explanation values(src_ip) AS src_ip values(dest_ip) AS dest_ip values(dest_interface) AS dest_interface values(action) AS action count BY host src_interface | table host src_interface dest_interface src_mac src_ip dest_ip src_vlan mnemonic vendor_explanation action count | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `detect_ipv6_network_infrastructure_threats_filter`", "how_to_implement": "This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with one or more First Hop Security measures such as RA Guard, DHCP Guard and/or device tracking. See References for more information. The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices.", "known_false_positives": "None currently known", "references": ["https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2019/pdf/BRKSEC-3200.pdf", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ip6-ra-guard.html", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ip6-snooping.html", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ip6-dad-proxy.html", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ip6-nd-mcast-supp.html", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ip6-dhcpv6-guard.html", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ip6-src-guard.html", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ipv6-dest-guard.html"], "tags": {"name": "Detect IPv6 Network Infrastructure Threats", "analytic_story": ["Router and Infrastructure Security"], "asset_type": "Infrastructure", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery", "Actions on Objectives", "Exploitation"], "message": "tbd", "mitre_attack_id": ["T1200", "T1498", "T1557", "T1557.002"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "facility", "mnemonic", "src_int_prefix_long", "src_int_suffix", "dest_int_prefix_long", "dest_int_suffix", "src_mac", "src_vlan", "vendor_explanation", "action"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1200", "mitre_attack_technique": "Hardware Additions", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["DarkVishnya"]}, {"mitre_attack_id": "T1498", "mitre_attack_technique": "Network Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1557", "mitre_attack_technique": "Adversary-in-the-Middle", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1557.002", "mitre_attack_technique": "ARP Cache Poisoning", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["Cleaver", "LuminousMoth"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cisco_networks", "definition": "eventtype=cisco_ios", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_ipv6_network_infrastructure_threats_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/detect_ipv6_network_infrastructure_threats.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Detect Large Outbound ICMP Packets", "id": "e9c102de-4d43-42a7-b1c8-8062ea297419", "version": 2, "date": "2018-06-01", "author": "Rico Valdez, Splunk", "type": "TTP", "status": "experimental", "description": "This search looks for outbound ICMP packets with a packet size larger than 1,000 bytes. Various threat actors have been known to use ICMP as a command and control channel for their attack infrastructure. Large ICMP packets from an endpoint to a remote host may be indicative of this activity.", "data_source": [], "search": "| tstats `security_content_summariesonly` count earliest(_time) as firstTime latest(_time) as lastTime values(All_Traffic.action) values(All_Traffic.bytes) from datamodel=Network_Traffic where All_Traffic.action !=blocked All_Traffic.dest_category !=internal (All_Traffic.protocol=icmp OR All_Traffic.transport=icmp) All_Traffic.bytes > 1000 by All_Traffic.src_ip All_Traffic.dest_ip | `drop_dm_object_name(\"All_Traffic\")` | search ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `detect_large_outbound_icmp_packets_filter`", "how_to_implement": "In order to run this search effectively, we highly recommend that you leverage the Assets and Identity framework. It is important that you have a good understanding of how your network segments are designed and that you are able to distinguish internal from external address space. Add a category named `internal` to the CIDRs that host the company's assets in the `assets_by_cidr.csv` lookup file, which is located in `$SPLUNK_HOME/etc/apps/SA-IdentityManagement/lookups/`. More information on updating this lookup can be found here: https://docs.splunk.com/Documentation/ES/5.0.0/Admin/Addassetandidentitydata. This search also requires you to be ingesting your network traffic and populating the Network_Traffic data model", "known_false_positives": "ICMP packets are used in a variety of ways to help troubleshoot networking issues and ensure the proper flow of traffic. As such, it is possible that a large ICMP packet could be perfectly legitimate. If large ICMP packets are associated with Command And Control traffic, there will typically be a large number of these packets observed over time. If the search is providing a large number of false positives, you can modify the macro `detect_large_outbound_icmp_packets_filter` to adjust the byte threshold or add specific IP addresses to an allow list.", "references": [], "tags": {"name": "Detect Large Outbound ICMP Packets", "analytic_story": ["Command And Control"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command And Control"], "message": "tbd", "mitre_attack_id": ["T1095"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Traffic.action", "All_Traffic.bytes", "All_Traffic.dest_category", "All_Traffic.protocol", "All_Traffic.transport", "All_Traffic.src_ip", "All_Traffic.dest_ip"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1095", "mitre_attack_technique": "Non-Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT3", "BITTER", "BackdoorDiplomacy", "FIN6", "HAFNIUM", "Metador", "PLATINUM"]}]}, "datamodel": ["Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_large_outbound_icmp_packets_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/detect_large_outbound_icmp_packets.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Detect Outbound LDAP Traffic", "id": "5e06e262-d7cd-4216-b2f8-27b437e18458", "version": 1, "date": "2021-12-13", "author": "Bhavin Patel, Johan Bjerke, Splunk", "type": "Hunting", "status": "production", "description": "Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", "data_source": [], "search": "| tstats earliest(_time) as earliest_time latest(_time) as latest_time values(All_Traffic.dest_ip) as dest_ip from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port = 389 OR All_Traffic.dest_port = 636 AND NOT (All_Traffic.dest_ip = 10.0.0.0/8 OR All_Traffic.dest_ip=192.168.0.0/16 OR All_Traffic.dest_ip = 172.16.0.0/12) by All_Traffic.src_ip All_Traffic.dest_ip |`drop_dm_object_name(\"All_Traffic\")` | where src_ip != dest_ip | `security_content_ctime(latest_time)` | `security_content_ctime(earliest_time)` |`detect_outbound_ldap_traffic_filter`", "how_to_implement": "You must be ingesting Zeek DNS and Zeek Conn data into Splunk. Zeek data should also be getting ingested in JSON format and should be mapped to the Network Traffic datamodels that are in use for this search.", "known_false_positives": "Unknown at this moment. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. Please check those servers to verify if the activity is legitimate.", "references": ["https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/"], "tags": {"name": "Detect Outbound LDAP Traffic", "analytic_story": ["Log4Shell CVE-2021-44228"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Delivery", "Installation"], "message": "An outbound LDAP connection from $src_ip$ in your infrastructure connecting to dest ip $dest_ip$", "mitre_attack_id": ["T1190", "T1059"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Victim"]}, {"name": "dest_ip", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Traffic.dest_ip", "All_Traffic.dest_port", "All_Traffic.src_ip"], "risk_score": 56, "security_domain": "network", "risk_severity": "medium", "cve": ["CVE-2021-44228"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/outbound_ldap/bro_conn.json", "source": "/opt/malware/conn.log", "sourcetype": "bro:conn:json"}]}], "datamodel": ["Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_outbound_ldap_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-44228", "cvss": 9.3, "summary": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/detect_outbound_ldap_traffic.yml", "source": "network"}, {"name": "Detect Outbound SMB Traffic", "id": "1bed7774-304a-4e8f-9d72-d80e45ff492b", "version": 3, "date": "2020-07-21", "author": "Bhavin Patel, Stuart Hopkins from Splunk", "type": "TTP", "status": "experimental", "description": "This search looks for outbound SMB connections made by hosts within your network to the Internet. SMB traffic is used for Windows file-sharing activity. One of the techniques often used by attackers involves retrieving the credential hash using an SMB request made to a compromised server controlled by the threat actor.", "data_source": [], "search": "| tstats `security_content_summariesonly` earliest(_time) as start_time latest(_time) as end_time values(All_Traffic.action) as action values(All_Traffic.app) as app values(All_Traffic.dest_ip) as dest_ip values(All_Traffic.dest_port) as dest_port values(sourcetype) as sourcetype count from datamodel=Network_Traffic where ((All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=\"smb\") AND NOT (All_Traffic.action=\"blocked\" OR All_Traffic.dest_category=\"internal\" OR All_Traffic.dest_ip=10.0.0.0/8 OR All_Traffic.dest_ip=172.16.0.0/12 OR All_Traffic.dest_ip=192.168.0.0/16 OR All_Traffic.dest_ip=100.64.0.0/10)) by All_Traffic.src_ip | `drop_dm_object_name(\"All_Traffic\")` | `security_content_ctime(start_time)` | `security_content_ctime(end_time)` | `detect_outbound_smb_traffic_filter`", "how_to_implement": "In order to run this search effectively, we highly recommend that you leverage the Assets and Identity framework. It is important that you have good understanding of how your network segments are designed, and be able to distinguish internal from external address space. Add a category named `internal` to the CIDRs that host the companys assets in `assets_by_cidr.csv` lookup file, which is located in `$SPLUNK_HOME/etc/apps/SA-IdentityManagement/lookups/`. More information on updating this lookup can be found here: https://docs.splunk.com/Documentation/ES/5.0.0/Admin/Addassetandidentitydata. This search also requires you to be ingesting your network traffic and populating the Network_Traffic data model", "known_false_positives": "It is likely that the outbound Server Message Block (SMB) traffic is legitimate, if the company's internal networks are not well-defined in the Assets and Identity Framework. Categorize the internal CIDR blocks as `internal` in the lookup file to avoid creating notable events for traffic destined to those CIDR blocks. Any other network connection that is going out to the Internet should be investigated and blocked. Best practices suggest preventing external communications of all SMB versions and related protocols at the network boundary.", "references": [], "tags": {"name": "Detect Outbound SMB Traffic", "analytic_story": ["Hidden Cobra Malware", "DHS Report TA18-074A", "NOBELIUM Group"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command And Control"], "message": "tbd", "mitre_attack_id": ["T1071.002", "T1071"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Traffic.action", "All_Traffic.app", "All_Traffic.dest_ip", "All_Traffic.dest_port", "sourcetype", "All_Traffic.dest_category", "All_Traffic.src_ip"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1071.002", "mitre_attack_technique": "File Transfer Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Kimsuky", "SilverTerrier"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Dragonfly", "Magic Hound", "Rocke", "TeamTNT"]}]}, "datamodel": ["Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_outbound_smb_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/detect_outbound_smb_traffic.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Detect Port Security Violation", "id": "2de3d5b8-a4fa-45c5-8540-6d071c194d24", "version": 1, "date": "2020-10-28", "author": "Mikael Bjerkeland, Splunk", "type": "TTP", "status": "experimental", "description": "By enabling Port Security on a Cisco switch you can restrict input to an interface by limiting and identifying MAC addresses of the workstations that are allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port. If a port is configured as a secure port and the maximum number of secure MAC addresses is reached, when the MAC address of a workstation attempting to access the port is different from any of the identified secure MAC addresses, a security violation occurs.", "data_source": [], "search": "`cisco_networks` (facility=\"PM\" mnemonic=\"ERR_DISABLE\" disable_cause=\"psecure-violation\") OR (facility=\"PORT_SECURITY\" mnemonic=\"PSECURE_VIOLATION\" OR mnemonic=\"PSECURE_VIOLATION_VLAN\") | eval src_interface=src_int_prefix_long+src_int_suffix | stats min(_time) AS firstTime max(_time) AS lastTime values(disable_cause) AS disable_cause values(src_mac) AS src_mac values(src_vlan) AS src_vlan values(action) AS action count by host src_interface | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_port_security_violation_filter`", "how_to_implement": "This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with Port Security and Error Disable for this to work (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.html) and log with a severity level of minimum \"5 - notification\". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices.", "known_false_positives": "This search might be prone to high false positives if you have malfunctioning devices connected to your ethernet ports or if end users periodically connect physical devices to the network.", "references": [], "tags": {"name": "Detect Port Security Violation", "analytic_story": ["Router and Infrastructure Security"], "asset_type": "Infrastructure", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery", "Actions on Objectives", "Exploitation"], "message": "tbd", "mitre_attack_id": ["T1200", "T1498", "T1557", "T1557.002"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "facility", "mnemonic", "disable_cause", "src_int_prefix_long", "src_int_suffix", "src_mac", "src_vlan", "action", "host", "src_interface"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1200", "mitre_attack_technique": "Hardware Additions", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["DarkVishnya"]}, {"mitre_attack_id": "T1498", "mitre_attack_technique": "Network Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1557", "mitre_attack_technique": "Adversary-in-the-Middle", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1557.002", "mitre_attack_technique": "ARP Cache Poisoning", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["Cleaver", "LuminousMoth"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cisco_networks", "definition": "eventtype=cisco_ios", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_port_security_violation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/detect_port_security_violation.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Detect Rogue DHCP Server", "id": "6e1ada88-7a0d-4ac1-92c6-03d354686079", "version": 1, "date": "2020-08-11", "author": "Mikael Bjerkeland, Splunk", "type": "TTP", "status": "experimental", "description": "By enabling DHCP Snooping as a Layer 2 Security measure on the organization's network devices, we will be able to detect unauthorized DHCP servers handing out DHCP leases to devices on the network (Man in the Middle attack).", "data_source": [], "search": "`cisco_networks` facility=\"DHCP_SNOOPING\" mnemonic=\"DHCP_SNOOPING_UNTRUSTED_PORT\" | stats min(_time) AS firstTime max(_time) AS lastTime count values(message_type) AS message_type values(src_mac) AS src_mac BY host | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| `detect_rogue_dhcp_server_filter`", "how_to_implement": "This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with DHCP Snooping enabled (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01101.html) and log with a severity level of minimum \"5 - notification\". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices.", "known_false_positives": "This search might be prone to high false positives if DHCP Snooping has been incorrectly configured or in the unlikely event that the DHCP server has been moved to another network interface.", "references": [], "tags": {"name": "Detect Rogue DHCP Server", "analytic_story": ["Router and Infrastructure Security"], "asset_type": "Infrastructure", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery", "Actions on Objectives", "Exploitation"], "message": "tbd", "mitre_attack_id": ["T1200", "T1498", "T1557"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "facility", "mnemonic", "message_type", "src_mac", "host"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1200", "mitre_attack_technique": "Hardware Additions", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["DarkVishnya"]}, {"mitre_attack_id": "T1498", "mitre_attack_technique": "Network Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1557", "mitre_attack_technique": "Adversary-in-the-Middle", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["Kimsuky"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cisco_networks", "definition": "eventtype=cisco_ios", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_rogue_dhcp_server_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/detect_rogue_dhcp_server.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Detect SNICat SNI Exfiltration", "id": "82d06410-134c-11eb-adc1-0242ac120002", "version": 1, "date": "2020-10-21", "author": "Shannon Davis, Splunk", "type": "TTP", "status": "experimental", "description": "This search looks for commands that the SNICat tool uses in the TLS SNI field.", "data_source": [], "search": "`zeek_ssl` | rex field=server_name \"(?(LIST|LS|SIZE|LD|CB|CD|EX|ALIVE|EXIT|WHERE|finito)-[A-Za-z0-9]{16}\\.)\" | stats count by src_ip dest_ip server_name snicat | where count>0 | table src_ip dest_ip server_name snicat | `detect_snicat_sni_exfiltration_filter`", "how_to_implement": "You must be ingesting Zeek SSL data into Splunk. Zeek data should also be getting ingested in JSON format. We are detecting when any of the predefined SNICat commands are found within the server_name (SNI) field. These commands are LIST, LS, SIZE, LD, CB, EX, ALIVE, EXIT, WHERE, and finito. You can go further once this has been detected, and run other searches to decode the SNI data to prove or disprove if any data exfiltration has taken place.", "known_false_positives": "Unknown", "references": ["https://www.mnemonic.io/resources/blog/introducing-snicat/", "https://github.com/mnemonic-no/SNIcat", "https://attack.mitre.org/techniques/T1041/"], "tags": {"name": "Detect SNICat SNI Exfiltration", "analytic_story": ["Data Exfiltration"], "asset_type": "Network", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "message": "tbd", "mitre_attack_id": ["T1041"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "server_name", "src_ip", "dest_ip"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1041", "mitre_attack_technique": "Exfiltration Over C2 Channel", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Chimera", "Confucius", "GALLIUM", "Gamaredon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "LuminousMoth", "MuddyWater", "Sandworm Team", "Stealth Falcon", "Wizard Spider", "ZIRCONIUM"]}]}, "datamodel": [], "macros": [{"name": "zeek_ssl", "definition": "index=zeek sourcetype=\"zeek:ssl:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_snicat_sni_exfiltration_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/detect_snicat_sni_exfiltration.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Detect Software Download To Network Device", "id": "cc590c66-f65f-48f2-986a-4797244762f8", "version": 1, "date": "2020-10-28", "author": "Mikael Bjerkeland, Splunk", "type": "TTP", "status": "experimental", "description": "Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where (All_Traffic.transport=udp AND All_Traffic.dest_port=69) OR (All_Traffic.transport=tcp AND All_Traffic.dest_port=21) OR (All_Traffic.transport=tcp AND All_Traffic.dest_port=22) AND All_Traffic.dest_category!=common_software_repo_destination AND All_Traffic.src_category=network OR All_Traffic.src_category=router OR All_Traffic.src_category=switch by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(\"All_Traffic\")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_software_download_to_network_device_filter`", "how_to_implement": "This search looks for Network Traffic events to TFTP, FTP or SSH/SCP ports from network devices. Make sure to tag any network devices as network, router or switch in order for this detection to work. If the TFTP traffic doesn't traverse a firewall nor packet inspection, these events will not be logged. This is typically an issue if the TFTP server is on the same subnet as the network device. There is also a chance of the network device loading software using a DHCP assigned IP address (netboot) which is not in the Asset inventory.", "known_false_positives": "This search will also report any legitimate attempts of software downloads to network devices as well as outbound SSH sessions from network devices.", "references": [], "tags": {"name": "Detect Software Download To Network Device", "analytic_story": ["Router and Infrastructure Security"], "asset_type": "Infrastructure", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "message": "tbd", "mitre_attack_id": ["T1542.005", "T1542"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Traffic.transport", "All_Traffic.dest_port", "All_Traffic.dest_category", "All_Traffic.src_category", "All_Traffic.src", "All_Traffic.dest"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1542.005", "mitre_attack_technique": "TFTP Boot", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1542", "mitre_attack_technique": "Pre-OS Boot", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}]}, "datamodel": ["Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_software_download_to_network_device_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/detect_software_download_to_network_device.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Detect suspicious DNS TXT records using pretrained model in DSDL", "id": "92f65c3a-968c-11ed-a1eb-0242ac120002", "version": 1, "date": "2023-01-15", "author": "Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk", "type": "Anomaly", "status": "experimental", "description": "The following analytic uses a pre trained deep learning model to detect suspicious DNS TXT records. The model is trained independently and is then made available for download. The DNS TXT records are categorized into commonly identified types like email, verification, http using regular expressions https://www.tide-project.nl/blog/wtmc2020/. The TXT records that do not match regular expressions for well known types are labeled as 1 for \"unknown/suspicious\" and otherwise 0 for \"not suspicious\". The deep learning model we have developed uses DNS TXT responses to analyze patterns of character sequences to predict if a DNS TXT is suspicious or not. The higher the pred_is_unknown_proba, the more likely the DNS TXT record is suspicious. The threshold for flagging a domain as suspicious is set at 0.5.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.message_type=response AND DNS.record_type=TXT by DNS.src DNS.dest DNS.answer DNS.record_type | `drop_dm_object_name(\"DNS\")` | rename answer as text | fields firstTime, lastTime, message_type,record_type,src,dest, text | apply detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl | rename predicted_is_unknown as is_suspicious_score | where is_suspicious_score > 0.5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table src,dest,text,record_type, firstTime, lastTime,is_suspicious_score | `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl_filter`", "how_to_implement": "Steps to deploy detect suspicious DNS TXT records model into Splunk App DSDL. This detection depends on the Splunk app for Data Science and Deep Learning which can be found here - `https://splunkbase.splunk.com/app/4607/` and the Network Resolution datamodel which can be found here - `https://splunkbase.splunk.com/app/1621/`. The detection uses a pre-trained deep learning model that needs to be deployed in DSDL app. Follow the steps for deployment here - `https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU`.\\\n* Download the `artifacts .tar.gz` file from the link - `https://seal.splunkresearch.com/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz`.\\\n* Download the `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.ipynb` Jupyter notebook from `https://github.com/splunk/security_content/notebooks`.\\\n* Login to the Jupyter Lab assigned for `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl` container. This container should be listed on Containers page for DSDL app.\\\n* Below steps need to be followed inside Jupyter lab.\\\n* Upload the `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz` file into `app/model/data` path using the upload option in the jupyter notebook.\\\n* Untar the artifact `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz` using `tar -xf app/model/data/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz -C app/model/data`.\\\n* Upload detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.ipynb` into Jupyter lab notebooks folder using the upload option in Jupyter lab.\\\n* Save the notebook using the save option in Jupyter notebook.\\\n* Upload `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.json` into `notebooks/data` folder.", "known_false_positives": "False positives may be present if DNS TXT record contents are similar to benign DNS TXT record contents.", "references": ["https://attack.mitre.org/techniques/T1071/004/", "https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/", "https://en.wikipedia.org/wiki/TXT_record"], "tags": {"name": "Detect suspicious DNS TXT records using pretrained model in DSDL", "analytic_story": ["DNS Hijacking", "Suspicious DNS Traffic", "Command and Control"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Command And Control"], "message": "A suspicious DNS TXT response was detected on host $src$ , kindly review.", "mitre_attack_id": ["T1568.002"], "nist": ["DE.AE"], "observable": [{"name": "answer", "type": "Other", "role": ["Attacker"]}, {"name": "src", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "DNS.message_type", "DNS.record_type", "DNS.src", "DNS.dest", "DNS.answer"], "risk_score": 45, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1568.002", "mitre_attack_technique": "Domain Generation Algorithms", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "TA551"]}]}, "datamodel": ["Network_Resolution"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml", "source": "network"}, {"name": "Detect Traffic Mirroring", "id": "42b3b753-5925-49c5-9742-36fa40a73990", "version": 1, "date": "2020-10-28", "author": "Mikael Bjerkeland, Splunk", "type": "TTP", "status": "experimental", "description": "Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised network infrastructure. Traffic mirroring is a native feature for some network devices and used for network analysis and may be configured to duplicate traffic and forward to one or more destinations for analysis by a network analyzer or other monitoring device.", "data_source": [], "search": "`cisco_networks` (facility=\"MIRROR\" mnemonic=\"ETH_SPAN_SESSION_UP\") OR (facility=\"SPAN\" mnemonic=\"SESSION_UP\") OR (facility=\"SPAN\" mnemonic=\"PKTCAP_START\") OR (mnemonic=\"CFGLOG_LOGGEDCMD\" command=\"monitor session*\") | stats min(_time) AS firstTime max(_time) AS lastTime count BY host facility mnemonic | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `detect_traffic_mirroring_filter`", "how_to_implement": "This search uses a standard SPL query on logs from Cisco Network devices. The network devices must log with a severity level of minimum \"5 - notification\". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices and that the devices have been configured according to the documentation of the Cisco Networks Add-on. Also note that an attacker may disable logging from the device prior to enabling traffic mirroring.", "known_false_positives": "This search will return false positives for any legitimate traffic captures by network administrators.", "references": [], "tags": {"name": "Detect Traffic Mirroring", "analytic_story": ["Router and Infrastructure Security"], "asset_type": "Infrastructure", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery", "Actions on Objectives"], "message": "tbd", "mitre_attack_id": ["T1200", "T1020", "T1498", "T1020.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "facility", "mnemonic", "host"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1200", "mitre_attack_technique": "Hardware Additions", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["DarkVishnya"]}, {"mitre_attack_id": "T1020", "mitre_attack_technique": "Automated Exfiltration", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Gamaredon Group", "Ke3chang", "Sidewinder", "Tropic Trooper"]}, {"mitre_attack_id": "T1498", "mitre_attack_technique": "Network Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1020.001", "mitre_attack_technique": "Traffic Duplication", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cisco_networks", "definition": "eventtype=cisco_ios", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_traffic_mirroring_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/detect_traffic_mirroring.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Detect Unauthorized Assets by MAC address", "id": "dcfd6b40-42f9-469d-a433-2e53f7489ff4", "version": 2, "date": "2017-09-13", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "experimental", "description": "By populating the organization's assets within the assets_by_str.csv, we will be able to detect unauthorized devices that are trying to connect with the organization's network by inspecting DHCP request packets, which are issued by devices when they attempt to obtain an IP address from the DHCP server. The MAC address associated with the source of the DHCP request is checked against the list of known devices, and reports on those that are not found.", "data_source": [], "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Sessions where nodename=All_Sessions.DHCP All_Sessions.tag=dhcp by All_Sessions.dest_ip All_Sessions.dest_mac | dedup All_Sessions.dest_mac| `drop_dm_object_name(\"Network_Sessions\")`|`drop_dm_object_name(\"All_Sessions\")` | search NOT [| inputlookup asset_lookup_by_str |rename mac as dest_mac | fields + dest_mac] | `detect_unauthorized_assets_by_mac_address_filter`", "how_to_implement": "This search uses the Network_Sessions data model shipped with Enterprise Security. It leverages the Assets and Identity framework to populate the assets_by_str.csv file located in SA-IdentityManagement, which will contain a list of known authorized organizational assets including their MAC addresses. Ensure that all inventoried systems have their MAC address populated.", "known_false_positives": "This search might be prone to high false positives. Please consider this when conducting analysis or investigations. Authorized devices may be detected as unauthorized. If this is the case, verify the MAC address of the system responsible for the false positive and add it to the Assets and Identity framework with the proper information.", "references": [], "tags": {"name": "Detect Unauthorized Assets by MAC address", "analytic_story": ["Asset Tracking"], "asset_type": "Infrastructure", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Sessions.signature", "All_Sessions.src_ip", "All_Sessions.dest_mac"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": ["Network_Sessions"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_unauthorized_assets_by_mac_address_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/detect_unauthorized_assets_by_mac_address.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Detect Windows DNS SIGRed via Splunk Stream", "id": "babd8d10-d073-11ea-87d0-0242ac130003", "version": 1, "date": "2020-07-28", "author": "Shannon Davis, Splunk", "type": "TTP", "status": "experimental", "description": "This search detects SIGRed via Splunk Stream.", "data_source": [], "search": "`stream_dns` | spath \"query_type{}\" | search \"query_type{}\" IN (SIG,KEY) | spath protocol_stack | search protocol_stack=\"ip:tcp:dns\" | append [search `stream_tcp` bytes_out>65000] | `detect_windows_dns_sigred_via_splunk_stream_filter` | stats count by flow_id | where count>1 | fields - count", "how_to_implement": "You must be ingesting Splunk Stream DNS and Splunk Stream TCP. We are detecting SIG and KEY records via stream:dns and TCP payload over 65KB in size via stream:tcp. Replace the macro definitions ('stream:dns' and 'stream:tcp') with configurations for your Splunk environment.", "known_false_positives": "unknown", "references": [], "tags": {"name": "Detect Windows DNS SIGRed via Splunk Stream", "analytic_story": ["Windows DNS SIGRed CVE-2020-1350"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "tbd", "mitre_attack_id": ["T1203"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "cve": ["CVE-2020-1350"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1203", "mitre_attack_technique": "Exploitation for Client Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT12", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT41", "Andariel", "Aoqin Dragon", "Axiom", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "Higaisa", "Inception", "Lazarus Group", "Leviathan", "MuddyWater", "Mustang Panda", "Patchwork", "Sandworm Team", "Sidewinder", "TA459", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "admin@338"]}]}, "datamodel": [], "macros": [{"name": "stream_dns", "definition": "sourcetype=stream:dns", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "stream_tcp", "definition": "sourcetype=stream:tcp", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_windows_dns_sigred_via_splunk_stream_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2020-1350", "cvss": 10.0, "summary": "A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests, aka 'Windows DNS Server Remote Code Execution Vulnerability'."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/detect_windows_dns_sigred_via_splunk_stream.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Detect Windows DNS SIGRed via Zeek", "id": "c5c622e4-d073-11ea-87d0-0242ac130003", "version": 1, "date": "2020-07-28", "author": "Shannon Davis, Splunk", "type": "TTP", "status": "experimental", "description": "This search detects SIGRed via Zeek DNS and Zeek Conn data.", "data_source": [], "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where DNS.query_type IN (SIG,KEY) by DNS.flow_id | rename DNS.flow_id as flow_id | append [| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.bytes_in>65000 by All_Traffic.flow_id | rename All_Traffic.flow_id as flow_id] | `detect_windows_dns_sigred_via_zeek_filter` | stats count by flow_id | where count>1 | fields - count ", "how_to_implement": "You must be ingesting Zeek DNS and Zeek Conn data into Splunk. Zeek data should also be getting ingested in JSON format. We are detecting SIG and KEY records via bro:dns:json and TCP payload over 65KB in size via bro:conn:json. The Network Resolution and Network Traffic datamodels are in use for this search.", "known_false_positives": "unknown", "references": [], "tags": {"name": "Detect Windows DNS SIGRed via Zeek", "analytic_story": ["Windows DNS SIGRed CVE-2020-1350"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "tbd", "mitre_attack_id": ["T1203"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "DNS.query_type", "DNS.flow_id", "All_Traffic.bytes_in", "All_Traffic.flow_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2020-1350"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1203", "mitre_attack_technique": "Exploitation for Client Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT12", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT41", "Andariel", "Aoqin Dragon", "Axiom", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "Higaisa", "Inception", "Lazarus Group", "Leviathan", "MuddyWater", "Mustang Panda", "Patchwork", "Sandworm Team", "Sidewinder", "TA459", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "admin@338"]}]}, "datamodel": ["Network_Resolution", "Network_Traffic"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_windows_dns_sigred_via_zeek_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2020-1350", "cvss": 10.0, "summary": "A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests, aka 'Windows DNS Server Remote Code Execution Vulnerability'."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/detect_windows_dns_sigred_via_zeek.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Detect Zerologon via Zeek", "id": "bf7a06ec-f703-11ea-adc1-0242ac120002", "version": 1, "date": "2020-09-15", "author": "Shannon Davis, Splunk", "type": "TTP", "status": "experimental", "description": "This search detects attempts to run exploits for the Zerologon CVE-2020-1472 vulnerability via Zeek RPC", "data_source": [], "search": "`zeek_rpc` operation IN (NetrServerPasswordSet2,NetrServerReqChallenge,NetrServerAuthenticate3) | bin span=5m _time | stats values(operation) dc(operation) as opscount count(eval(operation==\"NetrServerReqChallenge\")) as challenge count(eval(operation==\"NetrServerAuthenticate3\")) as authcount count(eval(operation==\"NetrServerPasswordSet2\")) as passcount count as totalcount by _time,src_ip,dest_ip | search opscount=3 authcount>4 passcount>0 | search `detect_zerologon_via_zeek_filter`", "how_to_implement": "You must be ingesting Zeek DCE-RPC data into Splunk. Zeek data should also be getting ingested in JSON format. We are detecting when all three RPC operations (NetrServerReqChallenge, NetrServerAuthenticate3, NetrServerPasswordSet2) are splunk_security_essentials_app via bro:rpc:json. These three operations are then correlated on the Zeek UID field.", "known_false_positives": "unknown", "references": ["https://www.secura.com/blog/zero-logon", "https://github.com/SecuraBV/CVE-2020-1472", "https://msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472"], "tags": {"name": "Detect Zerologon via Zeek", "analytic_story": ["Detect Zerologon Attack"], "asset_type": "Network", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "tbd", "mitre_attack_id": ["T1190"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "operation"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "cve": ["CVE-2020-1472"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}]}, "datamodel": [], "macros": [{"name": "zeek_rpc", "definition": "index=zeek sourcetype=\"zeek:rpc:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_zerologon_via_zeek_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2020-1472", "cvss": 9.3, "summary": "An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon Elevation of Privilege Vulnerability'."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/detect_zerologon_via_zeek.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "DNS Query Length Outliers - MLTK", "id": "85fbcfe8-9718-4911-adf6-7000d077a3a9", "version": 2, "date": "2020-01-22", "author": "Rico Valdez, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search allows you to identify DNS requests that are unusually large for the record type being requested in your environment.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as start_time max(_time) as end_time values(DNS.src) as src values(DNS.dest) as dest from datamodel=Network_Resolution by DNS.query DNS.record_type | search DNS.record_type=* | `drop_dm_object_name(DNS)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval query_length = len(query) | apply dns_query_pdfmodel threshold=0.01 | rename \"IsOutlier(query_length)\" as isOutlier | search isOutlier > 0 | sort -query_length | table start_time end_time query record_type count src dest query_length | `dns_query_length_outliers___mltk_filter` ", "how_to_implement": "To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model. In addition, the Machine Learning Toolkit (MLTK) version 4.2 or greater must be installed on your search heads, along with any required dependencies. Finally, the support search \"Baseline of DNS Query Length - MLTK\" must be executed before this detection search, because it builds a machine-learning (ML) model over the historical data used by this search. It is important that this search is run in the same app context as the associated support search, so that the model created by the support search is available for use. You should periodically re-run the support search to rebuild the model with the latest data available in your environment.\\\nThis search produces fields (`query`,`query_length`,`count`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\\\n1. **Label:** DNS Query, **Field:** query\\\n1. \\\n1. **Label:** DNS Query Length, **Field:** query_length\\\n1. \\\n1. **Label:** Number of events, **Field:** count\\\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "If you are seeing more results than desired, you may consider reducing the value for threshold in the search. You should also periodically re-run the support search to re-build the ML model on the latest data.", "references": [], "tags": {"name": "DNS Query Length Outliers - MLTK", "analytic_story": ["Hidden Cobra Malware", "Suspicious DNS Traffic", "Command And Control"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command And Control"], "message": "tbd", "mitre_attack_id": ["T1071.004", "T1071"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "DNS.src", "DNS.dest", "DNS.query", "DNS.record_type"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Dragonfly", "Magic Hound", "Rocke", "TeamTNT"]}]}, "datamodel": ["Network_Resolution"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "dns_query_length_outliers___mltk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/dns_query_length_outliers___mltk.yml", "source": "network"}, {"name": "DNS Query Length With High Standard Deviation", "id": "1a67f15a-f4ff-4170-84e9-08cf6f75d6f5", "version": 4, "date": "2021-10-06", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "production", "description": "This search allows you to identify DNS requests and compute the standard deviation on the length of the names being resolved, then filter on two times the standard deviation to show you those queries that are unusually large for your environment.", "data_source": [], "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where NOT DNS.message_type IN(\"Pointer\",\"PTR\") by DNS.query host| `drop_dm_object_name(\"DNS\")` | eval tlds=split(query,\".\") | eval tld=mvindex(tlds,-1) | eval tld_len=len(tld) | search tld_len<=24 | eval query_length = len(query) | table host query query_length record_type count | eventstats stdev(query_length) AS stdev avg(query_length) AS avg p50(query_length) AS p50| where query_length>(avg+stdev*2) | eval z_score=(query_length-avg)/stdev | `dns_query_length_with_high_standard_deviation_filter`", "how_to_implement": "To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model.", "known_false_positives": "It's possible there can be long domain names that are legitimate.", "references": [], "tags": {"name": "DNS Query Length With High Standard Deviation", "analytic_story": ["Hidden Cobra Malware", "Suspicious DNS Traffic", "Command And Control"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "message": "A dns query $query$ with 2 time standard deviation of name len of the dns query in host $host$", "mitre_attack_id": ["T1048.003", "T1048"], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "DNS.query"], "risk_score": 56, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/long_dns_queries/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Network_Resolution"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "dns_query_length_with_high_standard_deviation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/dns_query_length_with_high_standard_deviation.yml", "source": "network"}, {"name": "Excessive DNS Failures", "id": "104658f4-afdc-499e-9719-17243f9826f1", "version": 3, "date": "2022-12-21", "author": "bowesmana, Bhavin Patel, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search identifies DNS query failures by counting the number of DNS responses that do not indicate success, and trigger on more than 50 occurrences.", "data_source": [], "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where nodename=DNS \"DNS.reply_code\"!=\"No Error\" \"DNS.reply_code\"!=\"NoError\" DNS.reply_code!=\"unknown\" NOT \"DNS.query\"=\"*.arpa\" \"DNS.query\"=\"*.*\" by \"DNS.src\" \"DNS.query\" \"DNS.reply_code\" | `drop_dm_object_name(\"DNS\")` | lookup cim_corporate_web_domain_lookup domain as query OUTPUT domain | where isnull(domain) | lookup update=true alexa_lookup_by_str domain as query OUTPUT rank | where isnull(rank) | eventstats max(count) as mc by src reply_code | eval mode_query=if(count=mc, query, null()) | stats sum(count) as count values(mode_query) as query values(mc) as max_query_count by src reply_code | where count>50 | `get_asset(src)` | `excessive_dns_failures_filter` ", "how_to_implement": "To successfully implement this search you must ensure that DNS data is populating the Network_Resolution data model.", "known_false_positives": "It is possible legitimate traffic can trigger this rule. Please investigate as appropriate. The threshold for generating an event can also be customized to better suit your environment.", "references": [], "tags": {"name": "Excessive DNS Failures", "analytic_story": ["Suspicious DNS Traffic", "Command And Control"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command And Control"], "message": "Excessive DNS failures detected on $src$", "mitre_attack_id": ["T1071.004", "T1071"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "DNS.query", "DNS.reply_code", "DNS.src"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Dragonfly", "Magic Hound", "Rocke", "TeamTNT"]}]}, "datamodel": ["Network_Resolution"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "excessive_dns_failures_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/excessive_dns_failures.yml", "source": "network"}, {"name": "F5 BIG-IP iControl REST Vulnerability CVE-2022-1388", "id": "bb1c2c30-107a-4e56-a4b9-1f7022867bfe", "version": 1, "date": "2022-05-10", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a recent unauthenticated remote code execution vulnerablity against the F5 BIG-IP iControl REST API. The analytic identifies the URI path found in the POCs and the HTTP Method of POST. In addition, the request header will have the commands that may be executed in fields utilcmdargs and the auth field of X-F5-Auth-Token, which may have a random base64 encoded value.", "data_source": [], "search": "| tstats count from datamodel=Web where Web.url=\"*/mgmt/tm/util/bash*\" Web.http_method=\"POST\" by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good.", "known_false_positives": "False positives may be present if the activity is blocked or was not successful. Filter known vulnerablity scanners. Filter as needed.", "references": ["https://github.com/dk4trin/templates-nuclei/blob/main/CVE-2022-1388.yaml", "https://www.randori.com/blog/vulnerability-analysis-cve-2022-1388/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388", "https://twitter.com/da_667/status/1523770267327250438?s=20&t=-JnB_aNWuJFsmcOmxGUWLQ", "https://github.com/horizon3ai/CVE-2022-1388/blob/main/CVE-2022-1388.py"], "tags": {"name": "F5 BIG-IP iControl REST Vulnerability CVE-2022-1388", "analytic_story": ["F5 BIG-IP Vulnerability CVE-2022-1388"], "asset_type": "Web Server", "cis20": ["CIS 13"], "confidence": 70, "impact": 100, "kill_chain_phases": ["Delivery"], "message": "An attempt to exploit CVE-2022-1388 against an F5 appliance $dest$ has occurred.", "mitre_attack_id": ["T1190"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Web.http_method", "Web.url", "Web.url_length", "Web.src", "Web.dest", "Web.http_user_agent"], "risk_score": 70, "security_domain": "network", "risk_severity": "medium", "cve": ["CVE-2022-1388"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/f5/f5.log", "source": "pan:threat", "sourcetype": "pan:threat", "update_timestamp": true}]}], "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-1388", "cvss": 7.5, "summary": "On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Hosts receiving high volume of network traffic from email server", "id": "7f5fb3e1-4209-4914-90db-0ec21b556368", "version": 2, "date": "2020-07-21", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search looks for an increase of data transfers from your email server to your clients. This could be indicative of a malicious actor collecting data using your email server.", "data_source": [], "search": "| tstats `security_content_summariesonly` sum(All_Traffic.bytes_in) as bytes_in from datamodel=Network_Traffic where All_Traffic.dest_category=email_server by All_Traffic.src_ip _time span=1d | `drop_dm_object_name(\"All_Traffic\")` | eventstats avg(bytes_in) as avg_bytes_in stdev(bytes_in) as stdev_bytes_in | eventstats count as num_data_samples avg(eval(if(_time < relative_time(now(), \"@d\"), bytes_in, null))) as per_source_avg_bytes_in stdev(eval(if(_time < relative_time(now(), \"@d\"), bytes_in, null))) as per_source_stdev_bytes_in by src_ip | eval minimum_data_samples = 4, deviation_threshold = 3 | where num_data_samples >= minimum_data_samples AND bytes_in > (avg_bytes_in + (deviation_threshold * stdev_bytes_in)) AND bytes_in > (per_source_avg_bytes_in + (deviation_threshold * per_source_stdev_bytes_in)) AND _time >= relative_time(now(), \"@d\") | eval num_standard_deviations_away_from_server_average = round(abs(bytes_in - avg_bytes_in) / stdev_bytes_in, 2), num_standard_deviations_away_from_client_average = round(abs(bytes_in - per_source_avg_bytes_in) / per_source_stdev_bytes_in, 2) | table src_ip, _time, bytes_in, avg_bytes_in, per_source_avg_bytes_in, num_standard_deviations_away_from_server_average, num_standard_deviations_away_from_client_average | `hosts_receiving_high_volume_of_network_traffic_from_email_server_filter`", "how_to_implement": "This search requires you to be ingesting your network traffic and populating the Network_Traffic data model. Your email servers must be categorized as \"email_server\" for the search to work, as well. You may need to adjust the deviation_threshold and minimum_data_samples values based on the network traffic in your environment. The \"deviation_threshold\" field is a multiplying factor to control how much variation you're willing to tolerate. The \"minimum_data_samples\" field is the minimum number of connections of data samples required for the statistic to be valid.", "known_false_positives": "The false-positive rate will vary based on how you set the deviation_threshold and data_samples values. Our recommendation is to adjust these values based on your network traffic to and from your email servers.", "references": [], "tags": {"name": "Hosts receiving high volume of network traffic from email server", "analytic_story": ["Collection and Staging"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1114.002", "T1114"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Traffic.bytes_in", "All_Traffic.dest_category", "All_Traffic.src_ip"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}, {"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}]}, "datamodel": ["Network_Traffic"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "hosts_receiving_high_volume_of_network_traffic_from_email_server_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/hosts_receiving_high_volume_of_network_traffic_from_email_server.yml", "source": "network"}, {"name": "Large Volume of DNS ANY Queries", "id": "8fa891f7-a533-4b3c-af85-5aa2e7c1f1eb", "version": 1, "date": "2017-09-20", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "experimental", "description": "The search is used to identify attempts to use your DNS Infrastructure for DDoS purposes via a DNS amplification attack leveraging ANY queries.", "data_source": [], "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where nodename=DNS \"DNS.message_type\"=\"QUERY\" \"DNS.record_type\"=\"ANY\" by \"DNS.dest\" | `drop_dm_object_name(\"DNS\")` | where count>200 | `large_volume_of_dns_any_queries_filter`", "how_to_implement": "To successfully implement this search you must ensure that DNS data is populating the Network_Resolution data model.", "known_false_positives": "Legitimate ANY requests may trigger this search, however it is unusual to see a large volume of them under typical circumstances. You may modify the threshold in the search to better suit your environment.", "references": [], "tags": {"name": "Large Volume of DNS ANY Queries", "analytic_story": ["DNS Amplification Attacks"], "asset_type": "DNS Servers", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "message": "tbd", "mitre_attack_id": ["T1498", "T1498.002"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "DNS.message_type", "DNS.record_type", "DNS.dest"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1498", "mitre_attack_technique": "Network Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1498.002", "mitre_attack_technique": "Reflection Amplification", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}]}, "datamodel": ["Network_Resolution"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "large_volume_of_dns_any_queries_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/large_volume_of_dns_any_queries.yml", "source": "network"}, {"name": "Multiple Archive Files Http Post Traffic", "id": "4477f3ea-a28f-11eb-b762-acde48001122", "version": 1, "date": "2021-04-21", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is designed to detect high frequency of archive files data exfiltration through HTTP POST method protocol. This are one of the common techniques used by APT or trojan spy after doing the data collection like screenshot, recording, sensitive data to the infected machines. The attacker may execute archiving command to the collected data, save it a temp folder with a hidden attribute then send it to its C2 through HTTP POST. Sometimes adversaries will rename the archive files or encode/encrypt to cover their tracks. This detection can detect a renamed archive files transfer to HTTP POST since it checks the request body header. Unfortunately this detection cannot support archive that was encrypted or encoded before doing the exfiltration.", "data_source": [], "search": "`stream_http` http_method=POST |eval archive_hdr1=substr(form_data,1,2) | eval archive_hdr2 = substr(form_data,1,4) |stats values(form_data) as http_request_body min(_time) as firstTime max(_time) as lastTime count by http_method http_user_agent uri_path url bytes_in bytes_out archive_hdr1 archive_hdr2 |where count >20 AND (archive_hdr1 = \"7z\" OR archive_hdr1 = \"PK\" OR archive_hdr2=\"Rar!\") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `multiple_archive_files_http_post_traffic_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the stream HTTP logs or network logs that catch network traffic. Make sure that the http-request-body, payload, or request field is enabled in stream http configuration.", "known_false_positives": "Normal archive transfer via HTTP protocol may trip this detection.", "references": ["https://attack.mitre.org/techniques/T1560/001/", "https://www.mandiant.com/resources/apt39-iranian-cyber-espionage-group-focused-on-personal-information", "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/"], "tags": {"name": "Multiple Archive Files Http Post Traffic", "analytic_story": ["Data Exfiltration", "Command And Control"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "message": "A http post $http_method$ sending packet with possible archive bytes header 4form_data$ in uri path $uri_path$", "mitre_attack_id": ["T1048.003", "T1048"], "nist": ["DE.CM"], "observable": [{"name": "uri_path", "type": "URL String", "role": ["Attacker"]}, {"name": "form_data", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "http_method", "http_user_agent", "uri_path", "url", "bytes_in", "bytes_out", "archive_hdr1", "archive_hdr2", "form_data"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/archive_http_post/stream_http_events.log", "source": "stream", "sourcetype": "stream:http"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "multiple_archive_files_http_post_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/multiple_archive_files_http_post_traffic.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Ngrok Reverse Proxy on Network", "id": "5790a766-53b8-40d3-a696-3547b978fcf0", "version": 1, "date": "2022-11-16", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies the 4 most common Ngrok used domains based on DNS queries under the Network Resolution datamodel. It's possible these domains may be ran against the Web datamodel or ran with a direct query across network/proxy traffic. The sign of someone using Ngrok is not malicious, however, more recenctly it has become an adversary tool.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.query IN (\"*.ngrok.com\",\"*.ngrok.io\", \"ngrok.*.tunnel.com\", \"korgn.*.lennut.com\") by DNS.src DNS.query DNS.answer | `drop_dm_object_name(\"DNS\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ngrok_reverse_proxy_on_network_filter`", "how_to_implement": "The Network Resolution Datamodel will need to have data mapped to it regarding DNS queries. Modify query as needed to use another source.", "known_false_positives": "False positives will be present based on organizations that allow the use of Ngrok. Filter or monitor as needed.", "references": ["https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf"], "tags": {"name": "Ngrok Reverse Proxy on Network", "analytic_story": ["Reverse Network Proxy", "CISA AA22-320A"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 100, "impact": 50, "kill_chain_phases": ["Command And Control"], "message": "An endpoint, $src$, is beaconing out to the reverse proxy service of Ngrok.", "mitre_attack_id": ["T1572", "T1090", "T1102"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["DNS.src", "DNS.query", "DNS.answer"], "risk_score": 50, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1572", "mitre_attack_technique": "Protocol Tunneling", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Chimera", "Cobalt Group", "FIN6", "Fox Kitten", "Leviathan", "Magic Hound", "OilRig"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "POLONIUM", "Sandworm Team", "Turla", "Windigo"]}, {"mitre_attack_id": "T1102", "mitre_attack_technique": "Web Service", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT32", "EXOTIC LILY", "Ember Bear", "FIN6", "FIN8", "Fox Kitten", "Gamaredon Group", "Inception", "LazyScripter", "Mustang Panda", "Rocke", "TeamTNT", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/ngrok/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Network_Resolution"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "ngrok_reverse_proxy_on_network_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/ngrok_reverse_proxy_on_network.yml", "source": "network"}, {"name": "Plain HTTP POST Exfiltrated Data", "id": "e2b36208-a364-11eb-8909-acde48001122", "version": 1, "date": "2021-04-22", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect potential plain HTTP POST method data exfiltration. This network traffic is commonly used by trickbot, trojanspy, keylogger or APT adversary where arguments or commands are sent in plain text to the remote C2 server using HTTP POST method as part of data exfiltration.", "data_source": [], "search": "`stream_http` http_method=POST form_data IN (\"*wermgr.exe*\",\"*svchost.exe*\", \"*name=\\\"proclist\\\"*\",\"*ipconfig*\", \"*name=\\\"sysinfo\\\"*\", \"*net view*\") |stats values(form_data) as http_request_body min(_time) as firstTime max(_time) as lastTime count by http_method http_user_agent uri_path url bytes_in bytes_out | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `plain_http_post_exfiltrated_data_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the stream HTTP logs or network logs that catch network traffic. Make sure that the http-request-body, payload, or request field is enabled.", "known_false_positives": "unknown", "references": ["https://blog.talosintelligence.com/2020/03/trickbot-primer.html"], "tags": {"name": "Plain HTTP POST Exfiltrated Data", "analytic_story": ["Data Exfiltration", "Command And Control"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "message": "A http post $http_method$ sending packet with plain text of information $form_data$ in uri path $uri_path$", "mitre_attack_id": ["T1048.003", "T1048"], "nist": ["DE.CM"], "observable": [{"name": "uri_path", "type": "URL String", "role": ["Attacker"]}, {"name": "form_data", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "http_method", "http_user_agent", "uri_path", "url", "bytes_in", "bytes_out"], "risk_score": 63, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/plain_exfil_data/stream_http_events.log", "source": "stream", "sourcetype": "stream:http"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "plain_http_post_exfiltrated_data_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/plain_http_post_exfiltrated_data.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Prohibited Network Traffic Allowed", "id": "ce5a0962-849f-4720-a678-753fe6674479", "version": 2, "date": "2020-07-21", "author": "Rico Valdez, Splunk", "type": "TTP", "status": "experimental", "description": "This search looks for network traffic defined by port and transport layer protocol in the Enterprise Security lookup table \"lookup_interesting_ports\", that is marked as prohibited, and has an associated 'allow' action in the Network_Traffic data model. This could be indicative of a misconfigured network device.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.action = allowed by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action | lookup update=true interesting_ports_lookup dest_port as All_Traffic.dest_port OUTPUT app is_prohibited note transport | search is_prohibited=true | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Traffic\")` | `prohibited_network_traffic_allowed_filter`", "how_to_implement": "In order to properly run this search, Splunk needs to ingest data from firewalls or other network control devices that mediate the traffic allowed into an environment. This is necessary so that the search can identify an 'action' taken on the traffic of interest. The search requires the Network_Traffic data model be populated.", "known_false_positives": "None identified", "references": [], "tags": {"name": "Prohibited Network Traffic Allowed", "analytic_story": ["Prohibited Traffic Allowed or Protocol Mismatch", "Ransomware", "Command And Control"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "message": "tbd", "mitre_attack_id": ["T1048"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Traffic.action", "All_Traffic.src_ip", "All_Traffic.dest_ip", "All_Traffic.dest_port"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}]}, "datamodel": ["Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "prohibited_network_traffic_allowed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/prohibited_network_traffic_allowed.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Protocol or Port Mismatch", "id": "54dc1265-2f74-4b6d-b30d-49eb506a31b3", "version": 2, "date": "2020-07-21", "author": "Rico Valdez, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search looks for network traffic on common ports where a higher layer protocol does not match the port that is being used. For example, this search should identify cases where protocols other than HTTP are running on TCP port 80. This can be used by attackers to circumvent firewall restrictions, or as an attempt to hide malicious communications over ports and protocols that are typically allowed and not well inspected.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where (All_Traffic.app=dns NOT All_Traffic.dest_port=53) OR ((All_Traffic.app=web-browsing OR All_Traffic.app=http) NOT (All_Traffic.dest_port=80 OR All_Traffic.dest_port=8080 OR All_Traffic.dest_port=8000)) OR (All_Traffic.app=ssl NOT (All_Traffic.dest_port=443 OR All_Traffic.dest_port=8443)) OR (All_Traffic.app=smtp NOT All_Traffic.dest_port=25) by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.app, All_Traffic.dest_port |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Traffic\")` | `protocol_or_port_mismatch_filter`", "how_to_implement": "Running this search properly requires a technology that can inspect network traffic and identify common protocols. Technologies such as Bro and Palo Alto Networks firewalls are two examples that will identify protocols via inspection, and not just assume a specific protocol based on the transport protocol and ports.", "known_false_positives": "None identified", "references": [], "tags": {"name": "Protocol or Port Mismatch", "analytic_story": ["Prohibited Traffic Allowed or Protocol Mismatch", "Command And Control"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "message": "tbd", "mitre_attack_id": ["T1048.003", "T1048"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Traffic.app", "All_Traffic.dest_port", "All_Traffic.src_ip", "All_Traffic.dest_ip"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}]}, "datamodel": ["Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "protocol_or_port_mismatch_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/protocol_or_port_mismatch.yml", "source": "network"}, {"name": "Protocols passing authentication in cleartext", "id": "6923cd64-17a0-453c-b945-81ac2d8c6db9", "version": 3, "date": "2021-08-19", "author": "Rico Valdez, Splunk", "type": "TTP", "status": "experimental", "description": "The following analytic identifies cleartext protocols at risk of leaking sensitive information. Currently, this consists of legacy protocols such as telnet (port 23), POP3 (port 110), IMAP (port 143), and non-anonymous FTP (port 21) sessions. While some of these protocols may be used over SSL, they typically are found on different assigned ports in those instances.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.action!=blocked AND All_Traffic.transport=\"tcp\" AND (All_Traffic.dest_port=\"23\" OR All_Traffic.dest_port=\"143\" OR All_Traffic.dest_port=\"110\" OR (All_Traffic.dest_port=\"21\" AND All_Traffic.user != \"anonymous\")) by All_Traffic.user All_Traffic.src All_Traffic.dest All_Traffic.dest_port | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Traffic\")` | `protocols_passing_authentication_in_cleartext_filter`", "how_to_implement": "This search requires you to be ingesting your network traffic, and populating the Network_Traffic data model. For more accurate result it's better to limit destination to organization private and public IP range, like All_Traffic.dest IN(192.168.0.0/16,172.16.0.0/12,10.0.0.0/8, x.x.x.x/22)", "known_false_positives": "Some networks may use kerberized FTP or telnet servers, however, this is rare.", "references": ["https://www.rackaid.com/blog/secure-your-email-and-file-transfers/", "https://www.infosecmatter.com/capture-passwords-using-wireshark/"], "tags": {"name": "Protocols passing authentication in cleartext", "analytic_story": ["Use of Cleartext Protocols"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Traffic.transport", "All_Traffic.dest_port", "All_Traffic.user", "All_Traffic.src", "All_Traffic.dest", "All_Traffic.action"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": ["Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "protocols_passing_authentication_in_cleartext_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/protocols_passing_authentication_in_cleartext.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Remote Desktop Network Bruteforce", "id": "a98727cc-286b-4ff2-b898-41df64695923", "version": 2, "date": "2020-07-21", "author": "Jose Hernandez, Splunk", "type": "TTP", "status": "experimental", "description": "This search looks for RDP application network traffic and filters any source/destination pair generating more than twice the standard deviation of the average traffic.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=rdp by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | eventstats stdev(count) AS stdev avg(count) AS avg p50(count) AS p50 | where count>(avg + stdev*2) | rename All_Traffic.src AS src All_Traffic.dest AS dest | table firstTime lastTime src dest count avg p50 stdev | `remote_desktop_network_bruteforce_filter`", "how_to_implement": "You must ensure that your network traffic data is populating the Network_Traffic data model.", "known_false_positives": "RDP gateways may have unusually high amounts of traffic from all other hosts' RDP applications in the network.", "references": [], "tags": {"name": "Remote Desktop Network Bruteforce", "analytic_story": ["SamSam Ransomware", "Ryuk Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "$dest$ may be the target of an RDP Bruteforce", "mitre_attack_id": ["T1021.001", "T1021"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Traffic.app", "All_Traffic.src", "All_Traffic.dest", "All_Traffic.dest_port"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}]}, "datamodel": ["Network_Traffic"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "remote_desktop_network_bruteforce_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/remote_desktop_network_bruteforce.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Remote Desktop Network Traffic", "id": "272b8407-842d-4b3d-bead-a704584003d3", "version": 3, "date": "2020-07-07", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search looks for network traffic on TCP/3389, the default port used by remote desktop. While remote desktop traffic is not uncommon on a network, it is usually associated with known hosts. This search will ignore common RDP sources and common RDP destinations so you can focus on the uncommon uses of remote desktop on your network.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.dest_port=3389 AND All_Traffic.dest_category!=common_rdp_destination AND All_Traffic.src_category!=common_rdp_source AND all_Traffic.action=\"allowed\" by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(\"All_Traffic\")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_desktop_network_traffic_filter` ", "how_to_implement": "To successfully implement this search you need to identify systems that commonly originate remote desktop traffic and that commonly receive remote desktop traffic. You can use the included support search \"Identify Systems Creating Remote Desktop Traffic\" to identify systems that originate the traffic and the search \"Identify Systems Receiving Remote Desktop Traffic\" to identify systems that receive a lot of remote desktop traffic. After identifying these systems, you will need to add the \"common_rdp_source\" or \"common_rdp_destination\" category to that system depending on the usage, using the Enterprise Security Assets and Identities framework. This can be done by adding an entry in the assets.csv file located in SA-IdentityManagement/lookups.", "known_false_positives": "Remote Desktop may be used legitimately by users on the network.", "references": [], "tags": {"name": "Remote Desktop Network Traffic", "analytic_story": ["SamSam Ransomware", "Ryuk Ransomware", "Hidden Cobra Malware", "Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1021.001", "T1021"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Traffic.dest_port", "All_Traffic.dest_category", "All_Traffic.src_category", "All_Traffic.src", "All_Traffic.dest", "All_Traffic.dest_port"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}]}, "datamodel": ["Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "remote_desktop_network_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/remote_desktop_network_traffic.yml", "source": "network"}, {"name": "SMB Traffic Spike", "id": "7f5fb3e1-4209-4914-90db-0ec21b936378", "version": 3, "date": "2020-07-22", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search looks for spikes in the number of Server Message Block (SMB) traffic connections.", "data_source": [], "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=1h, All_Traffic.src | `drop_dm_object_name(\"All_Traffic\")` | eventstats max(_time) as maxtime | stats count as num_data_samples max(eval(if(_time >= relative_time(maxtime, \"-70m@m\"), count, null))) as count avg(eval(if(_time upperBound AND num_data_samples >=50, 1, 0) | where isOutlier=1 | table src count | `smb_traffic_spike_filter` ", "how_to_implement": "This search requires you to be ingesting your network traffic logs and populating the `Network_Traffic` data model.", "known_false_positives": "A file server may experience high-demand loads that could cause this analytic to trigger.", "references": [], "tags": {"name": "SMB Traffic Spike", "analytic_story": ["Emotet Malware DHS Report TA18-201A ", "Hidden Cobra Malware", "Ransomware", "DHS Report TA18-074A"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1021.002", "T1021"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Traffic.dest_port", "All_Traffic.app", "All_Traffic.src"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}]}, "datamodel": ["Network_Traffic"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "smb_traffic_spike_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/smb_traffic_spike.yml", "source": "network"}, {"name": "SMB Traffic Spike - MLTK", "id": "d25773ba-9ad8-48d1-858e-07ad0bbeb828", "version": 3, "date": "2020-07-22", "author": "Rico Valdez, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search uses the Machine Learning Toolkit (MLTK) to identify spikes in the number of Server Message Block (SMB) connections.", "data_source": [], "search": "| tstats `security_content_summariesonly` count values(All_Traffic.dest_ip) as dest values(All_Traffic.dest_port) as port from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=1h, All_Traffic.src | eval HourOfDay=strftime(_time, \"%H\") | eval DayOfWeek=strftime(_time, \"%A\") | `drop_dm_object_name(All_Traffic)` | apply smb_pdfmodel threshold=0.001 | rename \"IsOutlier(count)\" as isOutlier | search isOutlier > 0 | sort -count | table _time src dest port count | `smb_traffic_spike___mltk_filter` ", "how_to_implement": "To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model. In addition, the Machine Learning Toolkit (MLTK) version 4.2 or greater must be installed on your search heads, along with any required dependencies. Finally, the support search \"Baseline of SMB Traffic - MLTK\" must be executed before this detection search, because it builds a machine-learning (ML) model over the historical data used by this search. It is important that this search is run in the same app context as the associated support search, so that the model created by the support search is available for use. You should periodically re-run the support search to rebuild the model with the latest data available in your environment.\\\nThis search produces a field (Number of events,count) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. This field contributes additional context to the notable. To see the additional metadata, add the following field, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry): \\\n1. **Label:** Number of events, **Field:** count\\\nDetailed documentation on how to create a new field within Incident Review is found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "If you are seeing more results than desired, you may consider reducing the value of the threshold in the search. You should also periodically re-run the support search to re-build the ML model on the latest data. Please update the `smb_traffic_spike_mltk_filter` macro to filter out false positive results", "references": [], "tags": {"name": "SMB Traffic Spike - MLTK", "analytic_story": ["Emotet Malware DHS Report TA18-201A ", "Hidden Cobra Malware", "Ransomware", "DHS Report TA18-074A"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1021.002", "T1021"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Traffic.dest_ip", "All_Traffic.dest_port", "All_Traffic.app", "All_Traffic.src"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}]}, "datamodel": ["Network_Traffic"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "smb_traffic_spike___mltk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/smb_traffic_spike___mltk.yml", "source": "network"}, {"name": "Splunk Identified SSL TLS Certificates", "id": "620fbb89-86fd-4e2e-925f-738374277586", "version": 1, "date": "2022-05-25", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic uses tags of SSL, TLS and certificate to identify the usage of the Splunk default certificates being utilized in the environment. Recommended guidance is to utilize valid TLS certificates which documentation may be found in Splunk Docs - https://docs.splunk.com/Documentation/Splunk/8.2.6/Security/AboutsecuringyourSplunkconfigurationwithSSL.", "data_source": [], "search": "tag IN (ssl, tls, certificate) ssl_issuer_common_name=*splunk* | stats values(src) AS \"Host(s) with Default Cert\" count by ssl_issuer ssl_subject_common_name ssl_subject_organization ssl_subject host sourcetype | `splunk_identified_ssl_tls_certificates_filter`", "how_to_implement": "Ingestion of SSL/TLS data is needed and to be tagged properly as ssl, tls or certificate. This data may come from a proxy, zeek, or Splunk Streams. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "False positives will not be present as it is meant to assist with identifying default certificates being utilized.", "references": ["https://docs.splunk.com/Documentation/Splunk/8.2.6/Security/AboutsecuringyourSplunkconfigurationwithSSL", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"name": "Splunk Identified SSL TLS Certificates", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Proxy", "cis20": ["CIS 13"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "The following $dest$ is using the self signed Splunk certificate.", "mitre_attack_id": ["T1040"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["ssl_issuer", "ssl_subject_common_name", "ssl_subject_organization", "ssl_subject", "host", "sourcetype"], "risk_score": 42, "security_domain": "network", "risk_severity": "low", "cve": ["CVE-2022-32151", "CVE-2022-32152"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1040", "mitre_attack_technique": "Network Sniffing", "mitre_attack_tactics": ["Credential Access", "Discovery"], "mitre_attack_groups": ["APT28", "APT33", "DarkVishnya", "Kimsuky", "Sandworm Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1040/ssltls/ssl_splunk.log", "source": "stream:tcp", "sourcetype": "stream:tcp", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "splunk_identified_ssl_tls_certificates_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-32151", "cvss": 6.4, "summary": "The httplib and urllib Python libraries that Splunk shipped with Splunk Enterprise did not validate certificates using the certificate authority (CA) certificate stores by default in Splunk Enterprise versions before 9.0 and Splunk Cloud Platform versions before 8.2.2203. Python 3 client libraries now verify server certificates by default and use the appropriate CA certificate stores for each library. Apps and add-ons that include their own HTTP libraries are not affected. For Splunk Enterprise, update to Splunk Enterprise version 9.0 and Configure TLS host name validation for Splunk-to-Splunk communications (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation) to enable the remediation."}, {"id": "CVE-2022-32152", "cvss": 6.5, "summary": "Splunk Enterprise peers in Splunk Enterprise versions before 9.0 and Splunk Cloud Platform versions before 8.2.2203 did not validate the TLS certificates during Splunk-to-Splunk communications by default. Splunk peer communications configured properly with valid certificates were not vulnerable. However, an attacker with administrator credentials could add a peer without a valid certificate and connections from misconfigured nodes without valid certificates did not fail by default. For Splunk Enterprise, update to Splunk Enterprise version 9.0 and Configure TLS host name validation for Splunk-to-Splunk communications (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation) to enable the remediation."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/splunk_identified_ssl_tls_certificates.yml", "source": "network"}, {"name": "SSL Certificates with Punycode", "id": "696694df-5706-495a-81f2-79501fa11b90", "version": 1, "date": "2022-11-01", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "experimental", "description": "The following analytic utilizes the Certificates Datamodel to look for punycode domains, starting with xn--, found in the SSL issuer email domain. The presence of punycode here does not equate to evil, therefore we need to decode the punycode to determine what it translates to. Remove the CyberChef recipe as needed and decode manually. Note that this is not the exact location of the malicious punycode to trip CVE-2022-3602, but a method to at least identify fuzzing occurring on these email paths. What does evil look like? it will start with", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Certificates.All_Certificates by All_Certificates.SSL.ssl_issuer_email_domain All_Certificates.SSL.ssl_issuer All_Certificates.SSL.ssl_subject_email All_Certificates.SSL.dest All_Certificates.SSL.src All_Certificates.SSL.sourcetype All_Certificates.SSL.ssl_subject_email_domain | `drop_dm_object_name(\"All_Certificates.SSL\")` | eval punycode=if(like(ssl_issuer_email_domain,\"%xn--%\"),1,0) | where punycode=1 | cyberchef infield=\"ssl_issuer_email_domain\" outfield=\"convertedPuny\" jsonrecipe=\"[{\"op\":\"From Punycode\",\"args\":[true]}]\" | table ssl_issuer_email_domain convertedPuny ssl_issuer ssl_subject_email dest src sourcetype ssl_subject_email_domain | `ssl_certificates_with_punycode_filter`", "how_to_implement": "Ensure data is properly being ingested into the Certificates datamodel. If decoding the of interest, the CyberChef app is needed https://splunkbase.splunk.com/app/5348. If decoding is not needed, remove the cyberchef lines.", "known_false_positives": "False positives may be present if the organization works with international businesses. Filter as needed.", "references": ["https://www.splunk.com/en_us/blog/security/nothing-puny-about-cve-2022-3602.html", "https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/", "https://community.emergingthreats.net/t/out-of-band-ruleset-update-summary-2022-11-01/117", "https://github.com/corelight/CVE-2022-3602/tree/master/scripts"], "tags": {"name": "SSL Certificates with Punycode", "analytic_story": ["OpenSSL CVE-2022-3602"], "asset_type": "Network", "cis20": ["CIS 13"], "confidence": 30, "impact": 50, "kill_chain_phases": ["Command And Control"], "message": "A x509 certificate has been identified to have punycode in the SSL issuer email domain on $dest$.", "mitre_attack_id": ["T1573"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["All_Certificates.SSL.ssl_issuer_email_domain", "All_Certificates.SSL.ssl_issuer", "All_Certificates.SSL.ssl_subject_email", "All_Certificates.SSL.dest", "All_Certificates.SSL.src", "All_Certificates.SSL.sourcetype", "All_Certificates.SSL.ssl_subject_email_domain"], "risk_score": 15, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1573", "mitre_attack_technique": "Encrypted Channel", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT29", "BITTER", "Magic Hound", "Tropic Trooper"]}]}, "datamodel": [], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "ssl_certificates_with_punycode_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/ssl_certificates_with_punycode.yml", "source": "network"}, {"name": "TOR Traffic", "id": "ea688274-9c06-4473-b951-e4cb7a5d7a45", "version": 2, "date": "2020-07-22", "author": "David Dorsey, Splunk", "type": "TTP", "status": "experimental", "description": "This search looks for network traffic identified as The Onion Router (TOR), a benign anonymity network which can be abused for a variety of nefarious purposes.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=tor AND All_Traffic.action=allowed by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Traffic\")` | `tor_traffic_filter`", "how_to_implement": "In order to properly run this search, Splunk needs to ingest data from firewalls or other network control devices that mediate the traffic allowed into an environment. This is necessary so that the search can identify an 'action' taken on the traffic of interest. The search requires the Network_Traffic data model be populated.", "known_false_positives": "None at this time", "references": [], "tags": {"name": "TOR Traffic", "analytic_story": ["Prohibited Traffic Allowed or Protocol Mismatch", "Ransomware", "NOBELIUM Group", "Command And Control"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command And Control"], "message": "tbd", "mitre_attack_id": ["T1071", "T1071.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Traffic.app", "All_Traffic.action", "All_Traffic.src_ip", "All_Traffic.dest_ip", "All_Traffic.dest_port"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Dragonfly", "Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1071.001", "mitre_attack_technique": "Web Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Confucius", "Dark Caracal", "FIN4", "FIN8", "Gamaredon Group", "HAFNIUM", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "OilRig", "Orangeworm", "Rancor", "Rocke", "Sandworm Team", "Sidewinder", "SilverTerrier", "Stealth Falcon", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "WIRTE", "Windshift", "Wizard Spider"]}]}, "datamodel": ["Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "tor_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/tor_traffic.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Unusually Long Content-Type Length", "id": "57a0a2bf-353f-40c1-84dc-29293f3c35b7", "version": 1, "date": "2017-10-13", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search looks for unusually long strings in the Content-Type http header that the client sends the server.", "data_source": [], "search": "`stream_http` | eval cs_content_type_length = len(cs_content_type) | where cs_content_type_length > 100 | table endtime src_ip dest_ip cs_content_type_length cs_content_type url | `unusually_long_content_type_length_filter`", "how_to_implement": "This particular search leverages data extracted from Stream:HTTP. You must configure the http stream using the Splunk Stream App on your Splunk Stream deployment server to extract the cs_content_type field.", "known_false_positives": "Very few legitimate Content-Type fields will have a length greater than 100 characters.", "references": [], "tags": {"name": "Unusually Long Content-Type Length", "analytic_story": ["Apache Struts Vulnerability"], "asset_type": "Web Server", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "cs_content_type", "endtime", "src_ip", "dest_ip", "url"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "unusually_long_content_type_length_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/unusually_long_content_type_length.yml", "source": "network"}, {"name": "Windows AD Replication Service Traffic", "id": "c6e24183-a5f4-4b2a-ad01-2eb456d09b67", "version": 1, "date": "2022-11-26", "author": "Steven Dick", "type": "TTP", "status": "experimental", "description": "This search looks for evidence of Active Directory replication traffic [MS-DRSR] from unexpected sources. This traffic is often seen exclusively between Domain Controllers for AD database replication. Any detections from non-domain controller source to a domain controller may indicate the usage of DCSync or DCShadow credential dumping techniques.", "data_source": [], "search": "| tstats `security_content_summariesonly` count values(All_Traffic.transport) as transport values(All_Traffic.user) as user values(All_Traffic.src_category) as src_category values(All_Traffic.dest_category) as dest_category min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app IN (\"ms-dc-replication\",\"*drsr*\",\"ad drs\") by All_Traffic.src All_Traffic.dest All_Traffic.app | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Traffic\")` | `windows_ad_replication_service_traffic_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting application aware firewall or proxy logs into the Network Datamodel. Categorize all known domain controller Assets servers with an appropriate category for filtering.", "known_false_positives": "New domain controllers or certian scripts run by administrators.", "references": ["https://adsecurity.org/?p=1729", "https://attack.mitre.org/techniques/T1003/006/", "https://attack.mitre.org/techniques/T1207/"], "tags": {"name": "Windows AD Replication Service Traffic", "analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "endpoint", "cis20": ["CIS 13"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "Active Directory Replication Traffic from Unknown Source - $src$", "mitre_attack_id": ["T1003", "T1003.006", "T1207"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "IP Address", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["All_Traffic.src", "All_Traffic.dest", "All_Traffic.app"], "risk_score": 100, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1003.006", "mitre_attack_technique": "DCSync", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Earth Lusca", "LAPSUS$"]}, {"mitre_attack_id": "T1207", "mitre_attack_technique": "Rogue Domain Controller", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "datamodel": ["Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_ad_replication_service_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/windows_ad_replication_service_traffic.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Windows AD Rogue Domain Controller Network Activity", "id": "c4aeeeef-da7f-4338-b3ba-553cbcbe2138", "version": 1, "date": "2022-09-08", "author": "Dean Luxton", "type": "TTP", "status": "experimental", "description": "This detection is looking at zeek wiredata for specific replication RPC calls being performed from a device which is not a domain controller. If you would like to capture these RPC calls using Splunk Stream, please vote for my idea here https://ideas.splunk.com/ideas/APPSID-I-619 ;)", "data_source": [], "search": "`zeek_rpc` DrsReplicaAdd OR DRSGetNCChanges | where NOT (dest_category=\"Domain Controller\") OR NOT (src_category=\"Domain Controller\") | fillnull value=\"Unknown\" src_category, dest_category | table _time endpoint operation src src_category dest dest_category | `windows_ad_rogue_domain_controller_network_activity_filter`", "how_to_implement": "Run zeek on domain controllers to capture the DCE RPC calls, ensure the domain controller categories are defined in Assets and Identities.", "known_false_positives": "None.", "references": ["https://adsecurity.org/?p=1729"], "tags": {"name": "Windows AD Rogue Domain Controller Network Activity", "analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "Rogue DC Activity Detected from $src_category$ device $src$ to $dest$ ($dest_category$)", "mitre_attack_id": ["T1207"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "dest", "type": "IP Address", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "src", "dest"], "risk_score": 100, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1207", "mitre_attack_technique": "Rogue Domain Controller", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "datamodel": ["Change"], "macros": [{"name": "zeek_rpc", "definition": "index=zeek sourcetype=\"zeek:rpc:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_rogue_domain_controller_network_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/windows_ad_rogue_domain_controller_network_activity.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Zeek x509 Certificate with Punycode", "id": "029d6fe4-a5fe-43af-827e-c78c50e81d81", "version": 1, "date": "2022-11-03", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "experimental", "description": "The following analytic utilizes the Zeek x509 log. Modify the zeek_x509 macro with your index and sourcetype as needed. You will need to ensure the full x509 is logged as the potentially malicious punycode is nested under subject alternative names. In this particular analytic, it will identify punycode within the subject alternative name email and other fields. Note, that OtherFields is meant to be BOOL (true,false), therefore we may never see xn-- in that field. Upon identifying punycode, manually copy and paste, or add CyberChef recipe to query, and decode the punycode manually.", "data_source": [], "search": "`zeek_x509` | rex field=san.email{} \"\\@(?xn--.*)\" | rex field=san.other_fields{} \"\\@(?xn--.*)\" | stats values(domain_detected) by basic_constraints.ca source host | `zeek_x509_certificate_with_punycode_filter`", "how_to_implement": "The following analytic requires x509 certificate data to be logged entirely. In particular, for CVE-2022-3602, the punycode will be within the leaf certificate. The analytic may be modified to look for all xn--, or utilize a network IDS/monitoring tool like Zeek or Suricata to drill down into cert captured. Note for Suricata, the certificate is base64 encoded and will need to be decoded to capture the punycode (punycode will need to be decoded after).", "known_false_positives": "False positives may be present if the organization works with international businesses. Filter as needed.", "references": ["https://community.emergingthreats.net/t/out-of-band-ruleset-update-summary-2022-11-01/117", "https://github.com/corelight/CVE-2022-3602/tree/master/scripts", "https://docs.zeek.org/en/master/logs/x509.html", "https://www.splunk.com/en_us/blog/security/nothing-puny-about-cve-2022-3602.html", "https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/", "https://docs.zeek.org/en/master/scripts/base/init-bare.zeek.html#type-X509::SubjectAlternativeName"], "tags": {"name": "Zeek x509 Certificate with Punycode", "analytic_story": ["OpenSSL CVE-2022-3602"], "asset_type": "Network", "cis20": ["CIS 13"], "confidence": 30, "impact": 50, "kill_chain_phases": ["Command And Control"], "message": "A x509 certificate has been identified to have punycode in the subject alternative name on $dest$.", "mitre_attack_id": ["T1573"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["domain_detected", "basic_constraints.ca", "source", "host"], "risk_score": 15, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1573", "mitre_attack_technique": "Encrypted Channel", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT29", "BITTER", "Magic Hound", "Tropic Trooper"]}]}, "datamodel": [], "macros": [{"name": "zeek_x509", "definition": "sourcetype=\"zeek:x509:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "zeek_x509_certificate_with_punycode_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/zeek_x509_certificate_with_punycode.yml", "source": "network"}, {"name": "Confluence Unauthenticated Remote Code Execution CVE-2022-26134", "id": "fcf4bd3f-a79f-4b7a-83bf-2692d60b859c", "version": 1, "date": "2022-06-03", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic assists with identifying CVE-2022-26134 based exploitation utilizing the Web datamodel to cover network and CIM compliant web logs. The parameters were captured from live scanning and the POC provided by Rapid7. This analytic is written against multiple proof of concept codes released and seen in the wild (scanning). During triage, review any endpoint based logs for further activity including writing a jsp file to disk and commands/processes spawning running as root from the Confluence process.", "data_source": [], "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*${*\", \"*%2F%7B*\") (Web.url=\"*org.apache.commons.io.IOUtils*\" Web.url=\"*java.lang.Runtime@getRuntime().exec*\") OR (Web.url=\"*java.lang.Runtime%40getRuntime%28%29.exec*\") OR (Web.url=\"*getEngineByName*\" AND Web.url=\"*nashorn*\" AND Web.url=\"*ProcessBuilder*\") by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `confluence_unauthenticated_remote_code_execution_cve_2022_26134_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache or Splunk for Nginx. In addition, network based logs or event data like PAN Threat.", "known_false_positives": "Tune based on assets if possible, or restrict to known Confluence servers. Remove the ${ for a more broad query. To identify more exec, remove everything up to the last parameter (Runtime().exec) for a broad query.", "references": ["https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html", "https://www.splunk.com/en_us/blog/security/atlassian-confluence-vulnerability-cve-2022-26134.html", "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", "https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/"], "tags": {"name": "Confluence Unauthenticated Remote Code Execution CVE-2022-26134", "analytic_story": ["Atlassian Confluence Server and Data Center CVE-2022-26134"], "asset_type": "Web Server", "cis20": ["CIS 13"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Installation", "Delivery"], "message": "A URL was requested related to CVE-2022-26134, a unauthenticated remote code execution vulnerability, on $dest$ by $src$.", "mitre_attack_id": ["T1505", "T1190"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "IP Address", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Web.http_method", "Web.url", "Web.url_length", "Web.src", "Web.dest", "Web.http_user_agent"], "risk_score": 100, "security_domain": "network", "risk_severity": "high", "cve": ["CVE-2022-26134"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/java/confluence.log", "source": "pan:threat", "sourcetype": "pan:threat", "update_timestamp": true}]}], "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "confluence_unauthenticated_remote_code_execution_cve_2022_26134_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-26134", "cvss": 7.5, "summary": "In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml", "source": "web", "nes_fields": "user,dest"}, {"name": "Detect attackers scanning for vulnerable JBoss servers", "id": "104658f4-afdc-499e-9719-17243f982681", "version": 1, "date": "2017-09-23", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "experimental", "description": "This search looks for specific GET or HEAD requests to web servers that are indicative of reconnaissance attempts to identify vulnerable JBoss servers. JexBoss is described as the exploit tool of choice for this malicious activity.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.http_method=\"GET\" OR Web.http_method=\"HEAD\") AND (Web.url=\"*/web-console/ServerInfo.jsp*\" OR Web.url=\"*web-console*\" OR Web.url=\"*jmx-console*\" OR Web.url = \"*invoker*\") by Web.http_method, Web.url, Web.src, Web.dest | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_attackers_scanning_for_vulnerable_jboss_servers_filter`", "how_to_implement": "You must be ingesting data from the web server or network traffic that contains web specific information, and populating the Web data model.", "known_false_positives": "It's possible for legitimate HTTP requests to be made to URLs containing the suspicious paths.", "references": [], "tags": {"name": "Detect attackers scanning for vulnerable JBoss servers", "analytic_story": ["JBoss Vulnerability", "SamSam Ransomware"], "asset_type": "Web Server", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1082"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Web.http_method", "Web.url", "Web.src", "Web.dest"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TeamTNT", "Tropic Trooper", "Turla", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}]}, "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_attackers_scanning_for_vulnerable_jboss_servers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/detect_attackers_scanning_for_vulnerable_jboss_servers.yml", "source": "web", "nes_fields": "user,dest"}, {"name": "Detect F5 TMUI RCE CVE-2020-5902", "id": "810e4dbc-d46e-11ea-87d0-0242ac130003", "version": 1, "date": "2020-08-02", "author": "Shannon Davis, Splunk", "type": "TTP", "status": "experimental", "description": "This search detects remote code exploit attempts on F5 BIG-IP, BIG-IQ, and Traffix SDC devices", "data_source": [], "search": "`f5_bigip_rogue` | regex _raw=\"(hsqldb;|.*\\\\.\\\\.;.*)\" | search `detect_f5_tmui_rce_cve_2020_5902_filter`", "how_to_implement": "To consistently detect exploit attempts on F5 devices using the vulnerabilities contained within CVE-2020-5902 it is recommended to ingest logs via syslog. As many BIG-IP devices will have SSL enabled on their management interfaces, detections via wire data may not pick anything up unless you are decrypting SSL traffic in order to inspect it. I am using a regex string from a Cloudflare mitigation technique to try and always catch the offending string (..;), along with the other exploit of using (hsqldb;).", "known_false_positives": "unknown", "references": ["https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/", "https://support.f5.com/csp/article/K52145254"], "tags": {"name": "Detect F5 TMUI RCE CVE-2020-5902", "analytic_story": ["F5 TMUI RCE CVE-2020-5902"], "asset_type": "Network", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "tbd", "mitre_attack_id": ["T1190"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "cve": ["CVE-2020-5902"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}]}, "datamodel": [], "macros": [{"name": "f5_bigip_rogue", "definition": "index=netops sourcetype=\"f5:bigip:rogue\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_f5_tmui_rce_cve_2020_5902_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2020-5902", "cvss": 10.0, "summary": "In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/detect_f5_tmui_rce_cve_2020_5902.yml", "source": "web", "nes_fields": "user,dest"}, {"name": "Detect malicious requests to exploit JBoss servers", "id": "c8bff7a4-11ea-4416-a27d-c5bca472913d", "version": 1, "date": "2017-09-23", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "experimental", "description": "This search is used to detect malicious HTTP requests crafted to exploit jmx-console in JBoss servers. The malicious requests have a long URL length, as the payload is embedded in the URL.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.http_method=\"GET\" OR Web.http_method=\"HEAD\") by Web.http_method, Web.url,Web.url_length Web.src, Web.dest | search Web.url=\"*jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin*import*\" AND Web.url_length > 200 | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table src, dest_ip, http_method, url, firstTime, lastTime | `detect_malicious_requests_to_exploit_jboss_servers_filter`", "how_to_implement": "You must ingest data from the web server or capture network data that contains web specific information with solutions such as Bro or Splunk Stream, and populating the Web data model", "known_false_positives": "No known false positives for this detection.", "references": [], "tags": {"name": "Detect malicious requests to exploit JBoss servers", "analytic_story": ["JBoss Vulnerability", "SamSam Ransomware"], "asset_type": "Web Server", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Web.http_method", "Web.url", "Web.url_length", "Web.src", "Web.dest"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_malicious_requests_to_exploit_jboss_servers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/detect_malicious_requests_to_exploit_jboss_servers.yml", "source": "web", "nes_fields": "user,dest"}, {"name": "Exploit Public Facing Application via Apache Commons Text", "id": "19a481e0-c97c-4d14-b1db-75a708eb592e", "version": 2, "date": "2023-01-23", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies activity related to Text4Shell, or the critical vulnerability CVE-2022-42889 in Apache Commons Text Library. Apache Commons Text versions 1.5 through 1.9 are affected, but it has been patched in version 1.10. The analytic may need to be tuned for your environment before enabling as a TTP, or direct Notable. Apache Commons Text is a Java library described as a library focused on algorithms working on strings. We can see it as a general-purpose text manipulation toolkit. This vulnerability affects the StringSubstitutor interpolator class, which is included in the Commons Text library. A default interpolator allows for string lookups that can lead to Remote Code Execution. This is due to a logic flaw that makes the script, dns, and url lookup keys interpolated by default, as opposed to what it should be, according to the documentation of the StringLookupFactory class. Those keys allow an attacker to execute arbitrary code via lookups.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.http_method IN (POST, GET) by Web.src Web.status Web.uri_path Web.dest Web.http_method Web.uri_query Web.http_user_agent | `drop_dm_object_name(\"Web\")` | eval utf=if(like(lower(uri_query),\"%:utf-8:http%\"),2,0) | eval lookup = if(like(lower(uri_query), \"%url%\") OR like(lower(uri_query), \"%dns%\") OR like(lower(uri_query), \"%script%\"),2,0) | eval other_lookups = if(like(lower(uri_query), \"%env%\") OR like(lower(uri_query), \"%file%\") OR like(lower(uri_query), \"%getRuntime%\") OR like(lower(uri_query), \"%java%\") OR like(lower(uri_query), \"%localhost%\") OR like(lower(uri_query), \"%properties%\") OR like(lower(uri_query), \"%resource%\") OR like(lower(uri_query), \"%sys%\") OR like(lower(uri_query), \"%xml%\") OR like(lower(uri_query), \"%base%\"),1,0) | addtotals fieldname=Score utf lookup other_lookups | fields Score, src, dest, status, uri_query, uri_path, http_method, http_user_agent firstTime lastTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where Score >= 4 | `exploit_public_facing_application_via_apache_commons_text_filter`", "how_to_implement": "To implement, one must be collecting network traffic that is normalized in CIM and able to be queried via the Web datamodel. Or, take the chunks out needed and tie to a specific network source type to hunt in. Tune as needed, or remove the other_lookups statement.", "known_false_positives": "False positives are present when the values are set to 1 for utf and lookup. It's possible to raise this to TTP (direct notable) if removal of other_lookups occur and Score is raised to 2 (down from 4).", "references": ["https://sysdig.com/blog/cve-2022-42889-text4shell/", "https://nvd.nist.gov/vuln/detail/CVE-2022-42889", "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om", "https://www.rapid7.com/blog/post/2022/10/17/cve-2022-42889-keep-calm-and-stop-saying-4shell/", "https://github.com/kljunowsky/CVE-2022-42889-text4shell", "https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035"], "tags": {"name": "Exploit Public Facing Application via Apache Commons Text", "analytic_story": ["Text4Shell CVE-2022-42889"], "asset_type": "Web Server", "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation", "Delivery"], "message": "A URL was requested related to Text4Shell on $dest$ by $src$.", "mitre_attack_id": ["T1505.003", "T1505", "T1190"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "IP Address", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Web.http_method", "Web.src", "Web.dest", "Web.http_user_agent", "Web.status", "Web.uri_query", "Web.uri_path"], "risk_score": 49, "security_domain": "network", "risk_severity": "low", "cve": ["CVE-2022-42889"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/text4shell/text4shell.log", "source": "bro:http:json", "sourcetype": "bro:http:json", "update_timestamp": true}]}], "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "exploit_public_facing_application_via_apache_commons_text_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-42889", "cvss": null, "summary": "Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is \"${prefix:name}\", where \"prefix\" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - \"script\" - execute expressions using the JVM script execution engine (javax.script) - \"dns\" - resolve dns records - \"url\" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/exploit_public_facing_application_via_apache_commons_text.yml", "source": "web"}, {"name": "Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952", "id": "2038f5c6-5aba-4221-8ae2-ca76e2ca8b97", "version": 1, "date": "2023-02-21", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a recent CVE-2022-39952 released publicly where the URI configWizard/keyUpload.jsp recieves a POST with the payload.zip, from there the POC script will schedule a cron to run the payload and contact the remote C2.", "data_source": [], "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*configWizard/keyUpload.jsp*\") by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `exploit_public_facing_fortinet_fortinac_cve_2022_39952_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "False positives may be present. Modify the query as needed to POST, or add additional filtering (based on log source).", "references": ["https://github.com/horizon3ai/CVE-2022-39952", "https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/", "https://viz.greynoise.io/tag/fortinac-rce-attempt?days=30"], "tags": {"name": "Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952", "analytic_story": ["Fortinet FortiNAC CVE-2022-39952"], "asset_type": "Network", "cis20": ["CIS 13"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Delivery"], "message": "Potential CVE-2022-39952 against a Fortinet NAC may be occurring against $dest$.", "mitre_attack_id": ["T1190"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Web.http_user_agent", "Web.http_method", "Web.url", "Web.url_length", "Web.src", "Web.dest", "sourcetype"], "risk_score": 64, "security_domain": "network", "risk_severity": "medium", "cve": ["CVE-2022-39952"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/fortigate/web_fortinetnac.log", "source": "pan:threat", "sourcetype": "pan:threat", "update_timestamp": true}]}], "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "exploit_public_facing_fortinet_fortinac_cve_2022_39952_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-39952", "cvss": null, "summary": "A external control of file name or path in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, 8.3.7 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP request."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/exploit_public_facing_fortinet_fortinac_cve_2022_39952.yml", "source": "web", "nes_fields": "user,dest"}, {"name": "Fortinet Appliance Auth bypass", "id": "a83122f2-fa09-4868-a230-544dbc54bc1c", "version": 1, "date": "2022-10-14", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "CVE-2022-40684 is a Fortinet appliance auth bypass that is actively being exploited and a POC is released publicy. The POC adds a SSH key to the appliance. Note that the exploit can be used with any HTTP method (GET, POST, PUT, DELETE, etc). The REST API request failing is not an indication that an attacker was unsuccessful. Horizon3 was able to modify the admin SSH keys though a REST API request that reportedly failed. The collection /api/v2/ endpoints can be used to configure the system and modify the administrator user. Any logs found that meet the above conditions and also have a URL containing /api/v2/ should be cause for concern. Further investigation of any matching log entries can reveal any damage an attack has done. Additionally, an attacker may perform the following actions to further compromise a system Modify the admin SSH key to enable the attacker to login to the compromised system. \\\nAdd new local users. \\\nUpdate networking configurations to reroute traffic. \\\nDownload the system configuration. \\\nInitiate packet captures to capture other sensitive system information. Reference Horizon3.ai", "data_source": [], "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/api/v2/cmdb/system/admin*\") Web.http_method IN (\"GET\", \"PUT\") by Web.http_user_agent, Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `fortinet_appliance_auth_bypass_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache. Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "GET requests will be noisy and need to be filtered out or removed from the query based on volume. Restrict analytic to known publically facing Fortigates, or run analytic as a Hunt until properly tuned. It is also possible the user agent may be filtered on Report Runner or Node.js only for the exploit, however, it is unknown at this if other user agents may be used.", "references": ["https://www.wordfence.com/blog/2022/10/threat-advisory-cve-2022-40684-fortinet-appliance-auth-bypass/", "https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/", "https://github.com/horizon3ai/CVE-2022-40684", "https://www.horizon3.ai/fortinet-iocs-cve-2022-40684/", "https://attackerkb.com/topics/QWOxGIKkGx/cve-2022-40684/rapid7-analysis", "https://github.com/rapid7/metasploit-framework/pull/17143"], "tags": {"name": "Fortinet Appliance Auth bypass", "analytic_story": ["CVE-2022-40684 Fortinet Appliance Auth bypass"], "asset_type": "Network", "cis20": ["CIS 13"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Delivery"], "message": "Potential CVE-2022-40684 against a Fortinet appliance may be occurring against $dest$.", "mitre_attack_id": ["T1190"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Web.http_user_agent", "Web.http_method", "Web.url", "Web.url_length", "Web.src", "Web.dest", "sourcetype"], "risk_score": 81, "security_domain": "network", "risk_severity": "high", "cve": ["CVE-2022-40684"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/fortigate/fortinetcve202240684.log", "source": "pan:threat", "sourcetype": "pan:threat", "update_timestamp": true}]}], "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "fortinet_appliance_auth_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-40684", "cvss": null, "summary": "An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated atttacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/fortinet_appliance_auth_bypass.yml", "source": "web", "nes_fields": "user,dest"}, {"name": "Hunting for Log4Shell", "id": "158b68fa-5d1a-11ec-aac8-acde48001122", "version": 1, "date": "2021-12-14", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following hunting query assists with quickly assessing CVE-2021-44228, or Log4Shell, activity mapped to the Web Datamodel. This is a combination query attempting to identify, score and dashboard. Because the Log4Shell vulnerability requires the string to be in the logs, this will work to identify the activity anywhere in the HTTP headers using _raw. Modify the first line to use the same pattern matching against other log sources. Scoring is based on a simple rubric of 0-5. 5 being the best match, and less than 5 meant to identify additional patterns that will equate to a higher total score. \\\nThe first jndi match identifies the standard pattern of `{jndi:` \\\njndi_fastmatch is meant to identify any jndi in the logs. The score is set low and is meant to be the \"base\" score used later. \\\njndi_proto is a protocol match that identifies `jndi` and one of `ldap, ldaps, rmi, dns, nis, iiop, corba, nds, http, https.` \\\nall_match is a very well written regex by https://gist.github.com/Schvenn that identifies nearly all patterns of this attack behavior. \\\nenv works to identify environment variables in the header, meant to capture `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `env`. \\\nuri_detect is string match looking for the common uri paths currently being scanned/abused in the wild. \\\nkeywords matches on enumerated values that, like `$ctx:loginId`, that may be found in the header used by the adversary. \\\nlookup matching is meant to catch some basic obfuscation that has been identified using upper, lower and date. \\\nScoring will then occur based on any findings. The base score is meant to be 2 , created by jndi_fastmatch. Everything else is meant to increase that score. \\\nFinally, a simple table is created to show the scoring and the _raw field. Sort based on score or columns of interest.", "data_source": [], "search": "| from datamodel Web.Web | eval jndi=if(match(_raw, \"(\\{|%7B)[jJnNdDiI]{4}:\"),4,0) | eval jndi_fastmatch=if(match(_raw, \"[jJnNdDiI]{4}\"),2,0) | eval jndi_proto=if(match(_raw,\"(?i)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http|https):\"),5,0) | eval all_match = if(match(_raw, \"(?i)(%(25){0,}20|\\s)*(%(25){0,}24|\\$)(%(25){0,}20|\\s)*(%(25){0,}7B|{)(%(25){0,}20|\\s)*(%(25){0,}(6A|4A)|J)(%(25){0,}(6E|4E)|N)(%(25){0,}(64|44)|D)(%(25){0,}(69|49)|I)(%(25){0,}20|\\s)*(%(25){0,}3A|:)[\\w\\%]+(%(25){1,}3A|:)(%(25){1,}2F|\\/)[^\\n]+\"),5,0) | eval env_var = if(match(_raw, \"env:\") OR match(_raw, \"env:AWS_ACCESS_KEY_ID\") OR match(_raw, \"env:AWS_SECRET_ACCESS_KEY\"),5,0) | eval uridetect = if(match(_raw, \"(?i)Basic\\/Command\\/Base64|Basic\\/ReverseShell|Basic\\/TomcatMemshell|Basic\\/JBossMemshell|Basic\\/WebsphereMemshell|Basic\\/SpringMemshell|Basic\\/Command|Deserialization\\/CommonsCollectionsK|Deserialization\\/CommonsBeanutils|Deserialization\\/Jre8u20\\/TomcatMemshell|Deserialization\\/CVE_2020_2555\\/WeblogicMemshell|TomcatBypass|GroovyBypass|WebsphereBypass\"),4,0) | eval keywords = if(match(_raw,\"(?i)\\$\\{ctx\\:loginId\\}|\\$\\{map\\:type\\}|\\$\\{filename\\}|\\$\\{date\\:MM-dd-yyyy\\}|\\$\\{docker\\:containerId\\}|\\$\\{docker\\:containerName\\}|\\$\\{docker\\:imageName\\}|\\$\\{env\\:USER\\}|\\$\\{event\\:Marker\\}|\\$\\{mdc\\:UserId\\}|\\$\\{java\\:runtime\\}|\\$\\{java\\:vm\\}|\\$\\{java\\:os\\}|\\$\\{jndi\\:logging/context-name\\}|\\$\\{hostName\\}|\\$\\{docker\\:containerId\\}|\\$\\{k8s\\:accountName\\}|\\$\\{k8s\\:clusterName\\}|\\$\\{k8s\\:containerId\\}|\\$\\{k8s\\:containerName\\}|\\$\\{k8s\\:host\\}|\\$\\{k8s\\:labels.app\\}|\\$\\{k8s\\:labels.podTemplateHash\\}|\\$\\{k8s\\:masterUrl\\}|\\$\\{k8s\\:namespaceId\\}|\\$\\{k8s\\:namespaceName\\}|\\$\\{k8s\\:podId\\}|\\$\\{k8s\\:podIp\\}|\\$\\{k8s\\:podName\\}|\\$\\{k8s\\:imageId\\}|\\$\\{k8s\\:imageName\\}|\\$\\{log4j\\:configLocation\\}|\\$\\{log4j\\:configParentLocation\\}|\\$\\{spring\\:spring.application.name\\}|\\$\\{main\\:myString\\}|\\$\\{main\\:0\\}|\\$\\{main\\:1\\}|\\$\\{main\\:2\\}|\\$\\{main\\:3\\}|\\$\\{main\\:4\\}|\\$\\{main\\:bar\\}|\\$\\{name\\}|\\$\\{marker\\}|\\$\\{marker\\:name\\}|\\$\\{spring\\:profiles.active[0]|\\$\\{sys\\:logPath\\}|\\$\\{web\\:rootDir\\}|\\$\\{sys\\:user.name\\}\"),4,0) | eval obf = if(match(_raw, \"(\\$|%24)[^ /]*({|%7b)[^ /]*(j|%6a)[^ /]*(n|%6e)[^ /]*(d|%64)[^ /]*(i|%69)[^ /]*(:|%3a)[^ /]*(:|%3a)[^ /]*(/|%2f)\"),5,0) | eval lookups = if(match(_raw, \"(?i)({|%7b)(main|sys|k8s|spring|lower|upper|env|date|sd)\"),4,0) | addtotals fieldname=Score, jndi, jndi_proto, env_var, uridetect, all_match, jndi_fastmatch, keywords, obf, lookups | where Score > 2 | stats values(Score) by jndi, jndi_proto, env_var, uridetect, all_match, jndi_fastmatch, keywords, lookups, obf, _raw | `hunting_for_log4shell_filter`", "how_to_implement": "Out of the box, the Web datamodel is required to be pre-filled. However, tested was performed against raw httpd access logs. Change the first line to any dataset to pass the regex's against.", "known_false_positives": "It is highly possible you will find false positives, however, the base score is set to 2 for _any_ jndi found in raw logs. tune and change as needed, include any filtering.", "references": ["https://gist.github.com/olafhartong/916ebc673ba066537740164f7e7e1d72", "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b#gistcomment-3994449", "https://regex101.com/r/OSrm0q/1/", "https://github.com/Neo23x0/signature-base/blob/master/yara/expl_log4j_cve_2021_44228.yar", "https://news.sophos.com/en-us/2021/12/12/log4shell-hell-anatomy-of-an-exploit-outbreak/", "https://gist.github.com/MHaggis/1899b8554f38c8692a9fb0ceba60b44c", "https://twitter.com/sasi2103/status/1469764719850442760?s=20"], "tags": {"name": "Hunting for Log4Shell", "analytic_story": ["Log4Shell CVE-2021-44228", "CISA AA22-320A"], "asset_type": "Web Server", "cis20": ["CIS 13"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Delivery"], "message": "Hunting for Log4Shell exploitation has occurred.", "mitre_attack_id": ["T1190"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "http_method", "type": "Other", "role": ["Other"]}, {"name": "src", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "_raw"], "risk_score": 40, "security_domain": "network", "risk_severity": "low", "cve": ["CVE-2021-44228"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/java/log4shell-nginx.log", "source": "/var/log/nginx/access.log", "sourcetype": "nginx:plus:kv"}]}], "datamodel": ["Web"], "macros": [{"name": "hunting_for_log4shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-44228", "cvss": 9.3, "summary": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/hunting_for_log4shell.yml", "source": "web"}, {"name": "Log4Shell JNDI Payload Injection Attempt", "id": "c184f12e-5c90-11ec-bf1f-497c9a704a72", "version": 1, "date": "2021-12-13", "author": "Jose Hernandez", "type": "Anomaly", "status": "production", "description": "CVE-2021-44228 Log4Shell payloads can be injected via various methods, but on of the most common vectors injection is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them are specially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various part of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. If you see results for this detection, it means that there was a attempt at a injection, which could be a reconnaissance activity or a valid expliotation attempt, but this does not exactly mean that the host was indeed successfully exploited.", "data_source": [], "search": "| from datamodel Web.Web | regex _raw=\"[jJnNdDiI]{4}(\\:|\\%3A|\\/|\\%2F)\\w+(\\:\\/\\/|\\%3A\\%2F\\%2F)(\\$\\{.*?\\}(\\.)?)?\" | fillnull | stats count by action, category, dest, dest_port, http_content_type, http_method, http_referrer, http_user_agent, site, src, url, url_domain, user | `log4shell_jndi_payload_injection_attempt_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache or Splunk for Nginx.", "known_false_positives": "If there is a vulnerablility scannner looking for log4shells this will trigger, otherwise likely to have low false positives.", "references": ["https://www.lunasec.io/docs/blog/log4j-zero-day/"], "tags": {"name": "Log4Shell JNDI Payload Injection Attempt", "analytic_story": ["Log4Shell CVE-2021-44228", "CISA AA22-257A", "CISA AA22-320A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "CVE-2021-44228 Log4Shell triggered for host $dest$", "mitre_attack_id": ["T1190"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["action", "category", "dest", "dest_port", "http_content_type", "http_method", "http_referrer", "http_user_agent", "site", "src", "url", "url_domain", "user"], "risk_score": 15, "security_domain": "threat", "risk_severity": "low", "cve": ["CVE-2021-44228"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/log4j_proxy_logs/log4j_proxy_logs.log", "source": "nginx", "sourcetype": "nginx:plus:kv"}]}], "datamodel": ["Web"], "macros": [{"name": "log4shell_jndi_payload_injection_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-44228", "cvss": 9.3, "summary": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/log4shell_jndi_payload_injection_attempt.yml", "source": "web"}, {"name": "Log4Shell JNDI Payload Injection with Outbound Connection", "id": "69afee44-5c91-11ec-bf1f-497c9a704a72", "version": 1, "date": "2021-12-13", "author": "Jose Hernandez", "type": "Anomaly", "status": "production", "description": "CVE-2021-44228 Log4Shell payloads can be injected via various methods, but on of the most common vectors injection is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them are specially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various part of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we match the invocation function with a network connection to a malicious ip address.", "data_source": [], "search": "| from datamodel Web.Web | rex field=_raw max_match=0 \"[jJnNdDiI]{4}(\\:|\\%3A|\\/|\\%2F)(?\\w+)(\\:\\/\\/|\\%3A\\%2F\\%2F)(\\$\\{.*?\\}(\\.)?)?(?[a-zA-Z0-9\\.\\-\\_\\$]+)\" | join affected_host type=inner [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic.All_Traffic by All_Traffic.dest | `drop_dm_object_name(All_Traffic)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename dest AS affected_host] | fillnull | stats count by action, category, dest, dest_port, http_content_type, http_method, http_referrer, http_user_agent, site, src, url, url_domain, user | `log4shell_jndi_payload_injection_with_outbound_connection_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache or Splunk for Nginx.", "known_false_positives": "If there is a vulnerablility scannner looking for log4shells this will trigger, otherwise likely to have low false positives.", "references": ["https://www.lunasec.io/docs/blog/log4j-zero-day/"], "tags": {"name": "Log4Shell JNDI Payload Injection with Outbound Connection", "analytic_story": ["Log4Shell CVE-2021-44228", "CISA AA22-320A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "CVE-2021-44228 Log4Shell triggered for host $dest$", "mitre_attack_id": ["T1190"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["action", "category", "dest", "dest_port", "http_content_type", "http_method", "http_referrer", "http_user_agent", "site", "src", "url", "url_domain", "user"], "risk_score": 15, "security_domain": "threat", "risk_severity": "low", "cve": ["CVE-2021-44228"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/log4j_proxy_logs/log4j_proxy_logs.log", "source": "nginx", "sourcetype": "nginx:plus:kv"}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/log4j_network_logs/log4j_network_logs.log", "source": "stream:Splunk_IP", "sourcetype": "stream:ip"}]}], "datamodel": ["Network_Traffic", "Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "log4shell_jndi_payload_injection_with_outbound_connection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-44228", "cvss": 9.3, "summary": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml", "source": "web"}, {"name": "Monitor Web Traffic For Brand Abuse", "id": "134da869-e264-4a8f-8d7e-fcd0ec88f301", "version": 1, "date": "2017-09-23", "author": "David Dorsey, Splunk", "type": "TTP", "status": "experimental", "description": "This search looks for Web requests to faux domains similar to the one that you want to have monitored for abuse.", "data_source": [], "search": "| tstats `security_content_summariesonly` values(Web.url) as urls min(_time) as firstTime from datamodel=Web by Web.src | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `brand_abuse_web` | `monitor_web_traffic_for_brand_abuse_filter`", "how_to_implement": "You need to ingest data from your web traffic. This can be accomplished by indexing data from a web proxy, or using a network traffic analysis tool, such as Bro or Splunk Stream. You also need to have run the search \"ESCU - DNSTwist Domain Names\", which creates the permutations of the domain that will be checked for.", "known_false_positives": "None at this time", "references": [], "tags": {"name": "Monitor Web Traffic For Brand Abuse", "analytic_story": ["Brand Monitoring"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.CM"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Web.url", "Web.src"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": ["Web"], "macros": [{"name": "brand_abuse_web", "definition": "lookup update=true brandMonitoring_lookup domain as urls OUTPUT domain_abuse | search domain_abuse=true", "description": "This macro limits the output to only domains that are in the brand monitoring lookup file"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "monitor_web_traffic_for_brand_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/monitor_web_traffic_for_brand_abuse.yml", "source": "web", "nes_fields": "user,dest"}, {"name": "PaperCut NG Remote Web Access Attempt", "id": "9fcb214a-dc42-4ce7-a650-f1d2cab16a6a", "version": 1, "date": "2023-05-15", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic is designed to detect potential exploitation attempts on publicly accessible PaperCut NG servers. It identifies connections from public IP addresses to the server and specifically monitors for URI paths commonly found in proof-of-concept (POC) scripts for exploiting PaperCut NG vulnerabilities. These URI paths have been observed in both Metasploit modules and standalone scripts used for attacking PaperCut NG servers. When a public IP address is detected accessing one or more of these suspicious URI paths, an alert may be generated to notify the security team of the potential threat. The team can then investigate the source IP address, the targeted PaperCut NG server, and any other relevant information to determine the nature of the activity and take appropriate actions to mitigate the risk.", "data_source": [], "search": "| tstats count from datamodel=Web where Web.url IN (\"/app?service=page/SetupCompleted\", \"/app\", \"/app?service=page/PrinterList\", \"/app?service=direct/1/PrinterList/selectPrinter&sp=*\", \"/app?service=direct/1/PrinterDetails/printerOptionsTab.tab\") NOT (src IN (\"10.*.*.*\",\"172.16.*.*\", \"192.168.*.*\", \"169.254.*.*\", \"127.*.*.*\", \"fc00::*\", \"fd00::*\", \"fe80::*\")) by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest Web.dest_port sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `papercut_ng_remote_web_access_attempt_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-and-fbi-release-joint-advisory-response-active-exploitation-papercut-vulnerability", "https://www.papercut.com/kb/Main/PO-1216-and-PO-1219", "https://www.horizon3.ai/papercut-cve-2023-27350-deep-dive-and-indicators-of-compromise/", "https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-bug-in-papercut-servers/", "https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software"], "tags": {"name": "PaperCut NG Remote Web Access Attempt", "analytic_story": ["PaperCut MF NG Vulnerability"], "asset_type": "Web Server", "cis20": ["CIS 13"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Delivery"], "message": "URIs specific to PaperCut NG have been access by a public IP against $dest$.", "mitre_attack_id": ["T1190"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Web.http_user_agent", "Web.http_method", "Web.url", "Web.url_length", "Web.src", "Web.dest", "sourcetype"], "risk_score": 63, "security_domain": "network", "risk_severity": "medium", "atomic_guid": [], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/papercut/papercutng-suricata.log", "source": "suricata", "sourcetype": "suricata"}]}], "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "papercut_ng_remote_web_access_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/papercut_ng_remote_web_access_attempt.yml", "source": "web", "nes_fields": "user,dest"}, {"name": "ProxyShell ProxyNotShell Behavior Detected", "id": "c32fab32-6aaf-492d-bfaf-acbed8e50cdf", "version": 1, "date": "2022-10-03", "author": "Michael Haag, Splunk", "type": "Correlation", "status": "production", "description": "The following correlation will identify activity related to Windows Exchange being actively exploited by adversaries related to ProxyShell or ProxyNotShell. In addition, the analytic correlates post-exploitation Cobalt Strike analytic story. Common post-exploitation behavior has been seen in the wild includes adversaries running nltest, Cobalt Strike, Mimikatz and adding a new user. The correlation specifically looks for 5 distinct analyticstories to trigger. Modify or tune as needed for your organization. 5 analytics is an arbitrary number but was chosen to reduce the amount of noise but also require the 2 analytic stories or a ProxyShell and CobaltStrike to fire. Adversaries will exploit the vulnerable Exchange server, abuse SSRF, drop a web shell, utilize the PowerShell Exchange modules and begin post-exploitation.", "data_source": [], "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.analyticstories) as analyticstories values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count dc(All_Risk.analyticstories) as dc_analyticstories from datamodel=Risk.All_Risk where All_Risk.analyticstories IN (\"ProxyNotShell\",\"ProxyShell\") OR (All_Risk.analyticstories IN (\"ProxyNotShell\",\"ProxyShell\") AND All_Risk.analyticstories=\"Cobalt Strike\") All_Risk.risk_object_type=\"system\" by _time span=1h All_Risk.risk_object All_Risk.risk_object_type | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| where source_count >=5 | `proxyshell_proxynotshell_behavior_detected_filter`", "how_to_implement": "To implement this correlation, you will need to enable ProxyShell, ProxyNotShell and Cobalt Strike analytic stories (the anaytics themselves) and ensure proper data is being collected for Web and Endpoint datamodels. Run the correlation rule seperately to validate it is not triggering too much or generating incorrectly. Validate by running ProxyShell POC code and Cobalt Strike behavior.", "known_false_positives": "False positives will be limited, however tune or modify the query as needed.", "references": ["https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html", "https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/"], "tags": {"name": "ProxyShell ProxyNotShell Behavior Detected", "analytic_story": ["ProxyShell", "ProxyNotShell"], "asset_type": "Web Server", "cis20": ["CIS 13"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Delivery"], "message": "ProxyShell or ProxyNotShell activity has been identified on $risk_object$.", "mitre_attack_id": ["T1190"], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["All_Risk.analyticstories", "All_Risk.risk_object_type", "All_Risk.risk_object", "All_Risk.annotations.mitre_attack.mitre_tactic", "source"], "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/proxyshell/proxyshell-risk.log", "source": "proxyshell", "sourcetype": "stash", "update_timestamp": true}]}], "datamodel": ["Risk"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "proxyshell_proxynotshell_behavior_detected_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/proxyshell_proxynotshell_behavior_detected.yml", "source": "web", "nes_fields": "user,dest"}, {"name": "Spring4Shell Payload URL Request", "id": "9d44d649-7d67-4559-95c1-8022ff49420b", "version": 1, "date": "2022-07-12", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic is static indicators related to CVE-2022-22963, Spring4Shell. The 3 indicators provide an amount of fidelity that source IP is attemping to exploit a web shell on the destination. The filename and cmd are arbitrary in this exploitation. Java will write a JSP to disk and a process will spawn from Java based on the cmd passed. This is indicative of typical web shell activity.", "data_source": [], "search": "| tstats count from datamodel=Web where Web.http_method IN (\"GET\") Web.url IN (\"*tomcatwar.jsp*\",\"*poc.jsp*\",\"*shell.jsp*\") by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spring4shell_payload_url_request_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel.", "known_false_positives": "The jsp file names are static names used in current proof of concept code. =", "references": ["https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/", "https://github.com/TheGejr/SpringShell", "https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability"], "tags": {"name": "Spring4Shell Payload URL Request", "analytic_story": ["Spring4Shell CVE-2022-22965"], "asset_type": "Web Server", "cis20": ["CIS 13"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Installation", "Delivery"], "message": "A URL was requested related to Spring4Shell POC code on $dest$ by $src$.", "mitre_attack_id": ["T1505.003", "T1505", "T1190"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "IP Address", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Web.http_method", "Web.url", "Web.url_length", "Web.src", "Web.dest", "Web.http_user_agent"], "risk_score": 36, "security_domain": "network", "risk_severity": "low", "cve": ["CVE-2022-22965"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/spring4shell_nginx.log", "source": "/var/log/nginx/access.log", "sourcetype": "nginx:plus:kv"}]}], "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "spring4shell_payload_url_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-22965", "cvss": 7.5, "summary": "A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/spring4shell_payload_url_request.yml", "source": "web", "nes_fields": "user,dest"}, {"name": "SQL Injection with Long URLs", "id": "e0aad4cf-0790-423b-8328-7564d0d938f9", "version": 3, "date": "2022-03-28", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "experimental", "description": "This search looks for long URLs that have several SQL commands visible within them.", "data_source": [], "search": "| tstats `security_content_summariesonly` count from datamodel=Web where Web.dest_category=web_server AND (Web.url_length > 1024 OR Web.http_user_agent_length > 200) by Web.src Web.dest Web.url Web.url_length Web.http_user_agent | `drop_dm_object_name(\"Web\")` | eval url=lower(url) | eval num_sql_cmds=mvcount(split(url, \"alter%20table\")) + mvcount(split(url, \"between\")) + mvcount(split(url, \"create%20table\")) + mvcount(split(url, \"create%20database\")) + mvcount(split(url, \"create%20index\")) + mvcount(split(url, \"create%20view\")) + mvcount(split(url, \"delete\")) + mvcount(split(url, \"drop%20database\")) + mvcount(split(url, \"drop%20index\")) + mvcount(split(url, \"drop%20table\")) + mvcount(split(url, \"exists\")) + mvcount(split(url, \"exec\")) + mvcount(split(url, \"group%20by\")) + mvcount(split(url, \"having\")) + mvcount(split(url, \"insert%20into\")) + mvcount(split(url, \"inner%20join\")) + mvcount(split(url, \"left%20join\")) + mvcount(split(url, \"right%20join\")) + mvcount(split(url, \"full%20join\")) + mvcount(split(url, \"select\")) + mvcount(split(url, \"distinct\")) + mvcount(split(url, \"select%20top\")) + mvcount(split(url, \"union\")) + mvcount(split(url, \"xp_cmdshell\")) - 24 | where num_sql_cmds > 3 | `sql_injection_with_long_urls_filter`", "how_to_implement": "To successfully implement this search, you need to be monitoring network communications to your web servers or ingesting your HTTP logs and populating the Web data model. You must also identify your web servers in the Enterprise Security assets table.", "known_false_positives": "It's possible that legitimate traffic will have long URLs or long user agent strings and that common SQL commands may be found within the URL. Please investigate as appropriate.", "references": [], "tags": {"name": "SQL Injection with Long URLs", "analytic_story": ["SQL Injection"], "asset_type": "Database Server", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "SQL injection attempt with url $url$ detected on $dest$", "mitre_attack_id": ["T1190"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Web.dest_category", "Web.url_length", "Web.http_user_agent_length", "Web.src", "Web.dest", "Web.url", "Web.http_user_agent"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}]}, "datamodel": ["Web"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "sql_injection_with_long_urls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/sql_injection_with_long_urls.yml", "source": "web", "nes_fields": "user,dest"}, {"name": "Supernova Webshell", "id": "2ec08a09-9ff1-4dac-b59f-1efd57972ec1", "version": 1, "date": "2021-01-06", "author": "John Stoner, Splunk", "type": "TTP", "status": "experimental", "description": "This search aims to detect the Supernova webshell used in the SUNBURST attack.", "data_source": [], "search": "| tstats `security_content_summariesonly` count from datamodel=Web.Web where web.url=*logoimagehandler.ashx*codes* OR Web.url=*logoimagehandler.ashx*clazz* OR Web.url=*logoimagehandler.ashx*method* OR Web.url=*logoimagehandler.ashx*args* by Web.src Web.dest Web.url Web.vendor_product Web.user Web.http_user_agent _time span=1s | `supernova_webshell_filter`", "how_to_implement": "To successfully implement this search, you need to be monitoring web traffic to your Solarwinds Orion. The logs should be ingested into splunk and populating/mapped to the Web data model.", "known_false_positives": "There might be false positives associted with this detection since items like args as a web argument is pretty generic.", "references": ["https://www.splunk.com/en_us/blog/security/detecting-supernova-malware-solarwinds-continued.html", "https://www.guidepointsecurity.com/blog/supernova-solarwinds-net-webshell-analysis/"], "tags": {"name": "Supernova Webshell", "analytic_story": ["NOBELIUM Group"], "asset_type": "Web Server", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "tbd", "mitre_attack_id": ["T1505.003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Web.url", "Web.src", "Web.dest", "Web.vendor_product", "Web.user", "Web.http_user_agent"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar"]}]}, "datamodel": ["Web"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "supernova_webshell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/supernova_webshell.yml", "source": "web", "nes_fields": "user,dest"}, {"name": "VMWare Aria Operations Exploit Attempt", "id": "d5d865e4-03e6-43da-98f4-28a4f42d4df7", "version": 1, "date": "2023-06-21", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic is designed to detect potential exploitation attempts against VMWare vRealize Network Insight that align with the characteristics of CVE-2023-20887. This specific vulnerability is a critical security flaw that, if exploited, could allow an attacker to execute arbitrary code on the affected system.\\\nThe analytic operates by monitoring web traffic, specifically HTTP POST requests, directed towards a specific URL endpoint (\"/saas./resttosaasservlet\"). This endpoint is known to be vulnerable and is a common target for attackers exploiting this vulnerability.\\\nThe behavior this analytic detects is the sending of HTTP POST requests to the vulnerable endpoint. This is a significant indicator of an attempted exploit as it is the primary method used to trigger the vulnerability. The analytic detects this behavior by analyzing web traffic data and identifying HTTP POST requests directed at the vulnerable endpoint.\\\nIdentifying this behavior is crucial for a Security Operations Center (SOC) as it can indicate an active attempt to exploit a known vulnerability within the network. If the identified behavior is a true positive, it suggests an attacker is attempting to exploit the CVE-2023-20887 vulnerability in VMWare vRealize Network Insight. The impact of such an attack could be severe, potentially allowing the attacker to execute arbitrary code on the affected system, leading to unauthorized access, data theft, or further propagation within the network.", "data_source": [], "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/saas./resttosaasservlet*\") Web.http_method=POST Web.status IN (\"unknown\", \"200\") by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `vmware_aria_operations_exploit_attempt_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. Restrict to specific dest assets to reduce false positives.", "known_false_positives": "False positives will be present based on gateways in use, modify the status field as needed.", "references": ["https://nvd.nist.gov/vuln/detail/CVE-2023-20887", "https://viz.greynoise.io/tag/vmware-aria-operations-for-networks-rce-attempt?days=30", "https://github.com/sinsinology/CVE-2023-20887", "https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/"], "tags": {"name": "VMWare Aria Operations Exploit Attempt", "analytic_story": ["VMware Aria Operations vRealize CVE-2023-20887"], "asset_type": "Web Server", "cis20": ["CIS 13"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Delivery", "Installation", "Exploitation"], "message": "An exploitation attempt has occurred against $dest$ from $src$ related to CVE-2023-20887", "mitre_attack_id": ["T1133", "T1190", "T1210", "T1068"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Web.http_method", "Web.url", "Web.url_length", "Web.src", "Web.dest", "Web.http_user_agent"], "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "atomic_guid": [], "mitre_attack_enrichments": [{"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1210", "mitre_attack_technique": "Exploitation of Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "Dragonfly", "Earth Lusca", "FIN7", "Fox Kitten", "MuddyWater", "Threat Group-3390", "Tonto Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/vmware/vmware_aria.log", "source": "pan:threat", "sourcetype": "pan:threat"}]}], "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "vmware_aria_operations_exploit_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/vmware_aria_operations_exploit_attempt.yml", "source": "web", "nes_fields": "user,dest"}, {"name": "VMware Server Side Template Injection Hunt", "id": "5796b570-ad12-44df-b1b5-b7e6ae3aabb0", "version": 1, "date": "2022-05-19", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following hunting analytic identifies the server side template injection related to CVE-2022-22954, however is a variation found within the same endpoint of the URL scheme.", "data_source": [], "search": "| tstats count from datamodel=Web where Web.http_method IN (\"GET\") Web.url=\"*deviceudid=*\" AND Web.url IN (\"*java.lang.ProcessBuilder*\",\"*freemarker.template.utility.ObjectConstructor*\") by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `vmware_server_side_template_injection_hunt_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good.", "known_false_positives": "False positives may be present if the activity is blocked or was not successful. Filter known vulnerablity scanners. Filter as needed.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa22-138b", "https://github.com/wvu/metasploit-framework/blob/master/modules/exploits/linux/http/vmware_workspace_one_access_cve_2022_22954.rb", "https://github.com/sherlocksecurity/VMware-CVE-2022-22954", "https://www.vmware.com/security/advisories/VMSA-2022-0011.html", "https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis", "https://twitter.com/wvuuuuuuuuuuuuu/status/1519476924757778433"], "tags": {"name": "VMware Server Side Template Injection Hunt", "analytic_story": ["VMware Server Side Injection and Privilege Escalation"], "asset_type": "Web Server", "cis20": ["CIS 13"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Delivery"], "message": "An attempt to exploit a VMware Server Side Injection CVE-2022-22954 on $dest$ has occurred.", "mitre_attack_id": ["T1190"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Web.http_method", "Web.url", "Web.url_length", "Web.src", "Web.dest", "Web.http_user_agent"], "risk_score": 35, "security_domain": "network", "risk_severity": "low", "cve": ["CVE-2022-22954"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/vmware/vmware_scanning_pan_threat.log", "source": "pan:threat", "sourcetype": "pan:threat", "update_timestamp": true}]}], "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "vmware_server_side_template_injection_hunt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-22954", "cvss": 10.0, "summary": "VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/vmware_server_side_template_injection_hunt.yml", "source": "web"}, {"name": "VMware Workspace ONE Freemarker Server-side Template Injection", "id": "9e5726fe-8fde-460e-bd74-cddcf6c86113", "version": 1, "date": "2022-05-19", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies the server side template injection related to CVE-2022-22954. Based on the scanning activity across the internet and proof of concept code available the template injection occurs at catalog-portal/ui/oauth/verify?error=&deviceudid=. Upon triage, review parallel processes and VMware logs. Following the deviceudid= may be a command to be executed. Capture any file creates and review modified files on disk.", "data_source": [], "search": "| tstats count from datamodel=Web where Web.http_method IN (\"GET\") Web.url=\"*/catalog-portal/ui/oauth/verify?error=&deviceudid=*\" AND Web.url=\"*freemarker.template.utility.Execute*\" by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `vmware_workspace_one_freemarker_server_side_template_injection_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good.", "known_false_positives": "False positives may be present if the activity is blocked or was not successful. Filter known vulnerablity scanners. Filter as needed.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa22-138b", "https://github.com/wvu/metasploit-framework/blob/master/modules/exploits/linux/http/vmware_workspace_one_access_cve_2022_22954.rb", "https://github.com/sherlocksecurity/VMware-CVE-2022-22954", "https://www.vmware.com/security/advisories/VMSA-2022-0011.html", "https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis"], "tags": {"name": "VMware Workspace ONE Freemarker Server-side Template Injection", "analytic_story": ["VMware Server Side Injection and Privilege Escalation"], "asset_type": "Web Server", "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Delivery"], "message": "An attempt to exploit a VMware Server Side Injection CVE-2022-22954 on $dest$ has occurred.", "mitre_attack_id": ["T1190"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Web.http_method", "Web.url", "Web.url_length", "Web.src", "Web.dest", "Web.http_user_agent"], "risk_score": 49, "security_domain": "network", "risk_severity": "low", "cve": ["CVE-2022-22954"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/vmware/vmware_scanning_pan_threat.log", "source": "pan:threat", "sourcetype": "pan:threat", "update_timestamp": true}]}], "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "vmware_workspace_one_freemarker_server_side_template_injection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-22954", "cvss": 10.0, "summary": "VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml", "source": "web"}, {"name": "Web JSP Request via URL", "id": "2850c734-2d44-4431-8139-1a56f6f54c01", "version": 1, "date": "2022-04-05", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the common URL requests used by a recent CVE - CVE-2022-22965, or Spring4Shell, to access a webshell on the remote webserver. The filename and cmd are arbitrary in this exploitation. Java will write a JSP to disk and a process will spawn from Java based on the cmd passed. This is indicative of typical web shell activity.", "data_source": [], "search": "| tstats count from datamodel=Web where Web.http_method IN (\"GET\") Web.url IN (\"*.jsp?cmd=*\",\"*j&cmd=*\") by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_jsp_request_via_url_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel.", "known_false_positives": "False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to servers.", "references": ["https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/", "https://github.com/TheGejr/SpringShell", "https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability"], "tags": {"name": "Web JSP Request via URL", "analytic_story": ["Spring4Shell CVE-2022-22965"], "asset_type": "Web Server", "cis20": ["CIS 13"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Installation", "Delivery"], "message": "A suspicious URL has been requested against $dest$ by $src$, related to web shell activity.", "mitre_attack_id": ["T1505.003", "T1505", "T1190"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Web.http_method", "Web.url", "Web.url_length", "Web.src", "Web.dest", "Web.http_user_agent"], "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "cve": ["CVE-2022-22965"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/spring4shell_nginx.log", "source": "/var/log/nginx/access.log", "sourcetype": "nginx:plus:kv"}]}], "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "web_jsp_request_via_url_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-22965", "cvss": 7.5, "summary": "A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/web_jsp_request_via_url.yml", "source": "web", "nes_fields": "user,dest"}, {"name": "Web Spring4Shell HTTP Request Class Module", "id": "fcdfd69d-0ca3-4476-920e-9b633cb4593e", "version": 1, "date": "2022-04-06", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the payload related to Spring4Shell, CVE-2022-22965. This analytic uses Splunk Stream HTTP to view the http request body, form data. STRT reviewed all the current proof of concept code and determined the commonality with the payloads being passed used the same fields \"class.module.classLoader.resources.context.parent.pipeline.first\".", "data_source": [], "search": "`stream_http` http_method IN (\"POST\") | stats values(form_data) as http_request_body min(_time) as firstTime max(_time) as lastTime count by http_method http_user_agent uri_path url bytes_in bytes_out | search http_request_body IN (\"*class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=_*\", \"*class.module.classLoader.resources.context.parent.pipeline.first.pattern*\",\"*suffix=.jsp*\") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_spring4shell_http_request_class_module_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the stream HTTP logs or network logs that catch network traffic. Make sure that the http-request-body, payload, or request field is enabled.", "known_false_positives": "False positives may occur and filtering may be required. Restrict analytic to asset type.", "references": ["https://github.com/DDuarte/springshell-rce-poc/blob/master/poc.py"], "tags": {"name": "Web Spring4Shell HTTP Request Class Module", "analytic_story": ["Spring4Shell CVE-2022-22965"], "asset_type": "Web Server", "cis20": ["CIS 13"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Delivery"], "message": "A http body request related to Spring4Shell has been sent to $dest$ by $src$.", "mitre_attack_id": ["T1190"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "http_request_body", "http_method", "http_user_agent", "uri_path", "url", "bytes_in", "bytes_out"], "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "cve": ["CVE-2022-22965"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/http_request_body_streams.log", "source": "stream:http", "sourcetype": "stream:http"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "web_spring4shell_http_request_class_module_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-22965", "cvss": 7.5, "summary": "A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/web_spring4shell_http_request_class_module.yml", "source": "web", "nes_fields": "user,dest"}, {"name": "Web Spring Cloud Function FunctionRouter", "id": "89dddbad-369a-4f8a-ace2-2439218735bc", "version": 1, "date": "2022-04-05", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies activity related to the web application Spring Cloud Function that was recently idenfied as vulnerable. This is CVE-2022-22963. Multiple proof of concept code was released. The URI that is hit includes `functionrouter`. The specifics of the exploit include a status of 500. In this query we did not include it, but for filtering you can add Web.status=500. The exploit data itself (based on all the POCs) is located in the form_data field. This field will include all class.modules being called.", "data_source": [], "search": "| tstats count from datamodel=Web where Web.http_method IN (\"POST\") Web.url=\"*/functionRouter*\" by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest Web.status sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_spring_cloud_function_functionrouter_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel.", "known_false_positives": "False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to servers.", "references": ["https://github.com/rapid7/metasploit-framework/pull/16395", "https://github.com/hktalent/spring-spel-0day-poc"], "tags": {"name": "Web Spring Cloud Function FunctionRouter", "analytic_story": ["Spring4Shell CVE-2022-22965"], "asset_type": "Web Server", "cis20": ["CIS 13"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Delivery"], "message": "A suspicious URL has been requested against $dest$ by $src$, related to a vulnerability in Spring Cloud.", "mitre_attack_id": ["T1190"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Web.http_method", "Web.url", "Web.url_length", "Web.src", "Web.dest", "Web.http_user_agent"], "risk_score": 42, "security_domain": "network", "risk_severity": "low", "cve": ["CVE-2022-22963"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/all_functionrouter_http_streams.log", "source": "stream:http", "sourcetype": "stream:http"}]}], "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "web_spring_cloud_function_functionrouter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-22963", "cvss": 7.5, "summary": "In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/web_spring_cloud_function_functionrouter.yml", "source": "web", "nes_fields": "user,dest"}, {"name": "Windows Exchange Autodiscover SSRF Abuse", "id": "d436f9e7-0ee7-4a47-864b-6dea2c4e2752", "version": 1, "date": "2022-10-03", "author": "Michael Haag, Nathaniel Stearns, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes the Web datamodel and identifies the ProxyShell or ProxyNotShell abuse. This vulnerability is a Server Side Request Forgery (SSRF) vulnerability, which is a web vulnerability that allows an adversary to exploit vulnerable functionality to access server side or local network services by affectively traversing the external firewall using vulnerable web functionality. This analytic looks for the URI path and query of autodiscover, powershell and mapi along with a POST occurring. It will tally a simple score and show the output of the events that match. This analytic may be added to by simply creating a new eval statement and modifying the hardcode digit for Score.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.status=200 OR Web.status=302 OR Web.status=401) AND Web.http_method=POST by Web.src Web.status Web.uri_path Web.dest Web.http_method Web.uri_query | `drop_dm_object_name(\"Web\")` | eval is_autodiscover=if(like(lower(uri_path),\"%autodiscover%\"),1,0) | eval powershell = if(match(lower(uri_query),\"powershell\"), \"1\",0) | eval mapi=if(like(uri_query,\"%/mapi/%\"),1,0) | addtotals fieldname=Score is_autodiscover, powershell, mapi | fields Score, src,dest, status, uri_query,uri_path,http_method | where Score >= 2 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_exchange_autodiscover_ssrf_abuse_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic, Exchange OR IIS logs, mapped to `Web` datamodel in the `Web` node. In addition, confirm the latest CIM App 4.20 or higher is installed.", "known_false_positives": "False positives are limited.", "references": ["https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html", "https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/", "https://twitter.com/GossiTheDog/status/1575762721353916417?s=20&t=67gq9xCWuyPm1VEm8ydfyA", "https://twitter.com/cglyer/status/1575793769814728705?s=20&t=67gq9xCWuyPm1VEm8ydfyA", "https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html", "https://research.splunk.com/stories/proxyshell/", "https://docs.splunk.com/Documentation/AddOns/released/MSIIS", "https://highon.coffee/blog/ssrf-cheat-sheet/", "https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/"], "tags": {"name": "Windows Exchange Autodiscover SSRF Abuse", "analytic_story": ["ProxyShell", "ProxyNotShell"], "asset_type": "Web server", "cis20": ["CIS 13"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Delivery"], "message": "Activity related to ProxyShell or ProxyNotShell has been identified on $dest$. Review events and take action accordingly.", "mitre_attack_id": ["T1190"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Web.src", "Web.status", "Web.uri_path", "Web.dest", "Web.http_method", "Web.uri_query"], "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "cve": ["CVE-2021-34523", "CVE-2021-34473", "CVE-2021-31207", "CVE-2022-41040", "CVE-2022-41082"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/proxyshell/proxyshell.log", "source": "ms:iis:splunk", "sourcetype": "ms:iis:splunk", "update_timestamp": true}]}], "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_exchange_autodiscover_ssrf_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-34523", "cvss": 7.5, "summary": "Microsoft Exchange Server Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-33768, CVE-2021-34470."}, {"id": "CVE-2021-34473", "cvss": 10.0, "summary": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31196, CVE-2021-31206."}, {"id": "CVE-2021-31207", "cvss": 6.5, "summary": "Microsoft Exchange Server Security Feature Bypass Vulnerability"}, {"id": "CVE-2022-41040", "cvss": null, "summary": "Microsoft Exchange Server Elevation of Privilege Vulnerability."}, {"id": "CVE-2022-41082", "cvss": null, "summary": "Microsoft Exchange Server Remote Code Execution Vulnerability."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml", "source": "web", "nes_fields": "user,dest"}]} \ No newline at end of file +{"detections": [{"name": "Detect New Login Attempts to Routers", "id": "bce3ed7c-9b1f-42a0-abdf-d8b123a34836", "version": 1, "date": "2017-09-12", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "experimental", "description": "The search queries the authentication logs for assets that are categorized as routers in the ES Assets and Identity Framework, to identify connections that have not been seen before in the last 30 days.", "data_source": [], "search": "| tstats `security_content_summariesonly` count earliest(_time) as earliest latest(_time) as latest from datamodel=Authentication where Authentication.dest_category=router by Authentication.dest Authentication.user| eval isOutlier=if(earliest >= relative_time(now(), \"-30d@d\"), 1, 0) | where isOutlier=1| `security_content_ctime(earliest)`| `security_content_ctime(latest)` | `drop_dm_object_name(\"Authentication\")` | `detect_new_login_attempts_to_routers_filter`", "how_to_implement": "To successfully implement this search, you must ensure the network router devices are categorized as \"router\" in the Assets and identity table. You must also populate the Authentication data model with logs related to users authenticating to routing infrastructure.", "known_false_positives": "Legitimate router connections may appear as new connections", "references": [], "tags": {"name": "Detect New Login Attempts to Routers", "analytic_story": ["Router and Infrastructure Security"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Authentication.dest_category", "Authentication.dest", "Authentication.user"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": ["Authentication"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_new_login_attempts_to_routers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/detect_new_login_attempts_to_routers.yml", "source": "application", "nes_fields": "user,dest"}, {"name": "Detect Risky SPL using Pretrained ML Model", "id": "b4aefb5f-1037-410d-a149-1e091288ba33", "version": 1, "date": "2022-06-16", "author": "Abhinav Mishra, Kumar Sharad, Namratha Sreekanta and Xiao Lin, Splunk", "type": "Anomaly", "status": "experimental", "description": "The following analytic uses a pretrained machine learning text classifier to detect potentially risky commands. The model is trained independently and then the model file is packaged within ESCU for usage. A command is deemed risky based on the presence of certain trigger keywords, along with the context and the role of the user (please see references). The model uses custom features to predict whether a SPL is risky using text classification. The model takes as input the command text, user and search type and outputs a risk score between [0,1]. A high score indicates higher likelihood of a command being risky. This model is on-prem only.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where Search_Activity.search_type=adhoc Search_Activity.user!=splunk-system-user by Search_Activity.search Search_Activity.user Search_Activity.search_type | eval spl_text = 'Search_Activity.search'. \" \" .'Search_Activity.user'. \" \" .'Search_Activity.search_type'| dedup spl_text | apply risky_spl_pre_trained_model | where risk_score > 0.5 | `drop_dm_object_name(Search_Activity)` | table search, user, search_type, risk_score | `detect_risky_spl_using_pretrained_ml_model_filter`", "how_to_implement": "This detection depends on the MLTK app which can be found here - https://splunkbase.splunk.com/app/2890/ and the Splunk Audit datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. Additionally, you need to be ingesting logs which include Search_Activity.search, Search_Activity.user, Search_Activity.search_type from your endpoints. The risk score threshold should be adjusted based on the environment. The detection uses a custom MLTK model hence we need a few more steps for deployment, as outlined here - https://gist.github.com/ksharad-splunk/be2a62227966049047f5e5c4f2adcabb.", "known_false_positives": "False positives may be present if suspicious behavior is observed, as determined by frequent usage of risky keywords.", "references": ["https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warning"], "tags": {"name": "Detect Risky SPL using Pretrained ML Model", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 10"], "confidence": 40, "impact": 50, "kill_chain_phases": ["Installation"], "message": "A potentially risky Splunk command has been run by $user$, kindly review.", "mitre_attack_id": ["T1059"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Search_Activity.search", "Search_Activity.user", "Search_Activity.search_type"], "risk_score": 20, "security_domain": "audit", "risk_severity": "low", "cve": ["CVE-2022-32154"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://github.com/splunk/attack_data/raw/master/datasets/attack_techniques/T1203/search_activity.txt", "source": "audittrail", "sourcetype": "audittrail", "update_timestamp": true}]}], "datamodel": ["Splunk_Audit"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_risky_spl_using_pretrained_ml_model_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-32154", "cvss": 4.0, "summary": "Dashboards in Splunk Enterprise versions before 9.0 might let an attacker inject risky search commands into a form token when the token is used in a query in a cross-origin request. The result bypasses SPL safeguards for risky commands. See New capabilities can limit access to some custom and potentially risky commands (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/SPLsafeguards#New_capabilities_can_limit_access_to_some_custom_and_potentially_risky_commands) for more information. Note that the attack is browser-based and an attacker cannot exploit it at will."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/detect_risky_spl_using_pretrained_ml_model.yml", "source": "application"}, {"name": "Email Attachments With Lots Of Spaces", "id": "56e877a6-1455-4479-ada6-0550dc1e22f8", "version": 2, "date": "2023-04-14", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "experimental", "description": "Attackers often use spaces as a means to obfuscate an attachment's file extension. This search looks for messages with email attachments that have many spaces within the file names.", "data_source": [], "search": "| tstats `security_content_summariesonly` count values(All_Email.recipient) as recipient_address min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name=\"*\" by All_Email.src_user, All_Email.file_name All_Email.message_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Email\")` | eval space_ratio = (mvcount(split(file_name,\" \"))-1)/len(file_name) | search space_ratio >= 0.1 | rex field=recipient_address \"(?.*)@\" | `email_attachments_with_lots_of_spaces_filter`", "how_to_implement": "You need to ingest data from emails. Specifically, the sender's address and the file names of any attachments must be mapped to the Email data model. The threshold ratio is set to 10%, but this value can be configured to suit each environment. \\\n **Splunk Phantom Playbook Integration**\\\nIf Splunk Phantom is also configured in your environment, a playbook called \"Suspicious Email Attachment Investigate and Delete\" can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/` and add the correct hostname to the \"Phantom Instance\" field in the Adaptive Response Actions when configuring this detection search. The notable event will be sent to Phantom and the playbook will gather further information about the file attachment and its network behaviors. If Phantom finds malicious behavior and an analyst approves of the results, the email will be deleted from the user's inbox.", "known_false_positives": "None at this time", "references": [], "tags": {"name": "Email Attachments With Lots Of Spaces", "analytic_story": ["Data Destruction", "Emotet Malware DHS Report TA18-201A ", "Hermetic Wiper", "Suspicious Emails"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Email.recipient", "All_Email.file_name", "All_Email.src_user", "All_Email.file_name", "All_Email.message_id"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": ["Email"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "email_attachments_with_lots_of_spaces_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/email_attachments_with_lots_of_spaces.yml", "source": "application"}, {"name": "Email files written outside of the Outlook directory", "id": "8d52cf03-ba25-4101-aa78-07994aed4f74", "version": 3, "date": "2020-07-21", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "experimental", "description": "The search looks at the change-analysis data model and detects email files created outside the normal Outlook directory.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name=*.pst OR Filesystem.file_name=*.ost) Filesystem.file_path != \"C:\\\\Users\\\\*\\\\My Documents\\\\Outlook Files\\\\*\" Filesystem.file_path!=\"C:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Outlook*\" by Filesystem.action Filesystem.process_id Filesystem.file_name Filesystem.dest | `drop_dm_object_name(\"Filesystem\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `email_files_written_outside_of_the_outlook_directory_filter` ", "how_to_implement": "To successfully implement this search, you must be ingesting data that records the file-system activity from your hosts to populate the Endpoint.Filesystem data model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or by other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes.", "known_false_positives": "Administrators and users sometimes prefer backing up their email data by moving the email files into a different folder. These attempts will be detected by the search.", "references": [], "tags": {"name": "Email files written outside of the Outlook directory", "analytic_story": ["Collection and Staging"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1114", "T1114.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.file_path", "Filesystem.file_name", "Filesystem.action", "Filesystem.process_id", "Filesystem.dest"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1114.001", "mitre_attack_technique": "Local Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "Chimera", "Magic Hound"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "email_files_written_outside_of_the_outlook_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/email_files_written_outside_of_the_outlook_directory.yml", "source": "application", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Email servers sending high volume traffic to hosts", "id": "7f5fb3e1-4209-4914-90db-0ec21b556378", "version": 2, "date": "2020-07-21", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search looks for an increase of data transfers from your email server to your clients. This could be indicative of a malicious actor collecting data using your email server.", "data_source": [], "search": "| tstats `security_content_summariesonly` sum(All_Traffic.bytes_out) as bytes_out from datamodel=Network_Traffic where All_Traffic.src_category=email_server by All_Traffic.dest_ip _time span=1d | `drop_dm_object_name(\"All_Traffic\")` | eventstats avg(bytes_out) as avg_bytes_out stdev(bytes_out) as stdev_bytes_out | eventstats count as num_data_samples avg(eval(if(_time < relative_time(now(), \"@d\"), bytes_out, null))) as per_source_avg_bytes_out stdev(eval(if(_time < relative_time(now(), \"@d\"), bytes_out, null))) as per_source_stdev_bytes_out by dest_ip | eval minimum_data_samples = 4, deviation_threshold = 3 | where num_data_samples >= minimum_data_samples AND bytes_out > (avg_bytes_out + (deviation_threshold * stdev_bytes_out)) AND bytes_out > (per_source_avg_bytes_out + (deviation_threshold * per_source_stdev_bytes_out)) AND _time >= relative_time(now(), \"@d\") | eval num_standard_deviations_away_from_server_average = round(abs(bytes_out - avg_bytes_out) / stdev_bytes_out, 2), num_standard_deviations_away_from_client_average = round(abs(bytes_out - per_source_avg_bytes_out) / per_source_stdev_bytes_out, 2) | table dest_ip, _time, bytes_out, avg_bytes_out, per_source_avg_bytes_out, num_standard_deviations_away_from_server_average, num_standard_deviations_away_from_client_average | `email_servers_sending_high_volume_traffic_to_hosts_filter`", "how_to_implement": "This search requires you to be ingesting your network traffic and populating the Network_Traffic data model. Your email servers must be categorized as \"email_server\" for the search to work, as well. You may need to adjust the deviation_threshold and minimum_data_samples values based on the network traffic in your environment. The \"deviation_threshold\" field is a multiplying factor to control how much variation you're willing to tolerate. The \"minimum_data_samples\" field is the minimum number of connections of data samples required for the statistic to be valid.", "known_false_positives": "The false-positive rate will vary based on how you set the deviation_threshold and data_samples values. Our recommendation is to adjust these values based on your network traffic to and from your email servers.", "references": [], "tags": {"name": "Email servers sending high volume traffic to hosts", "analytic_story": ["Collection and Staging", "HAFNIUM Group"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1114", "T1114.002"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Traffic.bytes_out", "All_Traffic.src_category", "All_Traffic.dest_ip"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}]}, "datamodel": ["Network_Traffic"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "email_servers_sending_high_volume_traffic_to_hosts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/email_servers_sending_high_volume_traffic_to_hosts.yml", "source": "application"}, {"name": "Monitor Email For Brand Abuse", "id": "b2ea1f38-3a3e-4b8a-9cf1-82760d86a6b8", "version": 2, "date": "2018-01-05", "author": "David Dorsey, Splunk", "type": "TTP", "status": "experimental", "description": "This search looks for emails claiming to be sent from a domain similar to one that you want to have monitored for abuse.", "data_source": [], "search": "| tstats `security_content_summariesonly` values(All_Email.recipient) as recipients, min(_time) as firstTime, max(_time) as lastTime from datamodel=Email by All_Email.src_user, All_Email.message_id | `drop_dm_object_name(\"All_Email\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval temp=split(src_user, \"@\") | eval email_domain=mvindex(temp, 1) | lookup update=true brandMonitoring_lookup domain as email_domain OUTPUT domain_abuse | search domain_abuse=true | table message_id, src_user, email_domain, recipients, firstTime, lastTime | `monitor_email_for_brand_abuse_filter`", "how_to_implement": "You need to ingest email header data. Specifically the sender's address (src_user) must be populated. You also need to have run the search \"ESCU - DNSTwist Domain Names\", which creates the permutations of the domain that will be checked for.", "known_false_positives": "None at this time", "references": [], "tags": {"name": "Monitor Email For Brand Abuse", "analytic_story": ["Brand Monitoring", "Suspicious Emails"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Email.recipient", "All_Email.src_user", "All_Email.message_id"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": ["Email"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "monitor_email_for_brand_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "brandMonitoring_lookup", "description": "A file that contains look-a-like domains for brands that you want to monitor", "filename": "brand_monitoring.csv", "default_match": "false", "match_type": "WILDCARD(domain)", "min_matches": 1}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/monitor_email_for_brand_abuse.yml", "source": "application", "nes_fields": "user,dest"}, {"name": "Multiple Okta Users With Invalid Credentials From The Same IP", "id": "19cba45f-cad3-4032-8911-0c09e0444552", "version": 3, "date": "2022-09-21", "author": "Michael Haag, Rico Valdez, Splunk", "type": "Hunting", "status": "experimental", "description": "This hunting analytic identifies multiple failed logon attempts from a single IP. Use this analytic to identify patterns of suspicious logins from a single source and filter as needed or use this to drive tuning for higher fidelity analytics.", "data_source": [], "search": "`okta` outcome.reason=INVALID_CREDENTIALS | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | stats min(_time) as firstTime max(_time) as lastTime dc(src_user) as distinct_users values(src_user) as users by src_ip, displayMessage, outcome.reason, country, state, city | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search distinct_users > 5| `multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter` ", "how_to_implement": "This search is specific to Okta and requires Okta logs are being ingested in your Splunk deployment.", "known_false_positives": "A single public IP address servicing multiple legitmate users may trigger this search. In addition, the threshold of 5 distinct users may be too low for your needs. You may modify the included filter macro `multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter` to raise the threshold or except specific IP adresses from triggering this search.", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=INVALID_CREDENTIALS"], "tags": {"name": "Multiple Okta Users With Invalid Credentials From The Same IP", "analytic_story": ["Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "Multple user accounts have failed to authenticate from a single IP.", "mitre_attack_id": ["T1078", "T1078.001"], "nist": ["DE.AE"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "outcome.reason", "client.geographicalContext.country", "client.geographicalContext.state", "client.geographicalContext.city", "user", "src_ip", "displayMessage"], "risk_score": 9, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.001", "mitre_attack_technique": "Default Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Magic Hound"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta", "definition": "eventtype=okta_log", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/multiple_okta_users_with_invalid_credentials_from_the_same_ip.yml", "source": "application"}, {"name": "No Windows Updates in a time frame", "id": "1a77c08c-2f56-409c-a2d3-7d64617edd4f", "version": 1, "date": "2017-09-15", "author": "Bhavin Patel, Splunk", "type": "Hunting", "status": "experimental", "description": "This search looks for Windows endpoints that have not generated an event indicating a successful Windows update in the last 60 days. Windows updates are typically released monthly and applied shortly thereafter. An endpoint that has not successfully applied an update in this time frame indicates the endpoint is not regularly being patched for some reason.", "data_source": [], "search": "| tstats `security_content_summariesonly` max(_time) as lastTime from datamodel=Updates where Updates.status=Installed Updates.vendor_product=\"Microsoft Windows\" by Updates.dest Updates.status Updates.vendor_product | rename Updates.dest as Host | rename Updates.status as \"Update Status\" | rename Updates.vendor_product as Product | eval isOutlier=if(lastTime <= relative_time(now(), \"-60d@d\"), 1, 0) | `security_content_ctime(lastTime)` | search isOutlier=1 | rename lastTime as \"Last Update Time\", | table Host, \"Update Status\", Product, \"Last Update Time\" | `no_windows_updates_in_a_time_frame_filter`", "how_to_implement": "To successfully implement this search, it requires that the 'Update' data model is being populated. This can be accomplished by ingesting Windows events or the Windows Update log via a universal forwarder on the Windows endpoints you wish to monitor. The Windows add-on should be also be installed and configured to properly parse Windows events in Splunk. There may be other data sources which can populate this data model, including vulnerability management systems.", "known_false_positives": "None identified", "references": [], "tags": {"name": "No Windows Updates in a time frame", "analytic_story": ["Monitor for Updates"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Updates.status", "Updates.vendor_product", "Updates.dest"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": ["Updates"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "no_windows_updates_in_a_time_frame_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/no_windows_updates_in_a_time_frame.yml", "source": "application"}, {"name": "Okta Account Locked Out", "id": "d650c0ae-bdc5-400e-9f0f-f7aa0a010ef1", "version": 1, "date": "2022-09-21", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "experimental", "description": "The following analytic utilizes the user.acount.lock event to identify associates who are locked out of Okta. An adversary attempting to brute force or password spray account names may lock accounts out depending on the threshold.", "data_source": [], "search": "`okta` eventType=user.account.lock | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by src_user src_ip eventType status | where count >=3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `okta_account_locked_out_filter`", "how_to_implement": "This analytic is specific to Okta and requires Okta logs to be ingested.", "known_false_positives": "False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed. Drop to anomaly until tuning is complete.", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=user.acount.lock"], "tags": {"name": "Okta Account Locked Out", "analytic_story": ["Suspicious Okta Activity", "Okta MFA Exhaustion"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "$src_user$ account has been locked out.", "mitre_attack_id": ["T1110"], "nist": ["DE.AE"], "observable": [{"name": "src_user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "src_user", "src_ip", "eventType", "status"], "risk_score": 64, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta", "definition": "eventtype=okta_log", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_account_locked_out_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/okta_account_locked_out.yml", "source": "application"}, {"name": "Okta Account Lockout Events", "id": "62b70968-a0a5-4724-8ac4-67871e6f544d", "version": 2, "date": "2022-09-19", "author": "Michael Haag, Rico Valdez, Splunk", "type": "Anomaly", "status": "experimental", "description": "The following anomaly will generate based on account lockout events utilizing Okta eventTypes of user.account.lock.limit or user.account.lock. Per the Okta docs site, this event is fired when a user account has reached the lockout limit. The account will not auto-unlock and a user or client cannot gain access to the account. This event indicates an account that will not be able to log in until remedial action is taken by the account admin. This event can be used to understand the specifics of an account lockout. Often this indicates a client application that is repeatedly attempting to authenticate with invalid credentials such as an old password.", "data_source": [], "search": "`okta` eventType IN (user.account.lock.limit,user.account.lock) | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | stats count min(_time) as firstTime max(_time) as lastTime values(src_user) by displayMessage, country, state, city, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_account_lockout_events_filter`", "how_to_implement": "This analytic is specific to Okta and requires Okta logs to be ingested.", "known_false_positives": "None. Account lockouts should be followed up on to determine if the actual user was the one who caused the lockout, or if it was an unauthorized actor.", "references": ["https://developer.okta.com/docs/reference/api/event-types/#catalog", "https://developer.okta.com/docs/reference/api/event-types/?q=user.account.lock"], "tags": {"name": "Okta Account Lockout Events", "analytic_story": ["Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "The following user $src_user$ has locked out their account within Okta.", "mitre_attack_id": ["T1078", "T1078.001"], "nist": ["DE.AE"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "displayMessage", "client.geographicalContext.country", "client.geographicalContext.state", "client.geographicalContext.city", "src_ip", "src_user"], "risk_score": 25, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.001", "mitre_attack_technique": "Default Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Magic Hound"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta", "definition": "eventtype=okta_log", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_account_lockout_events_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/okta_account_lockout_events.yml", "source": "application"}, {"name": "Okta Failed SSO Attempts", "id": "371a6545-2618-4032-ad84-93386b8698c5", "version": 3, "date": "2022-09-21", "author": "Michael Haag, Rico Valdez, Splunk", "type": "Anomaly", "status": "experimental", "description": "The following anomaly identifies failed Okta SSO events utilizing the legacy Okta event \"unauth app access attempt\".", "data_source": [], "search": "`okta` eventType=app.generic.unauth_app_access_attempt | stats min(_time) as firstTime max(_time) as lastTime values(app) as Apps count by src_user, result ,displayMessage, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_failed_sso_attempts_filter` ", "how_to_implement": "This search is specific to Okta and requires Okta logs are being ingested in your Splunk deployment.", "known_false_positives": "There may be a faulty config preventing legitmate users from accessing apps they should have access to.", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=app.generic.unauth_app_access_attempt"], "tags": {"name": "Okta Failed SSO Attempts", "analytic_story": ["Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "confidence": 40, "impact": 40, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "$src_user$ failed SSO authentication to the app.", "mitre_attack_id": ["T1078", "T1078.001"], "nist": ["DE.AE"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "displayMessage", "app", "src_user", "result", "src_ip"], "risk_score": 16, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.001", "mitre_attack_technique": "Default Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Magic Hound"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta", "definition": "eventtype=okta_log", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_failed_sso_attempts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/okta_failed_sso_attempts.yml", "source": "application"}, {"name": "Okta MFA Exhaustion Hunt", "id": "97e2fe57-3740-402c-988a-76b64ce04b8d", "version": 1, "date": "2022-09-27", "author": "Michael Haag, Marissa Bower, Splunk", "type": "Hunting", "status": "experimental", "description": "The following analytic identifies patterns within Okta data to determine the amount of successful and failed pushes. Based on that, eval statements determine a finding of whether this is suspicious or not. The events are within a window of time and may be tuned as needed.", "data_source": [], "search": "`okta` eventType=system.push.send_factor_verify_push OR ((legacyEventType=core.user.factor.attempt_success) AND (debugContext.debugData.factor=OKTA_VERIFY_PUSH)) OR ((legacyEventType=core.user.factor.attempt_fail) AND (debugContext.debugData.factor=OKTA_VERIFY_PUSH)) | stats count(eval(legacyEventType=\"core.user.factor.attempt_success\")) as successes count(eval(legacyEventType=\"core.user.factor.attempt_fail\")) as failures count(eval(eventType=\"system.push.send_factor_verify_push\")) as pushes by authenticationContext.externalSessionId,user,_time | stats latest(_time) as lasttime earliest(_time) as firsttime sum(successes) as successes sum(failures) as failures sum(pushes) as pushes by authenticationContext.externalSessionId,user | eval seconds=lasttime-firsttime | eval lasttime=strftime(lasttime, \"%c\") | search (pushes>1) | eval totalattempts=successes+failures | eval finding=\"Normal authentication pattern\" | eval finding=if(failures==pushes AND pushes>1,\"Authentication attempts not successful because multiple pushes denied\",finding) | eval finding=if(totalattempts==0,\"Multiple pushes sent and ignored\",finding) | eval finding=if(successes>0 AND pushes>3,\"Probably should investigate. Multiple pushes sent, eventual successful authentication!\",finding) | where seconds<600 AND finding=\"Multiple pushes sent, eventual successful authentication!\" AND totalattempts > 5 | sort - pushes, totalattempts | `okta_mfa_exhaustion_hunt_filter`", "how_to_implement": "This analytic is specific to Okta and requires Okta logs to be ingested.", "known_false_positives": "False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed. Drop to anomaly until tuning is complete.", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=user.acount.lock", "https://sec.okta.com/everythingisyes"], "tags": {"name": "Okta MFA Exhaustion Hunt", "analytic_story": ["Suspicious Okta Activity", "Okta MFA Exhaustion"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "confidence": 60, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "$src_user$ account has rejected multiple Okta pushes.", "mitre_attack_id": ["T1110"], "nist": ["DE.AE"], "observable": [{"name": "src_user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "src_user", "src_ip", "eventType", "status"], "risk_score": 18, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "datamodel": ["Authentication"], "macros": [{"name": "okta", "definition": "eventtype=okta_log", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_mfa_exhaustion_hunt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/okta_mfa_exhaustion_hunt.yml", "source": "application"}, {"name": "Okta Mismatch Between Source and Response for Verify Push Request", "id": "8085b79b-9b85-4e67-ad63-351c9e9a5e9a", "version": 1, "date": "2023-03-17", "author": "John Murphy and Jordan Ruocco, Okta, Michael Haag, Splunk", "type": "TTP", "status": "experimental", "description": "The following analytic identifies variations in client-based values for source and response events to identify suspicious request behavior. The detection is enhanced if the org is evaluating behavior conditions in sign-on policies using Okta Behavior Detection. NOTE: This detection requires the use of Okta Identity Engine (OIE) and will not function on Okta Classic.\\\nFor each Okta Verify Push challenge, the following two events are recorded in Okta System Log \\\nSource of Push (Sign-In) \\\neventType eq \\\"system.push.send_factor_verify_push\\\" \\\nUser Push Response (Okta Verify client) \\\neventType eq \"user.authentication.auth_via_mfa\" AND debugContext.debugData.factor eq \"OKTA_VERIFY_PUSH\" \\\nIn sequence, the logic for the analytic - \\\n* Groups by SessionID and retrieves any system.push.send_factor_verify_push events (the source of the push) and user.authentication.auth_via_mfa events where the factor is OKTA_VERIFY_PUSH - (the user response to the push) \\\n* Counts the total number of push events, successful authentication events, and any push sources where the client is a new device. \\ * Creates a ratio of successful sign-ins to pushes. \\\n* If the ratio (currently tuned aggressively) indicates push spam, or if a user has rejected a push, the detection proceeds to evaluate whether there is more than one IP address used during the session (session roaming) and the presence of both a new IP and new device during the session.", "data_source": [], "search": "`okta` eventType IN (system.push.send_factor_verify_push) OR (eventType IN (user.authentication.auth_via_mfa) debugContext.debugData.factor=\"OKTA_VERIFY_PUSH\") | eval groupby=\"authenticationContext.externalSessionId\" | eval group_push_time=_time | bin span=2s group_push_time | fillnull value=NULL | stats min(_time) as _time by authenticationContext.externalSessionId eventType debugContext.debugData.factor outcome.result actor.alternateId client.device client.ipAddress client.userAgent.rawUserAgent debugContext.debugData.behaviors group_push_time groupby | iplocation client.ipAddress | fields - lat, lon, group_push_time | stats min(_time) as _time dc(client.ipAddress) as dc_ip sum(eval(if(eventType=\"system.push.send_factor_verify_push\" AND \"outcome.result\"=\"SUCCESS\",1,0))) as total_pushes sum(eval(if(eventType=\"user.authentication.auth_via_mfa\" AND \"outcome.result\"=\"SUCCESS\",1,0))) as total_successes sum(eval(if(eventType=\"user.authentication.auth_via_mfa\" AND \"outcome.result\"=\"FAILURE\",1,0))) as total_rejected sum(eval(if(eventType=\"system.push.send_factor_verify_push\" AND \"debugContext.debugData.behaviors\" LIKE \"%New Device=POSITIVE%\",1,0))) as suspect_device_from_source sum(eval(if(eventType=\"system.push.send_factor_verify_push\" AND \"debugContext.debugData.behaviors\" LIKE \"%New IP=POSITIVE%\",0,0))) as suspect_ip_from_source values(eval(if(eventType=\"system.push.send_factor_verify_push\",\"client.ipAddress\",\"\"))) as src values(eval(if(eventType=\"user.authentication.auth_via_mfa\",\"client.ipAddress\",\"\"))) as dest values(*) as * by groupby | eval ratio = round(total_successes/total_pushes,2) | search ((ratio < 0.5 AND total_pushes > 1) OR (total_rejected > 0)) AND dc_ip > 1 AND suspect_device_from_source > 0 AND suspect_ip_from_source > 0 | `okta_mismatch_between_source_and_response_for_verify_push_request_filter`", "how_to_implement": "This analytic is specific to Okta and requires Okta:im2 logs to be ingested.", "known_false_positives": "False positives may be present based on organization size and configuration of Okta. Monitor, tune and filter as needed.", "references": ["https://attack.mitre.org/techniques/T1621"], "tags": {"name": "Okta Mismatch Between Source and Response for Verify Push Request", "analytic_story": ["Suspicious Okta Activity", "Okta MFA Exhaustion"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "A mismatch between source and response for verifying a push request has occurred for $actor.alternateId$", "mitre_attack_id": ["T1621"], "nist": ["DE.CM"], "observable": [{"name": "actor.alternateId", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "authenticationContext.externalSessionId", "eventType", "debugContext.debugData.factor", "outcome.result", "actor.alternateId", "client.device", "client.ipAddress", "client.userAgent.rawUserAgent", "debugContext.debugData.behaviors", "group_push_time"], "risk_score": 64, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}]}, "datamodel": [], "macros": [{"name": "okta", "definition": "eventtype=okta_log", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_mismatch_between_source_and_response_for_verify_push_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml", "source": "application", "nes_fields": "user,dest"}, {"name": "Okta Multiple Failed Requests to Access Applications", "id": "1c21fed1-7000-4a2e-9105-5aaafa437247", "version": 1, "date": "2023-03-17", "author": "John Murphy, Okta, Michael Haag, Splunk", "type": "Hunting", "status": "experimental", "description": "The following analytic identifies multiple failed app requests in an attempt to identify the reuse a stolen web session cookie. The logic of the analytic is as follows: \\ * Retrieves policy evaluation and SSO details in events that contain the Application requested \\\n* Formats target fields so we can aggregate specifically on Applications (AppInstances) \\\n* Groups by User, Session and IP \\\n* Creates a ratio of successful SSO events to total MFA challenges related to Application Sign On Policies \\\n* Alerts when more than half of app sign on events are unsuccessful, and challenges were unsatisfied for more than three apps.", "data_source": [], "search": "`okta` target{}.type=AppInstance (eventType=policy.evaluate_sign_on outcome.result=CHALLENGE) OR (eventType=user.authentication.sso outcome.result=SUCCESS) | eval targets=mvzip('target{}.type', 'target{}.displayName', \": \") | eval targets=mvfilter(targets LIKE \"AppInstance%\") | stats count min(_time) as _time values(outcome.result) as outcome.result dc(eval(if(eventType=\"policy.evaluate_sign_on\",targets,NULL))) as total_challenges sum(eval(if(eventType=\"user.authentication.sso\",1,0))) as total_successes by authenticationContext.externalSessionId targets actor.alternateId client.ipAddress | search total_challenges > 0 | stats min(_time) as _time values(*) as * sum(total_challenges) as total_challenges sum(total_successes) as total_successes values(eval(if(\"outcome.result\"=\"SUCCESS\",targets,NULL))) as success_apps values(eval(if(\":outcome.result\"!=\"SUCCESS\",targets,NULL))) as no_success_apps by authenticationContext.externalSessionId actor.alternateId client.ipAddress | fillnull | eval ratio=round(total_successes/total_challenges,2), severity=\"HIGH\", mitre_technique_id=\"T1538\", description=\"actor.alternateId\". \" from \" . \"client.ipAddress\" . \" seen opening \" . total_challenges . \" chiclets/apps with \" . total_successes . \" challenges successfully passed\" | fields - count, targets | search ratio < 0.5 total_challenges > 2 | `okta_multiple_failed_requests_to_access_applications_filter`", "how_to_implement": "This analytic is specific to Okta and requires Okta:im2 logs to be ingested.", "known_false_positives": "False positives may be present based on organization size and configuration of Okta.", "references": ["https://attack.mitre.org/techniques/T1538", "https://attack.mitre.org/techniques/T1550/004"], "tags": {"name": "Okta Multiple Failed Requests to Access Applications", "analytic_story": ["Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "Multiple Failed Requests to Access Applications via Okta for $actor.alternateId$.", "mitre_attack_id": ["T1550.004", "T1538"], "nist": ["DE.AE"], "observable": [{"name": "actor.alternateId", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "authenticationContext.externalSessionId", "targets", "actor.alternateId", "client.ipAddress", "eventType"], "risk_score": 56, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1550.004", "mitre_attack_technique": "Web Session Cookie", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1538", "mitre_attack_technique": "Cloud Service Dashboard", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "datamodel": [], "macros": [{"name": "okta", "definition": "eventtype=okta_log", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_multiple_failed_requests_to_access_applications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/okta_multiple_failed_requests_to_access_applications.yml", "source": "application"}, {"name": "Okta New API Token Created", "id": "c3d22720-35d3-4da4-bd0a-740d37192bd4", "version": 1, "date": "2022-09-21", "author": "Michael Haag, Splunk", "type": "TTP", "status": "experimental", "description": "The following analytic identifies when a new API token is created. Adversaries who have gained access to a privileged account may add a new token for persistence. This analytic uses the eventType system.api_token.create.", "data_source": [], "search": "`okta` eventType=system.api_token.create | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by src_user src_ip eventType status | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_new_api_token_created_filter`", "how_to_implement": "This analytic is specific to Okta and requires Okta logs to be ingested.", "known_false_positives": "False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed.", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=security.threat.detected"], "tags": {"name": "Okta New API Token Created", "analytic_story": ["Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "$src_user$ has created a new API token within Okta.", "mitre_attack_id": ["T1078", "T1078.001"], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "signature", "eventType", "displayMessage", "client.device", "city", "state", "country", "user_agent", "outcome.reason", "outcome.result", "severity"], "risk_score": 64, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.001", "mitre_attack_technique": "Default Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Magic Hound"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta", "definition": "eventtype=okta_log", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_new_api_token_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/okta_new_api_token_created.yml", "source": "application", "nes_fields": "user,dest"}, {"name": "Okta New Device Enrolled on Account", "id": "bb27cbce-d4de-432c-932f-2e206e9130fb", "version": 1, "date": "2022-09-21", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "experimental", "description": "The following anomaly will be generated when a new device is added to an account. Albeit not malicious, risk is set low, but should be monitored. This anomaly utilizes the legacy events from Okta.", "data_source": [], "search": "`okta` eventType=system.email.new_device_notification.sent_message displayMessage=\"Send user new device notification email\" | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent client.userAgent.browser client.geographicalContext.city client.geographicalContext.country | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_new_device_enrolled_on_account_filter`", "how_to_implement": "This analytic is specific to Okta and requires Okta logs to be ingested.", "known_false_positives": "Tune the risk score as needed based on your organization.", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=system.email.new_device_notification.sent_message"], "tags": {"name": "Okta New Device Enrolled on Account", "analytic_story": ["Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "confidence": 60, "impact": 40, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "$user$ has added a new device to their account.", "mitre_attack_id": ["T1078", "T1078.001"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "displayMessage", "user", "eventType", "client.userAgent.rawUserAgent", "client.userAgent.browser", "client.geographicalContext.city", "client.geographicalContext.country"], "risk_score": 24, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.001", "mitre_attack_technique": "Default Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Magic Hound"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta", "definition": "eventtype=okta_log", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_new_device_enrolled_on_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/okta_new_device_enrolled_on_account.yml", "source": "application"}, {"name": "Okta Phishing Detection with FastPass Origin Check", "id": "f4ca0057-cbf3-44f8-82ea-4e330ee901d3", "version": 1, "date": "2023-03-09", "author": "Okta, Inc, Michael Haag, Splunk", "type": "TTP", "status": "experimental", "description": "The following analytic identifies when Okta''s FastPass prevents known phishing sites. When your users are enrolled in FastPass, Okta can provide defenders a high-fidelity signal for when user applications are being targeted by attackers wielding real-time (AiTM) proxies. Okta''s Defensive Cyber Operations team routinely identifies phishing infrastructure configured to imitate an Okta sign-in page and proactively notify Okta customers when suspicious infrastructure we detect appears to be targeting their users. Since March 2020, we have delivered over 1000 notifications to customers.", "data_source": [], "search": "`okta` eventType=\"user.authentication.auth_via_mfa\" AND result=\"FAILURE\" AND outcome.reason=\"FastPass declined phishing attempt\" | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent client.userAgent.browser outcome.reason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_phishing_detection_with_fastpass_origin_check_filter`", "how_to_implement": "This search is specific to Okta and requires Okta logs to be ingested in your Splunk deployment.", "known_false_positives": "Fidelity of this is high as Okta is specifying malicious infrastructure. Filter and modify as needed.", "references": ["https://sec.okta.com/fastpassphishingdetection"], "tags": {"name": "Okta Phishing Detection with FastPass Origin Check", "analytic_story": ["Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "Okta FastPass has prevented $user$ from authenticating to a malicious site.", "mitre_attack_id": ["T1078", "T1078.001", "T1556"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventType", "client.userAgent.rawUserAgent", "client.userAgent.browser", "outcome.reason", "displayMessage"], "risk_score": 100, "security_domain": "access", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.001", "mitre_attack_technique": "Default Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta", "definition": "eventtype=okta_log", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_phishing_detection_with_fastpass_origin_check_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/okta_phishing_detection_with_fastpass_origin_check.yml", "source": "application", "nes_fields": "user,dest"}, {"name": "Okta Risk Threshold Exceeded", "id": "d8b967dd-657f-4d88-93b5-c588bcd7218c", "version": 1, "date": "2022-09-29", "author": "Michael Haag, Splunk", "type": "Correlation", "status": "production", "description": "The following correlation will take risk associated with the content from \"Suspicious Okta Activity\" and \"Okta MFA Exhaustion\" analytic stories and tally it up. Once it hits the threshold of 100 (may be changed), it will trigger an anomaly. As needed, reduce or raise the risk scores assocaited with the anomaly and TTP analytics tagged to these two stories.", "data_source": [], "search": "| tstats `security_content_summariesonly` sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count,values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk by All_Risk.risk_object,All_Risk.risk_object_type All_Risk.analyticstories | `drop_dm_object_name(\"All_Risk\")` | eval \"annotations.mitre_attack\"=\"annotations.mitre_attack.mitre_technique_id\", risk_threshold=100 | where All_Risk.analyticstories IN (\"Suspicious Okta Activity\", \"Okta MFA Exhaustion\") risk_score > risk_threshold | `get_risk_severity(risk_score)` | `okta_risk_threshold_exceeded_filter`", "how_to_implement": "Ensure \"Suspicious Okta Activity\" and \"Okta MFA Exhaustion\" analytic stories are enabled. TTP may be set to Notables for point detections, anomaly should not be notables but risk generators. The correlation relies on risk before generating a notable. Modify the value as needed. Default threshold is 100. This value may need to be increased based on activity in your environment.", "known_false_positives": "False positives will be limited to the amount of events generated by the analytics tied to the stories. Analytics will need to be tesetd and tuned, risk score reduced, as needed based on organization.", "references": ["https://developer.okta.com/docs/reference/api/event-types", "https://sec.okta.com/everythingisyes"], "tags": {"name": "Okta Risk Threshold Exceeded", "analytic_story": ["Suspicious Okta Activity", "Okta MFA Exhaustion"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "Risk threshold exceeded for $risk_object_type$=$risk_object$ related to Okta events.", "mitre_attack_id": ["T1078", "T1110"], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Other", "role": ["Victim"]}, {"name": "risk_object_type", "type": "Other", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["All_Risk.risk_object", "All_Risk.risk_object_type", "All_Risk.analyticstories"], "risk_score": 56, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "datamodel": ["Risk"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "okta_risk_threshold_exceeded_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/okta_risk_threshold_exceeded.yml", "source": "application", "nes_fields": "user,dest"}, {"name": "Okta Suspicious Activity Reported", "id": "bfc840f5-c9c6-454c-aa13-b46fd0bf1e79", "version": 1, "date": "2022-09-21", "author": "Michael Haag, Splunk", "type": "TTP", "status": "experimental", "description": "The following event is generated when an associate receives an email from Okta asking if a login attempt was suspicious or not. If the associate identifies it as suspicious an event is generated and should be reviewed.", "data_source": [], "search": "`okta` eventType=user.account.report_suspicious_activity_by_enduser | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent client.userAgent.browser client.geographicalContext.city client.geographicalContext.country | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_suspicious_activity_reported_filter`", "how_to_implement": "This analytic is specific to Okta and requires Okta logs to be ingested. It also requires that suspicious activity reporting is enabled and associates are trained to submit.", "known_false_positives": "False positives should be limited as this is a high fidelity marker.", "references": ["https://help.okta.com/en-us/Content/Topics/Security/suspicious-activity-reporting.htm"], "tags": {"name": "Okta Suspicious Activity Reported", "analytic_story": ["Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "The following $user$ has reported a suspicious login activity.", "mitre_attack_id": ["T1078", "T1078.001"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "displayMessage", "user", "eventType", "client.userAgent.rawUserAgent", "client.userAgent.browser", "client.geographicalContext.city", "client.geographicalContext.country"], "risk_score": 25, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.001", "mitre_attack_technique": "Default Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Magic Hound"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta", "definition": "eventtype=okta_log", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_suspicious_activity_reported_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/okta_suspicious_activity_reported.yml", "source": "application", "nes_fields": "user,dest"}, {"name": "Okta Suspicious Use of a Session Cookie", "id": "71ad47d1-d6bd-4e0a-b35c-020ad9a6959e", "version": 1, "date": "2023-03-17", "author": "Scott Dermott and Felicity Robson, Okta, Michael Haag, Splunk", "type": "Hunting", "status": "experimental", "description": "The following analytic looks for one or more policy evaluation events in which multiple client values (IP, User Agent, etc.) change associated to the same Device Token for a specific user. A detection opportunity arises when an adversary attempts to reuse a stolen web session cookie. \\\n* Retrieves policy evaluation events from successful authentication events. \\\n* Aggregates/Groups by Device Token and User, providing the first policy evaluation event in the search window. \\\n* Evaluates whether there is more than one IP and whether there is more than one OS or browser for each combination of User/Device Token.", "data_source": [], "search": "`okta` eventType IN (policy.evaluate_sign_on) outcome.result IN (ALLOW, SUCCESS) | stats earliest(_time) as _time values(client.ipAddress) as src_ip values(client.userAgent.rawUserAgent) as user_agent values(client.userAgent.os) as userAgentOS_list values(client.geographicalContext.city) as city values(client.userAgent.browser) as userAgentBrowser_list values(device.os_platform) as okta_device_os dc(client.userAgent.browser) as dc_userAgentBrowser dc(client.userAgent.os) as dc_userAgentOS dc(client.ipAddress) as dc_src_ip values(outcome.reason) as reason by debugContext.debugData.dtHash actor.alternateId | where dc_src_ip>1 AND (dc_userAgentOS>1 OR dc_userAgentBrowser>1) | `okta_suspicious_use_of_a_session_cookie_filter`", "how_to_implement": "This analytic is specific to Okta and requires Okta:im2 logs to be ingested.", "known_false_positives": "False positives may be present based on organization size and configuration of Okta.", "references": ["https://attack.mitre.org/techniques/T1539/"], "tags": {"name": "Okta Suspicious Use of a Session Cookie", "analytic_story": ["Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "A suspicious use of a session cookie was identified by user $actor.alternateId$.", "mitre_attack_id": ["T1539"], "nist": ["DE.AE"], "observable": [{"name": "actor.alternateId", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "client.ipAddress", "client.userAgent.rawUserAgent", "client.userAgent.os", "client.geographicalContext.city", "client.userAgent.browser", "device.os_platform", "debugContext.debugData.dtHash", "actor.alternateId"], "risk_score": 56, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1539", "mitre_attack_technique": "Steal Web Session Cookie", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Evilnum", "LuminousMoth"]}]}, "datamodel": [], "macros": [{"name": "okta", "definition": "eventtype=okta_log", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_suspicious_use_of_a_session_cookie_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/okta_suspicious_use_of_a_session_cookie.yml", "source": "application"}, {"name": "Okta ThreatInsight Login Failure with High Unknown users", "id": "632663b0-4562-4aad-abe9-9f621a049738", "version": 1, "date": "2023-03-09", "author": "Okta, Inc, Michael Haag, Splunk", "type": "TTP", "status": "experimental", "description": "The following analytic utilizes Okta's ThreatInsight to identify \"Login failures with high unknown users count\" and any included secondary outcome reasons. This event will trigger when a brute force attempt occurs with unknown usernames attempted.", "data_source": [], "search": "`okta` eventType=\"security.threat.detected\" AND outcome.reason=\"Login failures with high unknown users count*\" | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent client.userAgent.browser outcome.reason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_threatinsight_login_failure_with_high_unknown_users_filter`", "how_to_implement": "This search is specific to Okta and requires Okta logs to be ingested in your Splunk deployment.", "known_false_positives": "Fidelity of this is high as it is Okta ThreatInsight. Filter and modify as needed.", "references": ["https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm"], "tags": {"name": "Okta ThreatInsight Login Failure with High Unknown users", "analytic_story": ["Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "confidence": 100, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "Okta ThreatInsight has detected or prevented a high number of login failures.", "mitre_attack_id": ["T1078", "T1078.001", "T1110.004"], "nist": ["DE.CM"], "observable": [{"name": "outcome.reason", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventType", "client.userAgent.rawUserAgent", "client.userAgent.browser", "outcome.reason", "displayMessage"], "risk_score": 50, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.001", "mitre_attack_technique": "Default Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta", "definition": "eventtype=okta_log", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_threatinsight_login_failure_with_high_unknown_users_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/okta_threatinsight_login_failure_with_high_unknown_users.yml", "source": "application", "nes_fields": "user,dest"}, {"name": "Okta ThreatInsight Suspected PasswordSpray Attack", "id": "25dbad05-6682-4dd5-9ce9-8adecf0d9ae2", "version": 1, "date": "2023-03-09", "author": "Okta, Inc, Michael Haag, Splunk", "type": "TTP", "status": "experimental", "description": "The following analytic utilizes Okta's ThreatInsight to identify \"PasswordSpray\" and any included secondary outcome reasons. This event will trigger when a brute force attempt occurs with unknown usernames attempted.", "data_source": [], "search": "`okta` eventType=\"security.threat.detected\" AND outcome.reason=\"Password Spray\" | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by eventType client.userAgent.rawUserAgent client.userAgent.browser outcome.reason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_threatinsight_suspected_passwordspray_attack_filter`", "how_to_implement": "This search is specific to Okta and requires Okta logs to be ingested in your Splunk deployment.", "known_false_positives": "Fidelity of this is high as it is Okta ThreatInsight. Filter and modify as needed.", "references": ["https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm"], "tags": {"name": "Okta ThreatInsight Suspected PasswordSpray Attack", "analytic_story": ["Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "confidence": 100, "impact": 60, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "Okta ThreatInsight has detected or prevented a PasswordSpray attack.", "mitre_attack_id": ["T1078", "T1078.001", "T1110.003"], "nist": ["DE.CM"], "observable": [{"name": "outcome.reason", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventType", "client.userAgent.rawUserAgent", "client.userAgent.browser", "outcome.reason", "displayMessage"], "risk_score": 60, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.001", "mitre_attack_technique": "Default Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta", "definition": "eventtype=okta_log", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_threatinsight_suspected_passwordspray_attack_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/okta_threatinsight_suspected_passwordspray_attack.yml", "source": "application", "nes_fields": "user,dest"}, {"name": "Okta ThreatInsight Threat Detected", "id": "140504ae-5fe2-4d65-b2bc-a211813fbca6", "version": 1, "date": "2022-09-21", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "experimental", "description": "The following anomaly relies on the Okta ThreatInsight identification of a threat. Use this to drive risk up by src_ip or add additional fields to track. Identification may include password spraying, login failures and Login failures with high unknown users count.", "data_source": [], "search": "`okta` eventType IN (security.threat.detected, security.internal.threat.detected) | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | stats values(src_ip) count by signature eventType displayMessage client.device city state country user_agent outcome.reason outcome.result severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_threatinsight_threat_detected_filter`", "how_to_implement": "This analytic is specific to Okta and requires Okta logs to be ingested.", "known_false_positives": "False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed.", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=security.threat.detected"], "tags": {"name": "Okta ThreatInsight Threat Detected", "analytic_story": ["Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "The following $src_ip$ has been conisidered a threat by Okta ThreatInsight.", "mitre_attack_id": ["T1078", "T1078.001"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "signature", "eventType", "displayMessage", "client.device", "city", "state", "country", "user_agent", "outcome.reason", "outcome.result", "severity"], "risk_score": 25, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.001", "mitre_attack_technique": "Default Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Magic Hound"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta", "definition": "eventtype=okta_log", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_threatinsight_threat_detected_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/okta_threatinsight_threat_detected.yml", "source": "application"}, {"name": "Okta Two or More Rejected Okta Pushes", "id": "d93f785e-4c2c-4262-b8c7-12b77a13fd39", "version": 1, "date": "2022-09-27", "author": "Michael Haag, Marissa Bower, Splunk", "type": "TTP", "status": "experimental", "description": "The following analytic identifies an account that has rejected more than 2 Push notifications in a 10 minute window. Modify this query for your environment by upping the count or time window.", "data_source": [], "search": "`okta` outcome.reason=\"User rejected Okta push verify\" OR (debugContext.debugData.factor=\"OKTA_VERIFY_PUSH\" outcome.result=FAILURE legacyEventType=\"core.user.factor.attempt_fail\" \"target{}.detailEntry.methodTypeUsed\"=\"Get a push notification\") | bin _time as bin_time span=10m | eval user=coalesce(actor.alternateId,user), user=mvindex(split(user, \"@\"), 0), event_time = _time | stats earliest(event_time) as event_time, min(_time) as firsttime max(_time) as lasttime values(client.ipAddress) as client.ipAddress, values(outcome.reason) as outcome, values(src_ip) AS src_ip, values(client.userAgent.rawUserAgent) as user_agent, values(eventType) as eventType, values(outcome.result) as action, values(legacyEventType) as legacyEventType values(index) as idx, values(sourcetype) as st count by bin_time user host | rename bin_time as timeWindow | convert ctime(*timeWindow) ctime(firsttime) ctime(lasttime) | where count >= 2 | `okta_two_or_more_rejected_okta_pushes_filter`", "how_to_implement": "This analytic is specific to Okta and requires Okta logs to be ingested.", "known_false_positives": "False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed. Drop to anomaly until tuning is complete.", "references": ["https://developer.okta.com/docs/reference/api/event-types/?q=user.acount.lock"], "tags": {"name": "Okta Two or More Rejected Okta Pushes", "analytic_story": ["Suspicious Okta Activity", "Okta MFA Exhaustion"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "$src_user$ account has rejected multiple Okta pushes.", "mitre_attack_id": ["T1110"], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "src_user", "src_ip", "eventType", "status"], "risk_score": 64, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "datamodel": [], "macros": [{"name": "okta", "definition": "eventtype=okta_log", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_two_or_more_rejected_okta_pushes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/okta_two_or_more_rejected_okta_pushes.yml", "source": "application", "nes_fields": "user,dest"}, {"name": "Okta User Logins From Multiple Cities", "id": "7594fa07-9f34-4d01-81cc-d6af6a5db9e8", "version": 2, "date": "2020-07-21", "author": "Rico Valdez, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search detects logins from the same user from different cities in a 24 hour period.", "data_source": [], "search": "`okta` displayMessage=\"User login to Okta\" client.geographicalContext.city!=null | stats min(_time) as firstTime max(_time) as lastTime dc(client.geographicalContext.city) as locations values(client.geographicalContext.city) as cities values(client.geographicalContext.state) as states by user | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `okta_user_logins_from_multiple_cities_filter` | search locations > 1", "how_to_implement": "This search is specific to Okta and requires Okta logs are being ingested in your Splunk deployment.", "known_false_positives": "Users in your enviornment may legitmately be travelling and loggin in from different locations. This search is useful for those users that should *not* be travelling for some reason, such as the COVID-19 pandemic. The search also relies on the geographical information being populated in the Okta logs. It is also possible that a connection from another region may be attributed to a login from a remote VPN endpoint.", "references": [], "tags": {"name": "Okta User Logins From Multiple Cities", "analytic_story": ["Suspicious Okta Activity"], "asset_type": "Infrastructure", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078", "T1078.001"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "displayMessage", "client.geographicalContext.city", "client.geographicalContext.state", "user"], "risk_score": 25, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.001", "mitre_attack_technique": "Default Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Magic Hound"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "okta", "definition": "eventtype=okta_log", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta_user_logins_from_multiple_cities_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/okta_user_logins_from_multiple_cities.yml", "source": "application"}, {"name": "Path traversal SPL injection", "id": "dfe55688-82ed-4d24-a21b-ed8f0e0fda99", "version": 1, "date": "2022-04-29", "author": "Rod Soto, Splunk", "type": "TTP", "status": "production", "description": "On May 3rd, 2022, Splunk published a security advisory for a Path traversal in search parameter that can potentiall allow SPL injection. An attacker can cause the application to load data from incorrect endpoints, urls leading to outcomes such as running arbitrary SPL queries.", "data_source": [], "search": " `path_traversal_spl_injection` | search \"\\/..\\/..\\/..\\/..\\/..\\/..\\/..\\/..\\/..\\/\" | stats count by status clientip method uri_path uri_query | `path_traversal_spl_injection_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This search will provide search UI requests with path traversal parameter (\"../../../../../../../../../\") which shows exploitation attempts. This detection is meant for on premise environments, and if executed on internet facing servers without a WAF may produce a lot of results. This detection will not work against obfuscated path traversal requests.", "known_false_positives": "This search may find additional path traversal exploitation attempts.", "references": ["https://www.splunk.com/en_us/product-security/announcements/svd-2022-0506.html"], "tags": {"name": "Path traversal SPL injection", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Path traversal exploitation attempt from $clientip$", "mitre_attack_id": ["T1083"], "nist": ["DE.CM"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security"], "required_fields": ["status", "clientip", "method", "uri_path", "uri_query"], "risk_score": 40, "security_domain": "threat", "risk_severity": "low", "cve": ["CVE-2022-26889"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1083", "mitre_attack_technique": "File and Directory Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT28", "APT3", "APT32", "APT38", "APT39", "APT41", "Aoqin Dragon", "BRONZE BUTLER", "Chimera", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "Fox Kitten", "Gamaredon Group", "HAFNIUM", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "MuddyWater", "Mustang Panda", "Patchwork", "Sandworm Team", "Sidewinder", "Sowbug", "TeamTNT", "Tropic Trooper", "Turla", "Windigo", "Winnti Group", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1083/splunk/path_traversal_spl_injection.txt", "source": "splunkd_ui_access.log", "sourcetype": "splunkd_ui_access"}]}], "datamodel": [], "macros": [{"name": "path_traversal_spl_injection", "definition": "index=_internal sourcetype=splunkd_ui_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "path_traversal_spl_injection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-26889", "cvss": 5.1, "summary": "In Splunk Enterprise versions before 8.1.2, the uri path to load a relative resource within a web page is vulnerable to path traversal. It allows an attacker to potentially inject arbitrary content into the web page (e.g., HTML Injection, XSS) or bypass SPL safeguards for risky commands. The attack is browser-based. An attacker cannot exploit the attack at will and requires the attacker to initiate a request within the victim's browser (e.g., phishing)."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/path_traversal_spl_injection.yml", "source": "application", "nes_fields": "user,dest"}, {"name": "Splunk Account Discovery Drilldown Dashboard Disclosure", "id": "f844c3f6-fd99-43a2-ba24-93e35fe84be6", "version": 1, "date": "2022-08-02", "author": "Marissa Bower, Rod Soto, Splunk", "type": "TTP", "status": "experimental", "description": "Splunk drilldown vulnerability disclosure in Dashboard application that can potentially allow exposure of tokens from privilege users. An attacker can create dashboard and share it to privileged user (admin) and detokenize variables using external urls within dashboards drilldown function.", "data_source": [], "search": "| rest splunk_server=local /servicesNS/-/-/data/ui/views | search eai:data=\"*$env:*\" eai:data=\"*url*\" eai:data=\"*options*\" | rename author AS Author eai:acl.sharing AS Permissions eai:appName AS App eai:data AS \"Dashboard XML\" | fields Author Permissions App \"Dashboard XML\" | `splunk_account_discovery_drilldown_dashboard_disclosure_filter`", "how_to_implement": "This search uses REST function to query for dashboards with environment variables present in URL options.", "known_false_positives": "This search may reveal non malicious URLs with environment variables used in organizations.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"name": "Splunk Account Discovery Drilldown Dashboard Disclosure", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Potential exposure of environment variables from url embedded in dashboard", "mitre_attack_id": ["T1087"], "nist": ["DE.CM"], "observable": [{"name": "author", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["eai:data", "splunk_server", "author", "eai:acl.sharing", "eai:appName"], "risk_score": 40, "security_domain": "threat", "risk_severity": "low", "cve": ["CVE-2022-37438"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "datamodel": [], "macros": [{"name": "splunk_account_discovery_drilldown_dashboard_disclosure_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-37438", "cvss": null, "summary": "In Splunk Enterprise versions in the following table, an authenticated user can craft a dashboard that could potentially leak information (for example, username, email, and real name) about Splunk users, when visited by another user through the drilldown component. The vulnerability requires user access to create and share dashboards using Splunk Web."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_account_discovery_drilldown_dashboard_disclosure.yml", "source": "application", "nes_fields": "user,dest"}, {"name": "Splunk Code Injection via custom dashboard leading to RCE", "id": "b06b41d7-9570-4985-8137-0784f582a1b3", "version": 1, "date": "2022-10-11", "author": "Rod Soto", "type": "Hunting", "status": "experimental", "description": "This hunting search provides information about a vulnerability in Splunk Enterprise versions below 8.2.9, 8.1.12, 9.0.2, where an authenticated user can execute arbitrary code via the dashboard pdf generation component. Please review events with file=export in the _internal index for the potential targets of exploitation.", "data_source": [], "search": "`splunkd_ui` uri_path=*/data/ui/views/* OR uri_path=*saved/searches/* | dedup uri_path | eval URL=urldecode(\"uri_path\")| rex field=URL \"\\/saved\\/searches\\/(?[^\\/]*)\" | rex field=URL \"\\/data\\/ui\\/views\\/(?[^\\/]*)\" | eval NAME=NAME.\"( Saved Search )\",NAME1=NAME1.\"( Dashboard )\" | eval NAME=coalesce(NAME,NAME1) | eval STATUS=case(match(status,\"2\\d+\"),\"SUCCESS\",match(status,\"3\\d+\"),\"REDIRECTION\",match(status,\"4\\d+\") OR match(status,\"5\\d+\"),\"ERROR\") | stats list(NAME) as DASHBOARD_TITLE,list(method) as HTTP_METHOD,list(status) as Status_Code,list(STATUS) as STATUS by user | rename user as User | `splunk_code_injection_via_custom_dashboard_leading_to_rce_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.", "known_false_positives": "Not all exports and downloads are malicious, special attention must be put as well on /en-US/splunkd/__raw/services/pdfgen/render in the context of this search.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"name": "Splunk Code Injection via custom dashboard leading to RCE", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Potential exploitation of Code Injection via Dashboard PDF generation.", "mitre_attack_id": ["T1210"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["user", "clientip", "uri", "uri_path", "method", "status"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2022-43571"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1210", "mitre_attack_technique": "Exploitation of Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "Dragonfly", "Earth Lusca", "FIN7", "Fox Kitten", "MuddyWater", "Threat Group-3390", "Tonto Team", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1210/splunk/splunk_code_injection_via_custom_dashboard_leading_to_rce.txt", "source": "/opt/splunk/var/log/splunk/splunkd_ui_access.log", "sourcetype": "splunkd_ui_access", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "splunkd_ui", "definition": "index=_internal sourcetype=splunkd_ui_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_code_injection_via_custom_dashboard_leading_to_rce_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-43571", "cvss": null, "summary": "In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can execute arbitrary code through the dashboard PDF generation component."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.yml", "source": "application"}, {"name": "Splunk Command and Scripting Interpreter Delete Usage", "id": "8d3d5d5e-ca43-42be-aa1f-bc64375f6b04", "version": 1, "date": "2022-05-27", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies the use of the risky command - Delete - that may be utilized in Splunk to delete some or all data queried for. In order to use Delete in Splunk, one must be assigned the role. This is typically not used and should generate an anomaly if it is used.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where Search_Activity.search IN (\"*| delete*\") Search_Activity.search_type=adhoc Search_Activity.user!=splunk-system-user by Search_Activity.search Search_Activity.info Search_Activity.total_run_time Search_Activity.user Search_Activity.search_type | `drop_dm_object_name(Search_Activity)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_command_and_scripting_interpreter_delete_usage_filter`", "how_to_implement": "To successfully implement this search acceleration is recommended against the Search_Activity datamodel that runs against the splunk _audit index. In addition, this analytic requires the Common Information Model App which includes the Splunk Audit Datamodel https://splunkbase.splunk.com/app/1621/.", "known_false_positives": "False positives may be present if this command is used as a common practice. Filter as needed.", "references": ["https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warning"], "tags": {"name": "Splunk Command and Scripting Interpreter Delete Usage", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 10"], "confidence": 30, "impact": 90, "kill_chain_phases": ["Installation"], "message": "$user$ executed the 'delete' command, if this is unexpected it should be reviewed.", "mitre_attack_id": ["T1059"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Search_Activity.search", "Search_Activity.info", "Search_Activity.total_run_time", "Search_Activity.user", "Search_Activity.savedsearch_name", "Search_Activity.search_type"], "risk_score": 27, "security_domain": "audit", "risk_severity": "low", "cve": ["CVE-2022-32154"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1213/audittrail/audittrail.log", "source": "audittrail", "sourcetype": "audittrail", "update_timestamp": true}]}], "datamodel": ["Splunk_Audit"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "splunk_command_and_scripting_interpreter_delete_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-32154", "cvss": 4.0, "summary": "Dashboards in Splunk Enterprise versions before 9.0 might let an attacker inject risky search commands into a form token when the token is used in a query in a cross-origin request. The result bypasses SPL safeguards for risky commands. See New capabilities can limit access to some custom and potentially risky commands (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/SPLsafeguards#New_capabilities_can_limit_access_to_some_custom_and_potentially_risky_commands) for more information. Note that the attack is browser-based and an attacker cannot exploit it at will."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_command_and_scripting_interpreter_delete_usage.yml", "source": "application"}, {"name": "Splunk Command and Scripting Interpreter Risky Commands", "id": "1cf58ae1-9177-40b8-a26c-8966040f11ae", "version": 1, "date": "2022-05-23", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The Splunk platform contains built-in search processing language (SPL) safeguards to warn you when you are about to unknowingly run a search that contains commands that might be a security risk. This warning appears when you click a link or type a URL that loads a search that contains risky commands. The warning does not appear when you create ad hoc searches. This warning alerts you to the possibility of unauthorized actions by a malicious user. Unauthorized actions include - Copying or transferring data (data exfiltration), Deleting data and Overwriting data. All risky commands may be found here https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warninga. A possible scenario when this might occur is when a malicious actor creates a search that includes commands that exfiltrate or damage data. The malicious actor then sends an unsuspecting user a link to the search. The URL contains a query string (q) and a search identifier (sid), but the sid is not valid. The malicious actor hopes the user will use the link and the search will run. During analysis, pivot based on user name and filter any user or queries not needed. Queries ran from a dashboard are seen as adhoc queries. When a query runs from a dashboard it will not show in audittrail logs the source dashboard name. The query defaults to adhoc and no Splunk system user activity. In addition, modify this query by removing key commands that generate too much noise, or too little, and create separate queries with higher confidence to alert on.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where Search_Activity.search IN (\"*| runshellscript *\", \"*| collect *\",\"*| delete *\", \"*| fit *\", \"*| outputcsv *\", \"*| outputlookup *\", \"*| run *\", \"*| script *\", \"*| sendalert *\", \"*| sendemail *\", \"*| tscolle*\") Search_Activity.search_type=adhoc Search_Activity.user!=splunk-system-user by Search_Activity.search Search_Activity.info Search_Activity.total_run_time Search_Activity.user Search_Activity.search_type | `drop_dm_object_name(Search_Activity)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_command_and_scripting_interpreter_risky_commands_filter`", "how_to_implement": "To successfully implement this search acceleration is recommended against the Search_Activity datamodel that runs against the splunk _audit index. In addition, this analytic requires the Common Information Model App which includes the Splunk Audit Datamodel https://splunkbase.splunk.com/app/1621/. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "False positives will be present until properly filtered by Username and search name.", "references": ["https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warning", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"name": "Splunk Command and Scripting Interpreter Risky Commands", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 10"], "confidence": 40, "impact": 50, "kill_chain_phases": ["Installation"], "message": "A risky Splunk command has ran by $user$ and should be reviewed.", "mitre_attack_id": ["T1059"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Search_Activity.search", "Search_Activity.info", "Search_Activity.total_run_time", "Search_Activity.user", "Search_Activity.savedsearch_name", "Search_Activity.search_type"], "risk_score": 20, "security_domain": "audit", "risk_severity": "low", "cve": ["CVE-2022-32154"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1213/audittrail/audittrail.log", "source": "audittrail", "sourcetype": "audittrail", "update_timestamp": true}]}], "datamodel": ["Splunk_Audit"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "splunk_command_and_scripting_interpreter_risky_commands_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-32154", "cvss": 4.0, "summary": "Dashboards in Splunk Enterprise versions before 9.0 might let an attacker inject risky search commands into a form token when the token is used in a query in a cross-origin request. The result bypasses SPL safeguards for risky commands. See New capabilities can limit access to some custom and potentially risky commands (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/SPLsafeguards#New_capabilities_can_limit_access_to_some_custom_and_potentially_risky_commands) for more information. Note that the attack is browser-based and an attacker cannot exploit it at will."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_command_and_scripting_interpreter_risky_commands.yml", "source": "application"}, {"name": "Splunk Command and Scripting Interpreter Risky SPL MLTK", "id": "19d0146c-2eae-4e53-8d39-1198a78fa9ca", "version": 1, "date": "2022-05-27", "author": "Abhinav Mishra, Kumar Sharad and Xiao Lin, Splunk", "type": "Anomaly", "status": "production", "description": "This detection utilizes machine learning model named \"risky_command_abuse\" trained from \"Splunk Command and Scripting Interpreter Risky SPL MLTK Baseline\". It should be scheduled to run hourly to detect whether a user has run searches containing risky SPL from this list https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warninga with abnormally long running time in the past one hour, comparing with his/her past seven days history. This search uses the trained baseline to infer whether a search is an outlier (isOutlier ~= 1.0) or not (isOutlier~= 0.0)", "data_source": [], "search": "| tstats sum(Search_Activity.total_run_time) AS run_time, values(Search_Activity.search) as searches, count FROM datamodel=Splunk_Audit.Search_Activity WHERE (Search_Activity.user!=\"\") AND (Search_Activity.total_run_time>1) AND (earliest=-1h@h latest=now) AND (Search_Activity.search IN (\"*| runshellscript *\", \"*| collect *\",\"*| delete *\", \"*| fit *\", \"*| outputcsv *\", \"*| outputlookup *\", \"*| run *\", \"*| script *\", \"*| sendalert *\", \"*| sendemail *\", \"*| tscolle*\")) AND (Search_Activity.search_type=adhoc) AND (Search_Activity.user!=splunk-system-user) BY _time, Search_Activity.user span=1h | apply risky_command_abuse | fields _time, Search_Activity.user, searches, run_time, IsOutlier(run_time) | rename IsOutlier(run_time) as isOutlier, _time as timestamp | where isOutlier>0.5 | `splunk_command_and_scripting_interpreter_risky_spl_mltk_filter`", "how_to_implement": "This detection depends on MLTK app which can be found here - https://splunkbase.splunk.com/app/2890/ and the Splunk Audit datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. Baseline model needs to be built using \"Splunk Command and Scripting Interpreter Risky SPL MLTK Baseline\" before this search can run. Please note that the current search only finds matches exactly one space between separator bar and risky commands.", "known_false_positives": "If the run time of a search exceeds the boundaries of outlier defined by the fitted density function model, false positives can occur, incorrectly labeling a long running search as potentially risky.", "references": ["https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warning"], "tags": {"name": "Splunk Command and Scripting Interpreter Risky SPL MLTK", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Web Server", "cis20": ["CIS 10"], "confidence": 40, "impact": 50, "kill_chain_phases": ["Installation"], "message": "Abnormally long run time for risk SPL command seen by user $(Search_Activity.user).", "mitre_attack_id": ["T1059"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Search_Activity.search", "Search_Activity.total_run_time", "Search_Activity.user", "Search_Activity.search_type"], "risk_score": 20, "security_domain": "audit", "risk_severity": "low", "cve": ["CVE-2022-32154"], "manual_test": "This search has a baseline and timestamps hard coded into the search.", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://github.com/splunk/attack_data/raw/master/datasets/attack_techniques/T1203/search_activity.txt", "source": "audittrail", "sourcetype": "audittrail", "update_timestamp": true}]}], "datamodel": ["Splunk_Audit"], "macros": [{"name": "splunk_command_and_scripting_interpreter_risky_spl_mltk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-32154", "cvss": 4.0, "summary": "Dashboards in Splunk Enterprise versions before 9.0 might let an attacker inject risky search commands into a form token when the token is used in a query in a cross-origin request. The result bypasses SPL safeguards for risky commands. See New capabilities can limit access to some custom and potentially risky commands (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/SPLsafeguards#New_capabilities_can_limit_access_to_some_custom_and_potentially_risky_commands) for more information. Note that the attack is browser-based and an attacker cannot exploit it at will."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_command_and_scripting_interpreter_risky_spl_mltk.yml", "source": "application"}, {"name": "Splunk csrf in the ssg kvstore client endpoint", "id": "4742d5f7-ce00-45ce-9c79-5e98b43b4410", "version": 1, "date": "2023-02-14", "author": "Rod Soto", "type": "TTP", "status": "production", "description": "In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a cross-site request forgery in the Splunk Secure Gateway (SSG) app in the kvstore_client endpoint allows for updating SSG KV store collections via a GET request. SSG is a Splunk Built app included by default with Splunk Enterprise. The vulnerability affects instances with SSG and Splunk Web enabled. This hunting search provides information on affected server specific method and post data that may reveal exploitation of this vulnerability.", "data_source": [], "search": "`splunkda` uri_path=\"/en-US/splunkd/__raw/services/ssg/kvstore_client\" method=\"GET\" delete_field_value=\"spacebridge_server\" status=\"200\" | table splunk_server status uri delete_field_value method post_data | `splunk_csrf_in_the_ssg_kvstore_client_endpoint_filter`", "how_to_implement": "Requires access to internal index.", "known_false_positives": "This hunting search only applies to the affected versions and setup mentioned in the description of this search, it does not extract payload so it requires manual investigation after executing search. This search will produce false positives.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"name": "Splunk csrf in the ssg kvstore client endpoint", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "Potential CSRF exploitation attempt from $host$", "mitre_attack_id": ["T1189"], "nist": ["DE.CM"], "observable": [{"name": "splunk_server", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["splunk_server", "status", "uri", "delete_field_value", "method", "post_data"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "cve": ["CVE-2023-22942"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_csrf_in_the_ssg_kvstore_client_endpoint_data.log", "source": "splunkd_access.log", "sourcetype": "splunkd_access"}]}], "datamodel": [], "macros": [{"name": "splunkda", "definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_csrf_in_the_ssg_kvstore_client_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2023-22942", "cvss": null, "summary": "In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a cross-site request forgery in the Splunk Secure Gateway (SSG) app in the ‘kvstore_client’ REST endpoint lets a potential attacker update SSG [App Key Value Store (KV store)](https://docs.splunk.com/Documentation/Splunk/latest/Admin/AboutKVstore) collections using an HTTP GET request. SSG is a Splunk-built app that comes with Splunk Enterprise. The vulnerability affects instances with SSG and Splunk Web enabled."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_csrf_in_the_ssg_kvstore_client_endpoint.yml", "source": "application", "nes_fields": "user,dest"}, {"name": "Splunk Data exfiltration from Analytics Workspace using sid query", "id": "b6d77c6c-f011-4b03-8650-8f10edb7c4a8", "version": 1, "date": "2022-11-1", "author": "Rod Soto, Eric McGinnis", "type": "Hunting", "status": "production", "description": "This hunting search allows operator to discover attempts to exfiltrate data by executing a prepositioned malicious search ID in Analytic Workspace in Splunk Enterprise versions 8.2.9,8.1.12,9.0.2. The attack is browser-based. It requires the attacker to compel a victim to initiate a request within their browser (phishing). The attacker cannot exploit the vulnerability at will.", "data_source": [], "search": "`audit_searches` info=granted search NOT (\"audit_searches\") search NOT (\"security_content_summariesonly\") AND ((search=\"*mstats*[*]*\" AND provenance=\"N/A\") OR (search=\"*mstats*\\\\\\\"*[*]*\\\\\\\"*\"))| eval warning=if(match(search,\"\\\\\\\\\\\"\"), \"POTENTIAL INJECTION STAGING\", \"POTENTIAL INJECTION EXECUTION\") | table search, user, warning, timestamp | `splunk_data_exfiltration_from_analytics_workspace_using_sid_query_filter`", "how_to_implement": "The vulnerability affects only instances with Splunk Web Enabled. After running this search, please run \"Splunk Command and Scripting Interpreter Risky SPL MLTK\" to gain more insight into potentially risky commands which could lead to data exfiltration.", "known_false_positives": "This search may produce false positives. This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. Special attention must be paid to \"/en-US/app/search/analytics_workspace?sid=[sid]\" which is where the malicious code will be inserted to trigger attack at victim.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"name": "Splunk Data exfiltration from Analytics Workspace using sid query", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "message": "Potential data exfiltration attack using SID query by $user$", "mitre_attack_id": ["T1567"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["action", "info", "user", "search_id", "metadata", "user", "_time"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2022-43566"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1567", "mitre_attack_technique": "Exfiltration Over Web Service", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT28", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1567/splunk/splunk_data_exfiltration_from_analytics_workspace_using_sid_query.txt", "source": "audittrail", "sourcetype": "audittrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "audit_searches", "definition": "index=_audit sourcetype=audittrail action=search", "description": "Macro to enable easy searching of audittrail logs for searches"}, {"name": "splunk_data_exfiltration_from_analytics_workspace_using_sid_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-43566", "cvss": null, "summary": "In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run risky commands using a more privileged user’s permissions to bypass SPL safeguards for risky commands https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SPLsafeguards in the Analytics Workspace. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The attacker cannot exploit the vulnerability at will."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_data_exfiltration_from_analytics_workspace_using_sid_query.yml", "source": "application"}, {"name": "Splunk Digital Certificates Infrastructure Version", "id": "3c162281-7edb-4ebc-b9a4-5087aaf28fa7", "version": 1, "date": "2022-05-26", "author": "Lou Stella, Splunk", "type": "Hunting", "status": "production", "description": "This search will check the TLS validation is properly configured on the search head it is run from as well as its search peers after Splunk version 9. Other components such as additional search heads or anything this rest command cannot be distributed to will need to be manually checked.", "data_source": [], "search": "| rest /services/server/info | table splunk_server version server_roles | join splunk_server [| rest /servicesNS/nobody/search/configs/conf-server/ search=\"sslConfig\"| table splunk_server sslVerifyServerCert sslVerifyServerName serverCert] | fillnull value=\"Not Set\" | rename sslVerifyServerCert as \"Server.conf:SslConfig:sslVerifyServerCert\", sslVerifyServerName as \"Server.conf:SslConfig:sslVerifyServerName\", serverCert as \"Server.conf:SslConfig:serverCert\" | `splunk_digital_certificates_infrastructure_version_filter`", "how_to_implement": "The user running this search is required to have a permission allowing them to dispatch REST requests to indexers (the `dispatch_rest_to_indexers` capability) in some architectures. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "No known at this time.", "references": ["https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation#Configure_TLS_host_name_validation_for_Splunk-to-Splunk_communication", "https://www.splunk.com/en_us/product-security/announcements/svd-2022-0602.html", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"name": "Splunk Digital Certificates Infrastructure Version", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 50, "kill_chain_phases": ["Weaponization"], "message": "$splunk_server$ may not be properly validating TLS Certificates", "mitre_attack_id": ["T1587.003"], "nist": ["DE.AE"], "observable": [{"name": "splunk_server", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["none"], "risk_score": 50, "security_domain": "threat", "risk_severity": "medium", "cve": ["CVE-2022-32153"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1587.003", "mitre_attack_technique": "Digital Certificates", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29", "PROMETHIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1213/audittrail/audittrail.log", "source": "audittrail", "sourcetype": "audittrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "splunk_digital_certificates_infrastructure_version_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-32153", "cvss": 6.8, "summary": "Splunk Enterprise peers in Splunk Enterprise versions before 9.0 and Splunk Cloud Platform versions before 8.2.2203 did not validate the TLS certificates during Splunk-to-Splunk communications by default. Splunk peer communications configured properly with valid certificates were not vulnerable. However, an attacker with administrator credentials could add a peer without a valid certificate and connections from misconfigured nodes without valid certificates did not fail by default. For Splunk Enterprise, update to Splunk Enterprise version 9.0 and Configure TLS host name validation for Splunk-to-Splunk communications (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation) to enable the remediation."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_digital_certificates_infrastructure_version.yml", "source": "application"}, {"name": "Splunk Digital Certificates Lack of Encryption", "id": "386a7ebc-737b-48cf-9ca8-5405459ed508", "version": 1, "date": "2022-05-26", "author": "Lou Stella, Splunk", "type": "Anomaly", "status": "production", "description": "On June 14th, 2022, Splunk released a security advisory relating to the authentication that happens between Universal Forwarders and Deployment Servers. In some circumstances, an unauthenticated client can download forwarder bundles from the Deployment Server. In other circumstances, a client may be allowed to publish a forwarder bundle to other clients, which may allow for arbitrary code execution. The fixes for these require upgrading to at least Splunk 9.0 on the forwarder as well. This is a great opportunity to configure TLS across the environment. This search looks for forwarders that are not using TLS and adds risk to those entities.", "data_source": [], "search": "`splunkd` group=\"tcpin_connections\" ssl=\"false\" | stats values(sourceIp) latest(fwdType) latest(version) by hostname | `splunk_digital_certificates_lack_of_encryption_filter`", "how_to_implement": "This anomaly search looks for forwarder connections that are not currently using TLS. It then presents the source IP, the type of forwarder, and the version of the forwarder. You can also remove the \"ssl=false\" argument from the initial stanza in order to get a full list of all your forwarders that are sending data, and the version of Splunk software they are running, for audit purposes. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "None at this time", "references": ["https://www.splunk.com/en_us/product-security/announcements/svd-2022-0607.html", "https://www.splunk.com/en_us/product-security/announcements/svd-2022-0601.html", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"name": "Splunk Digital Certificates Lack of Encryption", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 25, "kill_chain_phases": ["Weaponization"], "message": "$hostname$ is not using TLS when forwarding data", "mitre_attack_id": ["T1587.003"], "nist": ["DE.AE"], "observable": [{"name": "hostname", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["group", "ssl", "sourceIp", "fwdType", "version", "hostname"], "risk_score": 20, "security_domain": "threat", "risk_severity": "low", "cve": ["CVE-2022-32151"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1587.003", "mitre_attack_technique": "Digital Certificates", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29", "PROMETHIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1587.003/splunk_fwder/splunkd.log", "source": "/opt/splunk/var/log/splunk/metrics.log", "sourcetype": "splunkd", "update_timestamp": false}]}], "datamodel": [], "macros": [{"name": "splunkd", "definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_digital_certificates_lack_of_encryption_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-32151", "cvss": 6.4, "summary": "The httplib and urllib Python libraries that Splunk shipped with Splunk Enterprise did not validate certificates using the certificate authority (CA) certificate stores by default in Splunk Enterprise versions before 9.0 and Splunk Cloud Platform versions before 8.2.2203. Python 3 client libraries now verify server certificates by default and use the appropriate CA certificate stores for each library. Apps and add-ons that include their own HTTP libraries are not affected. For Splunk Enterprise, update to Splunk Enterprise version 9.0 and Configure TLS host name validation for Splunk-to-Splunk communications (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation) to enable the remediation."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_digital_certificates_lack_of_encryption.yml", "source": "application"}, {"name": "Splunk DOS Via Dump SPL Command", "id": "fb0e6823-365f-48ed-b09e-272ac4c1dad6", "version": 1, "date": "2023-05-10", "author": "Rod Soto", "type": "Hunting", "status": "production", "description": "In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, an attacker can exploit a vulnerability in the dump SPL command to cause a Denial of Service by crashing the Splunk daemon.", "data_source": ["splunkd.log"], "search": "`splunk_crash_log` \"*Segmentation fault*\" | stats count by host _time | `splunk_dos_via_dump_spl_command_filter`", "how_to_implement": "This search does not require additional ingestion of data. Requires the ability to search _internal index and monitor segmentation faults.", "known_false_positives": "Segmentation faults may occur due to other causes, so this search may produce false positives", "references": ["https://advisory.splunk.com/"], "tags": {"name": "Splunk DOS Via Dump SPL Command", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Actions on Objectives"], "message": "Possible denial of service attack with Victim $host$", "mitre_attack_id": ["T1499.004"], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise"], "required_fields": ["host", "source", "event_message", "status", "_time"], "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "atomic_guid": [], "mitre_attack_enrichments": [{"mitre_attack_id": "T1499.004", "mitre_attack_technique": "Application or System Exploitation", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1499.004/splunk/splunk_dos_via_dump_spl_command.log", "source": "/opt/splunk/var/log/splunk/splunkd.log", "sourcetype": "splunkd_crash_log"}]}], "datamodel": [], "macros": [{"name": "splunk_crash_log", "definition": "(index=_internal AND sourcetype=splunkd_crash_log)", "description": "Searches through the Splunk Crash Log for low-level errors and crashes"}, {"name": "splunk_dos_via_dump_spl_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_dos_via_dump_spl_command.yml", "source": "application"}, {"name": "Splunk DoS via Malformed S2S Request", "id": "fc246e56-953b-40c1-8634-868f9e474cbd", "version": 2, "date": "2022-03-24", "author": "Lou Stella, Splunk", "type": "TTP", "status": "production", "description": "On March 24th, 2022, Splunk published a security advisory for a possible Denial of Service stemming from the lack of validation in a specific key-value field in the Splunk-to-Splunk (S2S) protocol. This detection will alert on attempted exploitation in patched versions of Splunk.", "data_source": [], "search": "`splunkd` log_level=\"ERROR\" component=\"TcpInputProc\" thread_name=\"FwdDataReceiverThread\" \"Invalid _meta atom\" | table host, src | `splunk_dos_via_malformed_s2s_request_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This detection will only find attempted exploitation on versions of Splunk already patched for CVE-2021-3422.", "known_false_positives": "None.", "references": ["https://www.splunk.com/en_us/product-security/announcements/svd-2022-0301.html"], "tags": {"name": "Splunk DoS via Malformed S2S Request", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "message": "An attempt to exploit CVE-2021-3422 was detected from $src$ against $host$", "mitre_attack_id": ["T1498"], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["host", "src", "log_level", "component", "thread_name"], "risk_score": 50, "security_domain": "threat", "risk_severity": "medium", "cve": ["CVE-2021-3422"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1498", "mitre_attack_technique": "Network Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT28"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1498/splunk_indexer_dos/splunkd.log", "source": "/opt/splunk/var/log/splunk/splunkd.log", "sourcetype": "splunkd", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "splunkd", "definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_dos_via_malformed_s2s_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-3422", "cvss": 4.3, "summary": "The lack of validation of a key-value field in the Splunk-to-Splunk protocol results in a denial-of-service in Splunk Enterprise instances configured to index Universal Forwarder traffic. The vulnerability impacts Splunk Enterprise versions before 7.3.9, 8.0 versions before 8.0.9, and 8.1 versions before 8.1.3. It does not impact Universal Forwarders. When Splunk forwarding is secured using TLS or a Token, the attack requires compromising the certificate or token, or both. Implementation of either or both reduces the severity to Medium."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_dos_via_malformed_s2s_request.yml", "source": "application", "nes_fields": "user,dest"}, {"name": "Splunk Edit User Privilege Escalation", "id": "39e1c326-67d7-4c0d-8584-8056354f6593", "version": 1, "date": "2023-05-23", "author": "Rod Soto, Chase Franklin", "type": "Hunting", "status": "production", "description": "A low-privilege user who holds a role that has the edit_user capability assigned to it can escalate their privileges to that of the admin user by providing specially crafted web requests.", "data_source": ["audittrail"], "search": "`audittrail` action IN (\"change_own_password\",\"password_change\",\"edit_password\") AND info=\"granted\" AND NOT user IN (admin, splunk-system-user) | stats earliest(_time) as event_time values(index) as index values(sourcetype) as sourcetype values(action) as action values(info) as info by user | `splunk_edit_user_privilege_escalation_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to discover abuse of edit_user privilege.", "known_false_positives": "This search may produce false positives as password changing actions may be part of normal behavior. Operator will need to investigate these actions in order to discern exploitation attempts.", "references": ["https://advisory.splunk.com/"], "tags": {"name": "Splunk Edit User Privilege Escalation", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "Possible attempt to abuse edit_user function by $user$", "mitre_attack_id": ["T1548"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["user", "action", "info", "_time"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "cve": [], "atomic_guid": [], "mitre_attack_enrichments": [{"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/splunk/splunk_edit_user_privilege_escalation.log", "source": "audittrail", "sourcetype": "audittrail"}]}], "datamodel": [], "macros": [{"name": "audittrail", "definition": "index=_audit sourcetype=audittrail", "description": "Macro to enable easy searching of audittrail logs"}, {"name": "splunk_edit_user_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_edit_user_privilege_escalation.yml", "source": "application"}, {"name": "Splunk Endpoint Denial of Service DoS Zip Bomb", "id": "b237d393-2f57-4531-aad7-ad3c17c8b041", "version": 1, "date": "2022-08-02", "author": "Marissa Bower, Rod Soto, Splunk", "type": "TTP", "status": "production", "description": "This search allows operator to identify Splunk search app crashes resulting from specially crafted ZIP file using file monitoring that affects UF versions 8.1.11 and 8.2 versions below 8.2.7.1. It is not possible to detect Zip Bomb attack before crash. This search will provide Universal Forwarder errors from uploaded binary files (zip compression) which are used for this attack. If an analyst sees results from this search we suggest you investigate and triage what zip file was uploaded, zip compressed files may have different extensions.", "data_source": [], "search": "`splunkd` component=FileClassifierManager event_message=*invalid* event_message=*binary* |stats count by host component event_message | `splunk_endpoint_denial_of_service_dos_zip_bomb_filter`", "how_to_implement": "Need to monitor Splunkd data from Universal Forwarders.", "known_false_positives": "This search may reveal non malicious zip files causing errors as well.", "references": ["https://en.wikipedia.org/wiki/ZIP_(file_format)", "https://www.splunk.com/en_us/product-security.html"], "tags": {"name": "Splunk Endpoint Denial of Service DoS Zip Bomb", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 75, "impact": 100, "kill_chain_phases": ["Actions on Objectives"], "message": "Potential exposure of environment variables from url embedded in dashboard", "mitre_attack_id": ["T1499"], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["source", "component", "event_message", "host"], "risk_score": 75, "security_domain": "threat", "risk_severity": "medium", "cve": ["CVE-2022-37439"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1499", "mitre_attack_technique": "Endpoint Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Sandworm Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1499/splunk/splunk_zip_bomb_vulnerability.log", "source": "/opt/splunkforwarder/var/log/splunk/splunkd.log", "sourcetype": "splunkd"}]}], "datamodel": [], "macros": [{"name": "splunkd", "definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_endpoint_denial_of_service_dos_zip_bomb_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-37439", "cvss": null, "summary": "In Splunk Enterprise and Universal Forwarder versions in the following table, indexing a specially crafted ZIP file using the file monitoring input can result in a crash of the application. Attempts to restart the application would result in a crash and would require manually removing the malformed file."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_endpoint_denial_of_service_dos_zip_bomb.yml", "source": "application", "nes_fields": "user,dest"}, {"name": "Splunk HTTP Response Splitting Via Rest SPL Command", "id": "e615a0e1-a1b2-4196-9865-8aa646e1708c", "version": 1, "date": "2023-05-23", "author": "Rod Soto, Chase Franklin", "type": "Hunting", "status": "production", "description": "A low-privileged user, using a specially crafted search command, can trigger an HTTP response splitting vulnerability with the rest SPL command that lets them potentially access other REST endpoints in the system arbitrarily, including accessing restricted content such as password files. This is because the user is able to inject the rest SPL command into the q parameter of an HTTP GET web request. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The attacker cannot exploit the vulnerability at will.", "data_source": ["audittrail"], "search": "`audit_searches` AND search IN (\"*|*rest*POST*\",\"*|*rest*PUT*\",\"*|*rest*PATCH*\",\"*|*rest*DELETE*\") AND NOT search=\"*audit_searches*\" | table user info has_error_msg search _time | `splunk_http_response_splitting_via_rest_spl_command_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This search may assist in detecting possible http response splitting exploitation attemptss.", "known_false_positives": "This search may have produce false positives as malformed or erroneous requests made to this endpoint may be executed willingly or erroneously by operators.", "references": ["https://advisory.splunk.com/"], "tags": {"name": "Splunk HTTP Response Splitting Via Rest SPL Command", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Suspicious access by $user$", "mitre_attack_id": ["T1027.006"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "URL String", "role": ["Victim"]}], "product": ["Splunk Enterprise"], "required_fields": ["search", "testing_endpoint", "info", "has_error_msg"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "atomic_guid": [], "mitre_attack_enrichments": [{"mitre_attack_id": "T1027.006", "mitre_attack_technique": "HTML Smuggling", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027.006/splunk/splunk_http_response_splitting_via_rest_spl_command.log", "source": "audittrail", "sourcetype": "audittrail"}]}], "datamodel": [], "macros": [{"name": "audit_searches", "definition": "index=_audit sourcetype=audittrail action=search", "description": "Macro to enable easy searching of audittrail logs for searches"}, {"name": "splunk_http_response_splitting_via_rest_spl_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_http_response_splitting_via_rest_spl_command.yml", "source": "application"}, {"name": "Splunk Improperly Formatted Parameter Crashes splunkd", "id": "08978eca-caff-44c1-84dc-53f17def4e14", "version": 1, "date": "2023-02-14", "author": "Chase Franklin, Rod Soto, Splunk", "type": "TTP", "status": "experimental", "description": "In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, when the INGEST\\\\_EVAL parameter is improperly formatted, it crashes splunkd. This hunting search provides the user, timing and number of times the crashing command was executed.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where (Search_Activity.search=\"*makeresults*\"AND Search_Activity.search=\"*ingestpreview*transforms*\") Search_Activity.search_type=adhoc Search_Activity.search!=\"*splunk_improperly_formatted_parameter_crashes_splunkd_filter*\" Search_Activity.user!=splunk-system-user by Search_Activity.search, Search_Activity.info, Search_Activity.total_run_time, Search_Activity.user, Search_Activity.search_type | `drop_dm_object_name(Search_Activity)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_improperly_formatted_parameter_crashes_splunkd_filter`", "how_to_implement": "Requires access to audittrail and use of Splunk_Audit.Search_Activity datamodel.", "known_false_positives": "This is a hunting search it should be focused on affected products, otherwise it is likely to produce false positives.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"name": "Splunk Improperly Formatted Parameter Crashes splunkd", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Actions on Objectives"], "message": "An attempt to exploit ingest eval parameter was detected from $user$", "mitre_attack_id": ["T1499"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise"], "required_fields": ["user", "count", "info"], "risk_score": 100, "security_domain": "threat", "risk_severity": "high", "cve": ["CVE-2023-22941"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1499", "mitre_attack_technique": "Endpoint Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Sandworm Team"]}]}, "datamodel": ["Splunk_Audit"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "splunk_improperly_formatted_parameter_crashes_splunkd_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2023-22941", "cvss": null, "summary": "In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, an improperly-formatted ‘INGEST_EVAL’ parameter in a [Field Transformation](https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Managefieldtransforms) crashes the Splunk daemon (splunkd)."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_improperly_formatted_parameter_crashes_splunkd.yml", "source": "application", "nes_fields": "user,dest"}, {"name": "Splunk list all nonstandard admin accounts", "id": "401d689c-8596-4c6b-a710-7b6fdca296d3", "version": 1, "date": "2023-02-07", "author": "Rod Soto", "type": "Hunting", "status": "experimental", "description": "This search will enumerate all Splunk Accounts with administrative rights on this instance. It deliberately ignores the default admin account since this is assumed to be present. This search may help in a detection the Cross-Site Scripting Attack listed: In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a View allows for Cross-Site Scripting in an XML View through the 'layoutPanel' attribute in the 'module' tag. The vulnerability affects instances with Splunk Web enabled.", "data_source": [], "search": "| rest splunk_server=local /services/authentication/users |search capabilities=admin* OR imported_capabilities=admin* title!=admin | table title roles capabilities splunk_server | `splunk_list_all_nonstandard_admin_accounts_filter`", "how_to_implement": "The user running this search is required to have a permission allowing them to dispatch REST requests to indexers (the `dispatch_rest_to_indexers` capability) in some architectures. If there have been admin account, in addition to the standard admin account, intentionally created on this server, then edit the filter macro to exclude them.", "known_false_positives": "It is not possible to discern from the user table whether or not users with admin rights have been created intentionally, accidentally, or as a result of exploitation. Each user with these rights should be investigated and, if legitimate, added to the filter macro above. If a user is not believed to be legitimate, then further investigation should take place.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"name": "Splunk list all nonstandard admin accounts", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "Potential stored XSS attempt from $host$", "mitre_attack_id": ["T1189"], "nist": ["DE.AE"], "observable": [{"name": "splunk_server", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["capabilities", "splunk_server", "title"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2023-22933"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}]}, "datamodel": [], "macros": [{"name": "splunk_list_all_nonstandard_admin_accounts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2023-22933", "cvss": null, "summary": "In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a View allows for Cross-Site Scripting (XSS) in an extensible mark-up language (XML) View through the ‘layoutPanel’ attribute in the ‘module’ tag’. The vulnerability affects instances with Splunk Web enabled."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_list_all_nonstandard_admin_accounts.yml", "source": "application"}, {"name": "Splunk Low Privilege User Can View Hashed Splunk Password", "id": "a1be424d-e59c-4583-b6f9-2dcc23be4875", "version": 1, "date": "2023-05-09", "author": "Rod Soto, Eric McGinnis, Chase Franklin", "type": "Hunting", "status": "production", "description": "In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, a low-privilege user who holds the user role can see the hashed version of the initial user name and password for the Splunk instance by using the rest SPL command against the conf-user-seed REST endpoint. This can lead to a privilege escalation that lets the user take over the admin account on the instance.", "data_source": ["splunk_web_access"], "search": "`splunkd_web` uri=\"*/servicesNS/nobody/system/configs/conf-user-seed*\" | stats earliest(_time) as event_time values(method) as method values(status) as status values(clientip) as clientip values(useragent) as useragent values(file) as file by user | convert ctime(*time) | `splunk_low_privilege_user_can_view_hashed_splunk_password_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to discover attempts to access con-user-seed file content.", "known_false_positives": "This search may produce false positives as accounts with high privileges may access this file. Operator will need to investigate these actions in order to discern exploitation attempts.", "references": ["https://advisory.splunk.com/"], "tags": {"name": "Splunk Low Privilege User Can View Hashed Splunk Password", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "Attempt to access Splunk hashed password file from $clientip$", "mitre_attack_id": ["T1212"], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise"], "required_fields": ["_time", "clientip", "useragent", "file", "user", "method", "status"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "atomic_guid": [], "mitre_attack_enrichments": [{"mitre_attack_id": "T1212", "mitre_attack_technique": "Exploitation for Credential Access", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1212/splunk/splunk_low_privilege_user_can_view_hashed_splunk_password.log", "source": "/opt/splunk/var/log/splunk/web_access.log", "sourcetype": "splunk_web_access"}]}], "datamodel": [], "macros": [{"name": "splunkd_web", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_low_privilege_user_can_view_hashed_splunk_password_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_low_privilege_user_can_view_hashed_splunk_password.yml", "source": "application"}, {"name": "Splunk Path Traversal In Splunk App For Lookup File Edit", "id": "8ed58987-738d-4917-9e44-b8ef6ab948a6", "version": 1, "date": "2023-05-11", "author": "Rod Soto, Eric McGinnis", "type": "Hunting", "status": "production", "description": "In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, a low-privilege user with access to the Splunk App for Lookup File Editing can, with a specially crafted web request, trigger a path traversal exploit that can then be used to read and write to restricted areas of the Splunk installation directory, including but not limited to the password hash file for the instance.", "data_source": ["splunkd_access"], "search": "`splunkda` uri_query=*lookup_file* | table clientip uri_query lookup_file owner namespace version | stats count by clientip namespace lookup_file uri_query | `splunk_path_traversal_in_splunk_app_for_lookup_file_edit_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This detection is meant for on premise environments, and if executed on internet facing servers without a WAF may produce a lot of results. This detection will not work against obfuscated path traversal requests.", "known_false_positives": "This search may find additional path traversal exploitation attempts or malformed requests.", "references": ["https://advisory.splunk.com/"], "tags": {"name": "Splunk Path Traversal In Splunk App For Lookup File Edit", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Path traversal exploitation attempt from $clientip$", "mitre_attack_id": ["T1083"], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise"], "required_fields": ["clientip", "uri_query", "event_message", "lookup_file", "owner", "method", "user"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "atomic_guid": [], "mitre_attack_enrichments": [{"mitre_attack_id": "T1083", "mitre_attack_technique": "File and Directory Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT28", "APT3", "APT32", "APT38", "APT39", "APT41", "Aoqin Dragon", "BRONZE BUTLER", "Chimera", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "Fox Kitten", "Gamaredon Group", "HAFNIUM", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "MuddyWater", "Mustang Panda", "Patchwork", "Sandworm Team", "Sidewinder", "Sowbug", "TeamTNT", "Tropic Trooper", "Turla", "Windigo", "Winnti Group", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1083/splunk/splunk_path_traversal_in_splunk_app_for_lookup_file_edit.log", "source": "splunkd_access", "sourcetype": "splunkd_access"}]}], "datamodel": [], "macros": [{"name": "splunkda", "definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_path_traversal_in_splunk_app_for_lookup_file_edit_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_path_traversal_in_splunk_app_for_lookup_file_edit.yml", "source": "application"}, {"name": "Persistent XSS in RapidDiag through User Interface Views", "id": "ce6e1268-e01c-4df2-a617-0f034ed49a43", "version": 1, "date": "2023-02-14", "author": "Rod Soto, Splunk", "type": "TTP", "status": "production", "description": "In Splunk Enterprise 9.0 versions before 9.0.4, a View allows for Cross-Site Scripting through the error message in a Base64-encoded image. The vulnerability affects instances with Splunk Web enabled. It does not affect Splunk Enterprise versions below 9.0. This search provides information on what user may have potentially added a malicious payload and what users were exposed to it.", "data_source": [], "search": "`audit_searches` path=/opt/splunk/etc/users/*/search/local/data/ui/views/* action=* |table user action roles info roles path | dedup user action | `persistent_xss_in_rapiddiag_through_user_interface_views_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index", "known_false_positives": "This is a hunting search, it will not deobfuscate base64 payload, it provides however it will provide what user added the view artifact and what user opened it. It will require further investigation based on the information presented by this hunting search.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"name": "Persistent XSS in RapidDiag through User Interface Views", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "A potential XSS attempt has been detected from $user$", "mitre_attack_id": ["T1189"], "nist": ["DE.CM"], "observable": [{"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["user", "action", "roles", "info", "roles", "path"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "cve": ["CVE-2023-22932"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_persistent_xss_in_rapiddiag_through_user_interface_views_data.log", "source": "audittrail", "sourcetype": "audittrail"}]}], "datamodel": [], "macros": [{"name": "audit_searches", "definition": "index=_audit sourcetype=audittrail action=search", "description": "Macro to enable easy searching of audittrail logs for searches"}, {"name": "persistent_xss_in_rapiddiag_through_user_interface_views_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2023-22932", "cvss": null, "summary": "In Splunk Enterprise 9.0 versions before 9.0.4, a View allows for Cross-Site Scripting (XSS) through the error message in a Base64-encoded image. The vulnerability affects instances with Splunk Web enabled. It does not affect Splunk Enterprise versions below 9.0."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_persistent_xss_in_rapiddiag_through_user_interface_views.yml", "source": "application", "nes_fields": "user,dest"}, {"name": "Splunk Persistent XSS Via URL Validation Bypass W Dashboard", "id": "8a43558f-a53c-4ee4-86c1-30b1e8ef3606", "version": 1, "date": "2023-05-09", "author": "Rod Soto", "type": "Hunting", "status": "production", "description": "In Splunk Enterprise versions below 9.0.4, 8.2.10, and 8.1.13, a low-privileged user can bypass URL validation to perform a path traversal and access restricted and confidential information by targeting other users on the instance, including the admin user. The only affected version of bootstrap which shipped with Splunk was version 2.3.1, so the search is targeted at that version alone.", "data_source": ["splunk_web_access"], "search": "`splunkd_web` method=GET uri_path=\"*bootstrap-2.3.1*\" file=\"*.js\" | table _time clientip uri_path file status | `splunk_persistent_xss_via_url_validation_bypass_w_dashboard_filter`", "how_to_implement": "This search does not require additional data to be ingested. This search requires ability to search _internal index. This search helps discover access to vulnerable bootstrap versions.", "known_false_positives": "This search will produce numerous false positives as it shows ANY accesses to vulnerable bootstrap Javascript files. Accesses to these files occur during normal Splunk usage. To reduce or eliminate false positives, update the a version of Splunk which has addressed the vulnerability.", "references": ["https://advisory.splunk.com/"], "tags": {"name": "Splunk Persistent XSS Via URL Validation Bypass W Dashboard", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 20, "impact": 80, "kill_chain_phases": ["Delivery"], "message": "Attempted access to vulnerable bootstrap file by $clientip$", "mitre_attack_id": ["T1189"], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise"], "required_fields": ["file", "uri", "clientip", "user"], "risk_score": 16, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2019-8331"], "atomic_guid": [], "mitre_attack_enrichments": [{"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_persistent_xss_via_url_validation_bypass_w_dashboard.log", "source": "/opt/splunk/var/log/splunk/web_access.log", "sourcetype": "splunk_web_access"}]}], "datamodel": [], "macros": [{"name": "splunkd_web", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_persistent_xss_via_url_validation_bypass_w_dashboard_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2019-8331", "cvss": 4.3, "summary": "In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_persistent_xss_via_url_validation_bypass_w_dashboard.yml", "source": "application"}, {"name": "Splunk Process Injection Forwarder Bundle Downloads", "id": "8ea57d78-1aac-45d2-a913-0cd603fb6e9e", "version": 1, "date": "2022-05-26", "author": "Lou Stella, Splunk", "type": "Hunting", "status": "production", "description": "On June 14th, 2022, Splunk released a security advisory relating to the authentication that happens between Universal Forwarders and Deployment Servers. In some circumstances, an unauthenticated client can download forwarder bundles from the Deployment Server. This hunting search pulls a full list of forwarder bundle downloads where the peer column is the forwarder, the host column is the Deployment Server, and then you have a list of the apps downloaded and the serverclasses in which the peer is a member of. You should look for apps or clients that you do not recognize as being part of your environment.", "data_source": [], "search": "`splunkd` component=\"PackageDownloadRestHandler\" | stats values(app) values(serverclass) by peer, host | `splunk_process_injection_forwarder_bundle_downloads_filter`", "how_to_implement": "This hunting search uses native logs produced when a deployment server is within your environment. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "None at this time.", "references": ["https://www.splunk.com/en_us/product-security/announcements/svd-2022-0607.html", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"name": "Splunk Process Injection Forwarder Bundle Downloads", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "$peer$ downloaded apps from $host$", "mitre_attack_id": ["T1055"], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["component", "app", "serverclass", "peer", "host"], "risk_score": 35, "security_domain": "threat", "risk_severity": "low", "cve": ["CVE-2022-32157"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/splunk_ds/splunkd.log", "source": "/opt/splunk/var/log/splunk/splunkd.log", "sourcetype": "splunkd", "update_timestamp": false}]}], "datamodel": [], "macros": [{"name": "splunkd", "definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_process_injection_forwarder_bundle_downloads_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-32157", "cvss": 5.0, "summary": "Splunk Enterprise deployment servers in versions before 9.0 allow unauthenticated downloading of forwarder bundles. Remediation requires you to update the deployment server to version 9.0 and Configure authentication for deployment servers and clients (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/ConfigDSDCAuthEnhancements#Configure_authentication_for_deployment_servers_and_clients). Once enabled, deployment servers can manage only Universal Forwarder versions 9.0 and higher. Though the vulnerability does not directly affect Universal Forwarders, remediation requires updating all Universal Forwarders that the deployment server manages to version 9.0 or higher prior to enabling the remediation."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_process_injection_forwarder_bundle_downloads.yml", "source": "application"}, {"name": "Splunk Protocol Impersonation Weak Encryption Configuration", "id": "900892bf-70a9-4787-8c99-546dd98ce461", "version": 1, "date": "2022-05-25", "author": "Lou Stella, Splunk", "type": "Hunting", "status": "production", "description": "On June 14th, 2022, Splunk released a security advisory relating to TLS validation occuring within the httplib and urllib python libraries shipped with Splunk. In addition to upgrading to Splunk Enterprise 9.0 or later, several configuration settings need to be set. This search will check those configurations on the search head it is run from as well as its search peers. In addition to these settings, the PYTHONHTTPSVERIFY setting in $SPLUNK_HOME/etc/splunk-launch.conf needs to be enabled as well. Other components such as additional search heads or anything this rest command cannot be distributed to will need to be manually checked.", "data_source": [], "search": "| rest /services/server/info | table splunk_server version server_roles | join splunk_server [| rest /servicesNS/nobody/search/configs/conf-server/ search=\"PythonSslClientConfig\" | table splunk_server sslVerifyServerCert sslVerifyServerName] | join splunk_server [| rest /servicesNS/nobody/search/configs/conf-web/settings | table splunk_server serverCert sslVersions] | rename sslVerifyServerCert as \"Server.conf:PythonSSLClientConfig:sslVerifyServerCert\", sslVerifyServerName as \"Server.conf:PythonSSLClientConfig:sslVerifyServerName\", serverCert as \"Web.conf:Settings:serverCert\", sslVersions as \"Web.conf:Settings:sslVersions\" | `splunk_protocol_impersonation_weak_encryption_configuration_filter`", "how_to_implement": "The user running this search is required to have a permission allowing them to dispatch REST requests to indexers (The `dispatch_rest_to_indexers` capability). Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "While all of the settings on each device returned by this search may appear to be hardened, you will still need to verify the value of PYTHONHTTPSVERIFY in $SPLUNK_HOME/etc/splunk-launch.conf on each device in order to harden the python configuration.", "references": ["https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation", "https://www.splunk.com/en_us/product-security/announcements/svd-2022-0601.html", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"name": "Splunk Protocol Impersonation Weak Encryption Configuration", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 50, "kill_chain_phases": ["Command And Control"], "message": "$splunk_server$ may not be properly validating TLS Certificates", "mitre_attack_id": ["T1001.003"], "nist": ["DE.AE"], "observable": [{"name": "splunk_server", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["none"], "risk_score": 50, "security_domain": "threat", "risk_severity": "medium", "cve": ["CVE-2022-32151"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1001.003", "mitre_attack_technique": "Protocol Impersonation", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Higaisa", "Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1213/audittrail/audittrail.log", "source": "audittrail", "sourcetype": "audittrail", "update_timestamp": true}]}], "datamodel": ["Web"], "macros": [{"name": "splunk_protocol_impersonation_weak_encryption_configuration_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-32151", "cvss": 6.4, "summary": "The httplib and urllib Python libraries that Splunk shipped with Splunk Enterprise did not validate certificates using the certificate authority (CA) certificate stores by default in Splunk Enterprise versions before 9.0 and Splunk Cloud Platform versions before 8.2.2203. Python 3 client libraries now verify server certificates by default and use the appropriate CA certificate stores for each library. Apps and add-ons that include their own HTTP libraries are not affected. For Splunk Enterprise, update to Splunk Enterprise version 9.0 and Configure TLS host name validation for Splunk-to-Splunk communications (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation) to enable the remediation."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_protocol_impersonation_weak_encryption_configuration.yml", "source": "application"}, {"name": "Splunk protocol impersonation weak encryption selfsigned", "id": "c76c7a2e-df49-414a-bb36-dce2683770de", "version": 1, "date": "2022-05-26", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "production", "description": "On June 14th 2022, Splunk released vulnerability advisory addresing Python TLS validation which was not set before Splunk version 9. This search displays events showing WARNING of using Splunk issued default selfsigned certificates.", "data_source": [], "search": "`splunkd` certificate event_message=\"X509 certificate* should not be used*\" | stats count by host CN component log_level | `splunk_protocol_impersonation_weak_encryption_selfsigned_filter`", "how_to_implement": "Must upgrade to Splunk version 9 and Configure TLS in order to apply this search. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "This searches finds self signed certificates issued by Splunk which are not recommended from Splunk version 9 forward.", "references": ["https://www.splunk.com/en_us/product-security", "https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"name": "Splunk protocol impersonation weak encryption selfsigned", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Weaponization"], "message": "Splunk default issued certificate at $host$", "mitre_attack_id": ["T1588.004"], "nist": ["DE.AE"], "observable": [{"name": "Hostname", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["host", "CN", "event_message"], "risk_score": 40, "security_domain": "threat", "risk_severity": "low", "cve": ["CVE-2022-32152"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1588.004", "mitre_attack_technique": "Digital Certificates", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["BlackTech", "Lazarus Group", "LuminousMoth", "Silent Librarian"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1558.004/splunk_protocol_impersonation_weak_encryption_selfsigned.txt", "source": "/opt/splun/var/log/splunk/splunkd.log", "sourcetype": "splunkd"}]}], "datamodel": [], "macros": [{"name": "splunkd", "definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_protocol_impersonation_weak_encryption_selfsigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-32152", "cvss": 6.5, "summary": "Splunk Enterprise peers in Splunk Enterprise versions before 9.0 and Splunk Cloud Platform versions before 8.2.2203 did not validate the TLS certificates during Splunk-to-Splunk communications by default. Splunk peer communications configured properly with valid certificates were not vulnerable. However, an attacker with administrator credentials could add a peer without a valid certificate and connections from misconfigured nodes without valid certificates did not fail by default. For Splunk Enterprise, update to Splunk Enterprise version 9.0 and Configure TLS host name validation for Splunk-to-Splunk communications (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation) to enable the remediation."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_protocol_impersonation_weak_encryption_selfsigned.yml", "source": "application"}, {"name": "Splunk protocol impersonation weak encryption simplerequest", "id": "839d12a6-b119-4d44-ac4f-13eed95412c8", "version": 1, "date": "2022-05-24", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "production", "description": "On Splunk version 9 on Python3 client libraries verify server certificates by default and use CA certificate store. This search warns a user about a failure to validate a certificate using python3 request.", "data_source": [], "search": "`splunk_python` \"simpleRequest SSL certificate validation is enabled without hostname verification\" | stats count by host path | `splunk_protocol_impersonation_weak_encryption_simplerequest_filter`", "how_to_implement": "Must upgrade to Splunk version 9 and Configure TLS host name validation for Splunk Python modules in order to apply this search. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "This search tries to address validation of server and client certificates within Splunk infrastructure, it might produce results from accidental or unintended requests to port 8089.", "references": ["https://www.splunk.com/en_us/product-security", "https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"name": "Splunk protocol impersonation weak encryption simplerequest", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Weaponization"], "message": "Failed to validate certificate on $host$", "mitre_attack_id": ["T1588.004"], "nist": ["DE.AE"], "observable": [{"name": "Hostname", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["host", "event_message", "path"], "risk_score": 40, "security_domain": "threat", "risk_severity": "low", "cve": ["CVE-2022-32152"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1588.004", "mitre_attack_technique": "Digital Certificates", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["BlackTech", "Lazarus Group", "LuminousMoth", "Silent Librarian"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1558.004/splk_protocol_impersonation_weak_encryption_simplerequest.txt", "source": "/opt/splunk/var/log/splunk/splunkd.log", "sourcetype": "splunk_python"}]}], "datamodel": [], "macros": [{"name": "splunk_python", "definition": "index=_internal sourcetype=splunk_python", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_protocol_impersonation_weak_encryption_simplerequest_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-32152", "cvss": 6.5, "summary": "Splunk Enterprise peers in Splunk Enterprise versions before 9.0 and Splunk Cloud Platform versions before 8.2.2203 did not validate the TLS certificates during Splunk-to-Splunk communications by default. Splunk peer communications configured properly with valid certificates were not vulnerable. However, an attacker with administrator credentials could add a peer without a valid certificate and connections from misconfigured nodes without valid certificates did not fail by default. For Splunk Enterprise, update to Splunk Enterprise version 9.0 and Configure TLS host name validation for Splunk-to-Splunk communications (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation) to enable the remediation."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_protocol_impersonation_weak_encryption_simplerequest.yml", "source": "application"}, {"name": "Splunk RBAC Bypass On Indexing Preview REST Endpoint", "id": "bbe26f95-1655-471d-8abd-3d32fafa86f8", "version": 1, "date": "2023-05-10", "author": "Rod Soto", "type": "Hunting", "status": "production", "description": "An unauthorized user can use the /services/indexing/preview REST endpoint to overwrite search results if they know the search ID (SID) of an existing search job.", "data_source": ["splunkd_access.log"], "search": "`splunkda` method=\"POST\" uri=\"*/services/indexing/preview*\" | table host clientip status useragent user uri_path | `splunk_rbac_bypass_on_indexing_preview_rest_endpoint_filter`", "how_to_implement": "This search does not require additional data ingestion. It requires the ability to search _internal index.", "known_false_positives": "This is a hunting search which provides verbose results against this endpoint. Operator must consider things such as IP address, useragent and user(specially low privelege) and host to investigate possible attack.", "references": ["https://advisory.splunk.com/"], "tags": {"name": "Splunk RBAC Bypass On Indexing Preview REST Endpoint", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Review $clientip$ access to indexing preview endpoint from low privilege user", "mitre_attack_id": ["T1134"], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise"], "required_fields": ["host", "clientip", "status", "useragent", "user", "uri_path"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "atomic_guid": [], "mitre_attack_enrichments": [{"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1134/splunk/splunk_rbac_bypass_on_indexing_preview_rest_endpoint.log", "source": "splunkd_access.log", "sourcetype": "splunkd_access"}]}], "datamodel": [], "macros": [{"name": "splunkda", "definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_rbac_bypass_on_indexing_preview_rest_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_rbac_bypass_on_indexing_preview_rest_endpoint.yml", "source": "application"}, {"name": "Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature", "id": "baa41f09-df48-4375-8991-520beea161be", "version": 1, "date": "2022-10-11", "author": "Rod Soto", "type": "Hunting", "status": "production", "description": "This hunting search provides information on possible exploitation attempts against Splunk Secure Gateway App Mobile Alerts feature in Splunk versions 9.0, 8.2.x, 8.1.x. An authenticated user can run arbitrary operating system commands remotely through the use of specially crafted requests to the mobile alerts feature in the Splunk Secure Gateway app.", "data_source": [], "search": "`splunkda` uri_path=\"/servicesNS/nobody/splunk_secure_gateway/storage/collections/data/mobile_alerts*\" sort=\"notification.created_at:-1\" | table clientip file host method uri_query sort | `splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature_filter`", "how_to_implement": "This search only applies if Splunk Mobile Gateway is deployed in the vulnerable Splunk versions.", "known_false_positives": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. Focus of this search is \"uri_path=/servicesNS/nobody/splunk_secure_gateway/storage/collections/data/mobile_alerts*\" which is the injection point.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"name": "Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "Possible exploitation attempt from $clientip$", "mitre_attack_id": ["T1210"], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["uri_path", "clientip", "file", "host", "method", "sort"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "cve": ["CVE-2022-43567"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1210", "mitre_attack_technique": "Exploitation of Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "Dragonfly", "Earth Lusca", "FIN7", "Fox Kitten", "MuddyWater", "Threat Group-3390", "Tonto Team", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1210/splunk/splunk_rce_via_secure_gateway_splunk_mobile_alerts_feature.txt", "source": "/opt/splunk/var/log/splunk/splunkd_access.log", "sourcetype": "splunkd_access", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "splunkda", "definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-43567", "cvss": null, "summary": "In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run arbitrary operating system commands remotely through the use of specially crafted requests to the mobile alerts feature in the Splunk Secure Gateway app."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature.yml", "source": "application"}, {"name": "Splunk Reflected XSS in the templates lists radio", "id": "d532d105-c63f-4049-a8c4-e249127ca425", "version": 1, "date": "2022-10-11", "author": "Rod Soto, Chase Franklin", "type": "Hunting", "status": "production", "description": "Splunk versions below 8.1.12,8.2.9 and 9.0.2 are vulnerable to reflected cross site scripting (XSS). A View allows for a Reflected Cross Site scripting via JavaScript Object Notation (JSON) in a query parameter when ouput_mode=radio.", "data_source": [], "search": "`splunkd_webx` user=admin status=200 uri=*/lists/entities/x/ui/views* uri_query!=null | stats count earliest(_time) as event_time values(status) as status values(clientip) as clientip by index, sourcetype, _time, host, user, uri | `splunk_reflected_xss_in_the_templates_lists_radio_filter`", "how_to_implement": "This vulnerability only affects instances with Splunk Web enabled. This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.", "known_false_positives": "This search may produce false positives as it is difficult to pinpoint all possible XSS injection characters in a single search string. Special attention is required to \"en-US/list/entities/x/ui/views\" which is the vulnerable injection point.", "references": ["https://research.splunk.com/stories/splunk_vulnerabilities/"], "tags": {"name": "Splunk Reflected XSS in the templates lists radio", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "Potential XSS exploitation against radio template by $user$", "mitre_attack_id": ["T1189"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["host", "clientip", "status", "user", "uri", "uri_query", "uri_path"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2022-43568"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_reflected_xss_in_templates_lists_radio.txt", "source": "/opt/splunk/var/log/splunk/web_access.log", "sourcetype": "splunk_web_access", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "splunkd_webx", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_reflected_xss_in_the_templates_lists_radio_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-43568", "cvss": null, "summary": "In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, a View allows for a Reflected Cross Site Scripting via JavaScript Object Notation (JSON) in a query parameter when output_mode=radio."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_reflected_xss_in_the_templates_lists_radio.yml", "source": "application"}, {"name": "Splunk risky Command Abuse disclosed february 2023", "id": "ee69374a-d27e-4136-adac-956a96ff60fd", "version": 1, "date": "2023-02-14", "author": "Chase Franklin, Rod Soto, Eric McGinnis, Splunk", "type": "Hunting", "status": "production", "description": "In February 2023, Splunk disclosed several vulnerabilities affecting Splunk Enterprise commands deemed risky. The following hunting search includes the following commands and versions. Command 'createrss' (versions 8.1.13, 8.2.10), pivot (8.1.13,8.2.10,9.0.4), display.page.search.patterns.sensitivity(versions below 8.1.13,8.2.10,9.0.4), search_listener, map, collect (8.1.13,8.2.10,9.0.4). For more information please review Splunk Vulnerabilities Disclosure, February 2023. Link can be found in reference.", "data_source": [], "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where Search_Activity.search_type=adhoc Search_Activity.user!=splunk-system-user by Search_Activity.search Search_Activity.info Search_Activity.total_run_time Search_Activity.user Search_Activity.search_type | `drop_dm_object_name(Search_Activity)` | lookup splunk_risky_command splunk_risky_command as search output splunk_risky_command description vulnerable_versions CVE other_metadata | where splunk_risky_command != \"false\" | `splunk_risky_command_abuse_disclosed_february_2023_filter`", "how_to_implement": "Requires implementation of Splunk_Audit.Search_Activity datamodel.", "known_false_positives": "This search encompasses many commands.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"name": "Splunk risky Command Abuse disclosed february 2023", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Use of risky splunk command $splunk_risky_command$ detected by $user$", "mitre_attack_id": ["T1548"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "splunk_risky_command", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["search", "info", "user", "search_type", "count"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "cve": ["CVE-2023-22931", "CVE-2023-22934", "CVE-2023-22935", "CVE-2023-22936", "CVE-2023-22939", "CVE-2023-22940"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "datamodel": ["Splunk_Audit"], "macros": [{"name": "splunk_risky_command_abuse_disclosed_february_2023_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "splunk_risky_command", "description": "A list of Risky Splunk Command that are candidates for abuse", "filename": "splunk_risky_command.csv", "default_match": "false", "match_type": "WILDCARD(splunk_risky_command)", "min_matches": 1, "case_sensitive_match": "false"}], "cve_enrichment": [{"id": "CVE-2023-22931", "cvss": null, "summary": "In Splunk Enterprise versions below 8.1.13 and 8.2.10, the ‘createrss’ external search command overwrites existing Resource Description Format Site Summary (RSS) feeds without verifying permissions. This feature has been deprecated and disabled by default."}, {"id": "CVE-2023-22934", "cvss": null, "summary": "In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘pivot’ search processing language (SPL) command lets a search bypass [SPL safeguards for risky commands](https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards) using a saved search job. The vulnerability requires an authenticated user to craft the saved job and a higher privileged user to initiate a request within their browser. The vulnerability affects instances with Splunk Web enabled."}, {"id": "CVE-2023-22935", "cvss": null, "summary": "In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘display.page.search.patterns.sensitivity’ search parameter lets a search bypass [SPL safeguards for risky commands](https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards). The vulnerability requires a higher privileged user to initiate a request within their browser and only affects instances with Splunk Web enabled."}, {"id": "CVE-2023-22936", "cvss": null, "summary": "In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘search_listener’ parameter in a search allows for a blind server-side request forgery (SSRF) by an authenticated user. The initiator of the request cannot see the response without the presence of an additional vulnerability within the environment."}, {"id": "CVE-2023-22939", "cvss": null, "summary": "In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘map’ search processing language (SPL) command lets a search [bypass SPL safeguards for risky commands](https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards). The vulnerability requires a higher privileged user to initiate a request within their browser and only affects instances with Splunk Web enabled."}, {"id": "CVE-2023-22940", "cvss": null, "summary": "In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, aliases of the ‘collect’ search processing language (SPL) command, including ‘summaryindex’, ‘sumindex’, ‘stash’,’ mcollect’, and ‘meventcollect’, were not designated as safeguarded commands. The commands could potentially allow for the exposing of data to a summary index that unprivileged users could access. The vulnerability requires a higher privileged user to initiate a request within their browser, and only affects instances with Splunk Web enabled."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_risky_command_abuse_disclosed_february_2023.yml", "source": "application"}, {"name": "Splunk Stored XSS via Data Model objectName field", "id": "062bff76-5f9c-496e-a386-cb1adcf69871", "version": 1, "date": "2022-10-11", "author": "Rod Soto", "type": "Hunting", "status": "production", "description": "Splunk Enterprise versions 8.1.12, 8.2.9, 9.0.2 are vulnerable to persistent cross site scripting via Data Model object name. An authenticated user can inject and store arbitrary scripts that can lead to persistent cross-site scripting (XSS) in the object name Data Model.", "data_source": [], "search": "`splunkd_webx` uri=/en-US/splunkd/__raw/servicesNS/*/launcher/datamodel/model* uri_query!=null | stats count by _time host status clientip user uri | `splunk_stored_xss_via_data_model_objectname_field_filter`", "how_to_implement": "This vulnerability only affects Splunk Web enabled instances. This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.", "known_false_positives": "This search may produce false positives and does not cover exploitation attempts via code obfuscation, focus of search is suspicious requests against \"/en-US/splunkd/__raw/servicesNS/*/launcher/datamodel/model\" which is the injection point.", "references": ["https://www.splunk.com/en_us/product-security.html", "https://portswigger.net/web-security/cross-site-scripting/cheat-sheet"], "tags": {"name": "Splunk Stored XSS via Data Model objectName field", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "A potential XSS attempt has been detected from $user$", "mitre_attack_id": ["T1189"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["uri", "uri_query", "host", "status", "clientip", "user", "uri_path"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2022-43569"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_stored_xss_via_data_model_objectname_field.txt", "source": "/opt/splunk/var/log/splunk/web_access.log", "sourcetype": "splunk_web_access", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "splunkd_webx", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_stored_xss_via_data_model_objectname_field_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-43569", "cvss": null, "summary": "In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, an authenticated user can inject and store arbitrary scripts that can lead to persistent cross-site scripting (XSS) in the object name of a Data Model."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_stored_xss_via_data_model_objectname_field.yml", "source": "application"}, {"name": "Splunk unnecessary file extensions allowed by lookup table uploads", "id": "b7d1293f-e78f-415e-b5f6-443df3480082", "version": 1, "date": "2023-02-14", "author": "Rod Soto, Splunk", "type": "TTP", "status": "production", "description": "In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the lookup table uploads let a user upload lookup tables with unnecessary filename extensions. Lookup table file extensions may now only be one of .csv, .csv.gz, .kmz, .kml, .mmdb, or .mmdb.gz. This search provides user activity focus on uploads which aims to help hunt for malicious file uploads.", "data_source": [], "search": "`splunkda` method IN (\"POST\", \"DELETE\") uri_path=/servicesNS/*/ui/views/* | eval activity = case( method==\"POST\" AND like( uri_path , \"%/acl\" ) , \"Permissions Update\", method==\"POST\" AND NOT like( uri_path , \"%/acl\" ) , \"Edited\" , method==\"DELETE\" , \"Deleted\" ) | rex field=uri_path \"(?.*?)\\/ui\\/views/(?.*)\" | eval dashboard = urldecode( dashboard_encoded ) | table _time, uri_path, user, dashboard, activity, uri_path | `splunk_unnecessary_file_extensions_allowed_by_lookup_table_uploads_filter`", "how_to_implement": "Requires access to internal splunkd_access.", "known_false_positives": "This is a hunting search, the search provides information on upload, edit, and delete activity on Lookup Tables. Manual investigation is necessary after executing search. This search will produce false positives as payload cannot be directly discerned.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"name": "Splunk unnecessary file extensions allowed by lookup table uploads", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "Potential lookup template injection attempt from $user$ on lookup table at path $uri_path$", "mitre_attack_id": ["T1189"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "uri_path", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["user", "method", "uri_path"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "cve": ["CVE-2023-22937"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_unnecesary_file_extensions_allowed_by_lookup_table_uploads.log", "source": "/opt/splunk/var/log/splunk/splunkd_access.log", "sourcetype": "splunkd_access"}]}], "datamodel": [], "macros": [{"name": "splunkda", "definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_unnecessary_file_extensions_allowed_by_lookup_table_uploads_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2023-22937", "cvss": null, "summary": "In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the lookup table upload feature let a user upload lookup tables with unnecessary filename extensions. Lookup table file extensions may now be one of the following only: .csv, .csv.gz, .kmz, .kml, .mmdb, or .mmdb.gzl. For more information on lookup table files, see [About lookups](https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutlookupsandfieldactions)."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_unnecessary_file_extensions_allowed_by_lookup_table_uploads.yml", "source": "application", "nes_fields": "user,dest"}, {"name": "Splunk User Enumeration Attempt", "id": "25625cb4-1c4d-4463-b0f9-7cb462699cde", "version": 1, "date": "2022-04-29", "author": "Lou Stella, Splunk", "type": "TTP", "status": "production", "description": "On May 3rd, 2022, Splunk published a security advisory for username enumeration stemming from verbose login failure messages present on some REST endpoints. This detection will alert on attempted exploitation in patched versions of Splunk as well as actual exploitation in unpatched version of Splunk.", "data_source": [], "search": " `splunkd_failed_auths` | stats count(user) as auths by user, src | where auths>5 | stats values(user) as \"Users\", sum(auths) as TotalFailedAuths by src | `splunk_user_enumeration_attempt_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to find password spraying or brute force authorization attempts in addition to someone enumerating usernames.", "known_false_positives": "Automation executing authentication attempts against your Splunk infrastructure with outdated credentials may cause false positives.", "references": ["https://www.splunk.com/en_us/product-security/announcements/svd-2022-0502.html"], "tags": {"name": "Splunk User Enumeration Attempt", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "$TotalFailedAuths$ failed authentication events to Splunk from $src$ detected.", "mitre_attack_id": ["T1078"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["user", "src", "info", "action"], "risk_score": 40, "security_domain": "access", "risk_severity": "low", "cve": ["CVE-2021-33845"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/splunkd_auth/audittrail.log", "source": "audittrail", "sourcetype": "audittrail"}]}], "datamodel": [], "macros": [{"name": "splunkd_failed_auths", "definition": "index=_audit \"action=login attempt\" \"info=failed\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_user_enumeration_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-33845", "cvss": 5.0, "summary": "The Splunk Enterprise REST API allows enumeration of usernames via the lockout error message. The potential vulnerability impacts Splunk Enterprise instances before 8.1.7 when configured to repress verbose login errors."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_user_enumeration_attempt.yml", "source": "application", "nes_fields": "user,dest"}, {"name": "Splunk XSS in Monitoring Console", "id": "b11accac-6fa3-4103-8a1a-7210f1a67087", "version": 1, "date": "2022-04-27", "author": "Lou Stella, Splunk", "type": "TTP", "status": "experimental", "description": "On May 3rd, 2022, Splunk published a security advisory for a reflective Cross-Site Scripting (XSS) vulnerability stemming from the lack of input validation in the Distributed Monitoring Console app. This detection will alert on attempted exploitation in patched versions of Splunk as well as actual exploitation in unpatched version of Splunk.", "data_source": [], "search": " `splunkd_web` method=\"GET\" uri_query=\"description=%3C*\" | table _time host status clientip user uri | `splunk_xss_in_monitoring_console_filter`", "how_to_implement": "This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This detection will find attempted exploitation of CVE-2022-27183.", "known_false_positives": "Use of the monitoring console where the less-than sign (<) is the first character in the description field.", "references": ["https://www.splunk.com/en_us/product-security/announcements/svd-2022-0505.html"], "tags": {"name": "Splunk XSS in Monitoring Console", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "A potential XSS attempt has been detected from $user$", "mitre_attack_id": ["T1189"], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["method", "uri_query", "status", "clientip", "user", "uri"], "risk_score": 40, "security_domain": "threat", "risk_severity": "low", "cve": ["CVE-2022-27183"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/xss/splunk_web_access.log", "source": "/opt/splunk/var/log/splunk/web_access.log", "sourcetype": "splunk_web_access"}]}], "datamodel": [], "macros": [{"name": "splunkd_web", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_xss_in_monitoring_console_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-27183", "cvss": 4.3, "summary": "The Monitoring Console app configured in Distributed mode allows for a Reflected XSS in a query parameter in Splunk Enterprise versions before 8.1.4. The Monitoring Console app is a bundled app included in Splunk Enterprise, not for download on SplunkBase, and not installed on Splunk Cloud Platform instances. Note that the Cloud Monitoring Console is not impacted."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_xss_in_monitoring_console.yml", "source": "application", "nes_fields": "user,dest"}, {"name": "Splunk XSS in Save table dialog header in search page", "id": "a974d1ee-ddca-4837-b6ad-d55a8a239c20", "version": 1, "date": "2022-10-11", "author": "Rod Soto", "type": "Hunting", "status": "production", "description": "This is a hunting search to find persistent cross-site scripting XSS code that was included while inputing data in 'Save Table' dialog in Splunk Enterprise (8.1.12,8.2.9,9.0.2). A remote user with \"power\" Splunk role can store this code that can lead to persistent cross site scripting.", "data_source": [], "search": "`splunkd_webx` method=POST uri=/en-US/splunkd/__raw/servicesNS/nobody/search/datamodel/model | table _time host status clientip user uri | `splunk_xss_in_save_table_dialog_header_in_search_page_filter`", "how_to_implement": "Watch for POST requests combined with XSS script strings or obfuscation against the injection point /en-US/splunkd/__raw/servicesNS/nobody/search/datamodel/model.", "known_false_positives": "If host is vulnerable and XSS script strings are inputted they will show up in search. Not all Post requests are malicious as they will show when users create and save dashboards. This search may produce several results with non malicious POST requests. Only affects Splunk Web enabled instances.", "references": ["https://www.splunk.com/en_us/product-security.html", "https://portswigger.net/web-security/cross-site-scripting"], "tags": {"name": "Splunk XSS in Save table dialog header in search page", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "Possible XSS exploitation attempt from $clientip$", "mitre_attack_id": ["T1189"], "nist": ["DE.AE"], "observable": [{"name": "clientip", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["host", "_time", "status", "clientip", "user", "uri", "method"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2022-43561"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_xss_in_save_table_dialog_in_search_page.txt", "source": "/opt/splunk/var/log/splunk/web_access.log", "sourcetype": "splunk_web_access", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "splunkd_webx", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunk_xss_in_save_table_dialog_header_in_search_page_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-43561", "cvss": null, "summary": "In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, a remote user that holds the “power” Splunk role can store arbitrary scripts that can lead to persistent cross-site scripting (XSS). The vulnerability affects instances with Splunk Web enabled."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_xss_in_save_table_dialog_header_in_search_page.yml", "source": "application"}, {"name": "Splunk XSS via View", "id": "9ac2bfea-a234-4a18-9d37-6d747e85c2e4", "version": 1, "date": "2023-02-07", "author": "Rod Soto, Eric McGinnis, Splunk", "type": "Hunting", "status": "production", "description": "In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a View allows for Cross-Site Scripting in an XML View through the 'layoutPanel' attribute in the 'module' tag. The vulnerability affects instances with Splunk Web enabled. This hunting search shows users action, application and role used for creating views related to this vulnerability.", "data_source": [], "search": "index = _internal sourcetype IN (\"splunk_web_service\", \"splunk_python\") message=\"*loadParams*\" | `security_content_ctime(_time)` | table _time message fileName | `splunk_xss_via_view_filter`", "how_to_implement": "This data is collected by default in Splunk. Upon first enabling this rule, a number of errors may be observed. Those that are due to improperly formatted, but non-nefarious, XML views should be be remedied in the corresponding view. Please take care investigating potential XSS as accessing an affected page could retrigger the exploit.", "known_false_positives": "The error detected above can be generated for a wide variety of improperly formatted XML views. There will be false positives as the search cannot extract the malicious payload and the view should be manually investigated.", "references": ["https://www.splunk.com/en_us/product-security.html"], "tags": {"name": "Splunk XSS via View", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "Potential stored XSS attempt via $fileName$", "mitre_attack_id": ["T1189"], "nist": ["DE.AE"], "observable": [{"name": "fileName", "type": "URL String", "role": ["Target"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["message", "fileName"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2023-22933"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_xss_via_view_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2023-22933", "cvss": null, "summary": "In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a View allows for Cross-Site Scripting (XSS) in an extensible mark-up language (XML) View through the ‘layoutPanel’ attribute in the ‘module’ tag’. The vulnerability affects instances with Splunk Web enabled."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/splunk_xss_via_view.yml", "source": "application"}, {"name": "Suspicious Email Attachment Extensions", "id": "473bd65f-06ca-4dfe-a2b8-ba04ab4a0084", "version": 3, "date": "2023-04-14", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search looks for emails that have attachments with suspicious file extensions.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name=\"*\" by All_Email.src_user, All_Email.file_name All_Email.message_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Email\")` | `suspicious_email_attachments` | `suspicious_email_attachment_extensions_filter` ", "how_to_implement": "You need to ingest data from emails. Specifically, the sender's address and the file names of any attachments must be mapped to the Email data model. \\\n **Splunk Phantom Playbook Integration**\\\nIf Splunk Phantom is also configured in your environment, a Playbook called \"Suspicious Email Attachment Investigate and Delete\" can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, and add the correct hostname to the \"Phantom Instance\" field in the Adaptive Response Actions when configuring this detection search. The notable event will be sent to Phantom and the playbook will gather further information about the file attachment and its network behaviors. If Phantom finds malicious behavior and an analyst approves of the results, the email will be deleted from the user's inbox.", "known_false_positives": "None identified", "references": [], "tags": {"name": "Suspicious Email Attachment Extensions", "analytic_story": ["Data Destruction", "Emotet Malware DHS Report TA18-201A ", "Hermetic Wiper", "Suspicious Emails"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "tbd", "mitre_attack_id": ["T1566.001", "T1566"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Email.file_name", "All_Email.src_user", "All_Email.message_id"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "datamodel": ["Email"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_email_attachments", "definition": "lookup update=true is_suspicious_file_extension_lookup file_name OUTPUT suspicious | search suspicious=true", "description": "This macro limits the output to email attachments that have suspicious extensions"}, {"name": "suspicious_email_attachment_extensions_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/suspicious_email_attachment_extensions.yml", "source": "application"}, {"name": "Suspicious Java Classes", "id": "6ed33786-5e87-4f55-b62c-cb5f1168b831", "version": 1, "date": "2018-12-06", "author": "Jose Hernandez, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search looks for suspicious Java classes that are often used to exploit remote command execution in common Java frameworks, such as Apache Struts.", "data_source": [], "search": "`stream_http` http_method=POST http_content_length>1 | regex form_data=\"(?i)java\\.lang\\.(?:runtime|processbuilder)\" | rename src_ip as src | stats count earliest(_time) as firstTime, latest(_time) as lastTime, values(url) as uri, values(status) as status, values(http_user_agent) as http_user_agent by src, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_java_classes_filter`", "how_to_implement": "In order to properly run this search, Splunk needs to ingest data from your web-traffic appliances that serve or sit in the path of your Struts application servers. This can be accomplished by indexing data from a web proxy, or by using network traffic-analysis tools, such as Splunk Stream or Bro.", "known_false_positives": "There are no known false positives.", "references": [], "tags": {"name": "Suspicious Java Classes", "analytic_story": ["Apache Struts Vulnerability"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "http_method", "http_content_length", "src_ip", "url", "status", "http_user_agent", "src", "dest"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "suspicious_java_classes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/suspicious_java_classes.yml", "source": "application"}, {"name": "Web Servers Executing Suspicious Processes", "id": "ec3b7601-689a-4463-94e0-c9f45638efb9", "version": 1, "date": "2019-04-01", "author": "David Dorsey, Splunk", "type": "TTP", "status": "experimental", "description": "This search looks for suspicious processes on all systems labeled as web servers.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.dest_category=\"web_server\" AND (Processes.process=\"*whoami*\" OR Processes.process=\"*ping*\" OR Processes.process=\"*iptables*\" OR Processes.process=\"*wget*\" OR Processes.process=\"*service*\" OR Processes.process=\"*curl*\") by Processes.process Processes.process_name, Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_servers_executing_suspicious_processes_filter`", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \"process\" field in the Endpoint data model. In addition, web servers will need to be identified in the Assets and Identity Framework of Enterprise Security.", "known_false_positives": "Some of these processes may be used legitimately on web servers during maintenance or other administrative tasks.", "references": [], "tags": {"name": "Web Servers Executing Suspicious Processes", "analytic_story": ["Apache Struts Vulnerability"], "asset_type": "Web Server", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1082"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest_category", "Processes.process", "Processes.process_name", "Processes.dest", "Processes.user"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TeamTNT", "Tropic Trooper", "Turla", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "web_servers_executing_suspicious_processes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/application/web_servers_executing_suspicious_processes.yml", "source": "application", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Abnormally High Number Of Cloud Infrastructure API Calls", "id": "0840ddf1-8c89-46ff-b730-c8d6722478c0", "version": 1, "date": "2020-09-07", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search will detect a spike in the number of API calls made to your cloud infrastructure environment by a user.", "data_source": [], "search": "| tstats count as api_calls values(All_Changes.command) as command from datamodel=Change where All_Changes.user!=unknown All_Changes.status=success by All_Changes.user _time span=1h | `drop_dm_object_name(\"All_Changes\")` | eval HourOfDay=strftime(_time, \"%H\") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, \"%w\") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join user HourOfDay isWeekend [ summary cloud_excessive_api_calls_v1] | where cardinality >=16 | apply cloud_excessive_api_calls_v1 threshold=0.005 | rename \"IsOutlier(api_calls)\" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), \":\"), 0) | where api_calls > expected_upper_threshold | eval distance_from_threshold = api_calls - expected_upper_threshold | table _time, user, command, api_calls, expected_upper_threshold, distance_from_threshold | `abnormally_high_number_of_cloud_infrastructure_api_calls_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Infrastructure API Calls Per User` to create the probability density function.", "known_false_positives": "", "references": [], "tags": {"name": "Abnormally High Number Of Cloud Infrastructure API Calls", "analytic_story": ["Suspicious Cloud User Activities", "Compromised User Account"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "user $user$ has made $api_calls$ api calls, violating the dynamic threshold of $expected_upper_threshold$ with the following command $command$.", "mitre_attack_id": ["T1078.004", "T1078"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.command", "All_Changes.user", "All_Changes.status"], "risk_score": 15, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": ["Change"], "macros": [{"name": "abnormally_high_number_of_cloud_infrastructure_api_calls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml", "source": "cloud"}, {"name": "Abnormally High Number Of Cloud Instances Destroyed", "id": "ef629fc9-1583-4590-b62a-f2247fbf7bbf", "version": 1, "date": "2020-08-21", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search finds for the number successfully destroyed cloud instances for every 4 hour block. This is split up between weekdays and the weekend. It then applies the probability densitiy model previously created and alerts on any outliers.", "data_source": [], "search": "| tstats count as instances_destroyed values(All_Changes.object_id) as object_id from datamodel=Change where All_Changes.action=deleted AND All_Changes.status=success AND All_Changes.object_category=instance by All_Changes.user _time span=1h | `drop_dm_object_name(\"All_Changes\")` | eval HourOfDay=strftime(_time, \"%H\") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, \"%w\") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join HourOfDay isWeekend [summary cloud_excessive_instances_destroyed_v1] | where cardinality >=16 | apply cloud_excessive_instances_destroyed_v1 threshold=0.005 | rename \"IsOutlier(instances_destroyed)\" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), \":\"), 0) | eval distance_from_threshold = instances_destroyed - expected_upper_threshold | table _time, user, instances_destroyed, expected_upper_threshold, distance_from_threshold, object_id | `abnormally_high_number_of_cloud_instances_destroyed_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Instances Destroyed` to create the probability density function.", "known_false_positives": "Many service accounts configured within a cloud infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.", "references": [], "tags": {"name": "Abnormally High Number Of Cloud Instances Destroyed", "analytic_story": ["Suspicious Cloud Instance Activities"], "asset_type": "Cloud Instance", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078.004", "T1078"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.object_id", "All_Changes.action", "All_Changes.status", "All_Changes.object_category", "All_Changes.user"], "risk_score": 25, "security_domain": "Cloud", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "datamodel": ["Change"], "macros": [{"name": "abnormally_high_number_of_cloud_instances_destroyed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml", "source": "cloud"}, {"name": "Abnormally High Number Of Cloud Instances Launched", "id": "f2361e9f-3928-496c-a556-120cd4223a65", "version": 2, "date": "2020-08-21", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search finds for the number successfully created cloud instances for every 4 hour block. This is split up between weekdays and the weekend. It then applies the probability densitiy model previously created and alerts on any outliers.", "data_source": [], "search": "| tstats count as instances_launched values(All_Changes.object_id) as object_id from datamodel=Change where (All_Changes.action=created) AND All_Changes.status=success AND All_Changes.object_category=instance by All_Changes.user _time span=1h | `drop_dm_object_name(\"All_Changes\")` | eval HourOfDay=strftime(_time, \"%H\") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, \"%w\") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join HourOfDay isWeekend [summary cloud_excessive_instances_created_v1] | where cardinality >=16 | apply cloud_excessive_instances_created_v1 threshold=0.005 | rename \"IsOutlier(instances_launched)\" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), \":\"), 0) | eval distance_from_threshold = instances_launched - expected_upper_threshold | table _time, user, instances_launched, expected_upper_threshold, distance_from_threshold, object_id | `abnormally_high_number_of_cloud_instances_launched_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Instances Launched` to create the probability density function.", "known_false_positives": "Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.", "references": [], "tags": {"name": "Abnormally High Number Of Cloud Instances Launched", "analytic_story": ["Cloud Cryptomining", "Suspicious Cloud Instance Activities"], "asset_type": "Cloud Instance", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078.004", "T1078"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.object_id", "All_Changes.action", "All_Changes.status", "All_Changes.object_category", "All_Changes.user"], "risk_score": 25, "security_domain": "Cloud", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "datamodel": ["Change"], "macros": [{"name": "abnormally_high_number_of_cloud_instances_launched_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml", "source": "cloud"}, {"name": "Abnormally High Number Of Cloud Security Group API Calls", "id": "d4dfb7f3-7a37-498a-b5df-f19334e871af", "version": 1, "date": "2020-09-07", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search will detect a spike in the number of API calls made to your cloud infrastructure environment about security groups by a user.", "data_source": [], "search": "| tstats count as security_group_api_calls values(All_Changes.command) as command from datamodel=Change where All_Changes.object_category=firewall AND All_Changes.status=success by All_Changes.user _time span=1h | `drop_dm_object_name(\"All_Changes\")` | eval HourOfDay=strftime(_time, \"%H\") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, \"%w\") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join user HourOfDay isWeekend [ summary cloud_excessive_security_group_api_calls_v1] | where cardinality >=16 | apply cloud_excessive_security_group_api_calls_v1 threshold=0.005 | rename \"IsOutlier(security_group_api_calls)\" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), \":\"), 0) | where security_group_api_calls > expected_upper_threshold | eval distance_from_threshold = security_group_api_calls - expected_upper_threshold | table _time, user, command, security_group_api_calls, expected_upper_threshold, distance_from_threshold | `abnormally_high_number_of_cloud_security_group_api_calls_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Security Group API Calls Per User` to create the probability density function model.", "known_false_positives": "", "references": [], "tags": {"name": "Abnormally High Number Of Cloud Security Group API Calls", "analytic_story": ["Suspicious Cloud User Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "user $user$ has made $api_calls$ api calls related to security groups, violating the dynamic threshold of $expected_upper_threshold$ with the following command $command$.", "mitre_attack_id": ["T1078.004", "T1078"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.command", "All_Changes.object_category", "All_Changes.status", "All_Changes.user"], "risk_score": 15, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": ["Change"], "macros": [{"name": "abnormally_high_number_of_cloud_security_group_api_calls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/abnormally_high_number_of_cloud_security_group_api_calls.yml", "source": "cloud"}, {"name": "Amazon EKS Kubernetes cluster scan detection", "id": "294c4686-63dd-4fe6-93a2-ca807626704a", "version": 1, "date": "2020-04-15", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "experimental", "description": "This search provides information of unauthenticated requests via user agent, and authentication data against Kubernetes cluster in AWS", "data_source": [], "search": "`aws_cloudwatchlogs_eks` \"user.username\"=\"system:anonymous\" userAgent!=\"AWS Security Scanner\" | rename sourceIPs{} as src_ip | stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason) values(source) as cluster_name values(responseStatus.code) values(userAgent) as http_user_agent values(verb) values(requestURI) by src_ip user.username user.groups{} | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` |`amazon_eks_kubernetes_cluster_scan_detection_filter` ", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudWatch EKS Logs inputs.", "known_false_positives": "Not all unauthenticated requests are malicious, but frequency, UA and source IPs will provide context.", "references": [], "tags": {"name": "Amazon EKS Kubernetes cluster scan detection", "analytic_story": ["Kubernetes Scanning Activity"], "asset_type": "Amazon EKS Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1526"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "user.username", "userAgent", "sourceIPs{}", "responseStatus.reason", "source", "responseStatus.code", "verb", "requestURI", "src_ip", "user.groups{}"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "datamodel": [], "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "amazon_eks_kubernetes_cluster_scan_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/amazon_eks_kubernetes_cluster_scan_detection.yml", "source": "cloud"}, {"name": "Amazon EKS Kubernetes Pod scan detection", "id": "dbfca1dd-b8e5-4ba4-be0e-e565e5d62002", "version": 1, "date": "2020-04-15", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "experimental", "description": "This search provides detection information on unauthenticated requests against Kubernetes' Pods API", "data_source": [], "search": "`aws_cloudwatchlogs_eks` \"user.username\"=\"system:anonymous\" verb=list objectRef.resource=pods requestURI=\"/api/v1/pods\" | rename source as cluster_name sourceIPs{} as src_ip | stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason) values(responseStatus.code) values(userAgent) values(verb) values(requestURI) by src_ip cluster_name user.username user.groups{} | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `amazon_eks_kubernetes_pod_scan_detection_filter` ", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on forAWS (version 4.4.0 or later), then configure your AWS CloudWatch EKS Logs.Please also customize the `kubernetes_pods_aws_scan_fingerprint_detection` macro to filter out the false positives.", "known_false_positives": "Not all unauthenticated requests are malicious, but frequency, UA and source IPs and direct request to API provide context.", "references": [], "tags": {"name": "Amazon EKS Kubernetes Pod scan detection", "analytic_story": ["Kubernetes Scanning Activity"], "asset_type": "Amazon EKS Kubernetes cluster Pod", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1526"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "user.username", "verb", "objectRef.resource", "requestURI", "source", "sourceIPs{}", "responseStatus.reason", "responseStatus.code", "userAgent", "src_ip", "user.groups{}"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "datamodel": [], "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "amazon_eks_kubernetes_pod_scan_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/amazon_eks_kubernetes_pod_scan_detection.yml", "source": "cloud"}, {"name": "ASL AWS Concurrent Sessions From Different Ips", "id": "b3424bbe-3204-4469-887b-ec144483a336", "version": 1, "date": "2023-05-23", "author": "Patrick Bareiss, Splunk", "type": "Anomaly", "status": "experimental", "description": "The following analytic identifies an AWS IAM account with concurrent sessions coming from more than one unique IP address within the span of 5 minutes. This behavior could represent a session hijacking attack whereby an adversary has extracted cookies from a victims browser and is using them from a different location to access corporate online resources. When a user navigates the AWS Console after authentication, the API call with the event name `DescribeEventAggregates` is registered in the AWS CloudTrail logs. The Splunk Threat Research team leveraged this event name to identify 2 concurrent sessions. The presence of this event occurring from two different IP addresses is highly unlikely. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments.", "data_source": [], "search": " `amazon_security_lake` api.operation=DescribeEventAggregates src_endpoint.domain!=\"AWS Internal\" | bin span=5m _time | stats values(src_endpoint.ip) as src_endpoint.ip dc(src_endpoint.ip) as distinct_ip_count by _time identity.user.credential_uid identity.user.name | where distinct_ip_count > 1 | `aws_concurrent_sessions_from_different_ips_filter`", "how_to_implement": "You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.", "known_false_positives": "A user with concurrent sessions from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.", "references": ["https://attack.mitre.org/techniques/T1185/", "https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/", "https://github.com/kgretzky/evilginx2"], "tags": {"name": "ASL AWS Concurrent Sessions From Different Ips", "analytic_story": ["Compromised User Account", "AWS Identity and Access Management Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "User $identity.user.name$ has concurrent sessions from more than one unique IP address $src_endpoint.ip$ in the span of 5 minutes.", "mitre_attack_id": ["T1185"], "nist": ["DE.AE"], "observable": [{"name": "identity.user.credential_uid", "type": "User", "role": ["Victim"]}, {"name": "src_endpoint.ip", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "api.operation", "src_endpoint.domain", "src_endpoint.ip", "identity.user.credential_uid", "identity.user.name"], "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1185", "mitre_attack_technique": "Browser Session Hijacking", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": []}]}, "datamodel": [], "macros": [{"name": "amazon_security_lake", "definition": "sourcetype=aws:asl", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_concurrent_sessions_from_different_ips_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml", "source": "cloud"}, {"name": "ASL AWS CreateAccessKey", "id": "ccb3e4af-23d6-407f-9842-a26212816c9e", "version": 1, "date": "2022-05-23", "author": "Patrick Bareiss, Splunk", "type": "Hunting", "status": "experimental", "description": "This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it's important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don't typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.", "data_source": [], "search": "`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null | rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value | eval keyjoin=mvzip(unmapped_key,unmapped_value) | mvexpand keyjoin | rex field=keyjoin \"^(?[^,]+),(?.*)$\" | eval {key} = value | search responseElements.accessKey.userName = * | rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName | eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) | search match=0 | rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName | stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_createaccesskey_filter`", "how_to_implement": "You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user.", "references": ["https://bishopfox.com/blog/privilege-escalation-in-aws", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/"], "tags": {"name": "ASL AWS CreateAccessKey", "analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "User $responseElements.accessKey.userName$ is attempting to create access keys for $responseElements.accessKey.userName$ from this IP $src_endpoint.ip$", "mitre_attack_id": ["T1078"], "nist": ["DE.AE"], "observable": [{"name": "src_endpoint.ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "identity.user.name", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["api.service.name", "api.operation", "identity.user.account_uid", "identity.user.credential_uid", "identity.user.name", "identity.user.type", "identity.user.uid", "identity.user.uuid", "http_request.user_agent", "src_endpoint.ip", "unmapped{}.key", "unmapped{}.value"], "risk_score": 63, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/amazon_security_lake.json", "source": "aws_asl", "sourcetype": "aws:asl", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "amazon_security_lake", "definition": "sourcetype=aws:asl", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_createaccesskey_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/asl_aws_createaccesskey.yml", "source": "cloud"}, {"name": "ASL AWS Defense Evasion Delete Cloudtrail", "id": "1f0b47e5-0134-43eb-851c-e3258638945e", "version": 1, "date": "2023-05-31", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "experimental", "description": "This analytic identifies AWS `DeleteTrail` events within CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the the entire cloudtrail that is logging activities in the environment.", "data_source": [], "search": "`amazon_security_lake` api.operation=DeleteTrail | stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `asl_aws_defense_evasion_delete_cloudtrail_filter`", "how_to_implement": "You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has stopped cloudTrail logging. Please investigate this activity.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"name": "ASL AWS Defense Evasion Delete Cloudtrail", "analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "User $identity.user.name$ has delete a CloudTrail logging for account id $identity.user.account_uid$", "mitre_attack_id": ["T1562.008", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "src_endpoint.ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "identity.user.name", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["api.service.name", "api.operation", "identity.user.account_uid", "identity.user.credential_uid", "identity.user.name", "identity.user.type", "identity.user.uid", "identity.user.uuid", "http_request.user_agent", "src_endpoint.ip"], "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.008", "mitre_attack_technique": "Disable Cloud Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/amazon_security_lake.json", "source": "aws_asl", "sourcetype": "aws:asl"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "amazon_security_lake", "definition": "sourcetype=aws:asl", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_defense_evasion_delete_cloudtrail_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "ASL AWS Defense Evasion Delete CloudWatch Log Group", "id": "0f701b38-a0fb-43fd-a83d-d12265f71f33", "version": 1, "date": "2023-05-31", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "experimental", "description": "This analytic identifies AWS `DeleteLogGroup` events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.", "data_source": [], "search": "`amazon_security_lake` api.operation=DeleteLogGroup | stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`", "how_to_implement": "You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has deleted CloudWatch logging. Please investigate this activity.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"name": "ASL AWS Defense Evasion Delete CloudWatch Log Group", "analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "User $identity.user.name$ has deleted a CloudWatch logging group for account id $identity.user.account_uid$", "mitre_attack_id": ["T1562", "T1562.008"], "nist": ["DE.CM"], "observable": [{"name": "src_endpoint.ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "identity.user.name", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["api.service.name", "api.operation", "identity.user.account_uid", "identity.user.credential_uid", "identity.user.name", "identity.user.type", "identity.user.uid", "identity.user.uuid", "http_request.user_agent", "src_endpoint.ip"], "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1562.008", "mitre_attack_technique": "Disable Cloud Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/amazon_security_lake.json", "source": "aws_asl", "sourcetype": "aws:asl", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "amazon_security_lake", "definition": "sourcetype=aws:asl", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_defense_evasion_delete_cloudwatch_log_group_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "ASL AWS Defense Evasion Impair Security Services", "id": "5029b681-0462-47b7-82e7-f7e3d37f5a2d", "version": 1, "date": "2023-06-01", "author": "Patrick Bareiss, Bhavin Patel, Gowthamaraj Rajendran, Splunk", "type": "Hunting", "status": "experimental", "description": "This analytic looks for several delete specific API calls made to AWS Security Services like CloudWatch, GuardDuty and Web Application Firewalls. These API calls are often leveraged by adversaries to weaken existing security defenses by deleting logging configurations in the CloudWatch alarm, delete a set of detectors from your Guardduty environment or simply delete a bunch of CloudWatch alarms to remain stealthy and avoid detection.", "data_source": [], "search": "`amazon_security_lake` api.operation IN (\"DeleteLogStream\",\"DeleteDetector\",\"DeleteIPSet\",\"DeleteWebACL\",\"DeleteRule\",\"DeleteRuleGroup\",\"DeleteLoggingConfiguration\",\"DeleteAlarms\") | stats count min(_time) as firstTime max(_time) as lastTime by api.operation identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `asl_aws_defense_evasion_impair_security_services_filter`", "how_to_implement": "You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.", "known_false_positives": "While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names.", "references": ["https://docs.aws.amazon.com/cli/latest/reference/guardduty/index.html", "https://docs.aws.amazon.com/cli/latest/reference/waf/index.html", "https://www.elastic.co/guide/en/security/current/prebuilt-rules.html"], "tags": {"name": "ASL AWS Defense Evasion Impair Security Services", "analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "User $identity.user.name$ has made potentially risky api calls $api.operation$ that could impair AWS security services for account id $identity.user.account_uid$", "mitre_attack_id": ["T1562.008", "T1562"], "nist": ["DE.AE"], "observable": [{"name": "src_endpoint.ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "identity.user.name", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["api.service.name", "api.operation", "identity.user.account_uid", "identity.user.credential_uid", "identity.user.name", "identity.user.type", "identity.user.uid", "identity.user.uuid", "http_request.user_agent", "src_endpoint.ip"], "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.008", "mitre_attack_technique": "Disable Cloud Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/aws_delete_security_services/amazon_security_lake.json", "source": "aws_asl", "sourcetype": "aws:asl", "update_timestamp": true}]}], "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "amazon_security_lake", "definition": "sourcetype=aws:asl", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_defense_evasion_impair_security_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml", "source": "cloud"}, {"name": "ASL AWS Excessive Security Scanning", "id": "ff2bfdbc-65b7-4434-8f08-d55761d1d446", "version": 1, "date": "2023-06-01", "author": "Patrick Bareiss, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search looks for AWS CloudTrail events and analyse the amount of eventNames which starts with Describe by a single user. This indicates that this user scans the configuration of your AWS cloud environment.", "data_source": [], "search": "`amazon_security_lake` api.operation=Describe* OR api.operation=List* OR api.operation=Get* | stats dc(api.operation) as dc_api_operations min(_time) as firstTime max(_time) as lastTime values(http_request.user_agent) as http_request.user_agent values(src_endpoint.ip) as src_endpoint.ip values(cloud.region) as cloud.region values(identity.user.account_uid) as identity.user.account_uid by identity.user.name | where dc_api_operations > 50 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`asl_aws_excessive_security_scanning_filter`", "how_to_implement": "You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.", "known_false_positives": "While this search has no known false positives.", "references": ["https://github.com/aquasecurity/cloudsploit"], "tags": {"name": "ASL AWS Excessive Security Scanning", "analytic_story": ["AWS User Monitoring"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "confidence": 60, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "user $identity.user.name$ has excessive number of api calls.", "mitre_attack_id": ["T1526"], "nist": ["DE.AE"], "observable": [{"name": "src_endpoint.ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "identity.user.name", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["api.operation", "identity.user.account_uid", "identity.user.name", "http_request.user_agent", "src_endpoint.ip"], "risk_score": 18, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "amazon_security_lake", "definition": "sourcetype=aws:asl", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_excessive_security_scanning_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/asl_aws_excessive_security_scanning.yml", "source": "cloud"}, {"name": "ASL AWS IAM Delete Policy", "id": "609ced68-d420-4ff7-8164-ae98b4b4018c", "version": 1, "date": "2023-06-02", "author": "Patrick Bareiss, Splunk", "type": "Hunting", "status": "experimental", "description": "The following detection identifes when a policy is deleted on AWS. This does not identify whether successful or failed, but the error messages tell a story of suspicious attempts. There is a specific process to follow when deleting a policy. First, detach the policy from all users, groups, and roles that the policy is attached to, using DetachUserPolicy , DetachGroupPolicy , or DetachRolePolicy.", "data_source": [], "search": "`amazon_security_lake` api.operation=DeletePolicy | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_delete_policy_filter`", "how_to_implement": "You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.", "known_false_positives": "This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete policies (least privilege). In addition, this may be saved seperately and tuned for failed or success attempts only.", "references": ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicy.html", "https://docs.aws.amazon.com/cli/latest/reference/iam/delete-policy.html"], "tags": {"name": "ASL AWS IAM Delete Policy", "analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Installation"], "message": "User $user_arn$ has deleted AWS Policies from IP address $src$ by executing the following command $eventName$", "mitre_attack_id": ["T1098"], "nist": ["DE.AE"], "observable": [{"name": "src_endpoint.ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "identity.user.name", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["api.service.name", "api.operation", "identity.user.account_uid", "identity.user.credential_uid", "identity.user.name", "identity.user.type", "identity.user.uid", "identity.user.uuid", "http_request.user_agent", "src_endpoint.ip"], "risk_score": 10, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_delete_policy/amazon_security_lake.json", "source": "aws_asl", "sourcetype": "aws:asl", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "amazon_security_lake", "definition": "sourcetype=aws:asl", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_iam_delete_policy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/asl_aws_iam_delete_policy.yml", "source": "cloud"}, {"name": "ASL AWS Multi-Factor Authentication Disabled", "id": "4d2df5e0-1092-4817-88a8-79c7fa054668", "version": 1, "date": "2023-06-02", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "experimental", "description": "The following analytic identifies an attempt to disable multi-factor authentication for an AWS IAM user. An adversary who has obtained access to an AWS tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users.", "data_source": [], "search": "`amazon_security_lake` (api.operation=DeleteVirtualMFADevice OR api.operation=DeactivateMFADevice) | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_multi_factor_authentication_disabled_filter`", "how_to_implement": "You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.", "known_false_positives": "AWS Administrators may disable MFA but it is highly unlikely for this event to occur without prior notice to the company", "references": ["https://attack.mitre.org/techniques/T1621/", "https://aws.amazon.com/what-is/mfa/"], "tags": {"name": "ASL AWS Multi-Factor Authentication Disabled", "analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Weaponization", "Exploitation", "Installation"], "message": "User $user_name$ has disabled Multi-Factor authentication for AWS account $aws_account_id$", "mitre_attack_id": ["T1586", "T1586.003", "T1621", "T1556", "T1556.006"], "nist": ["DE.CM"], "observable": [{"name": "identity.user.account_uid", "type": "Other", "role": ["Victim"]}, {"name": "identity.user.name", "type": "User", "role": ["Victim"]}, {"name": "src_endpoint.ip", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["api.service.name", "api.operation", "identity.user.account_uid", "identity.user.credential_uid", "identity.user.name", "identity.user.type", "identity.user.uid", "identity.user.uuid", "http_request.user_agent", "src_endpoint.ip"], "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/aws_mfa_disabled/amazon_security_lake.json", "source": "aws_asl", "sourcetype": "aws:asl", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "amazon_security_lake", "definition": "sourcetype=aws:asl", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_multi_factor_authentication_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "ASL AWS New MFA Method Registered For User", "id": "33ae0931-2a03-456b-b1d7-b016c5557fbd", "version": 1, "date": "2023-05-22", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the registration of a new Multi Factor authentication method for an AWS account logged through Amazon Secruity Lake (ASL). Adversaries who have obtained unauthorized access to an AWS account may register a new MFA method to maintain persistence.", "data_source": [], "search": " `amazon_security_lake` api.operation=CreateVirtualMFADevice | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_new_mfa_method_registered_for_user_filter`", "how_to_implement": "You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.", "known_false_positives": "Newly onboarded users who are registering an MFA method for the first time will also trigger this detection.", "references": ["https://aws.amazon.com/blogs/security/you-can-now-assign-multiple-mfa-devices-in-iam/", "https://attack.mitre.org/techniques/T1556/", "https://attack.mitre.org/techniques/T1556/006/", "https://twitter.com/jhencinski/status/1618660062352007174"], "tags": {"name": "ASL AWS New MFA Method Registered For User", "analytic_story": ["Compromised User Account", "Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "message": "A new virtual device is added to user $identity.user.name$", "mitre_attack_id": ["T1556", "T1556.006"], "nist": ["DE.CM"], "observable": [{"name": "identity.user.name", "type": "User", "role": ["Victim"]}, {"name": "src_endpoint.ip", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["api.service.name", "api.operation", "identity.user.account_uid", "identity.user.credential_uid", "identity.user.name", "identity.user.type", "identity.user.uid", "identity.user.uuid", "http_request.user_agent", "src_endpoint.ip"], "risk_score": 64, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/amazon_security_lake.json", "source": "aws_asl", "sourcetype": "aws:asl", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "amazon_security_lake", "definition": "sourcetype=aws:asl", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_new_mfa_method_registered_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "ASL AWS Password Policy Changes", "id": "5ade5937-11a2-4363-ba6b-39a3ee8d5b1a", "version": 1, "date": "2023-05-22", "author": "Patrick Bareiss, Splunk", "type": "Hunting", "status": "production", "description": "This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.", "data_source": [], "search": "`amazon_security_lake` \"api.service.name\"=\"iam.amazonaws.com\" \"api.operation\" IN (\"UpdateAccountPasswordPolicy\",\"GetAccountPasswordPolicy\",\"DeleteAccountPasswordPolicy\") \"api.response.error\"=null | stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_password_policy_changes_filter`", "how_to_implement": "You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately triggered an AWS audit tool activity which may trigger this event.", "references": ["https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/password-policy.html"], "tags": {"name": "ASL AWS Password Policy Changes", "analytic_story": ["AWS IAM Privilege Escalation", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "User $identity.user.name$ is attempting to $api.operation$ the password policy for accounts", "mitre_attack_id": ["T1201"], "nist": ["DE.AE"], "observable": [{"name": "src_endpoint.ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "identity.user.name", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["api.service.name", "api.operation", "identity.user.account_uid", "identity.user.credential_uid", "identity.user.name", "identity.user.type", "identity.user.uid", "identity.user.uuid", "http_request.user_agent", "src_endpoint.ip"], "risk_score": 72, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/aws_password_policy/amazon_security_lake.json", "source": "aws_asl", "sourcetype": "aws:asl", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "amazon_security_lake", "definition": "sourcetype=aws:asl", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "asl_aws_password_policy_changes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/asl_aws_password_policy_changes.yml", "source": "cloud"}, {"name": "AWS AMI Atttribute Modification for Exfiltration", "id": "f2132d74-cf81-4c5e-8799-ab069e67dc9f", "version": 2, "date": "2023-03-31", "author": "BHavin Patel, Splunk", "type": "TTP", "status": "production", "description": "This search looks for suspicious AWS AMI attribute modifications, such as sharing it with another AWS account or making the full AMI image public. Adversaries are known to abuse these APIs to exfiltrate sensitive organization information stored in the AWS Resources, there by its very important to monitor these seemingly benign API activity in Cloudtrail logs.", "data_source": [], "search": "`cloudtrail` eventName=ModifyImageAttribute (requestParameters.launchPermission.add.items{}.userId = * OR requestParameters.launchPermission.add.items{}.group = all) | rename requestParameters.launchPermission.add.items{}.group as group_added | rename requestParameters.launchPermission.add.items{}.userId as accounts_added | eval ami_status=if(match(group_added,\"all\") ,\"Public AMI\", \"Not Public\") | stats count min(_time) as firstTime max(_time) as lastTime values(group_added) values(accounts_added) as accounts_added values(ami_status) by src_ip region eventName userAgent user_arn aws_account_id userIdentity.principalId | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_ami_atttribute_modification_for_exfiltration_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "It is possible that an AWS admin has legitimately shared a snapshot with others for a specific purpose.", "references": ["https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/", "https://hackingthe.cloud/aws/enumeration/loot_public_ebs_snapshots/"], "tags": {"name": "AWS AMI Atttribute Modification for Exfiltration", "analytic_story": ["Suspicious Cloud Instance Activities", "Data Exfiltration"], "asset_type": "EC2 Snapshot", "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "kill_chain_phases": ["Actions on Objectives"], "message": "AWS AMI from account $aws_account_id$ is shared externally with $accounts_added$ from $src_ip$ or AMI made is made Public.", "mitre_attack_id": ["T1537"], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Attacker"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "user_arn", "src_ip", "requestParameters.attributeType", "aws_account_id", "vendor_region", "user_agent", "userIdentity.principalId"], "risk_score": 80, "security_domain": "threat", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_ami_shared_public/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_ami_atttribute_modification_for_exfiltration_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_ami_atttribute_modification_for_exfiltration.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Concurrent Sessions From Different Ips", "id": "51c04fdb-2746-465a-b86e-b413a09c9085", "version": 1, "date": "2023-02-01", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies an AWS IAM account with concurrent sessions coming from more than one unique IP address within the span of 5 minutes. This behavior could represent a session hijacking attack whereby an adversary has extracted cookies from a victims browser and is using them from a different location to access corporate online resources. When a user navigates the AWS Console after authentication, the API call with the event name `DescribeEventAggregates` is registered in the AWS CloudTrail logs. The Splunk Threat Research team leveraged this event name to identify 2 concurrent sessions. The presence of this event occurring from two different IP addresses is highly unlikely. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments.", "data_source": [], "search": " `cloudtrail` eventName = DescribeEventAggregates src_ip!=\"AWS Internal\" | bin span=5m _time | stats values(userAgent) values(eventName) values(src_ip) as src_ip dc(src_ip) as distinct_ip_count by _time user_arn | where distinct_ip_count > 1 | `aws_concurrent_sessions_from_different_ips_filter`", "how_to_implement": "You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "A user with concurrent sessions from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.", "references": ["https://attack.mitre.org/techniques/T1185/", "https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/", "https://github.com/kgretzky/evilginx2"], "tags": {"name": "AWS Concurrent Sessions From Different Ips", "analytic_story": ["Compromised User Account", "AWS Identity and Access Management Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "User $user_arn$ has concurrent sessions from more than one unique IP address $src_ip$ in the span of 5 minutes.", "mitre_attack_id": ["T1185"], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "userAgent", "errorCode", "user_arn", "aws_account_id", "src_ip"], "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1185", "mitre_attack_technique": "Browser Session Hijacking", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/aws_concurrent_sessions_from_different_ips/cloudtrail.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_concurrent_sessions_from_different_ips_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_concurrent_sessions_from_different_ips.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Console Login Failed During MFA Challenge", "id": "55349868-5583-466f-98ab-d3beb321961e", "version": 1, "date": "2022-10-03", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies an authentication attempt event against an AWS Console that fails during the Multi Factor Authentication challenge. AWS Cloudtrail logs provide a a very useful field called `additionalEventData` that logs information regarding usage of MFA. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled.", "data_source": [], "search": "`cloudtrail` eventName= ConsoleLogin errorMessage=\"Failed authentication\" additionalEventData.MFAUsed = \"Yes\" | stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource aws_account_id errorCode errorMessage userAgent eventID awsRegion user_name userIdentity.arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `aws_console_login_failed_during_mfa_challenge_filter`", "how_to_implement": "The Splunk AWS Add-on is required to utilize this data. The search requires AWS Cloudtrail logs.", "known_false_positives": "Legitimate users may miss to reply the MFA challenge within the time window or deny it by mistake.", "references": ["https://attack.mitre.org/techniques/T1621/", "https://aws.amazon.com/what-is/mfa/"], "tags": {"name": "AWS Console Login Failed During MFA Challenge", "analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Weaponization", "Exploitation"], "message": "User $user_name$ failed to pass MFA challenge while logging into console from $src$", "mitre_attack_id": ["T1586", "T1586.003", "T1621"], "nist": ["DE.CM"], "observable": [{"name": "user_name", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["src", "eventName", "eventSource", "aws_account_id", "errorCode", "errorMessage", "userAgent", "eventID", "awsRegion", "user_name", "userIdentity.arn"], "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/aws_failed_mfa/cloudtrail.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_console_login_failed_during_mfa_challenge_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_console_login_failed_during_mfa_challenge.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Create Policy Version to allow all resources", "id": "2a9b80d3-6340-4345-b5ad-212bf3d0dac4", "version": 3, "date": "2022-05-17", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account.", "data_source": [], "search": "`cloudtrail` eventName=CreatePolicyVersion eventSource = iam.amazonaws.com errorCode = success | spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} | mvexpand key_policy_statements | spath input=key_policy_statements output=key_policy_action_1 path=Action | where key_policy_action_1 = \"*\" | stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`aws_create_policy_version_to_allow_all_resources_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately created a policy to allow a user to access all resources. That said, AWS strongly advises against granting full control to all AWS resources and you must verify this activity.", "references": ["https://bishopfox.com/blog/privilege-escalation-in-aws", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/"], "tags": {"name": "AWS Create Policy Version to allow all resources", "analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "User $user$ created a policy version that allows them to access any resource in their account.", "mitre_attack_id": ["T1078.004", "T1078"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "userAgent", "errorCode", "eventSource", "requestParameters.userName", "requestParameters.policyDocument", "aws_account_id", "awsRegion", "eventID"], "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_create_policy_version/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_create_policy_version_to_allow_all_resources_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_create_policy_version_to_allow_all_resources.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS CreateAccessKey", "id": "2a9b80d3-6340-4345-11ad-212bf3d0d111", "version": 3, "date": "2022-03-03", "author": "Bhavin Patel, Splunk", "type": "Hunting", "status": "production", "description": "This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it's important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don't typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.", "data_source": [], "search": "`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success | eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) | search match=0 | stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`aws_createaccesskey_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user.", "references": ["https://bishopfox.com/blog/privilege-escalation-in-aws", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/"], "tags": {"name": "AWS CreateAccessKey", "analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "message": "User $user_arn$ is attempting to create access keys for $requestParameters.userName$ from this IP $src$", "mitre_attack_id": ["T1136.003", "T1136"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "userAgent", "errorCode", "requestParameters.userName"], "risk_score": 63, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_createaccesskey/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_createaccesskey_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_createaccesskey.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS CreateLoginProfile", "id": "2a9b80d3-6340-4345-11ad-212bf444d111", "version": 2, "date": "2021-07-19", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip", "data_source": [], "search": "`cloudtrail` eventName = CreateLoginProfile | rename requestParameters.userName as new_login_profile | table src_ip eventName new_login_profile userIdentity.userName | join new_login_profile src_ip [| search `cloudtrail` eventName = ConsoleLogin | rename userIdentity.userName as new_login_profile | stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`] | `aws_createloginprofile_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately created a login profile for another user.", "references": ["https://bishopfox.com/blog/privilege-escalation-in-aws", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/"], "tags": {"name": "AWS CreateLoginProfile", "analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Installation"], "message": "User $user_arn$ is attempting to create a login profile for $requestParameters.userName$ and did a console login from this IP $src_ip$", "mitre_attack_id": ["T1136.003", "T1136"], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "userAgent", "errorCode", "requestParameters.userName"], "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_createloginprofile/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_createloginprofile_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_createloginprofile.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Credential Access Failed Login", "id": "a19b354d-0d7f-47f3-8ea6-1a7c36434968", "version": 1, "date": "2022-08-07", "author": "Gowthamaraj Rajendran, Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "It shows that there have been an unsuccessful attempt to log in using the user identity to the AWS management console. Since the user identity has access to AWS account services and resources, an attacker might try to brute force the password for that identity.", "data_source": [], "search": "| tstats count earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Authentication where Authentication.action = failure Authentication.app=AwsConsoleSignIn Authentication.signature=ConsoleLogin BY Authentication.app Authentication.signature Authentication.dest Authentication.user Authentication.action Authentication.user_id Authentication.src | `drop_dm_object_name(Authentication)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_credential_access_failed_login_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "Users may genuinely mistype or forget the password.", "references": ["https://attack.mitre.org/techniques/T1110/001/"], "tags": {"name": "AWS Credential Access Failed Login", "analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Weaponization", "Exploitation"], "message": "User $user$ has a login failure from IP $src$", "mitre_attack_id": ["T1586", "T1586.003", "T1110", "T1110.001"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "app", "eventSource", "action", "signature", "dest", "user", "user_id"], "risk_score": 49, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/aws_login_failure/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": ["Authentication"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_credential_access_failed_login_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_credential_access_failed_login.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "AWS Credential Access GetPasswordData", "id": "4d347c4a-306e-41db-8d10-b46baf71b3e2", "version": 1, "date": "2022-08-10", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "production", "description": "This detection analytic identifies more than 10 GetPasswordData API calls made to your AWS account with a time window of 5 minutes. Attackers can retrieve the encrypted administrator password for a running Windows instance.", "data_source": [], "search": "`cloudtrail` eventName=GetPasswordData eventSource = ec2.amazonaws.com | bin _time span=5m | stats count values(errorCode) as errorCode dc(requestParameters.instanceId) as distinct_instance_ids values(requestParameters.instanceId) as instance_ids by aws_account_id src_ip user_arn userAgent eventName _time | where distinct_instance_ids > 10 | `aws_credential_access_getpassworddata_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. We encourage the users to adjust the values of `distinct_instance_ids` and tweak the `span` value according to their environment.", "known_false_positives": "Administrator tooling or automated scripts may make these calls but it is highly unlikely to make several calls in a short period of time.", "references": ["https://attack.mitre.org/techniques/T1552/", "https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-get-password-data/"], "tags": {"name": "AWS Credential Access GetPasswordData", "analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Weaponization", "Exploitation"], "message": "User $user_arn$ is seen to make mulitple `GetPasswordData` API calls to instance ids $instance_ids$ from IP $src_ip$", "mitre_attack_id": ["T1586", "T1586.003", "T1110", "T1110.001"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "eventSource", "userIdentity.userName", "userAgent", "userIdentity.accountId", "sourceIPAddress", "awsRegion"], "risk_score": 49, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552/aws_getpassworddata/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_credential_access_getpassworddata_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_credential_access_getpassworddata.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Credential Access RDS Password reset", "id": "6153c5ea-ed30-4878-81e6-21ecdb198189", "version": 1, "date": "2022-08-07", "author": "Gowthamaraj Rajendran, Splunk", "type": "TTP", "status": "production", "description": "The master user password for Amazon RDS DB instance can be reset using the Amazon RDS console. Using this technique, the attacker can get access to the sensitive data from the DB. Usually, the production databases may have sensitive data like Credit card information, PII, Health care Data. This event should be investigated further.", "data_source": [], "search": "`cloudtrail` eventSource=\"rds.amazonaws.com\" eventName=ModifyDBInstance \"requestParameters.masterUserPassword\"=* | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.dBInstanceIdentifier) as DB by sourceIPAddress awsRegion eventName userAgent| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_credential_access_rds_password_reset_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "Users may genuinely reset the RDS password.", "references": ["https://aws.amazon.com/premiumsupport/knowledge-center/reset-master-user-password-rds"], "tags": {"name": "AWS Credential Access RDS Password reset", "analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Weaponization", "Exploitation"], "message": "$DB$ password has been reset from IP $sourceIPAddress$", "mitre_attack_id": ["T1586", "T1586.003", "T1110"], "nist": ["DE.CM"], "observable": [{"name": "sourceIPAddress", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "eventSource", "requestParameters.dBInstanceIdentifier", "userAgent", "sourceIPAddress", "awsRegion"], "risk_score": 49, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.002/aws_rds_password_reset/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_credential_access_rds_password_reset_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_credential_access_rds_password_reset.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Cross Account Activity From Previously Unseen Account", "id": "21193641-cb96-4a2c-a707-d9b9a7f7792b", "version": 1, "date": "2020-05-28", "author": "Rico Valdez, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search looks for AssumeRole events where an IAM role in a different account is requested for the first time.", "data_source": [], "search": "| tstats min(_time) as firstTime max(_time) as lastTime from datamodel=Authentication where Authentication.signature=AssumeRole by Authentication.vendor_account Authentication.user Authentication.src Authentication.user_role | `drop_dm_object_name(Authentication)` | rex field=user_role \"arn:aws:sts:*:(?.*):\" | where vendor_account != dest_account | rename vendor_account as requestingAccountId dest_account as requestedAccountId | lookup previously_seen_aws_cross_account_activity requestingAccountId, requestedAccountId, OUTPUTNEW firstTime | eval status = if(firstTime > relative_time(now(), \"-24h@h\"),\"New Cross Account Activity\",\"Previously Seen\") | where status = \"New Cross Account Activity\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `aws_cross_account_activity_from_previously_unseen_account_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen AWS Cross Account Activity - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen AWS Cross Account Activity - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `aws_cross_account_activity_from_previously_unseen_account_filter` macro.", "known_false_positives": "Using multiple AWS accounts and roles is perfectly valid behavior. It's suspicious when an account requests privileges of an account it hasn't before. You should validate with the account owner that this is a legitimate request.", "references": [], "tags": {"name": "AWS Cross Account Activity From Previously Unseen Account", "analytic_story": ["Suspicious Cloud Authentication Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "confidence": 50, "impact": 30, "kill_chain_phases": [], "message": "AWS account $requestingAccountId$ is trying to access resource from some other account $requestedAccountId$, for the first time.", "nist": ["DE.AE"], "observable": [{"name": "requestingAccountId", "type": "Other", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Authentication.signature", "Authentication.vendor_account", "Authentication.user", "Authentication.user_role", "Authentication.src"], "risk_score": 15, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": ["Authentication"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_cross_account_activity_from_previously_unseen_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_aws_cross_account_activity", "description": "A placeholder for a list of AWS accounts and assumed roles", "collection": "previously_seen_aws_cross_account_activity", "fields_list": "_key,firstTime,lastTime,requestingAccountId,requestedAccountId"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_cross_account_activity_from_previously_unseen_account.yml", "source": "cloud"}, {"name": "AWS Defense Evasion Delete Cloudtrail", "id": "82092925-9ca1-4e06-98b8-85a2d3889552", "version": 1, "date": "2022-07-13", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies AWS `DeleteTrail` events within CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the the entire cloudtrail that is logging activities in the environment.", "data_source": [], "search": "`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `aws_defense_evasion_delete_cloudtrail_filter`", "how_to_implement": "You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has stopped cloudTrail logging. Please investigate this activity.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"name": "AWS Defense Evasion Delete Cloudtrail", "analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "User $user_arn$ has delete a CloudTrail logging for account id $aws_account_id$ from IP $src$", "mitre_attack_id": ["T1562.008", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "eventSource", "requestParameters.name", "userAgent", "aws_account_id", "src", "region"], "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.008", "mitre_attack_technique": "Disable Cloud Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_defense_evasion_delete_cloudtrail_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_defense_evasion_delete_cloudtrail.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Defense Evasion Delete CloudWatch Log Group", "id": "d308b0f1-edb7-4a62-a614-af321160710f", "version": 1, "date": "2022-07-17", "author": "Gowthamaraj Rajendran, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies AWS `DeleteLogGroup` events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.", "data_source": [], "search": "`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `aws_defense_evasion_delete_cloudwatch_log_group_filter`", "how_to_implement": "You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has deleted CloudWatch logging. Please investigate this activity.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"name": "AWS Defense Evasion Delete CloudWatch Log Group", "analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "User $user_arn$ has deleted a CloudWatch logging group for account id $aws_account_id$ from IP $src$", "mitre_attack_id": ["T1562", "T1562.008"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "eventSource", "requestParameters.name", "userAgent", "aws_account_id", "src", "region"], "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1562.008", "mitre_attack_technique": "Disable Cloud Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_defense_evasion_delete_cloudwatch_log_group_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Defense Evasion Impair Security Services", "id": "b28c4957-96a6-47e0-a965-6c767aac1458", "version": 1, "date": "2022-07-26", "author": "Bhavin Patel, Gowthamaraj Rajendran, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for several delete specific API calls made to AWS Security Services like CloudWatch, GuardDuty and Web Application Firewalls. These API calls are often leveraged by adversaries to weaken existing security defenses by deleting logging configurations in the CloudWatch alarm, delete a set of detectors from your Guardduty environment or simply delete a bunch of CloudWatch alarms to remain stealthy and avoid detection.", "data_source": [], "search": "`cloudtrail` eventName IN (\"DeleteLogStream\",\"DeleteDetector\",\"DeleteIPSet\",\"DeleteWebACL\",\"DeleteRule\",\"DeleteRuleGroup\",\"DeleteLoggingConfiguration\",\"DeleteAlarms\") | stats count min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName values(eventSource) as eventSource values(requestParameters.*) as * by src region user_arn aws_account_id user_type user_agent errorCode| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `aws_defense_evasion_impair_security_services_filter`", "how_to_implement": "You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment.", "known_false_positives": "While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names.", "references": ["https://docs.aws.amazon.com/cli/latest/reference/guardduty/index.html", "https://docs.aws.amazon.com/cli/latest/reference/waf/index.html", "https://www.elastic.co/guide/en/security/current/prebuilt-rules.html"], "tags": {"name": "AWS Defense Evasion Impair Security Services", "analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "User $user_arn$ has made potentially risky api calls $eventName$ that could impair AWS security services for account id $aws_account_id$", "mitre_attack_id": ["T1562.008", "T1562"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "eventSource", "user_agent", "user_type", "aws_account_id", "src", "region", "errorCode"], "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.008", "mitre_attack_technique": "Disable Cloud Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/aws_delete_security_services/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_defense_evasion_impair_security_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_defense_evasion_impair_security_services.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Defense Evasion PutBucketLifecycle", "id": "ce1c0e2b-9303-4903-818b-0d9002fc6ea4", "version": 1, "date": "2022-07-25", "author": "Bhavin Patel", "type": "Hunting", "status": "production", "description": "This analytic identifies `PutBucketLifecycle` events in CloudTrail logs where a user has created a new lifecycle rule for an S3 bucket with a short expiration period. Attackers may use this API call to impair the CloudTrail logging by removing logs from the S3 bucket by changing the object expiration day to 1 day, in which case the CloudTrail logs will be deleted.", "data_source": [], "search": "`cloudtrail` eventName=PutBucketLifecycle user_type=IAMUser errorCode=success | spath path=requestParameters{}.LifecycleConfiguration{}.Rule{}.Expiration{}.Days output=expiration_days | spath path=requestParameters{}.bucketName output=bucket_name | stats count min(_time) as firstTime max(_time) as lastTime by src region eventName userAgent user_arn aws_account_id expiration_days bucket_name user_type| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where expiration_days < 3 | `aws_defense_evasion_putbucketlifecycle_filter`", "how_to_implement": "You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. We recommend our users to set the expiration days value according to your company's log retention policies.", "known_false_positives": "While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names.", "references": ["https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/"], "tags": {"name": "AWS Defense Evasion PutBucketLifecycle", "analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 40, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "User $user_arn$ has created a new rule to on an S3 bucket $bucket_name$ with short expiration days", "mitre_attack_id": ["T1562.008", "T1562"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "eventSource", "requestParameters.name", "userAgent", "aws_account_id", "src", "region", "requestParameters{}.LifecycleConfiguration{}.Rule{}.Expiration{}.Days", "requestParameters{}.bucketName"], "risk_score": 20, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.008", "mitre_attack_technique": "Disable Cloud Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/put_bucketlifecycle/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_defense_evasion_putbucketlifecycle_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_defense_evasion_putbucketlifecycle.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Defense Evasion Stop Logging Cloudtrail", "id": "8a2f3ca2-4eb5-4389-a549-14063882e537", "version": 1, "date": "2022-07-12", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies `StopLogging` events in CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their macliious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may easily stop logging.", "data_source": [], "search": "`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_defense_evasion_stop_logging_cloudtrail_filter`", "how_to_implement": "You must install Splunk AWS Add on and enable Cloudtrail logs in your AWS Environment.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has stopped cloudtrail logging. Please investigate this activity.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"name": "AWS Defense Evasion Stop Logging Cloudtrail", "analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "User $user_arn$ has stopped Cloudtrail logging for account id $aws_account_id$ from IP $src$", "mitre_attack_id": ["T1562.008", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "eventSource", "requestParameters.name", "userAgent", "aws_account_id", "src", "region"], "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.008", "mitre_attack_technique": "Disable Cloud Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_defense_evasion_stop_logging_cloudtrail_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Defense Evasion Update Cloudtrail", "id": "7c921d28-ef48-4f1b-85b3-0af8af7697db", "version": 1, "date": "2022-07-17", "author": "Gowthamaraj Rajendran, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies `UpdateTrail` events in CloudTrail logs. Attackers may evade the logging capability by updating the settings and impairing them with wrong parameters. For example, Attackers may change the multi-regional log into a single region logs, which evades the logging for other regions. When the adversary has the right type of permissions in the compromised AWS environment, they may update the CloudTrail settings that is logging activities in your environment.", "data_source": [], "search": "`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `aws_defense_evasion_update_cloudtrail_filter`", "how_to_implement": "You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has updated cloudtrail logging. Please investigate this activity.", "references": ["https://attack.mitre.org/techniques/T1562/008/"], "tags": {"name": "AWS Defense Evasion Update Cloudtrail", "analytic_story": ["AWS Defense Evasion"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "User $user_arn$ has updated a cloudtrail logging for account id $aws_account_id$ from IP $src$", "mitre_attack_id": ["T1562", "T1562.008"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "eventSource", "requestParameters.name", "userAgent", "aws_account_id", "src", "region"], "risk_score": 90, "security_domain": "threat", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1562.008", "mitre_attack_technique": "Disable Cloud Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/update_cloudtrail/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_defense_evasion_update_cloudtrail_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_defense_evasion_update_cloudtrail.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "aws detect attach to role policy", "id": "88fc31dd-f331-448c-9856-d3d51dd5d3a1", "version": 1, "date": "2020-07-27", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "experimental", "description": "This search provides detection of an user attaching itself to a different role trust policy. This can be used for lateral movement and escalation of privileges.", "data_source": [], "search": "`aws_cloudwatchlogs_eks` attach policy| spath requestParameters.policyArn | table sourceIPAddress user_access_key userIdentity.arn userIdentity.sessionContext.sessionIssuer.arn eventName errorCode errorMessage status action requestParameters.policyArn userIdentity.sessionContext.attributes.mfaAuthenticated userIdentity.sessionContext.attributes.creationDate | `aws_detect_attach_to_role_policy_filter`", "how_to_implement": "You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs", "known_false_positives": "Attach to policy can create a lot of noise. This search can be adjusted to provide specific values to identify cases of abuse (i.e status=failure). The search can provide context for common users attaching themselves to higher privilege policies or even newly created policies.", "references": [], "tags": {"name": "aws detect attach to role policy", "analytic_story": ["AWS Cross Account Activity"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "requestParameters.policyArn"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "datamodel": [], "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_detect_attach_to_role_policy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_detect_attach_to_role_policy.yml", "source": "cloud"}, {"name": "aws detect permanent key creation", "id": "12d6d713-3cb4-4ffc-a064-1dca3d1cca01", "version": 1, "date": "2020-07-27", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "experimental", "description": "This search provides detection of accounts creating permanent keys. Permanent keys are not created by default and they are only needed for programmatic calls. Creation of Permanent key is an important event to monitor.", "data_source": [], "search": "`aws_cloudwatchlogs_eks` CreateAccessKey | spath eventName | search eventName=CreateAccessKey \"userIdentity.type\"=IAMUser | table sourceIPAddress userName userIdentity.type userAgent action status responseElements.accessKey.createDate responseElements.accessKey.status responseElements.accessKey.accessKeyId |`aws_detect_permanent_key_creation_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs", "known_false_positives": "Not all permanent key creations are malicious. If there is a policy of rotating keys this search can be adjusted to provide better context.", "references": [], "tags": {"name": "aws detect permanent key creation", "analytic_story": ["AWS Cross Account Activity"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "userIdentity.type", "sourceIPAddress", "userName userIdentity.type", "userAgent", "action", "status", "responseElements.accessKey.createDate", "esponseElements.accessKey.status", "responseElements.accessKey.accessKeyId"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "datamodel": [], "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_detect_permanent_key_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_detect_permanent_key_creation.yml", "source": "cloud"}, {"name": "aws detect role creation", "id": "5f04081e-ddee-4353-afe4-504f288de9ad", "version": 1, "date": "2020-07-27", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "experimental", "description": "This search provides detection of role creation by IAM users. Role creation is an event by itself if user is creating a new role with trust policies different than the available in AWS and it can be used for lateral movement and escalation of privileges.", "data_source": [], "search": "`aws_cloudwatchlogs_eks` event_name=CreateRole action=created userIdentity.type=AssumedRole requestParameters.description=Allows* | table sourceIPAddress userIdentity.principalId userIdentity.arn action event_name awsRegion http_user_agent mfa_auth msg requestParameters.roleName requestParameters.description responseElements.role.arn responseElements.role.createDate | `aws_detect_role_creation_filter`", "how_to_implement": "You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs", "known_false_positives": "CreateRole is not very common in common users. This search can be adjusted to provide specific values to identify cases of abuse. In general AWS provides plenty of trust policies that fit most use cases.", "references": [], "tags": {"name": "aws detect role creation", "analytic_story": ["AWS Cross Account Activity"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "event_name", "action", "userIdentity.type", "requestParameters.description", "sourceIPAddress", "userIdentity.principalId", "userIdentity.arn", "action", "event_name", "awsRegion", "http_user_agent", "mfa_auth", "msg", "requestParameters.roleName", "requestParameters.description", "responseElements.role.arn", "responseElements.role.createDate"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "datamodel": [], "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_detect_role_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_detect_role_creation.yml", "source": "cloud"}, {"name": "aws detect sts assume role abuse", "id": "8e565314-b6a2-46d8-9f05-1a34a176a662", "version": 1, "date": "2020-07-27", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "experimental", "description": "This search provides detection of suspicious use of sts:AssumeRole. These tokens can be created on the go and used by attackers to move laterally and escalate privileges.", "data_source": [], "search": "`cloudtrail` user_type=AssumedRole userIdentity.sessionContext.sessionIssuer.type=Role | table sourceIPAddress userIdentity.arn user_agent user_access_key status action requestParameters.roleName responseElements.role.roleName responseElements.role.createDate | `aws_detect_sts_assume_role_abuse_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs", "known_false_positives": "Sts:AssumeRole can be very noisy as it is a standard mechanism to provide cross account and cross resources access. This search can be adjusted to provide specific values to identify cases of abuse.", "references": [], "tags": {"name": "aws detect sts assume role abuse", "analytic_story": ["AWS Cross Account Activity"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "user_type", "userIdentity.sessionContext.sessionIssuer.type", "sourceIPAddress", "userIdentity.arn", "user_agent", "user_access_key", "status", "action", "requestParameters.roleName", "esponseElements.role.roleName", "esponseElements.role.createDate"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_detect_sts_assume_role_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_detect_sts_assume_role_abuse.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "aws detect sts get session token abuse", "id": "85d7b35f-b8b5-4b01-916f-29b81e7a0551", "version": 1, "date": "2020-07-27", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "experimental", "description": "This search provides detection of suspicious use of sts:GetSessionToken. These tokens can be created on the go and used by attackers to move laterally and escalate privileges.", "data_source": [], "search": "`aws_cloudwatchlogs_eks` ASIA userIdentity.type=IAMUser| spath eventName | search eventName=GetSessionToken | table sourceIPAddress eventTime userIdentity.arn userName userAgent user_type status region | `aws_detect_sts_get_session_token_abuse_filter`", "how_to_implement": "You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs", "known_false_positives": "Sts:GetSessionToken can be very noisy as in certain environments numerous calls of this type can be executed. This search can be adjusted to provide specific values to identify cases of abuse. In specific environments the use of field requestParameters.serialNumber will need to be used.", "references": [], "tags": {"name": "aws detect sts get session token abuse", "analytic_story": ["AWS Cross Account Activity"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1550"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "userIdentity.type", "eventName", "sourceIPAddress", "eventTime", "userIdentity.arn", "userName", "userAgent", "user_type", "status", "region"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}]}, "datamodel": [], "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_detect_sts_get_session_token_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_detect_sts_get_session_token_abuse.yml", "source": "cloud"}, {"name": "AWS Detect Users creating keys with encrypt policy without MFA", "id": "c79c164f-4b21-4847-98f9-cf6a9f49179e", "version": 1, "date": "2021-01-11", "author": "Rod Soto, Patrick Bareiss Splunk", "type": "TTP", "status": "production", "description": "This search provides detection of KMS keys where action kms:Encrypt is accessible for everyone (also outside of your organization). This is an indicator that your account is compromised and the attacker uses the encryption key to compromise another company.", "data_source": [], "search": "`cloudtrail` eventName=CreateKey OR eventName=PutKeyPolicy | spath input=requestParameters.policy output=key_policy_statements path=Statement{} | mvexpand key_policy_statements | spath input=key_policy_statements output=key_policy_action_1 path=Action | spath input=key_policy_statements output=key_policy_action_2 path=Action{} | eval key_policy_action=mvappend(key_policy_action_1, key_policy_action_2) | spath input=key_policy_statements output=key_policy_principal path=Principal.AWS | search key_policy_action=\"kms:Encrypt\" AND key_policy_principal=\"*\" | stats count min(_time) as firstTime max(_time) as lastTime by eventName eventSource eventID awsRegion userIdentity.principalId | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs", "known_false_positives": "unknown", "references": ["https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/", "https://github.com/d1vious/git-wild-hunt", "https://www.youtube.com/watch?v=PgzNib37g0M"], "tags": {"name": "AWS Detect Users creating keys with encrypt policy without MFA", "analytic_story": ["Ransomware Cloud"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "message": "AWS account is potentially compromised and user $userIdentity.principalId$ is trying to compromise other accounts.", "mitre_attack_id": ["T1486"], "nist": ["DE.CM"], "observable": [{"name": "userIdentity.principalId", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "eventSource", "eventID", "awsRegion", "requestParameters.policy", "userIdentity.principalId"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/aws_kms_key/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Detect Users with KMS keys performing encryption S3", "id": "884a5f59-eec7-4f4a-948b-dbde18225fdc", "version": 2, "date": "2022-11-11", "author": "Rod Soto, Patrick Bareiss Splunk", "type": "Anomaly", "status": "production", "description": "This search provides detection of users with KMS keys performing encryption specifically against S3 buckets.", "data_source": [], "search": "`cloudtrail` eventName=CopyObject requestParameters.x-amz-server-side-encryption=\"aws:kms\" | rename requestParameters.bucketName AS bucketName, requestParameters.x-amz-copy-source AS src_file, requestParameters.key AS dest_file | stats count min(_time) as firstTime max(_time) as lastTime values(bucketName) as bucketName values(src_file) AS src_file values(dest_file) AS dest_file values(userAgent) AS userAgent values(region) AS region values(src) AS src by user | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`aws_detect_users_with_kms_keys_performing_encryption_s3_filter`", "how_to_implement": "You must install Splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs", "known_false_positives": "There maybe buckets provisioned with S3 encryption", "references": ["https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/", "https://github.com/d1vious/git-wild-hunt", "https://www.youtube.com/watch?v=PgzNib37g0M"], "tags": {"name": "AWS Detect Users with KMS keys performing encryption S3", "analytic_story": ["Ransomware Cloud"], "asset_type": "S3 Bucket", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Actions on Objectives"], "message": "User $user$ with KMS keys is performing encryption, against S3 buckets on these files $dest_file$", "mitre_attack_id": ["T1486"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "dest_file", "type": "File", "role": ["Target"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "requestParameters.x-amz-server-side-encryption", "requestParameters.bucketName", "requestParameters.x-amz-copy-source", "requestParameters.key", "userAgent", "region"], "risk_score": 15, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/s3_file_encryption/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_detect_users_with_kms_keys_performing_encryption_s3_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Disable Bucket Versioning", "id": "657902a9-987d-4879-a1b2-e7a65512824b", "version": 1, "date": "2023-05-01", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic detects AWS cloudtrail events where bucket versioning is suspended by a user. Versioning allows the AWS Administrators to maintain different version of the S3 bucket which can be used to recover deleted data. Adversaries have leveraged this technique in the wild during a ransomware incident to disable versioning so the client cannot recover the data.", "data_source": [], "search": "`cloudtrail` eventName= PutBucketVersioning \"requestParameters.VersioningConfiguration.Status\"=Suspended | stats count values(requestParameters.bucketName) as bucket_name values(resources{}.ARN) as resource_arn by src_ip aws_account_id awsRegion eventName userAgent user_arn userIdentity.principalId errorCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `aws_disable_bucket_versioning_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "It is possible that an AWS Administrator has legitimately disabled versioning on certain buckets to avoid costs.", "references": ["https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82", "https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436"], "tags": {"name": "AWS Disable Bucket Versioning", "analytic_story": ["Suspicious AWS S3 Activities", "Data Exfiltration"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "message": "Bucket Versioning is suspended for S3 buckets- $bucket_name$ by user $user_arn$ from IP address $src_ip$", "mitre_attack_id": ["T1490"], "nist": ["DE.AE"], "observable": [{"name": "user_arn", "type": "User", "role": ["Attacker"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "user_arn", "src_ip", "aws_account_id", "destinationLocationArn", "sourceLocationArn", "userAgent", "userIdentity.principalId"], "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/aws_bucket_version/cloudtrail.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_disable_bucket_versioning_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_disable_bucket_versioning.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS EC2 Snapshot Shared Externally", "id": "2a9b80d3-6340-4345-b5ad-290bf3d222c4", "version": 3, "date": "2023-03-20", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes AWS CloudTrail events to identify when an EC2 snapshot permissions are modified to be shared with a different AWS account. This method is used by adversaries to exfiltrate the EC2 snapshot.", "data_source": [], "search": "`cloudtrail` eventName=ModifySnapshotAttribute | rename requestParameters.createVolumePermission.add.items{}.userId as requested_account_id | search requested_account_id != NULL | eval match=if(requested_account_id==aws_account_id,\"Match\",\"No Match\") | table _time user_arn src_ip requestParameters.attributeType requested_account_id aws_account_id match vendor_region user_agent userIdentity.principalId | where match = \"No Match\" | `aws_ec2_snapshot_shared_externally_filter` ", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "It is possible that an AWS admin has legitimately shared a snapshot with others for a specific purpose.", "references": ["https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/", "https://hackingthe.cloud/aws/enumeration/loot_public_ebs_snapshots/"], "tags": {"name": "AWS EC2 Snapshot Shared Externally", "analytic_story": ["Suspicious Cloud Instance Activities", "Data Exfiltration"], "asset_type": "EC2 Snapshot", "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Actions on Objectives"], "message": "AWS EC2 snapshot from account $aws_account_id$ is shared with $requested_account_id$ by user $user_arn$ from $src_ip$", "mitre_attack_id": ["T1537"], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Attacker"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "user_arn", "src_ip", "requestParameters.attributeType", "aws_account_id", "vendor_region", "user_agent", "userIdentity.principalId"], "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_snapshot_exfil/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_ec2_snapshot_shared_externally_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_ec2_snapshot_shared_externally.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS ECR Container Scanning Findings High", "id": "62721bd2-1d82-4623-b6e6-aac170014423", "version": 1, "date": "2022-06-21", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). You need to activate image scanning in order to get the event DescribeImageScanFindings with the results.", "data_source": [], "search": "`cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanFindings | spath path=responseElements.imageScanFindings.findings{} output=findings | mvexpand findings | spath input=findings| search severity=HIGH | rename name as finding_name, description as finding_description, requestParameters.imageId.imageDigest as imageDigest, requestParameters.repositoryName as image | eval finding = finding_name.\", \".finding_description | eval phase=\"release\" | eval severity=\"high\" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, imageDigest, image, userName, src_ip, finding, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_scanning_findings_high_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "unknown", "references": ["https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html"], "tags": {"name": "AWS ECR Container Scanning Findings High", "analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Installation"], "message": "Vulnerabilities with severity high found in image $image$", "mitre_attack_id": ["T1204.003", "T1204"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["eventSource", "eventName", "responseElements.imageScanFindings.findings{}", "awsRegion", "requestParameters.imageId.imageDigest", "requestParameters.repositoryName", "user", "userName", "src_ip"], "risk_score": 70, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.003", "mitre_attack_technique": "Malicious Image", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.003/aws_ecr_image_scanning/aws_ecr_scanning_findings_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_ecr_container_scanning_findings_high_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_ecr_container_scanning_findings_high.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS ECR Container Scanning Findings Low Informational Unknown", "id": "cbc95e44-7c22-443f-88fd-0424478f5589", "version": 1, "date": "2022-08-25", "author": "Patrick Bareiss, Eric McGinnis Splunk", "type": "Hunting", "status": "production", "description": "This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). You need to activate image scanning in order to get the event DescribeImageScanFindings with the results.", "data_source": [], "search": "`cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanFindings | spath path=responseElements.imageScanFindings.findings{} output=findings | mvexpand findings | spath input=findings| search severity IN (\"LOW\", \"INFORMATIONAL\", \"UNKNOWN\") | rename name as finding_name, description as finding_description, requestParameters.imageId.imageDigest as imageDigest, requestParameters.repositoryName as repositoryName | eval finding = finding_name.\", \".finding_description | eval phase=\"release\" | eval severity=\"low\" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, imageDigest, repositoryName, userName, src_ip, finding, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_scanning_findings_low_informational_unknown_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "unknown", "references": ["https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html"], "tags": {"name": "AWS ECR Container Scanning Findings Low Informational Unknown", "analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "confidence": 70, "impact": 10, "kill_chain_phases": ["Installation"], "message": "Vulnerabilities with severity high found in repository $repositoryName$", "mitre_attack_id": ["T1204.003", "T1204"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["eventSource", "eventName", "responseElements.imageScanFindings.findings{}", "awsRegion", "requestParameters.imageId.imageDigest", "requestParameters.repositoryName", "user", "userName", "src_ip"], "risk_score": 7, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.003", "mitre_attack_technique": "Malicious Image", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.003/aws_ecr_image_scanning/aws_ecr_scanning_findings_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_ecr_container_scanning_findings_low_informational_unknown_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS ECR Container Scanning Findings Medium", "id": "0b80e2c8-c746-4ddb-89eb-9efd892220cf", "version": 1, "date": "2021-08-17", "author": "Patrick Bareiss, Splunk", "type": "Anomaly", "status": "production", "description": "This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). You need to activate image scanning in order to get the event DescribeImageScanFindings with the results.", "data_source": [], "search": "`cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanFindings | spath path=responseElements.imageScanFindings.findings{} output=findings | mvexpand findings | spath input=findings| search severity=MEDIUM | rename name as finding_name, description as finding_description, requestParameters.imageId.imageDigest as imageDigest, requestParameters.repositoryName as image | eval finding = finding_name.\", \".finding_description | eval phase=\"release\" | eval severity=\"medium\" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, imageDigest, image, userName, src_ip, finding, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_scanning_findings_medium_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "unknown", "references": ["https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html"], "tags": {"name": "AWS ECR Container Scanning Findings Medium", "analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Installation"], "message": "Vulnerabilities with severity high found in image $image$", "mitre_attack_id": ["T1204.003", "T1204"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["eventSource", "eventName", "responseElements.imageScanFindings.findings{}", "awsRegion", "requestParameters.imageId.imageDigest", "requestParameters.repositoryName", "user", "userName", "src_ip"], "risk_score": 21, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.003", "mitre_attack_technique": "Malicious Image", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.003/aws_ecr_image_scanning/aws_ecr_scanning_findings_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_ecr_container_scanning_findings_medium_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_ecr_container_scanning_findings_medium.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS ECR Container Upload Outside Business Hours", "id": "d4c4d4eb-3994-41ca-a25e-a82d64e125bb", "version": 1, "date": "2021-08-19", "author": "Patrick Bareiss, Splunk", "type": "Anomaly", "status": "production", "description": "This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). A upload of a new container is normally done during business hours. When done outside business hours, we want to take a look into it.", "data_source": [], "search": "`cloudtrail` eventSource=ecr.amazonaws.com eventName=PutImage date_hour>=20 OR date_hour<8 OR date_wday=saturday OR date_wday=sunday | rename requestParameters.* as * | rename repositoryName AS image | eval phase=\"release\" | eval severity=\"medium\" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, user, userName, src_ip, imageTag, registryId, image, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_upload_outside_business_hours_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "When your development is spreaded in different time zones, applying this rule can be difficult.", "references": ["https://attack.mitre.org/techniques/T1204/003/"], "tags": {"name": "AWS ECR Container Upload Outside Business Hours", "analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "message": "Container uploaded outside business hours from $user$", "mitre_attack_id": ["T1204.003", "T1204"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["eventSource", "eventName", "awsRegion", "requestParameters.imageTag", "requestParameters.registryId", "requestParameters.repositoryName", "user", "userName", "src_ip"], "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.003", "mitre_attack_technique": "Malicious Image", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.003/aws_ecr_container_upload/aws_ecr_container_upload.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_ecr_container_upload_outside_business_hours_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS ECR Container Upload Unknown User", "id": "300688e4-365c-4486-a065-7c884462b31d", "version": 1, "date": "2021-08-19", "author": "Patrick Bareiss, Splunk", "type": "Anomaly", "status": "production", "description": "This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). A upload of a new container is normally done from only a few known users. When the user was never seen before, we should have a closer look into the event.", "data_source": [], "search": "`cloudtrail` eventSource=ecr.amazonaws.com eventName=PutImage NOT `aws_ecr_users` | rename requestParameters.* as * | rename repositoryName AS image | eval phase=\"release\" | eval severity=\"high\" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, user, userName, src_ip, imageTag, registryId, image, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_upload_unknown_user_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "unknown", "references": ["https://attack.mitre.org/techniques/T1204/003/"], "tags": {"name": "AWS ECR Container Upload Unknown User", "analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "message": "Container uploaded from unknown user $user$", "mitre_attack_id": ["T1204.003", "T1204"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["eventSource", "eventName", "awsRegion", "requestParameters.imageTag", "requestParameters.registryId", "requestParameters.repositoryName", "user", "userName", "src_ip"], "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.003", "mitre_attack_technique": "Malicious Image", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.003/aws_ecr_container_upload/aws_ecr_container_upload.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_ecr_users", "definition": "userName IN (user)", "description": "specify the user allowed to push Images to AWS ECR."}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_ecr_container_upload_unknown_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_ecr_container_upload_unknown_user.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Excessive Security Scanning", "id": "1fdd164a-def8-4762-83a9-9ffe24e74d5a", "version": 1, "date": "2021-04-13", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "This search looks for AWS CloudTrail events and analyse the amount of eventNames which starts with Describe by a single user. This indicates that this user scans the configuration of your AWS cloud environment.", "data_source": [], "search": "`cloudtrail` eventName=Describe* OR eventName=List* OR eventName=Get* | stats dc(eventName) as dc_events min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName values(src) as src values(userAgent) as userAgent by user userIdentity.arn | where dc_events > 50 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`aws_excessive_security_scanning_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "While this search has no known false positives.", "references": ["https://github.com/aquasecurity/cloudsploit"], "tags": {"name": "AWS Excessive Security Scanning", "analytic_story": ["AWS User Monitoring"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "confidence": 60, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "user $user$ has excessive number of api calls $dc_events$ from these IP addresses $src$, violating the threshold of 50, using the following commands $command$.", "mitre_attack_id": ["T1526"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "src", "userAgent", "user", "userIdentity.arn"], "risk_score": 18, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1526/aws_security_scanner/aws_security_scanner.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_excessive_security_scanning_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_excessive_security_scanning.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Exfiltration via Anomalous GetObject API Activity", "id": "e4384bbf-5835-4831-8d85-694de6ad2cc6", "version": 1, "date": "2023-04-10", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "production", "description": "This search uses built in Splunk command `| anomalydetection` to detect anomalies with respect to users making high number of GetObject API calls to download objects from S3 in a 10 minute time window. The field `probable_cause` is the name of the field that best explains why the event is anomalous. This command identifies anomalous events by computing a probability for each GetObject event by \"count\" \"user_type\" \"user_arn\" and detects anomaly based on the frequencies.", "data_source": [], "search": "`cloudtrail` eventName=GetObject | bin _time span=10m | stats count values(requestParameters.bucketName) as bucketName by _time src_ip aws_account_id user_type user_arn userIdentity.principalId | anomalydetection \"count\" \"user_type\" \"user_arn\" action=annotate | search probable_cause=* |`aws_exfiltration_via_anomalous_getobject_api_activity_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "It is possible that a user downloaded these files to use them locally and there are AWS services in configured that perform these activities for a legitimate reason. Filter is needed.", "references": ["https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://docs.splunk.com/Documentation/Splunk/9.0.4/SearchReference/Anomalydetection", "https://www.vectra.ai/blogpost/abusing-the-replicator-silently-exfiltrating-data-with-the-aws-s3-replication-service"], "tags": {"name": "AWS Exfiltration via Anomalous GetObject API Activity", "analytic_story": ["Data Exfiltration"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "Anomalous S3 activities detected by user $user_arn$ from $src_ip$", "mitre_attack_id": ["T1119"], "nist": ["DE.AE"], "observable": [{"name": "user_arn", "type": "User", "role": ["Attacker"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "user_arn", "src_ip", "aws_account_id", "userAgent", "userIdentity.principalId"], "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1119", "mitre_attack_technique": "Automated Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "Chimera", "Confucius", "FIN5", "FIN6", "Gamaredon Group", "Ke3chang", "Mustang Panda", "OilRig", "Patchwork", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1530/aws_exfil_high_no_getobject/cloudtrail.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_exfiltration_via_anomalous_getobject_api_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Exfiltration via Batch Service", "id": "04455dd3-ced7-480f-b8e6-5469b99e98e2", "version": 1, "date": "2023-04-24", "author": "", "type": "TTP", "status": "production", "description": "This search looks for events where AWS Batch Service is used for creating a job that could potentially abuse the AWS Bucket Replication feature on S3 buckets. This AWS service can used to transfer data between different AWS S3 buckets and an attacker can leverage this to exfiltrate data by creating a malicious batch job.", "data_source": [], "search": "`cloudtrail` eventName = JobCreated | stats count min(_time) as firstTime max(_time) as lastTime values(serviceEventDetails.jobArn) as job_arn values(serviceEventDetails.status) as status by src_ip aws_account_id eventName errorCode userAgent| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_exfiltration_via_datasync_task_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "It is possible that an AWS Administrator or a user has legitimately created this job for some tasks.", "references": ["https://hackingthe.cloud/aws/exploitation/s3-bucket-replication-exfiltration/", "https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436"], "tags": {"name": "AWS Exfiltration via Batch Service", "analytic_story": ["Data Exfiltration"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "AWS Batch Job is created on account id - $aws_account_id$ by user $user_arn$ from src_ip $src_ip$", "mitre_attack_id": ["T1119"], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Attacker"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "user_arn", "src_ip", "aws_account_id", "userAgent"], "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1119", "mitre_attack_technique": "Automated Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "Chimera", "Confucius", "FIN5", "FIN6", "Gamaredon Group", "Ke3chang", "Mustang Panda", "OilRig", "Patchwork", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1119/aws_exfil_datasync/cloudtrail.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_exfiltration_via_batch_service_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_exfiltration_via_batch_service.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Exfiltration via Bucket Replication", "id": "eeb432d6-2212-43b6-9e89-fcd753f7da4c", "version": 1, "date": "2023-04-28", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "The following analytic detects API calls made to an S3 bucket when bucket replication services are enabled. S3 bucket replication is a feature offered by Amazon Web Services (AWS) that allows you to automatically and asynchronously copy data from one S3 bucket to another in the same or different region.\\\nS3 bucket replication can also be used for cross-account replication, where data is replicated from a source bucket owned by one AWS account to a destination bucket owned by a different AWS account.", "data_source": [], "search": "`cloudtrail` eventName = PutBucketReplication eventSource = s3.amazonaws.com | rename requestParameters.* as * | stats count values(bucketName) as source_bucket values(ReplicationConfiguration.Rule.ID) as rule_id values(ReplicationConfiguration.Rule.Destination.Bucket) as destination_bucket by _time user_arn userName user_type src_ip aws_account_id userIdentity.principalId user_agent | `aws_exfiltration_via_ec2_snapshot_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "It is possible that an AWS admin has legitimately implemented data replication to ensure data availability and improve data protection/backup strategies.", "references": ["https://hackingthe.cloud/aws/exploitation/s3-bucket-replication-exfiltration/"], "tags": {"name": "AWS Exfiltration via Bucket Replication", "analytic_story": ["Suspicious AWS S3 Activities", "Data Exfiltration"], "asset_type": "EC2 Snapshot", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "message": "AWS Bucket Replication rule $rule$ added on $source_bucket$ to $destination_bucket$ by user $user_arn$ from IP Address - $src_ip$", "mitre_attack_id": ["T1537"], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Attacker"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "user_arn", "src_ip", "eventSource", "requestParameters.*", "aws_account_id", "vendor_region", "user_agent", "userIdentity.principalId"], "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1119/aws_exfil_datasync/cloudtrail.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_exfiltration_via_bucket_replication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_exfiltration_via_bucket_replication.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Exfiltration via DataSync Task", "id": "05c4b09f-ea28-4c7c-a7aa-a246f665c8a2", "version": 1, "date": "2023-04-10", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "This search looks for potential misuse of an AWS service known as DataSync. This AWS service is used to transfer data between different AWS cloud storage services, such as Amazon S3, Amazon EFS, and Amazon FSx for Windows File Server. Attackers can create a task in AWS to periodically copy data from a private AWS location to a public location resulting in the compromise of the data.", "data_source": [], "search": "`cloudtrail` eventName = CreateTask eventSource=\"datasync.amazonaws.com\" | rename requestParameters.* as * | stats count min(_time) as firstTime max(_time) as lastTime by src_ip aws_account_id awsRegion eventName destinationLocationArn sourceLocationArn userAgent user_arn userIdentity.principalId errorCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_exfiltration_via_datasync_task_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "It is possible that an AWS Administrator has legitimately created this task for creating backup. Please check the `sourceLocationArn` and `destinationLocationArn` of this task", "references": ["https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://www.shehackske.com/how-to/data-exfiltration-on-cloud-1606/"], "tags": {"name": "AWS Exfiltration via DataSync Task", "analytic_story": ["Suspicious AWS S3 Activities", "Data Exfiltration"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "DataSync task created on account id - $aws_account_id$ by user $user_arn$ from src_ip $src_ip$", "mitre_attack_id": ["T1119"], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Attacker"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "user_arn", "src_ip", "aws_account_id", "destinationLocationArn", "sourceLocationArn", "userAgent", "userIdentity.principalId"], "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1119", "mitre_attack_technique": "Automated Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "Chimera", "Confucius", "FIN5", "FIN6", "Gamaredon Group", "Ke3chang", "Mustang Panda", "OilRig", "Patchwork", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1119/aws_exfil_datasync/cloudtrail.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_exfiltration_via_datasync_task_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_exfiltration_via_datasync_task.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Exfiltration via EC2 Snapshot", "id": "ac90b339-13fc-4f29-a18c-4abbba1f2171", "version": 1, "date": "2023-03-22", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "This search detects a series of AWS API calls, made in a short time window, related to EC2 snapshots that can detect a potential exfiltration via EC2 Snapshot modifications. In this attack, the attacker typically proceeds by listing and creating EC2 snapshots of the available EC2 instances followed by modifying snapshot attributes such that it can be shared externally. Once this is done, the attacker can then load that EC2 snapshot and access all the sensitive information.", "data_source": [], "search": "`cloudtrail` eventName IN (\"CreateSnapshot\", \"DescribeSnapshotAttribute\", \"ModifySnapshotAttribute\", \"DeleteSnapshot\") src_ip !=\"guardduty.amazonaws.com\" | bin _time span=5m | stats count dc(eventName) as distinct_api_calls values(eventName) values(requestParameters.attributeType) as attributeType values(requestParameters.createVolumePermission.add.items{}.userId) as aws_account_id_added values(userAgent) as userAgent by _time userName src_ip aws_account_id | where distinct_api_calls >= 2 | `aws_exfiltration_via_ec2_snapshot_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. We have intentionally removed `guardduty.amazonaws.com` from src_ip to remove false positives caused by guard duty. We recommend you adjust the time window as per your environment.", "known_false_positives": "It is possible that an AWS admin has legitimately shared a snapshot with an other account for a specific purpose. Please check any recent change requests filed in your organization.", "references": ["https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html", "https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436", "https://stratus-red-team.cloud/attack-techniques/list/"], "tags": {"name": "AWS Exfiltration via EC2 Snapshot", "analytic_story": ["Suspicious Cloud Instance Activities", "Data Exfiltration"], "asset_type": "EC2 Snapshot", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "message": "Potential AWS EC2 Exfiltration detected on account id - $aws_account_id$ by user $user_arn$ from src_ip $src_ip$", "mitre_attack_id": ["T1537"], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Attacker"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "aws_account_id", "type": "Other", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "user_arn", "src_ip", "requestParameters.attributeType", "aws_account_id", "vendor_region", "user_agent", "userIdentity.principalId", "requestParameters.createVolumePermission.add.items{}.userId"], "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_snapshot_exfil/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_exfiltration_via_ec2_snapshot_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS High Number Of Failed Authentications For User", "id": "e3236f49-daf3-4b70-b808-9290912ac64d", "version": 1, "date": "2023-01-27", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies an AWS account with more than 20 failed authentication events in the span of 5 minutes. This behavior could represent a brute force attack against the account. As environments differ across organizations, security teams should customize the threshold of this detection.", "data_source": [], "search": "`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time | stats dc(_raw) AS failed_attempts values(src_ip) as src_ip values(user_agent) by _time, user_name, eventName, eventSource aws_account_id | where failed_attempts > 20 | `aws_high_number_of_failed_authentications_for_user_filter`", "how_to_implement": "You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "A user with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.", "references": ["https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/password-policy.html"], "tags": {"name": "AWS High Number Of Failed Authentications For User", "analytic_story": ["Compromised User Account", "AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "User $user_name$ failed to authenticate more than 20 times in the span of 5 minutes for AWS Account $aws_account_id$", "mitre_attack_id": ["T1201"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "userAgent", "errorCode", "requestParameters.userName", "eventSource", "user_arn", "aws_account_id", "src_ip"], "risk_score": 35, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/aws_multiple_login_fail_per_user/cloudtrail.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_high_number_of_failed_authentications_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS High Number Of Failed Authentications From Ip", "id": "f75b7f1a-b8eb-4975-a214-ff3e0a944757", "version": 1, "date": "2023-01-30", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies an IP address failing to authenticate 20 or more times to the AWS Web Console in the span of 5 minutes. This behavior could represent a brute force attack against an AWS tenant to obtain initial access or elevate privileges. As environments differ across organizations, security teams should customize the threshold of this detection.", "data_source": [], "search": "`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=5m _time | stats dc(_raw) AS failed_attempts values(user_name) as tried_accounts values(user_agent) by _time, src_ip, eventName, eventSource aws_account_id | where failed_attempts > 20 | `aws_high_number_of_failed_authentications_from_ip_filter`", "how_to_implement": "You must install Splunk Add-on for AWS in order to ingest Cloudtrail. We recommend the users to try different combinations of the bucket span time and the tried account threshold to tune this search according to their environment.", "known_false_positives": "An Ip address with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://www.whiteoaksecurity.com/blog/goawsconsolespray-password-spraying-tool/", "https://softwaresecuritydotblog.wordpress.com/2019/09/28/how-to-protect-against-credential-stuffing-on-aws/"], "tags": {"name": "AWS High Number Of Failed Authentications From Ip", "analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "Multiple failed console login attempts against users $tried_accounts$ seen from $src_ip$", "mitre_attack_id": ["T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "tried_accounts", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "user", "action", "eventName", "src_ip"], "risk_score": 54, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/aws_cloudtrail.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_high_number_of_failed_authentications_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS IAM AccessDenied Discovery Events", "id": "3e1f1568-9633-11eb-a69c-acde48001122", "version": 2, "date": "2021-11-12", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following detection identifies excessive AccessDenied events within an hour timeframe. It is possible that an access key to AWS may have been stolen and is being misused to perform discovery events. In these instances, the access is not available with the key stolen therefore these events will be generated.", "data_source": [], "search": "`cloudtrail` (errorCode = \"AccessDenied\") user_type=IAMUser (userAgent!=*.amazonaws.com) | bucket _time span=1h | stats count as failures min(_time) as firstTime max(_time) as lastTime, dc(eventName) as methods, dc(eventSource) as sources by src_ip, userIdentity.arn, _time | where failures >= 5 and methods >= 1 and sources >= 1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_accessdenied_discovery_events_filter`", "how_to_implement": "The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS Cloudtrail logs.", "known_false_positives": "It is possible to start this detection will need to be tuned by source IP or user. In addition, change the count values to an upper threshold to restrict false positives.", "references": ["https://aws.amazon.com/premiumsupport/knowledge-center/troubleshoot-iam-permission-errors/"], "tags": {"name": "AWS IAM AccessDenied Discovery Events", "analytic_story": ["Suspicious Cloud User Activities"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "message": "User $userIdentity.arn$ is seen to perform excessive number of discovery related api calls- $failures$, within an hour where the access was denied.", "mitre_attack_id": ["T1580"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "userIdentity.arn", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "eventSource", "userAgent", "errorCode", "userIdentity.type"], "risk_score": 10, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1580", "mitre_attack_technique": "Cloud Infrastructure Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1580/aws_iam_accessdenied_discovery_events/aws_iam_accessdenied_discovery_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_iam_accessdenied_discovery_events_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_iam_accessdenied_discovery_events.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS IAM Assume Role Policy Brute Force", "id": "f19e09b0-9308-11eb-b7ec-acde48001122", "version": 1, "date": "2021-04-01", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following detection identifies any malformed policy document exceptions with a status of `failure`. A malformed policy document exception occurs in instances where roles are attempted to be assumed, or brute forced. In a brute force attempt, using a tool like CloudSploit or Pacu, an attempt will look like `arn:aws:iam::111111111111:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS`. Meaning, when an adversary is attempting to identify a role name, multiple failures will occur. This detection focuses on the errors of a remote attempt that is failing.", "data_source": [], "search": "`cloudtrail` (errorCode=MalformedPolicyDocumentException) status=failure (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyName) as policy_name by src eventName eventSource aws_account_id errorCode requestParameters.policyDocument userAgent eventID awsRegion userIdentity.principalId user_arn | where count >= 2 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_assume_role_policy_brute_force_filter`", "how_to_implement": "The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS Cloudtrail logs. Set the `where count` greater than a value to identify suspicious activity in your environment.", "known_false_positives": "This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users.", "references": ["https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities/", "https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/", "https://www.elastic.co/guide/en/security/current/aws-iam-brute-force-of-assume-role-policy.html"], "tags": {"name": "AWS IAM Assume Role Policy Brute Force", "analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "kill_chain_phases": ["Exploitation"], "message": "User $user_arn$ has caused multiple failures with errorCode $errorCode$, which potentially means adversary is attempting to identify a role name.", "mitre_attack_id": ["T1580", "T1110"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "userAgent", "errorCode", "requestParameters.policyName"], "risk_score": 28, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1580", "mitre_attack_technique": "Cloud Infrastructure Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1580/aws_iam_assume_role_policy_brute_force/aws_iam_assume_role_policy_brute_force.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_iam_assume_role_policy_brute_force_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_iam_assume_role_policy_brute_force.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS IAM Delete Policy", "id": "ec3a9362-92fe-11eb-99d0-acde48001122", "version": 1, "date": "2021-04-01", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following detection identifes when a policy is deleted on AWS. This does not identify whether successful or failed, but the error messages tell a story of suspicious attempts. There is a specific process to follow when deleting a policy. First, detach the policy from all users, groups, and roles that the policy is attached to, using DetachUserPolicy , DetachGroupPolicy , or DetachRolePolicy.", "data_source": [], "search": "`cloudtrail` eventName=DeletePolicy (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyArn) as policyArn by src eventName eventSource aws_account_id errorCode errorMessage userAgent eventID awsRegion userIdentity.principalId userIdentity.arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_delete_policy_filter`", "how_to_implement": "The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS Cloudtrail logs.", "known_false_positives": "This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete policies (least privilege). In addition, this may be saved seperately and tuned for failed or success attempts only.", "references": ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicy.html", "https://docs.aws.amazon.com/cli/latest/reference/iam/delete-policy.html"], "tags": {"name": "AWS IAM Delete Policy", "analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Installation"], "message": "User $user_arn$ has deleted AWS Policies from IP address $src$ by executing the following command $eventName$", "mitre_attack_id": ["T1098"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "userAgent", "errorCode", "requestParameters.policyArn"], "risk_score": 10, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_delete_policy/aws_iam_delete_policy.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_iam_delete_policy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_iam_delete_policy.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS IAM Failure Group Deletion", "id": "723b861a-92eb-11eb-93b8-acde48001122", "version": 1, "date": "2021-04-01", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "This detection identifies failure attempts to delete groups. We want to identify when a group is attempting to be deleted, but either access is denied, there is a conflict or there is no group. This is indicative of administrators performing an action, but also could be suspicious behavior occurring. Review parallel IAM events - recently added users, new groups and so forth.", "data_source": [], "search": "`cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode IN (NoSuchEntityException,DeleteConflictException, AccessDenied) (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.groupName) as group_name by src eventName eventSource aws_account_id errorCode errorMessage userAgent eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_failure_group_deletion_filter`", "how_to_implement": "The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS Cloudtrail logs.", "known_false_positives": "This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege).", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html"], "tags": {"name": "AWS IAM Failure Group Deletion", "analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Installation"], "message": "User $user_arn$ has had mulitple failures while attempting to delete groups from $src$", "mitre_attack_id": ["T1098"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}, {"name": "group_name", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "userAgent", "errorCode", "requestParameters.groupName"], "risk_score": 5, "security_domain": "cloud", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_failure_group_deletion/aws_iam_failure_group_deletion.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_iam_failure_group_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_iam_failure_group_deletion.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS IAM Successful Group Deletion", "id": "e776d06c-9267-11eb-819b-acde48001122", "version": 1, "date": "2021-03-31", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following query uses IAM events to track the success of a group being deleted on AWS. This is typically not indicative of malicious behavior, but a precurser to additional events thay may unfold. Review parallel IAM events - recently added users, new groups and so forth. Inversely, review failed attempts in a similar manner.", "data_source": [], "search": "`cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode=success (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.groupName) as group_deleted by src eventName eventSource errorCode user_agent awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_successful_group_deletion_filter`", "how_to_implement": "The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS Cloudtrail logs.", "known_false_positives": "This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege).", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html"], "tags": {"name": "AWS IAM Successful Group Deletion", "analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Exploitation", "Installation"], "message": "User $user_arn$ has sucessfully deleted mulitple groups $group_deleted$ from $src$", "mitre_attack_id": ["T1069.003", "T1098", "T1069"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}, {"name": "group_deleted", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "userAgent", "errorCode", "requestParameters.groupName"], "risk_score": 5, "security_domain": "cloud", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069.003", "mitre_attack_technique": "Cloud Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_successful_group_deletion/aws_iam_successful_group_deletion.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_iam_successful_group_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_iam_successful_group_deletion.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Lambda UpdateFunctionCode", "id": "211b80d3-6340-4345-11ad-212bf3d0d111", "version": 1, "date": "2022-02-24", "author": "Bhavin Patel, Splunk", "type": "Hunting", "status": "production", "description": "This analytic is designed to detect IAM users attempting to update/modify AWS lambda code via the AWS CLI to gain persistence, futher access into your AWS environment and to facilitate planting backdoors. In this instance, an attacker may upload malicious code/binary to a lambda function which will be executed automatically when the funnction is triggered.", "data_source": [], "search": "`cloudtrail` eventSource=lambda.amazonaws.com eventName=UpdateFunctionCode* errorCode = success user_type=IAMUser | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.functionName) as function_updated by src_ip user_arn user_agent user_type eventName aws_account_id |`aws_lambda_updatefunctioncode_filter`", "how_to_implement": "You must install Splunk AWS Add on and enable Cloudtrail logs in your AWS Environment.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin or an autorized IAM user has updated the lambda fuction code legitimately.", "references": ["http://detectioninthe.cloud/execution/modify_lambda_function_code/", "https://sysdig.com/blog/exploit-mitigate-aws-lambdas-mitre/"], "tags": {"name": "AWS Lambda UpdateFunctionCode", "analytic_story": ["Suspicious Cloud User Activities"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "message": "User $user_arn$ is attempting to update the lambda function code of $function_updated$ from this IP $src_ip$", "mitre_attack_id": ["T1204"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "userAgent", "errorCode"], "risk_score": 63, "security_domain": "cloud", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/aws_updatelambdafunctioncode/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_lambda_updatefunctioncode_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_lambda_updatefunctioncode.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Multi-Factor Authentication Disabled", "id": "374832b1-3603-420c-b456-b373e24d34c0", "version": 1, "date": "2022-10-04", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies an attempt to disable multi-factor authentication for an AWS IAM user. An adversary who has obtained access to an AWS tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users.", "data_source": [], "search": "`cloudtrail` (eventName= DeleteVirtualMFADevice OR eventName=DeactivateMFADevice) | stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource aws_account_id userAgent eventID awsRegion user_name userIdentity.arn status | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_multi_factor_authentication_disabled_filter`", "how_to_implement": "The Splunk AWS Add-on is required to utilize this data. The search requires AWS Cloudtrail logs.", "known_false_positives": "AWS Administrators may disable MFA but it is highly unlikely for this event to occur without prior notice to the company", "references": ["https://attack.mitre.org/techniques/T1621/", "https://aws.amazon.com/what-is/mfa/"], "tags": {"name": "AWS Multi-Factor Authentication Disabled", "analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Weaponization", "Exploitation", "Installation"], "message": "User $user_name$ has disabled Multi-Factor authentication for AWS account $aws_account_id$", "mitre_attack_id": ["T1586", "T1586.003", "T1621", "T1556", "T1556.006"], "nist": ["DE.CM"], "observable": [{"name": "aws_account_id", "type": "Other", "role": ["Victim"]}, {"name": "user_name", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["src", "eventName", "eventSource", "aws_account_id", "errorCode", "errorMessage", "userAgent", "eventID", "awsRegion", "user_name", "userIdentity.arn"], "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/aws_mfa_disabled/cloudtrail.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_multi_factor_authentication_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_multi_factor_authentication_disabled.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Multiple Failed MFA Requests For User", "id": "1fece617-e614-4329-9e61-3ba228c0f353", "version": 1, "date": "2022-10-03", "author": "Bhavin Patel", "type": "Anomaly", "status": "production", "description": "The following analytic identifies multiple failed multi-factor authentication requests to an AWS Console for a single user. AWS Cloudtrail logs provide a a very useful field called `additionalEventData` that logs information regarding usage of MFA. Specifically, the analytic triggers when more than 10 MFA user prompts fail within 10 minutes. AWS Environments can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others.", "data_source": [], "search": "`cloudtrail` eventName= ConsoleLogin \"additionalEventData.MFAUsed\"=Yes errorMessage=\"Failed authentication\" | bucket span=5m _time | stats dc(_raw) as mfa_prompts values(userAgent) as userAgent values(src) as src by _time user_name user_arn aws_account_id eventName errorMessage | where mfa_prompts > 10| `aws_multiple_failed_mfa_requests_for_user_filter`", "how_to_implement": "The Splunk AWS Add-on is required to utilize this data. The search requires AWS Cloudtrail logs.", "known_false_positives": "Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed.", "references": ["https://attack.mitre.org/techniques/T1621/", "https://aws.amazon.com/what-is/mfa/"], "tags": {"name": "AWS Multiple Failed MFA Requests For User", "analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Weaponization", "Exploitation"], "message": "User $user_name$ is seen to have high number of MFA prompt failures within a short period of time.", "mitre_attack_id": ["T1586", "T1586.003", "T1621"], "nist": ["DE.AE"], "observable": [{"name": "user_name", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["src", "eventName", "eventSource", "aws_account_id", "errorCode", "errorMessage", "userAgent", "eventID", "awsRegion", "user_name", "userIdentity.arn"], "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/aws_failed_mfa/cloudtrail.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_multiple_failed_mfa_requests_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Multiple Users Failing To Authenticate From Ip", "id": "71e1fb89-dd5f-4691-8523-575420de4630", "version": 1, "date": "2022-09-27", "author": "Bhavin Patel", "type": "Anomaly", "status": "production", "description": "The following analytic identifies one source Ip failing to authenticate into the AWS Console with 30 unique valid users within 10 minutes. This behavior could represent an adversary performing a Password Spraying attack against an AWS environment tenant to obtain initial access or elevate privileges.", "data_source": [], "search": "`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time | stats dc(user_name) AS unique_accounts values(user_name) as tried_accounts by _time, src_ip, eventName, action, user_agent | where unique_accounts > 30 |`aws_unusual_number_of_failed_authentications_from_ip_filter`", "how_to_implement": "You must install Splunk Add-on for AWS in order to ingest Cloudtrail. We recommend the users to try different combinations of the bucket span time and the tried account threshold to tune this search according to their environment.", "known_false_positives": "No known false postives for this detection. Please review this alert", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://www.whiteoaksecurity.com/blog/goawsconsolespray-password-spraying-tool/", "https://softwaresecuritydotblog.wordpress.com/2019/09/28/how-to-protect-against-credential-stuffing-on-aws/"], "tags": {"name": "AWS Multiple Users Failing To Authenticate From Ip", "analytic_story": ["AWS Identity and Access Management Account Takeover", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "Multiple failed console login attempts against users $tried_accounts$ seen from $src_ip$", "mitre_attack_id": ["T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "tried_accounts", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "user", "action", "eventName", "src_ip"], "risk_score": 54, "security_domain": "threat", "risk_severity": "medium", "manual_test": "This search needs a specific number of events in a time window for the alert to trigger and events split up in CI testing while updating timestamp.", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/aws_cloudtrail.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail"}]}], "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_multiple_users_failing_to_authenticate_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Network Access Control List Created with All Open Ports", "id": "ada0f478-84a8-4641-a3f1-d82362d6bd75", "version": 2, "date": "2021-01-11", "author": "Bhavin Patel, Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "The search looks for AWS CloudTrail events to detect if any network ACLs were created with all the ports open to a specified CIDR.", "data_source": [], "search": "`cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol=-1 | append [search `cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol!=-1 | eval port_range='requestParameters.portRange.to' - 'requestParameters.portRange.from' | where port_range>1024] | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by userName userIdentity.principalId eventName requestParameters.ruleAction requestParameters.egress requestParameters.aclProtocol requestParameters.portRange.to requestParameters.portRange.from src userAgent requestParameters.cidrBlock | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_network_access_control_list_created_with_all_open_ports_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS, version 4.4.0 or later, and configure your AWS CloudTrail inputs.", "known_false_positives": "It's possible that an admin has created this ACL with all ports open for some legitimate purpose however, this should be scoped and not allowed in production environment.", "references": [], "tags": {"name": "AWS Network Access Control List Created with All Open Ports", "analytic_story": ["AWS Network ACL Activity"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "User $user_arn$ has created network ACLs with all the ports open to a specified CIDR $requestParameters.cidrBlock$", "mitre_attack_id": ["T1562.007", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "userName", "type": "User", "role": ["Victim"]}, {"name": "requestParameters.cidrBlock", "type": "IP Address", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "requestParameters.ruleAction", "requestParameters.egress", "requestParameters.aclProtocol", "requestParameters.portRange.to", "requestParameters.portRange.from", "requestParameters.cidrBlock", "userName", "userIdentity.principalId", "userAgent"], "risk_score": 48, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.007/aws_create_acl/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_network_access_control_list_created_with_all_open_ports_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Network Access Control List Deleted", "id": "ada0f478-84a8-4641-a3f1-d82362d6fd75", "version": 2, "date": "2021-01-12", "author": "Bhavin Patel, Patrick Bareiss, Splunk", "type": "Anomaly", "status": "production", "description": "Enforcing network-access controls is one of the defensive mechanisms used by cloud administrators to restrict access to a cloud instance. After the attacker has gained control of the AWS console by compromising an admin account, they can delete a network ACL and gain access to the instance from anywhere. This search will query the AWS CloudTrail logs to detect users deleting network ACLs.", "data_source": [], "search": "`cloudtrail` eventName=DeleteNetworkAclEntry requestParameters.egress=false | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by userName userIdentity.principalId eventName requestParameters.egress src userAgent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_network_access_control_list_deleted_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs.", "known_false_positives": "It's possible that a user has legitimately deleted a network ACL.", "references": [], "tags": {"name": "AWS Network Access Control List Deleted", "analytic_story": ["AWS Network ACL Activity"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Exploitation"], "message": "User $user_arn$ from $src$ has sucessfully deleted network ACLs entry (eventName= $eventName$), such that the instance is accessible from anywhere", "mitre_attack_id": ["T1562.007", "T1562"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "requestParameters.egress", "userName", "userIdentity.principalId", "src", "userAgent"], "risk_score": 5, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.007/aws_delete_acl/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_network_access_control_list_deleted_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_network_access_control_list_deleted.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS New MFA Method Registered For User", "id": "4e3c26f2-4fb9-4bd7-ab46-1b76ffa2a23b", "version": 1, "date": "2023-01-31", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the registration of a new Multi Factor authentication method for an AWS account. Adversaries who have obtained unauthorized access to an AWS account may register a new MFA method to maintain persistence.", "data_source": [], "search": " `cloudtrail` eventName=CreateVirtualMFADevice | stats count values(requestParameters.virtualMFADeviceName) as virtualMFADeviceName min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_new_mfa_method_registered_for_user_filter`", "how_to_implement": "You must install Splunk AWS add on and Splunk App for AWS. This search works when AWS CloudTrail logs.", "known_false_positives": "Newly onboarded users who are registering an MFA method for the first time will also trigger this detection.", "references": ["https://aws.amazon.com/blogs/security/you-can-now-assign-multiple-mfa-devices-in-iam/", "https://attack.mitre.org/techniques/T1556/", "https://attack.mitre.org/techniques/T1556/006/", "https://twitter.com/jhencinski/status/1618660062352007174"], "tags": {"name": "AWS New MFA Method Registered For User", "analytic_story": ["Compromised User Account", "Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "message": "A new virtual device $virtualMFADeviceName$ is added to user $user_arn$", "mitre_attack_id": ["T1556", "T1556.006"], "nist": ["DE.CM"], "observable": [{"name": "user_name", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["src_ip", "eventName", "eventSource", "requestParameters.virtualMFADeviceName", "errorCode", "userIdentity.principalId", "userAgent", "awsRegion", "user_name", "userIdentity.arn", "_time"], "risk_score": 64, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/cloudtrail.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_new_mfa_method_registered_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_new_mfa_method_registered_for_user.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Password Policy Changes", "id": "aee4a575-7064-4e60-b511-246f9baf9895", "version": 1, "date": "2023-01-26", "author": "Bhavin Patel, Splunk", "type": "Hunting", "status": "production", "description": "This search looks for AWS CloudTrail events where a user is making successful API calls to view/update/delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious, adversaries often use this information to gain more understanding of the password defenses in place and exploit them to increase their attack surface when a user account is compromised.", "data_source": [], "search": "`cloudtrail` eventName IN (\"UpdateAccountPasswordPolicy\",\"GetAccountPasswordPolicy\",\"DeleteAccountPasswordPolicy\") errorCode=success | stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion userIdentity.principalId user_arn src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_password_policy_changes_filter`", "how_to_implement": "You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately triggered an AWS audit tool activity which may trigger this event.", "references": ["https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/password-policy.html"], "tags": {"name": "AWS Password Policy Changes", "analytic_story": ["AWS IAM Privilege Escalation", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "User $user_arn$ is attempting to $eventName$ the password policy for account id $aws_account_id$", "mitre_attack_id": ["T1201"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "userAgent", "errorCode", "requestParameters.userName", "eventSource", "user_arn", "aws_account_id", "src_ip"], "risk_score": 72, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/aws_password_policy/cloudtrail.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_password_policy_changes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_password_policy_changes.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS S3 Exfiltration Behavior Identified", "id": "85096389-a443-42df-b89d-200efbb1b560", "version": 1, "date": "2023-05-04", "author": "Bhavin Patel, Splunk", "type": "Correlation", "status": "production", "description": "This correlation search looks at the risk events created by the detection analytics related Collection and Exfiltration techniques used by adversaries. The rule is designed to identify instances where 2 or more analytics unique AWS analytics and 2 or more distinct mitre IDs has triggered for a particular risk object. This alert when triggered may indicate a potential exfiltration in progress. By aggregating these analytics, security teams can swiftly respond to and investigate any suspicious activities, enhancing their ability to protect critical assets and prevent unauthorized access to sensitive information.", "data_source": [], "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count values(All_Risk.risk_message) as risk_message from datamodel=Risk.All_Risk where All_Risk.annotations.mitre_attack.mitre_tactic = \"collection\" OR All_Risk.annotations.mitre_attack.mitre_tactic = \"exfiltration\" source = *AWS* by All_Risk.risk_object | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 2 and mitre_tactic_id_count>=2 | `aws_s3_exfiltration_behavior_identified_filter`", "how_to_implement": "You must enable all the detection searches in the Data Exfiltration Analytic story to create risk events in Enterprise Security.", "known_false_positives": "alse positives may be present based on automated tooling or system administrators. Filter as needed.", "references": ["https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/", "https://hackingthe.cloud/aws/enumeration/loot_public_ebs_snapshots/"], "tags": {"name": "AWS S3 Exfiltration Behavior Identified", "analytic_story": ["Suspicious Cloud Instance Activities", "Data Exfiltration"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "message": "Multiple AWS Exfiltration detections $source$ and techniques $All_Risk.annotations.mitre_attack.mitre_tactic_id$ trigged for risk object $risk_object$", "mitre_attack_id": ["T1537"], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["All_Risk.analyticstories", "All_Risk.risk_object_type", "All_Risk.risk_object", "All_Risk.annotations.mitre_attack.mitre_tactic", "All_Risk.calculated_risk_score", "source"], "risk_score": 81, "security_domain": "threat", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_exfil_risk_events/aws_risk.log", "source": "aws_exfil", "sourcetype": "stash", "update_timestamp": true}]}], "datamodel": ["Risk"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "aws_s3_exfiltration_behavior_identified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_s3_exfiltration_behavior_identified.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "AWS SAML Access by Provider User and Principal", "id": "bbe23980-6019-11eb-ae93-0242ac130002", "version": 1, "date": "2021-01-26", "author": "Rod Soto, Splunk", "type": "Anomaly", "status": "production", "description": "This search provides specific SAML access from specific Service Provider, user and targeted principal at AWS. This search provides specific information to detect abnormal access or potential credential hijack or forgery, specially in federated environments using SAML protocol inside the perimeter or cloud provider.", "data_source": [], "search": "`cloudtrail` eventName=Assumerolewithsaml | stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.principalArn requestParameters.roleArn requestParameters.roleSessionName recipientAccountId responseElements.issuer sourceIPAddress userAgent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`aws_saml_access_by_provider_user_and_principal_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs", "known_false_positives": "Attacks using a Golden SAML or SAML assertion hijacks or forgeries are very difficult to detect as accessing cloud providers with these assertions looks exactly like normal access, however things such as source IP sourceIPAddress user, and principal targeted at receiving cloud provider along with endpoint credential access and abuse detection searches can provide the necessary context to detect these attacks.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps"], "tags": {"name": "AWS SAML Access by Provider User and Principal", "analytic_story": ["Cloud Federated Credential Abuse"], "asset_type": "AWS Federated Account", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "From IP address $sourceIPAddress$, user agent $userAgent$ has trigged an event $eventName$ for account ID $recipientAccountId$", "mitre_attack_id": ["T1078"], "nist": ["DE.AE"], "observable": [{"name": "sourceIPAddress", "type": "IP Address", "role": ["Attacker"]}, {"name": "recipientAccountId", "type": "Other", "role": ["Victim", "Target"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "requestParameters.principalArn", "requestParameters.roleArn", "requestParameters.roleSessionName", "recipientAccountId", "responseElements.issuer", "sourceIPAddress", "userAgent"], "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/assume_role_with_saml/assume_role_with_saml.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_saml_access_by_provider_user_and_principal_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_saml_access_by_provider_user_and_principal.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS SAML Update identity provider", "id": "2f0604c6-6030-11eb-ae93-0242ac130002", "version": 1, "date": "2021-01-26", "author": "Rod Soto, Splunk", "type": "TTP", "status": "production", "description": "This search provides detection of updates to SAML provider in AWS. Updates to SAML provider need to be monitored closely as they may indicate possible perimeter compromise of federated credentials, or backdoor access from another cloud provider set by attacker.", "data_source": [], "search": "`cloudtrail` eventName=UpdateSAMLProvider | stats count min(_time) as firstTime max(_time) as lastTime by eventType eventName requestParameters.sAMLProviderArn userIdentity.sessionContext.sessionIssuer.arn sourceIPAddress userIdentity.accessKeyId userIdentity.principalId | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`aws_saml_update_identity_provider_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "Updating a SAML provider or creating a new one may not necessarily be malicious however it needs to be closely monitored.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps"], "tags": {"name": "AWS SAML Update identity provider", "analytic_story": ["Cloud Federated Credential Abuse"], "asset_type": "AWS Federated Account", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "User $userIdentity.principalId$ from IP address $sourceIPAddress$ has trigged an event $eventName$ to update the SAML provider to $requestParameters.sAMLProviderArn$", "mitre_attack_id": ["T1078"], "nist": ["DE.CM"], "observable": [{"name": "sourceIPAddress", "type": "IP Address", "role": ["Attacker"]}, {"name": "userIdentity.principalId", "type": "User", "role": ["Victim", "Target"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "eventType", "requestParameters.sAMLProviderArn", "userIdentity.sessionContext.sessionIssuer.arn", "sourceIPAddress", "userIdentity.accessKeyId", "userIdentity.principalId"], "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/update_saml_provider/update_saml_provider.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_saml_update_identity_provider_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_saml_update_identity_provider.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS SetDefaultPolicyVersion", "id": "2a9b80d3-6340-4345-11ad-212bf3d0dac4", "version": 1, "date": "2021-03-02", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "This search looks for AWS CloudTrail events where a user has set a default policy versions. Attackers have been know to use this technique for Privilege Escalation in case the previous versions of the policy had permissions to access more resources than the current version of the policy", "data_source": [], "search": "`cloudtrail` eventName=SetDefaultPolicyVersion eventSource = iam.amazonaws.com | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyArn) as policy_arn by src requestParameters.versionId eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_setdefaultpolicyversion_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately set a default policy to allow a user to access all resources. That said, AWS strongly advises against granting full control to all AWS resources", "references": ["https://bishopfox.com/blog/privilege-escalation-in-aws", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/"], "tags": {"name": "AWS SetDefaultPolicyVersion", "analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "From IP address $sourceIPAddress$, user agent $userAgent$ has trigged an event $eventName$ for updating the the default policy version", "mitre_attack_id": ["T1078.004", "T1078"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "userAgent", "errorCode", "requestParameters.userName", "eventSource"], "risk_score": 30, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_setdefaultpolicyversion/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_setdefaultpolicyversion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_setdefaultpolicyversion.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Successful Console Authentication From Multiple IPs", "id": "395e50e1-2b87-4fa3-8632-0dfbdcbcd2cb", "version": 1, "date": "2023-01-19", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies an AWS account successfully authenticating from more than one unique Ip address in the span of 5 minutes. This behavior could represent an adversary who has stolen credentials via a phishing attack or some other method and using them to access corporate online resources around the same time as a legitimate user. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments.", "data_source": [], "search": " `cloudtrail` eventName = ConsoleLogin | bin span=5m _time | stats values(userAgent) values(eventName) values(src_ip) dc(src_ip) as distinct_ip_count by _time user_arn | where distinct_ip_count>1 | `aws_successful_console_authentication_from_multiple_ips_filter`", "how_to_implement": "You must install Splunk AWS add on and Splunk App for AWS. This search works when AWS CloudTrail events are normalized use the Authentication datamodel.", "known_false_positives": "A user with successful authentication events from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.", "references": ["https://rhinosecuritylabs.com/aws/mfa-phishing-on-aws/"], "tags": {"name": "AWS Successful Console Authentication From Multiple IPs", "analytic_story": ["Suspicious AWS Login Activities", "Compromised User Account"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Weaponization", "Exploitation"], "message": "User $user_arn$ has successfully logged into the AWS Console from different IP addresses $src$ within 5 mins", "mitre_attack_id": ["T1586", "T1535"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Authentication.src", "Authentication.user", "Authentication.signature", "Authentication.user_agent", "Authentication.action", "Authentication.user_type"], "risk_score": 72, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1586.003/aws_console_login_multiple_ips/cloudtrail.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_successful_console_authentication_from_multiple_ips_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Successful Single-Factor Authentication", "id": "a520b1fe-cc9e-4f56-b762-18354594c52f", "version": 1, "date": "2022-10-04", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a successful Console Login authentication event against an AWS IAM user for an account without Multi-Factor Authentication enabled. This could be evidence of a misconfiguration, a policy violation or an account take over attempt that should be investigated", "data_source": [], "search": "`cloudtrail` eventName= ConsoleLogin errorCode=success \"additionalEventData.MFAUsed\"=No | stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource aws_account_id errorCode additionalEventData.MFAUsed userAgent eventID awsRegion user_name userIdentity.arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_successful_single_factor_authentication_filter`", "how_to_implement": "The Splunk AWS Add-on is required to utilize this data. The search requires AWS Cloudtrail logs.", "known_false_positives": "It is possible that some accounts do not have MFA enabled for the AWS account however its agaisnt the best practices of securing AWS.", "references": ["https://attack.mitre.org/techniques/T1621/", "https://attack.mitre.org/techniques/T1078/004/", "https://aws.amazon.com/what-is/mfa/"], "tags": {"name": "AWS Successful Single-Factor Authentication", "analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "message": "User $user_name$ has successfully logged into an AWS Console without Multi-Factor Authentication from $src$", "mitre_attack_id": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"], "observable": [{"name": "user_name", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["src", "eventName", "eventSource", "aws_account_id", "errorCode", "additionalEventData.MFAUsed", "userAgent", "eventID", "awsRegion", "user_name", "userIdentity.arn"], "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/aws_login_sfa/cloudtrail.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_successful_single_factor_authentication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_successful_single_factor_authentication.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Unusual Number of Failed Authentications From Ip", "id": "0b5c9c2b-e2cb-4831-b4f1-af125ceb1386", "version": 1, "date": "2022-09-26", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies one source IP failing to authenticate into the AWS Console with multiple valid users. This behavior could represent an adversary performing a Password Spraying attack against an AWS environment to obtain initial access or elevate privileges. The detection calculates the standard deviation for source IP and leverages the 3-sigma statistical rule to identify an unusual number of failed authentication attempts. To customize this analytic, users can try different combinations of the bucket span time and the calculation of the upperBound field. This logic can be used for real time security monitoring as well as threat hunting exercises. While looking for anomalies using statistical methods like the standard deviation can have benefits, we also recommend using threshold-based detections to complement coverage. A similar analytic following the threshold model is `AWS Multiple Users Failing To Authenticate From Ip`.", "data_source": [], "search": "`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time | stats dc(_raw) AS unique_accounts values(user_name) as tried_accounts by _time, src_ip | eventstats avg(unique_accounts) as ip_avg , stdev(unique_accounts) as ip_std by _time | eval upperBound=(ip_avg+ip_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | where isOutlier = 1 |`aws_unusual_number_of_failed_authentications_from_ip_filter`", "how_to_implement": "You must install Splunk Add-on for AWS in order to ingest Cloudtrail. We recommend the users to try different combinations of the bucket span time and the calculation of the upperBound field to tune this search according to their environment", "known_false_positives": "No known false postives for this detection. Please review this alert", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://www.whiteoaksecurity.com/blog/goawsconsolespray-password-spraying-tool/", "https://softwaresecuritydotblog.wordpress.com/2019/09/28/how-to-protect-against-credential-stuffing-on-aws/"], "tags": {"name": "AWS Unusual Number of Failed Authentications From Ip", "analytic_story": ["AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation"], "message": "Unusual number of failed console login attempts against users $tried_accounts$ seen from $src_ip$", "mitre_attack_id": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "tried_accounts", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "user", "action", "eventName", "src_ip"], "risk_score": 54, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/aws_cloudtrail.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_unusual_number_of_failed_authentications_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS UpdateLoginProfile", "id": "2a9b80d3-6a40-4115-11ad-212bf3d0d111", "version": 3, "date": "2022-03-03", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "This search looks for AWS CloudTrail events where a user A who has already permission to update login profile, makes an API call to update login profile for another user B . Attackers have been know to use this technique for Privilege Escalation in case new victim(user B) has more permissions than old victim(user B)", "data_source": [], "search": " `cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success | eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) | search match=0 | stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_updateloginprofile_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user.", "references": ["https://bishopfox.com/blog/privilege-escalation-in-aws", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/"], "tags": {"name": "AWS UpdateLoginProfile", "analytic_story": ["AWS IAM Privilege Escalation"], "asset_type": "AWS Account", "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": ["Installation"], "message": "From IP address $sourceIPAddress$, user agent $userAgent$ has trigged an event $eventName$ for updating the existing login profile, potentially giving user $user_arn$ more access privilleges", "mitre_attack_id": ["T1136.003", "T1136"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_arn", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "userAgent", "errorCode", "requestParameters.userName"], "risk_score": 30, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_updateloginprofile/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_updateloginprofile_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/aws_updateloginprofile.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "Azure Active Directory High Risk Sign-in", "id": "1ecff169-26d7-4161-9a7b-2ac4c8e61bea", "version": 1, "date": "2022-07-11", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic triggers on a high risk sign-in against Azure Active Directory identified by Azure Identity Protection. Identity Protection monitors sign-in events using heuristics and machine learning to identify potentially malicious events and categorizes them in three categories high, medium and low.", "data_source": [], "search": " `azuread` body.category=UserRiskEvents body.properties.riskLevel=high | rename body.properties.* as * | stats values(userPrincipalName) by _time, ipAddress, activity, riskLevel, riskEventType, additionalInfo | `azure_active_directory_high_risk_sign_in_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. You must be ingesting Azure Active Directory events in your Splunk environment. Specifically, this analytic leverages the RiskyUsers and UserRiskEvents log category.", "known_false_positives": "Details for the risk calculation algorithm used by Identity Protection are unknown and may be prone to false positives.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks"], "tags": {"name": "Azure Active Directory High Risk Sign-in", "analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation"], "message": "A high risk event was identified by Identify Protection for user $body.properties.userPrincipalName$", "mitre_attack_id": ["T1586", "T1586.003", "T1110", "T1110.003"], "nist": ["DE.CM"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Victim"]}, {"name": "ipAddress", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "body.category", "body.properties.riskLevel", "body.properties.userPrincipalName", "body.properties.ipAddress", "body.properties.activity", "body.properties.riskEventType", "body.properties.additionalInfo"], "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/azuread_highrisk/azure-audit.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": ["Risk"], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_active_directory_high_risk_sign_in_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_active_directory_high_risk_sign_in.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD Application Administrator Role Assigned", "id": "eac4de87-7a56-4538-a21b-277897af6d8d", "version": 1, "date": "2023-04-25", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the assignment of the Application Administrator role to an Azure AD user. Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. This role also grants the ability to manage application credentials. Users assigned this role can add credentials to an application, and use those credentials to impersonate the applications identity. If the applications identity has been granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while impersonating the application. This ability to impersonate the applications identity may be an elevation of privilege over what the user can do via their role assignments. Red teams and adversaries alike may abuse this role to escalate their privileges in an Azure AD tenant.", "data_source": [], "search": " `azuread` \"body.operationName\"=\"Add member to role\" \"body.properties.targetResources{}.modifiedProperties{}.newValue\"=\"\\\"Application Administrator\\\"\" | rename body.properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | stats values(userPrincipalName) by _time, initiatedBy, result, body.operationName | `azure_ad_application_administrator_role_assigned_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.", "known_false_positives": "Administrators may legitimately assign the Application Administrator role to a user. Filter as needed.", "references": ["https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/", "https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5", "https://docs.microsoft.com/en-us/azure/active-directory/roles/concept-understand-roles", "https://attack.mitre.org/techniques/T1098/003/", "https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#application-administrator"], "tags": {"name": "Azure AD Application Administrator Role Assigned", "analytic_story": ["Azure Active Directory Privilege Escalation"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation"], "message": "The privileged Azure AD role Application Administrator was assigned for User $userPrincipalName$ initiated by $initiatedBy$", "mitre_attack_id": ["T1098", "T1098.003"], "nist": ["DE.CM"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "body.properties.targetResources{}.userPrincipalName", "body.properties.targetResources{}.type", "body.properties.initiatedBy.user.userPrincipalName", "body.properties.result"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "atomic_guid": [], "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/azure-audit.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_application_administrator_role_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_application_administrator_role_assigned.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD Authentication Failed During MFA Challenge", "id": "e62c9c2e-bf51-4719-906c-3074618fcc1c", "version": 1, "date": "2022-07-14", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies an authentication attempt event against an Azure AD tenant that fails during the Multi Factor Authentication challenge. Error Code 500121 represents a failed attempt to authenticate using a second factor. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled. ", "data_source": [], "search": " `azuread` body.category=SignInLogs body.properties.status.errorCode=500121 | rename body.properties.* as * | stats values(userPrincipalName) by _time, ipAddress, status.additionalDetails, appDisplayName, userAgent | `azure_ad_authentication_failed_during_mfa_challenge_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events in your Splunk environment. Specifically, this analytic leverages the SignInLogs log category.", "known_false_positives": "Legitimate users may miss to reply the MFA challenge within the time window or deny it by mistake.", "references": ["https://attack.mitre.org/techniques/T1621/", "https://attack.mitre.org/techniques/T1078/004/", "https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks"], "tags": {"name": "Azure AD Authentication Failed During MFA Challenge", "analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "message": "User $body.properties.userPrincipalName$ failed to pass MFA challenge", "mitre_attack_id": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "nist": ["DE.CM"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Victim"]}, {"name": "ipAddress", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "body.category", "body.properties.status.errorCode", "body.properties.userPrincipalName", "body.properties.ipAddress", "body.properties.status.additionalDetails", "body.properties.appDisplayName", "body.properties.userAgent"], "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/azuread/azure-audit.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_authentication_failed_during_mfa_challenge_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD Concurrent Sessions From Different Ips", "id": "a9126f73-9a9b-493d-96ec-0dd06695490d", "version": 1, "date": "2023-01-24", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies an Azure AD account with concurrent sessions coming from more than one unique Ip address within the span of 5 minutes. This behavior could represent a session hijacking attack whereby an adversary has extracted cookies from a victims browser and is using them from a different location to access corporate online resources. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments.", "data_source": [], "search": " `azuread` properties.authenticationDetails{}.succeeded=true category=NonInteractiveUserSignInLogs | rename properties.* as * | bucket span=5m _time | stats dc(ipAddress) AS unique_ips values(ipAddress) values(appDisplayName) by _time, userPrincipalName | where unique_ips > 1 | `azure_ad_concurrent_sessions_from_different_ips_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the SignInLogs log category.", "known_false_positives": "A user with concurrent sessions from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.", "references": ["https://attack.mitre.org/techniques/T1185/", "https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/", "https://github.com/kgretzky/evilginx2"], "tags": {"name": "Azure AD Concurrent Sessions From Different Ips", "analytic_story": ["Compromised User Account", "Azure Active Directory Account Takeover"], "asset_type": "Azure AD", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "User $userPrincipalName$ has concurrent sessions from more than one unique IP address in the span of 5 minutes.", "mitre_attack_id": ["T1185"], "nist": ["DE.CM"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Victim"]}, {"name": "ipAddress", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "properties.status.errorCode", "category", "properties.authenticationDetails", "properties.userPrincipalName", "properties.ipAddress"], "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1185", "mitre_attack_technique": "Browser Session Hijacking", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/azure_ad_concurrent_sessions_from_different_ips/azuread.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_concurrent_sessions_from_different_ips_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD External Guest User Invited", "id": "c1fb4edb-cab1-4359-9b40-925ffd797fb5", "version": 1, "date": "2022-08-18", "author": "Gowthamaraj Rajendran, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the invitation of an external guest user within Azure AD. With Azure AD B2B collaboration, users and administrators can invite external users to collaborate with internal users. External guest account invitations should be monitored by security teams as they could potentially lead to unauthorized access. An example of this attack vector was described at BlackHat 2022 by security researcher Dirk-Jan during his tall `Backdooring and Hijacking Azure AD Accounts by Abusing External Identities`", "data_source": [], "search": "`azuread` \"body.operationName\"=\"Invite external user\" | rename body.properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.type as type | stats values(userPrincipalName) by _time, type, initiatedBy, result, body.operationName | `azure_ad_external_guest_user_invited_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.", "known_false_positives": "Administrator may legitimately invite external guest users. Filter as needed.", "references": ["https://dirkjanm.io/assets/raw/US-22-Mollema-Backdooring-and-hijacking-Azure-AD-accounts_final.pdf", "https://www.blackhat.com/us-22/briefings/schedule/#backdooring-and-hijacking-azure-ad-accounts-by-abusing-external-identities-26999", "https://attack.mitre.org/techniques/T1136/003/", "https://docs.microsoft.com/en-us/azure/active-directory/external-identities/b2b-quickstart-add-guest-users-portal"], "tags": {"name": "Azure AD External Guest User Invited", "analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Installation"], "message": "External Guest User $userPrincipalName$ initiated by $initiatedBy$", "mitre_attack_id": ["T1136.003"], "nist": ["DE.CM"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "body.properties.targetResources{}.userPrincipalName", "body.properties.targetResources{}.type", "body.properties.initiatedBy.user.userPrincipalName", "body.properties.result"], "risk_score": 45, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_ad_external_guest_user_invited/azure-audit.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_external_guest_user_invited_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_external_guest_user_invited.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD Global Administrator Role Assigned", "id": "825fed20-309d-4fd1-8aaf-cd49c1bb093c", "version": 2, "date": "2022-08-17", "author": "Gowthamaraj Rajendran, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the assignment of the Azure AD Global Administrator role to an Azure AD user. The Global Administrator role is the most powerful administrator role in Azure AD and provides almost unlimited access to data, resources and settings. It is equivalent to the Domain Administrator group in an Active Directory environment. While Azure AD roles do not grant access to Azure services and resources, it is possible for a Global Administrator account to gain control of Azure resources. Adversaries and red teams alike may assign this role to a compromised account to establish Persistence or escalate their privileges in an Azure AD environment.", "data_source": [], "search": "`azuread` \"body.operationName\"=\"Add member to role\" \"body.properties.targetResources{}.modifiedProperties{}.newValue\"=\"\\\"Global Administrator\\\"\" | rename body.properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | stats values(userPrincipalName) by _time, initiatedBy, result, body.operationName | `azure_ad_global_administrator_role_assigned_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.", "known_false_positives": "Administrators may legitimately assign the Global Administrator role to a user. Filter as needed.", "references": ["https://o365blog.com/post/admin/", "https://adsecurity.org/?p=4277", "https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors", "https://docs.microsoft.com/en-us/azure/active-directory/roles/security-planning", "https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin", "https://attack.mitre.org/techniques/T1098/003/"], "tags": {"name": "Azure AD Global Administrator Role Assigned", "analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Installation"], "message": "Global Administrator Role assigned for User $userPrincipalName$ initiated by $initiatedBy$", "mitre_attack_id": ["T1098.003"], "nist": ["DE.CM"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "body.properties.targetResources{}.userPrincipalName", "body.properties.targetResources{}.type", "body.properties.initiatedBy.user.userPrincipalName", "body.properties.result"], "risk_score": 72, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_assign_global_administrator/azure-audit.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_global_administrator_role_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_global_administrator_role_assigned.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD High Number Of Failed Authentications For User", "id": "630b1694-210a-48ee-a450-6f79e7679f2c", "version": 1, "date": "2023-01-23", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies an Azure AD account with more than 20 failed authentication events in the span of 5 minutes. This behavior could represent a brute force attack against the account. As environments differ across organizations, security teams should customize the threshold of this detection.", "data_source": [], "search": " `azuread` category= SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | stats dc(_raw) AS failed_attempts values(ipAddress) by userPrincipalName, _time | where failed_attempts > 20 | `azure_ad_high_number_of_failed_authentications_for_user_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the SignInLogs log category.", "known_false_positives": "A user with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.", "references": ["https://attack.mitre.org/techniques/T1110/", "https://attack.mitre.org/techniques/T1110/001/"], "tags": {"name": "Azure AD High Number Of Failed Authentications For User", "analytic_story": ["Compromised User Account", "Azure Active Directory Account Takeover"], "asset_type": "Azure AD", "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "User $userPrincipalName$ failed to authenticate more than 20 times in the span of 5 minutes.", "mitre_attack_id": ["T1110", "T1110.001"], "nist": ["DE.CM"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "properties.status.errorCode", "category", "properties.authenticationDetails", "properties.userPrincipalName", "properties.ipAddress"], "risk_score": 35, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/azure_ad_high_number_of_failed_authentications_for_user/azuread.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_high_number_of_failed_authentications_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_high_number_of_failed_authentications_for_user.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD High Number Of Failed Authentications From Ip", "id": "e5ab41bf-745d-4f72-a393-2611151afd8e", "version": 1, "date": "2023-01-23", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies an Ip address failing to authenticate 20 or more times to an Azure AD tenant in the span of 5 minutes. This behavior could represent a brute force attack againstan Azure AD to obtain initial access or elevate privileges. As environments differ across organizations, security teams should customize the threshold of this detection.", "data_source": [], "search": " `azuread` category= SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | stats dc(_raw) AS failed_attempts values(userPrincipalName) by ipAddress, _time | where failed_attempts > 20 | `azure_ad_high_number_of_failed_authentications_from_ip_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the SignInLogs log category.", "known_false_positives": "An Ip address with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.", "references": ["https://attack.mitre.org/techniques/T1110/", "https://attack.mitre.org/techniques/T1110/001/", "https://attack.mitre.org/techniques/T1110/003/"], "tags": {"name": "Azure AD High Number Of Failed Authentications From Ip", "analytic_story": ["Compromised User Account", "Azure Active Directory Account Takeover"], "asset_type": "Azure AD", "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "$ipAddress$ failed to authenticate more than 20 times in the span of 5 minutes.", "mitre_attack_id": ["T1110", "T1110.001", "T1110.003"], "nist": ["DE.CM"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Victim"]}, {"name": "ipAddress", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "properties.status.errorCode", "category", "properties.authenticationDetails", "properties.userPrincipalName", "properties.ipAddress"], "risk_score": 35, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/azure_ad_high_number_of_failed_authentications_for_user/azuread.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_high_number_of_failed_authentications_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD Multi-Factor Authentication Disabled", "id": "482dd42a-acfa-486b-a0bb-d6fcda27318e", "version": 1, "date": "2022-08-10", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies an attempt to disable multi-factor authentication for an Azure AD user. An adversary who has obtained access to an Azure AD tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users.", "data_source": [], "search": "`azuread` body.category=AuditLogs body.operationName=\"Disable Strong Authentication\" | rename body.properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename targetResources{}.type as type | rename initiatedBy.user.userPrincipalName as initiatedBy | stats values(userPrincipalName) by _time, type, body.operationName, initiatedBy, result | `azure_ad_multi_factor_authentication_disabled_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.", "known_false_positives": "Legitimate use case may require for users to disable MFA. Filter as needed.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks", "https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates", "https://attack.mitre.org/tactics/TA0005/", "https://attack.mitre.org/techniques/T1556/"], "tags": {"name": "Azure AD Multi-Factor Authentication Disabled", "analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Weaponization", "Exploitation", "Installation"], "message": "MFA disabled for User $userPrincipalName$ initiated by $initiatedBy$", "mitre_attack_id": ["T1586", "T1586.003", "T1556", "T1556.006"], "nist": ["DE.CM"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "body.properties.targetResources{}.userPrincipalName", "body.properties.targetResources{}.type", "body.properties.initiatedBy.user.userPrincipalName", "body.properties.result"], "risk_score": 45, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/azuread/azure-audit.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": ["Authentication"], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_multi_factor_authentication_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD Multiple Failed MFA Requests For User", "id": "264ea131-ab1f-41b8-90e0-33ad1a1888ea", "version": 1, "date": "2022-08-25", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies multiple failed multi-factor authentication requests for a single user within an Azure AD tenant. Error Code 500121 represents a failed attempt to authenticate using a second factor. Specifically, the analytic triggers when more than 10 MFA user prompts fail within 10 minutes. Azure AD tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others.", "data_source": [], "search": " `azuread` body.category=SignInLogs body.properties.status.errorCode=500121 | rename body.properties.* as * | bucket span=10m _time | stats dc(_raw) AS mfa_prompts values(userPrincipalName) by userPrincipalName, status.additionalDetails, appDisplayName, userAgent, _time | where mfa_prompts > 10 | `azure_ad_multiple_failed_mfa_requests_for_user_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the SignInLogs log category.", "known_false_positives": "Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed.", "references": ["https://www.mandiant.com/resources/blog/russian-targeting-gov-business", "https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/", "https://therecord.media/russian-hackers-bypass-2fa-by-annoying-victims-with-repeated-push-notifications/", "https://attack.mitre.org/techniques/T1621/", "https://attack.mitre.org/techniques/T1078/004/"], "tags": {"name": "Azure AD Multiple Failed MFA Requests For User", "analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "message": "Multiple Failed MFA requests for user $body.properties.userPrincipalName$", "mitre_attack_id": ["T1586", "T1586.003", "T1621", "T1078", "T1078.004"], "nist": ["DE.CM"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Victim"]}, {"name": "ipAddress", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "body.properties.status.errorCode", "body.category", "body.properties.authenticationDetails", "body.properties.userPrincipalName", "body.properties.ipAddress"], "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/multiple_failed_mfa_requests/azure-audit.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_multiple_failed_mfa_requests_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD Multiple Users Failing To Authenticate From Ip", "id": "94481a6a-8f59-4c86-957f-55a71e3612a6", "version": 1, "date": "2022-07-12", "author": "Mauricio Velazco, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies one source Ip failing to authenticate with 30 unique valid users within 5 minutes. This behavior could represent an adversary performing a Password Spraying attack against an Azure Active Directory tenant to obtain initial access or elevate privileges. Error Code 50126 represents an invalid password. This logic can be used for real time security monitoring as well as threat hunting exercises.\\\nAzure AD tenants can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold if needed.", "data_source": [], "search": " `azuread` body.category= SignInLogs body.properties.status.errorCode=50126 body.properties.authenticationDetails{}.succeeded= false | rename body.properties.* as * | bucket span=5m _time | stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) as tried_accounts by _time, ipAddress | where unique_accounts > 30 | `azure_ad_multiple_users_failing_to_authenticate_from_ip_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the SignInLogs log category.", "known_false_positives": "A source Ip failing to authenticate with multiple users is not a common for legitimate behavior.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes"], "tags": {"name": "Azure AD Multiple Users Failing To Authenticate From Ip", "analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Weaponization", "Exploitation"], "message": "Source Ip $body.properties.ipAddress$ failed to authenticate with 30 users within 5 minutes.", "mitre_attack_id": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Victim"]}, {"name": "ipAddress", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "body.properties.status.errorCode", "body.category", "body.properties.authenticationDetails", "body.properties.userPrincipalName", "body.properties.ipAddress"], "risk_score": 63, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/azuread/azure-audit.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_multiple_users_failing_to_authenticate_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml", "source": "cloud"}, {"name": "Azure AD New Custom Domain Added", "id": "30c47f45-dd6a-4720-9963-0bca6c8686ef", "version": 1, "date": "2022-09-02", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the addition of a new custom domain within an Azure Active Directory tenant. Adding a custom domain is a step required to set up the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA.", "data_source": [], "search": " `azuread` body.operationName=\"Add unverified domain\" \"body.properties.result\"=success | rename body.properties.* as * | rename body.callerIpAddress as callerIpAddress | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.displayName as domain | stats values(domain) by _time, initiatedBy, result, body.operationName, callerIpAddress | `azure_ad_new_custom_domain_added_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.", "known_false_positives": "In most organizations, new customm domains will be updated infrequently. Filter as needed.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/domains-manage", "https://www.mandiant.com/resources/remediation-and-hardening-strategies-microsoft-365-defend-against-apt29-v13", "https://o365blog.com/post/federation-vulnerability/", "https://www.inversecos.com/2021/11/how-to-detect-azure-active-directory.html", "https://www.mandiant.com/resources/blog/detecting-microsoft-365-azure-active-directory-backdoors", "https://attack.mitre.org/techniques/T1484/002/"], "tags": {"name": "Azure AD New Custom Domain Added", "analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "A new custom domain, $domain$ , was added by $initiatedBy$", "mitre_attack_id": ["T1484", "T1484.002"], "nist": ["DE.CM"], "observable": [{"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "body.operationName", "body.properties.result", "body.callerIpAddress", "body.properties.targetResources{}.displayName", "body.properties.initiatedBy.user.userPrincipalName"], "risk_score": 54, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1484.002", "mitre_attack_technique": "Domain Trust Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.002/new_federated_domain/azure-audit.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_new_custom_domain_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_new_custom_domain_added.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD New Federated Domain Added", "id": "a87cd633-076d-4ab2-9047-977751a3c1a0", "version": 1, "date": "2022-09-02", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the addition of a new federated domain within an Azure Active Directory tenant. This event could represent the execution of the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA.", "data_source": [], "search": " `azuread` body.operationName=\"Set domain authentication\" \"body.properties.result\"=success | rename body.properties.* as * | rename body.callerIpAddress as callerIpAddress | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.displayName as domain | stats values(domain) by _time, initiatedBy, result, body.operationName, callerIpAddress | `azure_ad_new_federated_domain_added_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.", "known_false_positives": "In most organizations, domain federation settings will be updated infrequently. Filter as needed.", "references": ["https://www.mandiant.com/resources/remediation-and-hardening-strategies-microsoft-365-defend-against-apt29-v13", "https://o365blog.com/post/federation-vulnerability/", "https://www.inversecos.com/2021/11/how-to-detect-azure-active-directory.html", "https://www.mandiant.com/resources/blog/detecting-microsoft-365-azure-active-directory-backdoors", "https://attack.mitre.org/techniques/T1484/002/"], "tags": {"name": "Azure AD New Federated Domain Added", "analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "A new federated domain, $domain$ , was added by $initiatedBy$", "mitre_attack_id": ["T1484", "T1484.002"], "nist": ["DE.CM"], "observable": [{"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "body.operationName", "body.properties.result", "body.callerIpAddress", "body.properties.targetResources{}.displayName", "body.properties.initiatedBy.user.userPrincipalName"], "risk_score": 81, "security_domain": "threat", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1484.002", "mitre_attack_technique": "Domain Trust Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.002/new_federated_domain/azure-audit.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_new_federated_domain_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_new_federated_domain_added.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD New MFA Method Registered For User", "id": "2628b087-4189-403f-9044-87403f777a1b", "version": 1, "date": "2023-01-30", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the registration of a new Multi Factor authentication method for an Azure AD account. Adversaries who have obtained unauthorized access to an Azure AD account may register a new MFA method to maintain persistence.", "data_source": [], "search": " `azuread` category=AuditLogs operationName=\"User registered security info\" properties.operationType=Add | rename properties.* as * | rename targetResources{}.* as * | stats values(userPrincipalName) by _time, resultDescription, result, callerIpAddress | `azure_ad_new_mfa_method_registered_for_user_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.", "known_false_positives": "Newly onboarded users who are registering an MFA method for the first time will also trigger this detection.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks", "https://attack.mitre.org/techniques/T1556/", "https://attack.mitre.org/techniques/T1556/006/", "https://twitter.com/jhencinski/status/1618660062352007174"], "tags": {"name": "Azure AD New MFA Method Registered For User", "analytic_story": ["Compromised User Account", "Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "message": "UPDATE message", "mitre_attack_id": ["T1556", "T1556.006"], "nist": ["DE.CM"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Victim"]}, {"name": "callerIpAddress", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "category", "operationName", "properties.operationType", "userPrincipalName", "resultDescription", "result", "callerIpAddress"], "risk_score": 64, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/azure_ad_new_mfa_method_registered_for_user/azuread.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_new_mfa_method_registered_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD PIM Role Assigned", "id": "fcd6dfeb-191c-46a0-a29c-c306382145ab", "version": 1, "date": "2023-04-26", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the assignment of the Azure AD PIM role. Privileged Identity Management (PIM) is a service within Azure Azure AD that enables administrators to manage, control, and monitor access to sensitive resources. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources. Once a user has been made eligible for an administrative role, she must activate this role assignment to perform the privileged actions. When a role is activated, Azure AD PIM temporarily adds active assignment for the role. While PIM can be leveraged as a powerful security control, it may also abused by adversaries to obtain privileged access. Security teams should monitor for the assignment and activation of PIM roles and validate their legitimacy.", "data_source": [], "search": " `azuread` operationName=\"Add eligible member to role in PIM completed*\" | rename properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | stats values(userPrincipalName) values(targetResources{}.displayName) by _time, result, operationName, initiatedBy.user.displayName | `azure_ad_pim_role_assigned_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.", "known_false_positives": "As part of legitimate administrative behavior, users may be assigned PIM roles. Filter as needed", "references": ["https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure", "https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-activate-role", "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT401/AZT401/"], "tags": {"name": "Azure AD PIM Role Assigned", "analytic_story": ["Azure Active Directory Privilege Escalation", "Azure Active Directory Persistence"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation"], "message": "An Azure AD PIM role assignment was assiged to $userPrincipalName$", "mitre_attack_id": ["T1098", "T1098.003"], "nist": ["DE.CM"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "properties", "operationName", "userPrincipalName", "initiatedBy.user.userPrincipalName", "result"], "risk_score": 35, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_pim_role_activated/azure-audit.log", "source": "eventhub://researchhub1.servicebus.windows.net/azureadhub;", "sourcetype": "mscs:azure:eventhub"}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_pim_role_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_pim_role_assigned.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD PIM Role Assignment Activated", "id": "952e80d0-e343-439b-83f4-808c3e6fbf2e", "version": 1, "date": "2023-04-26", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the assignment of the Azure AD PIM role. Privileged Identity Management (PIM) is a service within Azure Azure AD that enables administrators to manage, control, and monitor access to sensitive resources. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources. Once a user has been made eligible for an administrative role, she must activate this role assignment to perform the privileged actions. When a role is activated, Azure AD PIM temporarily adds active assignment for the role. While PIM can be leveraged as a powerful security control, it may also abused by adversaries to obtain privileged access. Security teams should monitor for the assignment and activation of PIM roles and validate their legitimacy.", "data_source": [], "search": " `azuread` operationName=\"Add member to role completed (PIM activation)\" | rename properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | stats values(userPrincipalName) values(targetResources{}.displayName) by _time, initiatedBy, result, operationName, | `azure_ad_pim_role_assignment_activated_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.", "known_false_positives": "As part of legitimate administrative behavior, users may activate PIM roles. Filter as needed", "references": ["https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure", "https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-activate-role", "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT401/AZT401/"], "tags": {"name": "Azure AD PIM Role Assignment Activated", "analytic_story": ["Azure Active Directory Privilege Escalation", "Azure Active Directory Persistence"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation"], "message": "An Azure AD PIM role assignment was activated by $initiatedBy$", "mitre_attack_id": ["T1098", "T1098.003"], "nist": ["DE.CM"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "properties", "operationName", "userPrincipalName", "initiatedBy.user.userPrincipalName", "result"], "risk_score": 35, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_pim_role_activated/azure-audit.log", "source": "eventhub://researchhub1.servicebus.windows.net/azureadhub;", "sourcetype": "mscs:azure:eventhub"}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_pim_role_assignment_activated_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_pim_role_assignment_activated.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD Privileged Authentication Administrator Role Assigned", "id": "a7da845d-6fae-41cf-b823-6c0b8c55814a", "version": 1, "date": "2023-04-25", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the assignment of the Privileged Authentication Administrato role to an Azure AD user. Users in this role can set or reset authentication methods for any user in Azure Active Directory, including privileged roles like Global Administrators. Users with this role can change credentials for people who may have access to sensitive or private information or critical configuration inside and outside of Azure Active Directory. Changing the credentials of a user may mean the ability to assume that users identity and permissions. Red teams and adversaries alike may abuse this role to escalate their privileges.", "data_source": [], "search": " `azuread` \"body.operationName\"=\"Add member to role\" \"body.properties.targetResources{}.modifiedProperties{}.newValue\"=\"\\\"Privileged Authentication Administrator\\\"\" | rename body.properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | stats values(userPrincipalName) by _time, initiatedBy, result, body.operationName | `azure_ad_privileged_authentication_administrator_role_assigned_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.", "known_false_positives": "Administrators may legitimately assign the Privileged Authentication Administrator role as part of administrative tasks. Filter as needed.", "references": ["https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#privileged-authentication-administrator", "https://posts.specterops.io/azure-privilege-escalation-via-azure-api-permissions-abuse-74aee1006f48", "https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference"], "tags": {"name": "Azure AD Privileged Authentication Administrator Role Assigned", "analytic_story": ["Azure Active Directory Privilege Escalation"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "The privileged Azure AD role Privileged Authentication Administrator was assigned for User $userPrincipalName$ initiated by $initiatedBy$", "mitre_attack_id": ["T1003.002"], "nist": ["DE.CM"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "body.properties.targetResources{}.userPrincipalName", "body.properties.targetResources{}.type", "body.properties.initiatedBy.user.userPrincipalName", "body.properties.result"], "risk_score": 50, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/azure-audit.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": ["Authentication"], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_privileged_authentication_administrator_role_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD Privileged Role Assigned", "id": "a28f0bc3-3400-4a6e-a2da-89b9e95f0d2a", "version": 1, "date": "2022-08-29", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the assignment of sensitive and privileged Azure Active Directory roles to an Azure AD user. Adversaries and red teams alike may assign these roles to a compromised account to establish Persistence in an Azure AD environment.", "data_source": [], "search": " `azuread` \"body.operationName\"=\"Add member to role\" | rename body.properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.modifiedProperties{}.newValue as roles | eval role=mvindex(roles,1) | lookup privileged_azure_ad_roles azureadrole AS role OUTPUT isprvilegedadrole description | search isprvilegedadrole = True | stats values(userPrincipalName) by _time, initiatedBy, result, body.operationName, role, description | `azure_ad_privileged_role_assigned_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.", "known_false_positives": "Administrators will legitimately assign the privileged roles users as part of administrative tasks. Filter as needed.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/roles/concept-understand-roles", "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference", "https://adsecurity.org/?p=4277", "https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors", "https://docs.microsoft.com/en-us/azure/active-directory/roles/security-planning", "https://attack.mitre.org/techniques/T1098/003/"], "tags": {"name": "Azure AD Privileged Role Assigned", "analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "message": "A privileged Azure AD role was assigned for User $userPrincipalName$ initiated by $initiatedBy$", "mitre_attack_id": ["T1098", "T1098.003"], "nist": ["DE.CM"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "body.properties.targetResources{}.userPrincipalName", "body.properties.targetResources{}.type", "body.properties.initiatedBy.user.userPrincipalName", "body.properties.result"], "risk_score": 63, "security_domain": "audit", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/azure-audit.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_privileged_role_assigned_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "privileged_azure_ad_roles", "description": "A list of privileged Azure Active Directory roles.", "filename": "privileged_azure_ad_roles.csv", "default_match": "false", "match_type": "WILDCARD(azureadrole)", "min_matches": 1, "case_sensitive_match": "false"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_privileged_role_assigned.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD Privileged Role Assigned to Service Principal", "id": "5dfaa3d3-e2e4-4053-8252-16d9ee528c41", "version": 1, "date": "2023-04-28", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic is geared towards detecting potential privilege escalation threats in Azure Active Directory (AD). It identifies instances where privileged roles, which hold elevated permissions, are assigned to Service Principals. These non-human entities that can access Azure resources could be exploited in an attack scenario, leading to unauthorized access or malicious activities. The analytic runs a specific search within the ingested Azure AD events, specifically leveraging the AuditLogs log category. Keep in mind, however, that there could be false positives, as administrators may legitimately assign privileged roles to Service Principals.", "data_source": [], "search": " `azuread` operationName=\"Add member to role\" | rename properties.* as * | search \"targetResources{}.type\"=ServicePrincipal | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.modifiedProperties{}.newValue as roles | eval role=mvindex(roles,1) | rename targetResources{}.displayName as apps | eval displayName=mvindex(apps,0) | lookup privileged_azure_ad_roles azureadrole AS role OUTPUT isprvilegedadrole description | search isprvilegedadrole = True | stats values(displayName) by _time, initiatedBy, result, operationName, role | `azure_ad_privileged_role_assigned_to_service_principal_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.", "known_false_positives": "Administrators may legitimately assign the privileged roles to Service Principals as part of administrative tasks. Filter as needed.", "references": ["https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5"], "tags": {"name": "Azure AD Privileged Role Assigned to Service Principal", "analytic_story": ["Azure Active Directory Privilege Escalation"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation"], "message": "A privileged Azure AD role was assigned to the Service Principal $displayName$ initiated by $initiatedBy$", "mitre_attack_id": ["T1098", "T1098.003"], "nist": ["DE.CM"], "observable": [{"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "properties.targetResources{}.userPrincipalName", "properties.targetResources{}.type", "properties.initiatedBy.user.userPrincipalName", "properties.result"], "risk_score": 35, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_privileged_role_serviceprincipal/azure-audit.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_privileged_role_assigned_to_service_principal_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "privileged_azure_ad_roles", "description": "A list of privileged Azure Active Directory roles.", "filename": "privileged_azure_ad_roles.csv", "default_match": "false", "match_type": "WILDCARD(azureadrole)", "min_matches": 1, "case_sensitive_match": "false"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_privileged_role_assigned_to_service_principal.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD Service Principal Created", "id": "f8ba49e7-ffd3-4b53-8f61-e73974583c5d", "version": 1, "date": "2022-08-17", "author": "Gowthamaraj Rajendran, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the creation of a Service Principal in an Azure AD environment. An Azure Service Principal is an identity designed to be used with applications, services, and automated tools to access resources. It is similar to a service account within an Active Directory environment. Service Principal authentication does not support multi-factor authentication nor conditional access policies. Adversaries and red teams alike who have obtained administrative access may create a Service Principal to establish Persistence and obtain single-factor access to an Azure AD environment.", "data_source": [], "search": "`azuread` \"body.operationName\"=\"Add service principal\" \"body.properties.initiatedBy.user.id\"=* | rename body.properties.* as * | rename targetResources{}.displayName as displayName | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.type as type | stats values(displayName) by _time, type, initiatedBy, result, body.operationName | `azure_ad_service_principal_created_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.", "known_false_positives": "Administrator may legitimately create Service Principal. Filter as needed.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals", "https://docs.microsoft.com/en-us/powershell/azure/create-azure-service-principal-azureps?view=azps-8.2.0", "https://www.truesec.com/hub/blog/using-a-legitimate-application-to-create-persistence-and-initiate-email-campaigns", "https://www.inversecos.com/2021/10/how-to-backdoor-azure-applications-and.html", "https://attack.mitre.org/techniques/T1136/003/"], "tags": {"name": "Azure AD Service Principal Created", "analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Installation"], "message": "Service Principal named $displayName$ created by $initiatedBy$", "mitre_attack_id": ["T1136.003"], "nist": ["DE.CM"], "observable": [{"name": "displayName", "type": "Other", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "body.properties.targetResources{}.displayName", "body.properties.targetResources{}.type", "body.properties.initiatedBy.user.userPrincipalName", "body.properties.result"], "risk_score": 45, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_ad_add_service_principal/azure-audit.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_service_principal_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_service_principal_created.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD Service Principal New Client Credentials", "id": "e3adc0d3-9e4b-4b5d-b662-12cec1adff2a", "version": 2, "date": "2022-08-17", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the addition of new credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD. These credentials include both x509 certificates and passwords. With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules. Adversaries and red teams alike who have obtained privileged access to Azure AD may add credentials to Service Principals to maintain persistent access to victim accounts and other instances within the Azure environment. By compromising an account who is an Owner of an application with privileged access, attackers may also escalate their privileges in an Azure AD environment by adding new credentials and logging in as the service principal.", "data_source": [], "search": " `azuread` body.category=AuditLogs body.operationName=\"Update application*Certificates and secrets management \" | rename body.* as * | rename properties.* as * | rename targetResources{}.* as * | stats values(displayName) by _time, initiatedBy.user.userPrincipalName, modifiedProperties{}.newValue | `azure_ad_service_principal_new_client_credentials_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the SignInLogs log category.", "known_false_positives": "Service Principal client credential modifications may be part of legitimate administrative operations. Filter as needed.", "references": ["https://attack.mitre.org/techniques/T1098/001/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2/", "https://hausec.com/2021/10/26/attacking-azure-azure-ad-part-ii/", "https://www.inversecos.com/2021/10/how-to-backdoor-azure-applications-and.html", "https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft", "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT405/AZT405-3/"], "tags": {"name": "Azure AD Service Principal New Client Credentials", "analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation"], "message": "New credentials added for Service Principal $body.properties.targetResources{}.displayName$", "mitre_attack_id": ["T1098", "T1098.001"], "nist": ["DE.CM"], "observable": [{"name": "displayName", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy.user.userPrincipalName", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "body.category", "body.operationName", "body.properties.initiatedBy.user.userPrincipalName", "body.properties.targetResources{}.displayName", "body.properties.targetResources{}.modifiedProperties{}.newValue"], "risk_score": 35, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.001", "mitre_attack_technique": "Additional Cloud Credentials", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.001/azure_ad_service_principal_credentials/azure-audit.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_service_principal_new_client_credentials_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_service_principal_new_client_credentials.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD Service Principal Owner Added", "id": "7ddf2084-6cf3-4a44-be83-474f7b73c701", "version": 2, "date": "2022-08-30", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the addition of a new owner for a Service Principal within an Azure AD tenant. An Azure Service Principal is an identity designed to be used with applications, services, and automated tools to access resources. It is similar to a service account within an Active Directory environment. Service Principal authentication does not support multi-factor authentication nor conditional access policies. Adversaries and red teams alike who have obtained administrative access may add a new owner for an existing Service Principal to establish Persistence and obtain single-factor access to an Azure AD environment. Attackers who are looking to escalate their privileges by leveraging a Service Principals permissions may also add a new owner.", "data_source": [], "search": " `azuread` body.operationName=\"Add owner to application\" | rename body.properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.userPrincipalName as newOwner | rename targetResources{}.modifiedProperties{}.newValue as displayName | eval displayName = mvindex(displayName,1) | where initiatedBy!=newOwner | stats values(displayName) by _time, initiatedBy, result, body.operationName, newOwner | `azure_ad_service_principal_owner_added_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.", "known_false_positives": "Administrator may legitimately add new owners for Service Principals. Filter as needed.", "references": ["https://attack.mitre.org/techniques/T1098/"], "tags": {"name": "Azure AD Service Principal Owner Added", "analytic_story": ["Azure Active Directory Persistence", "Azure Active Directory Privilege Escalation"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Installation"], "message": "A new owner was added for service principal $displayName$ by $initiatedBy$", "mitre_attack_id": ["T1098"], "nist": ["DE.CM"], "observable": [{"name": "displayName", "type": "Other", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "body.operationName", "body.properties.initiatedBy.user.userPrincipalName", "body.properties.targetResources{}.userPrincipalName", "body.properties.targetResources{}.modifiedProperties{}.newValue", "body.propertiesresult"], "risk_score": 54, "security_domain": "audit", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/azure_ad_add_serviceprincipal_owner/azure-audit.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_service_principal_owner_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_service_principal_owner_added.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD Successful Authentication From Different Ips", "id": "be6d868d-33b6-4aaa-912e-724fb555b11a", "version": 1, "date": "2023-01-24", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies an Azure AD account successfully authenticating from more than one unique Ip address in the span of 5 minutes. This behavior could represent an adversary who has stolen credentials via a phishing attack or some other method and using them to access corporate online resources around the same time as a legitimate user. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments.", "data_source": [], "search": " `azuread` properties.authenticationDetails{}.succeeded=true category=SignInLogs | rename properties.* as * | bucket span=5m _time | stats dc(ipAddress) AS unique_ips values(ipAddress) values(appDisplayName) by _time, userPrincipalName | where unique_ips > 1 | `azure_ad_successful_authentication_from_different_ips_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the SignInLogs log category.", "known_false_positives": "A user with successful authentication events from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.", "references": ["T1110", "T1110.001", "T1110.003"], "tags": {"name": "Azure AD Successful Authentication From Different Ips", "analytic_story": ["Compromised User Account", "Azure Active Directory Account Takeover"], "asset_type": "Azure AD", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "User $userPrincipalName$ has had successful authentication events from more than one unique IP address in the span of 5 minutes.", "mitre_attack_id": ["T1110", "T1110.001", "T1110.003"], "nist": ["DE.CM"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Victim"]}, {"name": "ipAddress", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "properties.status.errorCode", "category", "properties.authenticationDetails", "properties.userPrincipalName", "properties.ipAddress", "properties.appDisplayName"], "risk_score": 56, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/azure_ad_successful_authentication_from_different_ips/azuread.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_successful_authentication_from_different_ips_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_successful_authentication_from_different_ips.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD Successful PowerShell Authentication", "id": "62f10052-d7b3-4e48-b57b-56f8e3ac7ceb", "version": 1, "date": "2022-07-13", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a successful authentication event against an Azure AD tenant using PowerShell commandlets. This behavior is not common for regular, non administrative users. After compromising an account in Azure AD, attackers and red teams alike will perform enumeration and discovery techniques. One method of executing these techniques is leveraging the native PowerShell modules.", "data_source": [], "search": " `azuread` body.category=SignInLogs body.properties.authenticationDetails{}.succeeded=true body.properties.appDisplayName=\"Azure Active Directory PowerShell\" | rename body.properties.* as * | stats values(userPrincipalName) by _time, ipAddress, appDisplayName, userAgent | `azure_ad_successful_powershell_authentication_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events in your Splunk environment. Specifically, this analytic leverages the SignInLogs log category.", "known_false_positives": "Administrative users will likely use PowerShell commandlets to troubleshoot and maintain the environment. Filter as needed.", "references": ["https://attack.mitre.org/techniques/T1078/004/", "https://docs.microsoft.com/en-us/powershell/module/azuread/connect-azuread?view=azureadps-2.0", "https://securitycafe.ro/2022/04/29/pentesting-azure-recon-techniques/", "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md"], "tags": {"name": "Azure AD Successful PowerShell Authentication", "analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "message": "Successful authentication for user $body.properties.userPrincipalName$ using PowerShell.", "mitre_attack_id": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Victim"]}, {"name": "ipAddress", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "body.properties.appDisplayName", "body.category", "body.properties.userPrincipalName", "body.properties.ipAddress", "body.properties.appDisplayName", "body.properties.userAgent"], "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azuread_pws/azure-audit.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_successful_powershell_authentication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_successful_powershell_authentication.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD Successful Single-Factor Authentication", "id": "a560e7f6-1711-4353-885b-40be53101fcd", "version": 1, "date": "2022-07-12", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a successful authentication event against Azure Active Directory for an account without Multi-Factor Authentication enabled. This could be evidence of a missconfiguration, a policy violation or an account take over attempt that should be investigated", "data_source": [], "search": " `azuread` body.category=SignInLogs body.properties.authenticationRequirement=singleFactorAuthentication body.properties.authenticationDetails{}.succeeded=true | rename body.properties.* as * | stats values(userPrincipalName) by _time, ipAddress, appDisplayName, authenticationRequirement | `azure_ad_successful_single_factor_authentication_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events in your Splunk environment. Specifically, this analytic leverages the SignInLogs log category.", "known_false_positives": "Although not recommended, certain users may be required without multi-factor authentication. Filter as needed", "references": ["https://attack.mitre.org/techniques/T1078/004/", "https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks*", "https://www.forbes.com/sites/daveywinder/2020/07/08/new-dark-web-audit-reveals-15-billion-stolen-logins-from-100000-breaches-passwords-hackers-cybercrime/?sh=69927b2a180f"], "tags": {"name": "Azure AD Successful Single-Factor Authentication", "analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "message": "Successful authentication for user $body.properties.userPrincipalName$ without MFA", "mitre_attack_id": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Victim"]}, {"name": "ipAddress", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "body.category", "body.properties.authenticationRequirement", "body.properties.authenticationDetails", "body.properties.userPrincipalName", "body.properties.ipAddress", "body.properties.appDisplayName"], "risk_score": 45, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azuread/azure-audit.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": ["Authentication"], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_successful_single_factor_authentication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_successful_single_factor_authentication.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD Unusual Number of Failed Authentications From Ip", "id": "3d8d3a36-93b8-42d7-8d91-c5f24cec223d", "version": 1, "date": "2022-07-11", "author": "Mauricio Velazco, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies one source Ip failing to authenticate with multiple valid users. This behavior could represent an adversary performing a Password Spraying attack against an Azure Active Directory tenant to obtain initial access or elevate privileges. Error Code 50126 represents an invalid password.\\\nThe detection calculates the standard deviation for source Ip and leverages the 3-sigma statistical rule to identify an unusual number of failed authentication attempts. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises.\\\nWhile looking for anomalies using statistical methods like the standard deviation can have benefits, we also recommend using threshold-based detections to complement coverage. A similar analytic following the threshold model is `Azure AD Multiple Users Failing To Authenticate From Ip`.", "data_source": [], "search": " `azuread` body.category=SignInLogs body.properties.status.errorCode=50126 body.properties.authenticationDetails{}.succeeded= false | rename body.properties.* as * | bucket span=5m _time | stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) as tried_accounts by _time, ipAddress | eventstats avg(unique_accounts) as ip_avg , stdev(unique_accounts) as ip_std by ipAddress | eval upperBound=(ip_avg+ip_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | where isOutlier = 1 | `azure_ad_unusual_number_of_failed_authentications_from_ip_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events in your Splunk environment. Specifically, this analytic leverages the SignInLogs log category.", "known_false_positives": "A source Ip failing to authenticate with multiple users is not a common for legitimate behavior.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes"], "tags": {"name": "Azure AD Unusual Number of Failed Authentications From Ip", "analytic_story": ["Azure Active Directory Account Takeover"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation"], "message": "Possible Password Spraying attack against Azure AD from source ip $body.properties.ipAddress$", "mitre_attack_id": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Victim"]}, {"name": "ipAddress", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "body.properties.status.errorCode", "body.category", "body.properties.authenticationDetails", "body.properties.userPrincipalName", "body.properties.ipAddress"], "risk_score": 54, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/azuread/azure-audit.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_unusual_number_of_failed_authentications_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml", "source": "cloud"}, {"name": "Azure AD User Enabled And Password Reset", "id": "1347b9e8-2daa-4a6f-be73-b421d3d9e268", "version": 1, "date": "2022-08-29", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies an Azure AD user enabling a previously disabled account and resetting its password within 2 minutes. This behavior could represent an adversary who has obtained administrative access and is trying to establish a backdoor identity within an Azure AD tenant.", "data_source": [], "search": " `azuread` (body.operationName=\"Enable account\" OR body.operationName=\"Reset password (by admin)\" OR body.operationName=\"Update user\") | transaction body.properties.targetResources{}.userPrincipalName startsWith=(body.operationName=\"Enable account\") endsWith=(body.operationName=\"Reset password (by admin)\") maxspan=2m | rename body.properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | stats values(body.operationName) values(initiatedBy) by _time, userPrincipalName, result | `azure_ad_user_enabled_and_password_reset_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.", "known_false_positives": "While not common, Administrators may enable accounts and reset their passwords for legitimate reasons. Filter as needed.", "references": ["https://attack.mitre.org/techniques/T1098/"], "tags": {"name": "Azure AD User Enabled And Password Reset", "analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Installation"], "message": "A user account, $displayName$, was enabled and its password reset within 2 minutes by $initiatedBy$", "mitre_attack_id": ["T1098"], "nist": ["DE.CM"], "observable": [{"name": "displayName", "type": "Other", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "body.operationName", "body.properties.targetResources{}.userPrincipalName", "body.properties.initiatedBy.user.userPrincipalName", "body.properties.result"], "risk_score": 45, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/azure_ad_enable_and_reset/azure-audit.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_user_enabled_and_password_reset_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_user_enabled_and_password_reset.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure AD User ImmutableId Attribute Updated", "id": "0c0badad-4536-4a84-a561-5ff760f3c00e", "version": 1, "date": "2022-09-02", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the modification of the SourceAnchor (also called ImmutableId) attribute for an Azure Active Directory user. Updating this attribute is a step required to set up the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA.", "data_source": [], "search": " `azuread` body.operationName=\"Update user\" body.properties.targetResources{}.modifiedProperties{}.displayName=SourceAnchor | rename body.properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | rename body.callerIpAddress as callerIpAddress | rename targetResources{}.modifiedProperties{}.newValue as modifiedProperties | stats values(userPrincipalName) values(modifiedProperties) by _time, initiatedBy, callerIpAddress, result, body.operationName | `azure_ad_user_immutableid_attribute_updated_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category.", "known_false_positives": "The SourceAnchor (also called ImmutableId) Azure AD attribute has legitimate uses for directory synchronization. Investigate and filter as needed.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-design-concepts", "https://www.mandiant.com/resources/remediation-and-hardening-strategies-microsoft-365-defend-against-apt29-v13", "https://o365blog.com/post/federation-vulnerability/", "https://www.inversecos.com/2021/11/how-to-detect-azure-active-directory.html", "https://www.mandiant.com/resources/blog/detecting-microsoft-365-azure-active-directory-backdoors", "https://attack.mitre.org/techniques/T1098/"], "tags": {"name": "Azure AD User ImmutableId Attribute Updated", "analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure Active Directory", "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Installation"], "message": "The SourceAnchor or ImmutableID attribute has been modified for user $userPrincipalName$ by $initiatedBy$", "mitre_attack_id": ["T1098"], "nist": ["DE.CM"], "observable": [{"name": "userPrincipalName", "type": "User", "role": ["Victim"]}, {"name": "initiatedBy", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 45, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/azure_ad_set_immutableid/azure-audit.log", "source": "mscs:azure:eventhub", "sourcetype": "mscs:azure:eventhub", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_ad_user_immutableid_attribute_updated_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure Automation Account Created", "id": "860902fd-2e76-46b3-b050-ba548dab576c", "version": 1, "date": "2022-08-18", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the creation of a new Azure Automation account within an Azure tenant. Azure Automation is a cloud-based automation platform that allows administrators to automate Azure management tasks and orchestrate actions across external systems within Azure using PowerShell and Python. Azure Automation can also be configured to automate tasks on on premise infrastructure using a component called a Hybrid Runbook Worker. Automation accounts serve as a container to isolate Automation resources, runbooks, assets, and configurations from the resources of other accounts. They allow administrators to separate resources into logical environments or delegated responsibilities. Adversaries or red teams who have obtained privileged access to an Azure tenant may create an Azure Automation account with elevated privileges to maintain persistence in the Azure tenant. A malicious Automation Runbook can be created to create Global Administrators in Azure AD, execute code on VMs, etc.", "data_source": [], "search": " `azure_audit` operationName.localizedValue=\"Create or Update an Azure Automation account\" status.value=Succeeded | dedup object | stats values(object) by _time, caller, claims.ipaddr, resourceGroupName, object_path | `azure_automation_account_created_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Audit events into your Splunk environment. Specifically, this analytic leverages the Azure Activity log category.", "known_false_positives": "Administrators may legitimately create Azure Automation accounts. Filter as needed.", "references": ["https://docs.microsoft.com/en-us/azure/automation/overview", "https://docs.microsoft.com/en-us/azure/automation/automation-create-standalone-account?tabs=azureportal", "https://docs.microsoft.com/en-us/azure/automation/automation-hybrid-runbook-worker", "https://www.inversecos.com/2021/12/how-to-detect-malicious-azure.html", "https://www.netspi.com/blog/technical/cloud-penetration-testing/maintaining-azure-persistence-via-automation-accounts/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-3/", "https://attack.mitre.org/techniques/T1136/003/"], "tags": {"name": "Azure Automation Account Created", "analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "message": "A new Azure Automation account $object$ was created by $caller$", "mitre_attack_id": ["T1136", "T1136.003"], "nist": ["DE.CM"], "observable": [{"name": "object", "type": "Other", "role": ["Victim"]}, {"name": "caller", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "operationName.localizedValue", "status.value", "object", "caller", "claims.ipaddr", "resourceGroupName", "object_path"], "risk_score": 63, "security_domain": "audit", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_automation_account/azure-activity.log", "source": "mscs:azure:audit", "sourcetype": "mscs:azure:audit", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azure_audit", "definition": "sourcetype=mscs:azure:audit", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_automation_account_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_automation_account_created.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure Automation Runbook Created", "id": "178d696d-6dc6-4ee8-9d25-93fee34eaf5b", "version": 1, "date": "2022-08-22", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the creation of a new Azure Automation Runbook within an Azure tenant. Azure Automation is a cloud-based automation platform that allows administrators to automate Azure management tasks and orchestrate actions across external systems within Azure. Azure Automation script files called Runbooks that can be written in PowerShell or Python. Adversaries or red teams who have obtained privileged access to an Azure tenant may create an Azure Automation Runbook that runs with elevated privileges to maintain persistence in the Azure tenant. A malicious Automation Runbook can be created to create Global Administrators in Azure AD, execute code on VMs, etc.", "data_source": [], "search": " `azure_audit` operationName.localizedValue=\"Create or Update an Azure Automation Runbook\" object!=AzureAutomationTutorial* status.value=Succeeded | dedup object | stats values(object) by _time, caller, claims.ipaddr, resourceGroupName, object_path | `azure_automation_runbook_created_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Audit events into your Splunk environment. Specifically, this analytic leverages the Azure Activity log category.", "known_false_positives": "Administrators may legitimately create Azure Automation Runbooks. Filter as needed.", "references": ["https://docs.microsoft.com/en-us/azure/automation/overview", "https://docs.microsoft.com/en-us/azure/automation/automation-runbook-types", "https://docs.microsoft.com/en-us/azure/automation/manage-runbooks", "https://www.inversecos.com/2021/12/how-to-detect-malicious-azure.html", "https://www.netspi.com/blog/technical/cloud-penetration-testing/maintaining-azure-persistence-via-automation-accounts/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-3/", "https://attack.mitre.org/techniques/T1136/003/"], "tags": {"name": "Azure Automation Runbook Created", "analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "message": "A new Azure Automation Runbook $object$ was created by $caller$", "mitre_attack_id": ["T1136", "T1136.003"], "nist": ["DE.CM"], "observable": [{"name": "object", "type": "Other", "role": ["Victim"]}, {"name": "caller", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "operationName.localizedValue", "status.value", "object", "caller", "claims.ipaddr", "resourceGroupName", "object_path"], "risk_score": 63, "security_domain": "audit", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azure_automation_runbook/azure-activity.log", "source": "mscs:azure:audit", "sourcetype": "mscs:azure:audit", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azure_audit", "definition": "sourcetype=mscs:azure:audit", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_automation_runbook_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_automation_runbook_created.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Azure Runbook Webhook Created", "id": "e98944a9-92e4-443c-81b8-a322e33ce75a", "version": 1, "date": "2022-08-23", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the creation of a new Automation Runbook Webhook within an Azure tenant. Azure Automation is a cloud-based automation platform that allows administrators to automate Azure management tasks and orchestrate actions across external systems within Azure. Azure Automation script files called Runbooks that can be written in PowerShell or Python. One of the ways administrators can configure a Runbook to be executed is through HTTP Webhooks. Webhooks leverage custom unauthenticated URLs that are exposed to the Internet. An adversary who has obtained privileged access to an Azure tenant may create a Webhook to trigger the execution of an Automation Runbook with malicious code that can create users or execute code on a VM. This provides a persistent foothold on the environment.", "data_source": [], "search": " `azure_audit` operationName.localizedValue=\"Create or Update an Azure Automation webhook\" status.value=Succeeded | stats values(object) by _time, caller, claims.ipaddr, resourceGroupName, object_path | `azure_runbook_webhook_created_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Audit events into your Splunk environment. Specifically, this analytic leverages the Azure Activity log category.", "known_false_positives": "Administrators may legitimately create Azure Runbook Webhooks. Filter as needed.", "references": ["https://docs.microsoft.com/en-us/azure/automation/overview", "https://docs.microsoft.com/en-us/azure/automation/automation-runbook-types", "https://docs.microsoft.com/en-us/azure/automation/automation-webhooks?tabs=portal", "https://www.inversecos.com/2021/12/how-to-detect-malicious-azure.html", "https://www.netspi.com/blog/technical/cloud-penetration-testing/maintaining-azure-persistence-via-automation-accounts/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-3/", "https://attack.mitre.org/techniques/T1078/004/"], "tags": {"name": "Azure Runbook Webhook Created", "analytic_story": ["Azure Active Directory Persistence"], "asset_type": "Azure", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "A new Azure Runbook Webhook $object$ was created by $caller$", "mitre_attack_id": ["T1078", "T1078.004"], "nist": ["DE.CM"], "observable": [{"name": "object", "type": "Other", "role": ["Victim"]}, {"name": "caller", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "operationName.localizedValue", "status.value", "object", "caller", "claims.ipaddr", "resourceGroupName", "object_path"], "risk_score": 63, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azure_runbook_webhook/azure-activity.log", "source": "mscs:azure:audit", "sourcetype": "mscs:azure:audit", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "azure_audit", "definition": "sourcetype=mscs:azure:audit", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_runbook_webhook_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/azure_runbook_webhook_created.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Circle CI Disable Security Job", "id": "4a2fdd41-c578-4cd4-9ef7-980e352517f2", "version": 1, "date": "2021-09-02", "author": "Patrick Bareiss, Splunk", "type": "Anomaly", "status": "production", "description": "This search looks for disable security job in CircleCI pipeline.", "data_source": [], "search": "`circleci` | rename vcs.committer_name as user vcs.subject as commit_message vcs.url as url workflows.* as * | stats values(job_name) as job_names by workflow_id workflow_name user commit_message url branch | lookup mandatory_job_for_workflow workflow_name OUTPUTNEW job_name AS mandatory_job | search mandatory_job=* | eval mandatory_job_executed=if(like(job_names, \"%\".mandatory_job.\"%\"), 1, 0) | where mandatory_job_executed=0 | eval phase=\"build\" | rex field=url \"(?[^\\/]*\\/[^\\/]*)$\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `circle_ci_disable_security_job_filter`", "how_to_implement": "You must index CircleCI logs.", "known_false_positives": "unknown", "references": [], "tags": {"name": "Circle CI Disable Security Job", "analytic_story": ["Dev Sec Ops"], "asset_type": "CircleCI", "cis20": ["CIS 13"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Installation"], "message": "disable security job $mandatory_job$ in workflow $workflow_name$ from user $user$", "mitre_attack_id": ["T1554"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_times"], "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1554", "mitre_attack_technique": "Compromise Client Software Binary", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1554/circle_ci_disable_security_job/circle_ci_disable_security_job.json", "source": "circleci", "sourcetype": "circleci"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "circleci", "definition": "sourcetype=circleci", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "circle_ci_disable_security_job_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "mandatory_job_for_workflow", "description": "A lookup file that will be used to define the mandatory job for workflow", "filename": "mandatory_job_for_workflow.csv"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/circle_ci_disable_security_job.yml", "source": "cloud"}, {"name": "Circle CI Disable Security Step", "id": "72cb9de9-e98b-4ac9-80b2-5331bba6ea97", "version": 1, "date": "2021-09-01", "author": "Patrick Bareiss, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search looks for disable security step in CircleCI pipeline.", "data_source": [], "search": "`circleci` | rename workflows.job_id AS job_id | join job_id [ | search `circleci` | stats values(name) as step_names count by job_id job_name ] | stats count by step_names job_id job_name vcs.committer_name vcs.subject vcs.url owners{} | rename vcs.* as * , owners{} as user | lookup mandatory_step_for_job job_name OUTPUTNEW step_name AS mandatory_step | search mandatory_step=* | eval mandatory_step_executed=if(like(step_names, \"%\".mandatory_step.\"%\"), 1, 0) | where mandatory_step_executed=0 | rex field=url \"(?[^\\/]*\\/[^\\/]*)$\" | eval phase=\"build\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `circle_ci_disable_security_step_filter`", "how_to_implement": "You must index CircleCI logs.", "known_false_positives": "unknown", "references": [], "tags": {"name": "Circle CI Disable Security Step", "analytic_story": ["Dev Sec Ops"], "asset_type": "CircleCI", "cis20": ["CIS 13"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Installation"], "message": "disable security step $mandatory_step$ in job $job_name$ from user $user$", "mitre_attack_id": ["T1554"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_times"], "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1554", "mitre_attack_technique": "Compromise Client Software Binary", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1554/circle_ci_disable_security_step/circle_ci_disable_security_step.json", "source": "circleci", "sourcetype": "circleci"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "circleci", "definition": "sourcetype=circleci", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "circle_ci_disable_security_step_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "mandatory_step_for_job", "description": "A lookup file that will be used to define the mandatory step for job", "filename": "mandatory_step_for_job.csv"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/circle_ci_disable_security_step.yml", "source": "cloud"}, {"name": "Cloud API Calls From Previously Unseen User Roles", "id": "2181ad1f-1e73-4d0c-9780-e8880482a08f", "version": 1, "date": "2020-09-04", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search looks for new commands from each user role.", "data_source": [], "search": "| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where All_Changes.user_type=AssumedRole AND All_Changes.status=success by All_Changes.user, All_Changes.command All_Changes.object | `drop_dm_object_name(\"All_Changes\")` | lookup previously_seen_cloud_api_calls_per_user_role user as user, command as command OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenUserApiCall=min(firstTimeSeen) | where isnull(firstTimeSeenUserApiCall) OR firstTimeSeenUserApiCall > relative_time(now(),\"-24h@h\") | table firstTime, user, object, command |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `cloud_api_calls_from_previously_unseen_user_roles_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud API Calls Per User Role - Initial` to build the initial table of user roles, commands, and times. You must also enable the second baseline search `Previously Seen Cloud API Calls Per User Role - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `cloud_api_calls_from_previously_unseen_user_roles_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_api_calls_from_previously_unseen_user_roles_filter`", "known_false_positives": ".", "references": [], "tags": {"name": "Cloud API Calls From Previously Unseen User Roles", "analytic_story": ["Suspicious Cloud User Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "User $user$ of type AssumedRole attempting to execute new API calls $command$ that have not been seen before", "mitre_attack_id": ["T1078"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.user", "All_Changes.user_type", "All_Changes.status", "All_Changes.command", "All_Changes.object"], "risk_score": 36, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": ["Change"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloud_api_calls_from_previously_unseen_user_roles_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_cloud_api_calls_per_user_role", "description": "A table of users, commands, and the first and last time that they have been seen", "collection": "previously_seen_cloud_api_calls_per_user_role", "fields_list": "_key, user, command, firstTimeSeen, lastTimeSeen, enough_data"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml", "source": "cloud"}, {"name": "Cloud Compute Instance Created By Previously Unseen User", "id": "37a0ec8d-827e-4d6d-8025-cedf31f3a149", "version": 2, "date": "2021-07-13", "author": "Rico Valdez, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search looks for cloud compute instances created by users who have not created them before.", "data_source": [], "search": "| tstats `security_content_summariesonly` count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object) as dest from datamodel=Change where All_Changes.action=created by All_Changes.user All_Changes.vendor_region | `drop_dm_object_name(\"All_Changes\")` | lookup previously_seen_cloud_compute_creations_by_user user as user OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenUser=min(firstTimeSeen) | where isnull(firstTimeSeenUser) OR firstTimeSeenUser > relative_time(now(), \"-24h@h\") | table firstTime, user, dest, count vendor_region | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_by_previously_unseen_user_filter`", "how_to_implement": "You must be ingesting the appropriate cloud-infrastructure logs Run the \"Previously Seen Cloud Compute Creations By User\" support search to create of baseline of previously seen users.", "known_false_positives": "It's possible that a user will start to create compute instances for the first time, for any number of reasons. Verify with the user launching instances that this is the intended behavior.", "references": [], "tags": {"name": "Cloud Compute Instance Created By Previously Unseen User", "analytic_story": ["Cloud Cryptomining"], "asset_type": "Cloud Compute Instance", "cis20": ["CIS 10"], "confidence": 60, "impact": 30, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "User $user$ is creating a new instance $dest$ for the first time", "mitre_attack_id": ["T1078.004", "T1078"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.object", "All_Changes.action", "All_Changes.user", "All_Changes.vendor_region"], "risk_score": 18, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": ["Change"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "cloud_compute_instance_created_by_previously_unseen_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_cloud_compute_creations_by_user", "description": "A table of previously seen users creating cloud instances", "collection": "previously_seen_cloud_compute_creations_by_user", "fields_list": "_key, firstTimeSeen, lastTimeSeen, user, enough_data"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/cloud_compute_instance_created_by_previously_unseen_user.yml", "source": "cloud"}, {"name": "Cloud Compute Instance Created In Previously Unused Region", "id": "fa4089e2-50e3-40f7-8469-d2cc1564ca59", "version": 1, "date": "2020-09-02", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search looks at cloud-infrastructure events where an instance is created in any region within the last hour and then compares it to a lookup file of previously seen regions where instances have been created.", "data_source": [], "search": "| tstats earliest(_time) as firstTime latest(_time) as lastTime values(All_Changes.object_id) as dest, count from datamodel=Change where All_Changes.action=created by All_Changes.vendor_region, All_Changes.user | `drop_dm_object_name(\"All_Changes\")` | lookup previously_seen_cloud_regions vendor_region as vendor_region OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenRegion=min(firstTimeSeen) | where isnull(firstTimeSeenRegion) OR firstTimeSeenRegion > relative_time(now(), \"-24h@h\") | table firstTime, user, dest, count , vendor_region | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_in_previously_unused_region_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Regions - Initial` to build the initial table of images observed and times. You must also enable the second baseline search `Previously Seen Cloud Regions - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_in_previously_unused_region_filter` macro.", "known_false_positives": "It's possible that a user has unknowingly started an instance in a new region. Please verify that this activity is legitimate.", "references": [], "tags": {"name": "Cloud Compute Instance Created In Previously Unused Region", "analytic_story": ["Cloud Cryptomining"], "asset_type": "Cloud Compute Instance", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "User $user$ is creating an instance $dest$ in a new region for the first time", "mitre_attack_id": ["T1535"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.object_id", "All_Changes.action", "All_Changes.vendor_region", "All_Changes.user"], "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": ["Change"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloud_compute_instance_created_in_previously_unused_region_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_cloud_regions", "description": "A table of vendor_region values and the first and last time that they have been observed in cloud provisioning activities", "collection": "previously_seen_cloud_regions", "fields_list": "_key, firstTimeSeen, lastTimeSeen, vendor_region, enough_data"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/cloud_compute_instance_created_in_previously_unused_region.yml", "source": "cloud"}, {"name": "Cloud Compute Instance Created With Previously Unseen Image", "id": "bc24922d-987c-4645-b288-f8c73ec194c4", "version": 1, "date": "2018-10-12", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search looks for cloud compute instances being created with previously unseen image IDs.", "data_source": [], "search": "| tstats count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as dest from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.image_id, All_Changes.user | `drop_dm_object_name(\"All_Changes\")` | `drop_dm_object_name(\"Instance_Changes\")` | where image_id != \"unknown\" | lookup previously_seen_cloud_compute_images image_id as image_id OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenImage=min(firstTimeSeen) | where isnull(firstTimeSeenImage) OR firstTimeSeenImage > relative_time(now(), \"-24h@h\") | table firstTime, user, image_id, count, dest | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_with_previously_unseen_image_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Compute Images - Initial` to build the initial table of images observed and times. You must also enable the second baseline search `Previously Seen Cloud Compute Images - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_with_previously_unseen_image_filter` macro.", "known_false_positives": "After a new image is created, the first systems created with that image will cause this alert to fire. Verify that the image being used was created by a legitimate user.", "references": [], "tags": {"name": "Cloud Compute Instance Created With Previously Unseen Image", "analytic_story": ["Cloud Cryptomining"], "asset_type": "Cloud Compute Instance", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": [], "message": "User $user$ is creating an instance $dest$ with an image that has not been previously seen.", "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.object_id", "All_Changes.action", "All_Changes.Instance_Changes.image_id", "All_Changes.user"], "risk_score": 36, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": ["Change"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloud_compute_instance_created_with_previously_unseen_image_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_cloud_compute_images", "description": "A table of previously seen Cloud image IDs", "collection": "previously_seen_cloud_compute_images", "fields_list": "_key, firstTimeSeen, lastTimeSeen, image_id, enough_data"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml", "source": "cloud"}, {"name": "Cloud Compute Instance Created With Previously Unseen Instance Type", "id": "c6ddbf53-9715-49f3-bb4c-fb2e8a309cda", "version": 1, "date": "2020-09-12", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "experimental", "description": "Find EC2 instances being created with previously unseen instance types.", "data_source": [], "search": "| tstats earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as dest, count from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.instance_type, All_Changes.user | `drop_dm_object_name(\"All_Changes\")` | `drop_dm_object_name(\"Instance_Changes\")` | where instance_type != \"unknown\" | lookup previously_seen_cloud_compute_instance_types instance_type as instance_type OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenInstanceType=min(firstTimeSeen) | where isnull(firstTimeSeenInstanceType) OR firstTimeSeenInstanceType > relative_time(now(), \"-24h@h\") | table firstTime, user, dest, count, instance_type | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_with_previously_unseen_instance_type_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Compute Instance Types - Initial` to build the initial table of instance types observed and times. You must also enable the second baseline search `Previously Seen Cloud Compute Instance Types - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_with_previously_unseen_instance_type_filter` macro.", "known_false_positives": "It is possible that an admin will create a new system using a new instance type that has never been used before. Verify with the creator that they intended to create the system with the new instance type.", "references": [], "tags": {"name": "Cloud Compute Instance Created With Previously Unseen Instance Type", "analytic_story": ["Cloud Cryptomining"], "asset_type": "Cloud Compute Instance", "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": [], "message": "User $user$ is creating an instance $dest$ with an instance type $instance_type$ that has not been previously seen.", "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.object_id", "All_Changes.action", "All_Changes.Instance_Changes.instance_type", "All_Changes.user"], "risk_score": 30, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": ["Change"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloud_compute_instance_created_with_previously_unseen_instance_type_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_cloud_compute_instance_types", "description": "A place holder for a list of used cloud compute instance types", "collection": "previously_seen_cloud_compute_instance_types", "fields_list": "_key, firstTimeSeen, lastTimeSeen, instance_type, enough_data"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml", "source": "cloud"}, {"name": "Cloud Instance Modified By Previously Unseen User", "id": "7fb15084-b14e-405a-bd61-a6de15a40722", "version": 1, "date": "2020-07-29", "author": "Rico Valdez, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search looks for cloud instances being modified by users who have not previously modified them.", "data_source": [], "search": "| tstats `security_content_summariesonly` count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as object_id values(All_Changes.command) as command from datamodel=Change where All_Changes.action=modified All_Changes.change_type=EC2 All_Changes.status=success by All_Changes.user | `drop_dm_object_name(\"All_Changes\")` | lookup previously_seen_cloud_instance_modifications_by_user user as user OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenUser=min(firstTimeSeen) | where isnull(firstTimeSeenUser) OR firstTimeSeenUser > relative_time(now(), \"-24h@h\") | table firstTime user command object_id count | `security_content_ctime(firstTime)` | `cloud_instance_modified_by_previously_unseen_user_filter`", "how_to_implement": "This search has a dependency on other searches to create and update a baseline of users observed to be associated with this activity. The search \"Previously Seen Cloud Instance Modifications By User - Update\" should be enabled for this detection to properly work.", "known_false_positives": "It's possible that a new user will start to modify EC2 instances when they haven't before for any number of reasons. Verify with the user that is modifying instances that this is the intended behavior.", "references": [], "tags": {"name": "Cloud Instance Modified By Previously Unseen User", "analytic_story": ["Suspicious Cloud Instance Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "User $user$ is modifying an instance $dest$ for the first time.", "mitre_attack_id": ["T1078.004", "T1078"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.object_id", "All_Changes.command", "All_Changes.action", "All_Changes.change_type", "All_Changes.status", "All_Changes.user"], "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": ["Change"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "cloud_instance_modified_by_previously_unseen_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_cloud_instance_modifications_by_user", "description": "A table of users seen making instance modifications, and the first and last time that the activity was observed", "collection": "previously_seen_cloud_instance_modifications_by_user", "fields_list": "_key, firstTimeSeen, lastTimeSeen, user, enough_data"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/cloud_instance_modified_by_previously_unseen_user.yml", "source": "cloud"}, {"name": "Cloud Provisioning Activity From Previously Unseen City", "id": "e7ecc5e0-88df-48b9-91af-51104c68f02f", "version": 1, "date": "2020-10-09", "author": "Rico Valdez, Bhavin Patel, Splunk", "type": "Anomaly", "status": "production", "description": "This search looks for cloud provisioning activities from previously unseen cities. Provisioning activities are defined broadly as any event that runs or creates something.", "data_source": [], "search": "| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.object, All_Changes.command | `drop_dm_object_name(\"All_Changes\")` | iplocation src | where isnotnull(City) | lookup previously_seen_cloud_provisioning_activity_sources City as City OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenCity=min(firstTimeSeen) | where isnull(firstTimeSeenCity) OR firstTimeSeenCity > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) | table firstTime, src, City, user, object, command | `cloud_provisioning_activity_from_previously_unseen_city_filter` | `security_content_ctime(firstTime)`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_city_filter` macro.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\\\n This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "references": [], "tags": {"name": "Cloud Provisioning Activity From Previously Unseen City", "analytic_story": ["Suspicious Cloud Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "confidence": 60, "impact": 30, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "User $user$ is starting or creating an instance $dest$ for the first time in City $City$ from IP address $src$", "mitre_attack_id": ["T1078"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.action", "All_Changes.status", "All_Changes.src", "All_Changes.user", "All_Changes.object", "All_Changes.command"], "risk_score": 18, "security_domain": "threat", "risk_severity": "low", "manual_test": "This search needs the baseline to be run first to create a lookup", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": ["Change"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "previously_unseen_cloud_provisioning_activity_window", "definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new provisioning activities"}, {"name": "cloud_provisioning_activity_from_previously_unseen_city_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_cloud_provisioning_activity_sources", "description": "A table of source IPs, geographic locations, and the first and last time that they have that done cloud provisioning activities", "collection": "previously_seen_cloud_provisioning_activity_sources", "fields_list": "_key, src, City, Country, Region, firstTimeSeen, lastTimeSeen, enough_data"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/cloud_provisioning_activity_from_previously_unseen_city.yml", "source": "cloud"}, {"name": "Cloud Provisioning Activity From Previously Unseen Country", "id": "94994255-3acf-4213-9b3f-0494df03bb31", "version": 1, "date": "2020-10-09", "author": "Rico Valdez, Bhavin Patel, Splunk", "type": "Anomaly", "status": "production", "description": "This search looks for cloud provisioning activities from previously unseen countries. Provisioning activities are defined broadly as any event that runs or creates something.", "data_source": [], "search": "| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.object, All_Changes.command | `drop_dm_object_name(\"All_Changes\")` | iplocation src | where isnotnull(Country) | lookup previously_seen_cloud_provisioning_activity_sources Country as Country OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenCountry=min(firstTimeSeen) | where isnull(firstTimeSeenCountry) OR firstTimeSeenCountry > relative_time(now(), \"-24h@h\") | table firstTime, src, Country, user, object, command | `cloud_provisioning_activity_from_previously_unseen_country_filter` | `security_content_ctime(firstTime)`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_country_filter` macro.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\\\n This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "references": [], "tags": {"name": "Cloud Provisioning Activity From Previously Unseen Country", "analytic_story": ["Suspicious Cloud Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "User $user$ is starting or creating an instance $object$ for the first time in Country $Country$ from IP address $src$", "mitre_attack_id": ["T1078"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "object", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.action", "All_Changes.status", "All_Changes.src", "All_Changes.user", "All_Changes.object", "All_Changes.command"], "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "manual_test": "This search needs the baseline to be run first to create a lookup", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": ["Change"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloud_provisioning_activity_from_previously_unseen_country_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_cloud_provisioning_activity_sources", "description": "A table of source IPs, geographic locations, and the first and last time that they have that done cloud provisioning activities", "collection": "previously_seen_cloud_provisioning_activity_sources", "fields_list": "_key, src, City, Country, Region, firstTimeSeen, lastTimeSeen, enough_data"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/cloud_provisioning_activity_from_previously_unseen_country.yml", "source": "cloud"}, {"name": "Cloud Provisioning Activity From Previously Unseen IP Address", "id": "f86a8ec9-b042-45eb-92f4-e9ed1d781078", "version": 1, "date": "2020-08-16", "author": "Rico Valdez, Splunk", "type": "Anomaly", "status": "production", "description": "This search looks for cloud provisioning activities from previously unseen IP addresses. Provisioning activities are defined broadly as any event that runs or creates something.", "data_source": [], "search": "| tstats earliest(_time) as firstTime, latest(_time) as lastTime, values(All_Changes.object_id) as object_id from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.command | `drop_dm_object_name(\"All_Changes\")` | lookup previously_seen_cloud_provisioning_activity_sources src as src OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenSrc=min(firstTimeSeen) | where isnull(firstTimeSeenSrc) OR firstTimeSeenSrc > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) | table firstTime, src, user, object_id, command | `cloud_provisioning_activity_from_previously_unseen_ip_address_filter` | `security_content_ctime(firstTime)`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_ip_address_filter` macro.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\\\n This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "references": [], "tags": {"name": "Cloud Provisioning Activity From Previously Unseen IP Address", "analytic_story": ["Suspicious Cloud Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "User $user$ is starting or creating an instance $object_id$ for the first time from IP address $src$", "mitre_attack_id": ["T1078"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "object_id", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.object_id", "All_Changes.action", "All_Changes.status", "All_Changes.src", "All_Changes.user", "All_Changes.command"], "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "manual_test": "This search needs the baseline to be run first to create a lookup", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": ["Change"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "previously_unseen_cloud_provisioning_activity_window", "definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new provisioning activities"}, {"name": "cloud_provisioning_activity_from_previously_unseen_ip_address_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_cloud_provisioning_activity_sources", "description": "A table of source IPs, geographic locations, and the first and last time that they have that done cloud provisioning activities", "collection": "previously_seen_cloud_provisioning_activity_sources", "fields_list": "_key, src, City, Country, Region, firstTimeSeen, lastTimeSeen, enough_data"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/cloud_provisioning_activity_from_previously_unseen_ip_address.yml", "source": "cloud"}, {"name": "Cloud Provisioning Activity From Previously Unseen Region", "id": "5aba1860-9617-4af9-b19d-aecac16fe4f2", "version": 1, "date": "2020-08-16", "author": "Rico Valdez, Bhavin Patel, Splunk", "type": "Anomaly", "status": "production", "description": "This search looks for cloud provisioning activities from previously unseen regions. Provisioning activities are defined broadly as any event that runs or creates something.", "data_source": [], "search": "| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.object, All_Changes.command | `drop_dm_object_name(\"All_Changes\")` | iplocation src | where isnotnull(Region) | lookup previously_seen_cloud_provisioning_activity_sources Region as Region OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenRegion=min(firstTimeSeen) | where isnull(firstTimeSeenRegion) OR firstTimeSeenRegion > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) | table firstTime, src, Region, user, object, command | `cloud_provisioning_activity_from_previously_unseen_region_filter` | `security_content_ctime(firstTime)`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_region_filter` macro.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\\\n This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "references": [], "tags": {"name": "Cloud Provisioning Activity From Previously Unseen Region", "analytic_story": ["Suspicious Cloud Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "User $user$ is starting or creating an instance $object$ for the first time in region $Region$ from IP address $src$", "mitre_attack_id": ["T1078"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "object", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.action", "All_Changes.status", "All_Changes.src", "All_Changes.user", "All_Changes.object", "All_Changes.command"], "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "manual_test": "This search needs the baseline to be run first to create a lookup", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": ["Change"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "previously_unseen_cloud_provisioning_activity_window", "definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new provisioning activities"}, {"name": "cloud_provisioning_activity_from_previously_unseen_region_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_cloud_provisioning_activity_sources", "description": "A table of source IPs, geographic locations, and the first and last time that they have that done cloud provisioning activities", "collection": "previously_seen_cloud_provisioning_activity_sources", "fields_list": "_key, src, City, Country, Region, firstTimeSeen, lastTimeSeen, enough_data"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/cloud_provisioning_activity_from_previously_unseen_region.yml", "source": "cloud"}, {"name": "Correlation by Repository and Risk", "id": "8da9fdd9-6a1b-4ae0-8a34-8c25e6be9687", "version": 1, "date": "2021-09-06", "author": "Patrick Bareiss, Splunk", "type": "Correlation", "status": "production", "description": "This search correlations detections by repository and risk_score", "data_source": [], "search": "`risk_index` | fillnull | stats sum(risk_score) as risk_score values(source) as signals values(user) as user by repository | sort - risk_score | where risk_score > 80 | `correlation_by_repository_and_risk_filter`", "how_to_implement": "For Dev Sec Ops POC", "known_false_positives": "unknown", "references": [], "tags": {"name": "Correlation by Repository and Risk", "analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Installation"], "message": "Correlation triggered for user $user$", "mitre_attack_id": ["T1204.003", "T1204"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 70, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.003", "mitre_attack_technique": "Malicious Image", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}]}, "datamodel": [], "macros": [{"name": "risk_index", "definition": "index=risk", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "correlation_by_repository_and_risk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/correlation_by_repository_and_risk.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Correlation by User and Risk", "id": "610e12dc-b6fa-4541-825e-4a0b3b6f6773", "version": 1, "date": "2021-09-06", "author": "Patrick Bareiss, Splunk", "type": "Correlation", "status": "production", "description": "This search correlations detections by user and risk_score", "data_source": [], "search": "`risk_index` | fillnull | stats sum(risk_score) as risk_score values(source) as signals values(repository) as repository by user | sort - risk_score | where risk_score > 80 | `correlation_by_user_and_risk_filter`", "how_to_implement": "For Dev Sec Ops POC", "known_false_positives": "unknown", "references": [], "tags": {"name": "Correlation by User and Risk", "analytic_story": ["Dev Sec Ops"], "asset_type": "AWS Account", "cis20": ["CIS 13"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Installation"], "message": "Correlation triggered for user $user$", "mitre_attack_id": ["T1204.003", "T1204"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 70, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.003", "mitre_attack_technique": "Malicious Image", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}]}, "datamodel": [], "macros": [{"name": "risk_index", "definition": "index=risk", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "correlation_by_user_and_risk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/correlation_by_user_and_risk.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Detect AWS Console Login by New User", "id": "bc91a8cd-35e7-4bb2-6140-e756cc46fd71", "version": 3, "date": "2022-05-10", "author": "Rico Valdez, Splunk", "type": "Hunting", "status": "experimental", "description": "This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour", "data_source": [], "search": "| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user | `drop_dm_object_name(Authentication)` | join user type=outer [ | inputlookup previously_seen_users_console_logins | stats min(firstTime) as earliestseen by user] | eval userStatus=if(earliestseen >= relative_time(now(), \"-24h@h\") OR isnull(earliestseen), \"First Time Logging into AWS Console\", \"Previously Seen User\") | where userStatus=\"First Time Logging into AWS Console\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_aws_console_login_by_new_user_filter`", "how_to_implement": "You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines.", "known_false_positives": "When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.", "references": [], "tags": {"name": "Detect AWS Console Login by New User", "analytic_story": ["Suspicious Cloud Authentication Activities", "AWS Identity and Access Management Account Takeover"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": ["Weaponization", "Exploitation"], "message": "User $user$ is logging into the AWS console for the first time", "mitre_attack_id": ["T1586", "T1586.003", "T1552"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Authentication.signature", "Authentication.user"], "risk_score": 30, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": ["Authentication"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_aws_console_login_by_new_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_users_console_logins", "description": "A table of users seen doing console logins, and the first and last time that the activity was observed", "collection": "previously_seen_users_console_logins", "fields_list": "_key, firstTime, lastTime, user, src, City, Region, Country"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/detect_aws_console_login_by_new_user.yml", "source": "cloud"}, {"name": "Detect AWS Console Login by User from New City", "id": "121b0b11-f8ac-4ed6-a132-3800ca4fc07a", "version": 2, "date": "2022-08-25", "author": "Bhavin Patel, Eric McGinnis Splunk", "type": "Hunting", "status": "production", "description": "This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour", "data_source": [], "search": "| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | `drop_dm_object_name(Authentication)` | rename City as justSeenCity | table firstTime lastTime user justSeenCity | join user type=outer [| inputlookup previously_seen_users_console_logins | rename City as previouslySeenCity | stats min(firstTime) AS earliestseen by user previouslySeenCity | fields earliestseen user previouslySeenCity] | eval userCity=if(firstTime >= relative_time(now(), \"-24h@h\"), \"New City\",\"Previously Seen City\") | where userCity = \"New City\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime lastTime user previouslySeenCity justSeenCity userCity | `detect_aws_console_login_by_user_from_new_city_filter`", "how_to_implement": "You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_city_filter` macro.", "known_false_positives": "When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.", "references": [], "tags": {"name": "Detect AWS Console Login by User from New City", "analytic_story": ["Suspicious AWS Login Activities", "Suspicious Cloud Authentication Activities", "AWS Identity and Access Management Account Takeover", "Compromised User Account"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "confidence": 60, "impact": 30, "kill_chain_phases": ["Weaponization", "Exploitation"], "message": "User $user$ is logging into the AWS console from City $City$ for the first time", "mitre_attack_id": ["T1586", "T1586.003", "T1535"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Authentication.signature", "Authentication.user", "Authentication.src"], "risk_score": 18, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": ["Authentication"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_aws_console_login_by_user_from_new_city_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_users_console_logins", "description": "A table of users seen doing console logins, and the first and last time that the activity was observed", "collection": "previously_seen_users_console_logins", "fields_list": "_key, firstTime, lastTime, user, src, City, Region, Country"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/detect_aws_console_login_by_user_from_new_city.yml", "source": "cloud"}, {"name": "Detect AWS Console Login by User from New Country", "id": "67bd3def-c41c-4bf6-837b-ae196b4257c6", "version": 2, "date": "2022-08-25", "author": "Bhavin Patel, Eric McGinnis Splunk", "type": "Hunting", "status": "production", "description": "This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour", "data_source": [], "search": "| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | `drop_dm_object_name(Authentication)` | rename Country as justSeenCountry | table firstTime lastTime user justSeenCountry | join user type=outer [| inputlookup previously_seen_users_console_logins | rename Country as previouslySeenCountry | stats min(firstTime) AS earliestseen by user previouslySeenCountry | fields earliestseen user previouslySeenCountry] | eval userCountry=if(firstTime >= relative_time(now(), \"-24h@h\"), \"New Country\",\"Previously Seen Country\") | where userCountry = \"New Country\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime lastTime user previouslySeenCountry justSeenCountry userCountry | `detect_aws_console_login_by_user_from_new_country_filter`", "how_to_implement": "You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_country_filter` macro.", "known_false_positives": "When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.", "references": [], "tags": {"name": "Detect AWS Console Login by User from New Country", "analytic_story": ["Suspicious AWS Login Activities", "Suspicious Cloud Authentication Activities", "AWS Identity and Access Management Account Takeover", "Compromised User Account"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Weaponization", "Exploitation"], "message": "User $user$ is logging into the AWS console from Country $Country$ for the first time", "mitre_attack_id": ["T1586", "T1586.003", "T1535"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Authentication.signature", "Authentication.user", "Authentication.src"], "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": ["Authentication"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_aws_console_login_by_user_from_new_country_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_users_console_logins", "description": "A table of users seen doing console logins, and the first and last time that the activity was observed", "collection": "previously_seen_users_console_logins", "fields_list": "_key, firstTime, lastTime, user, src, City, Region, Country"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/detect_aws_console_login_by_user_from_new_country.yml", "source": "cloud"}, {"name": "Detect AWS Console Login by User from New Region", "id": "9f31aa8e-e37c-46bc-bce1-8b3be646d026", "version": 2, "date": "2022-08-25", "author": "Bhavin Patel, Eric McGinnis Splunk", "type": "Hunting", "status": "production", "description": "This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour", "data_source": [], "search": "| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | `drop_dm_object_name(Authentication)` | rename Region as justSeenRegion | table firstTime lastTime user justSeenRegion | join user type=outer [| inputlookup previously_seen_users_console_logins | rename Region as previouslySeenRegion | stats min(firstTime) AS earliestseen by user previouslySeenRegion | fields earliestseen user previouslySeenRegion] | eval userRegion=if(firstTime >= relative_time(now(), \"-24h@h\"), \"New Region\",\"Previously Seen Region\") | where userRegion= \"New Region\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime lastTime user previouslySeenRegion justSeenRegion userRegion | `detect_aws_console_login_by_user_from_new_region_filter`", "how_to_implement": "You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_region_filter` macro.", "known_false_positives": "When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.", "references": [], "tags": {"name": "Detect AWS Console Login by User from New Region", "analytic_story": ["Suspicious AWS Login Activities", "Suspicious Cloud Authentication Activities", "AWS Identity and Access Management Account Takeover", "Compromised User Account"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation"], "message": "User $user$ is logging into the AWS console from Region $Region$ for the first time", "mitre_attack_id": ["T1586", "T1586.003", "T1535"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Authentication.signature", "Authentication.user", "Authentication.src"], "risk_score": 36, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": ["Authentication"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_aws_console_login_by_user_from_new_region_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_users_console_logins", "description": "A table of users seen doing console logins, and the first and last time that the activity was observed", "collection": "previously_seen_users_console_logins", "fields_list": "_key, firstTime, lastTime, user, src, City, Region, Country"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/detect_aws_console_login_by_user_from_new_region.yml", "source": "cloud"}, {"name": "Detect GCP Storage access from a new IP", "id": "ccc3246a-daa1-11ea-87d0-0242ac130022", "version": 1, "date": "2020-08-10", "author": "Shannon Davis, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search looks at GCP Storage bucket-access logs and detects new or previously unseen remote IP addresses that have successfully accessed a GCP Storage bucket.", "data_source": [], "search": "`google_gcp_pubsub_message` | multikv | rename sc_status_ as status | rename cs_object_ as bucket_name | rename c_ip_ as remote_ip | rename cs_uri_ as request_uri | rename cs_method_ as operation | search status=\"\\\"200\\\"\" | stats earliest(_time) as firstTime latest(_time) as lastTime by bucket_name remote_ip operation request_uri | table firstTime, lastTime, bucket_name, remote_ip, operation, request_uri | inputlookup append=t previously_seen_gcp_storage_access_from_remote_ip | stats min(firstTime) as firstTime, max(lastTime) as lastTime by bucket_name remote_ip operation request_uri | outputlookup previously_seen_gcp_storage_access_from_remote_ip | eval newIP=if(firstTime >= relative_time(now(),\"-70m@m\"), 1, 0) | where newIP=1 | eval first_time=strftime(firstTime,\"%m/%d/%y %H:%M:%S\") | eval last_time=strftime(lastTime,\"%m/%d/%y %H:%M:%S\") | table first_time last_time bucket_name remote_ip operation request_uri | `detect_gcp_storage_access_from_a_new_ip_filter`", "how_to_implement": "This search relies on the Splunk Add-on for Google Cloud Platform, setting up a Cloud Pub/Sub input, along with the relevant GCP PubSub topics and logging sink to capture GCP Storage Bucket events (https://cloud.google.com/logging/docs/routing/overview). In order to capture public GCP Storage Bucket access logs, you must also enable storage bucket logging to your PubSub Topic as per https://cloud.google.com/storage/docs/access-logs. These logs are deposited into the nominated Storage Bucket on an hourly basis and typically show up by 15 minutes past the hour. It is recommended to configure any saved searches or correlation searches in Enterprise Security to run on an hourly basis at 30 minutes past the hour (cron definition of 30 * * * *). A lookup table (previously_seen_gcp_storage_access_from_remote_ip.csv) stores the previously seen access requests, and is used by this search to determine any newly seen IP addresses accessing the Storage Buckets.", "known_false_positives": "GCP Storage buckets can be accessed from any IP (if the ACLs are open to allow it), as long as it can make a successful connection. This will be a false postive, since the search is looking for a new IP within the past two hours.", "references": [], "tags": {"name": "Detect GCP Storage access from a new IP", "analytic_story": ["Suspicious GCP Storage Activities"], "asset_type": "GCP Storage Bucket", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1530"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "sc_status_", "cs_object_", "c_ip_", "cs_uri_", "cs_method_"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1530", "mitre_attack_technique": "Data from Cloud Storage", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Fox Kitten"]}]}, "datamodel": [], "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_gcp_storage_access_from_a_new_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_gcp_storage_access_from_remote_ip", "description": "A place holder for a list of GCP storage access from remote IPs", "collection": "previously_seen_gcp_storage_access_from_remote_ip", "fields_list": "_key, firstTime, lastTime, bucket_name, remote_ip, operation, request_uri"}, {"name": "previously_seen_gcp_storage_access_from_remote_ip", "description": "A place holder for a list of GCP storage access from remote IPs", "collection": "previously_seen_gcp_storage_access_from_remote_ip", "fields_list": "_key, firstTime, lastTime, bucket_name, remote_ip, operation, request_uri"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/detect_gcp_storage_access_from_a_new_ip.yml", "source": "cloud"}, {"name": "Detect New Open GCP Storage Buckets", "id": "f6ea3466-d6bb-11ea-87d0-0242ac130003", "version": 1, "date": "2020-08-05", "author": "Shannon Davis, Splunk", "type": "TTP", "status": "experimental", "description": "This search looks for GCP PubSub events where a user has created an open/public GCP Storage bucket.", "data_source": [], "search": "`google_gcp_pubsub_message` data.resource.type=gcs_bucket data.protoPayload.methodName=storage.setIamPermissions | spath output=action path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.action | spath output=user path=data.protoPayload.authenticationInfo.principalEmail | spath output=location path=data.protoPayload.resourceLocation.currentLocations{} | spath output=src path=data.protoPayload.requestMetadata.callerIp | spath output=bucketName path=data.protoPayload.resourceName | spath output=role path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.role | spath output=member path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.member | search (member=allUsers AND action=ADD) | table _time, bucketName, src, user, location, action, role, member | search `detect_new_open_gcp_storage_buckets_filter`", "how_to_implement": "This search relies on the Splunk Add-on for Google Cloud Platform, setting up a Cloud Pub/Sub input, along with the relevant GCP PubSub topics and logging sink to capture GCP Storage Bucket events (https://cloud.google.com/logging/docs/routing/overview).", "known_false_positives": "While this search has no known false positives, it is possible that a GCP admin has legitimately created a public bucket for a specific purpose. That said, GCP strongly advises against granting full control to the \"allUsers\" group.", "references": [], "tags": {"name": "Detect New Open GCP Storage Buckets", "analytic_story": ["Suspicious GCP Storage Activities"], "asset_type": "GCP Storage Bucket", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1530"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "data.resource.type", "data.protoPayload.methodName", "data.protoPayload.serviceData.policyDelta.bindingDeltas{}.action", "data.protoPayload.authenticationInfo.principalEmail", "data.protoPayload.resourceLocation.currentLocations{}", "data.protoPayload.requestMetadata.callerIp", "data.protoPayload.resourceName", "data.protoPayload.serviceData.policyDelta.bindingDeltas{}.role", "data.protoPayload.serviceData.policyDelta.bindingDeltas{}.member"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1530", "mitre_attack_technique": "Data from Cloud Storage", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Fox Kitten"]}]}, "datamodel": ["Email"], "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_new_open_gcp_storage_buckets_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/detect_new_open_gcp_storage_buckets.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Detect New Open S3 buckets", "id": "2a9b80d3-6340-4345-b5ad-290bf3d0dac4", "version": 3, "date": "2021-07-19", "author": "Bhavin Patel, Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket.", "data_source": [], "search": "`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl | rex field=_raw \"(?{.+})\" | spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} | search grantees=* | mvexpand grantees | spath input=grantees output=uri path=Grantee.URI | spath input=grantees output=permission path=Permission | search uri IN (\"http://acs.amazonaws.com/groups/global/AllUsers\",\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\") | search permission IN (\"READ\",\"READ_ACP\",\"WRITE\",\"WRITE_ACP\",\"FULL_CONTROL\") | rename requestParameters.bucketName AS bucketName | stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_new_open_s3_buckets_filter` ", "how_to_implement": "You must install the AWS App for Splunk.", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately created a public bucket for a specific purpose. That said, AWS strongly advises against granting full control to the \"All Users\" group.", "references": [], "tags": {"name": "Detect New Open S3 buckets", "analytic_story": ["Suspicious AWS S3 Activities"], "asset_type": "S3 Bucket", "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "User $user_arn$ has created an open/public bucket $bucketName$ with the following permissions $permission$", "mitre_attack_id": ["T1530"], "nist": ["DE.CM"], "observable": [{"name": "user_arn", "type": "User", "role": ["Attacker"]}, {"name": "bucketName", "type": "Other", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventSource", "eventName", "requestParameters.bucketName", "user_arn", "userIdentity.principalId", "userAgent", "uri", "permission"], "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1530", "mitre_attack_technique": "Data from Cloud Storage", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Fox Kitten"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1530/aws_s3_public_bucket/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_new_open_s3_buckets_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/detect_new_open_s3_buckets.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "Detect New Open S3 Buckets over AWS CLI", "id": "39c61d09-8b30-4154-922b-2d0a694ecc22", "version": 2, "date": "2021-07-19", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket over the aws cli.", "data_source": [], "search": "`cloudtrail` eventSource=\"s3.amazonaws.com\" (userAgent=\"[aws-cli*\" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN (\"*AuthenticatedUsers\",\"*AllUsers\") OR requestParameters.accessControlList.x-amz-grant-write IN (\"*AuthenticatedUsers\",\"*AllUsers\") OR requestParameters.accessControlList.x-amz-grant-write-acp IN (\"*AuthenticatedUsers\",\"*AllUsers\") OR requestParameters.accessControlList.x-amz-grant-full-control IN (\"*AuthenticatedUsers\",\"*AllUsers\") | rename requestParameters.bucketName AS bucketName | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_new_open_s3_buckets_over_aws_cli_filter` ", "how_to_implement": "", "known_false_positives": "While this search has no known false positives, it is possible that an AWS admin has legitimately created a public bucket for a specific purpose. That said, AWS strongly advises against granting full control to the \"All Users\" group.", "references": [], "tags": {"name": "Detect New Open S3 Buckets over AWS CLI", "analytic_story": ["Suspicious AWS S3 Activities"], "asset_type": "S3 Bucket", "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "User $userIdentity.userName$ has created an open/public bucket $bucketName$ using AWS CLI with the following permissions - $requestParameters.accessControlList.x-amz-grant-read$ $requestParameters.accessControlList.x-amz-grant-read-acp$ $requestParameters.accessControlList.x-amz-grant-write$ $requestParameters.accessControlList.x-amz-grant-write-acp$ $requestParameters.accessControlList.x-amz-grant-full-control$", "mitre_attack_id": ["T1530"], "nist": ["DE.CM"], "observable": [{"name": "userIdentity.userName", "type": "User", "role": ["Attacker"]}, {"name": "bucketName", "type": "Other", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventSource", "eventName", "requestParameters.accessControlList.x-amz-grant-read-acp", "requestParameters.accessControlList.x-amz-grant-write", "requestParameters.accessControlList.x-amz-grant-write-acp", "requestParameters.accessControlList.x-amz-grant-full-control", "requestParameters.bucketName", "userIdentity.userName", "userIdentity.principalId", "userAgent", "bucketName"], "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1530", "mitre_attack_technique": "Data from Cloud Storage", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Fox Kitten"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1530/aws_s3_public_bucket/aws_cloudtrail_events.json", "source": "aws_cloudtrail", "sourcetype": "aws:cloudtrail", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_new_open_s3_buckets_over_aws_cli_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/detect_new_open_s3_buckets_over_aws_cli.yml", "source": "cloud", "nes_fields": "user,dest", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "Detect S3 access from a new IP", "id": "e6f1bb1b-f441-492b-9126-902acda217da", "version": 1, "date": "2018-06-28", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search looks at S3 bucket-access logs and detects new or previously unseen remote IP addresses that have successfully accessed an S3 bucket.", "data_source": [], "search": "`aws_s3_accesslogs` http_status=200 [search `aws_s3_accesslogs` http_status=200 | stats earliest(_time) as firstTime latest(_time) as lastTime by bucket_name remote_ip | inputlookup append=t previously_seen_S3_access_from_remote_ip | stats min(firstTime) as firstTime, max(lastTime) as lastTime by bucket_name remote_ip | outputlookup previously_seen_S3_access_from_remote_ip| eval newIP=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newIP=1 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | table bucket_name remote_ip]| iplocation remote_ip |rename remote_ip as src_ip | table _time bucket_name src_ip City Country operation request_uri | `detect_s3_access_from_a_new_ip_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your S3 access logs' inputs. This search works best when you run the \"Previously Seen S3 Bucket Access by Remote IP\" support search once to create a history of previously seen remote IPs and bucket names.", "known_false_positives": "S3 buckets can be accessed from any IP, as long as it can make a successful connection. This will be a false postive, since the search is looking for a new IP within the past hour", "references": [], "tags": {"name": "Detect S3 access from a new IP", "analytic_story": ["Suspicious AWS S3 Activities"], "asset_type": "S3 Bucket", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1530"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "http_status", "bucket_name", "remote_ip"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1530", "mitre_attack_technique": "Data from Cloud Storage", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Fox Kitten"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "aws_s3_accesslogs", "definition": "sourcetype=aws:s3:accesslogs", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_s3_access_from_a_new_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_S3_access_from_remote_ip", "description": "A placeholder for a list of IPs that have access S3", "collection": "previously_seen_S3_access_from_remote_ip", "fields_list": "_key, bucket_name,remote_ip,earliest,latest"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/detect_s3_access_from_a_new_ip.yml", "source": "cloud"}, {"name": "Detect Spike in AWS Security Hub Alerts for EC2 Instance", "id": "2a9b80d3-6340-4345-b5ad-290bf5d0d222", "version": 3, "date": "2021-01-26", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "production", "description": "This search looks for a spike in number of of AWS security Hub alerts for an EC2 instance in 4 hours intervals", "data_source": [], "search": "`aws_securityhub_finding` \"Resources{}.Type\"=AWSEC2Instance | bucket span=4h _time | stats count AS alerts values(Title) as Title values(Types{}) as Types values(vendor_account) as vendor_account values(vendor_region) as vendor_region values(severity) as severity by _time dest | eventstats avg(alerts) as total_alerts_avg, stdev(alerts) as total_alerts_stdev | eval threshold_value = 3 | eval isOutlier=if(alerts > total_alerts_avg+(total_alerts_stdev * threshold_value), 1, 0) | search isOutlier=1 | table _time dest alerts Title Types vendor_account vendor_region severity isOutlier total_alerts_avg | `detect_spike_in_aws_security_hub_alerts_for_ec2_instance_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your Security Hub inputs. The threshold_value should be tuned to your environment and schedule these searches according to the bucket span interval.", "known_false_positives": "None", "references": [], "tags": {"name": "Detect Spike in AWS Security Hub Alerts for EC2 Instance", "analytic_story": ["AWS Security Hub Alerts"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": [], "message": "Spike in AWS security Hub alerts with title $Title$ for EC2 instance $dest$", "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Resources{}.Type", "Title", "Types{}", "vendor_account", "vendor_region", "severity", "dest"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/security_hub_ec2_spike/security_hub_ec2_spike.json", "source": "aws_securityhub_finding", "sourcetype": "aws:securityhub:finding"}]}], "datamodel": [], "macros": [{"name": "aws_securityhub_finding", "definition": "sourcetype=\"aws:securityhub:finding\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_spike_in_aws_security_hub_alerts_for_ec2_instance_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_ec2_instance.yml", "source": "cloud"}, {"name": "Detect Spike in AWS Security Hub Alerts for User", "id": "2a9b80d3-6220-4345-b5ad-290bf5d0d222", "version": 3, "date": "2021-01-26", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search looks for a spike in number of of AWS security Hub alerts for an AWS IAM User in 4 hours intervals.", "data_source": [], "search": "`aws_securityhub_finding` \"findings{}.Resources{}.Type\"= AwsIamUser | rename findings{}.Resources{}.Id as user | bucket span=4h _time | stats count AS alerts by _time user | eventstats avg(alerts) as total_launched_avg, stdev(alerts) as total_launched_stdev | eval threshold_value = 2 | eval isOutlier=if(alerts > total_launched_avg+(total_launched_stdev * threshold_value), 1, 0) | search isOutlier=1 | table _time user alerts |`detect_spike_in_aws_security_hub_alerts_for_user_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your Security Hub inputs. The threshold_value should be tuned to your environment and schedule these searches according to the bucket span interval.", "known_false_positives": "None", "references": [], "tags": {"name": "Detect Spike in AWS Security Hub Alerts for User", "analytic_story": ["AWS Security Hub Alerts"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "findings{}.Resources{}.Type", "indings{}.Resources{}.Id", "user"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "aws_securityhub_finding", "definition": "sourcetype=\"aws:securityhub:finding\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_spike_in_aws_security_hub_alerts_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_user.yml", "source": "cloud"}, {"name": "Detect Spike in blocked Outbound Traffic from your AWS", "id": "d3fffa37-492f-487b-a35d-c60fcb2acf01", "version": 1, "date": "2018-05-07", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search will detect spike in blocked outbound network connections originating from within your AWS environment. It will also update the cache file that factors in the latest data.", "data_source": [], "search": "`cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) [search `cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) | stats count as numberOfBlockedConnections by src_ip | inputlookup baseline_blocked_outbound_connections append=t | fields - latestCount | stats values(*) as * by src_ip | rename numberOfBlockedConnections as latestCount | eval newAvgBlockedConnections=avgBlockedConnections + (latestCount-avgBlockedConnections)/720 | eval newStdevBlockedConnections=sqrt(((pow(stdevBlockedConnections, 2)*719 + (latestCount-newAvgBlockedConnections)*(latestCount-avgBlockedConnections))/720)) | eval avgBlockedConnections=coalesce(newAvgBlockedConnections, avgBlockedConnections), stdevBlockedConnections=coalesce(newStdevBlockedConnections, stdevBlockedConnections), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table src_ip, latestCount, numDataPoints, avgBlockedConnections, stdevBlockedConnections | outputlookup baseline_blocked_outbound_connections | eval dataPointThreshold = 5, deviationThreshold = 3 | eval isSpike=if((latestCount > avgBlockedConnections+deviationThreshold*stdevBlockedConnections) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | table src_ip] | stats values(dest_ip) as \"Blocked Destination IPs\", values(interface_id) as \"resourceId\" count as numberOfBlockedConnections, dc(dest_ip) as uniqueDestConnections by src_ip | `detect_spike_in_blocked_outbound_traffic_from_your_aws_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your VPC Flow logs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the number of data points required to meet the definition of \"spike.\" The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the \"Baseline of Blocked Outbound Connection\" support search once to create a history of previously seen blocked outbound connections.", "known_false_positives": "The false-positive rate may vary based on the values of`dataPointThreshold` and `deviationThreshold`. Additionally, false positives may result when AWS administrators roll out policies enforcing network blocks, causing sudden increases in the number of blocked outbound connections.", "references": [], "tags": {"name": "Detect Spike in blocked Outbound Traffic from your AWS", "analytic_story": ["AWS Network ACL Activity", "Suspicious AWS Traffic", "Command And Control"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "action", "src_ip", "dest_ip"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "cloudwatchlogs_vpcflow", "definition": "sourcetype=aws:cloudwatchlogs:vpcflow", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_spike_in_blocked_outbound_traffic_from_your_aws_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "baseline_blocked_outbound_connections", "description": "A lookup file that will contain the baseline information for number of blocked outbound connections", "filename": "baseline_blocked_outbound_connections.csv"}, {"name": "baseline_blocked_outbound_connections", "description": "A lookup file that will contain the baseline information for number of blocked outbound connections", "filename": "baseline_blocked_outbound_connections.csv"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/detect_spike_in_blocked_outbound_traffic_from_your_aws.yml", "source": "cloud"}, {"name": "Detect Spike in S3 Bucket deletion", "id": "e733a326-59d2-446d-b8db-14a17151aa68", "version": 1, "date": "2018-11-27", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search detects users creating spikes in API activity related to deletion of S3 buckets in your AWS environment. It will also update the cache file that factors in the latest data.", "data_source": [], "search": "`cloudtrail` eventName=DeleteBucket [search `cloudtrail` eventName=DeleteBucket | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup s3_deletion_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup s3_deletion_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | spath output=bucketName path=requestParameters.bucketName | stats values(bucketName) as bucketName, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_s3_bucket_deletion_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the \"Baseline of S3 Bucket deletion activity by ARN\" support search once to create a baseline of previously seen S3 bucket-deletion activity.", "known_false_positives": "Based on the values of`dataPointThreshold` and `deviationThreshold`, the false positive rate may vary. Please modify this according the your environment.", "references": [], "tags": {"name": "Detect Spike in S3 Bucket deletion", "analytic_story": ["Suspicious AWS S3 Activities"], "asset_type": "S3 Bucket", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1530"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "userIdentity.arn"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1530", "mitre_attack_technique": "Data from Cloud Storage", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Fox Kitten"]}]}, "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_spike_in_s3_bucket_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "s3_deletion_baseline", "description": "A placeholder for the baseline information for AWS S3 deletions", "collection": "s3_deletion_baseline", "fields_list": "_key, arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls"}, {"name": "s3_deletion_baseline", "description": "A placeholder for the baseline information for AWS S3 deletions", "collection": "s3_deletion_baseline", "fields_list": "_key, arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/detect_spike_in_s3_bucket_deletion.yml", "source": "cloud", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "GCP Authentication Failed During MFA Challenge", "id": "345f7e1d-a3fe-4158-abd8-e630f9878323", "version": 1, "date": "2022-10-12", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies an authentication attempt event against a Google Cloud Platform tenant that fails during the Multi Factor Authentication challenge. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled. ", "data_source": [], "search": " `gws_reports_login` event.name=login_failure `gws_login_mfa_methods` | stats values(user) by _time, src_ip, login_challenge_method | `gcp_authentication_failed_during_mfa_challenge_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. Specifically, this analytic leverages the User log events.", "known_false_positives": "Legitimate users may miss to reply the MFA challenge within the time window or deny it by mistake.", "references": ["https://attack.mitre.org/techniques/T1621/", "https://attack.mitre.org/techniques/T1078/004/"], "tags": {"name": "GCP Authentication Failed During MFA Challenge", "analytic_story": ["GCP Account Takeover"], "asset_type": "Google Cloud Platform tenant", "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "message": "User $user$ failed to pass MFA challenge", "mitre_attack_id": ["T1586", "T1586.003", "T1078", "T1078.004", "T1621"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "user", "src_ip", "login_challenge_method", "event.parameters{}.multiValue{}"], "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/gcp_failed_mfa/gws_login.log", "source": "gws:reports:login", "sourcetype": "gws:reports:login", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "gws_reports_login", "definition": "sourcetype=gws:reports:login", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gws_login_mfa_methods", "definition": "event.parameters{}.multiValue{} IN (\"backup_code\", \"google_authenticator\", \"google_prompt\", \"idv_any_phone\", \"idv_preregistered_phone\", \"internal_two_factor\", \"knowledge_employee_id\", \"knowledge_preregistered_email\", \"login_location\", \"knowledge_preregistered_phone\", \"offline_otp\", \"security_key\", \"security_key_otp\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gcp_authentication_failed_during_mfa_challenge_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/gcp_authentication_failed_during_mfa_challenge.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "GCP Detect gcploit framework", "id": "a1c5a85e-a162-410c-a5d9-99ff639e5a52", "version": 1, "date": "2020-10-08", "author": "Rod Soto, Splunk", "type": "TTP", "status": "experimental", "description": "This search provides detection of GCPloit exploitation framework. This framework can be used to escalate privileges and move laterally from compromised high privilege accounts.", "data_source": [], "search": "`google_gcp_pubsub_message` data.protoPayload.request.function.timeout=539s | table src src_user data.resource.labels.project_id data.protoPayload.request.function.serviceAccountEmail data.protoPayload.authorizationInfo{}.permission data.protoPayload.request.location http_user_agent | `gcp_detect_gcploit_framework_filter`", "how_to_implement": "You must install splunk GCP add-on. This search works with gcp:pubsub:message logs", "known_false_positives": "Payload.request.function.timeout value can possibly be match with other functions or requests however the source user and target request account may indicate an attempt to move laterally accross acounts or projects", "references": ["https://github.com/dxa4481/gcploit", "https://www.youtube.com/watch?v=Ml09R38jpok"], "tags": {"name": "GCP Detect gcploit framework", "analytic_story": ["GCP Cross Account Activity"], "asset_type": "GCP Account", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "data.protoPayload.request.function.timeout", "src", "src_user", "data.resource.labels.project_id", "data.protoPayload.request.function.serviceAccountEmail", "data.protoPayload.authorizationInfo{}.permission", "data.protoPayload.request.location", "http_user_agent"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "datamodel": ["Email"], "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gcp_detect_gcploit_framework_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/gcp_detect_gcploit_framework.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "GCP Kubernetes cluster pod scan detection", "id": "19b53215-4a16-405b-8087-9e6acf619842", "version": 1, "date": "2020-07-17", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "experimental", "description": "This search provides information of unauthenticated requests via user agent, and authentication data against Kubernetes cluster's pods", "data_source": [], "search": "`google_gcp_pubsub_message` category=kube-audit |spath input=properties.log |search responseStatus.code=401 |table sourceIPs{} userAgent verb requestURI responseStatus.reason properties.pod | `gcp_kubernetes_cluster_pod_scan_detection_filter`", "how_to_implement": "You must install the GCP App for Splunk (version 2.0.0 or later), then configure stackdriver and set a Pub/Sub subscription to be imported to Splunk.", "known_false_positives": "Not all unauthenticated requests are malicious, but frequency, User Agent, source IPs and pods will provide context.", "references": [], "tags": {"name": "GCP Kubernetes cluster pod scan detection", "analytic_story": ["Kubernetes Scanning Activity"], "asset_type": "GCP Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1526"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "category", "responseStatus.code", "sourceIPs{}", "userAgent", "verb", "requestURI", "responseStatus.reason", "properties.pod"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "datamodel": [], "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gcp_kubernetes_cluster_pod_scan_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/gcp_kubernetes_cluster_pod_scan_detection.yml", "source": "cloud"}, {"name": "GCP Multi-Factor Authentication Disabled", "id": "b9bc5513-6fc1-4821-85a3-e1d81e451c83", "version": 1, "date": "2022-10-12", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies an attempt to disable multi-factor authentication for a GCP user. An adversary who has obtained access to an GCP tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users.", "data_source": [], "search": " `gws_reports_admin` command=UNENROLL_USER_FROM_STRONG_AUTH | stats values(user) by _time, command, actor.email, status | `gcp_multi_factor_authentication_disabled_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. Specifically, this analytic leverages the Admin log events.", "known_false_positives": "Legitimate use case may require for users to disable MFA. Filter as needed.", "references": ["https://support.google.com/cloudidentity/answer/2537800?hl=en", "https://attack.mitre.org/tactics/TA0005/", "https://attack.mitre.org/techniques/T1556/"], "tags": {"name": "GCP Multi-Factor Authentication Disabled", "analytic_story": ["GCP Account Takeover"], "asset_type": "GCP", "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Weaponization", "Exploitation", "Installation"], "message": "MFA disabled for User $user$ initiated by $actor.email$", "mitre_attack_id": ["T1586", "T1586.003", "T1556", "T1556.006"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "actor.email", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "actor.email", "user", "command", "status"], "risk_score": 45, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/gcp_disable_mfa/gws_admin.log", "source": "gws:reports:admin", "sourcetype": "gws:reports:admin", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "gws_reports_admin", "definition": "sourcetype=gws:reports:admin", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gcp_multi_factor_authentication_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/gcp_multi_factor_authentication_disabled.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "GCP Multiple Failed MFA Requests For User", "id": "cbb3cb84-c06f-4393-adcc-5cb6195621f1", "version": 1, "date": "2022-10-14", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies multiple failed multi-factor authentication requests for a single user within a Google Cloud Platform tenant. Specifically, the analytic triggers when 10 or more MFA user prompts fail within 5 minutes. Google CLoud tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others.", "data_source": [], "search": " `gws_reports_login` event.name=login_failure `gws_login_mfa_methods` | bucket span=5m _time | stats dc(_raw) AS mfa_prompts values(user) by src_ip, login_challenge_method, _time | where mfa_prompts >= 10 | `gcp_multiple_failed_mfa_requests_for_user_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. We would also recommend tuning the detection by adjusting the window `span` and `mfa_prompts` threshold values according to your environment. Specifically, this analytic leverages the User log events.", "known_false_positives": "Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed.", "references": ["https://www.mandiant.com/resources/blog/russian-targeting-gov-business", "https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/", "https://therecord.media/russian-hackers-bypass-2fa-by-annoying-victims-with-repeated-push-notifications/", "https://attack.mitre.org/techniques/T1621/", "https://attack.mitre.org/techniques/T1078/004/"], "tags": {"name": "GCP Multiple Failed MFA Requests For User", "analytic_story": ["GCP Account Takeover"], "asset_type": "Google Cloud Platform tenant", "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "message": "Multiple Failed MFA requests for user $user$", "mitre_attack_id": ["T1586", "T1586.003", "T1621", "T1078", "T1078.004"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": null, "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 54, "security_domain": "identity", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/multiple_failed_mfa_gws/gws_login.log", "source": "gws:reports:login", "sourcetype": "gws:reports:login", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "gws_reports_login", "definition": "sourcetype=gws:reports:login", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gws_login_mfa_methods", "definition": "event.parameters{}.multiValue{} IN (\"backup_code\", \"google_authenticator\", \"google_prompt\", \"idv_any_phone\", \"idv_preregistered_phone\", \"internal_two_factor\", \"knowledge_employee_id\", \"knowledge_preregistered_email\", \"login_location\", \"knowledge_preregistered_phone\", \"offline_otp\", \"security_key\", \"security_key_otp\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gcp_multiple_failed_mfa_requests_for_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/gcp_multiple_failed_mfa_requests_for_user.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "GCP Multiple Users Failing To Authenticate From Ip", "id": "da20828e-d6fb-4ee5-afb7-d0ac200923d5", "version": 1, "date": "2022-10-12", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies one source Ip failing to authenticate into the Google Workspace user accounts with more than 20 unique valid users within 5 minutes. These user accounts may have other privileges with respect to access to other sensitive resources in the Google Cloud Platform. This behavior could represent an adversary performing a Password Spraying attack against an Google Workspace environment to obtain initial access or elevate privileges.", "data_source": [], "search": "`gws_reports_login` event.type = login event.name = login_failure | bucket span=5m _time | stats count dc(user) AS unique_accounts values(user) as tried_accounts values(authentication_method) AS authentication_method earliest(_time) as firstTime latest(_time) as lastTime by _time event.name src app id.applicationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where unique_accounts > 20 | `gcp_multiple_users_failing_to_authenticate_from_ip_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. We would also recommend tuning the detection by adjusting the window `span` and `unique_accounts` threshold values according to your environment. Specifically, this analytic leverages the User log events.", "known_false_positives": "No known false postives for this detection. Please review this alert.", "references": ["https://cloud.google.com/blog/products/identity-security/how-google-cloud-can-help-stop-credential-stuffing-attacks", "https://www.slideshare.net/dafthack/ok-google-how-do-i-red-team-gsuite", "https://attack.mitre.org/techniques/T1110/003/", "https://www.blackhillsinfosec.com/wp-content/uploads/2020/05/Breaching-the-Cloud-Perimeter-Slides.pdf"], "tags": {"name": "GCP Multiple Users Failing To Authenticate From Ip", "analytic_story": ["GCP Account Takeover"], "asset_type": "Google Cloud Platform tenant", "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation"], "message": "Multiple failed login attempts against users $tried_accounts$ seen from $src_ip$", "mitre_attack_id": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "tried_accounts", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "event.name", "event.type", "authentication_method", "app", "id.applicationName", "src"], "risk_score": 54, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/gcp_gws_multiple_login_failure/gws_login.json", "source": "gws_login", "sourcetype": "gws:reports:login", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "gws_reports_login", "definition": "sourcetype=gws:reports:login", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gcp_multiple_users_failing_to_authenticate_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/gcp_multiple_users_failing_to_authenticate_from_ip.yml", "source": "cloud"}, {"name": "GCP Successful Single-Factor Authentication", "id": "40e17d88-87da-414e-b253-8dc1e4f9555b", "version": 1, "date": "2022-10-12", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a successful authentication event against Google Cloud Platform for an account without Multi-Factor Authentication enabled. This could be evidence of a missconfiguration, a policy violation or an account take over attempt that should be investigated", "data_source": [], "search": " `gws_reports_login` event.name=login_success NOT `gws_login_mfa_methods` | stats values(user) by _time, src_ip, login_challenge_method | `gcp_successful_single_factor_authentication_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. Specifically, this analytic leverages the User log events.", "known_false_positives": "Although not recommended, certain users may be required without multi-factor authentication. Filter as needed", "references": ["https://attack.mitre.org/techniques/T1078/004/", "https://support.google.com/a/answer/175197?hl=en", "https://www.forbes.com/sites/daveywinder/2020/07/08/new-dark-web-audit-reveals-15-billion-stolen-logins-from-100000-breaches-passwords-hackers-cybercrime/?sh=69927b2a180f"], "tags": {"name": "GCP Successful Single-Factor Authentication", "analytic_story": ["GCP Account Takeover"], "asset_type": "Google Cloud Platform tenant", "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Weaponization", "Exploitation", "Delivery", "Installation"], "message": "Successful authentication for user $user$ without MFA", "mitre_attack_id": ["T1586", "T1586.003", "T1078", "T1078.004"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "event.name", "event.parameters{}.multiValue{}", "user", "src_ip", "login_challenge_method"], "risk_score": 45, "security_domain": "identity", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/gcp_single_factor_auth/gws_login.log", "source": "gws:reports:login", "sourcetype": "gws:reports:login", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "gws_reports_login", "definition": "sourcetype=gws:reports:login", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gws_login_mfa_methods", "definition": "event.parameters{}.multiValue{} IN (\"backup_code\", \"google_authenticator\", \"google_prompt\", \"idv_any_phone\", \"idv_preregistered_phone\", \"internal_two_factor\", \"knowledge_employee_id\", \"knowledge_preregistered_email\", \"login_location\", \"knowledge_preregistered_phone\", \"offline_otp\", \"security_key\", \"security_key_otp\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gcp_successful_single_factor_authentication_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/gcp_successful_single_factor_authentication.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "GCP Unusual Number of Failed Authentications From Ip", "id": "bd8097ed-958a-4873-87d9-44f2b4d85705", "version": 1, "date": "2022-10-13", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies one source IP failing to authenticate into the Google Workspace with multiple valid users. This behavior could represent an adversary performing a Password Spraying attack against a Google Workspace enviroment to obtain initial access or elevate privileges. The detection calculates the standard deviation for source IP and leverages the 3-sigma statistical rule to identify an unusual number of failed authentication attempts. To customize this analytic, users can try different combinations of the bucket span time and the calculation of the upperBound field. This logic can be used for real time security monitoring as well as threat hunting exercises. While looking for anomalies using statistical methods like the standard deviation can have benefits, we also recommend using threshold-based detections to complement coverage. A similar analytic following the threshold model is `GCP Multiple Users Failing To Authenticate From Ip`", "data_source": [], "search": "`gws_reports_login` event.type = login event.name = login_failure| bucket span=5m _time | stats dc(user_name) AS unique_accounts values(user_name) as tried_accounts values(authentication_method) AS authentication_method by _time, src | eventstats avg(unique_accounts) as ip_avg , stdev(unique_accounts) as ip_std by _time | eval upperBound=(ip_avg+ip_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | where isOutlier =1| `gcp_unusual_number_of_failed_authentications_from_ip_filter`", "how_to_implement": "You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. We would also recommend tuning the detection by adjusting the window `span` and `unique_accounts` threshold values according to your environment. Specifically, this analytic leverages the User log events.", "known_false_positives": "No known false positives for this detection. Please review this alert", "references": ["https://cloud.google.com/blog/products/identity-security/how-google-cloud-can-help-stop-credential-stuffing-attacks", "https://www.slideshare.net/dafthack/ok-google-how-do-i-red-team-gsuite", "https://attack.mitre.org/techniques/T1110/003/", "https://www.blackhillsinfosec.com/wp-content/uploads/2020/05/Breaching-the-Cloud-Perimeter-Slides.pdf"], "tags": {"name": "GCP Unusual Number of Failed Authentications From Ip", "analytic_story": ["GCP Account Takeover"], "asset_type": "Google Cloud Platform tenant", "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Weaponization", "Exploitation"], "message": "Unusual number of failed console login attempts against users $tried_accounts$ seen from $src_ip$", "mitre_attack_id": ["T1586", "T1586.003", "T1110", "T1110.003", "T1110.004"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "tried_accounts", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "event.name", "src", "event.type", "user_name"], "risk_score": 54, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/gcp_gws_multiple_login_failure/gws_login.json", "source": "gws_login", "sourcetype": "gws:reports:login", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "gws_reports_login", "definition": "sourcetype=gws:reports:login", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gcp_unusual_number_of_failed_authentications_from_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/gcp_unusual_number_of_failed_authentications_from_ip.yml", "source": "cloud"}, {"name": "Gdrive suspicious file sharing", "id": "a7131dae-34e3-11ec-a2de-acde48001122", "version": 1, "date": "2021-10-24", "author": "Rod Soto, Teoderick Contreras", "type": "Hunting", "status": "experimental", "description": "This search can help the detection of compromised accounts or internal users sharing potentially malicious/classified documents with users outside your organization via GSuite file sharing .", "data_source": [], "search": "`gsuite_drive` name=change_user_access | rename parameters.* as * | search email = \"*@yourdomain.com\" target_user != \"*@yourdomain.com\" | stats count values(owner) as owner values(target_user) as target values(doc_type) as doc_type values(doc_title) as doc_title dc(target_user) as distinct_target by src_ip email | where distinct_target > 50 | `gdrive_suspicious_file_sharing_filter`", "how_to_implement": "Need to implement Gsuite logging targeting Google suite drive activity. In order for the search to work for your environment please update `yourdomain.com` value in the query with the domain relavant for your organization.", "known_false_positives": "This is an anomaly search, you must specify your domain in the parameters so it either filters outside domains or focus on internal domains. This search may also help investigate compromise of accounts. By looking at for example source ip addresses, document titles and abnormal number of shares and shared target users.", "references": ["https://www.splunk.com/en_us/blog/security/investigating-gsuite-phishing-attacks-with-splunk.html"], "tags": {"name": "Gdrive suspicious file sharing", "analytic_story": ["Spearphishing Attachments", "Data Exfiltration"], "asset_type": "GDrive", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "tbd", "mitre_attack_id": ["T1566"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "src_ip", "parameters.owner", "parameters.target_user", "parameters.doc_title", "parameters.doc_type"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "datamodel": [], "macros": [{"name": "gsuite_drive", "definition": "sourcetype=gsuite:drive:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gdrive_suspicious_file_sharing_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/gdrive_suspicious_file_sharing.yml", "source": "cloud"}, {"name": "GitHub Actions Disable Security Workflow", "id": "0459f1a5-c0ac-4987-82d6-65081209f854", "version": 1, "date": "2022-04-04", "author": "Patrick Bareiss, Splunk", "type": "Anomaly", "status": "production", "description": "This search detects a disabled security workflow in GitHub Actions. An attacker can disable a security workflow in GitHub actions to hide malicious code in it.", "data_source": [], "search": "`github` workflow_run.event=push OR workflow_run.event=pull_request | stats values(workflow_run.name) as workflow_run.name by workflow_run.head_commit.id workflow_run.event workflow_run.head_branch workflow_run.head_commit.author.email workflow_run.head_commit.author.name workflow_run.head_commit.message workflow_run.head_commit.timestamp workflow_run.head_repository.full_name workflow_run.head_repository.owner.id workflow_run.head_repository.owner.login workflow_run.head_repository.owner.type | rename workflow_run.head_commit.author.name as user, workflow_run.head_commit.author.email as user_email, workflow_run.head_repository.full_name as repository, workflow_run.head_branch as branch | search NOT workflow_run.name=*security-testing* | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_actions_disable_security_workflow_filter`", "how_to_implement": "You must index GitHub logs. You can follow the url in reference to onboard GitHub logs. Sometimes GitHub logs are truncated, make sure to disable it in props.conf. Replace *security-testing* with the name of your security testing workflow in GitHub Actions.", "known_false_positives": "unknown", "references": ["https://www.splunk.com/en_us/blog/tips-and-tricks/getting-github-data-with-webhooks.html"], "tags": {"name": "GitHub Actions Disable Security Workflow", "analytic_story": ["Dev Sec Ops"], "asset_type": "GitHub", "cis20": ["CIS 13"], "confidence": 90, "impact": 30, "kill_chain_phases": ["Delivery"], "message": "Security Workflow is disabled in branch $branch$ for repository $repository$", "mitre_attack_id": ["T1195.002", "T1195"], "nist": ["DE.AE"], "observable": [{"name": "repository", "type": "Unknown", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["workflow_run.event", "workflow_run.name", "workflow_run.head_commit.id", "workflow_run.event workflow_run.head_branch", "workflow_run.head_commit.author.email", "workflow_run.head_commit.author.name", "workflow_run.head_commit.message", "workflow_run.head_commit.timestamp", "workflow_run.head_repository.full_name", "workflow_run.head_repository.owner.id", "workflow_run.head_repository.owner.login", "workflow_run.head_repository.owner.type"], "risk_score": 27, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1195.002", "mitre_attack_technique": "Compromise Software Supply Chain", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT41", "Cobalt Group", "Dragonfly", "GOLD SOUTHFIELD", "Sandworm Team", "Threat Group-3390"]}, {"mitre_attack_id": "T1195", "mitre_attack_technique": "Supply Chain Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.002/github_actions_disable_security_workflow/github_actions_disable_security_workflow.log", "source": "github", "sourcetype": "aws:firehose:json"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "github", "definition": "sourcetype=aws:firehose:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "github_actions_disable_security_workflow_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/github_actions_disable_security_workflow.yml", "source": "cloud"}, {"name": "Github Commit Changes In Master", "id": "c9d2bfe2-019f-11ec-a8eb-acde48001122", "version": 1, "date": "2021-08-20", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This search is to detect a pushed or commit to master or main branch. This is to avoid unwanted modification to master without a review to the changes. Ideally in terms of devsecops the changes made in a branch and do a PR for review. of course in some cases admin of the project may did a changes directly to master branch", "data_source": [], "search": "`github` branches{}.name = main OR branches{}.name = master | stats count min(_time) as firstTime max(_time) as lastTime by commit.commit.author.email commit.author.login commit.commit.message repository.pushed_at commit.commit.committer.date repository.full_name | rename commit.author.login as user, repository.full_name as repository | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_commit_changes_in_master_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to github logs having the fork, commit, push metadata that can be use to monitor the changes in a github project.", "known_false_positives": "admin can do changes directly to master branch", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops"], "tags": {"name": "Github Commit Changes In Master", "analytic_story": ["Dev Sec Ops"], "asset_type": "GitHub", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Delivery"], "message": "suspicious commit by $commit.commit.author.email$ to main branch", "mitre_attack_id": ["T1199"], "nist": ["DE.AE"], "observable": [{"name": "commit.commit.author.email", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1199", "mitre_attack_technique": "Trusted Relationship", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "GOLD SOUTHFIELD", "LAPSUS$", "POLONIUM", "Sandworm Team", "Threat Group-3390", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1199/github_push_master/github_push_master.log", "source": "github", "sourcetype": "aws:firehose:json"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "github", "definition": "sourcetype=aws:firehose:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "github_commit_changes_in_master_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/github_commit_changes_in_master.yml", "source": "cloud"}, {"name": "Github Commit In Develop", "id": "f3030cb6-0b02-11ec-8f22-acde48001122", "version": 1, "date": "2021-09-01", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This search is to detect a pushed or commit to develop branch. This is to avoid unwanted modification to develop without a review to the changes. Ideally in terms of devsecops the changes made in a branch and do a PR for review. of course in some cases admin of the project may did a changes directly to master branch", "data_source": [], "search": "`github` branches{}.name = main OR branches{}.name = develop | stats count min(_time) as firstTime max(_time) as lastTime by commit.author.html_url commit.commit.author.email commit.author.login commit.commit.message repository.pushed_at commit.commit.committer.date | eval phase=\"code\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_commit_in_develop_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to github logs having the fork, commit, push metadata that can be use to monitor the changes in a github project.", "known_false_positives": "admin can do changes directly to develop branch", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops"], "tags": {"name": "Github Commit In Develop", "analytic_story": ["Dev Sec Ops"], "asset_type": "GitHub", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Delivery"], "message": "suspicious commit by $commit.commit.author.email$ to develop branch", "mitre_attack_id": ["T1199"], "nist": ["DE.AE"], "observable": [{"name": "commit.commit.author.email", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1199", "mitre_attack_technique": "Trusted Relationship", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "GOLD SOUTHFIELD", "LAPSUS$", "POLONIUM", "Sandworm Team", "Threat Group-3390", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1199/github_push_master/github_push_develop.json", "source": "github", "sourcetype": "aws:firehose:json"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "github", "definition": "sourcetype=aws:firehose:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "github_commit_in_develop_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/github_commit_in_develop.yml", "source": "cloud"}, {"name": "GitHub Dependabot Alert", "id": "05032b04-4469-4034-9df7-05f607d75cba", "version": 1, "date": "2021-09-01", "author": "Patrick Bareiss, Splunk", "type": "Anomaly", "status": "production", "description": "This search looks for Dependabot Alerts in Github logs.", "data_source": [], "search": "`github` alert.id=* action=create | rename repository.full_name as repository, repository.html_url as repository_url sender.login as user | stats min(_time) as firstTime max(_time) as lastTime by action alert.affected_package_name alert.affected_range alert.created_at alert.external_identifier alert.external_reference alert.fixed_in alert.severity repository repository_url user | eval phase=\"code\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_dependabot_alert_filter`", "how_to_implement": "You must index GitHub logs. You can follow the url in reference to onboard GitHub logs.", "known_false_positives": "unknown", "references": ["https://www.splunk.com/en_us/blog/tips-and-tricks/getting-github-data-with-webhooks.html"], "tags": {"name": "GitHub Dependabot Alert", "analytic_story": ["Dev Sec Ops"], "asset_type": "GitHub", "cis20": ["CIS 13"], "confidence": 90, "impact": 30, "kill_chain_phases": ["Delivery"], "message": "Vulnerabilities found in packages used by GitHub repository $repository$", "mitre_attack_id": ["T1195.001", "T1195"], "nist": ["DE.AE"], "observable": [{"name": "repository", "type": "Unknown", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "alert.id", "repository.full_name", "repository.html_url", "action", "alert.affected_package_name", "alert.affected_range", "alert.created_at", "alert.external_identifier", "alert.external_reference", "alert.fixed_in", "alert.severity"], "risk_score": 27, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1195.001", "mitre_attack_technique": "Compromise Software Dependencies and Development Tools", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1195", "mitre_attack_technique": "Supply Chain Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.001/github_security_advisor_alert/github_security_advisor_alert.json", "source": "github", "sourcetype": "aws:firehose:json"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "github", "definition": "sourcetype=aws:firehose:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "github_dependabot_alert_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/github_dependabot_alert.yml", "source": "cloud"}, {"name": "GitHub Pull Request from Unknown User", "id": "9d7b9100-8878-4404-914e-ca5e551a641e", "version": 1, "date": "2021-09-01", "author": "Patrick Bareiss, Splunk", "type": "Anomaly", "status": "production", "description": "This search looks for Pull Request from unknown user.", "data_source": [], "search": "`github` check_suite.pull_requests{}.id=* | stats count by check_suite.head_commit.author.name repository.full_name check_suite.pull_requests{}.head.ref check_suite.head_commit.message | rename check_suite.head_commit.author.name as user repository.full_name as repository check_suite.pull_requests{}.head.ref as ref_head check_suite.head_commit.message as commit_message | search NOT `github_known_users` | eval phase=\"code\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_pull_request_from_unknown_user_filter`", "how_to_implement": "You must index GitHub logs. You can follow the url in reference to onboard GitHub logs.", "known_false_positives": "unknown", "references": ["https://www.splunk.com/en_us/blog/tips-and-tricks/getting-github-data-with-webhooks.html"], "tags": {"name": "GitHub Pull Request from Unknown User", "analytic_story": ["Dev Sec Ops"], "asset_type": "GitHub", "cis20": ["CIS 13"], "confidence": 90, "impact": 30, "kill_chain_phases": ["Delivery"], "message": "Vulnerabilities found in packages used by GitHub repository $repository$", "mitre_attack_id": ["T1195.001", "T1195"], "nist": ["DE.AE"], "observable": [{"name": "repository", "type": "Unknown", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "alert.id", "repository.full_name", "repository.html_url", "action", "alert.affected_package_name", "alert.affected_range", "alert.created_at", "alert.external_identifier", "alert.external_reference", "alert.fixed_in", "alert.severity"], "risk_score": 27, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1195.001", "mitre_attack_technique": "Compromise Software Dependencies and Development Tools", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1195", "mitre_attack_technique": "Supply Chain Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.001/github_pull_request/github_pull_request.json", "source": "github", "sourcetype": "aws:firehose:json"}]}], "datamodel": [], "macros": [{"name": "github_known_users", "definition": "user IN (user_names_here)", "description": "specify the user allowed to create PRs in Github projects."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "github", "definition": "sourcetype=aws:firehose:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "github_pull_request_from_unknown_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/github_pull_request_from_unknown_user.yml", "source": "cloud"}, {"name": "Gsuite Drive Share In External Email", "id": "f6ee02d6-fea0-11eb-b2c2-acde48001122", "version": 1, "date": "2021-08-16", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search is to detect suspicious google drive or google docs files shared outside or externally. This behavior might be a good hunting query to monitor exfitration of data made by an attacker or insider to a targetted machine.", "data_source": [], "search": "`gsuite_drive` NOT (email IN(\"\", \"null\")) | rex field=parameters.owner \"[^@]+@(?[^@]+)\" | rex field=email \"[^@]+@(?[^@]+)\" | where src_domain = \"internal_test_email.com\" and not dest_domain = \"internal_test_email.com\" | eval phase=\"plan\" | eval severity=\"low\" | stats values(parameters.doc_title) as doc_title, values(parameters.doc_type) as doc_types, values(email) as dst_email_list, values(parameters.visibility) as visibility, values(parameters.doc_id) as doc_id, count min(_time) as firstTime max(_time) as lastTime by parameters.owner ip_address phase severity | rename parameters.owner as user ip_address as src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_drive_share_in_external_email_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc. In order for the search to work for your environment, please edit the query to use your company specific email domain instead of `internal_test_email.com`.", "known_false_positives": "network admin or normal user may share files to customer and external team.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops"], "tags": {"name": "Gsuite Drive Share In External Email", "analytic_story": ["Dev Sec Ops", "Insider Threat"], "asset_type": "GSuite", "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "message": "suspicious share gdrive from $parameters.owner$ to $email$ namely as $parameters.doc_title$", "mitre_attack_id": ["T1567.002", "T1567"], "nist": ["DE.AE"], "observable": [{"name": "parameters.owner", "type": "User", "role": ["Attacker"]}, {"name": "email", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "parameters.doc_title", "src_domain", "dest_domain", "email", "parameters.visibility", "parameters.owner", "parameters.doc_type"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1567.002", "mitre_attack_technique": "Exfiltration to Cloud Storage", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Chimera", "Confucius", "Earth Lusca", "FIN7", "HAFNIUM", "HEXANE", "Kimsuky", "Leviathan", "LuminousMoth", "POLONIUM", "Threat Group-3390", "Turla", "ZIRCONIUM"]}, {"mitre_attack_id": "T1567", "mitre_attack_technique": "Exfiltration Over Web Service", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT28", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567.002/gsuite_share_drive/gdrive_share_external.log", "source": "http:gsuite", "sourcetype": "gsuite:drive:json"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "gsuite_drive", "definition": "sourcetype=gsuite:drive:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gsuite_drive_share_in_external_email_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/gsuite_drive_share_in_external_email.yml", "source": "cloud"}, {"name": "GSuite Email Suspicious Attachment", "id": "6d663014-fe92-11eb-ab07-acde48001122", "version": 1, "date": "2021-08-16", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This search is to detect a suspicious attachment file extension in Gsuite email that may related to spear phishing attack. This file type is commonly used by malware to lure user to click on it to execute malicious code to compromised targetted machine. But this search can also catch some normal files related to this file type that maybe send by employee or network admin.", "data_source": [], "search": "`gsuite_gmail` \"attachment{}.file_extension_type\" IN (\"pl\", \"py\", \"rb\", \"sh\", \"bat\", \"exe\", \"dll\", \"cpl\", \"com\", \"js\", \"vbs\", \"ps1\", \"reg\",\"swf\", \"cmd\", \"go\") | eval phase=\"plan\" | eval severity=\"medium\" | stats count min(_time) as firstTime max(_time) as lastTime values(attachment{}.file_extension_type) as email_attachments, values(attachment{}.sha256) as attachment_sha256, values(payload_size) as payload_size by destination{}.service num_message_attachments subject destination{}.address source.address phase severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_email_suspicious_attachment_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc.", "known_false_positives": "network admin and normal user may send this file attachment as part of their day to day work. having a good protocol in attaching this file type to an e-mail may reduce the risk of having a spear phishing attack.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops"], "tags": {"name": "GSuite Email Suspicious Attachment", "analytic_story": ["Dev Sec Ops"], "asset_type": "GSuite", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Delivery"], "message": "suspicious email from $source.address$ to $destination{}.address$", "mitre_attack_id": ["T1566.001", "T1566"], "nist": ["DE.AE"], "observable": [{"name": "source.address", "type": "User", "role": ["Attacker"]}, {"name": "destination{}.address", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "attachment{}.file_extension_type", "attachment{}.sha256", "destination{}.service", "num_message_attachments", "payload_size", "subject", "destination{}.address", "source.address"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/gsuite_susp_attachment_ext/gsuite_gmail_file_ext.log", "source": "http:gsuite", "sourcetype": "gsuite:gmail:bigquery"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "gsuite_gmail", "definition": "sourcetype=gsuite:gmail:bigquery", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gsuite_email_suspicious_attachment_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/gsuite_email_suspicious_attachment.yml", "source": "cloud"}, {"name": "Gsuite Email Suspicious Subject With Attachment", "id": "8ef3971e-00f2-11ec-b54f-acde48001122", "version": 1, "date": "2021-08-19", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This search is to detect a gsuite email contains suspicious subject having known file type used in spear phishing. This technique is a common and effective entry vector of attacker to compromise a network by luring the user to click or execute the suspicious attachment send from external email account because of the effective social engineering of subject related to delivery, bank and so on. On the other hand this detection may catch a normal email traffic related to legitimate transaction so better to check the email sender, spelling and etc. avoid click link or opening the attachment if you are not expecting this type of e-mail.", "data_source": [], "search": "`gsuite_gmail` num_message_attachments > 0 subject IN (\"*dhl*\", \"* ups *\", \"*delivery*\", \"*parcel*\", \"*label*\", \"*invoice*\", \"*postal*\", \"* fedex *\", \"* usps *\", \"* express *\", \"*shipment*\", \"*Banking/Tax*\",\"*shipment*\", \"*new order*\") attachment{}.file_extension_type IN (\"doc\", \"docx\", \"xls\", \"xlsx\", \"ppt\", \"pptx\", \"pdf\", \"zip\", \"rar\", \"html\",\"htm\",\"hta\") | rex field=source.from_header_address \"[^@]+@(?[^@]+)\" | rex field=destination{}.address \"[^@]+@(?[^@]+)\" | where not source_domain=\"internal_test_email.com\" and dest_domain=\"internal_test_email.com\" | eval phase=\"plan\" | eval severity=\"medium\" | stats count min(_time) as firstTime max(_time) as lastTime values(attachment{}.file_extension_type) as email_attachments, values(attachment{}.sha256) as attachment_sha256, values(payload_size) as payload_size by destination{}.service num_message_attachments subject destination{}.address source.address phase severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_email_suspicious_subject_with_attachment_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc.", "known_false_positives": "normal user or normal transaction may contain the subject and file type attachment that this detection try to search.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops", "https://www.mandiant.com/resources/top-words-used-in-spear-phishing-attacks"], "tags": {"name": "Gsuite Email Suspicious Subject With Attachment", "analytic_story": ["Dev Sec Ops"], "asset_type": "GSuite", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "suspicious email from $source.address$ to $destination{}.address$", "mitre_attack_id": ["T1566.001", "T1566"], "nist": ["DE.AE"], "observable": [{"name": "source.address", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/gsuite_susp_subj/gsuite_susp_subj_attach.log", "source": "http:gsuite", "sourcetype": "gsuite:gmail:bigquery"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "gsuite_gmail", "definition": "sourcetype=gsuite:gmail:bigquery", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gsuite_email_suspicious_subject_with_attachment_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/gsuite_email_suspicious_subject_with_attachment.yml", "source": "cloud"}, {"name": "Gsuite Email With Known Abuse Web Service Link", "id": "8630aa22-042b-11ec-af39-acde48001122", "version": 1, "date": "2021-08-23", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytics is to detect a gmail containing a link that are known to be abused by malware or attacker like pastebin, telegram and discord to deliver malicious payload. This event can encounter some normal email traffic within organization and external email that normally using this application and services.", "data_source": [], "search": "`gsuite_gmail` \"link_domain{}\" IN (\"*pastebin.com*\", \"*discord*\", \"*telegram*\",\"t.me\") | rex field=source.from_header_address \"[^@]+@(?[^@]+)\" | rex field=destination{}.address \"[^@]+@(?[^@]+)\" | where not source_domain=\"internal_test_email.com\" and dest_domain=\"internal_test_email.com\" | eval phase=\"plan\" | eval severity=\"low\" |stats values(link_domain{}) as link_domains min(_time) as firstTime max(_time) as lastTime count by is_spam source.address source.from_header_address subject destination{}.address phase severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_email_with_known_abuse_web_service_link_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc.", "known_false_positives": "normal email contains this link that are known application within the organization or network can be catched by this detection.", "references": ["https://news.sophos.com/en-us/2021/07/22/malware-increasingly-targets-discord-for-abuse/"], "tags": {"name": "Gsuite Email With Known Abuse Web Service Link", "analytic_story": ["Dev Sec Ops"], "asset_type": "GSuite", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "suspicious email from $source.address$ to $destination{}.address$", "mitre_attack_id": ["T1566.001", "T1566"], "nist": ["DE.AE"], "observable": [{"name": "source.address", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/gsuite_susp_url/gsuite_susp_url.log", "source": "http:gsuite", "sourcetype": "gsuite:gmail:bigquery"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "gsuite_gmail", "definition": "sourcetype=gsuite:gmail:bigquery", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gsuite_email_with_known_abuse_web_service_link_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/gsuite_email_with_known_abuse_web_service_link.yml", "source": "cloud"}, {"name": "Gsuite Outbound Email With Attachment To External Domain", "id": "dc4dc3a8-ff54-11eb-8bf7-acde48001122", "version": 1, "date": "2021-08-17", "author": "Teoderick Contreras, Stanislav Miskovic, Splunk", "type": "Anomaly", "status": "production", "description": "This search is to detect a suspicious outbound e-mail from internal email to external email domain. This can be a good hunting query to monitor insider or outbound email traffic for not common domain e-mail. The idea is to parse the domain of destination email check if there is a minimum outbound traffic < 20 with attachment.", "data_source": [], "search": "`gsuite_gmail` num_message_attachments > 0 | rex field=source.from_header_address \"[^@]+@(?[^@]+)\" | rex field=destination{}.address \"[^@]+@(?[^@]+)\" | where source_domain=\"internal_test_email.com\" and not dest_domain=\"internal_test_email.com\" | eval phase=\"plan\" | eval severity=\"low\" | stats values(subject) as subject, values(source.from_header_address) as src_domain_list, count as numEvents, dc(source.from_header_address) as numSrcAddresses, min(_time) as firstTime max(_time) as lastTime by dest_domain phase severity | where numSrcAddresses < 20 |sort - numSrcAddresses | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_outbound_email_with_attachment_to_external_domain_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc.", "known_false_positives": "network admin and normal user may send this file attachment as part of their day to day work. having a good protocol in attaching this file type to an e-mail may reduce the risk of having a spear phishing attack.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops"], "tags": {"name": "Gsuite Outbound Email With Attachment To External Domain", "analytic_story": ["Dev Sec Ops", "Insider Threat"], "asset_type": "GSuite", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Actions on Objectives"], "message": "suspicious email from $source.address$ to $destination{}.address$", "mitre_attack_id": ["T1048.003", "T1048"], "nist": ["DE.AE"], "observable": [{"name": "source.address", "type": "User", "role": ["Attacker"]}, {"name": "destination{}.address", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/gsuite_outbound_email_to_external/gsuite_external_domain.log", "source": "http:gsuite", "sourcetype": "gsuite:gmail:bigquery"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "gsuite_gmail", "definition": "sourcetype=gsuite:gmail:bigquery", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gsuite_outbound_email_with_attachment_to_external_domain_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/gsuite_outbound_email_with_attachment_to_external_domain.yml", "source": "cloud"}, {"name": "Gsuite suspicious calendar invite", "id": "03cdd68a-34fb-11ec-9bd3-acde48001122", "version": 1, "date": "2021-10-24", "author": "Rod Soto, Teoderick Contreras", "type": "Hunting", "status": "experimental", "description": "This search can help the detection of compromised accounts or internal users sending suspcious calendar invites via GSuite calendar. These invites may contain malicious links or attachments.", "data_source": [], "search": "`gsuite_calendar` |bin span=5m _time |rename parameters.* as * |search target_calendar_id!=null email=\"*yourdomain.com\"| stats count values(target_calendar_id) values(event_title) values(event_guest) by email _time | where count >100| `gsuite_suspicious_calendar_invite_filter`", "how_to_implement": "In order to successfully implement this search, you need to be ingesting logs related to gsuite (gsuite:calendar:json) having the file sharing metadata like file type, source owner, destination target user, description, etc. This search can also be made more specific by selecting specific emails, subdomains timeframe, organizational units, targeted user, etc. In order for the search to work for your environment please update `yourdomain.com` value in the query with the domain relavant for your organization.", "known_false_positives": "This search will also produce normal activity statistics. Fields such as email, ip address, name, parameters.organizer_calendar_id, parameters.target_calendar_id and parameters.event_title may give away phishing intent.For more specific results use email parameter.", "references": ["https://www.techrepublic.com/article/how-to-avoid-the-dreaded-google-calendar-malicious-invite-issue/", "https://gcn.com/cybersecurity/2012/09/the-20-most-common-words-in-phishing-attacks/280956/"], "tags": {"name": "Gsuite suspicious calendar invite", "analytic_story": ["Spearphishing Attachments"], "asset_type": "GSuite", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "tbd", "mitre_attack_id": ["T1566"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "email", "parameters.event_title", "parameters.target_calendar_id", "parameters.event_title"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "datamodel": [], "macros": [{"name": "gsuite_calendar", "definition": "sourcetype=gsuite:calendar:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gsuite_suspicious_calendar_invite_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/gsuite_suspicious_calendar_invite.yml", "source": "cloud"}, {"name": "Gsuite Suspicious Shared File Name", "id": "07eed200-03f5-11ec-98fb-acde48001122", "version": 1, "date": "2021-08-23", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This search is to detect a shared file in google drive with suspicious file name that are commonly used by spear phishing campaign. This technique is very popular to lure the user by running a malicious document or click a malicious link within the shared file that will redirected to malicious website. This detection can also catch some normal email communication between organization and its external customer.", "data_source": [], "search": "`gsuite_drive` parameters.owner_is_team_drive=false \"parameters.doc_title\" IN (\"*dhl*\", \"* ups *\", \"*delivery*\", \"*parcel*\", \"*label*\", \"*invoice*\", \"*postal*\", \"*fedex*\", \"* usps *\", \"* express *\", \"*shipment*\", \"*Banking/Tax*\",\"*shipment*\", \"*new order*\") parameters.doc_type IN (\"document\",\"pdf\", \"msexcel\", \"msword\", \"spreadsheet\", \"presentation\") | rex field=parameters.owner \"[^@]+@(?[^@]+)\" | rex field=parameters.target_user \"[^@]+@(?[^@]+)\" | where not source_domain=\"internal_test_email.com\" and dest_domain=\"internal_test_email.com\" | eval phase=\"plan\" | eval severity=\"low\" | stats count min(_time) as firstTime max(_time) as lastTime by email parameters.owner parameters.target_user parameters.doc_title parameters.doc_type phase severity | rename parameters.target_user AS user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `gsuite_suspicious_shared_file_name_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc. In order for the search to work for your environment, please edit the query to use your company specific email domain instead of `internal_test_email.com`.", "known_false_positives": "normal user or normal transaction may contain the subject and file type attachment that this detection try to search", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops", "https://www.mandiant.com/resources/top-words-used-in-spear-phishing-attacks"], "tags": {"name": "Gsuite Suspicious Shared File Name", "analytic_story": ["Dev Sec Ops"], "asset_type": "GSuite", "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Delivery"], "message": "suspicious share gdrive from $parameters.owner$ to $email$ namely as $parameters.doc_title$", "mitre_attack_id": ["T1566.001", "T1566"], "nist": ["DE.AE"], "observable": [{"name": "parameters.owner", "type": "User", "role": ["Attacker"]}, {"name": "email", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "parameters.doc_title", "src_domain", "dest_domain", "email", "parameters.visibility", "parameters.owner", "parameters.doc_type"], "risk_score": 21, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/gdrive_susp_file_share/gdrive_susp_attach.log", "source": "http:gsuite", "sourcetype": "gsuite:drive:json"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "gsuite_drive", "definition": "sourcetype=gsuite:drive:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gsuite_suspicious_shared_file_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/gsuite_suspicious_shared_file_name.yml", "source": "cloud"}, {"name": "High Number of Login Failures from a single source", "id": "7f398cfb-918d-41f4-8db8-2e2474e02222", "version": 1, "date": "2020-12-16", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search will detect more than 5 login failures in Office365 Azure Active Directory from a single source IP address. Please adjust the threshold value of 5 as suited for your environment.", "data_source": [], "search": "`o365_management_activity` Operation=UserLoginFailed record_type=AzureActiveDirectoryStsLogon app=AzureActiveDirectory | stats count dc(user) as accounts_locked values(user) as user values(LogonError) as LogonError values(authentication_method) as authentication_method values(signature) as signature values(UserAgent) as UserAgent by src_ip record_type Operation app | search accounts_locked >= 5| `high_number_of_login_failures_from_a_single_source_filter`", "how_to_implement": "", "known_false_positives": "unknown", "references": [], "tags": {"name": "High Number of Login Failures from a single source", "analytic_story": ["Office 365 Detections"], "asset_type": "Office 365", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1110.001", "T1110"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Operation", "record_type", "app", "user", "LogonError", "authentication_method", "signature", "UserAgent", "src_ip", "record_type"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/high_number_of_login_failures_from_a_single_source.json", "source": "o365", "sourcetype": "o365:management:activity"}]}], "datamodel": [], "macros": [{"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "high_number_of_login_failures_from_a_single_source_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/high_number_of_login_failures_from_a_single_source.yml", "source": "cloud"}, {"name": "Kubernetes AWS detect suspicious kubectl calls", "id": "042a3d32-8318-4763-9679-09db2644a8f2", "version": 2, "date": "2022-11-11", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "experimental", "description": "This search provides information on anonymous Kubectl calls with IP, verb namespace and object access context", "data_source": [], "search": "`aws_cloudwatchlogs_eks` userAgent=kubectl* sourceIPs{}!=127.0.0.1 sourceIPs{}!=::1 src_user=system:anonymous | stats count by src_ip src_user verb userAgent requestURI |`kubernetes_aws_detect_suspicious_kubectl_calls_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs.", "known_false_positives": "Kubectl calls are not malicious by nature. However source IP, verb and Object can reveal potential malicious activity, specially anonymous suspicious IPs and sensitive objects such as configmaps or secrets", "references": [], "tags": {"name": "Kubernetes AWS detect suspicious kubectl calls", "analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "Kubernetes", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "userAgent", "sourceIPs{}", "src_user", "src_ip", "verb", "requestURI"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_aws_detect_suspicious_kubectl_calls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/kubernetes_aws_detect_suspicious_kubectl_calls.yml", "source": "cloud"}, {"name": "Kubernetes Nginx Ingress LFI", "id": "0f83244b-425b-4528-83db-7a88c5f66e48", "version": 1, "date": "2021-08-20", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "This search uses the Kubernetes logs from a nginx ingress controller to detect local file inclusion attacks.", "data_source": [], "search": "`kubernetes_container_controller` | rex field=_raw \"^(?\\S+)\\s+-\\s+-\\s+\\[(?[^\\]]*)\\]\\s\\\"(?[^\\\"]*)\\\"\\s(?\\S*)\\s(?\\S*)\\s\\\"(?[^\\\"]*)\\\"\\s\\\"(?[^\\\"]*)\\\"\\s(?\\S*)\\s(?\\S*)\\s\\[(?[^\\]]*)\\]\\s\\[(?[^\\]]*)\\]\\s(?\\S*)\\s(?\\S*)\\s(?\\S*)\\s(?\\S*)\\s(?\\S*)\" | lookup local_file_inclusion_paths local_file_inclusion_paths AS request OUTPUT lfi_path | search lfi_path=yes | rename remote_addr AS src_ip, upstream_status as status, proxy_upstream_name as proxy | rex field=request \"^(?\\S+)\\s(?\\S+)\\s\" | eval phase=\"operate\" | eval severity=\"high\" | stats count min(_time) as firstTime max(_time) as lastTime by src_ip, status, url, http_method, host, http_user_agent, proxy, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kubernetes_nginx_ingress_lfi_filter`", "how_to_implement": "You must ingest Kubernetes logs through Splunk Connect for Kubernetes.", "known_false_positives": "unknown", "references": ["https://github.com/splunk/splunk-connect-for-kubernetes", "https://www.offensive-security.com/metasploit-unleashed/file-inclusion-vulnerabilities/"], "tags": {"name": "Kubernetes Nginx Ingress LFI", "analytic_story": ["Dev Sec Ops"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Local File Inclusion Attack detected on $host$", "mitre_attack_id": ["T1212"], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["raw"], "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1212", "mitre_attack_technique": "Exploitation for Credential Access", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1212/kubernetes_nginx_lfi_attack/kubernetes_nginx_lfi_attack.log", "source": "kubernetes", "sourcetype": "kube:container:controller"}]}], "datamodel": [], "macros": [{"name": "kubernetes_container_controller", "definition": "sourcetype=kube:container:controller", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "kubernetes_nginx_ingress_lfi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "local_file_inclusion_paths", "description": "A list of interesting files in a local file inclusion attack", "filename": "local_file_inclusion_paths.csv", "default_match": "false", "match_type": "WILDCARD(local_file_inclusion_paths)", "min_matches": 1, "case_sensitive_match": "false"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/kubernetes_nginx_ingress_lfi.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Kubernetes Nginx Ingress RFI", "id": "fc5531ae-62fd-4de6-9c36-b4afdae8ca95", "version": 1, "date": "2021-08-23", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "This search uses the Kubernetes logs from a nginx ingress controller to detect remote file inclusion attacks.", "data_source": [], "search": "`kubernetes_container_controller` | rex field=_raw \"^(?\\S+)\\s+-\\s+-\\s+\\[(?[^\\]]*)\\]\\s\\\"(?[^\\\"]*)\\\"\\s(?\\S*)\\s(?\\S*)\\s\\\"(?[^\\\"]*)\\\"\\s\\\"(?[^\\\"]*)\\\"\\s(?\\S*)\\s(?\\S*)\\s\\[(?[^\\]]*)\\]\\s\\[(?[^\\]]*)\\]\\s(?\\S*)\\s(?\\S*)\\s(?\\S*)\\s(?\\S*)\\s(?\\S*)\" | rex field=request \"^(?\\S+)?\\s(?\\S+)\\s\" | rex field=url \"(?\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\" | search dest_ip=* | rename remote_addr AS src_ip, upstream_status as status, proxy_upstream_name as proxy | eval phase=\"operate\" | eval severity=\"medium\" | stats count min(_time) as firstTime max(_time) as lastTime by src_ip, dest_ip status, url, http_method, host, http_user_agent, proxy, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kubernetes_nginx_ingress_rfi_filter`", "how_to_implement": "You must ingest Kubernetes logs through Splunk Connect for Kubernetes.", "known_false_positives": "unknown", "references": ["https://github.com/splunk/splunk-connect-for-kubernetes", "https://www.invicti.com/blog/web-security/remote-file-inclusion-vulnerability/"], "tags": {"name": "Kubernetes Nginx Ingress RFI", "analytic_story": ["Dev Sec Ops"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Remote File Inclusion Attack detected on $host$", "mitre_attack_id": ["T1212"], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["raw"], "risk_score": 49, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1212", "mitre_attack_technique": "Exploitation for Credential Access", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1212/kuberntest_nginx_rfi_attack/kubernetes_nginx_rfi_attack.log", "source": "kubernetes", "sourcetype": "kube:container:controller"}]}], "datamodel": [], "macros": [{"name": "kubernetes_container_controller", "definition": "sourcetype=kube:container:controller", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "kubernetes_nginx_ingress_rfi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/kubernetes_nginx_ingress_rfi.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "Kubernetes Scanner Image Pulling", "id": "4890cd6b-0112-4974-a272-c5c153aee551", "version": 1, "date": "2021-08-24", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "This search uses the Kubernetes logs from Splunk Connect from Kubernetes to detect Kubernetes Security Scanner.", "data_source": [], "search": "`kube_objects_events` object.message IN (\"Pulling image *kube-hunter*\", \"Pulling image *kube-bench*\", \"Pulling image *kube-recon*\", \"Pulling image *kube-recon*\") | rename object.* AS * | rename involvedObject.* AS * | rename source.host AS host | eval phase=\"operate\" | eval severity=\"high\" | stats min(_time) as firstTime max(_time) as lastTime count by host, name, namespace, kind, reason, message, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kubernetes_scanner_image_pulling_filter`", "how_to_implement": "You must ingest Kubernetes logs through Splunk Connect for Kubernetes.", "known_false_positives": "unknown", "references": ["https://github.com/splunk/splunk-connect-for-kubernetes"], "tags": {"name": "Kubernetes Scanner Image Pulling", "analytic_story": ["Dev Sec Ops"], "asset_type": "Kubernetes", "cis20": ["CIS 13"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "Kubernetes Scanner image pulled on host $host$", "mitre_attack_id": ["T1526"], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["object.message", "source.host", "object.involvedObject.name", "object.involvedObject.namespace", "object.involvedObject.kind", "object.message", "object.reason"], "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1526/kubernetes_kube_hunter/kubernetes_kube_hunter.json", "source": "kubernetes", "sourcetype": "kube:objects:events"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "kube_objects_events", "definition": "sourcetype=kube:objects:events", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_scanner_image_pulling_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/kubernetes_scanner_image_pulling.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "O365 Add App Role Assignment Grant User", "id": "b2c81cc6-6040-11eb-ae93-0242ac130002", "version": 1, "date": "2021-01-26", "author": "Rod Soto, Splunk", "type": "TTP", "status": "production", "description": "This search detects the creation of a new Federation setting by alerting about an specific event related to its creation.", "data_source": [], "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Add app role assignment grant to user.\" | stats count min(_time) as firstTime max(_time) as lastTime values(Actor{}.ID) as Actor.ID values(Actor{}.Type) as Actor.Type by ActorIpAddress dest ResultStatus | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `o365_add_app_role_assignment_grant_user_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "The creation of a new Federation is not necessarily malicious, however this events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a different cloud provider.", "references": ["https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a"], "tags": {"name": "O365 Add App Role Assignment Grant User", "analytic_story": ["Office 365 Detections", "Cloud Federated Credential Abuse"], "asset_type": "Office 365", "cis20": ["CIS 10"], "confidence": 60, "impact": 30, "kill_chain_phases": ["Installation"], "message": "User $Actor.ID$ has created a new federation setting on $dest$ from IP Address $ActorIpAddress$", "mitre_attack_id": ["T1136.003", "T1136"], "nist": ["DE.CM"], "observable": [{"name": "ActorIpAddress", "type": "IP Address", "role": ["Attacker"]}, {"name": "Actor.ID", "type": "User", "role": ["Attacker"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Workload", "Operation", "Actor{}.ID", "Actor{}.Type", "ActorIpAddress", "dest", "ResultStatus"], "risk_score": 18, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_new_federation/o365_new_federation.json", "source": "o365", "sourcetype": "o365:management:activity"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_add_app_role_assignment_grant_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/o365_add_app_role_assignment_grant_user.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "O365 Added Service Principal", "id": "1668812a-6047-11eb-ae93-0242ac130002", "version": 1, "date": "2022-02-03", "author": "Rod Soto, Splunk", "type": "TTP", "status": "production", "description": "This search detects the creation of a new Federation setting by alerting about an specific event related to its creation.", "data_source": [], "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Add service principal credentials.\" | stats min(_time) as firstTime max(_time) as lastTime values(Actor{}.ID) as Actor.ID values(ModifiedProperties{}.Name) as ModifiedProperties.Name values(ModifiedProperties{}.NewValue) as ModifiedProperties.NewValue values(Target{}.ID) as Target.ID by ActorIpAddress Operation | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `o365_added_service_principal_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "The creation of a new Federation is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a different cloud provider.", "references": ["https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://blog.sygnia.co/detection-and-hunting-of-golden-saml-attack?hsLang=en"], "tags": {"name": "O365 Added Service Principal", "analytic_story": ["Office 365 Detections", "Cloud Federated Credential Abuse"], "asset_type": "Office 365", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Installation"], "message": "User $Actor.ID$ created a new federation setting on $Target.ID$ and added service principal credentials from IP Address $ActorIpAddress$", "mitre_attack_id": ["T1136.003", "T1136"], "nist": ["DE.CM"], "observable": [{"name": "ActorIpAddress", "type": "IP Address", "role": ["Attacker"]}, {"name": "Target.ID", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Workload", "signature", "Actor{}.ID", "ModifiedProperties{}.Name", "ModifiedProperties{}.NewValue", "Target{}.ID", "ActorIpAddress"], "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_add_service_principal/o365_add_service_principal.json", "source": "o365", "sourcetype": "o365:management:activity"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_added_service_principal_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/o365_added_service_principal.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "O365 Bypass MFA via Trusted IP", "id": "c783dd98-c703-4252-9e8a-f19d9f66949e", "version": 2, "date": "2022-02-03", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "This search detects newly added IP addresses/CIDR blocks to the list of MFA Trusted IPs to bypass multi factor authentication. Attackers are often known to use this technique so that they can bypass the MFA system.", "data_source": [], "search": "`o365_management_activity` Operation=\"Set Company Information.\" ModifiedProperties{}.Name=StrongAuthenticationPolicy | rex max_match=100 field=ModifiedProperties{}.NewValue \"(?\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\/\\d{1,2})\" | rex max_match=100 field=ModifiedProperties{}.OldValue \"(?\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\/\\d{1,2})\" | eval ip_addresses_old=if(isnotnull(ip_addresses_old),ip_addresses_old,\"0\") | mvexpand ip_addresses_new_added | where isnull(mvfind(ip_addresses_old,ip_addresses_new_added)) |stats count min(_time) as firstTime max(_time) as lastTime values(ip_addresses_old) as ip_addresses_old by user ip_addresses_new_added Operation Workload vendor_account status user_id action | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `o365_bypass_mfa_via_trusted_ip_filter`", "how_to_implement": "You must install Splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "Unless it is a special case, it is uncommon to continually update Trusted IPs to MFA configuration.", "references": ["https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf", "https://attack.mitre.org/techniques/T1562/007/"], "tags": {"name": "O365 Bypass MFA via Trusted IP", "analytic_story": ["Office 365 Detections"], "asset_type": "Office 365", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "User $user_id$ has added new IP addresses $ip_addresses_new_added$ to a list of trusted IPs to bypass MFA", "mitre_attack_id": ["T1562.007", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "ip_addresses_new_added", "type": "IP Address", "role": ["Attacker"]}, {"name": "user_id", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "signature", "ModifiedProperties{}.Name", "ModifiedProperties{}.NewValue", "ModifiedProperties{}.OldValue", "user", "vendor_account", "status", "user_id", "action"], "risk_score": 42, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.007/o365_bypass_mfa_via_trusted_ip/o365_bypass_mfa_via_trusted_ip.json", "source": "o365", "sourcetype": "o365:management:activity"}]}], "datamodel": ["Authentication"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_bypass_mfa_via_trusted_ip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/o365_bypass_mfa_via_trusted_ip.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "O365 Disable MFA", "id": "c783dd98-c703-4252-9e8a-f19d9f5c949e", "version": 1, "date": "2022-02-03", "author": "Rod Soto, Splunk", "type": "TTP", "status": "production", "description": "This search detects when multi factor authentication has been disabled, what entitiy performed the action and against what user", "data_source": [], "search": "`o365_management_activity` Operation=\"Disable Strong Authentication.\" | stats count earliest(_time) as firstTime latest(_time) as lastTime by UserType Operation UserId ResultStatus object | rename UserType AS user_type, Operation AS action, UserId AS src_user, object AS user, ResultStatus AS result | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_disable_mfa_filter`", "how_to_implement": "You must install the Splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "Unless it is a special case, it is uncommon to disable MFA or Strong Authentication", "references": ["https://attack.mitre.org/techniques/T1556/"], "tags": {"name": "O365 Disable MFA", "analytic_story": ["Office 365 Detections"], "asset_type": "Office 365", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "message": "User $user$ has executed an operation $Operation$ for this destination $dest$", "mitre_attack_id": ["T1556"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Operation", "UserType", "user", "status", "signature", "dest", "ResultStatus"], "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/o365_disable_mfa/o365_disable_mfa.json", "source": "o365", "sourcetype": "o365:management:activity"}]}], "datamodel": ["Authentication"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_disable_mfa_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/o365_disable_mfa.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "O365 Excessive Authentication Failures Alert", "id": "d441364c-349c-453b-b55f-12eccab67cf9", "version": 2, "date": "2022-02-18", "author": "Rod Soto, Splunk", "type": "Anomaly", "status": "production", "description": "This search detects when an excessive number of authentication failures occur this search also includes attempts against MFA prompt codes", "data_source": [], "search": "`o365_management_activity` Workload=AzureActiveDirectory UserAuthenticationMethod=* status=failure | stats count earliest(_time) AS firstTime latest(_time) AS lastTime values(UserAuthenticationMethod) AS UserAuthenticationMethod values(UserAgent) AS UserAgent values(status) AS status values(src_ip) AS src_ip by user | where count > 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_excessive_authentication_failures_alert_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "The threshold for alert is above 10 attempts and this should reduce the number of false positives.", "references": ["https://attack.mitre.org/techniques/T1110/"], "tags": {"name": "O365 Excessive Authentication Failures Alert", "analytic_story": ["Office 365 Detections"], "asset_type": "Office 365", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "User $user$ has caused excessive number of authentication failures from $src_ip$ using UserAgent $UserAgent$.", "mitre_attack_id": ["T1110"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Workload", "UserAuthenticationMethod", "status", "UserAgent", "src_ip", "user"], "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110/o365_brute_force_login/o365_brute_force_login.json", "source": "o365", "sourcetype": "o365:management:activity"}]}], "datamodel": ["Authentication"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_excessive_authentication_failures_alert_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/o365_excessive_authentication_failures_alert.yml", "source": "cloud"}, {"name": "O365 Excessive SSO logon errors", "id": "8158ccc4-6038-11eb-ae93-0242ac130002", "version": 1, "date": "2021-01-26", "author": "Rod Soto, Splunk", "type": "Anomaly", "status": "production", "description": "This search detects accounts with high number of Single Sign ON (SSO) logon errors. Excessive logon errors may indicate attempts to bruteforce of password or single sign on token hijack or reuse.", "data_source": [], "search": "`o365_management_activity` Workload=AzureActiveDirectory LogonError=SsoArtifactInvalidOrExpired | stats count min(_time) as firstTime max(_time) as lastTime by LogonError ActorIpAddress UserAgent UserId | where count > 5 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `o365_excessive_sso_logon_errors_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "Logon errors may not be malicious in nature however it may indicate attempts to reuse a token or password obtained via credential access attack.", "references": ["https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/"], "tags": {"name": "O365 Excessive SSO logon errors", "analytic_story": ["Office 365 Detections", "Cloud Federated Credential Abuse"], "asset_type": "Office 365", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "message": "User $UserId$ has caused excessive number of SSO logon errors from $ActorIpAddress$ using UserAgent $UserAgent$.", "mitre_attack_id": ["T1556"], "nist": ["DE.AE"], "observable": [{"name": "ActorIpAddress", "type": "IP Address", "role": ["Attacker"]}, {"name": "UserId", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Workload", "LogonError", "ActorIpAddress", "UserAgent", "UserId"], "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/o365_sso_logon_errors/o365_sso_logon_errors.json", "source": "o365", "sourcetype": "o365:management:activity"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_excessive_sso_logon_errors_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/o365_excessive_sso_logon_errors.yml", "source": "cloud"}, {"name": "O365 New Federated Domain Added", "id": "e155876a-6048-11eb-ae93-0242ac130002", "version": 1, "date": "2021-01-26", "author": "Rod Soto, Splunk", "type": "TTP", "status": "production", "description": "This search detects the addition of a new Federated domain.", "data_source": [], "search": "`o365_management_activity` Workload=Exchange Operation=\"Add-FederatedDomain\" | stats count min(_time) as firstTime max(_time) as lastTime values(Parameters{}.Value) as Parameters.Value by ObjectId Operation OrganizationName OriginatingServer UserId UserKey | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_federated_domain_added_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity.", "known_false_positives": "The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider.", "references": ["https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://blog.sygnia.co/detection-and-hunting-of-golden-saml-attack?hsLang=en", "https://o365blog.com/post/aadbackdoor/"], "tags": {"name": "O365 New Federated Domain Added", "analytic_story": ["Office 365 Detections", "Cloud Federated Credential Abuse"], "asset_type": "Office 365", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation"], "message": "User $UserId$ has added a new federated domaain $Parameters.Value$ for $OrganizationName$", "mitre_attack_id": ["T1136.003", "T1136"], "nist": ["DE.CM"], "observable": [{"name": "OrganizationName", "type": "Other", "role": ["Victim"]}, {"name": "UserId", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Workload", "Operation", "Parameters{}.Value", "ObjectId", "OrganizationName", "OriginatingServer", "UserId", "UserKey"], "risk_score": 64, "security_domain": "threat", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_new_federated_domain/o365_new_federated_domain.json", "source": "exchange", "sourcetype": "o365:management:activity", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_new_federated_domain_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/o365_new_federated_domain_added.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "O365 PST export alert", "id": "5f694cc4-a678-4a60-9410-bffca1b647dc", "version": 1, "date": "2020-12-16", "author": "Rod Soto, Splunk", "type": "TTP", "status": "production", "description": "This search detects when a user has performed an Ediscovery search or exported a PST file from the search. This PST file usually has sensitive information including email body content", "data_source": [], "search": "`o365_management_activity` Category=ThreatManagement Name=\"eDiscovery search started or exported\" | stats count earliest(_time) as firstTime latest(_time) as lastTime by Source Severity AlertEntityId Operation Name |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_pst_export_alert_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "PST export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored.", "references": ["https://attack.mitre.org/techniques/T1114/"], "tags": {"name": "O365 PST export alert", "analytic_story": ["Office 365 Detections", "Data Exfiltration"], "asset_type": "Office 365", "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "User $Source$ has exported a PST file from the search using this operation- $Operation$ with a severity of $Severity$", "mitre_attack_id": ["T1114"], "nist": ["DE.CM"], "observable": [{"name": "Source", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Category", "Name", "Source", "Severity", "AlertEntityId", "Operation"], "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_export_pst_file/o365_export_pst_file.json", "source": "o365", "sourcetype": "o365:management:activity"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_pst_export_alert_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/o365_pst_export_alert.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "O365 Suspicious Admin Email Forwarding", "id": "7f398cfb-918d-41f4-8db8-2e2474e02c28", "version": 1, "date": "2020-12-16", "author": "Patrick Bareiss, Splunk", "type": "Anomaly", "status": "production", "description": "This search detects when an admin configured a forwarding rule for multiple mailboxes to the same destination.", "data_source": [], "search": "`o365_management_activity` Operation=Set-Mailbox | spath input=Parameters | rename Identity AS src_user | search ForwardingAddress=* | stats dc(src_user) AS count_src_user earliest(_time) as firstTime latest(_time) as lastTime values(src_user) AS src_user values(user) AS user by ForwardingAddress | where count_src_user > 1 |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`o365_suspicious_admin_email_forwarding_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "unknown", "references": [], "tags": {"name": "O365 Suspicious Admin Email Forwarding", "analytic_story": ["Office 365 Detections", "Data Exfiltration"], "asset_type": "Office 365", "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "User $user$ has configured a forwarding rule for multiple mailboxes to the same destination $ForwardingAddress$", "mitre_attack_id": ["T1114.003", "T1114"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Operation", "Parameters"], "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114.003", "mitre_attack_technique": "Email Forwarding Rule", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Kimsuky", "LAPSUS$", "Silent Librarian"]}, {"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.003/o365_email_forwarding_rule/o365_email_forwarding_rule.json", "source": "o365", "sourcetype": "o365:management:activity"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_suspicious_admin_email_forwarding_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/o365_suspicious_admin_email_forwarding.yml", "source": "cloud"}, {"name": "O365 Suspicious Rights Delegation", "id": "b25d2973-303e-47c8-bacd-52b61604c6a7", "version": 1, "date": "2020-12-15", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "This search detects the assignment of rights to accesss content from another mailbox. This is usually only assigned to a service account.", "data_source": [], "search": "`o365_management_activity` Operation=Add-MailboxPermission | spath input=Parameters | rename User AS src_user, Identity AS dest_user | search AccessRights=FullAccess OR AccessRights=SendAs OR AccessRights=SendOnBehalf | stats count earliest(_time) as firstTime latest(_time) as lastTime by user src_user dest_user Operation AccessRights |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`o365_suspicious_rights_delegation_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "Service Accounts", "references": [], "tags": {"name": "O365 Suspicious Rights Delegation", "analytic_story": ["Office 365 Detections"], "asset_type": "Office 365", "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "User $user$ has delegated suspicious rights $AccessRights$ to user $dest_user$ that allow access to sensitive", "mitre_attack_id": ["T1114.002", "T1114"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Operation", "Parameters"], "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}, {"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/suspicious_rights_delegation/suspicious_rights_delegation.json", "source": "o365", "sourcetype": "o365:management:activity"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_suspicious_rights_delegation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/o365_suspicious_rights_delegation.yml", "source": "cloud", "nes_fields": "user,dest"}, {"name": "O365 Suspicious User Email Forwarding", "id": "f8dfe015-dbb3-4569-ba75-b13787e06aa4", "version": 1, "date": "2020-12-16", "author": "Patrick Bareiss, Splunk", "type": "Anomaly", "status": "production", "description": "This search detects when multiple user configured a forwarding rule to the same destination.", "data_source": [], "search": "`o365_management_activity` Operation=Set-Mailbox | spath input=Parameters | rename Identity AS src_user | search ForwardingSmtpAddress=* | stats dc(src_user) AS count_src_user earliest(_time) as firstTime latest(_time) as lastTime values(src_user) AS src_user values(user) AS user by ForwardingSmtpAddress | where count_src_user > 1 |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`o365_suspicious_user_email_forwarding_filter`", "how_to_implement": "You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity", "known_false_positives": "unknown", "references": [], "tags": {"name": "O365 Suspicious User Email Forwarding", "analytic_story": ["Office 365 Detections", "Data Exfiltration"], "asset_type": "Office 365", "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "User $user$ configured multiple users $src_user$ with a count of $count_src_user$, a forwarding rule to same destination $ForwardingSmtpAddress$", "mitre_attack_id": ["T1114.003", "T1114"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Attacker"]}, {"name": "ForwardingSmtpAddress", "type": "Email Address", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Operation", "Parameters"], "risk_score": 48, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114.003", "mitre_attack_technique": "Email Forwarding Rule", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Kimsuky", "LAPSUS$", "Silent Librarian"]}, {"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.003/o365_email_forwarding_rule/o365_email_forwarding_rule.json", "source": "o365", "sourcetype": "o365:management:activity"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_suspicious_user_email_forwarding_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/cloud/o365_suspicious_user_email_forwarding.yml", "source": "cloud"}, {"name": "Abnormally High AWS Instances Launched by User", "id": "2a9b80d3-6340-4345-b5ad-290bf5d0dac4", "version": 2, "date": "2020-07-21", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "deprecated", "description": "This search looks for AWS CloudTrail events where a user successfully launches an abnormally high number of instances. This search is deprecated and have been translated to use the latest Change Datamodel", "data_source": [], "search": "`cloudtrail` eventName=RunInstances errorCode=success | bucket span=10m _time | stats count AS instances_launched by _time userName | eventstats avg(instances_launched) as total_launched_avg, stdev(instances_launched) as total_launched_stdev | eval threshold_value = 4 | eval isOutlier=if(instances_launched > total_launched_avg+(total_launched_stdev * threshold_value), 1, 0) | search isOutlier=1 AND _time >= relative_time(now(), \"-10m@m\") | eval num_standard_deviations_away = round(abs(instances_launched - total_launched_avg) / total_launched_stdev, 2) | table _time, userName, instances_launched, num_standard_deviations_away, total_launched_avg, total_launched_stdev | `abnormally_high_aws_instances_launched_by_user_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. The threshold value should be tuned to your environment.", "known_false_positives": "Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.", "references": [], "tags": {"name": "Abnormally High AWS Instances Launched by User", "analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078.004"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "errorCode", "userName"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}]}, "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "abnormally_high_aws_instances_launched_by_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/abnormally_high_aws_instances_launched_by_user.yml", "source": "deprecated", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "Abnormally High AWS Instances Launched by User - MLTK", "id": "dec41ad5-d579-42cb-b4c6-f5dbb778bbe5", "version": 2, "date": "2020-07-21", "author": "Jason Brewer, Splunk", "type": "Anomaly", "status": "deprecated", "description": "This search looks for AWS CloudTrail events where a user successfully launches an abnormally high number of instances. This search is deprecated and have been translated to use the latest Change Datamodel.", "data_source": [], "search": "`cloudtrail` eventName=RunInstances errorCode=success `abnormally_high_aws_instances_launched_by_user___mltk_filter` | bucket span=10m _time | stats count as instances_launched by _time src_user | apply ec2_excessive_runinstances_v1 | rename \"IsOutlier(instances_launched)\" as isOutlier | where isOutlier=1", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. The threshold value should be tuned to your environment.", "known_false_positives": "Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.", "references": [], "tags": {"name": "Abnormally High AWS Instances Launched by User - MLTK", "analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078.004"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "errorCode", "src_user"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}]}, "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "abnormally_high_aws_instances_launched_by_user___mltk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/abnormally_high_aws_instances_launched_by_user___mltk.yml", "source": "deprecated", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "Abnormally High AWS Instances Terminated by User", "id": "8d301246-fccf-45e2-a8e7-3655fd14379c", "version": 2, "date": "2020-07-21", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "deprecated", "description": "This search looks for AWS CloudTrail events where an abnormally high number of instances were successfully terminated by a user in a 10-minute window. This search is deprecated and have been translated to use the latest Change Datamodel.", "data_source": [], "search": "`cloudtrail` eventName=TerminateInstances errorCode=success | bucket span=10m _time | stats count AS instances_terminated by _time userName | eventstats avg(instances_terminated) as total_terminations_avg, stdev(instances_terminated) as total_terminations_stdev | eval threshold_value = 4 | eval isOutlier=if(instances_terminated > total_terminations_avg+(total_terminations_stdev * threshold_value), 1, 0) | search isOutlier=1 AND _time >= relative_time(now(), \"-10m@m\")| eval num_standard_deviations_away = round(abs(instances_terminated - total_terminations_avg) / total_terminations_stdev, 2) |table _time, userName, instances_terminated, num_standard_deviations_away, total_terminations_avg, total_terminations_stdev | `abnormally_high_aws_instances_terminated_by_user_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs.", "known_false_positives": "Many service accounts configured with your AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify whether this search alerted on a human user.", "references": [], "tags": {"name": "Abnormally High AWS Instances Terminated by User", "analytic_story": ["Suspicious AWS EC2 Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078.004"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "errorCode", "userName"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}]}, "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "abnormally_high_aws_instances_terminated_by_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/abnormally_high_aws_instances_terminated_by_user.yml", "source": "deprecated", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "Abnormally High AWS Instances Terminated by User - MLTK", "id": "1c02b86a-cd85-473e-a50b-014a9ac8fe3e", "version": 2, "date": "2020-07-21", "author": "Jason Brewer, Splunk", "type": "Anomaly", "status": "deprecated", "description": "This search looks for AWS CloudTrail events where a user successfully terminates an abnormally high number of instances. This search is deprecated and have been translated to use the latest Change Datamodel.", "data_source": [], "search": "`cloudtrail` eventName=TerminateInstances errorCode=success `abnormally_high_aws_instances_terminated_by_user___mltk_filter` | bucket span=10m _time | stats count as instances_terminated by _time src_user | apply ec2_excessive_terminateinstances_v1 | rename \"IsOutlier(instances_terminated)\" as isOutlier | where isOutlier=1", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. The threshold value should be tuned to your environment.", "known_false_positives": "Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.", "references": [], "tags": {"name": "Abnormally High AWS Instances Terminated by User - MLTK", "analytic_story": ["Suspicious AWS EC2 Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078.004"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "errorCode", "src_user"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}]}, "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "abnormally_high_aws_instances_terminated_by_user___mltk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/abnormally_high_aws_instances_terminated_by_user___mltk.yml", "source": "deprecated", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Cloud Provisioning From Previously Unseen City", "id": "344a1778-0b25-490c-adb1-de8beddf59cd", "version": 1, "date": "2018-03-16", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "deprecated", "description": "This search looks for AWS provisioning activities from previously unseen cities. Provisioning activities are defined broadly as any event that begins with \"Run\" or \"Create.\" This search is deprecated and have been translated to use the latest Change Datamodel. ", "data_source": [], "search": "`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search City=* [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search City=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by City | eval newCity=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newCity=1 | table City] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, City, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_city_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen AWS Provisioning Activity Sources\" support search once to create a history of previously seen locations that have provisioned AWS resources.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\\\n This search will fire any time a new city is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your city, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "references": [], "tags": {"name": "AWS Cloud Provisioning From Previously Unseen City", "analytic_story": ["AWS Suspicious Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1535"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "sourceIPAddress"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_cloud_provisioning_from_previously_unseen_city_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_city.yml", "source": "deprecated", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Cloud Provisioning From Previously Unseen Country", "id": "ceb8d3d8-06cb-49eb-beaf-829526e33ff0", "version": 1, "date": "2018-03-16", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "deprecated", "description": "This search looks for AWS provisioning activities from previously unseen countries. Provisioning activities are defined broadly as any event that begins with \"Run\" or \"Create.\" This search is deprecated and have been translated to use the latest Change Datamodel. ", "data_source": [], "search": "`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Country=* [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Country=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by Country | eval newCountry=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newCountry=1 | table Country] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, Country, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_country_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen AWS Provisioning Activity Sources\" support search once to create a history of previously seen locations that have provisioned AWS resources.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching over plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\\\n This search will fire any time a new country is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "references": [], "tags": {"name": "AWS Cloud Provisioning From Previously Unseen Country", "analytic_story": ["AWS Suspicious Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1535"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "sourceIPAddress"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_cloud_provisioning_from_previously_unseen_country_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_country.yml", "source": "deprecated", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Cloud Provisioning From Previously Unseen IP Address", "id": "42e15012-ac14-4801-94f4-f1acbe64880b", "version": 1, "date": "2018-03-16", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "deprecated", "description": "This search looks for AWS provisioning activities from previously unseen IP addresses. Provisioning activities are defined broadly as any event that begins with \"Run\" or \"Create.\" This search is deprecated and have been translated to use the latest Change Datamodel. ", "data_source": [], "search": "`cloudtrail` (eventName=Run* OR eventName=Create*) [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Country=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress | eval newIP=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newIP=1 | table sourceIPAddress] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_ip_address_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen AWS Provisioning Activity Sources\" support search once to create a history of previously seen locations that have provisioned AWS resources.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\\\n This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "references": [], "tags": {"name": "AWS Cloud Provisioning From Previously Unseen IP Address", "analytic_story": ["AWS Suspicious Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "sourceIPAddress"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_cloud_provisioning_from_previously_unseen_ip_address_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_ip_address.yml", "source": "deprecated", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS Cloud Provisioning From Previously Unseen Region", "id": "7971d3df-da82-4648-a6e5-b5637bea5253", "version": 1, "date": "2018-03-16", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "deprecated", "description": "This search looks for AWS provisioning activities from previously unseen regions. Region in this context is similar to a state in the United States. Provisioning activities are defined broadly as any event that begins with \"Run\" or \"Create.\" This search is deprecated and have been translated to use the latest Change Datamodel.", "data_source": [], "search": "`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Region=* [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Region=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by Region | eval newRegion=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newRegion=1 | table Region] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, Region, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_region_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen AWS Provisioning Activity Sources\" support search once to create a history of previously seen locations that have provisioned AWS resources.", "known_false_positives": "This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.\\\n This search will fire any time a new region is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your region, there should be few false positives. If you are located in regions where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.", "references": [], "tags": {"name": "AWS Cloud Provisioning From Previously Unseen Region", "analytic_story": ["AWS Suspicious Provisioning Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1535"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "sourceIPAddress"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_cloud_provisioning_from_previously_unseen_region_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/aws_cloud_provisioning_from_previously_unseen_region.yml", "source": "deprecated", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "AWS EKS Kubernetes cluster sensitive object access", "id": "7f227943-2196-4d4d-8d6a-ac8cb308e61c", "version": 1, "date": "2020-06-23", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides information on Kubernetes accounts accessing sensitve objects such as configmaps or secrets", "data_source": [], "search": "`aws_cloudwatchlogs_eks` objectRef.resource=secrets OR configmaps sourceIPs{}!=::1 sourceIPs{}!=127.0.0.1 |table sourceIPs{} user.username user.groups{} objectRef.resource objectRef.namespace objectRef.name annotations.authorization.k8s.io/reason |dedup user.username user.groups{} |`aws_eks_kubernetes_cluster_sensitive_object_access_filter`", "how_to_implement": "You must install Splunk Add-on for Amazon Web Services and Splunk App for AWS. This search works with cloudwatch logs.", "known_false_positives": "Sensitive object access is not necessarily malicious but user and object context can provide guidance for detection.", "references": [], "tags": {"name": "AWS EKS Kubernetes cluster sensitive object access", "analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "AWS EKS Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_eks_kubernetes_cluster_sensitive_object_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/aws_eks_kubernetes_cluster_sensitive_object_access.yml", "source": "deprecated"}, {"name": "Clients Connecting to Multiple DNS Servers", "id": "74ec6f18-604b-4202-a567-86b2066be3ce", "version": 3, "date": "2020-07-21", "author": "David Dorsey, Splunk", "type": "TTP", "status": "deprecated", "description": "This search allows you to identify the endpoints that have connected to more than five DNS servers and made DNS Queries over the time frame of the search.", "data_source": [], "search": "| tstats `security_content_summariesonly` count, values(DNS.dest) AS dest dc(DNS.dest) as dest_count from datamodel=Network_Resolution where DNS.message_type=QUERY by DNS.src | `drop_dm_object_name(\"Network_Resolution\")` |where dest_count > 5 | `clients_connecting_to_multiple_dns_servers_filter` ", "how_to_implement": "This search requires that DNS data is being ingested and populating the `Network_Resolution` data model. This data can come from DNS logs or from solutions that parse network traffic for this data, such as Splunk Stream or Bro.\\\nThis search produces fields (`dest_count`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\\\n1. **Label:** Distinct DNS Connections, **Field:** dest_count\\\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "It's possible that an enterprise has more than five DNS servers that are configured in a round-robin rotation. Please customize the search, as appropriate.", "references": [], "tags": {"name": "Clients Connecting to Multiple DNS Servers", "analytic_story": ["DNS Hijacking", "Suspicious DNS Traffic", "Host Redirection", "Command And Control"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "message": "tbd", "mitre_attack_id": ["T1048.003"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "DNS.dest", "DNS.message_type", "DNS.src"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}]}, "datamodel": ["Network_Resolution"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "clients_connecting_to_multiple_dns_servers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/clients_connecting_to_multiple_dns_servers.yml", "source": "deprecated", "nes_fields": "user,dest"}, {"name": "Cloud Network Access Control List Deleted", "id": "021abc51-1862-41dd-ad43-43c739c0a983", "version": 1, "date": "2020-09-08", "author": "Peter Gael, Splunk", "type": "Anomaly", "status": "deprecated", "description": "Enforcing network-access controls is one of the defensive mechanisms used by cloud administrators to restrict access to a cloud instance. After the attacker has gained control of the console by compromising an admin account, they can delete a network ACL and gain access to the instance from anywhere. This search will query the Change datamodel to detect users deleting network ACLs. Deprecated because it's a duplicate", "data_source": [], "search": "`cloudtrail` eventName=DeleteNetworkAcl|rename userIdentity.arn as arn | stats count min(_time) as firstTime max(_time) as lastTime values(errorMessage) values(errorCode) values(userAgent) values(userIdentity.*) by src userName arn eventName | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `cloud_network_access_control_list_deleted_filter`", "how_to_implement": "You must be ingesting your cloud infrastructure logs from your cloud provider. You can also provide additional filtering for this search by customizing the `cloud_network_access_control_list_deleted_filter` macro.", "known_false_positives": "It's possible that a user has legitimately deleted a network ACL.", "references": [], "tags": {"name": "Cloud Network Access Control List Deleted", "analytic_story": ["Cloud Network ACL Activity"], "asset_type": "Instance", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "userIdentity.arn", "errorMessage", "errorCode", "userAgent", "src", "userName", "arn"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "cloud_network_access_control_list_deleted_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/cloud_network_access_control_list_deleted.yml", "source": "deprecated", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "Detect Activity Related to Pass the Hash Attacks", "id": "f5939373-8054-40ad-8c64-cec478a22a4b", "version": 6, "date": "2020-10-15", "author": "Bhavin Patel, Patrick Bareiss, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search looks for specific authentication events from the Windows Security Event logs to detect potential attempts at using the Pass-the-Hash technique. This search is DEPRECATED as it is possible for event code 4624 to generate a high level of noise, as legitimate logon events may also trigger this event code. This can be especially true in environments with high levels of user activity, such as those with many concurrent logons or frequent logon attempts.", "data_source": ["Windows Security 4624"], "search": "`wineventlog_security` EventCode=4624 (Logon_Type=3 Logon_Process=NtLmSsp NOT AccountName=\"ANONYMOUS LOGON\") OR (Logon_Type=9 Logon_Process=seclogo) | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by EventCode, Logon_Type, WorkstationName, user, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_activity_related_to_pass_the_hash_attacks_filter`", "how_to_implement": "To successfully implement this search, you must ingest your Windows Security Event logs and leverage the latest TA for Windows.", "known_false_positives": "Legitimate logon activity by authorized NTLM systems may be detected by this search. Please investigate as appropriate.", "references": [], "tags": {"name": "Detect Activity Related to Pass the Hash Attacks", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "The following $EventCode$ occurred on $dest$ by $user$ with Logon Type 3, which may be indicative of the pass the hash technique.", "mitre_attack_id": ["T1550", "T1550.002"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "EventCode", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Logon_Type", "Logon_Process", "WorkstationName", "user", "dest"], "risk_score": 49, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1550.002", "mitre_attack_technique": "Pass the Hash", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT1", "APT28", "APT32", "Chimera", "GALLIUM", "Kimsuky"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.002/atomic_red_team/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_activity_related_to_pass_the_hash_attacks_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/detect_activity_related_to_pass_the_hash_attacks.yml", "source": "deprecated", "providing_technologies": ["Microsoft Windows"]}, {"name": "Detect API activity from users without MFA", "id": "4d46e8bd-4072-48e4-92db-0325889ef894", "version": 1, "date": "2018-05-17", "author": "Bhavin Patel, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search looks for AWS CloudTrail events where a user logged into the AWS account, is making API calls and has not enabled Multi Factor authentication. Multi factor authentication adds a layer of security by forcing the users to type a unique authentication code from an approved authentication device when they access AWS websites or services. AWS Best Practices recommend that you enable MFA for privileged IAM users.", "data_source": [], "search": "`cloudtrail` userIdentity.sessionContext.attributes.mfaAuthenticated=false | search NOT [| inputlookup aws_service_accounts | fields identity | rename identity as user]| stats count min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName by userIdentity.arn userIdentity.type user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_api_activity_from_users_without_mfa_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. Leverage the support search `Create a list of approved AWS service accounts`: run it once every 30 days to create a list of service accounts and validate them.\\\nThis search produces fields (`eventName`,`userIdentity.type`,`userIdentity.arn`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\\\n1. **Label:** AWS Event Name, **Field:** eventName\\\n1. \\\n1. **Label:** AWS User ARN, **Field:** userIdentity.arn\\\n1. \\\n1. **Label:** AWS User Type, **Field:** userIdentity.type\\\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "Many service accounts configured within an AWS infrastructure do not have multi factor authentication enabled. Please ignore the service accounts, if triggered and instead add them to the aws_service_accounts.csv file to fine tune the detection. It is also possible that the search detects users in your environment using Single Sign-On systems, since the MFA is not handled by AWS.", "references": [], "tags": {"name": "Detect API activity from users without MFA", "analytic_story": ["AWS User Monitoring"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "userIdentity.sessionContext.attributes.mfaAuthenticated", "eventName", "userIdentity.arn", "userIdentity.type", "user"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_api_activity_from_users_without_mfa_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "aws_service_accounts", "description": "A lookup file that will contain AWS Service accounts", "filename": "aws_service_accounts.csv"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/detect_api_activity_from_users_without_mfa.yml", "source": "deprecated", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "Detect AWS API Activities From Unapproved Accounts", "id": "ada0f478-84a8-4641-a3f1-d82362d4bd55", "version": 2, "date": "2020-07-21", "author": "Bhavin Patel, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search looks for successful AWS CloudTrail activity by user accounts that are not listed in the identity table or `aws_service_accounts.csv`. It returns event names and count, as well as the first and last time a specific user or service is detected, grouped by users. Deprecated because managing this list can be quite hard.", "data_source": [], "search": "`cloudtrail` errorCode=success | rename userName as identity | search NOT [| inputlookup identity_lookup_expanded | fields identity] | search NOT [| inputlookup aws_service_accounts | fields identity] | rename identity as user | stats count min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName by user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_aws_api_activities_from_unapproved_accounts_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You must also populate the `identity_lookup_expanded` lookup shipped with the Asset and Identity framework to be able to look up users in your identity table in Enterprise Security (ES). Leverage the support search called \"Create a list of approved AWS service accounts\": run it once every 30 days to create and validate a list of service accounts.\\\nThis search produces fields (`eventName`,`firstTime`,`lastTime`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\\\n1. **Label:** AWS Event Name, **Field:** eventName\\\n1. \\\n1. **Label:** First Time, **Field:** firstTime\\\n1. \\\n1. **Label:** Last Time, **Field:** lastTime\\\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "It's likely that you'll find activity detected by users/service accounts that are not listed in the `identity_lookup_expanded` or ` aws_service_accounts.csv` file. If the user is a legitimate service account, update the `aws_service_accounts.csv` table with that entry.", "references": [], "tags": {"name": "Detect AWS API Activities From Unapproved Accounts", "analytic_story": ["AWS User Monitoring"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078.004"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "errorCode", "userName", "eventName", "user"], "risk_score": 25, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_aws_api_activities_from_unapproved_accounts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "aws_service_accounts", "description": "A lookup file that will contain AWS Service accounts", "filename": "aws_service_accounts.csv"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/detect_aws_api_activities_from_unapproved_accounts.yml", "source": "deprecated", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "Detect DNS requests to Phishing Sites leveraging EvilGinx2", "id": "24dd17b1-e2fb-4c31-878c-d4f226595bfa", "version": 2, "date": "2020-07-21", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "deprecated", "description": "This search looks for DNS requests for phishing domains that are leveraging EvilGinx tools to mimic websites.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(DNS.answer) as answer from datamodel=Network_Resolution.DNS by DNS.dest DNS.src DNS.query host | `drop_dm_object_name(DNS)`| rex field=query \".*?(?[^./:]+\\.(\\S{2,3}|\\S{2,3}.\\S{2,3}))$\" | stats count values(query) as query by domain dest src answer| search `evilginx_phishlets_amazon` OR `evilginx_phishlets_facebook` OR `evilginx_phishlets_github` OR `evilginx_phishlets_0365` OR `evilginx_phishlets_outlook` OR `evilginx_phishlets_aws` OR `evilginx_phishlets_google` | search NOT [ inputlookup legit_domains.csv | fields domain]| join domain type=outer [| tstats count `security_content_summariesonly` values(Web.url) as url from datamodel=Web.Web by Web.dest Web.site | rename \"Web.*\" as * | rex field=site \".*?(?[^./:]+\\.(\\S{2,3}|\\S{2,3}.\\S{2,3}))$\" | table dest domain url] | table count src dest query answer domain url | `detect_dns_requests_to_phishing_sites_leveraging_evilginx2_filter`", "how_to_implement": "You need to ingest data from your DNS logs in the Network_Resolution datamodel. Specifically you must ingest the domain that is being queried and the IP of the host originating the request. Ideally, you should also be ingesting the answer to the query and the query type. This approach allows you to also create your own localized passive DNS capability which can aid you in future investigations. You will have to add legitimate domain names to the `legit_domains.csv` file shipped with the app. \\\n **Splunk>Phantom Playbook Integration**\\\nIf Splunk>Phantom is also configured in your environment, a Playbook called `Lets Encrypt Domain Investigate` can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, add the correct hostname to the \"Phantom Instance\" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active. \\\n(Playbook link:`https://my.phantom.us/4.2/playbook/lets-encrypt-domain-investigate/`).\\\n", "known_false_positives": "If a known good domain is not listed in the legit_domains.csv file, then the search could give you false postives. Please update that lookup file to filter out DNS requests to legitimate domains.", "references": [], "tags": {"name": "Detect DNS requests to Phishing Sites leveraging EvilGinx2", "analytic_story": ["Common Phishing Frameworks"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "tbd", "mitre_attack_id": ["T1566.003"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "DNS.answer", "DNS.dest", "DNS.src", "DNS.query", "host"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.003", "mitre_attack_technique": "Spearphishing via Service", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT29", "Ajax Security Team", "CURIUM", "Dark Caracal", "EXOTIC LILY", "FIN6", "Lazarus Group", "Magic Hound", "OilRig", "Windshift"]}]}, "datamodel": ["Network_Resolution", "Web"], "macros": [{"name": "evilginx_phishlets_0365", "definition": "(query=login* AND query=www*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Office 365"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "evilginx_phishlets_outlook", "definition": "(query=outlook* AND query=login* AND query=account*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Outlook"}, {"name": "evilginx_phishlets_facebook", "definition": "(query=www* AND query = m* AND query=static*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as FaceBook"}, {"name": "evilginx_phishlets_github", "definition": "(query=api* AND query = github*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as GitHub"}, {"name": "evilginx_phishlets_google", "definition": "(query=accounts* AND query=ssl* AND query=www*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Google"}, {"name": "evilginx_phishlets_aws", "definition": "(query=www* AND query=aws* AND query=console.aws* AND query=signin.aws* AND api-northeast-1.console.aws* AND query=fls-na* AND query=images-na*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as an AWS console"}, {"name": "evilginx_phishlets_amazon", "definition": "(query=fls-na* AND query = www* AND query=images*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Amazon"}, {"name": "detect_dns_requests_to_phishing_sites_leveraging_evilginx2_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/detect_dns_requests_to_phishing_sites_leveraging_evilginx2.yml", "source": "deprecated", "nes_fields": "user,dest"}, {"name": "Detect Long DNS TXT Record Response", "id": "05437c07-62f5-452e-afdc-04dd44815bb9", "version": 2, "date": "2020-07-21", "author": "Rico Valdez, Splunk", "type": "TTP", "status": "deprecated", "description": "This search is used to detect attempts to use DNS tunneling, by calculating the length of responses to DNS TXT queries. Endpoints using DNS as a method of transmission for data exfiltration, Command And Control, or evasion of security controls can often be detected by noting unusually large volumes of DNS traffic. Deprecated because this detection should focus on DNS queries instead of DNS responses.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.message_type=response AND DNS.record_type=TXT by DNS.src DNS.dest DNS.answer DNS.record_type | `drop_dm_object_name(\"DNS\")` | eval anslen=len(answer) | search anslen>100 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename src as \"Source IP\", dest as \"Destination IP\", answer as \"DNS Answer\" anslen as \"Answer Length\" record_type as \"DNS Record Type\" firstTime as \"First Time\" lastTime as \"Last Time\" count as Count | table \"Source IP\" \"Destination IP\" \"DNS Answer\" \"DNS Record Type\" \"Answer Length\" Count \"First Time\" \"Last Time\" | `detect_long_dns_txt_record_response_filter`", "how_to_implement": "To successfully implement this search you need to ingest data from your DNS logs, or monitor DNS traffic using Stream, Bro or something similar. Specifically, this query requires that the DNS data model is populated with information regarding the DNS record type that is being returned as well as the data in the answer section of the protocol.", "known_false_positives": "It's possible that legitimate TXT record responses can be long enough to trigger this search. You can modify the packet threshold for this search to help mitigate false positives.", "references": [], "tags": {"name": "Detect Long DNS TXT Record Response", "analytic_story": ["Suspicious DNS Traffic", "Command And Control"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "message": "tbd", "mitre_attack_id": ["T1048.003"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "DNS.message_type", "DNS.record_type", "DNS.src", "DNS.dest", "DNS.answer"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}]}, "datamodel": ["Network_Resolution"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_long_dns_txt_record_response_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/detect_long_dns_txt_record_response.yml", "source": "deprecated", "nes_fields": "user,dest"}, {"name": "Detect Mimikatz Using Loaded Images", "id": "29e307ba-40af-4ab2-91b2-3c6b392bbba0", "version": 1, "date": "2019-12-03", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "This search looks for reading loaded Images unique to credential dumping with Mimikatz. Deprecated because mimikatz libraries changed and very noisy sysmon Event Code.", "data_source": ["Sysmon Event ID 7"], "search": "`sysmon` EventCode=7 | stats values(ImageLoaded) as ImageLoaded values(ProcessId) as ProcessId by Computer, Image | search ImageLoaded=*WinSCard.dll ImageLoaded=*cryptdll.dll ImageLoaded=*hid.dll ImageLoaded=*samlib.dll ImageLoaded=*vaultcli.dll | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_mimikatz_using_loaded_images_filter`", "how_to_implement": "This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 7 with powershell.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "Other tools can import the same DLLs. These tools should be part of a whitelist. False positives may be present with any process that authenticates or uses credentials, PowerShell included. Filter based on parent process.", "references": ["https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html"], "tags": {"name": "Detect Mimikatz Using Loaded Images", "analytic_story": ["Credential Dumping", "Detect Zerologon Attack", "Cloud Federated Credential Abuse", "DarkSide Ransomware", "CISA AA22-257A", "CISA AA22-264A", "CISA AA22-320A", "Sandworm Tools"], "asset_type": "Windows", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "A process, $Image$, has loaded $ImageLoaded$ that are typically related to credential dumping on $Computer$. Review for further details.", "mitre_attack_id": ["T1003.001", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "ImageLoaded", "type": "Process", "role": ["Other"]}, {"name": "Image", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ImageLoaded", "ProcessId", "Computer", "Image"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_mimikatz_using_loaded_images_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/detect_mimikatz_using_loaded_images.yml", "source": "deprecated", "nes_fields": "user,dest"}, {"name": "Detect Mimikatz Via PowerShell And EventCode 4703", "id": "98917be2-bfc8-475a-8618-a9bb06575188", "version": 2, "date": "2019-02-27", "author": "Rico Valdez, Splunk", "type": "TTP", "status": "deprecated", "description": "This search looks for PowerShell requesting privileges consistent with credential dumping. Deprecated, looks like things changed from a logging perspective.", "data_source": [], "search": "`wineventlog_security` signature_id=4703 Process_Name=*powershell.exe | rex field=Message \"Enabled Privileges:\\s+(?\\w+)\\s+Disabled Privileges:\" | where privs=\"SeDebugPrivilege\" | stats count min(_time) as firstTime max(_time) as lastTime by dest, Process_Name, privs, Process_ID, Message | rename privs as \"Enabled Privilege\" | rename Process_Name as process | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_mimikatz_via_powershell_and_eventcode_4703_filter`", "how_to_implement": "You must be ingesting Windows Security logs. You must also enable the account change auditing here: http://docs.splunk.com/Documentation/Splunk/7.0.2/Data/MonitorWindowseventlogdata. Additionally, this search requires you to enable your Group Management Audit Logs in your Local Windows Security Policy and to be ingesting those logs. More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/. Finally, please make sure that the local administrator group name is \"Administrators\" to be able to look for the right group membership changes.", "known_false_positives": "The activity may be legitimate. PowerShell is often used by administrators to perform various tasks, and it's possible this event could be generated in those cases. In these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise.", "references": [], "tags": {"name": "Detect Mimikatz Via PowerShell And EventCode 4703", "analytic_story": ["Cloud Federated Credential Abuse"], "asset_type": "Windows", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1003.001"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "signature_id", "Process_Name", "Message", "dest", "Process_ID"], "risk_score": 25, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_mimikatz_via_powershell_and_eventcode_4703_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/detect_mimikatz_via_powershell_and_eventcode_4703.yml", "source": "deprecated", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Detect new API calls from user roles", "id": "22773e84-bac0-4595-b086-20d3f335b4f1", "version": 1, "date": "2018-04-16", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "deprecated", "description": "This search detects new API calls that have either never been seen before or that have not been seen in the previous hour, where the identity type is `AssumedRole`.", "data_source": [], "search": "`cloudtrail` eventType=AwsApiCall errorCode=success userIdentity.type=AssumedRole [search `cloudtrail` eventType=AwsApiCall errorCode=success userIdentity.type=AssumedRole | stats earliest(_time) as earliest latest(_time) as latest by userName eventName | inputlookup append=t previously_seen_api_calls_from_user_roles | stats min(earliest) as earliest, max(latest) as latest by userName eventName | outputlookup previously_seen_api_calls_from_user_roles| eval newApiCallfromUserRole=if(earliest>=relative_time(now(), \"-70m@m\"), 1, 0) | where newApiCallfromUserRole=1 | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | table eventName userName] |rename userName as user| stats values(eventName) earliest(_time) as earliest latest(_time) as latest by user | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | `detect_new_api_calls_from_user_roles_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously seen API call per user roles in AWS CloudTrail\" support search once to create a history of previously seen user roles.", "known_false_positives": "It is possible that there are legitimate user roles making new or infrequently used API calls in your infrastructure, causing the search to trigger.", "references": [], "tags": {"name": "Detect new API calls from user roles", "analytic_story": ["AWS User Monitoring"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078.004"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventType", "errorCode", "userIdentity.type", "userName", "eventName"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_new_api_calls_from_user_roles_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_api_calls_from_user_roles", "description": "A placeholder for a list of IPs that have access S3", "collection": "previously_seen_api_calls_from_user_roles", "fields_list": "_key,earliest,latest,userName,eventName"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/detect_new_api_calls_from_user_roles.yml", "source": "deprecated", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "Detect new user AWS Console Login", "id": "ada0f478-84a8-4641-a3f3-d82362dffd75", "version": 2, "date": "2020-07-21", "author": "Bhavin Patel, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour. Deprecated now this search is updated to use the Authentication datamodel.", "data_source": [], "search": "`cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user | stats earliest(_time) as firstTime latest(_time) as lastTime by user | inputlookup append=t previously_seen_users_console_logins_cloudtrail | stats min(firstTime) as firstTime max(lastTime) as lastTime by user | eval userStatus=if(firstTime >= relative_time(now(), \"-70m@m\"), \"First Time Logging into AWS Console\",\"Previously Seen User\") | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| where userStatus =\"First Time Logging into AWS Console\" | `detect_new_user_aws_console_login_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. Run the \"Previously seen users in AWS CloudTrail\" support search only once to create a baseline of previously seen IAM users within the last 30 days. Run \"Update previously seen users in AWS CloudTrail\" hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines.", "known_false_positives": "When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.", "references": [], "tags": {"name": "Detect new user AWS Console Login", "analytic_story": ["Suspicious AWS Login Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078.004"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "userIdentity.arn"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_new_user_aws_console_login_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/detect_new_user_aws_console_login.yml", "source": "deprecated", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "Detect Spike in AWS API Activity", "id": "ada0f478-84a8-4641-a3f1-d32362d4bd55", "version": 2, "date": "2020-07-21", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "deprecated", "description": "This search will detect users creating spikes of API activity in your AWS environment. It will also update the cache file that factors in the latest data. This search is deprecated and have been translated to use the latest Change Datamodel.", "data_source": [], "search": "`cloudtrail` eventType=AwsApiCall [search `cloudtrail` eventType=AwsApiCall | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup api_call_by_user_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup api_call_by_user_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | stats values(eventName) as eventName, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_aws_api_activity_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike.\\\nThis search produces fields (`eventName`,`numberOfApiCalls`,`uniqueApisCalled`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\\\n1. **Label:** AWS Event Name, **Field:** eventName\\\n1. \\\n1. **Label:** Number of API Calls, **Field:** numberOfApiCalls\\\n1. \\\n1. **Label:** Unique API Calls, **Field:** uniqueApisCalled\\\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "", "references": [], "tags": {"name": "Detect Spike in AWS API Activity", "analytic_story": ["AWS User Monitoring"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078.004"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventType", "userIdentity.arn"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}]}, "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_spike_in_aws_api_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "api_call_by_user_baseline", "description": "A collection that will contain the baseline information for number of AWS API calls per user", "collection": "api_call_by_user_baseline", "fields_list": "arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls"}, {"name": "api_call_by_user_baseline", "description": "A collection that will contain the baseline information for number of AWS API calls per user", "collection": "api_call_by_user_baseline", "fields_list": "arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/detect_spike_in_aws_api_activity.yml", "source": "deprecated", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "Detect Spike in Network ACL Activity", "id": "ada0f478-84a8-4641-a1f1-e32372d4bd53", "version": 1, "date": "2018-05-21", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "deprecated", "description": "This search will detect users creating spikes in API activity related to network access-control lists (ACLs)in your AWS environment. This search is deprecated and have been translated to use the latest Change Datamodel.", "data_source": [], "search": "`cloudtrail` `network_acl_events` [search `cloudtrail` `network_acl_events` | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup network_acl_activity_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup network_acl_activity_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | stats values(eventName) as eventNames, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_network_acl_activity_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the \"Baseline of Network ACL Activity by ARN\" support search once to create a lookup file of previously seen Network ACL Activity. To add or remove API event names related to network ACLs, edit the macro `network_acl_events`.", "known_false_positives": "The false-positive rate may vary based on the values of`dataPointThreshold` and `deviationThreshold`. Please modify this according the your environment.", "references": [], "tags": {"name": "Detect Spike in Network ACL Activity", "analytic_story": ["AWS Network ACL Activity"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1562.007"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "userIdentity.arn"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "datamodel": [], "macros": [{"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "network_acl_events", "definition": "(eventName = CreateNetworkAcl OR eventName = CreateNetworkAclEntry OR eventName = DeleteNetworkAcl OR eventName = DeleteNetworkAclEntry OR eventName = ReplaceNetworkAclEntry OR eventName = ReplaceNetworkAclAssociation)", "description": "This is a list of AWS event names that are associated with Network ACLs"}, {"name": "detect_spike_in_network_acl_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "network_acl_activity_baseline", "description": "A lookup file that will contain the baseline information for number of AWS Network ACL Activity", "filename": "network_acl_activity_baseline.csv"}, {"name": "network_acl_activity_baseline", "description": "A lookup file that will contain the baseline information for number of AWS Network ACL Activity", "filename": "network_acl_activity_baseline.csv"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/detect_spike_in_network_acl_activity.yml", "source": "deprecated", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "Detect Spike in Security Group Activity", "id": "ada0f478-84a8-4641-a3f1-e32372d4bd53", "version": 1, "date": "2018-04-18", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "deprecated", "description": "This search will detect users creating spikes in API activity related to security groups in your AWS environment. It will also update the cache file that factors in the latest data. This search is deprecated and have been translated to use the latest Change Datamodel.", "data_source": [], "search": "`cloudtrail` `security_group_api_calls` [search `cloudtrail` `security_group_api_calls` | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup security_group_activity_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup security_group_activity_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | stats values(eventName) as eventNames, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_security_group_activity_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike.This search works best when you run the \"Baseline of Security Group Activity by ARN\" support search once to create a history of previously seen Security Group Activity. To add or remove API event names for security groups, edit the macro `security_group_api_calls`.", "known_false_positives": "Based on the values of`dataPointThreshold` and `deviationThreshold`, the false positive rate may vary. Please modify this according the your environment.", "references": [], "tags": {"name": "Detect Spike in Security Group Activity", "analytic_story": ["AWS User Monitoring"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078.004"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "serIdentity.arn"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}]}, "datamodel": [], "macros": [{"name": "security_group_api_calls", "definition": "(eventName=AuthorizeSecurityGroupIngress OR eventName=CreateSecurityGroup OR eventName=DeleteSecurityGroup OR eventName=DescribeClusterSecurityGroups OR eventName=DescribeDBSecurityGroups OR eventName=DescribeSecurityGroupReferences OR eventName=DescribeSecurityGroups OR eventName=DescribeStaleSecurityGroups OR eventName=RevokeSecurityGroupIngress OR eventName=UpdateSecurityGroupRuleDescriptionsIngress)", "description": "This macro is a list of AWS event names associated with security groups"}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_spike_in_security_group_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "security_group_activity_baseline", "description": "A placeholder for the baseline information for AWS security groups", "collection": "security_group_activity_baseline", "fields_list": "_key, arn,latestCount,numDataPoints,avgApiCalls,stdevApiCalls"}, {"name": "security_group_activity_baseline", "description": "A placeholder for the baseline information for AWS security groups", "collection": "security_group_activity_baseline", "fields_list": "_key, arn,latestCount,numDataPoints,avgApiCalls,stdevApiCalls"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/detect_spike_in_security_group_activity.yml", "source": "deprecated", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "Detect USB device insertion", "id": "104658f4-afdc-499f-9719-17a43f9826f5", "version": 1, "date": "2017-11-27", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "deprecated", "description": "The search is used to detect hosts that generate Windows Event ID 4663 for successful attempts to write to or read from a removable storage and Event ID 4656 for failures, which occurs when a USB drive is plugged in. In this scenario we are querying the Change_Analysis data model to look for Windows Event ID 4656 or 4663 where the priority of the affected host is marked as high in the ES Assets and Identity Framework.", "data_source": [], "search": "| tstats `security_content_summariesonly` count earliest(_time) AS earliest latest(_time) AS latest from datamodel=Change_Analysis where (nodename = All_Changes) All_Changes.result=\"Removable Storage device\" (All_Changes.result_id=4663 OR All_Changes.result_id=4656) (All_Changes.src_priority=high) by All_Changes.dest | `drop_dm_object_name(\"All_Changes\")`| `security_content_ctime(earliest)`| `security_content_ctime(latest)` | `detect_usb_device_insertion_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663 and 4656. Ensure that the field from the event logs is being mapped to the result_id field in the Change_Analysis data model. To minimize the alert volume, this search leverages the Assets and Identity framework to filter out events from those assets not marked high priority in the Enterprise Security Assets and Identity Framework.", "known_false_positives": "Legitimate USB activity will also be detected. Please verify and investigate as appropriate.", "references": [], "tags": {"name": "Detect USB device insertion", "analytic_story": ["Data Protection"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.result", "All_Changes.result_id", "All_Changes.src_priority", "All_Changes.dest"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": ["Change", "Change_Analysis"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_usb_device_insertion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/detect_usb_device_insertion.yml", "source": "deprecated", "nes_fields": "user,dest"}, {"name": "Detect web traffic to dynamic domain providers", "id": "134da869-e264-4a8f-8d7e-fcd01c18f301", "version": 2, "date": "2020-07-21", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "deprecated", "description": "This search looks for web connections to dynamic DNS providers.", "data_source": [], "search": "| tstats `security_content_summariesonly` count values(Web.url) as url min(_time) as firstTime from datamodel=Web where Web.status=200 by Web.src Web.dest Web.status | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `dynamic_dns_web_traffic` | `detect_web_traffic_to_dynamic_domain_providers_filter`", "how_to_implement": "This search requires you to be ingesting web-traffic logs. You can obtain these logs from indexing data from a web proxy or by using a network-traffic-analysis tool, such as Bro or Splunk Stream. The web data model must contain the URL being requested, the IP address of the host initiating the request, and the destination IP. This search also leverages a lookup file, `dynamic_dns_providers_default.csv`, which contains a non-exhaustive list of dynamic DNS providers. Consider periodically updating this local lookup file with new domains.\\\nThis search produces fields (`isDynDNS`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\\\n1. **Label:** IsDynamicDNS, **Field:** isDynDNS\\\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details` Deprecated because duplicate.", "known_false_positives": "It is possible that list of dynamic DNS providers is outdated and/or that the URL being requested is legitimate.", "references": [], "tags": {"name": "Detect web traffic to dynamic domain providers", "analytic_story": ["Dynamic DNS"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command And Control"], "message": "tbd", "mitre_attack_id": ["T1071.001"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Web.url", "Web.status", "Web.src", "Web.dest"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1071.001", "mitre_attack_technique": "Web Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Confucius", "Dark Caracal", "FIN4", "FIN8", "Gamaredon Group", "HAFNIUM", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "OilRig", "Orangeworm", "Rancor", "Rocke", "Sandworm Team", "Sidewinder", "SilverTerrier", "Stealth Falcon", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "WIRTE", "Windshift", "Wizard Spider"]}]}, "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "dynamic_dns_web_traffic", "definition": "lookup update=true dynamic_dns_providers_default dynamic_dns_domains as url OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local dynamic_dns_domains as url OUTPUTNEW isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_default, isDynDNS_local)|fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True", "description": "This is a description"}, {"name": "detect_web_traffic_to_dynamic_domain_providers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/detect_web_traffic_to_dynamic_domain_providers.yml", "source": "deprecated", "nes_fields": "user,dest"}, {"name": "Detection of DNS Tunnels", "id": "104658f4-afdc-499f-9719-17a43f9826f4", "version": 2, "date": "2022-02-15", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "deprecated", "description": "This search is used to detect DNS tunneling, by calculating the sum of the length of DNS queries and DNS answers. The search also filters out potential false positives by filtering out queries made to internal systems and the queries originating from internal DNS, Web, and Email servers. Endpoints using DNS as a method of transmission for data exfiltration, Command And Control, or evasion of security controls can often be detected by noting an unusually large volume of DNS traffic. \\\nNOTE:Deprecated because existing detection is doing the same. This detection is replaced with two other variations, if you are using MLTK then you can use this search `ESCU - DNS Query Length Outliers - MLTK - Rule` or use the standard deviation version `ESCU - DNS Query Length With High Standard Deviation - Rule`, as an alternantive.", "data_source": [], "search": "| tstats `security_content_summariesonly` dc(\"DNS.query\") as count from datamodel=Network_Resolution where nodename=DNS \"DNS.message_type\"=\"QUERY\" NOT (`cim_corporate_web_domain_search(\"DNS.query\")`) NOT \"DNS.query\"=\"*.in-addr.arpa\" NOT (\"DNS.src_category\"=\"svc_infra_dns\" OR \"DNS.src_category\"=\"svc_infra_webproxy\" OR \"DNS.src_category\"=\"svc_infra_email*\" ) by \"DNS.src\",\"DNS.query\" | rename \"DNS.src\" as src \"DNS.query\" as message | eval length=len(message) | stats sum(length) as length by src | append [ tstats `security_content_summariesonly` dc(\"DNS.answer\") as count from datamodel=Network_Resolution where nodename=DNS \"DNS.message_type\"=\"QUERY\" NOT (`cim_corporate_web_domain_search(\"DNS.query\")`) NOT \"DNS.query\"=\"*.in-addr.arpa\" NOT (\"DNS.src_category\"=\"svc_infra_dns\" OR \"DNS.src_category\"=\"svc_infra_webproxy\" OR \"DNS.src_category\"=\"svc_infra_email*\" ) by \"DNS.src\",\"DNS.answer\" | rename \"DNS.src\" as src \"DNS.answer\" as message | eval message=if(message==\"unknown\",\"\", message) | eval length=len(message) | stats sum(length) as length by src ] | stats sum(length) as length by src | where length > 10000 | `detection_of_dns_tunnels_filter`", "how_to_implement": "To successfully implement this search, we must ensure that DNS data is being ingested and mapped to the appropriate fields in the Network_Resolution data model. Fields like src_category are automatically provided by the Assets and Identity Framework shipped with Splunk Enterprise Security. You will need to ensure you are using the Assets and Identity Framework and populating the src_category field. You will also need to enable the `cim_corporate_web_domain_search()` macro which will essentially filter out the DNS queries made to the corporate web domains to reduce alert fatigue.", "known_false_positives": "It's possible that normal DNS traffic will exhibit this behavior. If an alert is generated, please investigate and validate as appropriate. The threshold can also be modified to better suit your environment.", "references": [], "tags": {"name": "Detection of DNS Tunnels", "analytic_story": ["Data Protection", "Suspicious DNS Traffic", "Command And Control"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "message": "tbd", "mitre_attack_id": ["T1048.003"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "DNS.query", "DNS.message_type", "DNS.src_category", "DNS.src"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}]}, "datamodel": ["Network_Resolution"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detection_of_dns_tunnels_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/detection_of_dns_tunnels.yml", "source": "deprecated", "nes_fields": "user,dest"}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "id": "1a67f15a-f4ff-4170-84e9-08cf6f75d6f6", "version": 3, "date": "2020-07-21", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "deprecated", "description": "This search will detect DNS requests resolved by unauthorized DNS servers. Legitimate DNS servers should be identified in the Enterprise Security Assets and Identity Framework.", "data_source": [], "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where DNS.dest_category != dns_server AND DNS.src_category != dns_server by DNS.src DNS.dest | `drop_dm_object_name(\"DNS\")` | `dns_query_requests_resolved_by_unauthorized_dns_servers_filter` ", "how_to_implement": "To successfully implement this search you will need to ensure that DNS data is populating the Network_Resolution data model. It also requires that your DNS servers are identified correctly in the Assets and Identity table of Enterprise Security.", "known_false_positives": "Legitimate DNS activity can be detected in this search. Investigate, verify and update the list of authorized DNS servers as appropriate.", "references": [], "tags": {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "analytic_story": ["DNS Hijacking", "Suspicious DNS Traffic", "Host Redirection", "Command And Control"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command And Control"], "message": "tbd", "mitre_attack_id": ["T1071.004"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "DNS.dest_category", "DNS.src_category", "DNS.src", "DNS.dest"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}]}, "datamodel": ["Network_Resolution"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "dns_query_requests_resolved_by_unauthorized_dns_servers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/dns_query_requests_resolved_by_unauthorized_dns_servers.yml", "source": "deprecated", "nes_fields": "user,dest"}, {"name": "DNS record changed", "id": "44d3a43e-dcd5-49f7-8356-5209bb369065", "version": 3, "date": "2020-07-21", "author": "Jose Hernandez, Splunk", "type": "TTP", "status": "deprecated", "description": "The search takes the DNS records and their answers results of the discovered_dns_records lookup and finds if any records have changed by searching DNS response from the Network_Resolution datamodel across the last day.", "data_source": [], "search": "| inputlookup discovered_dns_records | rename answer as discovered_answer | join domain[|tstats `security_content_summariesonly` count values(DNS.record_type) as type, values(DNS.answer) as current_answer values(DNS.src) as src from datamodel=Network_Resolution where DNS.message_type=RESPONSE DNS.answer!=\"unknown\" DNS.answer!=\"\" by DNS.query | rename DNS.query as query | where query!=\"unknown\" | rex field=query \"(?\\w+\\.\\w+?)(?:$|/)\"] | makemv delim=\" \" answer | makemv delim=\" \" type | sort -count | table count,src,domain,type,query,current_answer,discovered_answer | makemv current_answer | mvexpand current_answer | makemv discovered_answer | eval n=mvfind(discovered_answer, current_answer) | where isnull(n) | `dns_record_changed_filter`", "how_to_implement": "To successfully implement this search you will need to ensure that DNS data is populating the `Network_Resolution` data model. It also requires that the `discover_dns_record` lookup table be populated by the included support search \"Discover DNS record\". \\\n **Splunk>Phantom Playbook Integration**\\\nIf Splunk>Phantom is also configured in your environment, a Playbook called \"DNS Hijack Enrichment\" can be configured to run when any results are found by this detection search. The playbook takes in the DNS record changed and uses Geoip, whois, Censys and PassiveTotal to detect if DNS issuers changed. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, add the correct hostname to the \"Phantom Instance\" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active. \\\n(Playbook Link:`https://my.phantom.us/4.2/playbook/dns-hijack-enrichment/`).\\\n", "known_false_positives": "Legitimate DNS changes can be detected in this search. Investigate, verify and update the list of provided current answers for the domains in question as appropriate.", "references": [], "tags": {"name": "DNS record changed", "analytic_story": ["DNS Hijacking"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command And Control"], "message": "tbd", "mitre_attack_id": ["T1071.004"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "DNS.record_type", "DNS.answer", "DNS.src", "DNS.message_type", "DNS.query"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}]}, "datamodel": ["Network_Resolution"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "dns_record_changed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "discovered_dns_records", "description": "A placeholder for a list of discovered DNS records generated by the baseline discover_dns_records", "filename": "discovered_dns_records.csv", "default_match": "false", "min_matches": 1}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/dns_record_changed.yml", "source": "deprecated", "nes_fields": "user,dest"}, {"name": "Dump LSASS via procdump Rename", "id": "21276daa-663d-11eb-ae93-0242ac130002", "version": 1, "date": "2021-02-01", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "deprecated", "description": "Detect a renamed instance of procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage. -mm will produce a mini dump file and -ma will write a dump file with all process memory. Both are highly suspect and should be reviewed. Modify the query as needed.\\\nDuring triage, confirm this is procdump.exe executing. If it is the first time a Sysinternals utility has been ran, it is possible there will be a -accepteula on the command line. Review other endpoint data sources for cross process (injection) into lsass.exe.", "data_source": ["Sysmon Event ID 1"], "search": "`sysmon` OriginalFileName=procdump process_name!=procdump*.exe EventID=1 (CommandLine=*-ma* OR CommandLine=*-mm*) CommandLine=*lsass* | rename Computer as dest | stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name, process_name, OriginalFileName, CommandLine | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_procdump_rename_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "None identified.", "references": ["https://attack.mitre.org/techniques/T1003/001/", "https://docs.microsoft.com/en-us/sysinternals/downloads/procdump", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md#atomic-test-2---dump-lsassexe-memory-using-procdump"], "tags": {"name": "Dump LSASS via procdump Rename", "analytic_story": ["Credential Dumping", "HAFNIUM Group", "CISA AA22-257A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$, attempting to dump lsass.exe.", "mitre_attack_id": ["T1003.001"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "OriginalFileName", "process_name", "EventID", "CommandLine", "Computer", "parent_process_name"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "dump_lsass_via_procdump_rename_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/dump_lsass_via_procdump_rename.yml", "source": "deprecated"}, {"name": "EC2 Instance Modified With Previously Unseen User", "id": "56f91724-cf3f-4666-84e1-e3712fb41e76", "version": 3, "date": "2020-07-21", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "deprecated", "description": "This search looks for EC2 instances being modified by users who have not previously modified them. This search is deprecated and have been translated to use the latest Change Datamodel.", "data_source": [], "search": "`cloudtrail` `ec2_modification_api_calls` [search `cloudtrail` `ec2_modification_api_calls` errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by userIdentity.arn | rename userIdentity.arn as arn | inputlookup append=t previously_seen_ec2_modifications_by_user | stats min(firstTime) as firstTime, max(lastTime) as lastTime by arn | outputlookup previously_seen_ec2_modifications_by_user | eval newUser=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newUser=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=dest responseElements.instancesSet.items{}.instanceId | spath output=user userIdentity.arn | table _time, user, dest | `ec2_instance_modified_with_previously_unseen_user_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen EC2 Launches By User\" support search once to create a history of previously seen ARNs. To add or remove APIs that modify an EC2 instance, edit the macro `ec2_modification_api_calls`.", "known_false_positives": "It's possible that a new user will start to modify EC2 instances when they haven't before for any number of reasons. Verify with the user that is modifying instances that this is the intended behavior.", "references": [], "tags": {"name": "EC2 Instance Modified With Previously Unseen User", "analytic_story": ["Unusual AWS EC2 Modifications"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078.004"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "errorCode", "userIdentity.arn"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "ec2_modification_api_calls", "definition": "(eventName=AssociateAddress OR eventName=AssociateIamInstanceProfile OR eventName=AttachClassicLinkVpc OR eventName=AttachNetworkInterface OR eventName=AttachVolume OR eventName=BundleInstance OR eventName=DetachClassicLinkVpc OR eventName=DetachVolume OR eventName=ModifyInstanceAttribute OR eventName=ModifyInstancePlacement OR eventName=MonitorInstances OR eventName=RebootInstances OR eventName=ResetInstanceAttribute OR eventName=StartInstances OR eventName=StopInstances OR eventName=TerminateInstances OR eventName=UnmonitorInstances)", "description": "This is a list of AWS event names that have to do with modifying Amazon EC2 instances"}, {"name": "ec2_instance_modified_with_previously_unseen_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_ec2_modifications_by_user", "description": "A place holder for a list of AWS EC2 modifications done by each user", "filename": "previously_seen_ec2_modifications_by_user.csv"}, {"name": "previously_seen_ec2_modifications_by_user", "description": "A place holder for a list of AWS EC2 modifications done by each user", "filename": "previously_seen_ec2_modifications_by_user.csv"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/ec2_instance_modified_with_previously_unseen_user.yml", "source": "deprecated", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "EC2 Instance Started In Previously Unseen Region", "id": "ada0f478-84a8-4641-a3f3-d82362d6fd75", "version": 1, "date": "2018-02-23", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "deprecated", "description": "This search looks for AWS CloudTrail events where an instance is started in a particular region in the last one hour and then compares it to a lookup file of previously seen regions where an instance was started", "data_source": [], "search": "`cloudtrail` earliest=-1h StartInstances | stats earliest(_time) as earliest latest(_time) as latest by awsRegion | inputlookup append=t previously_seen_aws_regions.csv | stats min(earliest) as earliest max(latest) as latest by awsRegion | outputlookup previously_seen_aws_regions.csv | eval regionStatus=if(earliest >= relative_time(now(),\"-1d@d\"), \"Instance Started in a New Region\",\"Previously Seen Region\") | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | where regionStatus=\"Instance Started in a New Region\" | `ec2_instance_started_in_previously_unseen_region_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. Run the \"Previously seen AWS Regions\" support search only once to create of baseline of previously seen regions. This search is deprecated and have been translated to use the latest Change Datamodel.", "known_false_positives": "It's possible that a user has unknowingly started an instance in a new region. Please verify that this activity is legitimate.", "references": [], "tags": {"name": "EC2 Instance Started In Previously Unseen Region", "analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1535"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "awsRegion"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "ec2_instance_started_in_previously_unseen_region_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/ec2_instance_started_in_previously_unseen_region.yml", "source": "deprecated", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "EC2 Instance Started With Previously Unseen AMI", "id": "347ec301-601b-48b9-81aa-9ddf9c829dd3", "version": 1, "date": "2018-03-12", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "deprecated", "description": "This search looks for EC2 instances being created with previously unseen AMIs. This search is deprecated and have been translated to use the latest Change Datamodel.", "data_source": [], "search": "`cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by requestParameters.instancesSet.items{}.imageId | rename requestParameters.instancesSet.items{}.imageId as amiID | inputlookup append=t previously_seen_ec2_amis.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by amiID | outputlookup previously_seen_ec2_amis.csv | eval newAMI=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | where newAMI=1 | rename amiID as requestParameters.instancesSet.items{}.imageId | table requestParameters.instancesSet.items{}.imageId] | rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest, userIdentity.arn as arn, requestParameters.instancesSet.items{}.imageId as amiID | table firstTime, lastTime, arn, amiID, dest, instanceType | `ec2_instance_started_with_previously_unseen_ami_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen EC2 AMIs\" support search once to create a history of previously seen AMIs.", "known_false_positives": "After a new AMI is created, the first systems created with that AMI will cause this alert to fire. Verify that the AMI being used was created by a legitimate user.", "references": [], "tags": {"name": "EC2 Instance Started With Previously Unseen AMI", "analytic_story": ["AWS Cryptomining"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "errorCode", "requestParameters.instancesSet.items{}.imageId"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "ec2_instance_started_with_previously_unseen_ami_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/ec2_instance_started_with_previously_unseen_ami.yml", "source": "deprecated", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "EC2 Instance Started With Previously Unseen Instance Type", "id": "65541c80-03c7-4e05-83c8-1dcd57a2e1ad", "version": 2, "date": "2020-02-07", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "deprecated", "description": "This search looks for EC2 instances being created with previously unseen instance types. This search is deprecated and have been translated to use the latest Change Datamodel.", "data_source": [], "search": "`cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success | fillnull value=\"m1.small\" requestParameters.instanceType | stats earliest(_time) as earliest latest(_time) as latest by requestParameters.instanceType | rename requestParameters.instanceType as instanceType | inputlookup append=t previously_seen_ec2_instance_types.csv | stats min(earliest) as earliest max(latest) as latest by instanceType | outputlookup previously_seen_ec2_instance_types.csv | eval newType=if(earliest >= relative_time(now(), \"-70m@m\"), 1, 0) | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | where newType=1 | rename instanceType as requestParameters.instanceType | table requestParameters.instanceType] | spath output=user userIdentity.arn | rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest | table _time, user, dest, instanceType | `ec2_instance_started_with_previously_unseen_instance_type_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen EC2 Instance Types\" support search once to create a history of previously seen instance types.", "known_false_positives": "It is possible that an admin will create a new system using a new instance type never used before. Verify with the creator that they intended to create the system with the new instance type.", "references": [], "tags": {"name": "EC2 Instance Started With Previously Unseen Instance Type", "analytic_story": ["AWS Cryptomining"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "errorCode", "requestParameters.instanceType"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "ec2_instance_started_with_previously_unseen_instance_type_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/ec2_instance_started_with_previously_unseen_instance_type.yml", "source": "deprecated", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "EC2 Instance Started With Previously Unseen User", "id": "22773e84-bac0-4595-b086-20d3f735b4f1", "version": 2, "date": "2020-07-21", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "deprecated", "description": "This search looks for EC2 instances being created by users who have not created them before. This search is deprecated and have been translated to use the latest Change Datamodel.", "data_source": [], "search": "`cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by userIdentity.arn | rename userIdentity.arn as arn | inputlookup append=t previously_seen_ec2_launches_by_user.csv | stats min(firstTime) as firstTime, max(lastTime) as lastTime by arn | outputlookup previously_seen_ec2_launches_by_user.csv | eval newUser=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newUser=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename arn as userIdentity.arn | table userIdentity.arn] | rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest, userIdentity.arn as user | table _time, user, dest, instanceType | `ec2_instance_started_with_previously_unseen_user_filter`", "how_to_implement": "You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. This search works best when you run the \"Previously Seen EC2 Launches By User\" support search once to create a history of previously seen ARNs.", "known_false_positives": "It's possible that a user will start to create EC2 instances when they haven't before for any number of reasons. Verify with the user that is launching instances that this is the intended behavior.", "references": [], "tags": {"name": "EC2 Instance Started With Previously Unseen User", "analytic_story": ["AWS Cryptomining", "Suspicious AWS EC2 Activities"], "asset_type": "AWS Instance", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078.004"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "eventName", "errorCode", "userIdentity.arn"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "ec2_instance_started_with_previously_unseen_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/ec2_instance_started_with_previously_unseen_user.yml", "source": "deprecated", "providing_technologies": ["Amazon Web Services - Cloudtrail"]}, {"name": "Execution of File With Spaces Before Extension", "id": "ab0353e6-a956-420b-b724-a8b4846d5d5a", "version": 3, "date": "2020-11-19", "author": "Rico Valdez, Splunk", "type": "TTP", "status": "deprecated", "description": "This search looks for processes launched from files with at least five spaces in the name before the extension. This is typically done to obfuscate the file extension by pushing it outside of the default view.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process_path) as process_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"* .*\" by Processes.dest Processes.user Processes.process Processes.process_name | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `execution_of_file_with_spaces_before_extension_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "None identified.", "references": [], "tags": {"name": "Execution of File With Spaces Before Extension", "analytic_story": ["Windows File Extension and Association Abuse", "Masquerading - Rename System Utilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1036.003"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_path", "Processes.process", "Processes.dest", "Processes.user", "Processes.process_name"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "execution_of_file_with_spaces_before_extension_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/execution_of_file_with_spaces_before_extension.yml", "source": "deprecated", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Extended Period Without Successful Netbackup Backups", "id": "a34aae96-ccf8-4aef-952c-3ea214444440", "version": 1, "date": "2017-09-12", "author": "David Dorsey, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search returns a list of hosts that have not successfully completed a backup in over a week. Deprecated because it's a infrastructure monitoring.", "data_source": [], "search": "`netbackup` MESSAGE=\"Disk/Partition backup completed successfully.\" | stats latest(_time) as latestTime by COMPUTERNAME | `security_content_ctime(latestTime)` | rename COMPUTERNAME as dest | eval isOutlier=if(latestTime <= relative_time(now(), \"-7d@d\"), 1, 0) | search isOutlier=1 | table latestTime, dest | `extended_period_without_successful_netbackup_backups_filter`", "how_to_implement": "To successfully implement this search you need to first obtain data from your backup solution, either from the backup logs on your hosts, or from a central server responsible for performing the backups. If you do not use Netbackup, you can modify this search for your backup solution. Depending on how often you backup your systems, you may want to modify how far in the past to look for a successful backup, other than the default of seven days.", "known_false_positives": "None identified", "references": [], "tags": {"name": "Extended Period Without Successful Netbackup Backups", "analytic_story": ["Monitor Backup Solution"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "MESSAGE", "COMPUTERNAME"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "netbackup", "definition": "sourcetype=\"netbackup_logs\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "extended_period_without_successful_netbackup_backups_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/extended_period_without_successful_netbackup_backups.yml", "source": "deprecated"}, {"name": "First time seen command line argument", "id": "a1b6e73f-98d5-470f-99ac-77aacd578473", "version": 5, "date": "2020-07-21", "author": "Bhavin Patel, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search looks for command-line arguments that use a `/c` parameter to execute a command that has not previously been seen.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = cmd.exe Processes.process = \"* /c *\" by Processes.process Processes.process_name Processes.parent_process_name Processes.dest| `drop_dm_object_name(Processes)`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search [| tstats `security_content_summariesonly` earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = cmd.exe Processes.process = \"* /c *\" by Processes.process | `drop_dm_object_name(Processes)` | inputlookup append=t previously_seen_cmd_line_arguments | stats min(firstTime) as firstTime, max(lastTime) as lastTime by process | outputlookup previously_seen_cmd_line_arguments | eval newCmdLineArgument=if(firstTime >= relative_time(now(), \"-70m@m\"), 1, 0) | where newCmdLineArgument=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table process] | `first_time_seen_command_line_argument_filter` ", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must be ingesting logs with both the process name and command line from your endpoints. The complete process name with command-line arguments are mapped to the \"process\" field in the Endpoint data model. Please make sure you run the support search \"Previously seen command line arguments,\"—which creates a lookup file called `previously_seen_cmd_line_arguments.csv`—a historical baseline of all command-line arguments. You must also validate this list. For the search to do accurate calculation, ensure the search scheduling is the same value as the `relative_time` evaluation function.", "known_false_positives": "Legitimate programs can also use command-line arguments to execute. Please verify the command-line arguments to check what command/program is being executed. We recommend customizing the `first_time_seen_cmd_line_filter` macro to exclude legitimate parent_process_name", "references": [], "tags": {"name": "First time seen command line argument", "analytic_story": ["DHS Report TA18-074A", "Suspicious Command-Line Executions", "Orangeworm Attack Group", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Hidden Cobra Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "tbd", "mitre_attack_id": ["T1059.001", "T1059.003"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.parent_process_name", "Processes.dest"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "first_time_seen_command_line_argument_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_cmd_line_arguments", "description": "A placeholder for a list of cmd line arugments that been seen before", "filename": "previously_seen_cmd_line_arguments.csv"}, {"name": "previously_seen_cmd_line_arguments", "description": "A placeholder for a list of cmd line arugments that been seen before", "filename": "previously_seen_cmd_line_arguments.csv"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/first_time_seen_command_line_argument.yml", "source": "deprecated", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "GCP Detect accounts with high risk roles by project", "id": "27af8c15-38b0-4408-b339-920170724adb", "version": 1, "date": "2020-10-09", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides detection of accounts with high risk roles by projects. Compromised accounts with high risk roles can move laterally or even scalate privileges at different projects depending on organization schema.", "data_source": [], "search": "`google_gcp_pubsub_message` data.protoPayload.request.policy.bindings{}.role=roles/owner OR roles/editor OR roles/iam.serviceAccountUser OR roles/iam.serviceAccountAdmin OR roles/iam.serviceAccountTokenCreator OR roles/dataflow.developer OR roles/dataflow.admin OR roles/composer.admin OR roles/dataproc.admin OR roles/dataproc.editor | table data.resource.type data.protoPayload.authenticationInfo.principalEmail data.protoPayload.authorizationInfo{}.permission data.protoPayload.authorizationInfo{}.resource data.protoPayload.response.bindings{}.role data.protoPayload.response.bindings{}.members{} | `gcp_detect_accounts_with_high_risk_roles_by_project_filter`", "how_to_implement": "You must install splunk GCP add-on. This search works with gcp:pubsub:message logs", "known_false_positives": "Accounts with high risk roles should be reduced to the minimum number needed, however specific tasks and setups may be simply expected behavior within organization", "references": ["https://github.com/dxa4481/gcploit", "https://www.youtube.com/watch?v=Ml09R38jpok", "https://cloud.google.com/iam/docs/understanding-roles"], "tags": {"name": "GCP Detect accounts with high risk roles by project", "analytic_story": ["GCP Cross Account Activity"], "asset_type": "GCP Account", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "data.protoPayload.request.policy.bindings{}.role", "data.resource.type data.protoPayload.authenticationInfo.principalEmail", "data.protoPayload.authorizationInfo{}.permission", "data.protoPayload.authorizationInfo{}.resource", "data.protoPayload.response.bindings{}.role", "data.protoPayload.response.bindings{}.members{}"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "datamodel": ["Email"], "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gcp_detect_accounts_with_high_risk_roles_by_project_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/gcp_detect_accounts_with_high_risk_roles_by_project.yml", "source": "deprecated"}, {"name": "GCP Detect high risk permissions by resource and account", "id": "2e70ef35-2187-431f-aedc-4503dc9b06ba", "version": 1, "date": "2020-10-09", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides detection of high risk permissions by resource and accounts. These are permissions that can allow attackers with compromised accounts to move laterally and escalate privileges.", "data_source": [], "search": "`google_gcp_pubsub_message` data.protoPayload.authorizationInfo{}.permission=iam.serviceAccounts.getaccesstoken OR iam.serviceAccounts.setIamPolicy OR iam.serviceAccounts.actas OR dataflow.jobs.create OR composer.environments.create OR dataproc.clusters.create |table data.protoPayload.requestMetadata.callerIp data.protoPayload.authenticationInfo.principalEmail data.protoPayload.authorizationInfo{}.permission data.protoPayload.response.bindings{}.members{} data.resource.labels.project_id | `gcp_detect_high_risk_permissions_by_resource_and_account_filter`", "how_to_implement": "You must install splunk GCP add-on. This search works with gcp:pubsub:message logs", "known_false_positives": "High risk permissions are part of any GCP environment, however it is important to track resource and accounts usage, this search may produce false positives.", "references": ["https://github.com/dxa4481/gcploit", "https://www.youtube.com/watch?v=Ml09R38jpok", "https://cloud.google.com/iam/docs/permissions-reference"], "tags": {"name": "GCP Detect high risk permissions by resource and account", "analytic_story": ["GCP Cross Account Activity"], "asset_type": "GCP Account", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "data.protoPayload.authorizationInfo{}.permission", "data.protoPayload.requestMetadata.callerIp", "data.protoPayload.authenticationInfo.principalEmail", "data.protoPayload.authorizationInfo{}.permission", "data.protoPayload.response.bindings{}.members{}", "data.resource.labels.project_id"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "datamodel": ["Email"], "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gcp_detect_high_risk_permissions_by_resource_and_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/gcp_detect_high_risk_permissions_by_resource_and_account.yml", "source": "deprecated"}, {"name": "gcp detect oauth token abuse", "id": "a7e9f7bb-8901-4ad0-8d88-0a4ab07b1972", "version": 1, "date": "2020-09-01", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides detection of possible GCP Oauth token abuse. GCP Oauth token without time limit can be exfiltrated and reused for keeping access sessions alive without further control of authentication, allowing attackers to access and move laterally.", "data_source": [], "search": "`google_gcp_pubsub_message` type.googleapis.com/google.cloud.audit.AuditLog |table protoPayload.@type protoPayload.status.details{}.@type protoPayload.status.details{}.violations{}.callerIp protoPayload.status.details{}.violations{}.type protoPayload.status.message | `gcp_detect_oauth_token_abuse_filter`", "how_to_implement": "You must install splunk GCP add-on. This search works with gcp:pubsub:message logs", "known_false_positives": "GCP Oauth token abuse detection will only work if there are access policies in place along with audit logs.", "references": ["https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-1", "https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-2"], "tags": {"name": "gcp detect oauth token abuse", "analytic_story": ["GCP Cross Account Activity"], "asset_type": "GCP Account", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "datamodel": [], "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gcp_detect_oauth_token_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/gcp_detect_oauth_token_abuse.yml", "source": "deprecated"}, {"name": "GCP Kubernetes cluster scan detection", "id": "db5957ec-0144-4c56-b512-9dccbe7a2d26", "version": 1, "date": "2020-04-15", "author": "Rod Soto, Splunk", "type": "TTP", "status": "deprecated", "description": "This search provides information of unauthenticated requests via user agent, and authentication data against Kubernetes cluster", "data_source": [], "search": "`google_gcp_pubsub_message` data.protoPayload.requestMetadata.callerIp!=127.0.0.1 data.protoPayload.requestMetadata.callerIp!=::1 \"data.labels.authorization.k8s.io/decision\"=forbid \"data.protoPayload.status.message\"=PERMISSION_DENIED data.protoPayload.authenticationInfo.principalEmail=\"system:anonymous\" | rename data.protoPayload.requestMetadata.callerIp as src_ip | stats count min(_time) as firstTime max(_time) as lastTime values(data.protoPayload.methodName) as method_name values(data.protoPayload.resourceName) as resource_name values(data.protoPayload.requestMetadata.callerSuppliedUserAgent) as http_user_agent by src_ip data.resource.labels.cluster_name | rename data.resource.labels.cluster_name as cluster_name| `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `gcp_kubernetes_cluster_scan_detection_filter` ", "how_to_implement": "You must install the GCP App for Splunk (version 2.0.0 or later), then configure stackdriver and set a Pub/Sub subscription to be imported to Splunk. You must also install Cloud Infrastructure data model.Customize the macro kubernetes_gcp_scan_fingerprint_attack_detection to filter out FPs.", "known_false_positives": "Not all unauthenticated requests are malicious, but frequency, User Agent and source IPs will provide context.", "references": [], "tags": {"name": "GCP Kubernetes cluster scan detection", "analytic_story": ["Kubernetes Scanning Activity"], "asset_type": "GCP Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1526"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "datamodel": ["Email"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gcp_kubernetes_cluster_scan_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/gcp_kubernetes_cluster_scan_detection.yml", "source": "deprecated", "nes_fields": "user,dest"}, {"name": "Identify New User Accounts", "id": "475b9e27-17e4-46e2-b7e2-648221be3b89", "version": 1, "date": "2017-09-12", "author": "Bhavin Patel, Splunk", "type": "Hunting", "status": "deprecated", "description": "This detection search will help profile user accounts in your environment by identifying newly created accounts that have been added to your network in the past week.", "data_source": [], "search": "| from datamodel Identity_Management.All_Identities | eval empStatus=case((now()-startDate)<604800, \"Accounts created in last week\") | search empStatus=\"Accounts created in last week\"| `security_content_ctime(endDate)` | `security_content_ctime(startDate)`| table identity empStatus endDate startDate | `identify_new_user_accounts_filter`", "how_to_implement": "To successfully implement this search, you need to be populating the Enterprise Security Identity_Management data model in the assets and identity framework.", "known_false_positives": "If the Identity_Management data model is not updated regularly, this search could give you false positive alerts. Please consider this and investigate appropriately.", "references": [], "tags": {"name": "Identify New User Accounts", "analytic_story": ["Account Monitoring and Controls"], "asset_type": "Domain Server", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078.002"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "Chimera", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "Wizard Spider"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "identify_new_user_accounts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/identify_new_user_accounts.yml", "source": "deprecated"}, {"name": "Kubernetes AWS detect most active service accounts by pod", "id": "5b30b25d-7d32-42d8-95ca-64dfcd9076e6", "version": 1, "date": "2020-06-23", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides information on Kubernetes service accounts,accessing pods by IP address, verb and decision", "data_source": [], "search": "`aws_cloudwatchlogs_eks` user.groups{}=system:serviceaccounts objectRef.resource=pods | table sourceIPs{} user.username userAgent verb annotations.authorization.k8s.io/decision | top sourceIPs{} user.username verb annotations.authorization.k8s.io/decision |`kubernetes_aws_detect_most_active_service_accounts_by_pod_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs", "known_false_positives": "Not all service accounts interactions are malicious. Analyst must consider IP, verb and decision context when trying to detect maliciousness.", "references": [], "tags": {"name": "Kubernetes AWS detect most active service accounts by pod", "analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "AWS EKS Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_aws_detect_most_active_service_accounts_by_pod_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/kubernetes_aws_detect_most_active_service_accounts_by_pod.yml", "source": "deprecated"}, {"name": "Kubernetes AWS detect sensitive role access", "id": "b6013a7b-85e0-4a45-b051-10b252d69569", "version": 1, "date": "2020-06-23", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets", "data_source": [], "search": "`aws_cloudwatchlogs_eks` objectRef.resource=clusterroles OR clusterrolebindings sourceIPs{}!=::1 sourceIPs{}!=127.0.0.1 | table sourceIPs{} user.username user.groups{} objectRef.namespace requestURI annotations.authorization.k8s.io/reason | dedup user.username user.groups{} |`kubernetes_aws_detect_sensitive_role_access_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs.", "known_false_positives": "Sensitive role resource access is necessary for cluster operation, however source IP, namespace and user group may indicate possible malicious use. ", "references": [], "tags": {"name": "Kubernetes AWS detect sensitive role access", "analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "AWS EKS Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_aws_detect_sensitive_role_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/kubernetes_aws_detect_sensitive_role_access.yml", "source": "deprecated"}, {"name": "Kubernetes AWS detect service accounts forbidden failure access", "id": "a6959c57-fa8f-4277-bb86-7c32fba579d5", "version": 1, "date": "2020-06-23", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides information on Kubernetes service accounts with failure or forbidden access status, this search can be extended by using top or rare operators to find trends or rarities in failure status, user agents, source IPs and request URI", "data_source": [], "search": "`aws_cloudwatchlogs_eks` user.groups{}=system:serviceaccounts responseStatus.status = Failure | table sourceIPs{} user.username userAgent verb responseStatus.status requestURI | `kubernetes_aws_detect_service_accounts_forbidden_failure_access_filter`", "how_to_implement": "You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs.", "known_false_positives": "This search can give false positives as there might be inherent issues with authentications and permissions at cluster.", "references": [], "tags": {"name": "Kubernetes AWS detect service accounts forbidden failure access", "analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "AWS EKS Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_aws_detect_service_accounts_forbidden_failure_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/kubernetes_aws_detect_service_accounts_forbidden_failure_access.yml", "source": "deprecated"}, {"name": "Kubernetes Azure active service accounts by pod namespace", "id": "55a2264a-b7f0-45e5-addd-1e5ab3415c72", "version": 1, "date": "2020-05-26", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides information on Kubernetes service accounts,accessing pods and namespaces by IP address and verb", "data_source": [], "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log | search user.groups{}=system:serviceaccounts* OR user.username=system.anonymous OR annotations.authorization.k8s.io/decision=allow | table sourceIPs{} user.username userAgent verb responseStatus.reason responseStatus.status properties.pod objectRef.namespace | top sourceIPs{} user.username verb responseStatus.status properties.pod objectRef.namespace |`kubernetes_azure_active_service_accounts_by_pod_namespace_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "Not all service accounts interactions are malicious. Analyst must consider IP and verb context when trying to detect maliciousness.", "references": [], "tags": {"name": "Kubernetes Azure active service accounts by pod namespace", "analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_active_service_accounts_by_pod_namespace_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/kubernetes_azure_active_service_accounts_by_pod_namespace.yml", "source": "deprecated"}, {"name": "Kubernetes Azure detect RBAC authorization by account", "id": "47af7d20-0607-4079-97d7-7a29af58b54e", "version": 1, "date": "2020-05-26", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding rare or top to see both extremes of RBAC by accounts occurrences", "data_source": [], "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log | search annotations.authorization.k8s.io/reason=* | table sourceIPs{} user.username userAgent annotations.authorization.k8s.io/reason |stats count by user.username annotations.authorization.k8s.io/reason | rare user.username annotations.authorization.k8s.io/reason |`kubernetes_azure_detect_rbac_authorization_by_account_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "Not all RBAC Authorications are malicious. RBAC authorizations can uncover malicious activity specially if sensitive Roles have been granted.", "references": [], "tags": {"name": "Kubernetes Azure detect RBAC authorization by account", "analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_detect_rbac_authorization_by_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/kubernetes_azure_detect_rbac_authorization_by_account.yml", "source": "deprecated"}, {"name": "Kubernetes Azure detect sensitive object access", "id": "1bba382b-07fd-4ffa-b390-8002739b76e8", "version": 1, "date": "2020-05-20", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets", "data_source": [], "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log| search objectRef.resource=secrets OR configmaps user.username=system.anonymous OR annotations.authorization.k8s.io/decision=allow |table user.username user.groups{} objectRef.resource objectRef.namespace objectRef.name annotations.authorization.k8s.io/reason |dedup user.username user.groups{} |`kubernetes_azure_detect_sensitive_object_access_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "Sensitive object access is not necessarily malicious but user and object context can provide guidance for detection.", "references": [], "tags": {"name": "Kubernetes Azure detect sensitive object access", "analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_detect_sensitive_object_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/kubernetes_azure_detect_sensitive_object_access.yml", "source": "deprecated"}, {"name": "Kubernetes Azure detect sensitive role access", "id": "f27349e5-1641-4f6a-9e68-30402be0ad4c", "version": 1, "date": "2020-05-20", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets", "data_source": [], "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log| search objectRef.resource=clusterroles OR clusterrolebindings | table sourceIPs{} user.username user.groups{} objectRef.namespace requestURI annotations.authorization.k8s.io/reason | dedup user.username user.groups{} |`kubernetes_azure_detect_sensitive_role_access_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "Sensitive role resource access is necessary for cluster operation, however source IP, namespace and user group may indicate possible malicious use. ", "references": [], "tags": {"name": "Kubernetes Azure detect sensitive role access", "analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_detect_sensitive_role_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/kubernetes_azure_detect_sensitive_role_access.yml", "source": "deprecated"}, {"name": "Kubernetes Azure detect service accounts forbidden failure access", "id": "019690d7-420f-4da0-b320-f27b09961514", "version": 1, "date": "2020-05-20", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides information on Kubernetes service accounts with failure or forbidden access status", "data_source": [], "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log | search user.groups{}=system:serviceaccounts* responseStatus.reason=Forbidden | table sourceIPs{} user.username userAgent verb responseStatus.reason responseStatus.status properties.pod objectRef.namespace |`kubernetes_azure_detect_service_accounts_forbidden_failure_access_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "This search can give false positives as there might be inherent issues with authentications and permissions at cluster.", "references": [], "tags": {"name": "Kubernetes Azure detect service accounts forbidden failure access", "analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_detect_service_accounts_forbidden_failure_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/kubernetes_azure_detect_service_accounts_forbidden_failure_access.yml", "source": "deprecated"}, {"name": "Kubernetes Azure detect suspicious kubectl calls", "id": "4b6d1ba8-0000-4cec-87e6-6cbbd71651b5", "version": 1, "date": "2020-05-26", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides information on rare Kubectl calls with IP, verb namespace and object access context", "data_source": [], "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log | spath input=responseObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration | search userAgent=kubectl* sourceIPs{}!=127.0.0.1 sourceIPs{}!=::1 | table sourceIPs{} verb userAgent user.groups{} objectRef.resource objectRef.namespace requestURI | rare sourceIPs{} verb userAgent user.groups{} objectRef.resource objectRef.namespace requestURI |`kubernetes_azure_detect_suspicious_kubectl_calls_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "Kubectl calls are not malicious by nature. However source IP, verb and Object can reveal potential malicious activity, specially suspicious IPs and sensitive objects such as configmaps or secrets", "references": [], "tags": {"name": "Kubernetes Azure detect suspicious kubectl calls", "analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_detect_suspicious_kubectl_calls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/kubernetes_azure_detect_suspicious_kubectl_calls.yml", "source": "deprecated"}, {"name": "Kubernetes Azure pod scan fingerprint", "id": "86aad3e0-732f-4f66-bbbc-70df448e461d", "version": 1, "date": "2020-05-20", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides information of unauthenticated requests via source IP user agent, request URI and response status data against Kubernetes cluster pod in Azure", "data_source": [], "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log | search responseStatus.code=401 | table sourceIPs{} userAgent verb requestURI responseStatus.reason properties.pod |`kubernetes_azure_pod_scan_fingerprint_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "Not all unauthenticated requests are malicious, but source IPs, userAgent, verb, request URI and response status will provide context.", "references": [], "tags": {"name": "Kubernetes Azure pod scan fingerprint", "analytic_story": ["Kubernetes Scanning Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_pod_scan_fingerprint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/kubernetes_azure_pod_scan_fingerprint.yml", "source": "deprecated"}, {"name": "Kubernetes Azure scan fingerprint", "id": "c5e5bd5c-1013-4841-8b23-e7b3253c840a", "version": 1, "date": "2020-05-19", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides information of unauthenticated requests via source IP user agent, request URI and response status data against Kubernetes cluster in Azure", "data_source": [], "search": "`kubernetes_azure` category=kube-audit | spath input=properties.log | search responseStatus.code=401 | table sourceIPs{} userAgent verb requestURI responseStatus.reason |`kubernetes_azure_scan_fingerprint_filter`", "how_to_implement": "You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics", "known_false_positives": "Not all unauthenticated requests are malicious, but source IPs, userAgent, verb, request URI and response status will provide context.", "references": [], "tags": {"name": "Kubernetes Azure scan fingerprint", "analytic_story": ["Kubernetes Scanning Activity"], "asset_type": "Azure AKS Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1526"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "datamodel": [], "macros": [{"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure_scan_fingerprint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/kubernetes_azure_scan_fingerprint.yml", "source": "deprecated"}, {"name": "Kubernetes GCP detect most active service accounts by pod", "id": "7f5c2779-88a0-4824-9caa-0f606c8f260f", "version": 1, "date": "2020-07-10", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides information on Kubernetes service accounts,accessing pods by IP address, verb and decision", "data_source": [], "search": "`google_gcp_pubsub_message` data.protoPayload.request.spec.group{}=system:serviceaccounts | table src_ip src_user http_user_agent data.protoPayload.request.spec.nonResourceAttributes.verb data.labels.authorization.k8s.io/decision data.protoPayload.response.spec.resourceAttributes.resource | top src_ip src_user http_user_agent data.labels.authorization.k8s.io/decision data.protoPayload.response.spec.resourceAttributes.resource |`kubernetes_gcp_detect_most_active_service_accounts_by_pod_filter`", "how_to_implement": "You must install splunk GCP add on. This search works with pubsub messaging service logs", "known_false_positives": "Not all service accounts interactions are malicious. Analyst must consider IP, verb and decision context when trying to detect maliciousness.", "references": [], "tags": {"name": "Kubernetes GCP detect most active service accounts by pod", "analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "GCP GKE Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_gcp_detect_most_active_service_accounts_by_pod_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/kubernetes_gcp_detect_most_active_service_accounts_by_pod.yml", "source": "deprecated"}, {"name": "Kubernetes GCP detect RBAC authorizations by account", "id": "99487de3-7192-4b41-939d-fbe9acfb1340", "version": 1, "date": "2020-07-11", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding top to see both extremes of RBAC by accounts occurrences", "data_source": [], "search": "`google_gcp_pubsub_message` data.labels.authorization.k8s.io/reason=ClusterRoleBinding OR Clusterrole | table src_ip src_user data.labels.authorization.k8s.io/decision data.labels.authorization.k8s.io/reason | rare src_user data.labels.authorization.k8s.io/reason |`kubernetes_gcp_detect_rbac_authorizations_by_account_filter`", "how_to_implement": "You must install splunk AWS add on for GCP. This search works with pubsub messaging service logs", "known_false_positives": "Not all RBAC Authorications are malicious. RBAC authorizations can uncover malicious activity specially if sensitive Roles have been granted.", "references": [], "tags": {"name": "Kubernetes GCP detect RBAC authorizations by account", "analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "GCP GKE Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_gcp_detect_rbac_authorizations_by_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/kubernetes_gcp_detect_rbac_authorizations_by_account.yml", "source": "deprecated"}, {"name": "Kubernetes GCP detect sensitive object access", "id": "bdb6d596-86a0-4aba-8369-418ae8b9963a", "version": 1, "date": "2020-07-11", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides information on Kubernetes accounts accessing sensitve objects such as configmaps or secrets", "data_source": [], "search": "`google_gcp_pubsub_message` data.protoPayload.authorizationInfo{}.resource=configmaps OR secrets | table data.protoPayload.requestMetadata.callerIp src_user data.resource.labels.cluster_name data.protoPayload.request.metadata.namespace data.labels.authorization.k8s.io/decision | dedup data.protoPayload.requestMetadata.callerIp src_user data.resource.labels.cluster_name |`kubernetes_gcp_detect_sensitive_object_access_filter`", "how_to_implement": "You must install splunk add on for GCP . This search works with pubsub messaging service logs.", "known_false_positives": "Sensitive object access is not necessarily malicious but user and object context can provide guidance for detection.", "references": [], "tags": {"name": "Kubernetes GCP detect sensitive object access", "analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "GCP GKE Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_gcp_detect_sensitive_object_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/kubernetes_gcp_detect_sensitive_object_access.yml", "source": "deprecated"}, {"name": "Kubernetes GCP detect sensitive role access", "id": "a46923f6-36b9-4806-a681-31f314907c30", "version": 1, "date": "2020-07-11", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets", "data_source": [], "search": "`google_gcp_pubsub_message` data.labels.authorization.k8s.io/reason=ClusterRoleBinding OR Clusterrole dest=apis/rbac.authorization.k8s.io/v1 src_ip!=::1 | table src_ip src_user http_user_agent data.labels.authorization.k8s.io/decision data.labels.authorization.k8s.io/reason | dedup src_ip src_user |`kubernetes_gcp_detect_sensitive_role_access_filter`", "how_to_implement": "You must install splunk add on for GCP. This search works with pubsub messaging servicelogs.", "known_false_positives": "Sensitive role resource access is necessary for cluster operation, however source IP, user agent, decision and reason may indicate possible malicious use. ", "references": [], "tags": {"name": "Kubernetes GCP detect sensitive role access", "analytic_story": ["Kubernetes Sensitive Role Activity"], "asset_type": "GCP GKE EKS Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_gcp_detect_sensitive_role_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/kubernetes_gcp_detect_sensitive_role_access.yml", "source": "deprecated"}, {"name": "Kubernetes GCP detect service accounts forbidden failure access", "id": "7094808d-432a-48e7-bb3c-77e96c894f3b", "version": 1, "date": "2020-06-23", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides information on Kubernetes service accounts with failure or forbidden access status, this search can be extended by using top or rare operators to find trends or rarities in failure status, user agents, source IPs and request URI", "data_source": [], "search": "`google_gcp_pubsub_message` system:serviceaccounts data.protoPayload.response.status.allowed!=* | table src_ip src_user http_user_agent data.protoPayload.response.spec.resourceAttributes.namespace data.resource.labels.cluster_name data.protoPayload.response.spec.resourceAttributes.verb data.protoPayload.request.status.allowed data.protoPayload.response.status.reason data.labels.authorization.k8s.io/decision | dedup src_ip src_user | `kubernetes_gcp_detect_service_accounts_forbidden_failure_access_filter`", "how_to_implement": "You must install splunk add on for GCP. This search works with pubsub messaging service logs.", "known_false_positives": "This search can give false positives as there might be inherent issues with authentications and permissions at cluster.", "references": [], "tags": {"name": "Kubernetes GCP detect service accounts forbidden failure access", "analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "GCP GKE Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_gcp_detect_service_accounts_forbidden_failure_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/kubernetes_gcp_detect_service_accounts_forbidden_failure_access.yml", "source": "deprecated"}, {"name": "Kubernetes GCP detect suspicious kubectl calls", "id": "a5bed417-070a-41f2-a1e4-82b6aa281557", "version": 1, "date": "2020-07-11", "author": "Rod Soto, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search provides information on anonymous Kubectl calls with IP, verb namespace and object access context", "data_source": [], "search": "`google_gcp_pubsub_message` data.protoPayload.requestMetadata.callerSuppliedUserAgent=kubectl* src_user=system:unsecured OR src_user=system:anonymous | table src_ip src_user data.protoPayload.requestMetadata.callerSuppliedUserAgent data.protoPayload.authorizationInfo{}.granted object_path |dedup src_ip src_user |`kubernetes_gcp_detect_suspicious_kubectl_calls_filter`", "how_to_implement": "You must install splunk add on for GCP. This search works with pubsub messaging logs.", "known_false_positives": "Kubectl calls are not malicious by nature. However source IP, source user, user agent, object path, and authorization context can reveal potential malicious activity, specially anonymous suspicious IPs and sensitive objects such as configmaps or secrets", "references": [], "tags": {"name": "Kubernetes GCP detect suspicious kubectl calls", "analytic_story": ["Kubernetes Sensitive Object Access Activity"], "asset_type": "GCP GKE Kubernetes cluster", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_gcp_detect_suspicious_kubectl_calls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/kubernetes_gcp_detect_suspicious_kubectl_calls.yml", "source": "deprecated"}, {"name": "Monitor DNS For Brand Abuse", "id": "24dd17b1-e2fb-4c31-878c-d4f746595bfa", "version": 1, "date": "2017-09-23", "author": "David Dorsey, Splunk", "type": "TTP", "status": "deprecated", "description": "This search looks for DNS requests for faux domains similar to the domains that you want to have monitored for abuse.", "data_source": [], "search": "| tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) as firstTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name(\"DNS\")` | `security_content_ctime(firstTime)`| `brand_abuse_dns` | `monitor_dns_for_brand_abuse_filter`", "how_to_implement": "You need to ingest data from your DNS logs. Specifically you must ingest the domain that is being queried and the IP of the host originating the request. Ideally, you should also be ingesting the answer to the query and the query type. This approach allows you to also create your own localized passive DNS capability which can aid you in future investigations. You also need to have run the search \"ESCU - DNSTwist Domain Names\", which creates the permutations of the domain that will be checked for. You also need the [`dnstwist`](https://gist.github.com/d1vious/c4c2aae7fa7d5cbb1f24adc5f6303ac1) custom command.", "known_false_positives": "None at this time", "references": [], "tags": {"name": "Monitor DNS For Brand Abuse", "analytic_story": ["Brand Monitoring"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": ["Network_Resolution"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "brand_abuse_dns", "definition": "lookup update=true brandMonitoring_lookup domain as query OUTPUT domain_abuse | search domain_abuse=true", "description": "This macro limits the output to only domains that are in the brand monitoring lookup file"}, {"name": "monitor_dns_for_brand_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/monitor_dns_for_brand_abuse.yml", "source": "deprecated", "nes_fields": "user,dest"}, {"name": "Open Redirect in Splunk Web", "id": "d199fb99-2312-451a-9daa-e5efa6ed76a7", "version": 1, "date": "2017-09-19", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "deprecated", "description": "This search allows you to look for evidence of exploitation for CVE-2016-4859, the Splunk Open Redirect Vulnerability.", "data_source": [], "search": "index=_internal sourcetype=splunk_web_access return_to=\"/%09/*\" | `open_redirect_in_splunk_web_filter`", "how_to_implement": "No extra steps needed to implement this search.", "known_false_positives": "None identified", "references": [], "tags": {"name": "Open Redirect in Splunk Web", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "cve": ["CVE-2016-4859"], "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "open_redirect_in_splunk_web_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2016-4859", "cvss": 5.8, "summary": "Open redirect vulnerability in Splunk Enterprise 6.4.x prior to 6.4.3, Splunk Enterprise 6.3.x prior to 6.3.6, Splunk Enterprise 6.2.x prior to 6.2.10, Splunk Enterprise 6.1.x prior to 6.1.11, Splunk Enterprise 6.0.x prior to 6.0.12, Splunk Enterprise 5.0.x prior to 5.0.16 and Splunk Light prior to 6.4.3 allows to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/open_redirect_in_splunk_web.yml", "source": "deprecated", "nes_fields": "user,dest"}, {"name": "Osquery pack - ColdRoot detection", "id": "a6fffe5e-05c3-4c04-badc-887607fbb8dc", "version": 1, "date": "2019-01-29", "author": "Rico Valdez, Splunk", "type": "TTP", "status": "deprecated", "description": "This search looks for ColdRoot events from the osx-attacks osquery pack.", "data_source": [], "search": "| from datamodel Alerts.Alerts | search app=osquery:results (name=pack_osx-attacks_OSX_ColdRoot_RAT_Launchd OR name=pack_osx-attacks_OSX_ColdRoot_RAT_Files) | rename columns.path as path | bucket _time span=30s | stats count(path) by _time, host, user, path | `osquery_pack___coldroot_detection_filter`", "how_to_implement": "In order to properly run this search, Splunk needs to ingest data from your osquery deployed agents with the [osx-attacks.conf](https://github.com/facebook/osquery/blob/experimental/packs/osx-attacks.conf#L599) pack enabled. Also the [TA-OSquery](https://github.com/d1vious/TA-osquery) must be deployed across your indexers and universal forwarders in order to have the osquery data populate the Alerts data model", "known_false_positives": "There are no known false positives.", "references": [], "tags": {"name": "Osquery pack - ColdRoot detection", "analytic_story": ["ColdRoot MacOS RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "osquery_pack___coldroot_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/osquery_pack___coldroot_detection.yml", "source": "deprecated", "nes_fields": "user,dest"}, {"name": "Processes created by netsh", "id": "b89919ed-fe5f-492c-b139-95dbb162041e", "version": 5, "date": "2020-11-23", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "deprecated", "description": "This search looks for processes launching netsh.exe to execute various commands via the netsh command-line utility. Netsh.exe is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper .dll when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe that are executing commands via the command line. Deprecated because we have another detection of the same type.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=netsh.exe by Processes.user Processes.dest Processes.parent_process Processes.parent_process_name Processes.process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `processes_created_by_netsh_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting logs with the process name, command-line arguments, and parent processes from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "It is unusual for netsh.exe to have any child processes in most environments. It makes sense to investigate the child process and verify whether the process spawned is legitimate. We explicitely exclude \"C:\\Program Files\\rempl\\sedlauncher.exe\" process path since it is a legitimate process by Mircosoft.", "references": [], "tags": {"name": "Processes created by netsh", "analytic_story": ["Netsh Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1562.004"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "processes_created_by_netsh_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/processes_created_by_netsh.yml", "source": "deprecated", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Prohibited Software On Endpoint", "id": "a51bfe1a-94f0-48cc-b4e4-b6ae50145893", "version": 2, "date": "2019-10-11", "author": "David Dorsey, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search looks for applications on the endpoint that you have marked as prohibited.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.process_name | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `prohibited_processes` | `prohibited_software_on_endpoint_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is usually generated via logs that report process tracking in your Windows audit settings. In addition, you must also have only the `process_name` (not the entire process path) marked as \"prohibited\" in the Enterprise Security `interesting processes` table. To include the process names marked as \"prohibited\", which is included with ES Content Updates, run the included search Add Prohibited Processes to Enterprise Security.", "known_false_positives": "None identified", "references": [], "tags": {"name": "Prohibited Software On Endpoint", "analytic_story": ["Monitor for Unauthorized Software", "Emotet Malware DHS Report TA18-201A ", "SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_times"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "prohibited_software_on_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/prohibited_software_on_endpoint.yml", "source": "deprecated", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Reg exe used to hide files directories via registry keys", "id": "61a7d1e6-f5d4-41d9-a9be-39a1ffe69459", "version": 2, "date": "2019-02-27", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "deprecated", "description": "The search looks for command-line arguments used to hide a file or directory using the reg add command.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = reg.exe Processes.process=\"*add*\" Processes.process=\"*Hidden*\" Processes.process=\"*REG_DWORD*\" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)`| regex process = \"(/d\\s+2)\" | `reg_exe_used_to_hide_files_directories_via_registry_keys_filter`", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "None at the moment", "references": [], "tags": {"name": "Reg exe used to hide files directories via registry keys", "analytic_story": ["Windows Defense Evasion Tactics", "Suspicious Windows Registry Activities", "Windows Persistence Techniques"], "asset_type": "", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1564.001"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1564.001", "mitre_attack_technique": "Hidden Files and Directories", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "HAFNIUM", "Lazarus Group", "LuminousMoth", "Mustang Panda", "Rocke", "Transparent Tribe", "Tropic Trooper"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "reg_exe_used_to_hide_files_directories_via_registry_keys_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/reg_exe_used_to_hide_files_directories_via_registry_keys.yml", "source": "deprecated", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Remote Registry Key modifications", "id": "c9f4b923-f8af-4155-b697-1354f5dcbc5e", "version": 3, "date": "2020-03-02", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "deprecated", "description": "This search monitors for remote modifications to registry keys.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"\\\\\\\\*\" by Registry.dest , Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `remote_registry_key_modifications_filter`", "how_to_implement": "To successfully implement this search, you must populate the `Endpoint` data model. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. Deprecated because I don't think the logic is right.", "known_false_positives": "This technique may be legitimately used by administrators to modify remote registries, so it's important to filter these events out.", "references": [], "tags": {"name": "Remote Registry Key modifications", "analytic_story": ["Windows Defense Evasion Tactics", "Suspicious Windows Registry Activities", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "remote_registry_key_modifications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/remote_registry_key_modifications.yml", "source": "deprecated", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Scheduled tasks used in BadRabbit ransomware", "id": "1297fb80-f42a-4b4a-9c8b-78c066437cf6", "version": 3, "date": "2020-07-21", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "deprecated", "description": "This search looks for flags passed to schtasks.exe on the command-line that indicate that task names related to the execution of Bad Rabbit ransomware were created or deleted. Deprecated because we already have a similar detection", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe (Processes.process= \"*create*\" OR Processes.process= \"*delete*\") by Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | search (process=*rhaegal* OR process=*drogon* OR *viserion_*) | `scheduled_tasks_used_in_badrabbit_ransomware_filter`", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "No known false positives", "references": [], "tags": {"name": "Scheduled tasks used in BadRabbit ransomware", "analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "message": "tbd", "mitre_attack_id": ["T1053.005"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "scheduled_tasks_used_in_badrabbit_ransomware_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/scheduled_tasks_used_in_badrabbit_ransomware.yml", "source": "deprecated", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Spectre and Meltdown Vulnerable Systems", "id": "354be8e0-32cd-4da0-8c47-796de13b60ea", "version": 1, "date": "2017-01-07", "author": "David Dorsey, Splunk", "type": "TTP", "status": "deprecated", "description": "The search is used to detect systems that are still vulnerable to the Spectre and Meltdown vulnerabilities.", "data_source": [], "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Vulnerabilities where Vulnerabilities.cve =\"CVE-2017-5753\" OR Vulnerabilities.cve =\"CVE-2017-5715\" OR Vulnerabilities.cve =\"CVE-2017-5754\" by Vulnerabilities.dest | `drop_dm_object_name(Vulnerabilities)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spectre_and_meltdown_vulnerable_systems_filter`", "how_to_implement": "The search requires that you are ingesting your vulnerability-scanner data and that it reports the CVE of the vulnerability identified.", "known_false_positives": "It is possible that your vulnerability scanner is not detecting that the patches have been applied.", "references": [], "tags": {"name": "Spectre and Meltdown Vulnerable Systems", "analytic_story": ["Spectre And Meltdown Vulnerabilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2017-5753"], "mitre_attack_enrichments": []}, "datamodel": ["Vulnerabilities"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "spectre_and_meltdown_vulnerable_systems_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2017-5753", "cvss": 4.7, "summary": "Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/spectre_and_meltdown_vulnerable_systems.yml", "source": "deprecated", "nes_fields": "user,dest"}, {"name": "Splunk Enterprise Information Disclosure", "id": "f6a26b7b-7e80-4963-a9a8-d836e7534ebd", "version": 1, "date": "2018-06-14", "author": "David Dorsey, Splunk", "type": "TTP", "status": "deprecated", "description": "This search allows you to look for evidence of exploitation for CVE-2018-11409, a Splunk Enterprise Information Disclosure Bug.", "data_source": [], "search": "index=_internal sourcetype=splunkd_ui_access server-info | search clientip!=127.0.0.1 uri_path=\"*raw/services/server/info/server-info\" | rename clientip as src_ip, splunk_server as dest | stats earliest(_time) as firstTime, latest(_time) as lastTime, values(uri) as uri, values(useragent) as http_user_agent, values(user) as user by src_ip, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_enterprise_information_disclosure_filter`", "how_to_implement": "The REST endpoint that exposes system information is also necessary for the proper operation of Splunk clustering and instrumentation. Whitelisting your Splunk systems will reduce false positives.", "known_false_positives": "Retrieving server information may be a legitimate API request. Verify that the attempt is a valid request for information.", "references": [], "tags": {"name": "Splunk Enterprise Information Disclosure", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Splunk Server", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "cve": ["CVE-2018-11409"], "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "splunk_enterprise_information_disclosure_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2018-11409", "cvss": 5.0, "summary": "Splunk through 7.0.1 allows information disclosure by appending __raw/services/server/info/server-info?output_mode=json to a query, as demonstrated by discovering a license key."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/splunk_enterprise_information_disclosure.yml", "source": "deprecated", "nes_fields": "user,dest"}, {"name": "Suspicious Changes to File Associations", "id": "1b989a0e-0129-4446-a695-f193a5b746fc", "version": 4, "date": "2020-07-22", "author": "Rico Valdez, Splunk", "type": "TTP", "status": "deprecated", "description": "This search looks for changes to registry values that control Windows file associations, executed by a process that is not typical for legitimate, routine changes to this area.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name FROM datamodel=Endpoint.Processes where Processes.process_name!=Explorer.exe AND Processes.process_name!=OpenWith.exe by Processes.process_id Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join [| tstats `security_content_summariesonly` values(Registry.registry_path) as registry_path count from datamodel=Endpoint.Registry where Registry.registry_path=*\\\\Explorer\\\\FileExts* by Registry.process_id Registry.dest | `drop_dm_object_name(\"Registry\")` | table process_id dest registry_path]| `suspicious_changes_to_file_associations_filter` ", "how_to_implement": "To successfully implement this search you need to be ingesting information on registry changes that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Registry` nodes.", "known_false_positives": "There may be other processes in your environment that users may legitimately use to modify file associations. If this is the case and you are finding false positives, you can modify the search to add those processes as exceptions.", "references": [], "tags": {"name": "Suspicious Changes to File Associations", "analytic_story": ["Suspicious Windows Registry Activities", "Windows File Extension and Association Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "message": "tbd", "mitre_attack_id": ["T1546.001"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_changes_to_file_associations_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/suspicious_changes_to_file_associations.yml", "source": "deprecated", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious Email - UBA Anomaly", "id": "56e877a6-1455-4479-ad16-0550dc1e33f8", "version": 3, "date": "2020-07-22", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "deprecated", "description": "This detection looks for emails that are suspicious because of their sender, domain rareness, or behavior differences. This is an anomaly generated by Splunk User Behavior Analytics (UBA).", "data_source": [], "search": "|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_UEBA_Events.category) as category from datamodel=UEBA where nodename=All_UEBA_Events.UEBA_Anomalies All_UEBA_Events.UEBA_Anomalies.uba_model = \"SuspiciousEmailDetectionModel\" by All_UEBA_Events.description All_UEBA_Events.severity All_UEBA_Events.user All_UEBA_Events.uba_event_type All_UEBA_Events.link All_UEBA_Events.signature All_UEBA_Events.url All_UEBA_Events.UEBA_Anomalies.uba_model | `drop_dm_object_name(All_UEBA_Events)` | `drop_dm_object_name(UEBA_Anomalies)`| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_email___uba_anomaly_filter`", "how_to_implement": "You must be ingesting data from email logs and have Splunk integrated with UBA. This anomaly is raised by a UBA detection model called \"SuspiciousEmailDetectionModel.\" Ensure that this model is enabled on your UBA instance.", "known_false_positives": "This detection model will alert on any sender domain that is seen for the first time. This could be a potential false positive. The next step is to investigate and add the URL to an allow list if you determine that it is a legitimate sender.", "references": [], "tags": {"name": "Suspicious Email - UBA Anomaly", "analytic_story": ["Suspicious Emails"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "tbd", "mitre_attack_id": ["T1566"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "datamodel": ["Email", "UEBA"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_email___uba_anomaly_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/suspicious_email___uba_anomaly.yml", "source": "deprecated"}, {"name": "Suspicious File Write", "id": "57f76b8a-32f0-42ed-b358-d9fa3ca7bac8", "version": 3, "date": "2019-04-25", "author": "Rico Valdez, Splunk", "type": "Hunting", "status": "deprecated", "description": "The search looks for files created with names that have been linked to malicious activity.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count values(Filesystem.action) as action values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Filesystem)` | `suspicious_writes` | `suspicious_file_write_filter`", "how_to_implement": "You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file system reads and writes. In addition, this search leverages an included lookup file that contains the names of the files to watch for, as well as a note to communicate why that file name is being monitored. This lookup file can be edited to add or remove file the file names you want to monitor.", "known_false_positives": "It's possible for a legitimate file to be created with the same name as one noted in the lookup file. Filenames listed in the lookup file should be unique enough that collisions are rare. Looking at the location of the file and the process responsible for the activity can help determine whether or not the activity is legitimate.", "references": [], "tags": {"name": "Suspicious File Write", "analytic_story": ["Hidden Cobra Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_writes", "definition": "lookup suspicious_writes_lookup file as file_name OUTPUT note as \"Reference\" | search \"Reference\" != False", "description": "This macro limites the output to file names that have been marked as suspicious"}, {"name": "suspicious_file_write_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/suspicious_file_write.yml", "source": "deprecated", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious Powershell Command-Line Arguments", "id": "2cdb91d2-542c-497f-b252-be495e71f38c", "version": 6, "date": "2021-01-19", "author": "David Dorsey, Splunk", "type": "TTP", "status": "deprecated", "description": "This search looks for PowerShell processes started with a base64 encoded command-line passed to it, with parameters to modify the execution policy for the process, and those that prevent the display of an interactive prompt to the user. This combination of command-line options is suspicious because it overrides the default PowerShell execution policy, attempts to hide itself from the user, and passes an encoded script to be run on the command-line. Deprecated because almost the same as Malicious PowerShell Process - Encoded Command", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| search (process=*-EncodedCommand* OR process=*-enc*) process=*-Exec* | `suspicious_powershell_command_line_arguments_filter`", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "Legitimate process can have this combination of command-line options, but it's not common.", "references": [], "tags": {"name": "Suspicious Powershell Command-Line Arguments", "analytic_story": ["Malicious PowerShell", "Hermetic Wiper", "CISA AA22-320A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "tbd", "mitre_attack_id": ["T1059.001"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_powershell_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/suspicious_powershell_command_line_arguments.yml", "source": "deprecated", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious Rundll32 Rename", "id": "7360137f-abad-473e-8189-acbdaa34d114", "version": 5, "date": "2022-04-07", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "deprecated", "description": "The following hunting analytic identifies renamed instances of rundll32.exe executing. rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64. During investigation, validate it is the legitimate rundll32.exe executing and what script content it is loading. This query relies on the original filename or internal name from the PE meta data. Expand the query as needed by looking for specific command line arguments outlined in other analytics.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.original_file_name=RUNDLL32.exe AND Processes.process_name!=rundll32.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_rename_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/"], "tags": {"name": "Suspicious Rundll32 Rename", "analytic_story": ["Suspicious Rundll32 Activity", "Masquerading - Rename System Utilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Suspicious renamed rundll32.exe binary ran on $dest$ by $user$", "mitre_attack_id": ["T1218", "T1036", "T1218.011", "T1036.003"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_rundll32_rename_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/suspicious_rundll32_rename.yml", "source": "deprecated", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious writes to System Volume Information", "id": "cd6297cd-2bdd-4aa1-84aa-5d2f84228fac", "version": 2, "date": "2020-07-22", "author": "Rico Valdez, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search detects writes to the 'System Volume Information' folder by something other than the System process.", "data_source": ["Sysmon Event ID 1"], "search": "(`sysmon` OR tag=process) EventCode=11 process_id!=4 file_path=*System\\ Volume\\ Information* | stats count min(_time) as firstTime max(_time) as lastTime by dest, Image, file_path | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_writes_to_system_volume_information_filter`", "how_to_implement": "You need to be ingesting logs with both the process name and command-line from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "It is possible that other utilities or system processes may legitimately write to this folder. Investigate and modify the search to include exceptions as appropriate.", "references": [], "tags": {"name": "Suspicious writes to System Volume Information", "analytic_story": ["Collection and Staging"], "asset_type": "Windows", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1036"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_writes_to_system_volume_information_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/suspicious_writes_to_system_volume_information.yml", "source": "deprecated"}, {"name": "Uncommon Processes On Endpoint", "id": "29ccce64-a10c-4389-a45f-337cb29ba1f7", "version": 4, "date": "2020-07-22", "author": "David Dorsey, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search looks for applications on the endpoint that you have marked as uncommon.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.process Processes.process_name | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `uncommon_processes` |`uncommon_processes_on_endpoint_filter` ", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \"process\" field in the Endpoint data model. This search uses a lookup file `uncommon_processes_default.csv` to track various features of process names that are usually uncommon in most environments. Please consider updating `uncommon_processes_local.csv` to hunt for processes that are uncommon in your environment.", "known_false_positives": "None identified", "references": [], "tags": {"name": "Uncommon Processes On Endpoint", "analytic_story": ["Windows Privilege Escalation", "Unusual Processes", "Hermetic Wiper"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "tbd", "mitre_attack_id": ["T1204.002"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "uncommon_processes", "definition": "lookup update=true lookup_uncommon_processes_default process_name as process_name outputnew uncommon_default,category_default,analytic_story_default,kill_chain_phase_default,mitre_attack_default | lookup update=true lookup_uncommon_processes_local process_name as process_name outputnew uncommon_local,category_local,analytic_story_local,kill_chain_phase_local,mitre_attack_local | eval uncommon = coalesce(uncommon_default, uncommon_local), analytic_story = coalesce(analytic_story_default, analytic_story_local), category=coalesce(category_default, category_local), kill_chain_phase=coalesce(kill_chain_phase_default, kill_chain_phase_local), mitre_attack=coalesce(mitre_attack_default, mitre_attack_local) | fields - analytic_story_default, analytic_story_local, category_default, category_local, kill_chain_phase_default, kill_chain_phase_local, mitre_attack_default, mitre_attack_local, uncommon_default, uncommon_local | search uncommon=true", "description": "This macro limits the output to processes that have been marked as uncommon"}, {"name": "uncommon_processes_on_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/uncommon_processes_on_endpoint.yml", "source": "deprecated", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Unsigned Image Loaded by LSASS", "id": "56ef054c-76ef-45f9-af4a-a634695dcd65", "version": 1, "date": "2019-12-06", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "deprecated", "description": "This search detects loading of unsigned images by LSASS. Deprecated because too noisy.", "data_source": ["Sysmon Event ID 7"], "search": "`sysmon` EventID=7 Image=*lsass.exe Signed=false | stats count min(_time) as firstTime max(_time) as lastTime by Computer, Image, ImageLoaded, Signed, SHA1 | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `unsigned_image_loaded_by_lsass_filter` ", "how_to_implement": "This search needs Sysmon Logs with a sysmon configuration, which includes EventCode 7 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "Other tools could load images into LSASS for legitimate reason. But enterprise tools should always use signed DLLs.", "references": ["https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf"], "tags": {"name": "Unsigned Image Loaded by LSASS", "analytic_story": ["Credential Dumping"], "asset_type": "Windows", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1003.001"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "unsigned_image_loaded_by_lsass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/unsigned_image_loaded_by_lsass.yml", "source": "deprecated", "nes_fields": "user,dest"}, {"name": "Unsuccessful Netbackup backups", "id": "a34aae96-ccf8-4aaa-952c-3ea21444444f", "version": 1, "date": "2017-09-12", "author": "David Dorsey, Splunk", "type": "Hunting", "status": "deprecated", "description": "This search gives you the hosts where a backup was attempted and then failed.", "data_source": [], "search": "`netbackup` | stats latest(_time) as latestTime by COMPUTERNAME, MESSAGE | search MESSAGE=\"An error occurred, failed to backup.\" | `security_content_ctime(latestTime)` | rename COMPUTERNAME as dest, MESSAGE as signature | table latestTime, dest, signature | `unsuccessful_netbackup_backups_filter`", "how_to_implement": "To successfully implement this search you need to obtain data from your backup solution, either from the backup logs on your endpoints or from a central server responsible for performing the backups. If you do not use Netbackup, you can modify this search for your specific backup solution.", "known_false_positives": "None identified", "references": [], "tags": {"name": "Unsuccessful Netbackup backups", "analytic_story": ["Monitor Backup Solution"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "netbackup", "definition": "sourcetype=\"netbackup_logs\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "unsuccessful_netbackup_backups_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/unsuccessful_netbackup_backups.yml", "source": "deprecated"}, {"name": "Web Fraud - Account Harvesting", "id": "bf1d7b5c-df2f-4249-a401-c09fdc221ddf", "version": 1, "date": "2018-10-08", "author": "Jim Apger, Splunk", "type": "TTP", "status": "deprecated", "description": "This search is used to identify the creation of multiple user accounts using the same email domain name.", "data_source": [], "search": "`stream_http` http_content_type=text* uri=\"/magento2/customer/account/loginPost/\" | rex field=cookie \"form_key=(?\\w+)\" | rex field=form_data \"login\\[username\\]=(?[^&|^$]+)\" | search Username=* | rex field=Username \"@(?.*)\" | stats dc(Username) as UniqueUsernames list(Username) as src_user by email_domain | where UniqueUsernames> 25 | `web_fraud___account_harvesting_filter`", "how_to_implement": "We start with a dataset that provides visibility into the email address used for the account creation. In this example, we are narrowing our search down to the single web page that hosts the Magento2 e-commerce platform (via URI) used for account creation, the single http content-type to grab only the user's clicks, and the http field that provides the username (form_data), for performance reasons. After we have the username and email domain, we look for numerous account creations per email domain. Common data sources used for this detection are customized Apache logs or Splunk Stream.", "known_false_positives": "As is common with many fraud-related searches, we are usually looking to attribute risk or synthesize relevant context with loosely written detections that simply detect anamolous behavior. This search will need to be customized to fit your environment—improving its fidelity by counting based on something much more specific, such as a device ID that may be present in your dataset. Consideration for whether the large number of registrations are occuring from a first-time seen domain may also be important. Extending the search window to look further back in time, or even calculating the average per hour/day for each email domain to look for an anomalous spikes, will improve this search. You can also use Shannon entropy or Levenshtein Distance (both courtesy of URL Toolbox) to consider the randomness or similarity of the email name or email domain, as the names are often machine-generated.", "references": ["https://splunkbase.splunk.com/app/2734/", "https://splunkbase.splunk.com/app/1809/"], "tags": {"name": "Web Fraud - Account Harvesting", "analytic_story": ["Web Fraud Detection"], "asset_type": "Account", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "tbd", "mitre_attack_id": ["T1136"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "http_content_type", "uri", "cookie"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}]}, "datamodel": [], "macros": [{"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "web_fraud___account_harvesting_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/web_fraud___account_harvesting.yml", "source": "deprecated", "nes_fields": "user,dest"}, {"name": "Web Fraud - Anomalous User Clickspeed", "id": "31337bbb-bc22-4752-b599-ef192df2dc7a", "version": 1, "date": "2018-10-08", "author": "Jim Apger, Splunk", "type": "Anomaly", "status": "deprecated", "description": "This search is used to examine web sessions to identify those where the clicks are occurring too quickly for a human or are occurring with a near-perfect cadence (high periodicity or low standard deviation), resembling a script driven session.", "data_source": [], "search": "`stream_http` http_content_type=text* | rex field=cookie \"form_key=(?\\w+)\" | streamstats window=2 current=1 range(_time) as TimeDelta by session_id | where TimeDelta>0 |stats count stdev(TimeDelta) as ClickSpeedStdDev avg(TimeDelta) as ClickSpeedAvg by session_id | where count>5 AND (ClickSpeedStdDev<.5 OR ClickSpeedAvg<.5) | `web_fraud___anomalous_user_clickspeed_filter`", "how_to_implement": "Start with a dataset that allows you to see clickstream data for each user click on the website. That data must have a time stamp and must contain a reference to the session identifier being used by the website. This ties the clicks together into clickstreams. This value is usually found in the http cookie. With a bit of tuning, a version of this search could be used in high-volume scenarios, such as scraping, crawling, application DDOS, credit-card testing, account takeover, etc. Common data sources used for this detection are customized Apache logs, customized IIS, and Splunk Stream.", "known_false_positives": "As is common with many fraud-related searches, we are usually looking to attribute risk or synthesize relevant context with loosly written detections that simply detect anamoluous behavior.", "references": ["https://en.wikipedia.org/wiki/Session_ID", "https://en.wikipedia.org/wiki/Session_(computer_science)", "https://en.wikipedia.org/wiki/HTTP_cookie", "https://splunkbase.splunk.com/app/1809/"], "tags": {"name": "Web Fraud - Anomalous User Clickspeed", "analytic_story": ["Web Fraud Detection"], "asset_type": "account", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1078"], "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "http_content_type", "cookie"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "datamodel": [], "macros": [{"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "web_fraud___anomalous_user_clickspeed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/web_fraud___anomalous_user_clickspeed.yml", "source": "deprecated"}, {"name": "Web Fraud - Password Sharing Across Accounts", "id": "31337a1a-53b9-4e05-96e9-55c934cb71d3", "version": 1, "date": "2018-10-08", "author": "Jim Apger, Splunk", "type": "Anomaly", "status": "deprecated", "description": "This search is used to identify user accounts that share a common password.", "data_source": [], "search": "`stream_http` http_content_type=text* uri=/magento2/customer/account/loginPost* | rex field=form_data \"login\\[username\\]=(?[^&|^$]+)\" | rex field=form_data \"login\\[password\\]=(?[^&|^$]+)\" | stats dc(Username) as UniqueUsernames values(Username) as user list(src_ip) as src_ip by Password|where UniqueUsernames>5 | `web_fraud___password_sharing_across_accounts_filter`", "how_to_implement": "We need to start with a dataset that allows us to see the values of usernames and passwords that users are submitting to the website hosting the Magento2 e-commerce platform (commonly found in the HTTP form_data field). A tokenized or hashed value of a password is acceptable and certainly preferable to a clear-text password. Common data sources used for this detection are customized Apache logs, customized IIS, and Splunk Stream.", "known_false_positives": "As is common with many fraud-related searches, we are usually looking to attribute risk or synthesize relevant context with loosely written detections that simply detect anamoluous behavior.", "references": ["https://en.wikipedia.org/wiki/Session_ID", "https://en.wikipedia.org/wiki/Session_(computer_science)", "https://en.wikipedia.org/wiki/HTTP_cookie", "https://splunkbase.splunk.com/app/1809/"], "tags": {"name": "Web Fraud - Password Sharing Across Accounts", "analytic_story": ["Web Fraud Detection"], "asset_type": "account", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "http_content_type", "uri"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "web_fraud___password_sharing_across_accounts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/web_fraud___password_sharing_across_accounts.yml", "source": "deprecated"}, {"name": "Windows connhost exe started forcefully", "id": "c114aaca-68ee-41c2-ad8c-32bf21db8769", "version": 1, "date": "2020-11-06", "author": "Rod Soto, Jose Hernandez, Splunk", "type": "TTP", "status": "deprecated", "description": "The search looks for the Console Window Host process (connhost.exe) executed using the force flag -ForceV1. This is not regular behavior in the Windows OS and is often seen executed by the Ryuk Ransomware. DEPRECATED This event is actually seen in the windows 10 client of attack_range_local. After further testing we realized this is not specific to Ryuk. ", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE Processes.process=\"*C:\\\\Windows\\\\system32\\\\conhost.exe* 0xffffffff *-ForceV1*\" by Processes.user Processes.process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_connhost_exe_started_forcefully_filter`", "how_to_implement": "You must be ingesting data that records the process-system activity from your hosts to populate the Endpoint Processes data-model object. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.", "known_false_positives": "This process should not be ran forcefully, we have not see any false positives for this detection", "references": [], "tags": {"name": "Windows connhost exe started forcefully", "analytic_story": ["Ryuk Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "tbd", "mitre_attack_id": ["T1059.003"], "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_connhost_exe_started_forcefully_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/windows_connhost_exe_started_forcefully.yml", "source": "deprecated", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows hosts file modification", "id": "06a6fc63-a72d-41dc-8736-7e3dd9612116", "version": 1, "date": "2018-11-02", "author": "Rico Valdez, Splunk", "type": "TTP", "status": "deprecated", "description": "The search looks for modifications to the hosts file on all Windows endpoints across your environment.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.file_path Filesystem.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | search Filesystem.file_name=hosts AND Filesystem.file_path=*Windows\\\\System32\\\\* | `drop_dm_object_name(Filesystem)` | `windows_hosts_file_modification_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records the file-system activity from your hosts to populate the Endpoint.Filesystem data model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or by other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes.", "known_false_positives": "There may be legitimate reasons for system administrators to add entries to this file.", "references": [], "tags": {"name": "Windows hosts file modification", "analytic_story": ["Host Redirection"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.CM"], "observable": [{"name": "field", "type": "Unknown", "role": ["Unknown"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_hosts_file_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/deprecated/windows_hosts_file_modification.yml", "source": "deprecated", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "3CX Supply Chain Attack Network Indicators", "id": "791b727c-deec-4fbe-a732-756131b3c5a1", "version": 1, "date": "2023-03-30", "author": "Michael Haag, Splunk", "type": "TTP", "status": "experimental", "description": "The analytic provided below employs the Network_Resolution datamodel to detect domain indicators associated with the 3CX supply chain attack. By leveraging this query, you can efficiently conduct retrospective analysis of your data to uncover potential compromises.", "data_source": [], "search": "| tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) as firstTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name(DNS)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | lookup 3cx_ioc_domains domain as query OUTPUT Description isIOC | search isIOC=true | `3cx_supply_chain_attack_network_indicators_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information into the `Network Resolution` datamodel in the `DNS` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA''s are installed.", "known_false_positives": "False positives will be present for accessing the 3cx[.]com website. Remove from the lookup as needed.", "references": ["https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/", "https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp", "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/", "https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898", "https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/"], "tags": {"name": "3CX Supply Chain Attack Network Indicators", "analytic_story": ["3CX Supply Chain Attack"], "asset_type": "Network", "cis20": ["CIS 13"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Delivery"], "message": "Indicators related to 3CX supply chain attack have been identified on $src$.", "mitre_attack_id": ["T1195.002"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}, {"name": "query", "type": "URL String", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["DNS.src", "DNS.query", "_time"], "risk_score": 100, "security_domain": "network", "risk_severity": "high", "cve": ["CVE-2023-29059"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1195.002", "mitre_attack_technique": "Compromise Software Supply Chain", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT41", "Cobalt Group", "Dragonfly", "GOLD SOUTHFIELD", "Sandworm Team", "Threat Group-3390"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.002/3CX/3cx_network-windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Network_Resolution"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "3cx_supply_chain_attack_network_indicators_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "3cx_ioc_domains", "description": "A list of domains from the 3CX supply chain attack.", "filename": "3cx_ioc_domains.csv", "default_match": "false", "match_type": "WILDCARD(domain)", "min_matches": 1, "case_sensitive_match": "false"}], "cve_enrichment": [{"id": "CVE-2023-29059", "cvss": null, "summary": "3CX DesktopApp through 18.12.416 has embedded malicious code, as exploited in the wild in March 2023. This affects versions 18.12.407 and 18.12.416 of the 3CX DesktopApp Electron Windows application shipped in Update 7, and versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 of the 3CX DesktopApp Electron macOS application."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/3cx_supply_chain_attack_network_indicators.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "7zip CommandLine To SMB Share Path", "id": "01d29b48-ff6f-11eb-b81e-acde48001122", "version": 1, "date": "2021-08-17", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "This search is to detect a suspicious 7z process with commandline pointing to SMB network share. This technique was seen in CONTI LEAK tools where it use 7z to archive a sensitive files and place it in network share tmp folder. This search is a good hunting query that may give analyst a hint why specific user try to archive a file pointing to SMB user which is un usual.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name =\"7z.exe\" OR Processes.process_name = \"7za.exe\" OR Processes.original_file_name = \"7z.exe\" OR Processes.original_file_name = \"7za.exe\") AND (Processes.process=\"*\\\\C$\\\\*\" OR Processes.process=\"*\\\\Admin$\\\\*\" OR Processes.process=\"*\\\\IPC$\\\\*\") by Processes.original_file_name Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.parent_process_id Processes.process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `7zip_commandline_to_smb_share_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed 7z.exe may be used.", "known_false_positives": "unknown", "references": ["https://threadreaderapp.com/thread/1423361119926816776.html"], "tags": {"name": "7zip CommandLine To SMB Share Path", "analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "archive process $process_name$ with suspicious cmdline $process$ in host $dest$", "mitre_attack_id": ["T1560.001", "T1560"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "Turla", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/conti/conti_leak/windows-sysmon_7z.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "7zip_commandline_to_smb_share_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/7zip_commandline_to_smb_share_path.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Access LSASS Memory for Dump Creation", "id": "fb4c31b0-13e8-4155-8aa5-24de4b8d6717", "version": 2, "date": "2019-12-06", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "The following analytic is designed to detect potentially malicious activities involving the Local Security Authority Subsystem Service (LSASS) process. Specifically, it identifies when the LSASS process memory is being dumped, an action often associated with credential dumping attacks. This analytic leverages Sysmon logs, particularly those with EventCode 10 related to lsass.exe. It searches for indicators of LSASS memory dumping, such as specific call traces to dbgcore.dll and dbghelp.dll. While memory dumps can be legitimate administrative tasks, LSASS memory dumps are typically unusual and warrant investigation. To implement this analytic, ensure your Sysmon setup includes EventCode 10 logging for lsass.exe and customize the provided macros (sysmon and post-filter macro) to match your specific Splunk environment configuration.", "data_source": ["Sysmon Event ID 1"], "search": "`sysmon` EventCode=10 TargetImage=*lsass.exe CallTrace=*dbgcore.dll* OR CallTrace=*dbghelp.dll* | stats count min(_time) as firstTime max(_time) as lastTime by Computer, TargetImage, TargetProcessId, SourceImage, SourceProcessId | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `access_lsass_memory_for_dump_creation_filter` ", "how_to_implement": "This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10 for lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "Administrators can create memory dumps for debugging purposes, but memory dumps of the LSASS process would be unusual.", "references": ["https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf"], "tags": {"name": "Access LSASS Memory for Dump Creation", "analytic_story": ["Credential Dumping"], "asset_type": "Windows", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "process $SourceImage$ injected into $TargetImage$ and was attempted dump LSASS on $dest$. Adversaries tend to do this when trying to accesss credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).", "mitre_attack_id": ["T1003.001", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "TargetImage", "type": "Process", "role": ["Target"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "TargetImage", "CallTrace", "Computer", "TargetProcessId", "SourceImage", "SourceProcessId"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "access_lsass_memory_for_dump_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/access_lsass_memory_for_dump_creation.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Account Discovery With Net App", "id": "339805ce-ac30-11eb-b87d-acde48001122", "version": 4, "date": "2023-01-04", "author": "Teoderick Contreras, Splunk, TheLawsOfChaos, Github Community", "type": "TTP", "status": "production", "description": "This search is to detect a potential account discovery series of command used by several malware or attack to recon the target machine. This technique is also seen in some note worthy malware like trickbot where it runs a cmd process, or even drop its module that will execute the said series of net command. This series of command are good correlation search and indicator of attacker recon if seen in the machines within a none technical user or department (HR, finance, ceo and etc) network.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND (Processes.process=\"* user *\" OR Processes.process=\"*config*\" OR Processes.process=\"*view /all*\") by Processes.process_name Processes.dest Processes.user Processes.parent_process_name | where count >=4 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `account_discovery_with_net_app_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product..", "known_false_positives": "Admin or power user may used this series of command.", "references": ["https://labs.vipre.com/trickbot-and-its-modules/", "https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/", "https://app.any.run/tasks/48414a33-3d66-4a46-afe5-c2003bb55ccf/"], "tags": {"name": "Account Discovery With Net App", "analytic_story": ["Trickbot", "IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Exploitation"], "message": "Suspicious $process_name$ usage detected on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1087.002", "T1087"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/infection/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "account_discovery_with_net_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/account_discovery_with_net_app.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Active Directory Lateral Movement Identified", "id": "6aa6f9dd-adfe-45a8-8f74-c4c7a0d7d037", "version": 1, "date": "2023-04-19", "author": "Michael Haag, Splunk", "type": "Correlation", "status": "production", "description": "The primary objective of this correlation rule is to detect and alert on potential lateral movement activities within an organization's Active Directory (AD) environment. By identifying multiple analytics associated with the Active Directory Lateral Movement analytic story, security analysts can gain better insight into possible threats and respond accordingly to mitigate risks. The correlation rule will trigger an alert when multiple analytics from the Active Directory Lateral Movement analytic story are detected within a specified time frame. The rule will generate an alert if a predetermined threshold of correlated analytics is reached within the specified time frame. This threshold can be customized to suit the needs and risk appetite of the organization.", "data_source": [], "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories=\"Active Directory Lateral Movement\" All_Risk.risk_object_type=\"system\" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `active_directory_lateral_movement_identified_filter`", "how_to_implement": "Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased as the analytic story includes over 30 analytics. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance.", "known_false_positives": "False positives will most likely be present based on risk scoring and how the organization handles system to system communication. Filter, or modify as needed. In addition to count by analytics, adding a risk score may be useful. In our testing, with 22 events over 30 days, the risk scores ranged from 500 to 80,000. Your organization will be different, monitor and modify as needed.", "references": ["https://attack.mitre.org/tactics/TA0008/", "https://research.splunk.com/stories/active_directory_lateral_movement/"], "tags": {"name": "Active Directory Lateral Movement Identified", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "Activity related to lateral movement has been identified on $risk_object$.", "mitre_attack_id": ["T1210"], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["All_Risk.calculated_risk_score", "All_Risk.annotations.mitre_attack.mitre_tactic_id", "All_Risk.annotations.mitre_attack.mitre_technique_id", "All_Risk.tag", "All_Risk.analyticstories", "All_Risk.risk_object_type", "All_Risk.risk_object", "All_Risk.annotations.mitre_attack.mitre_tactic"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "atomic_guid": [], "mitre_attack_enrichments": [{"mitre_attack_id": "T1210", "mitre_attack_technique": "Exploitation of Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "Dragonfly", "Earth Lusca", "FIN7", "Fox Kitten", "MuddyWater", "Threat Group-3390", "Tonto Team", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1218/living_off_the_land/adlm_risk.log", "source": "adlm", "sourcetype": "stash"}]}], "datamodel": ["Risk"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "active_directory_lateral_movement_identified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/active_directory_lateral_movement_identified.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Active Directory Privilege Escalation Identified", "id": "583e8a68-f2f7-45be-8fc9-bf725f0e22fd", "version": 1, "date": "2023-05-23", "author": "Mauricio Velazco, Splunk", "type": "Correlation", "status": "production", "description": "The primary objective of this correlation rule is to detect and alert on potential privilege escalation activities within an organization's Active Directory (AD) environment. By identifying multiple analytics associated with the Active Directory Privilege Escalation analytic story, security analysts can gain better insight into possible threats and respond accordingly to mitigate risks. The correlation rule will trigger an alert when multiple analytics from the Active Directory Privilege Escalation analytic story are detected within a specified time frame. The rule will generate an alert if a predetermined threshold of correlated analytics is reached within the specified time frame. This threshold can be customized to suit the needs and risk appetite of the organization.", "data_source": [], "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories=\"Active Directory Privilege Escalation\" All_Risk.risk_object_type=\"system\" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `active_directory_privilege_escalation_identified_filter`", "how_to_implement": "Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased as the analytic story includes over 30 analytics. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance.", "known_false_positives": "False positives will most likely be present based on risk scoring and how the organization handles system to system communication. Filter, or modify as needed. In addition to count by analytics, adding a risk score may be useful. In our testing, with 22 events over 30 days, the risk scores ranged from 500 to 80,000. Your organization will be different, monitor and modify as needed.", "references": ["https://attack.mitre.org/tactics/TA0004/", "https://research.splunk.com/stories/active_directory_privilege_escalation/"], "tags": {"name": "Active Directory Privilege Escalation Identified", "analytic_story": ["Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "Activity related to privilege escalation has been identified on $risk_object$.", "mitre_attack_id": ["T1484"], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["All_Risk.calculated_risk_score", "All_Risk.annotations.mitre_attack.mitre_tactic_id", "All_Risk.annotations.mitre_attack.mitre_technique_id", "All_Risk.tag", "All_Risk.analyticstories", "All_Risk.risk_object_type", "All_Risk.risk_object", "All_Risk.annotations.mitre_attack.mitre_tactic"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "atomic_guid": [], "mitre_attack_enrichments": [{"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1484/privesc/priv_esc.log", "source": "adlm", "sourcetype": "stash"}]}], "datamodel": ["Risk"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "active_directory_privilege_escalation_identified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/active_directory_privilege_escalation_identified.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Active Setup Registry Autostart", "id": "f64579c0-203f-11ec-abcc-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to detect a suspicious modification of the active setup registry for persistence and privilege escalation. This technique was seen in several malware (poisonIvy), adware and APT to gain persistence to the compromised machine upon boot up. This TTP is a good indicator to further check the process id that do the modification since modification of this registry is not commonly done. check the legitimacy of the file and process involve in this rules to check if it is a valid setup installer that creating or modifying this registry.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_value_name= \"StubPath\" Registry.registry_path = \"*\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `active_setup_registry_autostart_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "Active setup installer may add or modify this registry.", "references": ["https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor%3AWin32%2FPoisonivy.E", "https://attack.mitre.org/techniques/T1547/014/"], "tags": {"name": "Active Setup Registry Autostart", "analytic_story": ["Data Destruction", "Windows Privilege Escalation", "Hermetic Wiper", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "modified/added/deleted registry entry $Registry.registry_path$ in $dest$", "mitre_attack_id": ["T1547.014", "T1547"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.014", "mitre_attack_technique": "Active Setup", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/t1547.014/active_setup_stubpath/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "active_setup_registry_autostart_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/active_setup_registry_autostart.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Add DefaultUser And Password In Registry", "id": "d4a3eb62-0f1e-11ec-a971-acde48001122", "version": 4, "date": "2023-03-29", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "this search is to detect a suspicious registry modification to implement auto admin logon to a host. This technique was seen in BlackMatter ransomware to automatically logon to the compromise host after triggering a safemode boot to continue encrypting the whole network. This behavior is not a common practice and really a suspicious TTP or alert need to be consider if found within then network premise.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon*\" AND Registry.registry_value_name= DefaultPassword OR Registry.registry_value_name= DefaultUserName) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `add_defaultuser_and_password_in_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "references": ["https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/"], "tags": {"name": "Add DefaultUser And Password In Registry", "analytic_story": ["BlackMatter Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "modified registry key $registry_key_name$ with registry value $registry_value_name$ to prepare autoadminlogon", "mitre_attack_id": ["T1552.002", "T1552"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1552.002", "mitre_attack_technique": "Credentials in Registry", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT32"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.002/autoadminlogon/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "add_defaultuser_and_password_in_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/add_defaultuser_and_password_in_registry.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Add or Set Windows Defender Exclusion", "id": "773b66fe-4dd9-11ec-8289-acde48001122", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic will identify a suspicious process command-line related to Windows Defender exclusion feature. This command is abused by adversaries, malware authors and red teams to bypass Windows Defender Antivirus products by excluding folder path, file path, process and extensions. From its real time or schedule scan to execute their malicious code. This is a good indicator for defense evasion and to look further for events after this behavior.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process = \"*Add-MpPreference *\" OR Processes.process = \"*Set-MpPreference *\") AND Processes.process=\"*-exclusion*\" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `add_or_set_windows_defender_exclusion_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Admin or user may choose to use this windows features. Filter as needed.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html", "https://app.any.run/tasks/cf1245de-06a7-4366-8209-8e3006f2bfe5/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"name": "Add or Set Windows Defender Exclusion", "analytic_story": ["CISA AA22-320A", "AgentTesla", "Remcos", "Windows Defense Evasion Tactics", "Data Destruction", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "exclusion command $process$ executed on $dest$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "add_or_set_windows_defender_exclusion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/add_or_set_windows_defender_exclusion.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "AdsiSearcher Account Discovery", "id": "de7fcadc-04f3-11ec-a241-acde48001122", "version": 2, "date": "2023-04-14", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain users for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*[adsisearcher]*\" ScriptBlockText = \"*objectcategory=user*\" ScriptBlockText = \"*.findAll()*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Computer ScriptBlockText UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `adsisearcher_account_discovery_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1087/002/", "https://www.blackhillsinfosec.com/red-blue-purple/", "https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/"], "tags": {"name": "AdsiSearcher Account Discovery", "analytic_story": ["Data Destruction", "Active Directory Discovery", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "powershell process having commandline $Message$ for user enumeration", "mitre_attack_id": ["T1087.002", "T1087"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Message", "ComputerName", "User"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/adsisearcher_powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "adsisearcher_account_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/adsisearcher_account_discovery.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Allow File And Printing Sharing In Firewall", "id": "ce27646e-d411-11eb-8a00-acde48001122", "version": 2, "date": "2021-06-23", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious modification of firewall to allow file and printer sharing. This technique was seen in ransomware to be able to discover more machine connected to the compromised host to encrypt more files", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process= \"*firewall*\" Processes.process= \"*group=\\\"File and Printer Sharing\\\"*\" Processes.process=\"*enable=Yes*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_file_and_printing_sharing_in_firewall_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "network admin may modify this firewall feature that may cause this rule to be triggered.", "references": ["https://community.fortinet.com:443/t5/FortiEDR/How-FortiEDR-detects-and-blocks-Revil-Ransomware-aka-sodinokibi/ta-p/189638?externalID=FD52469", "https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/"], "tags": {"name": "Allow File And Printing Sharing In Firewall", "analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "", "mitre_attack_id": ["T1562.007", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_netsh", "definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "allow_file_and_printing_sharing_in_firewall_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Allow Inbound Traffic By Firewall Rule Registry", "id": "0a46537c-be02-11eb-92ca-acde48001122", "version": 5, "date": "2023-03-29", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic detects a potential suspicious modification of firewall rule registry allowing inbound traffic in specific port with public profile. This technique was identified when an adversary wants to grant remote access to a machine by allowing the traffic in a firewall rule.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\System\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\FirewallRules\\\\*\" Registry.registry_value_data = \"*|Action=Allow|*\" Registry.registry_value_data = \"*|Dir=In|*\" Registry.registry_value_data = \"*|LPort=*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_inbound_traffic_by_firewall_rule_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "network admin may add/remove/modify public inbound firewall rule that may cause this rule to be triggered.", "references": ["https://docs.microsoft.com/en-us/powershell/module/netsecurity/new-netfirewallrule?view=windowsserver2019-ps"], "tags": {"name": "Allow Inbound Traffic By Firewall Rule Registry", "analytic_story": ["Prohibited Traffic Allowed or Protocol Mismatch", "Windows Registry Abuse", "Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Suspicious firewall allow rule modifications were detected via the registry on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1021.001", "T1021"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/honeypots/casper/datasets1/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "allow_inbound_traffic_by_firewall_rule_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Allow Inbound Traffic In Firewall Rule", "id": "a5d85486-b89c-11eb-8267-acde48001122", "version": 1, "date": "2021-05-19", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies suspicious PowerShell command to allow inbound traffic inbound to a specific local port within the public profile. This technique was seen in some attacker want to have a remote access to a machine by allowing the traffic in firewall rule.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 Message = \"*firewall*\" Message = \"*Inbound*\" Message = \"*Allow*\" Message = \"*-LocalPort*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_inbound_traffic_in_firewall_rule_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event.", "known_false_positives": "administrator may allow inbound traffic in certain network or machine.", "references": ["https://docs.microsoft.com/en-us/powershell/module/netsecurity/new-netfirewallrule?view=windowsserver2019-ps"], "tags": {"name": "Allow Inbound Traffic In Firewall Rule", "analytic_story": ["Prohibited Traffic Allowed or Protocol Mismatch"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 10, "kill_chain_phases": ["Exploitation"], "message": "Suspicious firewall modification detected on endpoint $ComputerName$ by user $user$.", "mitre_attack_id": ["T1021.001", "T1021"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "ComputerName", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Message", "ComputerName", "User"], "risk_score": 3, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/honeypots/casper/datasets1/windows-powershell.log", "source": "WinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "allow_inbound_traffic_in_firewall_rule_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/allow_inbound_traffic_in_firewall_rule.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Allow Network Discovery In Firewall", "id": "ccd6a38c-d40b-11eb-85a5-acde48001122", "version": 2, "date": "2021-06-23", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious modification to the firewall to allow network discovery on a machine. This technique was seen in couple of ransomware (revil, reddot) to discover other machine connected to the compromised host to encrypt more files.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process= \"*firewall*\" Processes.process= \"*group=\\\"Network Discovery\\\"*\" Processes.process=\"*enable*\" Processes.process=\"*Yes*\" by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_network_discovery_in_firewall_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "network admin may modify this firewall feature that may cause this rule to be triggered.", "references": ["https://community.fortinet.com:443/t5/FortiEDR/How-FortiEDR-detects-and-blocks-Revil-Ransomware-aka-sodinokibi/ta-p/189638?externalID=FD52469", "https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/"], "tags": {"name": "Allow Network Discovery In Firewall", "analytic_story": ["Ransomware", "Revil Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "", "mitre_attack_id": ["T1562.007", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_netsh", "definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "allow_network_discovery_in_firewall_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/allow_network_discovery_in_firewall.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Allow Operation with Consent Admin", "id": "7de17d7a-c9d8-11eb-a812-acde48001122", "version": 4, "date": "2023-03-29", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies a potential privilege escalation attempt to perform malicious task. This registry modification is designed to allow the `Consent Admin` to perform an operation that requires elevation without consent or credentials. We also found this in some attacker to gain privilege escalation to the compromise machine.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System*\" Registry.registry_value_name = ConsentPromptBehaviorAdmin Registry.registry_value_data = \"0x00000000\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_operation_with_consent_admin_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "references": ["https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/341747f5-6b5d-4d30-85fc-fa1cc04038d4", "https://www.trendmicro.com/vinfo/no/threat-encyclopedia/malware/Ransom.Win32.MRDEC.MRA/"], "tags": {"name": "Allow Operation with Consent Admin", "analytic_story": ["Ransomware", "Windows Registry Abuse", "Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Suspicious registry modification was performed on endpoint $dest$ by user $user$. This behavior is indicative of privilege escalation.", "mitre_attack_id": ["T1548"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data1/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "allow_operation_with_consent_admin_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/allow_operation_with_consent_admin.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Anomalous usage of 7zip", "id": "9364ee8e-a39a-11eb-8f1d-acde48001122", "version": 1, "date": "2023-06-13", "author": "Michael Haag, Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following detection identifies a 7z.exe spawned from `Rundll32.exe` or `Dllhost.exe`. It is assumed that the adversary has brought in `7z.exe` and `7z.dll`. It has been observed where an adversary will rename `7z.exe`. Additional coverage may be required to identify the behavior of renamed instances of `7z.exe`. During triage, identify the source of injection into `Rundll32.exe` or `Dllhost.exe`. Capture any files written to disk and analyze as needed. Review parallel processes for additional behaviors. Typically, archiving files will result in exfiltration.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"rundll32.exe\", \"dllhost.exe\") Processes.process_name=*7z* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `anomalous_usage_of_7zip_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "False positives should be limited as this behavior is not normal for `rundll32.exe` or `dllhost.exe` to spawn and run 7zip.", "references": ["https://attack.mitre.org/techniques/T1560/001/", "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/"], "tags": {"name": "Anomalous usage of 7zip", "analytic_story": ["Cobalt Strike", "NOBELIUM Group", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. This behavior is indicative of suspicious loading of 7zip.", "mitre_attack_id": ["T1560.001", "T1560"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.parent_process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "Turla", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "anomalous_usage_of_7zip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/anomalous_usage_of_7zip.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Any Powershell DownloadFile", "id": "1a93b7ea-7af7-11eb-adb5-acde48001122", "version": 3, "date": "2023-04-14", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of PowerShell downloading a file using `DownloadFile` method. This particular method is utilized in many different PowerShell frameworks to download files and output to disk. Identify the source (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell transaction logs are available, review for further details of the implant.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*DownloadFile* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `any_powershell_downloadfile_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present and filtering will need to occur by parent process or command line argument. It may be required to modify this query to an EDR product for more granular coverage.", "references": ["https://docs.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-5.0", "https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"], "tags": {"name": "Any Powershell DownloadFile", "analytic_story": ["DarkCrystal RAT", "Ingress Tool Transfer", "Hermetic Wiper", "Malicious PowerShell", "Data Destruction", "Log4Shell CVE-2021-44228"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Installation", "Command And Control"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. This behavior identifies the use of DownloadFile within PowerShell.", "mitre_attack_id": ["T1059", "T1059.001", "T1105"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "cve": ["CVE-2021-44228"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "any_powershell_downloadfile_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-44228", "cvss": 9.3, "summary": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/any_powershell_downloadfile.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Any Powershell DownloadString", "id": "4d015ef2-7adf-11eb-95da-acde48001122", "version": 3, "date": "2023-04-05", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of PowerShell downloading a file using `DownloadString` method. This particular method is utilized in many different PowerShell frameworks to download files and output to disk. Identify the source (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell transaction logs are available, review for further details of the implant.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*.DownloadString* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `any_powershell_downloadstring_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present and filtering will need to occur by parent process or command line argument. It may be required to modify this query to an EDR product for more granular coverage.", "references": ["https://docs.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-5.0", "https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"name": "Any Powershell DownloadString", "analytic_story": ["Winter Vivern", "Ingress Tool Transfer", "Hermetic Wiper", "Malicious PowerShell", "HAFNIUM Group", "Data Destruction", "IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Installation", "Command And Control"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. This behavior identifies the use of DownloadString within PowerShell.", "mitre_attack_id": ["T1059", "T1059.001", "T1105"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "any_powershell_downloadstring_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/any_powershell_downloadstring.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Attacker Tools On Endpoint", "id": "a51bfe1a-94f0-48cc-b4e4-16a110145893", "version": 2, "date": "2021-11-04", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "The following analytic aims to identify the use of tools commonly exploited by cybercriminals. The use of these tools often signals nefarious activities like unauthorized access, network scanning, or data exfiltration, representing a significant threat to an organization's security infrastructure. By examining process activity on the host, particularly those processes corresponding to known attacker tool names, this analytic serves as an early warning system for potential security incidents. However, its precision must be balanced with the understanding that some administrative activities might also trigger alerts, resulting in false positives. This underlines the importance of cyber analysts having a clear understanding of typical endpoint activities and behaviors within their organization, enabling them to accurately interpret and respond to these alerts.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes where Processes.dest!=unknown Processes.user!=unknown by Processes.dest Processes.user Processes.process_name Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup attacker_tools attacker_tool_names AS process_name OUTPUT description | search description !=false| `attacker_tools_on_endpoint_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is usually generated via logs that report process tracking in your Windows audit settings.", "known_false_positives": "Some administrator activity can be potentially triggered, please add those users to the filter macro.", "references": [], "tags": {"name": "Attacker Tools On Endpoint", "analytic_story": ["Monitor for Unauthorized Software", "XMRig", "SamSam Ransomware", "Unusual Processes", "CISA AA22-264A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Reconnaissance"], "message": "An attacker tool $process_name$,listed in attacker_tools.csv is executed on host $dest$ by User $user$. This process $process_name$ is known to do- $description$", "mitre_attack_id": ["T1036.005", "T1036", "T1003", "T1595"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process", "Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.process_name", "Processes.parent_process"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036.005", "mitre_attack_technique": "Match Legitimate Name or Location", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT32", "APT39", "APT41", "Aoqin Dragon", "BRONZE BUTLER", "BackdoorDiplomacy", "Blue Mockingbird", "Carbanak", "Chimera", "Darkhotel", "Earth Lusca", "FIN7", "Ferocious Kitten", "Fox Kitten", "Gamaredon Group", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Poseidon Group", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "Sowbug", "TEMP.Veles", "TeamTNT", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1595", "mitre_attack_technique": "Active Scanning", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1595/attacker_scan_tools/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "attacker_tools_on_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "attacker_tools", "description": "A list of tools used by attackers", "filename": "attacker_tools.csv", "default_match": "false", "match_type": "WILDCARD(attacker_tool_names)", "min_matches": 1, "case_sensitive_match": "false"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/attacker_tools_on_endpoint.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Attempt To Add Certificate To Untrusted Store", "id": "6bc5243e-ef36-45dc-9b12-f4a6be131159", "version": 7, "date": "2021-09-16", "author": "Patrick Bareiss, Rico Valdez, Splunk", "type": "TTP", "status": "production", "description": "The following analytic is designed to detect potential security threats involving the misuse of system trust. It works by detecting events where a process attempts to add a certificate to the untrusted certificate store, an action often associated with disabling security tools. The analytic uses Sysmon Event ID 1 data source, particularly focusing on process activities and command-line arguments related to 'certutil -addstore'. It's essential to ingest data that records process activity and logs containing process names and command lines for its effective operation. Be aware, sometimes administrators might legitimately perform this action. The analytic's value lies in detecting isolated or unexpected instances, indicative of potential malicious activities. Cybersecurity analysts should understand the importance of trust mechanisms and their subversion in system security.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process=*-addstore*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `attempt_to_add_certificate_to_untrusted_store_filter`", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "There may be legitimate reasons for administrators to add a certificate to the untrusted certificate store. In such cases, this will typically be done on a large number of systems.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"], "tags": {"name": "Attempt To Add Certificate To Untrusted Store", "analytic_story": ["Disabling Security Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified attempting to add a certificate to the store on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1553.004", "T1553"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.parent_process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1553.004", "mitre_attack_technique": "Install Root Certificate", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1553", "mitre_attack_technique": "Subvert Trust Controls", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Axiom"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.004/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_certutil", "definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "attempt_to_add_certificate_to_untrusted_store_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Attempt To Stop Security Service", "id": "c8e349c6-b97c-486e-8949-bd7bcd1f3910", "version": 4, "date": "2023-06-13", "author": "Rico Valdez, Splunk", "type": "TTP", "status": "production", "description": "This search looks for attempts to stop security-related services on the endpoint.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name = sc.exe Processes.process=\"* stop *\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |lookup security_services_lookup service as process OUTPUTNEW category, description | search category=security | `attempt_to_stop_security_service_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "None identified. Attempts to disable security-related services should be identified and understood.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-14---disable-arbitrary-security-windows-service", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"name": "Attempt To Stop Security Service", "analytic_story": ["WhisperGate", "Graceful Wipe Out Attack", "Disabling Security Tools", "Data Destruction", "Azorult", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable security services on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_defend_service_stop/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "attempt_to_stop_security_service_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "security_services_lookup", "description": "A list of services that deal with security", "filename": "security_services.csv", "default_match": "false", "match_type": "WILDCARD(service)", "min_matches": 1}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/attempt_to_stop_security_service.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Attempted Credential Dump From Registry via Reg exe", "id": "e9fb4a59-c5fb-440a-9f24-191fbc6b2911", "version": 7, "date": "2023-04-14", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "Monitor for execution of reg.exe with parameters specifying an export of keys that contain hashed credentials that attackers may try to crack offline.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=reg* OR Processes.process_name=cmd* Processes.process=*save* (Processes.process=*HKEY_LOCAL_MACHINE\\\\Security* OR Processes.process=*HKEY_LOCAL_MACHINE\\\\SAM* OR Processes.process=*HKEY_LOCAL_MACHINE\\\\System* OR Processes.process=*HKLM\\\\Security* OR Processes.process=*HKLM\\\\System* OR Processes.process=*HKLM\\\\SAM*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `attempted_credential_dump_from_registry_via_reg_exe_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "None identified.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets"], "tags": {"name": "Attempted Credential Dump From Registry via Reg exe", "analytic_story": ["Industroyer2", "Windows Registry Abuse", "Credential Dumping", "DarkSide Ransomware", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to export the registry keys.", "mitre_attack_id": ["T1003.002", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}, {"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/crowdstrike_falcon.log", "source": "crowdstrike", "sourcetype": "crowdstrike:events:sensor"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "attempted_credential_dump_from_registry_via_reg_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Auto Admin Logon Registry Entry", "id": "1379d2b8-0f18-11ec-8ca3-acde48001122", "version": 4, "date": "2023-04-11", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "this search is to detect a suspicious registry modification to implement auto admin logon to a host. This technique was seen in BlackMatter ransomware to automatically logon to the compromise host after triggering a safemode boot to continue encrypting the whole network. This behavior is not a common practice and really a suspicious TTP or alert need to be consider if found within then network premise.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon*\" AND Registry.registry_value_name=AutoAdminLogon AND Registry.registry_value_data=1) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `auto_admin_logon_registry_entry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "references": ["https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/"], "tags": {"name": "Auto Admin Logon Registry Entry", "analytic_story": ["BlackMatter Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "modified registry key $registry_key_name$ with registry value $registry_value_name$ to prepare autoadminlogon", "mitre_attack_id": ["T1552.002", "T1552"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1552.002", "mitre_attack_technique": "Credentials in Registry", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT32"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.002/autoadminlogon/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "auto_admin_logon_registry_entry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/auto_admin_logon_registry_entry.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Batch File Write to System32", "id": "503d17cb-9eab-4cf8-a20e-01d5c6987ae3", "version": 4, "date": "2023-4-11", "author": "Steven Dick, Michael Haag, Rico Valdez, Splunk", "type": "TTP", "status": "production", "description": "The search looks for a batch file (.bat) written to the Windows system directory tree.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=* by _time span=1h Processes.process_guid Processes.process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\system32\\\\*\", \"*\\\\syswow64\\\\*\") Filesystem.file_name=\"*.bat\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)`] | table dest user file_create_time, file_name, file_path, process_name, firstTime, lastTime | dedup file_create_time | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `batch_file_write_to_system32_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "It is possible for this search to generate a notable event for a batch file write to a path that includes the string \"system32\", but is not the actual Windows system directory. As such, you should confirm the path of the batch file identified by the search. In addition, a false positive may be generated by an administrator copying a legitimate batch file in this directory tree. You should confirm that the activity is legitimate and modify the search to add exclusions, as necessary.", "references": [], "tags": {"name": "Batch File Write to System32", "analytic_story": ["SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "message": "A file - $file_name$ was written to system32 has occurred on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1204", "T1204.002"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.dest", "Filesystem.file_create_time", "Filesystem.file_name", "Filesystem.user", "Filesystem.file_path", "Processes.process_name", "Processes.dest", "Filesystem.process_guid", "Processes.process_guid", "Processes.dest", "Processes.process_name"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/batch_file_in_system32/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "batch_file_write_to_system32_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/batch_file_write_to_system32.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Bcdedit Command Back To Normal Mode Boot", "id": "dc7a8004-0f18-11ec-8c54-acde48001122", "version": 1, "date": "2021-09-06", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious bcdedit commandline to configure the host from safe mode back to normal boot configuration. This technique was seen in blackMatter ransomware where it force the compromised host to boot in safe mode to continue its encryption and bring back to normal boot using bcdedit deletevalue command. This TTP can be a good alert for host that booted from safe mode forcefully since it need to modify the boot configuration to bring it back to normal.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = bcdedit.exe Processes.process=\"*/deletevalue*\" Processes.process=\"*{current}*\" Processes.process=\"*safeboot*\" by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bcdedit_command_back_to_normal_mode_boot_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "unknown", "references": ["https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/"], "tags": {"name": "Bcdedit Command Back To Normal Mode Boot", "analytic_story": ["BlackMatter Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "message": "bcdedit process with commandline $process$ to bring back to normal boot configuration the $dest$", "mitre_attack_id": ["T1490"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.parent_process_name", "Processes.parent_process", "Processes.dest", "Processes.user"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.002/autoadminlogon/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "bcdedit_command_back_to_normal_mode_boot_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "BCDEdit Failure Recovery Modification", "id": "809b31d2-5462-11eb-ae93-0242ac130002", "version": 1, "date": "2020-12-21", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "This search looks for flags passed to bcdedit.exe modifications to the built-in Windows error recovery boot configurations. This is typically used by ransomware to prevent recovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = bcdedit.exe Processes.process=\"*recoveryenabled*\" (Processes.process=\"* no*\") by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bcdedit_failure_recovery_modification_filter`", "how_to_implement": "You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. Tune based on parent process names.", "known_false_positives": "Administrators may modify the boot configuration.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-4---windows---disable-windows-recovery-console-repair"], "tags": {"name": "BCDEdit Failure Recovery Modification", "analytic_story": ["Ryuk Ransomware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "kill_chain_phases": ["Actions on Objectives"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting disable the ability to recover the endpoint.", "mitre_attack_id": ["T1490"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.parent_process_name", "Processes.dest", "Processes.user"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "bcdedit_failure_recovery_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/bcdedit_failure_recovery_modification.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "BITS Job Persistence", "id": "e97a5ffe-90bf-11eb-928a-acde48001122", "version": 2, "date": "2021-09-16", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following query identifies Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` scheduling a BITS job to persist on an endpoint. The query identifies the parameters used to create, resume or add a file to a BITS job. Typically seen combined in a oneliner or ran in sequence. If identified, review the BITS job created and capture any files written to disk. It is possible for BITS to be used to upload files and this may require further network data analysis to identify. You can use `bitsadmin /list /verbose` to list out the jobs during investigation.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_bitsadmin` Processes.process IN (*create*, *addfile*, *setnotifyflags*, *setnotifycmdline*, *setminretrydelay*, *setcustomheaders*, *resume* ) by Processes.dest Processes.user Processes.original_file_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bits_job_persistence_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Limited false positives will be present. Typically, applications will use `BitsAdmin.exe`. Any filtering should be done based on command-line arguments (legitimate applications) or parent process.", "references": ["https://attack.mitre.org/techniques/T1197/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md#atomic-test-3---persist-download--execute", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/"], "tags": {"name": "BITS Job Persistence", "analytic_story": ["BITS Jobs", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to persist using BITS.", "mitre_attack_id": ["T1197"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1197", "mitre_attack_technique": "BITS Jobs", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT39", "APT41", "Leviathan", "Patchwork"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}, {"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/crowdstrike_falcon.log", "source": "crowdstrike", "sourcetype": "crowdstrike:events:sensor"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_bitsadmin", "definition": "(Processes.process_name=bitsadmin.exe OR Processes.original_file_name=bitsadmin.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "bits_job_persistence_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/bits_job_persistence.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "BITSAdmin Download File", "id": "80630ff4-8e4c-11eb-aab5-acde48001122", "version": 3, "date": "2022-11-29", "author": "Michael Haag, Sittikorn S", "type": "TTP", "status": "production", "description": "The following query identifies Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` using the `transfer` parameter to download a remote object. In addition, look for `download` or `upload` on the command-line, the switches are not required to perform a transfer. Capture any files downloaded. Review the reputation of the IP or domain used. Typically once executed, a follow on command will be used to execute the dropped file. Note that the network connection or file modification events related will not spawn or create from `bitsadmin.exe`, but the artifacts will appear in a parallel process of `svchost.exe` with a command-line similar to `svchost.exe -k netsvcs -s BITS`. It's important to review all parallel and child processes to capture any behaviors and artifacts. In some suspicious and malicious instances, BITS jobs will be created. You can use `bitsadmin /list /verbose` to list out the jobs during investigation.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_bitsadmin` Processes.process IN (\"*transfer*\", \"*addfile*\") by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bitsadmin_download_file_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Limited false positives, however it may be required to filter based on parent process name or network connection.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/8eb52117b748d378325f7719554a896e37bccec7/atomics/T1105/T1105.md#atomic-test-9---windows---bitsadmin-bits-download", "https://github.com/redcanaryco/atomic-red-team/blob/bc705cb7aaa5f26f2d96585fac8e4c7052df0ff9/atomics/T1197/T1197.md", "https://docs.microsoft.com/en-us/windows/win32/bits/bitsadmin-tool", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/"], "tags": {"name": "BITSAdmin Download File", "analytic_story": ["Ingress Tool Transfer", "BITS Jobs", "DarkSide Ransomware", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation", "Command And Control"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a file.", "mitre_attack_id": ["T1197", "T1105"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1197", "mitre_attack_technique": "BITS Jobs", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT39", "APT41", "Leviathan", "Patchwork"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}, {"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/crowdstrike_falcon.log", "source": "crowdstrike", "sourcetype": "crowdstrike:events:sensor"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_bitsadmin", "definition": "(Processes.process_name=bitsadmin.exe OR Processes.original_file_name=bitsadmin.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "bitsadmin_download_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/bitsadmin_download_file.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "CertUtil Download With URLCache and Split Arguments", "id": "415b4306-8bfb-11eb-85c4-acde48001122", "version": 3, "date": "2022-02-03", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "Certutil.exe may download a file from a remote destination using `-urlcache`. This behavior does require a URL to be passed on the command-line. In addition, `-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for `certutil.exe` to contact public IP space. However, it is uncommon for `certutil.exe` to write files to world writeable paths.\\ During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process=*urlcache* Processes.process=*split*) OR Processes.process=*urlcache* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.original_file_name Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_download_with_urlcache_and_split_arguments_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Limited false positives in most environments, however tune as needed based on parent-child relationship or network connection.", "references": ["https://attack.mitre.org/techniques/T1105/", "https://www.avira.com/en/blog/certutil-abused-by-attackers-to-spread-threats", "https://web.archive.org/web/20210921110637/https://www.fireeye.com/blog/threat-research/2019/10/certutil-qualms-they-came-to-drop-fombs.html"], "tags": {"name": "CertUtil Download With URLCache and Split Arguments", "analytic_story": ["Ingress Tool Transfer", "DarkSide Ransomware", "Living Off The Land", "ProxyNotShell", "CISA AA22-277A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Command And Control"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a file.", "mitre_attack_id": ["T1105"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_certutil", "definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "certutil_download_with_urlcache_and_split_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "CertUtil Download With VerifyCtl and Split Arguments", "id": "801ad9e4-8bfb-11eb-8b31-acde48001122", "version": 3, "date": "2022-02-03", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "Certutil.exe may download a file from a remote destination using `-VerifyCtl`. This behavior does require a URL to be passed on the command-line. In addition, `-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for `certutil.exe` to contact public IP space. \\ During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question. Using `-VerifyCtl`, the file will either be written to the current working directory or `%APPDATA%\\..\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\`. ", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process=*verifyctl* Processes.process=*split*) OR Processes.process=*verifyctl* by Processes.dest Processes.user Processes.original_file_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_download_with_verifyctl_and_split_arguments_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Limited false positives in most environments, however tune as needed based on parent-child relationship or network connection.", "references": ["https://attack.mitre.org/techniques/T1105/", "https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)#-verifyctl", "https://www.avira.com/en/blog/certutil-abused-by-attackers-to-spread-threats"], "tags": {"name": "CertUtil Download With VerifyCtl and Split Arguments", "analytic_story": ["Ingress Tool Transfer", "DarkSide Ransomware", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Command And Control"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a file.", "mitre_attack_id": ["T1105"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_certutil", "definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "certutil_download_with_verifyctl_and_split_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Certutil exe certificate extraction", "id": "337a46be-600f-11eb-ae93-0242ac130002", "version": 2, "date": "2022-07-15", "author": "Rod Soto, Splunk", "type": "TTP", "status": "production", "description": "This search looks for arguments to certutil.exe indicating the manipulation or extraction of Certificate. This certificate can then be used to sign new authentication tokens specially inside Federated environments such as Windows ADFS.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=certutil.exe Processes.process = \"*-exportPFX*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_exe_certificate_extraction_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Unless there are specific use cases, manipulating or exporting certificates using certutil is uncommon. Extraction of certificate has been observed during attacks such as Golden SAML and other campaigns targeting Federated services.", "references": ["https://blog.sygnia.co/detection-and-hunting-of-golden-saml-attack", "https://strontic.github.io/xcyclopedia/library/certutil.exe-09A8A29BAA3A451713FD3D07943B4A43.html"], "tags": {"name": "Certutil exe certificate extraction", "analytic_story": ["Windows Persistence Techniques", "Cloud Federated Credential Abuse", "Living Off The Land", "Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": [], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting export a certificate.", "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": []}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/certutil_exe_certificate_extraction/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "certutil_exe_certificate_extraction_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/certutil_exe_certificate_extraction.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "CertUtil With Decode Argument", "id": "bfe94226-8c10-11eb-a4b3-acde48001122", "version": 2, "date": "2021-03-23", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "CertUtil.exe may be used to `encode` and `decode` a file, including PE and script code. Encoding will convert a file to base64 with `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` tags. Malicious usage will include decoding a encoded file that was downloaded. Once decoded, it will be loaded by a parallel process. Note that there are two additional command switches that may be used - `encodehex` and `decodehex`. Similarly, the file will be encoded in HEX and later decoded for further execution. During triage, identify the source of the file being decoded. Review its contents or execution behavior for further analysis.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` Processes.process=*decode* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_with_decode_argument_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Typically seen used to `encode` files, but it is possible to see legitimate use of `decode`. Filter based on parent-child relationship, file paths, endpoint or user.", "references": ["https://attack.mitre.org/techniques/T1140/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://www.bleepingcomputer.com/news/security/certutilexe-could-allow-attackers-to-download-malware-while-bypassing-av/"], "tags": {"name": "CertUtil With Decode Argument", "analytic_story": ["Deobfuscate-Decode Files or Information", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to decode a file.", "mitre_attack_id": ["T1140"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1140", "mitre_attack_technique": "Deobfuscate/Decode Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT39", "BRONZE BUTLER", "Darkhotel", "Earth Lusca", "Gamaredon Group", "Gorgon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Molerats", "MuddyWater", "OilRig", "Rocke", "Sandworm Team", "TA505", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "WIRTE", "ZIRCONIUM", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1140/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_certutil", "definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "certutil_with_decode_argument_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/certutil_with_decode_argument.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Change Default File Association", "id": "462d17d8-1f71-11ec-ad07-acde48001122", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is developed to detect suspicious registry modification to change the default file association of windows to malicious payload. This technique was seen in some APT where it modify the default process to run file association, like .txt to notepad.exe. Instead notepad.exe it will point to a Script or other payload that will load malicious commands to the compromised host.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path =\"*\\\\shell\\\\open\\\\command\\\\*\" Registry.registry_path = \"*HKCR\\\\*\" by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `change_default_file_association_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "unknown", "references": ["https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/privilege-escalation/untitled-3/accessibility-features"], "tags": {"name": "Change Default File Association", "analytic_story": ["Hermetic Wiper", "Windows Registry Abuse", "Prestige Ransomware", "Windows Privilege Escalation", "Windows Persistence Techniques", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "modified/added/deleted registry entry $Registry.registry_path$ in $dest$", "mitre_attack_id": ["T1546.001", "T1546"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.user", "Registry.registry_path", "Registry.registry_key_name", "Registry.registry_value_name"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.001/txtfile_reg/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "change_default_file_association_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/change_default_file_association.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Change To Safe Mode With Network Config", "id": "81f1dce0-0f18-11ec-a5d7-acde48001122", "version": 1, "date": "2021-09-06", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious bcdedit commandline to configure the host to boot in safe mode with network config. This technique was seen in blackMatter ransomware where it force the compromised host to boot in safe mode to continue its encryption and bring back to normal boot using bcdedit deletevalue command. This TTP can be a good alert for host that booted from safe mode forcefully since it need to modify the boot configuration to bring it back to normal.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = bcdedit.exe Processes.process=\"*/set*\" Processes.process=\"*{current}*\" Processes.process=\"*safeboot*\" Processes.process=\"*network*\" by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `change_to_safe_mode_with_network_config_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "unknown", "references": ["https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/"], "tags": {"name": "Change To Safe Mode With Network Config", "analytic_story": ["BlackMatter Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "message": "bcdedit process with commandline $process$ to force safemode boot the $dest$", "mitre_attack_id": ["T1490"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.parent_process_name", "Processes.parent_process", "Processes.dest", "Processes.user"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.002/autoadminlogon/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "change_to_safe_mode_with_network_config_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/change_to_safe_mode_with_network_config.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "CHCP Command Execution", "id": "21d236ec-eec1-11eb-b23e-acde48001122", "version": 1, "date": "2021-07-27", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect execution of chcp.exe application. this utility is used to change the active code page of the console. This technique was seen in icedid malware to know the locale region/language/country of the compromise host.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=chcp.com Processes.parent_process_name = cmd.exe (Processes.parent_process=*/c* OR Processes.parent_process=*/k*) by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `chcp_command_execution_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed chcp.com may be used.", "known_false_positives": "other tools or script may used this to change code page to UTF-* or others", "references": ["https://ss64.com/nt/chcp.html", "https://twitter.com/tccontre18/status/1419941156633329665?s=20"], "tags": {"name": "CHCP Command Execution", "analytic_story": ["IcedID", "Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Installation"], "message": "parent process $parent_process_name$ spawning chcp process $process_name$ with parent command line $parent_process$", "mitre_attack_id": ["T1059"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "process_name", "process", "parent_process_name", "parent_process", "process_id", "parent_process_id", "dest", "user"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "chcp_command_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/chcp_command_execution.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Check Elevated CMD using whoami", "id": "a9079b18-1633-11ec-859c-acde48001122", "version": 1, "date": "2021-09-15", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious whoami execution to check if the cmd or shell instance process is with elevated privileges. This technique was seen in FIN7 js implant where it execute this as part of its data collection to the infected machine to check if the running shell cmd process is elevated or not. This TTP is really a good alert for known attacker that recon on the targetted host. This command is not so commonly executed by a normal user or even an admin to check if a process is elevated.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*whoami*\" Processes.process = \"*/group*\" Processes.process = \"* find *\" Processes.process = \"*12288*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `check_elevated_cmd_using_whoami_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "unknown", "references": [], "tags": {"name": "Check Elevated CMD using whoami", "analytic_story": ["FIN7"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Process name $process_name$ with commandline $process$ in $dest$", "mitre_attack_id": ["T1033"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process_id", "Processes.process", "Processes.dest", "Processes.user"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Windshift", "Wizard Spider", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_js_2/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "check_elevated_cmd_using_whoami_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/check_elevated_cmd_using_whoami.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Child Processes of Spoolsv exe", "id": "aa0c4aeb-5b18-41c4-8c07-f1442d7599df", "version": 3, "date": "2023-04-14", "author": "Rico Valdez, Splunk", "type": "TTP", "status": "experimental", "description": "This search looks for child processes of spoolsv.exe. This activity is associated with a POC privilege-escalation exploit associated with CVE-2018-8440. Spoolsv.exe is the process associated with the Print Spooler service in Windows and typically runs as SYSTEM.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=spoolsv.exe AND Processes.process_name!=regsvr32.exe by Processes.dest Processes.parent_process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `child_processes_of_spoolsv_exe_filter` ", "how_to_implement": "You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the \"process\" field in the Endpoint data model. Update the `children_of_spoolsv_filter` macro to filter out legitimate child processes spawned by spoolsv.exe.", "known_false_positives": "Some legitimate printer-related processes may show up as children of spoolsv.exe. You should confirm that any activity as legitimate and may be added as exclusions in the search.", "references": [], "tags": {"name": "Child Processes of Spoolsv exe", "analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1068"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.parent_process_name", "Processes.process_name", "Processes.dest", "Processes.parent_process", "Processes.user"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2018-8440"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "child_processes_of_spoolsv_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2018-8440", "cvss": 7.2, "summary": "An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC), aka \"Windows ALPC Elevation of Privilege Vulnerability.\" This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/child_processes_of_spoolsv_exe.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Clear Unallocated Sector Using Cipher App", "id": "cd80a6ac-c9d9-11eb-8839-acde48001122", "version": 1, "date": "2021-06-10", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "this search is to detect execution of `cipher.exe` to clear the unallocated sectors of a specific disk. This technique was seen in some ransomware to make it impossible to forensically recover deleted files.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"cipher.exe\" Processes.process = \"*/w:*\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `clear_unallocated_sector_using_cipher_app_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "administrator may execute this app to manage disk", "references": ["https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3/", "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-ransomware-behavior-report.pdf"], "tags": {"name": "Clear Unallocated Sector Using Cipher App", "analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to clear the unallocated sectors of a specific disk.", "mitre_attack_id": ["T1070.004", "T1070"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data1/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "clear_unallocated_sector_using_cipher_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/clear_unallocated_sector_using_cipher_app.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Clop Common Exec Parameter", "id": "5a8a2a72-8322-11eb-9ee9-acde48001122", "version": 1, "date": "2021-03-17", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytics are designed to identifies some CLOP ransomware variant that using arguments to execute its main code or feature of its code. In this variant if the parameter is \"runrun\", CLOP ransomware will try to encrypt files in network shares and if it is \"temp.dat\", it will try to read from some stream pipe or file start encrypting files within the infected local machines. This technique can be also identified as an anti-sandbox technique to make its code non-responsive since it is waiting for some parameter to execute properly.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as cmdline values(Processes.parent_process_name) as parent_process values(Processes.process_name) count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name != \"*temp.dat*\" Processes.process = \"*runrun*\" OR Processes.process = \"*temp.dat*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `clop_common_exec_parameter_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Operators can execute third party tools using these parameters.", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html"], "tags": {"name": "Clop Common Exec Parameter", "analytic_story": ["Clop Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Installation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting using arguments to execute its main code or feature of its code related to Clop ransomware.", "mitre_attack_id": ["T1204"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_b/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "clop_common_exec_parameter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/clop_common_exec_parameter.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Clop Ransomware Known Service Name", "id": "07e08a12-870c-11eb-b5f9-acde48001122", "version": 1, "date": "2021-03-17", "author": "Teoderick Contreras", "type": "TTP", "status": "production", "description": "This detection is to identify the common service name created by the CLOP ransomware as part of its persistence and high privilege code execution in the infected machine. Ussually CLOP ransomware use StartServiceCtrlDispatcherW API in creating this service entry.", "data_source": ["Sysmon Event ID 7"], "search": "`wineventlog_system` EventCode=7045 Service_Name IN (\"SecurityCenterIBM\", \"WinCheckDRVs\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Service_File_Name Service_Name Service_Start_Type Service_Type | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `clop_ransomware_known_service_name_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.", "known_false_positives": "unknown", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html"], "tags": {"name": "Clop Ransomware Known Service Name", "analytic_story": ["Clop Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Installation", "Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ executing known Clop Ransomware service names.", "mitre_attack_id": ["T1543"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["EventCode", "cmdline", "_time", "parent_process_name", "process_name", "OriginalFileName", "process_path"], "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "clop_ransomware_known_service_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/clop_ransomware_known_service_name.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "CMD Carry Out String Command Parameter", "id": "54a6ed00-3256-11ec-b031-acde48001122", "version": 3, "date": "2023-04-05", "author": "Teoderick Contreras, Bhavin Patel, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` AND Processes.process=\"* /c *\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmd_carry_out_string_command_parameter_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be high based on legitimate scripted code in any environment. Filter as needed.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"name": "CMD Carry Out String Command Parameter", "analytic_story": ["ProxyNotShell", "Qakbot", "Winter Vivern", "DarkCrystal RAT", "AsyncRAT", "Log4Shell CVE-2021-44228", "Hermetic Wiper", "Chaos Ransomware", "IcedID", "WhisperGate", "Data Destruction", "Living Off The Land", "Azorult", "Data Destruction"], "asset_type": "Endpoint", "automated_detection_testing": "passed", "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Installation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting spawn a new process.", "mitre_attack_id": ["T1059.003", "T1059"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process_id", "Processes.process", "Processes.dest", "Processes.user", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2021-44228"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/cmd_carry_str_param/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "cmd_carry_out_string_command_parameter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-44228", "cvss": 9.3, "summary": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/cmd_carry_out_string_command_parameter.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "CMD Echo Pipe - Escalation", "id": "eb277ba0-b96b-11eb-b00e-acde48001122", "version": 2, "date": "2023-06-13", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies a common behavior by Cobalt Strike and other frameworks where the adversary will escalate privileges, either via `jump` (Cobalt Strike PTH) or `getsystem`, using named-pipe impersonation. A suspicious event will look like `cmd.exe /c echo 4sgryt3436 > \\\\.\\Pipe\\5erg53`.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` OR Processes.process=*%comspec%* (Processes.process=*echo* AND Processes.process=*pipe*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmd_echo_pipe___escalation_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Unknown. It is possible filtering may be required to ensure fidelity.", "references": ["https://redcanary.com/threat-detection-report/threats/cobalt-strike/", "https://github.com/rapid7/meterpreter/blob/master/source/extensions/priv/server/elevate/namedpipe.c"], "tags": {"name": "CMD Echo Pipe - Escalation", "analytic_story": ["Cobalt Strike", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ potentially performing privilege escalation using named pipes related to Cobalt Strike and other frameworks.", "mitre_attack_id": ["T1059", "T1059.003", "T1543.003", "T1543"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "cmd_echo_pipe___escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/cmd_echo_pipe___escalation.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Cmdline Tool Not Executed In CMD Shell", "id": "6c3f7dd8-153c-11ec-ac2d-acde48001122", "version": 2, "date": "2022-10-27", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = \"ipconfig.exe\" OR Processes.process_name = \"systeminfo.exe\" OR Processes.process_name = \"net.exe\" OR Processes.process_name = \"net1.exe\" OR Processes.process_name = \"arp.exe\" OR Processes.process_name = \"nslookup.exe\" OR Processes.process_name = \"route.exe\" OR Processes.process_name = \"netstat.exe\" OR Processes.process_name = \"whoami.exe\") AND NOT (Processes.parent_process_name = \"cmd.exe\" OR Processes.parent_process_name = \"powershell*\" OR Processes.parent_process_name=\"pwsh.exe\" OR Processes.parent_process_name = \"explorer.exe\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmdline_tool_not_executed_in_cmd_shell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "A network operator or systems administrator may utilize an automated host discovery application that may generate false positives. Filter as needed.", "references": ["https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation", "https://attack.mitre.org/groups/G0046/", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"name": "Cmdline Tool Not Executed In CMD Shell", "analytic_story": ["FIN7", "Qakbot", "CISA AA22-277A", "Qakbot", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation"], "message": "A non-standard parent process $parent_process_name$ spawned child process $process_name$ to execute command-line tool on $dest$.", "mitre_attack_id": ["T1059", "T1059.007"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/jssloader/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "cmdline_tool_not_executed_in_cmd_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "CMLUA Or CMSTPLUA UAC Bypass", "id": "f87b5062-b405-11eb-a889-acde48001122", "version": 1, "date": "2021-05-13", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic detects a potential process using COM Object like CMLUA or CMSTPLUA to bypass UAC. This technique has been used by ransomware adversaries to gain administrative privileges to its running process.", "data_source": ["Sysmon Event ID 7"], "search": "`sysmon` EventCode=7 ImageLoaded IN (\"*\\\\CMLUA.dll\", \"*\\\\CMSTPLUA.dll\", \"*\\\\CMLUAUTIL.dll\") NOT(process_name IN(\"CMSTP.exe\", \"CMMGR32.exe\")) NOT(Image IN(\"*\\\\windows\\\\*\", \"*\\\\program files*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name Computer EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmlua_or_cmstplua_uac_bypass_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Legitimate windows application that are not on the list loading this dll. Filter as needed.", "references": ["https://attack.mitre.org/techniques/T1218/003/"], "tags": {"name": "CMLUA Or CMSTPLUA UAC Bypass", "analytic_story": ["DarkSide Ransomware", "Ransomware", "LockBit Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "The following module $ImageLoaded$ was loaded by a non-standard application on endpoint $Computer$ by user $user$.", "mitre_attack_id": ["T1218", "T1218.003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "ImageLoaded", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "ImageLoaded", "process_name", "Computer", "EventCode", "Signed", "ProcessId"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.003", "mitre_attack_technique": "CMSTP", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "MuddyWater"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/darkside_cmstp_com/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "cmlua_or_cmstplua_uac_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Cobalt Strike Named Pipes", "id": "5876d429-0240-4709-8b93-ea8330b411b5", "version": 2, "date": "2023-06-13", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of default or publicly known named pipes used with Cobalt Strike. A named pipe is a named, one-way or duplex pipe for communication between the pipe server and one or more pipe clients. Cobalt Strike uses named pipes in many ways and has default values used with the Artifact Kit and Malleable C2 Profiles. The following query assists with identifying these default named pipes. Each EDR product presents named pipes a little different. Consider taking the values and generating a query based on the product of choice. \\\nUpon triage, review the process performing the named pipe. If it is explorer.exe, It is possible it was injected into by another process. Review recent parallel processes to identify suspicious patterns or behaviors. A parallel process may have a network connection, review and follow the connection back to identify any file modifications.", "data_source": ["Sysmon Event ID 1"], "search": "`sysmon` EventID=17 OR EventID=18 PipeName IN (\\\\msagent_*, \\\\DserNamePipe*, \\\\srvsvc_*, \\\\postex_*, \\\\status_*, \\\\MSSE-*, \\\\spoolss_*, \\\\win_svc*, \\\\ntsvcs*, \\\\winsock*, \\\\UIA_PIPE*) | stats count min(_time) as firstTime max(_time) as lastTime by Computer, process_name, process_id process_path, PipeName | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cobalt_strike_named_pipes_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "The idea of using named pipes with Cobalt Strike is to blend in. Therefore, some of the named pipes identified and added may cause false positives. Filter by process name or pipe name to reduce false positives.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipes", "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/index.htm#cshid=1040", "https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/", "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752", "https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations"], "tags": {"name": "Cobalt Strike Named Pipes", "analytic_story": ["LockBit Ransomware", "Graceful Wipe Out Attack", "Cobalt Strike", "DarkSide Ransomware", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $process_name$ was identified on endpoint $Computer$ by user $user$ accessing known suspicious named pipes related to Cobalt Strike.", "mitre_attack_id": ["T1055"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Parent Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventID", "PipeName", "Computer", "process_name", "process_path", "process_id"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "cobalt_strike_named_pipes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/cobalt_strike_named_pipes.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Common Ransomware Extensions", "id": "a9e5c5db-db11-43ca-86a8-c852d1b2c0ec", "version": 5, "date": "2022-11-10", "author": "David Dorsey, Michael Haag, Splunk, Steven Dick", "type": "Hunting", "status": "production", "description": "The search looks for file modifications with extensions commonly used by Ransomware", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime count latest(Filesystem.user) as user values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.dest _time span=1h | `drop_dm_object_name(Filesystem)` | rex field=file_name \"(?\\.[^\\.]+)$\" | rex field=file_path \"(?([^\\\\\\]*\\\\\\)*).*\" | stats min(firstTime) as firstTime max(lastTime) as lastTime latest(user) as user dc(true_file_path) as path_count dc(file_name) as file_count latest(file_name) as file_name latest(true_file_path) as file_path by dest file_extension | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `ransomware_extensions` | where path_count > 1 OR file_count > 20 | `common_ransomware_extensions_filter`", "how_to_implement": "You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint Filesystem data model node. To see the additional metadata, add the following fields, if not already present, please review the detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "It is possible for a legitimate file with these extensions to be created. If this is a true ransomware attack, there will be a large number of files created with these extensions.", "references": ["https://github.com/splunk/security_content/issues/2448"], "tags": {"name": "Common Ransomware Extensions", "analytic_story": ["SamSam Ransomware", "Ryuk Ransomware", "Ransomware", "Clop Ransomware", "Prestige Ransomware", "LockBit Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "message": "The device $dest$ wrote $file_count$ files to $path_count$ path(s) with the $file_extension$ extension. This extension and behavior may indicate a $Name$ ransomware attack.", "mitre_attack_id": ["T1485"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Victim"]}, {"name": "file_count", "type": "Other", "role": ["Other"]}, {"name": "path_count", "type": "Other", "role": ["Other"]}, {"name": "file_extension", "type": "Other", "role": ["Other"]}, {"name": "Name", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.user", "Filesystem.dest", "Filesystem.file_path", "Filesystem.file_name"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/ransomware_notes/ransom-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "ransomware_extensions", "definition": "lookup update=true ransomware_extensions_lookup Extensions AS file_extension OUTPUT Name | search Name !=False", "description": "This macro limits the output to files that have extensions associated with ransomware"}, {"name": "common_ransomware_extensions_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/common_ransomware_extensions.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Common Ransomware Notes", "id": "ada0f478-84a8-4641-a3f1-d82362d6bd71", "version": 4, "date": "2020-11-09", "author": "David Dorsey, Splunk", "type": "Hunting", "status": "production", "description": "The search looks for files created with names matching those typically used in ransomware notes that tell the victim how to get their data back.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `ransomware_notes` | `common_ransomware_notes_filter`", "how_to_implement": "You must be ingesting data that records file-system activity from your hosts to populate the Endpoint Filesystem data-model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes.", "known_false_positives": "It's possible that a legitimate file could be created with the same name used by ransomware note files.", "references": [], "tags": {"name": "Common Ransomware Notes", "analytic_story": ["SamSam Ransomware", "Ransomware", "Ryuk Ransomware", "Clop Ransomware", "Chaos Ransomware", "LockBit Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "message": "A file - $file_name$ was written to disk on endpoint $dest$ by user $user$, this is indicative of a known ransomware note file and should be reviewed immediately.", "mitre_attack_id": ["T1485"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.user", "Filesystem.dest", "Filesystem.file_path", "Filesystem.file_name"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/ransomware_notes/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "ransomware_notes", "definition": "lookup ransomware_notes_lookup ransomware_notes as file_name OUTPUT status as \"Known Ransomware Notes\" | search \"Known Ransomware Notes\"=True", "description": "This macro limits the output to files that have been identified as a ransomware note"}, {"name": "common_ransomware_notes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/common_ransomware_notes.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Conti Common Exec parameter", "id": "624919bc-c382-11eb-adcc-acde48001122", "version": 1, "date": "2021-06-02", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search detects the suspicious commandline argument of revil ransomware to encrypt specific or all local drive and network shares of the compromised machine or host.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*-m local*\" OR Processes.process = \"*-m net*\" OR Processes.process = \"*-m all*\" OR Processes.process = \"*-nomutex*\" by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `conti_common_exec_parameter_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "3rd party tool may have commandline parameter that can trigger this detection.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.conti"], "tags": {"name": "Conti Common Exec parameter", "analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ executing specific Conti Ransomware related parameters.", "mitre_attack_id": ["T1204"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/conti/inf1/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "conti_common_exec_parameter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/conti_common_exec_parameter.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Control Loading from World Writable Directory", "id": "10423ac4-10c9-11ec-8dc4-acde48001122", "version": 1, "date": "2021-09-08", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following detection identifies control.exe loading either a .cpl or .inf from a writable directory. This is related to CVE-2021-40444. During triage, review parallel processes, parent and child, for further suspicious behaviors. In addition, capture file modifications and analyze.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=control.exe OR Processes.original_file_name=CONTROL.EXE) AND Processes.process IN (\"*\\\\appdata\\\\*\", \"*\\\\windows\\\\temp\\\\*\", \"*\\\\programdata\\\\*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `control_loading_from_world_writable_directory_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Limited false positives will be present as control.exe does not natively load from writable paths as defined. One may add .cpl or .inf to the command-line if there is any false positives. Tune as needed.", "references": ["https://strontic.github.io/xcyclopedia/library/rundll32.exe-111474C61232202B5B588D2B512CBB25.html", "https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/", "https://attack.mitre.org/techniques/T1218/011/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.yaml"], "tags": {"name": "Control Loading from World Writable Directory", "analytic_story": ["Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a suspicious file from disk.", "mitre_attack_id": ["T1218", "T1218.002"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "cve": ["CVE-2021-40444"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.002", "mitre_attack_technique": "Control Panel", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Ember Bear"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.002/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "control_loading_from_world_writable_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-40444", "cvss": 6.8, "summary": "Microsoft MSHTML Remote Code Execution Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/control_loading_from_world_writable_directory.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Create local admin accounts using net exe", "id": "b89919ed-fe5f-492c-b139-151bb162040e", "version": 6, "date": "2021-09-08", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "This search looks for the creation of local administrator accounts using net.exe .", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process values(parent_process_name) as parent_process_name min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=net.exe OR Processes.process_name=net1.exe) AND Processes.process=*/add* AND (Processes.process=*administrators* OR Processes.process=*administratoren* OR Processes.process=*administrateurs* OR Processes.process=*administrador* OR Processes.process=*amministratori* OR Processes.process=*administratorer*) by Processes.process Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `create_local_admin_accounts_using_net_exe_filter`", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "Administrators often leverage net.exe to create admin accounts.", "references": [], "tags": {"name": "Create local admin accounts using net exe", "analytic_story": ["DHS Report TA18-074A", "Azorult", "CISA AA22-257A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": ["Installation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to add a user to the local Administrators group.", "mitre_attack_id": ["T1136.001", "T1136"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "Dragonfly", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "create_local_admin_accounts_using_net_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/create_local_admin_accounts_using_net_exe.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Create or delete windows shares using net exe", "id": "743a322c-9a68-4a0f-9c17-85d9cce2a27c", "version": 6, "date": "2020-09-16", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "This search looks for the creation or deletion of hidden shares using net.exe.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` by Processes.process Processes.process_name Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process=*share* | `create_or_delete_windows_shares_using_net_exe_filter` ", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators often leverage net.exe to create or delete network shares. You should verify that the activity was intentional and is legitimate.", "references": ["https://attack.mitre.org/techniques/T1070/005/"], "tags": {"name": "Create or delete windows shares using net exe", "analytic_story": ["Hidden Cobra Malware", "CISA AA22-277A", "Windows Post-Exploitation", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ enumerating Windows file shares.", "mitre_attack_id": ["T1070", "T1070.005"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.005", "mitre_attack_technique": "Network Share Connection Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Threat Group-3390"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.005/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "create_or_delete_windows_shares_using_net_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Create Remote Thread In Shell Application", "id": "10399c1e-f51e-11eb-b920-acde48001122", "version": 1, "date": "2021-08-04", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect suspicious process injection in command shell. This technique was seen in IcedID where it execute cmd.exe process to inject its shellcode as part of its execution as banking trojan. It is really uncommon to have a create remote thread execution in the following application.", "data_source": ["Sysmon Event ID 8"], "search": "`sysmon` EventCode=8 TargetImage IN (\"*\\\\cmd.exe\", \"*\\\\powershell*\") | stats count min(_time) as firstTime max(_time) as lastTime by TargetImage TargetProcessId SourceProcessId EventCode StartAddress SourceImage Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `create_remote_thread_in_shell_application_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "references": ["https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/"], "tags": {"name": "Create Remote Thread In Shell Application", "analytic_story": ["IcedID", "Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "process $SourceImage$ create a remote thread to shell app process $TargetImage$ in host $Computer$", "mitre_attack_id": ["T1055"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "SourceImage", "TargetImage", "TargetProcessId", "SourceProcessId", "StartAddress", "EventCode", "Computer"], "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "create_remote_thread_in_shell_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/create_remote_thread_in_shell_application.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Create Remote Thread into LSASS", "id": "67d4dbef-9564-4699-8da8-03a151529edc", "version": 1, "date": "2019-12-06", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "The following analytic developed to detect potential credential dumping attacks where a remote thread is created in the Local Security Authority Subsystem Service (LSASS). Credential dumping, a common tactic used by adversaries to steal user authentication credentials, is a significant threat to network security. The analytic leverages Sysmon Event ID 8 logs and looks for processes creating remote threads in lsass.exe, an unusual activity generally linked to credential theft. The confidence level in this alert is high, but it's worth noting that there might be cases where legitimate tools can access LSASS, generating similar logs. As an analyst, it is critical to understand the broader context of such events and differentiate between legitimate activities and possible threats.", "data_source": ["Sysmon Event ID 8"], "search": "`sysmon` EventID=8 TargetImage=*lsass.exe | stats count min(_time) as firstTime max(_time) as lastTime by Computer, EventCode, TargetImage, TargetProcessId | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `create_remote_thread_into_lsass_filter`", "how_to_implement": "This search needs Sysmon Logs with a Sysmon configuration, which includes EventCode 8 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "Other tools can access LSASS for legitimate reasons and generate an event. In these cases, tweaking the search may help eliminate noise.", "references": ["https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf"], "tags": {"name": "Create Remote Thread into LSASS", "analytic_story": ["Credential Dumping"], "asset_type": "Windows", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "A process has created a remote thread into $TargetImage$ on $dest$. This behavior is indicative of credential dumping and should be investigated.", "mitre_attack_id": ["T1003.001", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "TargetImage", "type": "Other", "role": ["Other"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventID", "TargetImage", "Computer", "EventCode", "TargetImage", "TargetProcessId", "dest"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "create_remote_thread_into_lsass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/create_remote_thread_into_lsass.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Creation of lsass Dump with Taskmgr", "id": "b2fbe95a-9c62-4c12-8a29-24b97e84c0cd", "version": 1, "date": "2020-02-03", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "Detect the hands on keyboard behavior of Windows Task Manager creating a process dump of lsass.exe. Upon this behavior occurring, a file write/modification will occur in the users profile under \\AppData\\Local\\Temp. The dump file, lsass.dmp, cannot be renamed, however if the dump occurs more than once, it will be named lsass (2).dmp.", "data_source": ["Sysmon Event ID 1"], "search": "`sysmon` EventID=11 process_name=taskmgr.exe TargetFilename=*lsass*.dmp | stats count min(_time) as firstTime max(_time) as lastTime by Computer, object_category, process_name, TargetFilename | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `creation_of_lsass_dump_with_taskmgr_filter`", "how_to_implement": "This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 11 for detecting file create of lsass.dmp. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "Administrators can create memory dumps for debugging purposes, but memory dumps of the LSASS process would be unusual.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md#atomic-test-5---dump-lsassexe-memory-using-windows-task-manager", "https://attack.mitre.org/techniques/T1003/001/", "https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf"], "tags": {"name": "Creation of lsass Dump with Taskmgr", "analytic_story": ["Credential Dumping", "CISA AA22-257A"], "asset_type": "Windows", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "$process_name$ was identified on endpoint $Computer$ writing $TargetFilename$ to disk. This behavior is related to dumping credentials via Task Manager.", "mitre_attack_id": ["T1003.001", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "TargetFilename", "type": "File Name", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventID", "process_name", "TargetFilename", "Computer", "object_category"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "creation_of_lsass_dump_with_taskmgr_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Creation of Shadow Copy", "id": "eb120f5f-b879-4a63-97c1-93352b5df844", "version": 1, "date": "2019-12-10", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "Monitor for signs that Vssadmin or Wmic has been used to create a shadow copy.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=vssadmin.exe Processes.process=*create* Processes.process=*shadow*) OR (Processes.process_name=wmic.exe Processes.process=*shadowcopy* Processes.process=*create*) by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `creation_of_shadow_copy_filter`", "how_to_implement": "You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints, to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "Legitimate administrator usage of Vssadmin or Wmic will create false positives.", "references": ["https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"], "tags": {"name": "Creation of Shadow Copy", "analytic_story": ["Credential Dumping", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to create a shadow copy to perform offline password cracking.", "mitre_attack_id": ["T1003.003", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}, {"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/crowdstrike_falcon.log", "source": "crowdstrike", "sourcetype": "crowdstrike:events:sensor"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "creation_of_shadow_copy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/creation_of_shadow_copy.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Creation of Shadow Copy with wmic and powershell", "id": "2ed8b538-d284-449a-be1d-82ad1dbd186b", "version": 3, "date": "2021-09-16", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "This search detects the use of wmic and Powershell to create a shadow copy.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` OR `process_powershell` Processes.process=*shadowcopy* Processes.process=*create* by Processes.user Processes.process_name Processes.original_file_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `creation_of_shadow_copy_with_wmic_and_powershell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Legtimate administrator usage of wmic to create a shadow copy.", "references": ["https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"], "tags": {"name": "Creation of Shadow Copy with wmic and powershell", "analytic_story": ["Credential Dumping", "Living Off The Land", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to create a shadow copy to perform offline password cracking.", "mitre_attack_id": ["T1003.003", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "creation_of_shadow_copy_with_wmic_and_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Credential Dumping via Copy Command from Shadow Copy", "id": "d8c406fe-23d2-45f3-a983-1abe7b83ff3b", "version": 2, "date": "2021-09-16", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "This search detects credential dumping using copy command from a shadow copy.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` (Processes.process=*\\\\system32\\\\config\\\\sam* OR Processes.process=*\\\\system32\\\\config\\\\security* OR Processes.process=*\\\\system32\\\\config\\\\system* OR Processes.process=*\\\\windows\\\\ntds\\\\ntds.dit*) by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `credential_dumping_via_copy_command_from_shadow_copy_filter` ", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "references": ["https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf"], "tags": {"name": "Credential Dumping via Copy Command from Shadow Copy", "analytic_story": ["Credential Dumping"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to copy SAM and NTDS.dit for offline password cracking.", "mitre_attack_id": ["T1003.003", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "credential_dumping_via_copy_command_from_shadow_copy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Credential Dumping via Symlink to Shadow Copy", "id": "c5eac648-fae0-4263-91a6-773df1f4c903", "version": 2, "date": "2021-09-16", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "This search detects the creation of a symlink to a shadow copy.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` Processes.process=*mklink* Processes.process=*HarddiskVolumeShadowCopy* by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `credential_dumping_via_symlink_to_shadow_copy_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "references": ["https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf"], "tags": {"name": "Credential Dumping via Symlink to Shadow Copy", "analytic_story": ["Credential Dumping"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to create symlink to a shadow copy to grab credentials.", "mitre_attack_id": ["T1003.003", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "credential_dumping_via_symlink_to_shadow_copy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "CSC Net On The Fly Compilation", "id": "ea73128a-43ab-11ec-9753-acde48001122", "version": 1, "date": "2021-11-12", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "this analytic is to detect a suspicious compile before delivery approach of .net compiler csc.exe. This technique was seen in several adversaries, malware and even in red teams to take advantage the csc.exe .net compiler tool to compile on the fly a malicious .net code to evade detection from security product. This is a good hunting query to check further the file or process created after this event and check the file path that passed to csc.exe which is the .net code. Aside from that, powershell is capable of using this compiler in executing .net code in a powershell script so filter on that case is needed.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_csc` Processes.process = \"*/noconfig*\" Processes.process = \"*/fullpaths*\" Processes.process = \"*@*\" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `csc_net_on_the_fly_compilation_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "A network operator or systems administrator may utilize an automated powershell script taht execute .net code that may generate false positive. filter is needed.", "references": ["https://app.any.run/tasks/ad4c3cda-41f2-4401-8dba-56cc2d245488/", "https://tccontre.blogspot.com/2019/06/maicious-macro-that-compile-c-code-as.html"], "tags": {"name": "CSC Net On The Fly Compilation", "analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "csc.exe with commandline $process$ to compile .net code on $dest$ by $user$", "mitre_attack_id": ["T1027.004", "T1027"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1027.004", "mitre_attack_technique": "Compile After Delivery", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Gamaredon Group", "MuddyWater", "Rocke"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/vilsel/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_csc", "definition": "(Processes.process_name=csc.exe OR Processes.original_file_name=csc.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "csc_net_on_the_fly_compilation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/csc_net_on_the_fly_compilation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Curl Download and Bash Execution", "id": "900bc324-59f3-11ec-9fb4-acde48001122", "version": 1, "date": "2021-12-10", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of curl on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl (Processes.process=\"*-s *\") OR (Processes.process=\"*|*\" AND Processes.process=\"*bash*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `curl_download_and_bash_execution_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon for Linux, you will need to ensure mapping is occurring correctly. If the EDR is not parsing the pipe bash in the command-line, modifying the analytic will be required. Add parent process name (Processes.parent_process_name) as needed to filter.", "known_false_positives": "False positives should be limited, however filtering may be required.", "references": ["https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java", "https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://gist.github.com/nathanqthai/01808c569903f41a52e7e7b575caa890"], "tags": {"name": "Curl Download and Bash Execution", "analytic_story": ["Ingress Tool Transfer", "Log4Shell CVE-2021-44228", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Command And Control"], "message": "An instance of $process_name$ was identified on endpoint $dest$ attempting to download a remote file and run it with bash.", "mitre_attack_id": ["T1105"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "cve": ["CVE-2021-44228"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/linux-sysmon_curlwget.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "curl_download_and_bash_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-44228", "cvss": 9.3, "summary": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/curl_download_and_bash_execution.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Delete ShadowCopy With PowerShell", "id": "5ee2bcd0-b2ff-11eb-bb34-acde48001122", "version": 2, "date": "2022-05-02", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This following analytic detects PowerShell command to delete shadow copy using the WMIC PowerShell module. This technique was seen used by a recent adversary to deploy DarkSide Ransomware where it executed a child process of PowerShell to execute a hex encoded command to delete shadow copy. This hex encoded command was able to be decrypted by PowerShell log.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText= \"*ShadowCopy*\" (ScriptBlockText = \"*Delete*\" OR ScriptBlockText = \"*Remove*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `delete_shadowcopy_with_powershell_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event.", "known_false_positives": "unknown", "references": ["https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations", "https://www.techtarget.com/searchwindowsserver/tutorial/Set-up-PowerShell-script-block-logging-for-added-security"], "tags": {"name": "Delete ShadowCopy With PowerShell", "analytic_story": ["DarkSide Ransomware", "Ransomware", "Revil Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "message": "An attempt to delete ShadowCopy was performed using PowerShell on $Computer$ by $User$.", "mitre_attack_id": ["T1490"], "nist": ["DE.CM"], "observable": [{"name": "UserID", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "delete_shadowcopy_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/delete_shadowcopy_with_powershell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Deleting Of Net Users", "id": "1c8c6f66-acce-11eb-aafb-acde48001122", "version": 2, "date": "2023-06-13", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic will detect a suspicious net.exe/net1.exe command-line to delete a user on a system. This technique may be use by an administrator for legitimate purposes, however this behavior has been used in the wild to impair some user or deleting adversaries tracks created during its lateral movement additional systems. During triage, review parallel processes for additional behavior. Identify any other user accounts created before or after.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process=\"*user*\" AND Processes.process=\"*/delete*\" by Processes.process_name Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `deleting_of_net_users_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "System administrators or scripts may delete user accounts via this technique. Filter as needed.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"name": "Deleting Of Net Users", "analytic_story": ["XMRig", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to delete accounts.", "mitre_attack_id": ["T1531"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "deleting_of_net_users_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/deleting_of_net_users.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Deleting Shadow Copies", "id": "b89919ed-ee5f-492c-b139-95dbb162039e", "version": 4, "date": "2020-11-09", "author": "David Dorsey, Splunk", "type": "TTP", "status": "production", "description": "The vssadmin.exe utility is used to interact with the Volume Shadow Copy Service. Wmic is an interface to the Windows Management Instrumentation. This search looks for either of these tools being used to delete shadow copies.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=vssadmin.exe OR Processes.process_name=wmic.exe) Processes.process=*delete* Processes.process=*shadow* by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `deleting_shadow_copies_filter`", "how_to_implement": "You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "vssadmin.exe and wmic.exe are standard applications shipped with modern versions of windows. They may be used by administrators to legitimately delete old backup copies, although this is typically rare.", "references": ["https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html"], "tags": {"name": "Deleting Shadow Copies", "analytic_story": ["Windows Log Manipulation", "SamSam Ransomware", "Ransomware", "Clop Ransomware", "CISA AA22-264A", "Prestige Ransomware", "Chaos Ransomware", "LockBit Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to delete shadow copies.", "mitre_attack_id": ["T1490"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "deleting_shadow_copies_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/deleting_shadow_copies.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect AzureHound Command-Line Arguments", "id": "26f02e96-c300-11eb-b611-acde48001122", "version": 1, "date": "2021-06-01", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the common command-line argument used by AzureHound `Invoke-AzureHound`. Being the script is FOSS, function names may be modified, but these changes are dependent upon the operator. In most instances the defaults are used. This analytic works to identify the common command-line attributes used. It does not cover the entirety of every argument in order to avoid false positives.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*invoke-azurehound*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_command_line_arguments_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Unknown.", "references": ["https://attack.mitre.org/software/S0521/", "https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors", "https://posts.specterops.io/introducing-bloodhound-4-0-the-azure-update-9b2b26c5e350", "https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/AzureHound.ps1"], "tags": {"name": "Detect AzureHound Command-Line Arguments", "analytic_story": ["Discovery Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ using AzureHound to enumerate AzureAD.", "mitre_attack_id": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "admin@338"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/sharphound/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_azurehound_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_azurehound_command_line_arguments.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect AzureHound File Modifications", "id": "1c34549e-c31b-11eb-996b-acde48001122", "version": 1, "date": "2021-06-01", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic is similar to SharpHound file modifications, but this instance covers the use of Invoke-AzureHound. AzureHound is the SharpHound equivilent but for Azure. It's possible this may never be seen in an environment as most attackers may execute this tool remotely. Once execution is complete, a zip file with a similar name will drop `20210601090751-azurecollection.zip`. In addition to the zip, multiple .json files will be written to disk, which are in the zip.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*-azurecollection.zip\", \"*-azprivroleadminrights.json\", \"*-azglobaladminrights.json\", \"*-azcloudappadmins.json\", \"*-azapplicationadmins.json\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_file_modifications_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on file modifications that include the name of the process, and file, responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "False positives should be limited as the analytic is specific to a filename with extension .zip. Filter as needed.", "references": ["https://posts.specterops.io/introducing-bloodhound-4-0-the-azure-update-9b2b26c5e350", "https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Collectors/AzureHound.ps1"], "tags": {"name": "Detect AzureHound File Modifications", "analytic_story": ["Discovery Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "A file - $file_name$ was written to disk that is related to AzureHound, a AzureAD enumeration utility, has occurred on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "file_path", "dest", "file_name", "process_id", "file_create_time"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "admin@338"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/sharphound/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_azurehound_file_modifications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_azurehound_file_modifications.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect Baron Samedit CVE-2021-3156", "id": "93fbec4e-0375-440c-8db3-4508eca470c4", "version": 1, "date": "2021-01-27", "author": "Shannon Davis, Splunk", "type": "TTP", "status": "experimental", "description": "This search detects the heap-based buffer overflow of sudoedit", "data_source": [], "search": "`linux_hosts` \"sudoedit -s \\\\\" | `detect_baron_samedit_cve_2021_3156_filter`", "how_to_implement": "Splunk Universal Forwarder running on Linux systems, capturing logs from the /var/log directory. The vulnerability is exposed when a non privledged user tries passing in a single \\ character at the end of the command while using the shell and edit flags.", "known_false_positives": "unknown", "references": [], "tags": {"name": "Detect Baron Samedit CVE-2021-3156", "analytic_story": ["Baron Samedit CVE-2021-3156"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1068"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2021-3156"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}]}, "datamodel": [], "macros": [{"name": "linux_hosts", "definition": "index=*", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_baron_samedit_cve_2021_3156_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-3156", "cvss": 7.2, "summary": "Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via \"sudoedit -s\" and a command-line argument that ends with a single backslash character."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_baron_samedit_cve_2021_3156.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Detect Baron Samedit CVE-2021-3156 Segfault", "id": "10f2bae0-bbe6-4984-808c-37dc1c67980d", "version": 1, "date": "2021-01-29", "author": "Shannon Davis, Splunk", "type": "TTP", "status": "experimental", "description": "This search detects the heap-based buffer overflow of sudoedit", "data_source": [], "search": "`linux_hosts` TERM(sudoedit) TERM(segfault) | stats count min(_time) as firstTime max(_time) as lastTime by host | where count > 5 | `detect_baron_samedit_cve_2021_3156_segfault_filter`", "how_to_implement": "Splunk Universal Forwarder running on Linux systems (tested on Centos and Ubuntu), where segfaults are being logged. This also captures instances where the exploit has been compiled into a binary. The detection looks for greater than 5 instances of sudoedit combined with segfault over your search time period on a single host", "known_false_positives": "If sudoedit is throwing segfaults for other reasons this will pick those up too.", "references": [], "tags": {"name": "Detect Baron Samedit CVE-2021-3156 Segfault", "analytic_story": ["Baron Samedit CVE-2021-3156"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1068"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "host"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2021-3156"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}]}, "datamodel": [], "macros": [{"name": "linux_hosts", "definition": "index=*", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_baron_samedit_cve_2021_3156_segfault_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-3156", "cvss": 7.2, "summary": "Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via \"sudoedit -s\" and a command-line argument that ends with a single backslash character."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_baron_samedit_cve_2021_3156_segfault.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Detect Baron Samedit CVE-2021-3156 via OSQuery", "id": "1de31d5d-8fa6-4ee0-af89-17069134118a", "version": 1, "date": "2021-01-28", "author": "Shannon Davis, Splunk", "type": "TTP", "status": "experimental", "description": "This search detects the heap-based buffer overflow of sudoedit", "data_source": [], "search": "`osquery_process` | search \"columns.cmdline\"=\"sudoedit -s \\\\*\" | `detect_baron_samedit_cve_2021_3156_via_osquery_filter`", "how_to_implement": "OSQuery installed and configured to pick up process events (info at https://osquery.io) as well as using the Splunk OSQuery Add-on https://splunkbase.splunk.com/app/4402. The vulnerability is exposed when a non privledged user tries passing in a single \\ character at the end of the command while using the shell and edit flags.", "known_false_positives": "unknown", "references": [], "tags": {"name": "Detect Baron Samedit CVE-2021-3156 via OSQuery", "analytic_story": ["Baron Samedit CVE-2021-3156"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1068"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "columns.cmdline"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2021-3156"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}]}, "datamodel": [], "macros": [{"name": "osquery_process", "definition": "eventtype=\"osquery-process\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_baron_samedit_cve_2021_3156_via_osquery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-3156", "cvss": 7.2, "summary": "Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via \"sudoedit -s\" and a command-line argument that ends with a single backslash character."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_baron_samedit_cve_2021_3156_via_osquery.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Detect Computer Changed with Anonymous Account", "id": "1400624a-d42d-484d-8843-e6753e6e3645", "version": 1, "date": "2020-09-18", "author": "Rod Soto, Jose Hernandez, Splunk", "type": "Hunting", "status": "experimental", "description": "This search looks for Event Code 4742 (Computer Change) or EventCode 4624 (An account was successfully logged on) with an anonymous account.", "data_source": ["Windows Security 4624"], "search": "`wineventlog_security` EventCode=4624 OR EventCode=4742 TargetUserName=\"ANONYMOUS LOGON\" LogonType=3 | stats count values(host) as host, values(TargetDomainName) as Domain, values(user) as user | `detect_computer_changed_with_anonymous_account_filter`", "how_to_implement": "This search requires audit computer account management to be enabled on the system in order to generate Event ID 4742. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Event Logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "None thus far found", "references": ["https://www.lares.com/blog/from-lares-labs-defensive-guidance-for-zerologon-cve-2020-1472/"], "tags": {"name": "Detect Computer Changed with Anonymous Account", "analytic_story": ["Detect Zerologon Attack"], "asset_type": "Windows", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "The following $EventCode$ occurred on $dest$ by $user$ with Logon Type 3, which may be indicative of the an account or group being changed by an anonymous account.", "mitre_attack_id": ["T1210"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "EventCode", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "TargetUserName", "LogonType", "TargetDomainName", "user"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2020-1472"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1210", "mitre_attack_technique": "Exploitation of Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "Dragonfly", "Earth Lusca", "FIN7", "Fox Kitten", "MuddyWater", "Threat Group-3390", "Tonto Team", "Wizard Spider", "menuPass"]}]}, "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_computer_changed_with_anonymous_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2020-1472", "cvss": 9.3, "summary": "An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon Elevation of Privilege Vulnerability'."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_computer_changed_with_anonymous_account.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Detect Copy of ShadowCopy with Script Block Logging", "id": "9251299c-ea5b-11eb-a8de-acde48001122", "version": 1, "date": "2021-07-21", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \\\nThis analytic identifies `copy` or `[System.IO.File]::Copy` being used to capture the SAM, SYSTEM or SECURITY hives identified in script block. This will catch the most basic use cases for credentials being taken for offline cracking. \\\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 Message IN (\"*copy*\",\"*[System.IO.File]::Copy*\") AND Message IN (\"*System32\\\\config\\\\SAM*\", \"*System32\\\\config\\\\SYSTEM*\",\"*System32\\\\config\\\\SECURITY*\") | stats count min(_time) as firstTime max(_time) as lastTime by OpCode ComputerName User EventCode Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_copy_of_shadowcopy_with_script_block_logging_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Limited false positives as the scope is limited to SAM, SYSTEM and SECURITY hives.", "references": ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934", "https://github.com/GossiTheDog/HiveNightmare", "https://github.com/JumpsecLabs/Guidance-Advice/tree/main/SAM_Permissions"], "tags": {"name": "Detect Copy of ShadowCopy with Script Block Logging", "analytic_story": ["Credential Dumping"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "PowerShell was identified running a script to capture the SAM hive on endpoint $ComputerName$ by user $user$.", "mitre_attack_id": ["T1003.002", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "ComputerName", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Message", "OpCode", "ComputerName", "User", "EventCode"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "cve": ["CVE-2021-36934"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/serioussam/windows-powershell.log", "source": "WinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "wineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_copy_of_shadowcopy_with_script_block_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-36934", "cvss": 4.6, "summary": "Windows Elevation of Privilege Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_copy_of_shadowcopy_with_script_block_logging.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Detect Credential Dumping through LSASS access", "id": "2c365e57-4414-4540-8dc0-73ab10729996", "version": 3, "date": "2019-12-03", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "This search looks for reading lsass memory consistent with credential dumping.", "data_source": ["Sysmon Event ID 1"], "search": "`sysmon` EventCode=10 TargetImage=*lsass.exe (GrantedAccess=0x1010 OR GrantedAccess=0x1410) | stats count min(_time) as firstTime max(_time) as lastTime by Computer, SourceImage, SourceProcessId, TargetImage, TargetProcessId, EventCode, GrantedAccess | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_credential_dumping_through_lsass_access_filter` ", "how_to_implement": "This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 10 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "The activity may be legitimate. Other tools can access lsass for legitimate reasons, and it's possible this event could be generated in those cases. In these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise.", "references": [], "tags": {"name": "Detect Credential Dumping through LSASS access", "analytic_story": ["Credential Dumping", "Detect Zerologon Attack"], "asset_type": "Windows", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "The $source_image$ has attempted access to read $TargetImage$ was identified on endpoint $Computer$, this is indicative of credential dumping and should be investigated.", "mitre_attack_id": ["T1003.001", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "source_image", "type": "Other", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "TargetImage", "type": "Other", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "TargetImage", "GrantedAccess", "Computer", "SourceImage", "SourceProcessId", "TargetImage", "TargetProcessId"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_credential_dumping_through_lsass_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_credential_dumping_through_lsass_access.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Detect Empire with PowerShell Script Block Logging", "id": "bc1dc6b8-c954-11eb-bade-acde48001122", "version": 2, "date": "2023-04-14", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \\\nThis analytic identifies the common PowerShell stager used by PowerShell-Empire. Each stager that may use PowerShell all uses the same pattern. The initial HTTP will be base64 encoded and use `system.net.webclient`. Note that some obfuscation may evade the analytic. \\\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (ScriptBlockText=*system.net.webclient* AND ScriptBlockText=*frombase64string*) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_empire_with_powershell_script_block_logging_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives may only pertain to it not being related to Empire, but another framework. Filter as needed if any applications use the same pattern.", "references": ["https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://github.com/BC-SECURITY/Empire", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"name": "Detect Empire with PowerShell Script Block Logging", "analytic_story": ["Malicious PowerShell", "Hermetic Wiper", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Installation"], "message": "The following behavior was identified and typically related to PowerShell-Empire on $Computer$ by $UserID$.", "mitre_attack_id": ["T1059", "T1059.001"], "nist": ["DE.CM"], "observable": [{"name": "UserID", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/empire.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_empire_with_powershell_script_block_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_empire_with_powershell_script_block_logging.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Detect Excessive Account Lockouts From Endpoint", "id": "c026e3dd-7e18-4abb-8f41-929e836efe74", "version": 6, "date": "2022-08-25", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "production", "description": "This search identifies endpoints that have caused a relatively high number of account lockouts in a short period.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Changes.user) as user from datamodel=Change.All_Changes where All_Changes.result=\"*locked out*\" by All_Changes.dest All_Changes.result |`drop_dm_object_name(\"All_Changes\")` |`drop_dm_object_name(\"Account_Management\")`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search count > 5 | `detect_excessive_account_lockouts_from_endpoint_filter`", "how_to_implement": "You must ingest your Windows security event logs in the `Change` datamodel under the nodename is `Account_Management`, for this search to execute successfully. Please consider updating the cron schedule and the count of lockouts you want to monitor, according to your environment. \\\n **Splunk>Phantom Playbook Integration**\\\nIf Splunk>Phantom is also configured in your environment, a Playbook called \"Excessive Account Lockouts Enrichment and Response\" can be configured to run when any results are found by this detection search. The Playbook executes the Contextual and Investigative searches in this Story, conducts additional information gathering on Windows endpoints, and takes a response action to shut down the affected endpoint. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, add the correct hostname to the \"Phantom Instance\" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active. \\\n(Playbook Link:`https://my.phantom.us/4.1/playbook/excessive-account-lockouts-enrichment-and-response/`).\\\n", "known_false_positives": "It's possible that a widely used system, such as a kiosk, could cause a large number of account lockouts.", "references": [], "tags": {"name": "Detect Excessive Account Lockouts From Endpoint", "analytic_story": ["Account Monitoring and Controls"], "asset_type": "Windows", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "Multiple accounts have been locked out. Review $dest$ and results related to $user$.", "mitre_attack_id": ["T1078", "T1078.002"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.user", "nodename", "All_Changes.result", "All_Changes.dest"], "risk_score": 36, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "Chimera", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/account_lockout/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/account_lockout/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog", "update_timestamp": true}]}], "datamodel": ["Change"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_excessive_account_lockouts_from_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_excessive_account_lockouts_from_endpoint.yml", "source": "endpoint"}, {"name": "Detect Excessive User Account Lockouts", "id": "95a7f9a5-6096-437e-a19e-86f42ac609bd", "version": 4, "date": "2022-08-25", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "production", "description": "This search detects user accounts that have been locked out a relatively high number of times in a short period.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Change.All_Changes where All_Changes.result=\"*locked out*\" by All_Changes.user All_Changes.result |`drop_dm_object_name(\"All_Changes\")` |`drop_dm_object_name(\"Account_Management\")`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search count > 5 | `detect_excessive_user_account_lockouts_filter`", "how_to_implement": "ou must ingest your Windows security event logs in the `Change` datamodel under the nodename is `Account_Management`, for this search to execute successfully. Please consider updating the cron schedule and the count of lockouts you want to monitor, according to your environment.", "known_false_positives": "It is possible that a legitimate user is experiencing an issue causing multiple account login failures leading to lockouts.", "references": [], "tags": {"name": "Detect Excessive User Account Lockouts", "analytic_story": ["Account Monitoring and Controls"], "asset_type": "Windows", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "Multiple accounts have been locked out. Review $nodename$ and $result$ related to $user$.", "mitre_attack_id": ["T1078", "T1078.003"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "result", "type": "Other", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.result", "nodename", "All_Changes.user"], "risk_score": 36, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.003", "mitre_attack_technique": "Local Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "FIN10", "HAFNIUM", "Kimsuky", "PROMETHIUM", "Tropic Trooper", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/account_lockout/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/account_lockout/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog", "update_timestamp": true}]}], "datamodel": ["Change"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_excessive_user_account_lockouts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_excessive_user_account_lockouts.yml", "source": "endpoint"}, {"name": "Detect Exchange Web Shell", "id": "8c14eeee-2af1-4a4b-bda8-228da0f4862a", "version": 4, "date": "2022-09-30", "author": "Michael Haag, Shannon Davis, David Dorsey, Splunk", "type": "TTP", "status": "production", "description": "The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell and ProxyNotShell. Paths include: `\\HttpProxy\\owa\\auth\\`, `\\inetpub\\wwwroot\\aspnet_client\\`, and `\\HttpProxy\\OAB\\`. Upon triage, the suspicious .aspx file will likely look obvious on the surface. inspect the contents for script code inside. Identify additional log sources, IIS included, to review source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically analytics to detect those threats are written without the benefit of being able to only target those systems as well. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the exchange server is communicating with new systems that it has not previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise allowing the hunter to focus only on the systems where this behavioral change is relevant.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=System by _time span=1h Processes.process_id Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\HttpProxy\\\\owa\\\\auth\\\\*\", \"*\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\", \"*\\\\HttpProxy\\\\OAB\\\\*\") Filesystem.file_name IN( \"*.aspx\", \"*.ashx\") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process] | dedup file_create_time | table dest file_create_time, file_name, file_path, process_name | `detect_exchange_web_shell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node.", "known_false_positives": "The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product.", "references": ["https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv", "https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell", "https://www.youtube.com/watch?v=FC6iHw258RI", "https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit#what-should-you-do"], "tags": {"name": "Detect Exchange Web Shell", "analytic_story": ["HAFNIUM Group", "ProxyShell", "CISA AA22-257A", "ProxyNotShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Installation", "Delivery"], "message": "A file - $file_name$ was written to disk that is related to IIS exploitation previously performed by HAFNIUM. Review further file modifications on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1505", "T1505.003", "T1190", "T1133"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.file_path", "Filesystem.process_id", "Filesystem.file_name", "Filesystem.file_hash", "Filesystem.user"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.003/windows-sysmon_proxylogon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_exchange_web_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_exchange_web_shell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect HTML Help Renamed", "id": "62fed254-513b-460e-953d-79771493a9f3", "version": 4, "date": "2022-04-07", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies a renamed instance of hh.exe (HTML Help) executing a Compiled HTML Help (CHM). This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Validate it is the legitimate version of hh.exe by reviewing the PE metadata. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=hh.exe AND Processes.original_file_name=HH.EXE by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_renamed_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Although unlikely a renamed instance of hh.exe will be used legitimately, filter as needed.", "references": ["https://attack.mitre.org/techniques/T1218/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md", "https://lolbas-project.github.io/lolbas/Binaries/Hh/"], "tags": {"name": "Detect HTML Help Renamed", "analytic_story": ["Suspicious Compiled HTML Activity", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$.", "mitre_attack_id": ["T1218", "T1218.001"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.001", "mitre_attack_technique": "Compiled HTML File", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "APT41", "Dark Caracal", "OilRig", "Silence"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_html_help_renamed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_html_help_renamed.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect HTML Help Spawn Child Process", "id": "723716de-ee55-4cd4-9759-c44e7e55ba4b", "version": 1, "date": "2021-02-11", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=hh.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_spawn_child_process_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Although unlikely, some legitimate applications (ex. web browsers) may spawn a child process. Filter as needed.", "references": ["https://attack.mitre.org/techniques/T1218/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md", "https://lolbas-project.github.io/lolbas/Binaries/Hh/", "https://gist.github.com/mgeeky/cce31c8602a144d8f2172a73d510e0e7", "https://web.archive.org/web/20220119133748/https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/"], "tags": {"name": "Detect HTML Help Spawn Child Process", "analytic_story": ["Suspicious Compiled HTML Activity", "Living Off The Land", "AgentTesla"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ spawning a child process, typically not normal behavior.", "mitre_attack_id": ["T1218", "T1218.001"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.001", "mitre_attack_technique": "Compiled HTML File", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "APT41", "Dark Caracal", "OilRig", "Silence"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_html_help_spawn_child_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_html_help_spawn_child_process.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect HTML Help URL in Command Line", "id": "8c5835b9-39d9-438b-817c-95f14c69a31e", "version": 2, "date": "2021-09-16", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file from a remote url. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review reputation of remote IP and domain. Some instances, it is worth decompiling the .chm file to review its original contents. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_hh` Processes.process=*http* by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_url_in_command_line_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Although unlikely, some legitimate applications may retrieve a CHM remotely, filter as needed.", "references": ["https://attack.mitre.org/techniques/T1218/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md", "https://lolbas-project.github.io/lolbas/Binaries/Hh/", "https://blog.sevagas.com/?Hacking-around-HTA-files", "https://gist.github.com/mgeeky/cce31c8602a144d8f2172a73d510e0e7", "https://web.archive.org/web/20220119133748/https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/"], "tags": {"name": "Detect HTML Help URL in Command Line", "analytic_story": ["Suspicious Compiled HTML Activity", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_proces_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ contacting a remote destination to potentally download a malicious payload.", "mitre_attack_id": ["T1218", "T1218.001"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.001", "mitre_attack_technique": "Compiled HTML File", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "APT41", "Dark Caracal", "OilRig", "Silence"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_hh", "definition": "(Processes.process_name=hh.exe OR Processes.original_file_name=HH.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "detect_html_help_url_in_command_line_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_html_help_url_in_command_line.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect HTML Help Using InfoTech Storage Handlers", "id": "0b2eefa5-5508-450d-b970-3dd2fb761aec", "version": 2, "date": "2021-09-16", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file using InfoTech Storage Handlers. This particular technique will load Windows script code from a compiled help file, using InfoTech Storage Handlers. itss.dll will load upon execution. Three InfoTech Storage handlers are supported - ms-its, its, mk:@MSITStore. ITSS may be used to launch a specific html/htm file from within a CHM file. CHM files may contain nearly any file type embedded. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_hh` Processes.process IN (\"*its:*\", \"*mk:@MSITStore:*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_using_infotech_storage_handlers_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "It is rare to see instances of InfoTech Storage Handlers being used, but it does happen in some legitimate instances. Filter as needed.", "references": ["https://attack.mitre.org/techniques/T1218/001/", "https://www.kb.cert.org/vuls/id/851869", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md", "https://lolbas-project.github.io/lolbas/Binaries/Hh/", "https://gist.github.com/mgeeky/cce31c8602a144d8f2172a73d510e0e7", "https://web.archive.org/web/20220119133748/https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/"], "tags": {"name": "Detect HTML Help Using InfoTech Storage Handlers", "analytic_story": ["Suspicious Compiled HTML Activity", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "$process_name$ has been identified using Infotech Storage Handlers to load a specific file within a CHM on $dest$ under user $user$.", "mitre_attack_id": ["T1218", "T1218.001"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.001", "mitre_attack_technique": "Compiled HTML File", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "APT41", "Dark Caracal", "OilRig", "Silence"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_hh", "definition": "(Processes.process_name=hh.exe OR Processes.original_file_name=HH.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "detect_html_help_using_infotech_storage_handlers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "id": "8148c29c-c952-11eb-9255-acde48001122", "version": 2, "date": "2022-02-24", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. \\\nThis analytic identifies common Mimikatz functions that may be identified in the script block, including `mimikatz`. This will catch the most basic use cases for Pass the Ticket, Pass the Hash and `-DumprCreds`. \\\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText IN (*mimikatz*, *-dumpcr*, *sekurlsa::pth*, *kerberos::ptt*, *kerberos::golden*) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_mimikatz_with_powershell_script_block_logging_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited as the commands being identifies are quite specific to EventCode 4104 and Mimikatz. Filter as needed.", "references": ["https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"name": "Detect Mimikatz With PowerShell Script Block Logging", "analytic_story": ["Hermetic Wiper", "Malicious PowerShell", "CISA AA22-264A", "CISA AA22-320A", "Sandworm Tools", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "message": "The following behavior was identified and typically related to MimiKatz being loaded within the context of PowerShell on $Computer$ by $UserID$.", "mitre_attack_id": ["T1003", "T1059.001"], "nist": ["DE.CM"], "observable": [{"name": "UserID", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/credaccess-powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_mimikatz_with_powershell_script_block_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Detect mshta inline hta execution", "id": "a0873b32-5b68-11eb-ae93-0242ac130002", "version": 6, "date": "2021-09-16", "author": "Bhavin Patel, Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies \"mshta.exe\" execution with inline protocol handlers. \"JavaScript\", \"VBScript\", and \"About\" are the only supported options when invoking HTA content directly on the command-line. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process \"mshta.exe\" and its parent process.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_mshta` (Processes.process=*vbscript* OR Processes.process=*javascript* OR Processes.process=*about*) by Processes.user Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_mshta_inline_hta_execution_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.", "references": ["https://github.com/redcanaryco/AtomicTestHarnesses", "https://redcanary.com/blog/introducing-atomictestharnesses/", "https://docs.microsoft.com/en-us/windows/win32/search/-search-3x-wds-extidx-prot-implementing"], "tags": {"name": "Detect mshta inline hta execution", "analytic_story": ["Suspicious MSHTA Activity", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ executing with inline HTA, indicative of defense evasion.", "mitre_attack_id": ["T1218", "T1218.005"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_mshta", "definition": "(Processes.process_name=mshta.exe OR Processes.original_file_name=MSHTA.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "detect_mshta_inline_hta_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_mshta_inline_hta_execution.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect mshta renamed", "id": "8f45fcf0-5b68-11eb-ae93-0242ac130002", "version": 3, "date": "2022-04-07", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies renamed instances of mshta.exe executing. Mshta.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64. This analytic utilizes the internal name of the PE to identify if is the legitimate mshta binary. Further analysis should be performed to review the executed content and validation it is the real mshta.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=mshta.exe AND Processes.original_file_name=MSHTA.EXE by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_mshta_renamed_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Although unlikely, some legitimate applications may use a moved copy of mshta.exe, but never renamed, triggering a false positive.", "references": ["https://github.com/redcanaryco/AtomicTestHarnesses", "https://redcanary.com/blog/introducing-atomictestharnesses/"], "tags": {"name": "Detect mshta renamed", "analytic_story": ["Suspicious MSHTA Activity", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$.", "mitre_attack_id": ["T1218", "T1218.005"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_mshta_renamed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_mshta_renamed.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect MSHTA Url in Command Line", "id": "9b3af1e6-5b68-11eb-ae93-0242ac130002", "version": 2, "date": "2021-09-16", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies when Microsoft HTML Application Host (mshta.exe) utility is used to make remote http connections. Adversaries may use mshta.exe to proxy the download and execution of remote .hta files. The analytic identifies command line arguments of http and https being used. This technique is commonly used by malicious software to bypass preventative controls. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process \"rundll32.exe\" and its parent process.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_mshta` (Processes.process=\"*http://*\" OR Processes.process=\"*https://*\") by Processes.user Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_mshta_url_in_command_line_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "It is possible legitimate applications may perform this behavior and will need to be filtered.", "references": ["https://github.com/redcanaryco/AtomicTestHarnesses", "https://redcanary.com/blog/introducing-atomictestharnesses/", "https://docs.microsoft.com/en-us/windows/win32/search/-search-3x-wds-extidx-prot-implementing"], "tags": {"name": "Detect MSHTA Url in Command Line", "analytic_story": ["Suspicious MSHTA Activity", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $est$ by user $user$ attempting to access a remote destination to download an additional payload.", "mitre_attack_id": ["T1218", "T1218.005"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_mshta", "definition": "(Processes.process_name=mshta.exe OR Processes.original_file_name=MSHTA.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "detect_mshta_url_in_command_line_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_mshta_url_in_command_line.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect New Local Admin account", "id": "b25f6f62-0712-43c1-b203-083231ffd97d", "version": 2, "date": "2020-07-08", "author": "David Dorsey, Splunk", "type": "TTP", "status": "production", "description": "This search looks for newly created accounts that have been elevated to local administrators.", "data_source": [], "search": "`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) | transaction member_id connected=false maxspan=180m | rename member_id as user | stats count min(_time) as firstTime max(_time) as lastTime by user dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_new_local_admin_account_filter`", "how_to_implement": "You must be ingesting Windows event logs using the Splunk Windows TA and collecting event code 4720 and 4732", "known_false_positives": "The activity may be legitimate. For this reason, it's best to verify the account with an administrator and ask whether there was a valid service request for the account creation. If your local administrator group name is not \"Administrators\", this search may generate an excessive number of false positives", "references": [], "tags": {"name": "Detect New Local Admin account", "analytic_story": ["DHS Report TA18-074A", "HAFNIUM Group", "CISA AA22-257A"], "asset_type": "Windows", "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Installation"], "message": "A $user$ on $dest$ was added recently. Identify if this was legitimate behavior or not.", "mitre_attack_id": ["T1136.001", "T1136"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Group_Name", "member_id", "dest", "user"], "risk_score": 42, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "Dragonfly", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_new_local_admin_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_new_local_admin_account.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Detect Outlook exe writing a zip file", "id": "a51bfe1a-94f0-4822-b1e4-16ae10145893", "version": 4, "date": "2023-2-07", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "experimental", "description": "This search looks for execution of process `outlook.exe` where the process is writing a `.zip` file to the disk.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=outlook.exe by _time span=5m Processes.parent_process_id Processes.process_id Processes.dest Processes.process_name Processes.parent_process_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename process_id as malicious_id| rename parent_process_id as outlook_id| join malicious_id type=inner[| tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path values(Filesystem.file_name) as file_name FROM datamodel=Endpoint.Filesystem where (Filesystem.file_path=*.zip* OR Filesystem.file_name=*.lnk ) AND (Filesystem.file_path=C:\\\\Users* OR Filesystem.file_path=*Local\\\\Temp*) by _time span=5m Filesystem.process_id Filesystem.file_hash Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename process_id as malicious_id| fields malicious_id outlook_id dest file_path file_name file_hash count file_id] | table firstTime lastTime user malicious_id outlook_id process_name parent_process_name file_name file_path | where file_name != \"\" | `detect_outlook_exe_writing_a_zip_file_filter` ", "how_to_implement": "You must be ingesting data that records filesystem and process activity from your hosts to populate the Endpoint data model. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon.", "known_false_positives": "It is not uncommon for outlook to write legitimate zip files to the disk.", "references": [], "tags": {"name": "Detect Outlook exe writing a zip file", "analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "tbd", "mitre_attack_id": ["T1566", "T1566.001"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.parent_process_id", "Processes.process_id", "Processes.dest", "Processes.parent_process_name", "Processes.user"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_outlook_exe_writing_a_zip_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect Path Interception By Creation Of program exe", "id": "cbef820c-e1ff-407f-887f-0a9240a2d477", "version": 3, "date": "2020-07-03", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "The detection Detect Path Interception By Creation Of program exe is detecting the abuse of unquoted service paths, which is a popular technique for privilege escalation. ", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=services.exe by Processes.user Processes.process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | rex field=process \"^.*?\\\\\\\\(?[^\\\\\\\\]*\\.(?:exe|bat|com|ps1))\" | eval process_name = lower(process_name) | eval service_process = lower(service_process) | where process_name != service_process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_path_interception_by_creation_of_program_exe_filter`", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "unknown", "references": ["https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae"], "tags": {"name": "Detect Path Interception By Creation Of program exe", "analytic_story": ["Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to perform privilege escalation by using unquoted service paths.", "mitre_attack_id": ["T1574.009", "T1574"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.009", "mitre_attack_technique": "Path Interception by Unquoted Path", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.009/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_path_interception_by_creation_of_program_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect processes used for System Network Configuration Discovery", "id": "a51bfe1a-94f0-48cc-b1e4-16ae10145893", "version": 2, "date": "2020-11-10", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "This search looks for fast execution of processes used for system network configuration discovery on the endpoint.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where NOT Processes.user IN (\"\",\"unknown\") by Processes.dest Processes.process_name Processes.user _time | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | search `system_network_configuration_discovery_tools` | transaction dest connected=false maxpause=5m |where eventcount>=5 | table firstTime lastTime dest user process_name process parent_process eventcount | `detect_processes_used_for_system_network_configuration_discovery_filter`", "how_to_implement": "You must be ingesting data that records registry activity from your hosts to populate the Endpoint data model in the processes node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon. The data used for this search is usually generated via logs that report reads and writes to the registry or that are populated via Windows event logs, after enabling process tracking in your Windows audit settings.", "known_false_positives": "It is uncommon for normal users to execute a series of commands used for network discovery. System administrators often use scripts to execute these commands. These can generate false positives.", "references": [], "tags": {"name": "Detect processes used for System Network Configuration Discovery", "analytic_story": ["Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 40, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning multiple $process_name$ was identified on endpoint $dest$ by user $user$ typically not a normal behavior of the process.", "mitre_attack_id": ["T1016"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 32, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/discovery_commands/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "system_network_configuration_discovery_tools", "definition": "(process_name= \"arp.exe\" OR process_name= \"at.exe\" OR process_name= \"attrib.exe\" OR process_name= \"cscript.exe\" OR process_name= \"dsquery.exe\" OR process_name= \"hostname.exe\" OR process_name= \"ipconfig.exe\" OR process_name= \"mimikatz.exe\" OR process_name= \"nbstat.exe\" OR process_name= \"net.exe\" OR process_name= \"netsh.exe\" OR process_name= \"nslookup.exe\" OR process_name= \"ping.exe\" OR process_name= \"quser.exe\" OR process_name= \"qwinsta.exe\" OR process_name= \"reg.exe\" OR process_name= \"runas.exe\" OR process_name= \"sc.exe\" OR process_name= \"schtasks.exe\" OR process_name= \"ssh.exe\" OR process_name= \"systeminfo.exe\" OR process_name= \"taskkill.exe\" OR process_name= \"telnet.exe\" OR process_name= \"tracert.exe\" OR process_name=\"wscript.exe\" OR process_name= \"xcopy.exe\")", "description": "This macro is a list of process that can be used to discover the network configuration"}, {"name": "detect_processes_used_for_system_network_configuration_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_processes_used_for_system_network_configuration_discovery.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect Prohibited Applications Spawning cmd exe", "id": "dcfd6b40-42f9-469d-a433-2e53f7486664", "version": 6, "date": "2020-11-10", "author": "Bhavin Patel, Splunk", "type": "Hunting", "status": "production", "description": "This search looks for executions of cmd.exe spawned by a process that is often abused by attackers and that does not typically launch cmd.exe.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` by Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |search [`prohibited_apps_launching_cmd`] | `detect_prohibited_applications_spawning_cmd_exe_filter`", "how_to_implement": "You must be ingesting data that records process activity from your hosts and populates the Endpoint data model with the resultant dataset. This search includes a lookup file, `prohibited_apps_launching_cmd.csv`, that contains a list of processes that should not be spawning cmd.exe. You can modify this lookup to better suit your environment. To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "There are circumstances where an application may legitimately execute and interact with the Windows command-line interface. Investigate and modify the lookup file, as appropriate.", "references": [], "tags": {"name": "Detect Prohibited Applications Spawning cmd exe", "analytic_story": ["Suspicious Command-Line Executions", "Suspicious MSHTA Activity", "Suspicious Zoom Child Processes", "NOBELIUM Group"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ running prohibited applications.", "mitre_attack_id": ["T1059", "T1059.003"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/powershell_spawn_cmd/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "prohibited_apps_launching_cmd", "definition": "| inputlookup prohibited_apps_launching_cmd | rename prohibited_applications as parent_process_name | eval parent_process_name=\"*\" . parent_process_name | table parent_process_name", "description": "This macro outputs a list of process that should not be the parent process of cmd.exe"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "detect_prohibited_applications_spawning_cmd_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_prohibited_applications_spawning_cmd_exe.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect PsExec With accepteula Flag", "id": "27c3a83d-cada-47c6-9042-67baf19d2574", "version": 4, "date": "2021-09-16", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "This search looks for events where `PsExec.exe` is run with the `accepteula` flag in the command line. PsExec is a built-in Windows utility that enables you to execute processes on other systems. It is fully interactive for console applications. This tool is widely used for launching interactive command prompts on remote systems. Threat actors leverage this extensively for executing code on compromised systems. If an attacker is running PsExec for the first time, they will be prompted to accept the end-user license agreement (EULA), which can be passed as the argument `accepteula` within the command line.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_psexec` Processes.process=*accepteula* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)`| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_psexec_with_accepteula_flag_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators can leverage PsExec for accessing remote systems and might pass `accepteula` as an argument if they are running this tool for the first time. However, it is not likely that you'd see multiple occurrences of this event on a machine", "references": ["https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"], "tags": {"name": "Detect PsExec With accepteula Flag", "analytic_story": ["SamSam Ransomware", "DHS Report TA18-074A", "HAFNIUM Group", "DarkSide Ransomware", "Active Directory Lateral Movement", "CISA AA22-320A", "Sandworm Tools", "Volt Typhoon", "IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ running the utility for possibly the first time.", "mitre_attack_id": ["T1021", "T1021.002"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_psexec", "definition": "(Processes.process_name=psexec.exe OR Processes.process_name=psexec64.exe OR Processes.original_file_name=psexec.c)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "detect_psexec_with_accepteula_flag_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_psexec_with_accepteula_flag.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect Rare Executables", "id": "44fddcb2-8d3b-454c-874e-7c6de5a4f7ac", "version": 3, "date": "2022-11-10", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search will return a table of processes in the a given window, remove process names which are in the allowed list and list out the top 30 rare processes discovered on different hosts.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.dest) as dest values(Processes.user) as user min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.process_name | rename Processes.process_name as process | `filter_rare_process_allow_list` | sort count | head 30 | rex field=user \"(?.*)\\\\\\\\(?.*)\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rare_executables_filter` ", "how_to_implement": "To successfully implement this search, you must be ingesting data that records process activity from your hosts and populating the `Endpoint` data model with the resultant dataset. The macro `filter_rare_process_allow_list` searches two lookup files for allowed processes. These consist of `rare_process_allow_list_default.csv` and `rare_process_allow_list_local.csv`. To add your own processes to the allow list, add them to `rare_process_allow_list_local.csv`. If you wish to remove an entry from the default lookup file, you will have to modify the macro itself to set the allow_list value for that process to false. You can modify the limit parameter and search scheduling to better suit your environment.", "known_false_positives": "Some legitimate processes may be only rarely executed in your environment. As these are identified, update `rare_process_allow_list_local.csv` to filter them out of your search results.", "references": [], "tags": {"name": "Detect Rare Executables", "analytic_story": ["Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.process_name"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "filter_rare_process_allow_list", "definition": "lookup update=true lookup_rare_process_allow_list_default process as process OUTPUTNEW allow_list | where allow_list=\"false\" | lookup update=true lookup_rare_process_allow_list_local process as process OUTPUT allow_list | where allow_list=\"false\"", "description": "This macro is intended to allow_list processes that have been definied as rare"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_rare_executables_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_rare_executables.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect RClone Command-Line Usage", "id": "32e0baea-b3f1-11eb-a2ce-acde48001122", "version": 2, "date": "2021-11-29", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies commonly used command-line arguments used by `rclone.exe` to initiate a file transfer. Some arguments were negated as they are specific to the configuration used by adversaries. In particular, an adversary may list the files or directories of the remote file share using `ls` or `lsd`, which is not indicative of malicious behavior. During triage, at this stage of a ransomware event, exfiltration is about to occur or has already. Isolate the endpoint and continue investigating by review file modifications and parallel processes.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rclone` Processes.process IN (\"*copy*\", \"*mega*\", \"*pcloud*\", \"*ftp*\", \"*--config*\", \"*--progress*\", \"*--no-check-certificate*\", \"*--ignore-existing*\", \"*--auto-confirm*\", \"*--transfers*\", \"*--multi-thread-streams*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rclone_command_line_usage_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited as this is restricted to the Rclone process name. Filter or tune the analytic as needed.", "references": ["https://redcanary.com/blog/rclone-mega-extortion/", "https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/"], "tags": {"name": "Detect RClone Command-Line Usage", "analytic_story": ["DarkSide Ransomware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to connect to a remote cloud service to move files or folders.", "mitre_attack_id": ["T1020"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id", "Processes.original_file_name"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1020", "mitre_attack_technique": "Automated Exfiltration", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Gamaredon Group", "Ke3chang", "Sidewinder", "Tropic Trooper"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1020/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_rclone", "definition": "(Processes.original_file_name=rclone.exe OR Processes.process_name=rclone.exe)", "description": "Matches the process with its original file name."}, {"name": "detect_rclone_command_line_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_rclone_command_line_usage.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect Regasm Spawning a Process", "id": "72170ec5-f7d2-42f5-aefb-2b8be6aad15f", "version": 1, "date": "2021-02-12", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies regasm.exe spawning a process. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. Spawning of a child process is rare from either process and should be investigated further. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. regsvcs.exe and regasm.exe are natively found in C:\\Windows\\Microsoft.NET\\Framework\\v*\\regasm|regsvcs.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v*\\regasm|regsvcs.exe.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=regasm.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regasm_spawning_a_process_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Although unlikely, limited instances of regasm.exe or regsvcs.exe may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/", "https://lolbas-project.github.io/lolbas/Binaries/Regasm/"], "tags": {"name": "Detect Regasm Spawning a Process", "analytic_story": ["Suspicious Regsvcs Regasm Activity", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ spawning a child process, typically not normal behavior for $parent_process_name$.", "mitre_attack_id": ["T1218", "T1218.009"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.parent_process_name", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.009", "mitre_attack_technique": "Regsvcs/Regasm", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_regasm_spawning_a_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_regasm_spawning_a_process.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect Regasm with Network Connection", "id": "07921114-6db4-4e2e-ae58-3ea8a52ae93f", "version": 2, "date": "2022-02-18", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies regasm.exe with a network connection to a public IP address, exluding private IP space. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. By contacting a remote Command And Control server, the adversary will have the ability to escalate privileges and complete the objectives. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. Review the reputation of the remote IP or domain and block as needed. regsvcs.exe and regasm.exe are natively found in C:\\Windows\\Microsoft.NET\\Framework\\v*\\regasm|regsvcs.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v*\\regasm|regsvcs.exe.", "data_source": ["Sysmon Event ID 3"], "search": "`sysmon` EventID=3 dest_ip!=10.0.0.0/12 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16 process_name=regasm.exe | rename Computer as dest | stats count min(_time) as firstTime max(_time) as lastTime by dest, user, process_name, src_ip, dest_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regasm_with_network_connection_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Although unlikely, limited instances of regasm.exe with a network connection may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md", "https://lolbas-project.github.io/lolbas/Binaries/Regasm/"], "tags": {"name": "Detect Regasm with Network Connection", "analytic_story": ["Suspicious Regsvcs Regasm Activity", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $process_name$ contacting a remote destination was identified on endpoint $Computer$ by user $user$. This behavior is not normal for $process_name$.", "mitre_attack_id": ["T1218", "T1218.009"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventID", "dest_ip", "process_name", "Computer", "user", "src_ip", "dest_host", "dest_ip"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.009", "mitre_attack_technique": "Regsvcs/Regasm", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_regasm_with_network_connection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_regasm_with_network_connection.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Detect Regasm with no Command Line Arguments", "id": "c3bc1430-04e7-4178-835f-047d8e6e97df", "version": 3, "date": "2022-03-15", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies regasm.exe with no command line arguments. This particular behavior occurs when another process injects into regasm.exe, no command line arguments will be present. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Regasm.exe are natively found in `C:\\Windows\\Microsoft.NET\\Framework\\v*\\regasm|regsvcs.exe` and `C:\\Windows\\Microsoft.NET\\Framework64\\v*\\regasm|regsvcs.exe`.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_regasm` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(regasm\\.exe.{0,4}$)\" | `detect_regasm_with_no_command_line_arguments_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Although unlikely, limited instances of regasm.exe or may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md", "https://lolbas-project.github.io/lolbas/Binaries/Regasm/"], "tags": {"name": "Detect Regasm with no Command Line Arguments", "analytic_story": ["Suspicious Regsvcs Regasm Activity", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "The process $process_name$ was spawned by $parent_process_name$ without any command-line arguments on $dest$ by $user$.", "mitre_attack_id": ["T1218", "T1218.009"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.009", "mitre_attack_technique": "Regsvcs/Regasm", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_regasm", "definition": "(Processes.process_name=regasm.exe OR Processes.original_file_name=RegAsm.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "detect_regasm_with_no_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect Regsvcs Spawning a Process", "id": "bc477b57-5c21-4ab6-9c33-668772e7f114", "version": 1, "date": "2021-02-12", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies regsvcs.exe spawning a process. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. Spawning of a child process is rare from either process and should be investigated further. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. regsvcs.exe and regasm.exe are natively found in C:\\Windows\\Microsoft.NET\\Framework\\v*\\regasm|regsvcs.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v*\\regasm|regsvcs.exe.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=regsvcs.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regsvcs_spawning_a_process_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Although unlikely, limited instances of regasm.exe or regsvcs.exe may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/"], "tags": {"name": "Detect Regsvcs Spawning a Process", "analytic_story": ["Suspicious Regsvcs Regasm Activity", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ typically not normal for this process.", "mitre_attack_id": ["T1218", "T1218.009"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.parent_process_name", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.009", "mitre_attack_technique": "Regsvcs/Regasm", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_regsvcs_spawning_a_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_regsvcs_spawning_a_process.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect Regsvcs with Network Connection", "id": "e3e7a1c0-f2b9-445c-8493-f30a63522d1a", "version": 2, "date": "2022-02-18", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies Regsvcs.exe with a network connection to a public IP address, exluding private IP space. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. By contacting a remote Command And Control server, the adversary will have the ability to escalate privileges and complete the objectives. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. Review the reputation of the remote IP or domain and block as needed. regsvcs.exe and regasm.exe are natively found in C:\\Windows\\Microsoft.NET\\Framework\\v*\\regasm|regsvcs.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v*\\regasm|regsvcs.exe.", "data_source": ["Sysmon Event ID 3"], "search": "`sysmon` EventID=3 dest_ip!=10.0.0.0/12 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16 process_name=regsvcs.exe | rename Computer as dest | stats count min(_time) as firstTime max(_time) as lastTime by dest, user, process_name, src_ip, dest_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regsvcs_with_network_connection_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Although unlikely, limited instances of regsvcs.exe may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/"], "tags": {"name": "Detect Regsvcs with Network Connection", "analytic_story": ["Suspicious Regsvcs Regasm Activity", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $process_name$ contacting a remote destination was identified on endpoint $Computer$ by user $user$. This behavior is not normal for $process_name$.", "mitre_attack_id": ["T1218", "T1218.009"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventID", "dest_ip", "process_name", "Computer", "user", "src_ip", "dest_host"], "risk_score": 80, "security_domain": "Endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.009", "mitre_attack_technique": "Regsvcs/Regasm", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_regsvcs_with_network_connection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_regsvcs_with_network_connection.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Detect Regsvcs with No Command Line Arguments", "id": "6b74d578-a02e-4e94-a0d1-39440d0bf254", "version": 3, "date": "2022-03-15", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies regsvcs.exe with no command line arguments. This particular behavior occurs when another process injects into regsvcs.exe, no command line arguments will be present. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Regasm.exe are natively found in C:\\Windows\\Microsoft.NET\\Framework\\v*\\regasm|regsvcs.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v*\\regasm|regsvcs.exe.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_regsvcs` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(regsvcs\\.exe.{0,4}$)\"| `detect_regsvcs_with_no_command_line_arguments_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Although unlikely, limited instances of regsvcs.exe may cause a false positive. Filter based endpoint usage, command line arguments, or process lineage.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/"], "tags": {"name": "Detect Regsvcs with No Command Line Arguments", "analytic_story": ["Suspicious Regsvcs Regasm Activity", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "The process $process_name$ was spawned by $parent_process_name$ without any command-line arguments on $dest$ by $user$.", "mitre_attack_id": ["T1218", "T1218.009"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.009", "mitre_attack_technique": "Regsvcs/Regasm", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_regsvcs", "definition": "(Processes.process_name=regsvcs.exe OR Processes.original_file_name=RegSvcs.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "detect_regsvcs_with_no_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect Regsvr32 Application Control Bypass", "id": "070e9b80-6252-11eb-ae93-0242ac130002", "version": 2, "date": "2023-06-13", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.This variation of the technique is often referred to as a \"Squiblydoo\" attack. \\\nUpon investigating, look for network connections to remote destinations (internal or external). Be cautious to modify the query to look for \"scrobj.dll\", the \".dll\" is not required to load scrobj. \"scrobj.dll\" will be loaded by \"regsvr32.exe\" upon execution. ", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` Processes.process=*scrobj* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_regsvr32_application_control_bypass_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Limited false positives related to third party software registering .DLL's.", "references": ["https://attack.mitre.org/techniques/T1218/010/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/", "https://support.microsoft.com/en-us/topic/how-to-use-the-regsvr32-tool-and-troubleshoot-regsvr32-error-messages-a98d960a-7392-e6fe-d90a-3f4e0cb543e5"], "tags": {"name": "Detect Regsvr32 Application Control Bypass", "analytic_story": ["Cobalt Strike", "Living Off The Land", "Suspicious Regsvr32 Activity", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ in an attempt to bypass detection and preventative controls was identified on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1218", "T1218.010"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.010/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_regsvr32", "definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_regsvr32_application_control_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_regsvr32_application_control_bypass.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect Renamed 7-Zip", "id": "4057291a-b8cf-11eb-95fe-acde48001122", "version": 2, "date": "2021-09-16", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies renamed 7-Zip usage using Sysmon. At this stage of an attack, review parallel processes and file modifications for data that is staged or potentially have been exfiltrated. This analytic utilizes the OriginalFileName to capture the renamed process. During triage, validate this is the legitimate version of `7zip` by reviewing the PE metadata. In addition, review parallel processes for further suspicious behavior.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.original_file_name=7z*.exe AND Processes.process_name!=7z*.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_7_zip_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Limited false positives, however this analytic will need to be modified for each environment if Sysmon is not used.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"], "tags": {"name": "Detect Renamed 7-Zip", "analytic_story": ["Collection and Staging"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ by $user$.", "mitre_attack_id": ["T1560.001", "T1560"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 27, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "Turla", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_renamed_7_zip_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_renamed_7_zip.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect Renamed PSExec", "id": "683e6196-b8e8-11eb-9a79-acde48001122", "version": 4, "date": "2022-04-07", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies renamed instances of `PsExec.exe` being utilized on an endpoint. Most instances, it is highly probable to capture `Psexec.exe` or other SysInternal utility usage with the command-line argument of `-accepteula`. During triage, validate this is the legitimate version of `PsExec` by reviewing the PE metadata. In addition, review parallel processes for further suspicious behavior.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name!=psexec.exe OR Processes.process_name!=psexec64.exe) AND Processes.original_file_name=psexec.c by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_psexec_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Limited false positives should be present. It is possible some third party applications may use older versions of PsExec, filter as needed.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.yaml", "https://redcanary.com/blog/threat-hunting-psexec-lateral-movement/"], "tags": {"name": "Detect Renamed PSExec", "analytic_story": ["SamSam Ransomware", "DHS Report TA18-074A", "HAFNIUM Group", "DarkSide Ransomware", "Active Directory Lateral Movement", "CISA AA22-320A", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 30, "kill_chain_phases": ["Installation"], "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ by $user$.", "mitre_attack_id": ["T1569", "T1569.002"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 27, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_renamed_psexec_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_renamed_psexec.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect Renamed RClone", "id": "6dca1124-b3ec-11eb-9328-acde48001122", "version": 2, "date": "2021-09-16", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies the usage of `rclone.exe`, renamed, being used to exfiltrate data to a remote destination. RClone has been used by multiple ransomware groups to exfiltrate data. In many instances, it will be downloaded from the legitimate site and executed accordingly. During triage, isolate the endpoint and begin to review parallel processes for additional behavior. At this stage, the adversary may have staged data to be exfiltrated.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.original_file_name=rclone.exe AND Processes.process_name!=rclone.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_rclone_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited as this analytic identifies renamed instances of `rclone.exe`. Filter as needed if there is a legitimate business use case.", "references": ["https://redcanary.com/blog/rclone-mega-extortion/", "https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/"], "tags": {"name": "Detect Renamed RClone", "analytic_story": ["DarkSide Ransomware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 30, "kill_chain_phases": ["Actions on Objectives"], "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ by $user$.", "mitre_attack_id": ["T1020"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 27, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1020", "mitre_attack_technique": "Automated Exfiltration", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Gamaredon Group", "Ke3chang", "Sidewinder", "Tropic Trooper"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1020/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_renamed_rclone_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_renamed_rclone.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect Renamed WinRAR", "id": "1b7bfb2c-b8e6-11eb-99ac-acde48001122", "version": 3, "date": "2021-09-16", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following analtyic identifies renamed instances of `WinRAR.exe`. In most cases, it is not common for WinRAR to be used renamed, however it is common to be installed by a third party application and executed from a non-standard path. During triage, validate additional metadata from the binary that this is `WinRAR`. Review parallel processes and file modifications.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.original_file_name=WinRAR.exe (Processes.process_name!=rar.exe OR Processes.process_name!=winrar.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_winrar_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Unknown. It is possible third party applications use renamed instances of WinRAR.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"], "tags": {"name": "Detect Renamed WinRAR", "analytic_story": ["Collection and Staging", "CISA AA22-277A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$ on $dest$ by $user$.", "mitre_attack_id": ["T1560.001", "T1560"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 27, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "Turla", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_renamed_winrar_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_renamed_winrar.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect RTLO In File Name", "id": "468b7e11-d362-43b8-b6ec-7a2d3b246678", "version": 2, "date": "2023-04-26", "author": "Steven Dick", "type": "TTP", "status": "production", "description": "This search is used to detect the abuse of the right-to-left override (RTLO or RLO) character (U+202E) RTLO. This technique is used by adversaries to disguise a string and/or file name to make it appear benign. The RTLO character is a non-printing Unicode character that causes the text that follows it to be displayed in reverse.", "data_source": ["Sysmon Event ID 11", "Sysmon Event ID 23", "Sysmon Event ID 26"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.file_create_time) as file_create_time from datamodel=Endpoint.Filesystem where Filesystem.file_name!=unknown by Filesystem.dest Filesystem.user Filesystem.process_id Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex file_name = \"\\\\x{202E}\" | rex field=file_name \"(?.+)(?\\\\x{202E})(?.+)\" | eval file_name_with_RTLO=file_name | eval file_name=RTLO_file_1.RTLO_file_2 | fields - RTLO* | `detect_rtlo_in_file_name_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that includes the full command line of the process being launched on your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Implementation in regions that use right to left in native language.", "references": ["https://attack.mitre.org/techniques/T1036/002/", "https://resources.infosecinstitute.com/topic/spoof-using-right-to-left-override-rtlo-technique-2/", "https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html"], "tags": {"name": "Detect RTLO In File Name", "analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Suspicious RTLO detected in $file_name$ on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1036.002", "T1036"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.dest", "Filesystem.user", "Filesystem.file_name", "Filesystem.file_path", "Filesystem.process_id"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036.002", "mitre_attack_technique": "Right-to-Left Override", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["BRONZE BUTLER", "BlackTech", "Ferocious Kitten", "Ke3chang", "Scarlet Mimic"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.002/outlook_attachment/rtlo_events.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_rtlo_in_file_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_rtlo_in_file_name.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect RTLO In Process", "id": "22ac27b4-7189-4a4f-9375-b9017c9620d7", "version": 2, "date": "2023-04-26", "author": "Steven Dick", "type": "TTP", "status": "production", "description": "This search is used to detect the abuse of the right-to-left override (RTLO or RLO) character (U+202E) RTLO. This technique is used by adversaries to disguise a string and/or file name to make it appear benign. The RTLO character is a non-printing Unicode character that causes the text that follows it to be displayed in reverse.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process!=unknown AND Processes.action=allowed by Processes.dest Processes.user Processes.original_file_name Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | regex process=\"\\\\x{202E}\" | rex field=process \"(?.+)(?\\\\x{202E})(?.+)\" | eval process_with_RTLO=process | eval process=RTLO_command_1.RTLO_command_2 | fields - RTLO* | `detect_rtlo_in_process_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that includes the full command line of the process being launched on your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Implementation in regions that use right to left in native language.", "references": ["https://attack.mitre.org/techniques/T1036/002/", "https://resources.infosecinstitute.com/topic/spoof-using-right-to-left-override-rtlo-technique-2/", "https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html"], "tags": {"name": "Detect RTLO In Process", "analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Suspicious RTLO detected in $process_name$ on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1036.002", "T1036"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.process_guid", "Processes.parent_process_id", "Processes.parent_process_name", "Processes.parent_process"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036.002", "mitre_attack_technique": "Right-to-Left Override", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["BRONZE BUTLER", "BlackTech", "Ferocious Kitten", "Ke3chang", "Scarlet Mimic"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.002/outlook_attachment/rtlo_events.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_rtlo_in_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_rtlo_in_process.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect Rundll32 Application Control Bypass - advpack", "id": "4aefadfe-9abd-4bf8-b3fd-867e9ef95bf8", "version": 2, "date": "2021-02-04", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies rundll32.exe loading advpack.dll and ieadvpack.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur - clr.dll, jscript.dll and scrobj.dll. During investigation, identify script content origination. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*advpack* by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rundll32_application_control_bypass___advpack_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Although unlikely, some legitimate applications may use advpack.dll or ieadvpack.dll, triggering a false positive.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", "https://lolbas-project.github.io/lolbas/Libraries/Advpack/", "https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/"], "tags": {"name": "Detect Rundll32 Application Control Bypass - advpack", "analytic_story": ["Suspicious Rundll32 Activity", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ loading advpack.dll and ieadvpack.dll by calling the LaunchINFSection function on the command line was identified on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1218", "T1218.011"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "detect_rundll32_application_control_bypass___advpack_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect Rundll32 Application Control Bypass - setupapi", "id": "61e7b44a-6088-4f26-b788-9a96ba13b37a", "version": 2, "date": "2021-02-04", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies rundll32.exe loading setupapi.dll and iesetupapi.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur - clr.dll, jscript.dll and scrobj.dll. During investigation, identify script content origination. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*setupapi* by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rundll32_application_control_bypass___setupapi_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Although unlikely, some legitimate applications may use setupapi triggering a false positive.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/", "https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/"], "tags": {"name": "Detect Rundll32 Application Control Bypass - setupapi", "analytic_story": ["Suspicious Rundll32 Activity", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ loading setupapi.dll and iesetupapi.dll by calling the LaunchINFSection function on the command line was identified on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1218", "T1218.011"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "detect_rundll32_application_control_bypass___setupapi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect Rundll32 Application Control Bypass - syssetup", "id": "71b9bf37-cde1-45fb-b899-1b0aa6fa1183", "version": 2, "date": "2021-02-04", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies rundll32.exe loading syssetup.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur - clr.dll, jscript.dll and scrobj.dll. During investigation, identify script content origination. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*syssetup* by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rundll32_application_control_bypass___syssetup_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Although unlikely, some legitimate applications may use syssetup.dll, triggering a false positive.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", "https://lolbas-project.github.io/lolbas/Libraries/Syssetup/", "https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/"], "tags": {"name": "Detect Rundll32 Application Control Bypass - syssetup", "analytic_story": ["Suspicious Rundll32 Activity", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ loading syssetup.dll by calling the LaunchINFSection function on the command line was identified on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1218", "T1218.011"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "detect_rundll32_application_control_bypass___syssetup_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect Rundll32 Inline HTA Execution", "id": "91c79f14-5b41-11eb-ae93-0242ac130002", "version": 2, "date": "2021-01-20", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies \"rundll32.exe\" execution with inline protocol handlers. \"JavaScript\", \"VBScript\", and \"About\" are the only supported options when invoking HTA content directly on the command-line. This type of behavior is commonly observed with fileless malware or application whitelisting bypass techniques. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process \"rundll32.exe\" and its parent process.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` (Processes.process=*vbscript* OR Processes.process=*javascript* OR Processes.process=*about*) by Processes.user Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_rundll32_inline_hta_execution_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.", "references": ["https://github.com/redcanaryco/AtomicTestHarnesses", "https://redcanary.com/blog/introducing-atomictestharnesses/", "https://docs.microsoft.com/en-us/windows/win32/search/-search-3x-wds-extidx-prot-implementing"], "tags": {"name": "Detect Rundll32 Inline HTA Execution", "analytic_story": ["Suspicious MSHTA Activity", "NOBELIUM Group", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Suspicious rundll32.exe inline HTA execution on $dest$", "mitre_attack_id": ["T1218", "T1218.005"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "detect_rundll32_inline_hta_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_rundll32_inline_hta_execution.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect SharpHound Command-Line Arguments", "id": "a0bdd2f6-c2ff-11eb-b918-acde48001122", "version": 1, "date": "2021-06-01", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies common command-line arguments used by SharpHound `-collectionMethod` and `invoke-bloodhound`. Being the script is FOSS, function names may be modified, but these changes are dependent upon the operator. In most instances the defaults are used. This analytic works to identify the common command-line attributes used. It does not cover the entirety of every argument in order to avoid false positives.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*-collectionMethod*\",\"*invoke-bloodhound*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_command_line_arguments_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "False positives should be limited as the arguments used are specific to SharpHound. Filter as needed or add more command-line arguments as needed.", "references": ["https://attack.mitre.org/software/S0521/", "https://thedfirreport.com/?s=bloodhound", "https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors", "https://github.com/BloodHoundAD/SharpHound3", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md#atomic-test-2---run-bloodhound-from-local-disk"], "tags": {"name": "Detect SharpHound Command-Line Arguments", "analytic_story": ["Discovery Techniques", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Possible SharpHound command-Line arguments identified on $dest$", "mitre_attack_id": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "admin@338"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/sharphound/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_sharphound_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_sharphound_command_line_arguments.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect SharpHound File Modifications", "id": "42b4b438-beed-11eb-ba1d-acde48001122", "version": 2, "date": "2022-10-09", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "SharpHound is used as a reconnaissance collector, ingestor, for BloodHound. SharpHound will query the domain controller and begin gathering all the data related to the domain and trusts. For output, it will drop a .zip file upon completion following a typical pattern that is often not changed. This analytic focuses on the default file name scheme. Note that this may be evaded with different parameters within SharpHound, but that depends on the operator. `-randomizefilenames` and `-encryptzip` are two examples. In addition, executing SharpHound via .exe or .ps1 without any command-line arguments will still perform activity and dump output to the default filename. Example default filename `20210601181553_BloodHound.zip`. SharpHound creates multiple temp files following the same pattern `20210601182121_computers.json`, `domains.json`, `gpos.json`, `ous.json` and `users.json`. Tuning may be required, or remove these json's entirely if it is too noisy. During traige, review parallel processes for further suspicious behavior. Typically, the process executing the `.ps1` ingestor will be PowerShell.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*bloodhound.zip\", \"*_computers.json\", \"*_gpos.json\", \"*_domains.json\", \"*_users.json\", \"*_groups.json\", \"*_ous.json\", \"*_containers.json\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_file_modifications_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on file modifications that include the name of the process, and file, responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "False positives should be limited as the analytic is specific to a filename with extension .zip. Filter as needed.", "references": ["https://attack.mitre.org/software/S0521/", "https://thedfirreport.com/?s=bloodhound", "https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors", "https://github.com/BloodHoundAD/SharpHound3", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md#atomic-test-2---run-bloodhound-from-local-disk"], "tags": {"name": "Detect SharpHound File Modifications", "analytic_story": ["Discovery Techniques", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Potential SharpHound file modifications identified on $dest$", "mitre_attack_id": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "file_path", "dest", "file_name", "process_id", "file_create_time"], "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "admin@338"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/sharphound/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_sharphound_file_modifications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_sharphound_file_modifications.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect SharpHound Usage", "id": "dd04b29a-beed-11eb-87bc-acde48001122", "version": 2, "date": "2021-05-27", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies SharpHound binary usage by using the original filena,e. In addition to renaming the PE, other coverage is available to detect command-line arguments. This particular analytic looks for the original_file_name of `SharpHound.exe` and the process name. It is possible older instances of SharpHound.exe have different original filenames. Dependent upon the operator, the code may be re-compiled and the attributes removed or changed to anything else. During triage, review the metadata of the binary in question. Review parallel processes for suspicious behavior. Identify the source of this binary.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=sharphound.exe OR Processes.original_file_name=SharpHound.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_usage_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited as this is specific to a file attribute not used by anything else. Filter as needed.", "references": ["https://attack.mitre.org/software/S0521/", "https://thedfirreport.com/?s=bloodhound", "https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors", "https://github.com/BloodHoundAD/SharpHound3", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md#atomic-test-2---run-bloodhound-from-local-disk"], "tags": {"name": "Detect SharpHound Usage", "analytic_story": ["Discovery Techniques", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Potential SharpHound binary identified on $dest$", "mitre_attack_id": ["T1087.002", "T1069.001", "T1482", "T1087.001", "T1087", "T1069.002", "T1069"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "admin@338"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/sharphound/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_sharphound_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_sharphound_usage.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect suspicious processnames using pretrained model in DSDL", "id": "a15f8977-ad7d-4669-92ef-b59b97219bf5", "version": 1, "date": "2023-01-23", "author": "Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk", "type": "Anomaly", "status": "experimental", "description": "The following analytic uses a pre-trained Deep Learning model to predict whether a processname is suspicious or not. Malwares and malicious programs such as ransomware often use tactics, techniques, and procedures (TTPs) such as copying malicious files to the local machine to propagate themselves across the network. A key indicator of compromise is that after a successful execution of the malware, it copies itself as an executable file with a randomly generated filename and places this file in one of the directories. Such techniques are seen in several malwares such as TrickBot. We develop machine learning model that uses a Recurrent Neural Network (RNN) to distinguish between malicious and benign processnames. The model is trained independently and is then made available for download. We use a character level RNN to classify malicious vs. benign processnames. The higher is_malicious_prob, the more likely is the processname to be suspicious (between [0,1]). The threshold for flagging a processname as suspicious is set as 0.5.", "data_source": ["Sysmon Event Code 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.process_name Processes.parent_process_name Processes.process Processes.user Processes.dest | `drop_dm_object_name(Processes)` | rename process_name as text | fields text, parent_process_name, process, user, dest | apply detect_suspicious_processnames_using_pretrained_model_in_dsdl | rename predicted_label as is_suspicious_score | rename text as process_name | where is_suspicious_score > 0.5 | `detect_suspicious_processnames_using_pretrained_model_in_dsdl_filter`", "how_to_implement": "Steps to deploy detect suspicious processnames model into Splunk App DSDL. This detection depends on the Splunk app for Data Science and Deep Learning which can be found here - `https://splunkbase.splunk.com/app/4607/` and the Endpoint datamodel. The detection uses a pre-trained deep learning model that needs to be deployed in the DSDL app. Follow the steps for deployment here - `https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU`.\\\n* Download the `artifacts .tar.gz` file from the link - `https://seal.splunkresearch.com/detect_suspicious_processnames_using_pretrained_model_in_dsdl.tar.gz`.\\\n* Download the `detect_suspicious_processnames_using_pretrained_model_in_dsdl.ipynb` Jupyter notebook from the link - `https://github.com/splunk/security_content/notebooks`.\\\n* Login to the Jupyter Lab assigned for `detect_suspicious_processnames_using_pretrained_model_in_dsdl` container. This container should be listed on Containers page for DSDL app.\\\n* Follow the steps below inside Jupyter Notebook:\\\n* Upload the `detect_suspicious_processnames_using_pretrained_model_in_dsdl.tar.gz` file into `app/model/data/detect_suspicious_processnames_using_pretrained_model_in_dsdl/` path using the upload option in the Jupyter Notebook.\\\n* Untar the artifact `detect_suspicious_processnames_using_pretrained_model_in_dsdl.tar.gz` using `tar -xf app/model/data/detect_suspicious_processnames_using_pretrained_model_in_dsdl.tar.gz -C app/model/data/detect_suspicious_processnames_using_pretrained_model_in_dsdl/`.\\\n* Upload `detect_suspicious_processnames_using_pretrained_model_in_dsdl.ipynb` into the Jupyter Notebooks folder using the upload option in Jupyter Notebook.\\\n* Save the notebook using the save option in Jupyter Notebook.\\\n* Upload `detect_suspicious_processnames_using_pretrained_model_in_dsdl.json` into `notebooks/data` folder.", "known_false_positives": "False positives may be present if a suspicious processname is similar to a benign processname.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa20-302a", "https://www.splunk.com/en_us/blog/security/random-words-on-entropy-and-dns.html"], "tags": {"name": "Detect suspicious processnames using pretrained model in DSDL", "analytic_story": ["Suspicious Command-Line Executions"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Installation"], "message": "The process $process$ is running from an unusual place by $user$ on $dest$ with a processname that appears to be randomly generated.", "mitre_attack_id": ["T1059"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.parent_process_name", "Processes.process_name", "Processes.parent_process", "Processes.user", "Processes.dest"], "risk_score": 45, "security_domain": "Endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_suspicious_processnames_using_pretrained_model_in_dsdl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect Use of cmd exe to Launch Script Interpreters", "id": "b89919ed-fe5f-492c-b139-95dbb162039e", "version": 4, "date": "2020-07-21", "author": "Bhavin Patel, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This search looks for the execution of the cscript.exe or wscript.exe processes, with a parent of cmd.exe. The search will return the count, the first and last time this execution was seen on a machine, the user, and the destination of the machine", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process) min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=\"cmd.exe\" (Processes.process_name=cscript.exe OR Processes.process_name =wscript.exe) by Processes.parent_process Processes.process_name Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `detect_use_of_cmd_exe_to_launch_script_interpreters_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Some legitimate applications may exhibit this behavior.", "references": [], "tags": {"name": "Detect Use of cmd exe to Launch Script Interpreters", "analytic_story": ["Emotet Malware DHS Report TA18-201A ", "Suspicious Command-Line Executions", "Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation"], "message": "cmd.exe launching script interpreters on $dest$", "mitre_attack_id": ["T1059", "T1059.003"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.parent_process_name", "Processes.process_name", "Processes.parent_process", "Processes.user", "Processes.dest"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/cmd_spawns_cscript/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_use_of_cmd_exe_to_launch_script_interpreters_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect Webshell Exploit Behavior", "id": "22597426-6dbd-49bd-bcdc-4ec19857192f", "version": 2, "date": "2023-04-26", "author": "Steven Dick", "type": "TTP", "status": "production", "description": "This search is used to detect the abuse of web applications by adversaries. Adversaries may install a backdoor or script onto web servers by exploiting known vulnerabilities or misconfigruations. Web shells are used to establish persistent access to systems and provide a set of executable functions or a command-line interface on the system hosting the Web server.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime from datamodel=Endpoint.Processes where (Processes.process_name IN (\"arp.exe\",\"at.exe\",\"bash.exe\",\"bitsadmin.exe\",\"certutil.exe\",\"cmd.exe\",\"cscript.exe\", \"dsget.exe\",\"dsquery.exe\",\"find.exe\",\"findstr.exe\",\"fsutil.exe\",\"hostname.exe\",\"ipconfig.exe\",\"ksh.exe\",\"nbstat.exe\", \"net.exe\",\"net1.exe\",\"netdom.exe\",\"netsh.exe\",\"netstat.exe\",\"nltest.exe\",\"nslookup.exe\",\"ntdsutil.exe\",\"pathping.exe\", \"ping.exe\",\"powershell.exe\",\"pwsh.exe\",\"qprocess.exe\",\"query.exe\",\"qwinsta.exe\",\"reg.exe\",\"rundll32.exe\",\"sc.exe\", \"scrcons.exe\",\"schtasks.exe\",\"sh.exe\",\"systeminfo.exe\",\"tasklist.exe\",\"tracert.exe\",\"ver.exe\",\"vssadmin.exe\", \"wevtutil.exe\",\"whoami.exe\",\"wmic.exe\",\"wscript.exe\",\"wusa.exe\",\"zsh.exe\") AND Processes.parent_process_name IN (\"w3wp.exe\", \"http*.exe\", \"nginx*.exe\", \"php*.exe\", \"php-cgi*.exe\",\"tomcat*.exe\")) by Processes.dest,Processes.user,Processes.parent_process,Processes.parent_process_name,Processes.process,Processes.process_name | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_webshell_exploit_behavior_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that includes the full command line of the process being launched on your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Legitimate OS functions called by vendor applications, baseline the environment and filter before enabling. Recommend throttle by dest/process_name", "references": ["https://attack.mitre.org/techniques/T1505/003/", "https://github.com/nsacyber/Mitigating-Web-Shells", "https://www.hackingarticles.in/multiple-ways-to-exploit-tomcat-manager/"], "tags": {"name": "Detect Webshell Exploit Behavior", "analytic_story": ["ProxyShell", "ProxyNotShell", "HAFNIUM Group", "CISA AA22-257A", "CISA AA22-264A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "kill_chain_phases": ["Installation"], "message": "Webshell Exploit Behavior - $parent_process_name$ spawned $process_name$ on $dest$.", "mitre_attack_id": ["T1505", "T1505.003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.parent_process_name", "Processes.process", "Processes.process_name"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "supported_tas": ["Splunk_TA_microsoft_sysmon"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.003/generic_webshell_exploit/generic_webshell_exploit.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_webshell_exploit_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [{"name": "Splunk Add-on for Sysmon", "url": "https://splunkbase.splunk.com/app/5709"}], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_webshell_exploit_behavior.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect WMI Event Subscription Persistence", "id": "01d9a0c2-cece-11eb-ab46-acde48001122", "version": 1, "date": "2021-06-16", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of WMI Event Subscription to establish persistence or perform privilege escalation. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges. This analytic is restricted by commonly added process execution and a path. If the volume is low enough, remove the values and flag on any new subscriptions.\\\nAll event subscriptions have three components \\\n1. Filter - WQL Query for the events we want. EventID equals 19 \\\n1. Consumer - An action to take upon triggering the filter. EventID equals 20 \\\n1. Binding - Registers a filter to a consumer. EventID equals 21 \\\nMonitor for the creation of new WMI EventFilter, EventConsumer, and FilterToConsumerBinding. It may be pertinent to review all 3 to identify the flow of execution. In addition, EventCode 4104 may assist with any other PowerShell script usage that registered the subscription.", "data_source": ["Sysmon Event ID 20"], "search": "`sysmon` EventID=20 | stats count min(_time) as firstTime max(_time) as lastTime by Computer User Destination | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_wmi_event_subscription_persistence_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with that provide WMI Event Subscription from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA and have enabled EventID 19, 20 and 21. Tune and filter known good to limit the volume.", "known_false_positives": "It is possible some applications will create a consumer and may be required to be filtered. For tuning, add any additional LOLBin's for further depth of coverage.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md", "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", "https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/WMI-events.md", "https://in.security/2019/04/03/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/"], "tags": {"name": "Detect WMI Event Subscription Persistence", "analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "Possible malicious WMI Subscription created on $dest$", "mitre_attack_id": ["T1546.003", "T1546"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Destination", "Computer", "User"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.003", "mitre_attack_technique": "Windows Management Instrumentation Event Subscription", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT33", "Blue Mockingbird", "FIN8", "Leviathan", "Metador", "Mustang Panda", "Turla"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.003/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_wmi_event_subscription_persistence_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detect_wmi_event_subscription_persistence.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Detection of tools built by NirSoft", "id": "3d8d201c-aa03-422d-b0ee-2e5ecf9718c0", "version": 3, "date": "2020-07-21", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "experimental", "description": "This search looks for specific command-line arguments that may indicate the execution of tools made by Nirsoft, which are legitimate, but may be abused by attackers.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process=\"* /stext *\" OR Processes.process=\"* /scomma *\" ) by Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `detection_of_tools_built_by_nirsoft_filter`", "how_to_implement": "You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "While legitimate, these NirSoft tools are prone to abuse. You should verfiy that the tool was used for a legitimate purpose.", "references": [], "tags": {"name": "Detection of tools built by NirSoft", "analytic_story": ["Emotet Malware DHS Report TA18-201A "], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "message": "tbd", "mitre_attack_id": ["T1072"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.parent_process", "Processes.process_name", "Processes.user"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1072", "mitre_attack_technique": "Software Deployment Tools", "mitre_attack_tactics": ["Execution", "Lateral Movement"], "mitre_attack_groups": ["APT32", "Sandworm Team", "Silence", "Threat Group-1314"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detection_of_tools_built_by_nirsoft_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/detection_of_tools_built_by_nirsoft.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disable AMSI Through Registry", "id": "9c27ec42-d338-11eb-9044-acde48001122", "version": 4, "date": "2023-04-11", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "this search is to identify modification in registry to disable AMSI windows feature to evade detections. This technique was seen in several ransomware, RAT and even APT to impaire defenses of the compromise machine and to be able to execute payload with minimal alert as much as possible.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\" Registry.registry_value_data = \"0x00000000\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_amsi_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "network operator may disable this feature of windows but not so common.", "references": ["https://blog.f-secure.com/hunting-for-amsi-bypasses/", "https://gist.github.com/rxwx/8955e5abf18dc258fd6b43a3a7f4dbf9"], "tags": {"name": "Disable AMSI Through Registry", "analytic_story": ["Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Disable AMSI Through Registry", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_amsi_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disable_amsi_through_registry.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disable Defender AntiVirus Registry", "id": "aa4f695a-3024-11ec-9987-acde48001122", "version": 4, "date": "2023-04-11", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This particular behavior is typically executed when an adversary or malware gains access to an endpoint and begins to perform execution and to evade detections. Usually, a batch (.bat) file will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Policies\\\\Microsoft\\\\Windows Defender*\" Registry.registry_value_name IN (\"DisableAntiSpyware\",\"DisableAntiVirus\") Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_antivirus_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable windows defender product", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"name": "Disable Defender AntiVirus Registry", "analytic_story": ["IcedID", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_defender_antivirus_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disable_defender_antivirus_registry.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disable Defender BlockAtFirstSeen Feature", "id": "2dd719ac-3021-11ec-97b4-acde48001122", "version": 4, "date": "2023-04-11", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is intended to detect a suspicious modification of the Windows registry to disable a Windows Defender feature. This technique is intended to bypass or evade detection from Windows Defender AV, specifically the BlockAtFirstSeen feature where it blocks suspicious files the first time seen on the host.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Microsoft\\\\Windows Defender\\\\SpyNet*\" Registry.registry_value_name = DisableBlockAtFirstSeen Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_blockatfirstseen_feature_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable windows defender product", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"name": "Disable Defender BlockAtFirstSeen Feature", "analytic_story": ["IcedID", "Windows Registry Abuse", "Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_defender_blockatfirstseen_feature_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disable_defender_blockatfirstseen_feature.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disable Defender Enhanced Notification", "id": "dc65678c-301f-11ec-8e30-acde48001122", "version": 3, "date": "2022-11-14", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is intended to detect a suspicious modification of registry to disable windows defender features. This technique attempts to bypass or evade detection from Windows Defender AV, specifically the Enhanced Notification feature where a user or admin would receive alerts.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*Microsoft\\\\Windows Defender\\\\Reporting*\" Registry.registry_value_name = DisableEnhancedNotifications Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_antivirus_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "user may choose to disable windows defender AV", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"name": "Disable Defender Enhanced Notification", "analytic_story": ["IcedID", "Windows Registry Abuse", "Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.user", "Processes.dest", "Processes.process_id", "Processes.process_name", "Processes.process", "Processes.process_path", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_guid", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_defender_enhanced_notification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disable_defender_enhanced_notification.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disable Defender MpEngine Registry", "id": "cc391750-3024-11ec-955a-acde48001122", "version": 4, "date": "2023-04-11", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This particular behavior is typically executed when an adversary or malware gains access to an endpoint and begins to perform execution and to evade detections. Usually, a batch (.bat) file will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\MpEngine*\" Registry.registry_value_name = MpEnablePus Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_mpengine_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable windows defender product", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"name": "Disable Defender MpEngine Registry", "analytic_story": ["IcedID", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_defender_mpengine_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disable_defender_mpengine_registry.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disable Defender Spynet Reporting", "id": "898debf4-3021-11ec-ba7c-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is intended to detect a suspicious modification of registry to disable Windows Defender feature. This technique is intended to bypass or evade detection from Windows Defender AV product, specifically the spynet reporting for Defender telemetry.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Microsoft\\\\Windows Defender\\\\SpyNet*\" Registry.registry_value_name = SpynetReporting Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_spynet_reporting_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable windows defender product", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"name": "Disable Defender Spynet Reporting", "analytic_story": ["IcedID", "Windows Registry Abuse", "Azorult", "Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_defender_spynet_reporting_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disable_defender_spynet_reporting.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disable Defender Submit Samples Consent Feature", "id": "73922ff8-3022-11ec-bf5e-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is intended to detect a suspicious modification of the Windows registry to disable a Windows Defender feature. This technique is intended to bypass or evade detection from Windows Defender AV, specifically the feature that submits samples for further analysis.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Microsoft\\\\Windows Defender\\\\SpyNet*\" Registry.registry_value_name = SubmitSamplesConsent Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_submit_samples_consent_feature_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable windows defender product", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"name": "Disable Defender Submit Samples Consent Feature", "analytic_story": ["IcedID", "Windows Registry Abuse", "Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "modified/added/deleted registry entry $Registry.registry_path$ in $dest$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_defender_submit_samples_consent_feature_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disable_defender_submit_samples_consent_feature.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disable ETW Through Registry", "id": "f0eacfa4-d33f-11eb-8f9d-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "this search is to identify modification in registry to disable ETW windows feature to evade detections. This technique was seen in several ransomware, RAT and even APT to impaire defenses of the compromise machine and to be able to execute payload with minimal alert as much as possible.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\ETWEnabled\" Registry.registry_value_data = \"0x00000000\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_etw_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "network operator may disable this feature of windows but not so common.", "references": ["https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/"], "tags": {"name": "Disable ETW Through Registry", "analytic_story": ["Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Disable ETW Through Registry", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_etw_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disable_etw_through_registry.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disable Logs Using WevtUtil", "id": "236e7c8e-c9d9-11eb-a824-acde48001122", "version": 1, "date": "2021-06-10", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect execution of wevtutil.exe to disable logs. This technique was seen in several ransomware to disable the event logs to evade alerts and detections.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"wevtutil.exe\" Processes.process = \"*sl*\" Processes.process = \"*/e:false*\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_logs_using_wevtutil_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "network operator may disable audit event logs for debugging purposes.", "references": ["https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/"], "tags": {"name": "Disable Logs Using WevtUtil", "analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "WevtUtil.exe used to disable Event Logging on $dest", "mitre_attack_id": ["T1070", "T1070.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.dest", "Processes.user", "Processes.process_id", "Processes.process_guid"], "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data1/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_logs_using_wevtutil_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disable_logs_using_wevtutil.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disable Registry Tool", "id": "cd2cf33c-9201-11eb-a10a-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search identifies modification of registry to disable the regedit or registry tools of the windows operating system. Since registry tool is a swiss knife in analyzing registry, malware such as RAT or trojan Spy disable this application to prevent the removal of their registry entry such as persistence, file less components and defense evasion.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableRegistryTools\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_registry_tool_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin may disable this application for non technical user.", "references": ["https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry"], "tags": {"name": "Disable Registry Tool", "analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 40, "kill_chain_phases": ["Exploitation"], "message": "Disabled Registry Tools on $dest$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_registry_tool_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disable_registry_tool.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disable Schedule Task", "id": "db596056-3019-11ec-a9ff-acde48001122", "version": 1, "date": "2021-10-18", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to detect a suspicious commandline to disable existing schedule task. This technique is used by adversaries or commodity malware like IcedID to disable security application (AV products) in the targetted host to evade detections. This TTP is a good pivot to check further why and what other process run before and after this detection. check which process execute the commandline and what task is disabled. parent child process is quite valuable in this scenario too.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe Processes.process=*/change* Processes.process=*/disable* by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_schedule_task_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "admin may disable problematic schedule task", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"name": "Disable Schedule Task", "analytic_story": ["IcedID", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "schtask process with commandline $process$ to disable schedule task in $dest$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.user", "Processes.process_name", "Processes.parent_process_name", "Processes.dest"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_schtask/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_schedule_task_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disable_schedule_task.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disable Security Logs Using MiniNt Registry", "id": "39ebdc68-25b9-11ec-aec7-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to detect a suspicious registry modification to disable security audit logs. This technique was shared by a researcher to disable Security logs of windows by adding this registry. The Windows will think it is WinPE and will not log any event to the Security Log", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\Control\\\\MiniNt\\\\*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_security_logs_using_minint_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "Unknown.", "references": ["https://twitter.com/0gtweet/status/1182516740955226112"], "tags": {"name": "Disable Security Logs Using MiniNt Registry", "analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "modified/added/deleted registry entry $Registry.registry_path$ in $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/minint_reg/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_security_logs_using_minint_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disable_security_logs_using_minint_registry.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disable Show Hidden Files", "id": "6f3ccfa2-91fe-11eb-8f9b-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic is to identify a modification in the Windows registry to prevent users from seeing all the files with hidden attributes. This event or techniques are known on some worm and trojan spy malware that will drop hidden files on the infected machine.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\HideFileExt\" Registry.registry_value_data = \"0x00000001\") OR (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden\" Registry.registry_value_data = \"0x00000000\")) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_show_hidden_files_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "references": ["https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Tiotua-P/detailed-analysis"], "tags": {"name": "Disable Show Hidden Files", "analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse", "Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 40, "kill_chain_phases": ["Exploitation"], "message": "Disabled 'Show Hidden Files' on $dest$", "mitre_attack_id": ["T1564.001", "T1562.001", "T1564", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1564.001", "mitre_attack_technique": "Hidden Files and Directories", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "HAFNIUM", "Lazarus Group", "LuminousMoth", "Mustang Panda", "Rocke", "Transparent Tribe", "Tropic Trooper"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1564", "mitre_attack_technique": "Hide Artifacts", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_show_hidden_files_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disable_show_hidden_files.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disable UAC Remote Restriction", "id": "9928b732-210e-11ec-b65e-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to detect a suspicious modification of registry to disable UAC remote restriction. This technique was well documented in Microsoft page where attacker may modify this registry value to bypassed UAC feature of windows host. This is a good indicator that some tries to bypassed UAC to suspicious process or gain privilege escalation.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\CurrentVersion\\\\Policies\\\\System*\" Registry.registry_value_name=\"LocalAccountTokenFilterPolicy\" Registry.registry_value_data=\"0x00000001\" ) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_uac_remote_restriction_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin may set this policy for non-critical machine.", "references": ["https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/user-account-control-and-remote-restriction"], "tags": {"name": "Disable UAC Remote Restriction", "analytic_story": ["Windows Defense Evasion Tactics", "Suspicious Windows Registry Activities", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "modified/added/deleted registry entry $Registry.registry_path$ in $dest$", "mitre_attack_id": ["T1548.002", "T1548"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/LocalAccountTokenFilterPolicy/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_uac_remote_restriction_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disable_uac_remote_restriction.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disable Windows App Hotkeys", "id": "1490f224-ad8b-11eb-8c4f-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunkk", "type": "TTP", "status": "production", "description": "This analytic detects a suspicious registry modification to disable Windows hotkey (shortcut keys) for native Windows applications. This technique is commonly used to disable certain or several Windows applications like `taskmgr.exe` and `cmd.exe`. This technique is used to impair the analyst in analyzing and removing the attacker implant in compromised systems.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\" AND Registry.registry_value_data= \"HotKey Disabled\" AND Registry.registry_value_name = \"Debugger\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_app_hotkeys_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"name": "Disable Windows App Hotkeys", "analytic_story": ["XMRig", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 40, "kill_chain_phases": ["Exploitation"], "message": "Disabled 'Windows App Hotkeys' on $dest$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guidr"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/hotkey_disabled_hidden_user/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_windows_app_hotkeys_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disable_windows_app_hotkeys.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disable Windows Behavior Monitoring", "id": "79439cae-9200-11eb-a4d3-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to identifies a modification in registry to disable the windows denfender real time behavior monitoring. This event or technique is commonly seen in RAT, bot, or Trojan to disable AV to evade detections.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableBehaviorMonitoring\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableOnAccessProtection\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableScanOnRealtimeEnable\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableRealtimeMonitoring\" OR Registry.registry_path= \"*\\\\Real-Time Protection\\\\DisableIntrusionPreventionSystem\" OR Registry.registry_path= \"*\\\\Real-Time Protection\\\\DisableIOAVProtection\" OR Registry.registry_path= \"*\\\\Real-Time Protection\\\\DisableScriptScanning\" AND Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_behavior_monitoring_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable this windows features.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html"], "tags": {"name": "Disable Windows Behavior Monitoring", "analytic_story": ["Azorult", "Windows Registry Abuse", "Revil Ransomware", "RedLine Stealer", "Ransomware", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 40, "kill_chain_phases": ["Exploitation"], "message": "Windows Defender real time behavior monitoring disabled on $dest", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_windows_behavior_monitoring_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disable_windows_behavior_monitoring.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disable Windows SmartScreen Protection", "id": "664f0fd0-91ff-11eb-a56f-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following search identifies a modification of registry to disable the smartscreen protection of windows machine. This is windows feature provide an early warning system against website that might engage in phishing attack or malware distribution. This modification are seen in RAT malware to cover their tracks upon downloading other of its component or other payload.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\SmartScreenEnabled\" Registry.registry_value_data= \"Off\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_smartscreen_protection_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable this windows features.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html"], "tags": {"name": "Disable Windows SmartScreen Protection", "analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "The Windows Smartscreen was disabled on $dest$ by $user$.", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disable_windows_smartscreen_protection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disable_windows_smartscreen_protection.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disabled Kerberos Pre-Authentication Discovery With Get-ADUser", "id": "114c6bfe-9406-11ec-bcce-acde48001122", "version": 2, "date": "2022-05-03", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADUser` commandlet with specific parameters. `Get-ADUser` is part of the Active Directory PowerShell module used to manage Windows Active Directory networks. As the name suggests, `Get-ADUser` is used to query for domain users. With the appropiate parameters, Get-ADUser allows adversaries to discover domain accounts with Kerberos Pre Authentication disabled.\\ Red Teams and adversaries alike use may abuse Get-ADUSer to enumerate these accounts and attempt to crack their passwords offline.", "data_source": ["Powershell 4104"], "search": " `powershell` EventCode=4104 (ScriptBlockText = \"*Get-ADUser*\" AND ScriptBlockText=\"*4194304*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `disabled_kerberos_pre_authentication_discovery_with_get_aduser_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use search for accounts with Kerberos Pre Authentication disabled for legitimate purposes.", "references": ["https://attack.mitre.org/techniques/T1558/004/", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/"], "tags": {"name": "Disabled Kerberos Pre-Authentication Discovery With Get-ADUser", "analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "Disabled Kerberos Pre-Authentication Discovery With Get-ADUser from $dest$", "mitre_attack_id": ["T1558", "T1558.004"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.004", "mitre_attack_technique": "AS-REP Roasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.004/getaduser/get-aduser-powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "disabled_kerberos_pre_authentication_discovery_with_get_aduser_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Disabled Kerberos Pre-Authentication Discovery With PowerView", "id": "b0b34e2c-90de-11ec-baeb-acde48001122", "version": 2, "date": "2022-05-03", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` commandlet with specific parameters. `Get-DomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows Active Directory networks. As the name suggests, `Get-DomainUser` is used to identify domain users and combining it with `-PreauthNotRequired` allows adversaries to discover domain accounts with Kerberos Pre Authentication disabled.\\ Red Teams and adversaries alike use may leverage PowerView to enumerate these accounts and attempt to crack their passwords offline.", "data_source": ["Powershell 4104"], "search": " `powershell` EventCode=4104 (ScriptBlockText = \"*Get-DomainUser*\" AND ScriptBlockText=\"*PreauthNotRequired*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `disabled_kerberos_pre_authentication_discovery_with_powerview_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use PowerView for troubleshooting", "references": ["https://attack.mitre.org/techniques/T1558/004/", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/"], "tags": {"name": "Disabled Kerberos Pre-Authentication Discovery With PowerView", "analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "Disabled Kerberos Pre-Authentication Discovery With PowerView from $dest$", "mitre_attack_id": ["T1558", "T1558.004"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.004", "mitre_attack_technique": "AS-REP Roasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/getdomainuser.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "disabled_kerberos_pre_authentication_discovery_with_powerview_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_powerview.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Disabling CMD Application", "id": "ff86077c-9212-11eb-a1e6-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "this search is to identify modification in registry to disable cmd prompt application. This technique is commonly seen in RAT, Trojan or WORM to prevent triaging or deleting there samples through cmd application which is one of the tool of analyst to traverse on directory and files.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\DisableCMD\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_cmd_application_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin may disable this application for non technical user.", "references": ["https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry"], "tags": {"name": "Disabling CMD Application", "analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "The Windows command prompt was disabled on $dest$ by $user$.", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disabling_cmd_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disabling_cmd_application.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disabling ControlPanel", "id": "6ae0148e-9215-11eb-a94a-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "this search is to identify registry modification to disable control panel window. This technique is commonly seen in malware to prevent their artifacts , persistence removed on the infected machine.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoControlPanel\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_controlpanel_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin may disable this application for non technical user.", "references": ["https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry"], "tags": {"name": "Disabling ControlPanel", "analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "The Windows Control Panel was disabled on $dest$ by $user$.", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disabling_controlpanel_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disabling_controlpanel.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disabling Defender Services", "id": "911eacdc-317f-11ec-ad30-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This particular behavior is typically executed when an adversaries or malware gains access to an endpoint and beings to perform execution and to evade detections. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\System\\\\CurrentControlSet\\\\Services\\\\*\" AND (Registry.registry_path IN(\"*WdBoot*\", \"*WdFilter*\", \"*WdNisDrv*\", \"*WdNisSvc*\",\"*WinDefend*\", \"*SecurityHealthService*\")) AND Registry.registry_value_name = Start Registry.registry_value_data = 0x00000004) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_defender_services_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable windows defender product", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"name": "Disabling Defender Services", "analytic_story": ["IcedID", "Windows Registry Abuse", "RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon2.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disabling_defender_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disabling_defender_services.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disabling Firewall with Netsh", "id": "6860a62c-9203-11eb-9e05-acde48001122", "version": 2, "date": "2021-03-31", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process= \"*firewall*\" (Processes.process= \"*off*\" OR Processes.process= \"*disable*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_firewall_with_netsh_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "admin may disable firewall during testing or fixing network problem.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html"], "tags": {"name": "Disabling Firewall with Netsh", "analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "The Windows Firewall was disabled on $dest$ by $user$.", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_netsh", "definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "disabling_firewall_with_netsh_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disabling_firewall_with_netsh.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disabling FolderOptions Windows Feature", "id": "83776de4-921a-11eb-868a-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to identify registry modification to disable folder options feature of windows to show hidden files, file extension and etc. This technique used by malware in combination if disabling show hidden files feature to hide their files and also to hide the file extension to lure the user base on file icons or fake file extensions.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoFolderOptions\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_folderoptions_windows_feature_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin may disable this application for non technical user.", "references": ["https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry"], "tags": {"name": "Disabling FolderOptions Windows Feature", "analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "The Windows Folder Options, to hide files, was disabled on $dest$ by $user$.", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disabling_folderoptions_windows_feature_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disabling_folderoptions_windows_feature.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disabling Net User Account", "id": "c0325326-acd6-11eb-98c2-acde48001122", "version": 2, "date": "2021-05-04", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic will identify a suspicious command-line that disables a user account using the `net.exe` utility native to Windows. This technique may used by the adversaries to interrupt availability of such users to do their malicious act.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process=\"*user*\" AND Processes.process=\"*/active:no*\" by Processes.process_name Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_net_user_account_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"name": "Disabling Net User Account", "analytic_story": ["XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified disabling a user account on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1531"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "disabling_net_user_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disabling_net_user_account.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disabling NoRun Windows App", "id": "de81bc46-9213-11eb-adc9-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to identify modification of registry to disable run application in window start menu. this application is known to be a helpful shortcut to windows OS user to run known application and also to execute some reg or batch script. This technique is used malware to make cleaning of its infection more harder by preventing known application run easily through run shortcut.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoRun\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_norun_windows_app_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin may disable this application for non technical user.", "references": ["https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry", "https://blog.malwarebytes.com/detections/pum-optional-norun/"], "tags": {"name": "Disabling NoRun Windows App", "analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "The Windows registry was modified to disable run application in window start menu on $dest$ by $user$.", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disabling_norun_windows_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disabling_norun_windows_app.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disabling Remote User Account Control", "id": "bbc644bc-37df-4e1a-9c88-ec9a53e2038c", "version": 4, "date": "2020-11-18", "author": "David Dorsey, Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "The search looks for modifications to registry keys that control the enforcement of Windows User Account Control (UAC).", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path=*HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA* Registry.registry_value_data=\"0x00000000\" by Registry.dest, Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action | `drop_dm_object_name(Registry)` | `disabling_remote_user_account_control_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report registry modifications.", "known_false_positives": "This registry key may be modified via administrators to implement a change in system policy. This type of change should be a very rare occurrence.", "references": [], "tags": {"name": "Disabling Remote User Account Control", "analytic_story": ["Windows Defense Evasion Tactics", "Suspicious Windows Registry Activities", "Remcos", "Windows Registry Abuse", "Azorult", "AgentTesla"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "The Windows registry keys that control the enforcement of Windows User Account Control (UAC) were modified on $dest$ by $user$.", "mitre_attack_id": ["T1548.002", "T1548"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_path", "Registry.registry_value_name", "Registry.dest", "Registry.registry_key_name", "Registry.user", "Registry.action"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disabling_remote_user_account_control_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disabling_remote_user_account_control.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disabling SystemRestore In Registry", "id": "f4f837e2-91fb-11eb-8bf6-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following search identifies the modification of registry related in disabling the system restore of a machine. This event or behavior are seen in some RAT malware to make the restore of the infected machine difficult and keep their infection on the box.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SystemRestore\\\\DisableSR\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SystemRestore\\\\DisableConfig\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\SystemRestore\\\\DisableSR\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\SystemRestore\\\\DisableConfig\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_systemrestore_in_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "in some cases admin can disable systemrestore on a machine.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html"], "tags": {"name": "Disabling SystemRestore In Registry", "analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "message": "The Windows registry was modified to disable system restore on $dest$ by $user$.", "mitre_attack_id": ["T1490"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disabling_systemrestore_in_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disabling_systemrestore_in_registry.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disabling Task Manager", "id": "dac279bc-9202-11eb-b7fb-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to identifies modification of registry to disable the task manager of windows operating system. this event or technique are commonly seen in malware such as RAT, Trojan, TrojanSpy or worm to prevent the user to terminate their process.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableTaskMgr\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_task_manager_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin may disable this application for non technical user.", "references": ["https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry", "https://blog.talosintelligence.com/2020/05/threat-roundup-0424-0501.html"], "tags": {"name": "Disabling Task Manager", "analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "The Windows Task Manager was disabled on $dest$ by $user$.", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disabling_task_manager_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disabling_task_manager.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Disabling Windows Local Security Authority Defences via Registry", "id": "45cd08f8-a2c9-4f4e-baab-e1a0c624b0ab", "version": 1, "date": "2022-09-09", "author": "Dean Luxton", "type": "TTP", "status": "production", "description": "This detection looks for the deletion of registry keys which disable LSA protection and MS Defender Device Guard.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` min(_time) as _time from datamodel=Endpoint.Registry where Registry.registry_path IN (\"*\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\LsaCfgFlags\", \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DeviceGuard\\\\*\", \"*\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\RunAsPPL\") Registry.action IN (deleted, unknown) by Registry.action Registry.registry_path Registry.process_guid | `drop_dm_object_name(Registry)` | join type=outer process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by Processes.user Processes.process_name Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)`] | table _time action dest user parent_process_name parent_process process_name process process_guid registry_path | `disabling_windows_local_security_authority_defences_via_registry_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "Potential to be triggered by an administrator disabling protections for troubleshooting purposes.", "references": ["https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection", "https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage"], "tags": {"name": "Disabling Windows Local Security Authority Defences via Registry", "analytic_story": ["Windows Defence Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 60, "kill_chain_phases": ["Exploitation", "Installation"], "message": "An attempt to disable Windows LSA defences was detected on $dest$. The reg key $registry_path$ was deleted by $user$.", "mitre_attack_id": ["T1556"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.action", "Registry.registry_path", "Registry.dest", "Registry.user"], "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/disable_lsa_protection/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "disabling_windows_local_security_authority_defences_via_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/disabling_windows_local_security_authority_defences_via_registry.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "DLLHost with no Command Line Arguments with Network", "id": "f1c07594-a141-11eb-8407-acde48001122", "version": 4, "date": "2023-06-13", "author": "Steven Dick, Michael Haag, Splunk", "type": "TTP", "status": "experimental", "description": "The following analytic identifies DLLHost.exe with no command line arguments with a network connection. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=dllhost.exe Processes.action!=\"blocked\" by host _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(dllhost\\.exe.{0,4}$)\" | rename dest as src | join host process_id [| tstats `security_content_summariesonly` count latest(All_Traffic.dest) as dest latest(All_Traffic.dest_ip) as dest_ip latest(All_Traffic.dest_port) as dest_port FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by host All_Traffic.process_id | `drop_dm_object_name(All_Traffic)`] | `dllhost_with_no_command_line_arguments_with_network_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `port` node.", "known_false_positives": "Although unlikely, some legitimate third party applications may use a moved copy of dllhost, triggering a false positive.", "references": ["https://raw.githubusercontent.com/threatexpress/malleable-c2/c3385e481159a759f79b8acfe11acf240893b830/jquery-c2.4.2.profile", "https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/"], "tags": {"name": "DLLHost with no Command Line Arguments with Network", "analytic_story": ["Cobalt Strike", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "The process $process_name$ was spawned by $parent_process_name$ without any command-line arguments on $src$ by $user$.", "mitre_attack_id": ["T1055"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_image", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventID", "process_name", "process_id", "parent_process_name", "dest_port", "process_path"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon_dllhost.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint", "Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "dllhost_with_no_command_line_arguments_with_network_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "DNS Exfiltration Using Nslookup App", "id": "2452e632-9e0d-11eb-bacd-acde48001122", "version": 1, "date": "2021-04-15", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "this search is to detect potential DNS exfiltration using nslookup application. This technique are seen in couple of malware and APT group to exfiltrated collected data in a infected machine or infected network. This detection is looking for unique use of nslookup where it tries to use specific record type, TXT, A, AAAA, that are commonly used by attacker and also the retry parameter which is designed to query C2 DNS multiple tries.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id values(Processes.parent_process) as parent_process count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"nslookup.exe\" Processes.process = \"*-querytype=*\" OR Processes.process=\"*-qt=*\" OR Processes.process=\"*-q=*\" OR Processes.process=\"-type=*\" OR Processes.process=\"*-retry=*\" by Processes.dest Processes.user Processes.process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dns_exfiltration_using_nslookup_app_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of nslookup.exe may be used.", "known_false_positives": "admin nslookup usage", "references": ["https://www.mandiant.com/resources/fin7-spear-phishing-campaign-targets-personnel-involved-sec-filings", "https://www.varonis.com/blog/dns-tunneling", "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/"], "tags": {"name": "DNS Exfiltration Using Nslookup App", "analytic_story": ["Suspicious DNS Traffic", "Dynamic DNS", "Data Exfiltration", "Command And Control"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ performing activity related to DNS exfiltration.", "mitre_attack_id": ["T1048"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/nslookup_exfil/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "dns_exfiltration_using_nslookup_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/dns_exfiltration_using_nslookup_app.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Domain Account Discovery with Dsquery", "id": "b1a8ce04-04c2-11ec-bea7-acde48001122", "version": 1, "date": "2021-08-24", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to discover domain users. The `user` argument returns a list of all users registered in the domain. Red Teams and adversaries alike engage in remote system discovery for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"dsquery.exe\" AND Processes.process = \"*user*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_account_discovery_with_dsquery_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://jpcertcc.github.io/ToolAnalysisResultSheet/details/dsquery.htm", "https://attack.mitre.org/techniques/T1087/002/"], "tags": {"name": "Domain Account Discovery with Dsquery", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "mitre_attack_id": ["T1087.002", "T1087"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id", "Processes.parent_process_name"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "domain_account_discovery_with_dsquery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/domain_account_discovery_with_dsquery.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Domain Account Discovery With Net App", "id": "98f6a534-04c2-11ec-96b2-acde48001122", "version": 1, "date": "2023-06-13", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for domain users. Red Teams and adversaries alike may use net.exe to enumerate domain users for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process = \"* user*\" AND Processes.process = \"*/do*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_account_discovery_with_net_app_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://docs.microsoft.com/en-us/defender-for-identity/playbook-domain-dominance", "https://attack.mitre.org/techniques/T1087/002/"], "tags": {"name": "Domain Account Discovery With Net App", "analytic_story": ["Active Directory Discovery", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "mitre_attack_id": ["T1087.002", "T1087"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id", "Processes.parent_process_name"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "domain_account_discovery_with_net_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/domain_account_discovery_with_net_app.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Domain Account Discovery with Wmic", "id": "383572e0-04c5-11ec-bdcc-acde48001122", "version": 1, "date": "2021-08-24", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for domain users. Red Teams and adversaries alike use wmic.exe to enumerate domain users for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"wmic.exe\" AND Processes.process = \"*/NAMESPACE:\\\\\\\\root\\\\directory\\\\ldap*\" AND Processes.process = \"*ds_user*\" AND Processes.process = \"*GET*\" AND Processes.process = \"*ds_samaccountname*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_account_discovery_with_wmic_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1087/002/"], "tags": {"name": "Domain Account Discovery with Wmic", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "mitre_attack_id": ["T1087.002", "T1087"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id", "Processes.parent_process_name"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "domain_account_discovery_with_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/domain_account_discovery_with_wmic.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Domain Controller Discovery with Nltest", "id": "41243735-89a7-4c83-bcdd-570aa78f00a1", "version": 1, "date": "2021-08-30", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `nltest.exe` with command-line arguments utilized to discover remote systems. The arguments `/dclist:` and '/dsgetdc:', can be used to return a list of all domain controllers. Red Teams and adversaries alike may use nltest.exe to identify domain controllers in a Windows Domain for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"nltest.exe\") (Processes.process=\"*/dclist:*\" OR Processes.process=\"*/dsgetdc:*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_controller_discovery_with_nltest_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1018/"], "tags": {"name": "Domain Controller Discovery with Nltest", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Domain controller discovery on $dest$ by $user$", "mitre_attack_id": ["T1018"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 21, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "domain_controller_discovery_with_nltest_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/domain_controller_discovery_with_nltest.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Domain Controller Discovery with Wmic", "id": "64c7adaa-48ee-483c-b0d6-7175bc65e6cc", "version": 1, "date": "2021-09-01", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to discover remote systems. The arguments utilized in this command line return a list of all domain controllers in a Windows domain. Red Teams and adversaries alike use *.exe to identify remote systems for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"wmic.exe\") (Processes.process=\"\" OR Processes.process=\"*DomainControllerAddress*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_controller_discovery_with_wmic_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1018/"], "tags": {"name": "Domain Controller Discovery with Wmic", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Domain controller discovery on $dest$ by $user$", "mitre_attack_id": ["T1018"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 21, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "domain_controller_discovery_with_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/domain_controller_discovery_with_wmic.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Domain Group Discovery with Adsisearcher", "id": "089c862f-5f83-49b5-b1c8-7e4ff66560c7", "version": 1, "date": "2021-08-25", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain groups for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (Message = \"*[adsisearcher]*\" AND Message = \"*(objectcategory=group)*\" AND Message = \"*findAll()*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User | `security_content_ctime(firstTime)` | `domain_group_discovery_with_adsisearcher_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use Adsisearcher for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/"], "tags": {"name": "Domain Group Discovery with Adsisearcher", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Domain group discovery enumeration using PowerShell on $dest$ by $user$", "mitre_attack_id": ["T1069", "T1069.002"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Message", "ComputerName", "User"], "risk_score": 18, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-powershell.log", "source": "WinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "wineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "domain_group_discovery_with_adsisearcher_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/domain_group_discovery_with_adsisearcher.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Domain Group Discovery With Dsquery", "id": "f0c9d62f-a232-4edd-b17e-bc409fb133d4", "version": 1, "date": "2021-09-01", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to query for domain groups. The argument `group`, returns a list of all domain groups. Red Teams and adversaries alike use may leverage dsquery.exe to enumerate domain groups for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"dsquery.exe\") (Processes.process=\"*group*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_group_discovery_with_dsquery_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1069/002/"], "tags": {"name": "Domain Group Discovery With Dsquery", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Domain group discovery enumeration on $dest$ by $user$", "mitre_attack_id": ["T1069", "T1069.002"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "domain_group_discovery_with_dsquery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/domain_group_discovery_with_dsquery.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Domain Group Discovery With Net", "id": "f2f14ac7-fa81-471a-80d5-7eb65c3c7349", "version": 1, "date": "2023-06-13", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `net.exe` with command-line arguments utilized to query for domain groups. The argument `group /domain`, returns a list of all domain groups. Red Teams and adversaries alike use net.exe to enumerate domain groups for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"net.exe\" OR Processes.process_name=\"net1.exe\") (Processes.process=*group* AND Processes.process=*/do*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_group_discovery_with_net_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1069/002/"], "tags": {"name": "Domain Group Discovery With Net", "analytic_story": ["Windows Post-Exploitation", "Active Directory Discovery", "Prestige Ransomware", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Domain group discovery enumeration on $dest$ by $user$", "mitre_attack_id": ["T1069", "T1069.002"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "domain_group_discovery_with_net_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/domain_group_discovery_with_net.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Domain Group Discovery With Wmic", "id": "a87736a6-95cd-4728-8689-3c64d5026b3e", "version": 1, "date": "2021-08-25", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for domain groups. The arguments utilized in this command return a list of all domain groups. Red Teams and adversaries alike use wmic.exe to enumerate domain groups for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"wmic.exe\") (Processes.process=*/NAMESPACE:\\\\\\\\root\\\\directory\\\\ldap* AND Processes.process=*ds_group* AND Processes.process=\"*GET ds_samaccountname*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_group_discovery_with_wmic_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1069/002/"], "tags": {"name": "Domain Group Discovery With Wmic", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Domain group discovery enumeration on $dest$ by $user$", "mitre_attack_id": ["T1069", "T1069.002"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "domain_group_discovery_with_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/domain_group_discovery_with_wmic.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Download Files Using Telegram", "id": "58194e28-ae5e-11eb-8912-acde48001122", "version": 1, "date": "2021-05-06", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic will identify a suspicious download by the Telegram application on a Windows system. This behavior was identified on a honeypot where the adversary gained access, installed Telegram and followed through with downloading different network scanners (port, bruteforcer, masscan) to the system and later used to mapped the whole network and further move laterally.", "data_source": [], "search": "`sysmon` EventCode= 15 process_name = \"telegram.exe\" TargetFilename = \"*:Zone.Identifier\" |stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode Image process_id TargetFilename Hash | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `download_files_using_telegram_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and TargetFilename from your endpoints or Events that monitor filestream events which is happened when process download something. (EventCode 15) If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "normal download of file in telegram app. (if it was a common app in network)", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"name": "Download Files Using Telegram", "analytic_story": ["XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Command And Control"], "message": "Suspicious files were downloaded with the Telegram application on $dest$ by $user$.", "mitre_attack_id": ["T1105"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Computer", "EventCode", "Image", "process_id", "TargetFilename", "Hash"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/minergate/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "download_files_using_telegram_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/download_files_using_telegram.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Drop IcedID License dat", "id": "b7a045fc-f14a-11eb-8e79-acde48001122", "version": 1, "date": "2021-07-30", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "This search is to detect dropping a suspicious file named as \"license.dat\" in %appdata%. This behavior seen in latest IcedID malware that contain the actual core bot that will be injected in other process to do banking stealing.", "data_source": [], "search": "`sysmon` EventCode= 11 TargetFilename = \"*\\\\license.dat\" AND (TargetFilename=\"*\\\\appdata\\\\*\" OR TargetFilename=\"*\\\\programdata\\\\*\") |stats count min(_time) as firstTime max(_time) as lastTime by TargetFilename EventCode process_id process_name Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_icedid_license_dat_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "references": ["https://www.cisecurity.org/insights/white-papers/security-primer-icedid"], "tags": {"name": "Drop IcedID License dat", "analytic_story": ["IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "message": "process $SourceImage$ create a file $TargetImage$ in host $Computer$", "mitre_attack_id": ["T1204", "T1204.002"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "drop_icedid_license_dat_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/drop_icedid_license_dat.yml", "source": "endpoint"}, {"name": "DSQuery Domain Discovery", "id": "cc316032-924a-11eb-91a2-acde48001122", "version": 1, "date": "2021-03-31", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies \"dsquery.exe\" execution with arguments looking for `TrustedDomain` query directly on the command-line. This is typically indicative of an Administrator or adversary perform domain trust discovery. Note that this query does not identify any other variations of \"Dsquery.exe\" usage.\\\nWithin this detection, it is assumed `dsquery.exe` is not moved or renamed.\\\nThe search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process \"dsquery.exe\" and its parent process.\\\nDSQuery.exe is natively found in `C:\\Windows\\system32` and `C:\\Windows\\syswow64` and only on Server operating system.\\\nThe following DLL(s) are loaded when DSQuery.exe is launched `dsquery.dll`. If found loaded by another process, it is possible dsquery is running within that process context in memory.\\\nIn addition to trust discovery, review parallel processes for additional behaviors performed. Identify the parent process and capture any files (batch files, for example) being used.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=dsquery.exe Processes.process=*trustedDomain* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dsquery_domain_discovery_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Limited false positives. If there is a true false positive, filter based on command-line or parent process.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md", "https://blog.harmj0y.net/redteaming/a-guide-to-attacking-domain-trusts/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732952(v=ws.11)", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc754232(v=ws.11)"], "tags": {"name": "DSQuery Domain Discovery", "analytic_story": ["Domain Trust Discovery", "Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified performing domain discovery on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1482"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "dsquery_domain_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/dsquery_domain_discovery.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Dump LSASS via comsvcs DLL", "id": "8943b567-f14d-4ee8-a0bb-2121d4ce3184", "version": 2, "date": "2023-04-14", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "The following analytic detects the behavior of dumping credentials from memory, a tactic commonly used by adversaries. Specifically, it targets the exploitation of the Local Security Authority Subsystem Service (LSASS) in Windows, which manages system-level authentication. Threat actors can use the comsvcs.dll to exploit this process and obtain valuable credentials. The analytic identifies instances where the rundll32 process is used in conjunction with the comsvcs.dll and MiniDump, indicating potential LSASS dumping attempts. This tactic is often part of more extensive attack campaigns and is associated with numerous threat groups. Identifying this behavior is crucial for security operations center (SOC) analysts, as credential theft can lead to broader system compromise, persistence, lateral movement, and escalated privileges. It is important to note that no legitimate use of this technique has been identified so far. The impact of the attack, if a true positive is found, can be severe. Attackers can use the stolen credentials to access sensitive information or systems, leading to data theft, ransomware attacks, or other damaging outcomes. To implement this analytic, ensure that logs with process information are ingested from your endpoints. However, be aware of potential false positives, as legitimate uses of the LSASS process may cause benign activities to be flagged. Upon triage, review the processes involved in the LSASS dumping attempt, capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. By identifying and mitigating LSASS exploitation attempts early on, SOC analysts can better protect their organization's assets and prevent potential breaches.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*comsvcs.dll* Processes.process=*MiniDump* by Processes.user Processes.process_name Processes.original_file_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_comsvcs_dll_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "None identified.", "references": ["https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", "https://twitter.com/SBousseaden/status/1167417096374050817", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"name": "Dump LSASS via comsvcs DLL", "analytic_story": ["Industroyer2", "HAFNIUM Group", "CISA AA22-264A", "Prestige Ransomware", "Credential Dumping", "CISA AA22-257A", "Living Off The Land", "Suspicious Rundll32 Activity", "Data Destruction", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified accessing credentials using comsvcs.dll on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1003.001", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "dump_lsass_via_comsvcs_dll_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/dump_lsass_via_comsvcs_dll.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Dump LSASS via procdump", "id": "3742ebfe-64c2-11eb-ae93-0242ac130002", "version": 3, "date": "2022-08-31", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "Detect procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage. -mm will produce a mini dump file and -ma will write a dump file with all process memory. Both are highly suspect and should be reviewed. This query does not monitor for the internal name (original_file_name=procdump) of the PE or look for procdump64.exe. Modify the query as needed.\\\nDuring triage, confirm this is procdump.exe executing. If it is the first time a Sysinternals utility has been ran, it is possible there will be a -accepteula on the command line. Review other endpoint data sources for cross process (injection) into lsass.exe.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_procdump` (Processes.process=*-ma* OR Processes.process=*-mm*) Processes.process=*lsass* by Processes.user Processes.process_name Processes.process Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_procdump_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "None identified.", "references": ["https://attack.mitre.org/techniques/T1003/001/", "https://docs.microsoft.com/en-us/sysinternals/downloads/procdump", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md#atomic-test-2---dump-lsassexe-memory-using-procdump", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/"], "tags": {"name": "Dump LSASS via procdump", "analytic_story": ["Credential Dumping", "HAFNIUM Group", "CISA AA22-257A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified attempting to dump lsass.exe on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1003.001", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}, {"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/crowdstrike_falcon.log", "source": "crowdstrike", "sourcetype": "crowdstrike:events:sensor"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_procdump", "definition": "(Processes.process_name=procdump.exe OR Processes.process_name=procdump64.exe OR Processes.original_file_name=procdump)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "dump_lsass_via_procdump_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/dump_lsass_via_procdump.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Elevated Group Discovery With Net", "id": "a23a0e20-0b1b-4a07-82e5-ec5f70811e7a", "version": 1, "date": "2021-08-25", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for specific elevated domain groups. Red Teams and adversaries alike use net.exe to enumerate elevated domain groups for situational awareness and Active Directory Discovery to identify high privileged users.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"net.exe\" OR Processes.process_name=\"net1.exe\") (Processes.process=\"*group*\" AND Processes.process=\"*/do*\") (Processes.process=\"*Domain Admins*\" OR Processes.process=\"*Enterprise Admins*\" OR Processes.process=\"*Schema Admins*\" OR Processes.process=\"*Account Operators*\" OR Processes.process=\"*Server Operators*\" OR Processes.process=\"*Protected Users*\" OR Processes.process=\"*Dns Admins*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `elevated_group_discovery_with_net_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory", "https://adsecurity.org/?p=3658", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"], "tags": {"name": "Elevated Group Discovery With Net", "analytic_story": ["Active Directory Discovery", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Elevated domain group discovery enumeration on $dest$ by $user$", "mitre_attack_id": ["T1069", "T1069.002"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 21, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "elevated_group_discovery_with_net_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/elevated_group_discovery_with_net.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Elevated Group Discovery with PowerView", "id": "10d62950-0de5-4199-a710-cff9ea79b413", "version": 1, "date": "2021-08-25", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainGroupMember` commandlet. `Get-DomainGroupMember` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. As the name suggests, `Get-DomainGroupMember` is used to list the members of an specific domain group. Red Teams and adversaries alike use PowerView to enumerate elevated domain groups for situational awareness and Active Directory Discovery to identify high privileged users.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (Message = \"*Get-DomainGroupMember*\") AND Message IN (\"*Domain Admins*\",\"*Enterprise Admins*\", \"*Schema Admins*\", \"*Account Operators*\" , \"*Server Operators*\", \"*Protected Users*\", \"*Dns Admins*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User | `security_content_ctime(firstTime)` | `elevated_group_discovery_with_powerview_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerView for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainGroupMember/", "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory", "https://attack.mitre.org/techniques/T1069/002/"], "tags": {"name": "Elevated Group Discovery with PowerView", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Elevated group discovery using PowerView on $dest$ by $user$", "mitre_attack_id": ["T1069", "T1069.002"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Message", "ComputerName", "User"], "risk_score": 21, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-powershell.log", "source": "WinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "wineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "elevated_group_discovery_with_powerview_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/elevated_group_discovery_with_powerview.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Elevated Group Discovery With Wmic", "id": "3f6bbf22-093e-4cb4-9641-83f47b8444b6", "version": 1, "date": "2021-08-25", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for specific domain groups. Red Teams and adversaries alike use net.exe to enumerate elevated domain groups for situational awareness and Active Directory Discovery to identify high privileged users.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"wmic.exe\") (Processes.process=*/NAMESPACE:\\\\\\\\root\\\\directory\\\\ldap*) (Processes.process=\"*Domain Admins*\" OR Processes.process=\"*Enterprise Admins*\" OR Processes.process=\"*Schema Admins*\" OR Processes.process=\"*Account Operators*\" OR Processes.process=\"*Server Operators*\" OR Processes.process=\"*Protected Users*\" OR Processes.process=\"*Dns Admins*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `elevated_group_discovery_with_wmic_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory", "https://adsecurity.org/?p=3658"], "tags": {"name": "Elevated Group Discovery With Wmic", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Elevated domain group discovery enumeration on $dest$ by $user$", "mitre_attack_id": ["T1069", "T1069.002"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 21, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "elevated_group_discovery_with_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/elevated_group_discovery_with_wmic.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Enable RDP In Other Port Number", "id": "99495452-b899-11eb-96dc-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a modification to registry to enable rdp to a machine with different port number. This technique was seen in some atttacker tries to do lateral movement and remote access to a compromised machine to gain control of it.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp*\" Registry.registry_value_name = \"PortNumber\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enable_rdp_in_other_port_number_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "references": ["https://www.mvps.net/docs/how-to-secure-remote-desktop-rdp/"], "tags": {"name": "Enable RDP In Other Port Number", "analytic_story": ["Prohibited Traffic Allowed or Protocol Mismatch", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "RDP was moved to a non-standard port on $dest$ by $user$.", "mitre_attack_id": ["T1021"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/honeypots/casper/datasets1/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "enable_rdp_in_other_port_number_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/enable_rdp_in_other_port_number.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Enable WDigest UseLogonCredential Registry", "id": "0c7d8ffe-25b1-11ec-9f39-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to detect a suspicious registry modification to enable plain text credential feature of windows. This technique was used by several malware and also by mimikatz to be able to dumpe the a plain text credential to the compromised or target host. This TTP is really a good indicator that someone wants to dump the crendential of the host so it must be a good pivot for credential dumping techniques.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\System\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\WDigest\\\\*\" Registry.registry_value_name = \"UseLogonCredential\" Registry.registry_value_data=0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enable_wdigest_uselogoncredential_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "references": ["https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html"], "tags": {"name": "Enable WDigest UseLogonCredential Registry", "analytic_story": ["Credential Dumping", "Windows Registry Abuse", "CISA AA22-320A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "wdigest registry $registry_path$ was modified in $dest$", "mitre_attack_id": ["T1112", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/atomic_red_team/wdigest_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "enable_wdigest_uselogoncredential_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Enumerate Users Local Group Using Telegram", "id": "fcd74532-ae54-11eb-a5ab-acde48001122", "version": 1, "date": "2021-05-06", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic will detect a suspicious Telegram process enumerating all network users in a local group. This technique was seen in a Monero infected honeypot to mapped all the users on the compromised system. EventCode 4798 is generated when a process enumerates a user's security-enabled local groups on a computer or device.", "data_source": ["Windows Security 4798"], "search": "`wineventlog_security` EventCode=4798 Process_Name = \"*\\\\telegram.exe\" | stats count min(_time) as firstTime max(_time) as lastTime by ComputerName EventCode Process_Name Process_ID Account_Name Account_Domain Logon_ID Security_ID Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enumerate_users_local_group_using_telegram_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Task Schedule (Exa. Security Log EventCode 4798) endpoints. Tune and filter known instances of process like logonUI used in your environment.", "known_false_positives": "unknown", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4798"], "tags": {"name": "Enumerate Users Local Group Using Telegram", "analytic_story": ["XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "The Telegram application has been identified enumerating local groups on $ComputerName$ by $user$.", "mitre_attack_id": ["T1087"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "ComputerName", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ComputerName", "EventCode", "Process_Name", "Process_ID", "Account_Name", "Account_Domain", "Logon_ID", "Security_ID", "Message"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/minergate/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "enumerate_users_local_group_using_telegram_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/enumerate_users_local_group_using_telegram.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Esentutl SAM Copy", "id": "d372f928-ce4f-11eb-a762-acde48001122", "version": 1, "date": "2021-08-18", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies the process - `esentutl.exe` - being used to capture credentials stored in ntds.dit or the SAM file on disk. During triage, review parallel processes and determine if legitimate activity. Upon determination of illegitimate activity, take further action to isolate and contain the threat.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_esentutl` Processes.process IN (\"*ntds*\", \"*SAM*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `esentutl_sam_copy_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited. Filter as needed.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/6a570c2a4630cf0c2bd41a2e8375b5d5ab92f700/atomics/T1003.002/T1003.002.md", "https://attack.mitre.org/software/S0404/"], "tags": {"name": "Esentutl SAM Copy", "analytic_story": ["Credential Dumping", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user user$ attempting to capture credentials for offline cracking or observability.", "mitre_attack_id": ["T1003.002", "T1003"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_esentutl", "definition": "(Processes.process_name=esentutl.exe OR Processes.original_file_name=esentutl.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "esentutl_sam_copy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/esentutl_sam_copy.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "ETW Registry Disabled", "id": "8ed523ac-276b-11ec-ac39-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to detect a registry modification to disable ETW feature of windows. This technique is to evade EDR appliance to evade detections and hide its execution from audit logs.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework*\" Registry.registry_value_name = ETWEnabled Registry.registry_value_data=0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `etw_registry_disabled_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "references": ["https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3"], "tags": {"name": "ETW Registry Disabled", "analytic_story": ["Hermetic Wiper", "Windows Privilege Escalation", "Windows Persistence Techniques", "Windows Registry Abuse", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "modified/added/deleted registry entry $Registry.registry_path$ in $dest$", "mitre_attack_id": ["T1562.006", "T1127", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127/etw_disable/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "etw_registry_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/etw_registry_disabled.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Eventvwr UAC Bypass", "id": "9cf8fe08-7ad8-11eb-9819-acde48001122", "version": 3, "date": "2022-11-14", "author": "Steven Dick, Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following search identifies Eventvwr bypass by identifying the registry modification into a specific path that eventvwr.msc looks to (but is not valid) upon execution. A successful attack will include a suspicious command to be executed upon eventvwr.msc loading. Upon triage, review the parallel processes that have executed. Identify any additional registry modifications on the endpoint that may look suspicious. Remediate as necessary.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*mscfile\\\\shell\\\\open\\\\command\\\\*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `eventvwr_uac_bypass_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "Some false positives may be present and will need to be filtered.", "references": ["https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md", "https://attack.mitre.org/techniques/T1548/002/", "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/"], "tags": {"name": "Eventvwr UAC Bypass", "analytic_story": ["Windows Defense Evasion Tactics", "IcedID", "Living Off The Land", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "Registry values were modified to bypass UAC using Event Viewer on $dest$ by $user$.", "mitre_attack_id": ["T1548.002", "T1548"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.user", "Processes.dest", "Processes.process_id", "Processes.process_name", "Processes.process", "Processes.process_path", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_guid", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "eventvwr_uac_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/eventvwr_uac_bypass.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Excel Spawning PowerShell", "id": "42d40a22-9be3-11eb-8f08-acde48001122", "version": 1, "date": "2021-04-12", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following detection identifies Microsoft Excel spawning PowerShell. Typically, this is not common behavior and not default with Excel.exe. Excel.exe will generally be found in the following path `C:\\Program Files\\Microsoft Office\\root\\Office16` (version will vary). PowerShell spawning from Excel.exe is common for a spearphishing attachment and is actively used. Albeit, the command executed will most likely be encoded and captured via another detection. During triage, review parallel processes and identify any files that may have been written.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process) min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=\"excel.exe\" `process_powershell` by Processes.parent_process Processes.process_name Processes.user Processes.dest Processes.original_file_name | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `excel_spawning_powershell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited, but if any are present, filter as needed.", "references": ["https://redcanary.com/threat-detection-report/techniques/powershell/", "https://attack.mitre.org/techniques/T1566/001/"], "tags": {"name": "Excel Spawning PowerShell", "analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$, indicating potential suspicious macro execution.", "mitre_attack_id": ["T1003.002", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "excel_spawning_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/excel_spawning_powershell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Excel Spawning Windows Script Host", "id": "57fe880a-9be3-11eb-9bf3-acde48001122", "version": 1, "date": "2021-04-12", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following detection identifies Microsoft Excel spawning Windows Script Host - `cscript.exe` or `wscript.exe`. Typically, this is not common behavior and not default with Excel.exe. Excel.exe will generally be found in the following path `C:\\Program Files\\Microsoft Office\\root\\Office16` (version will vary). `cscript.exe` or `wscript.exe` default location is `c:\\windows\\system32\\` or c:windows\\syswow64`. `cscript.exe` or `wscript.exe` spawning from Excel.exe is common for a spearphishing attachment and is actively used. Albeit, the command-line executed will most likely be obfuscated and captured via another detection. During triage, review parallel processes and identify any files that may have been written. Review the reputation of the remote destination and block accordingly.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process) min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=\"excel.exe\" Processes.process_name IN (\"cscript.exe\", \"wscript.exe\") by Processes.parent_process Processes.process_name Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `excel_spawning_windows_script_host_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "False positives should be limited, but if any are present, filter as needed. In some instances, `cscript.exe` is used for legitimate business practices.", "references": ["https://app.any.run/tasks/8ecfbc29-03d0-421c-a5bf-3905d29192a2/", "https://attack.mitre.org/techniques/T1566/001/"], "tags": {"name": "Excel Spawning Windows Script Host", "analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$, indicating potential suspicious macro execution.", "mitre_attack_id": ["T1003.002", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "process_name", "process_id", "parent_process_name", "dest", "user", "parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "excel_spawning_windows_script_host_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/excel_spawning_windows_script_host.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Excessive Attempt To Disable Services", "id": "8fa2a0f0-acd9-11eb-8994-acde48001122", "version": 1, "date": "2021-05-04", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic will identify suspicious series of command-line to disable several services. This technique is seen where the adversary attempts to disable security app services or other malware services to complete the objective on the compromised system.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"sc.exe\" AND Processes.process=\"*config*\" OR Processes.process=\"*Disabled*\" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user _time span=1m | where count >=4 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_attempt_to_disable_services_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed sc.exe may be used.", "known_false_positives": "unknown", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"name": "Excessive Attempt To Disable Services", "analytic_story": ["XMRig", "Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "message": "An excessive amount of $process_name$ was executed on $dest$ attempting to disable services.", "mitre_attack_id": ["T1489"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.process_id", "Processes.process_name", "Processes.parent_process_name", "Processes.dest", "Processes.user"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "excessive_attempt_to_disable_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/excessive_attempt_to_disable_services.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Excessive distinct processes from Windows Temp", "id": "23587b6a-c479-11eb-b671-acde48001122", "version": 2, "date": "2022-02-28", "author": "Michael Hart, Mauricio Velazco, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic will identify suspicious series of process executions. We have observed that post exploit framework tools like Koadic and Meterpreter will launch an excessive number of processes with distinct file paths from Windows\\Temp to execute actions on objective. This behavior is extremely anomalous compared to typical application behaviors that use Windows\\Temp.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process distinct_count(Processes.process) as distinct_process_count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_path = \"*\\\\Windows\\\\Temp\\\\*\" by Processes.dest Processes.user _time span=20m | where distinct_process_count > 37 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_distinct_processes_from_windows_temp_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the full process path in the process field of CIM's Process data model. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed sc.exe may be used.", "known_false_positives": "Many benign applications will create processes from executables in Windows\\Temp, although unlikely to exceed the given threshold. Filter as needed.", "references": ["https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/"], "tags": {"name": "Excessive distinct processes from Windows Temp", "analytic_story": ["Meterpreter"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation"], "message": "Multiple processes were executed out of windows\\temp within a short amount of time on $dest$.", "mitre_attack_id": ["T1059"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.dest", "Processes.user"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/meterpreter/windows_temp_processes/logExcessiveWindowsTemp.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "excessive_distinct_processes_from_windows_temp_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Excessive File Deletion In WinDefender Folder", "id": "b5baa09a-7a05-11ec-8da4-acde48001122", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic will identify excessive file deletion events in the Windows Defender folder. This technique was seen in the WhisperGate malware campaign in which adversaries abused Nirsofts advancedrun.exe to gain administrative privilege to then execute PowerShell commands to delete files within the Windows Defender application folder. This behavior is a good indicator the offending process is trying to corrupt a Windows Defender installation.", "data_source": ["Sysmon Event ID 23"], "search": "`sysmon` EventCode=23 TargetFilename = \"*\\\\ProgramData\\\\Microsoft\\\\Windows Defender*\" | stats values(TargetFilename) as deleted_files min(_time) as firstTime max(_time) as lastTime count by user EventCode Image ProcessID Computer |where count >=50 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_file_deletion_in_windefender_folder_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, TargetFilename, and ProcessID executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Windows Defender AV updates may cause this alert. Please update the filter macros to remove false positives.", "references": ["https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"name": "Excessive File Deletion In WinDefender Folder", "analytic_story": ["Data Destruction", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "message": "High frequency file deletion activity detected on host $Computer$", "mitre_attack_id": ["T1485"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Endpoint", "role": ["Victim"]}, {"name": "deleted_files", "type": "File Name", "role": ["Target"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "TargetFilename", "Computer", "user", "Image", "ProcessID"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/excessive_file_del_in_windefender_dir/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "excessive_file_deletion_in_windefender_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/excessive_file_deletion_in_windefender_folder.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Excessive number of service control start as disabled", "id": "77592bec-d5cc-11eb-9e60-acde48001122", "version": 1, "date": "2021-06-25", "author": "Michael Hart, Splunk", "type": "Anomaly", "status": "production", "description": "This detection targets behaviors observed when threat actors have used sc.exe to modify services. We observed malware in a honey pot spawning numerous sc.exe processes in a short period of time, presumably to impair defenses, possibly to block others from compromising the same machine. This detection will alert when we see both an excessive number of sc.exe processes launched with specific commandline arguments to disable the start of certain services.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` distinct_count(Processes.process) as distinct_cmdlines values(Processes.process_id) as process_ids min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE Processes.process_name = \"sc.exe\" AND Processes.process=\"*start= disabled*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_id, _time span=30m | where distinct_cmdlines >= 8 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_number_of_service_control_start_as_disabled_filter`", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must be ingesting logs with both the process name and command line from your endpoints. The complete process name with command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "Legitimate programs and administrators will execute sc.exe with the start disabled flag. It is possible, but unlikely from the telemetry of normal Windows operation we observed, that sc.exe will be called more than seven times in a short period of time.", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/sc-create", "https://attack.mitre.org/techniques/T1562/001/"], "tags": {"name": "Excessive number of service control start as disabled", "analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An excessive amount of $process_name$ was executed on $dest$ attempting to disable services.", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/sc_service_start_disabled/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "excessive_number_of_service_control_start_as_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Excessive number of taskhost processes", "id": "f443dac2-c7cf-11eb-ab51-acde48001122", "version": 1, "date": "2021-06-07", "author": "Michael Hart", "type": "Anomaly", "status": "production", "description": "This detection targets behaviors observed in post exploit kits like Meterpreter and Koadic that are run in memory. We have observed that these tools must invoke an excessive number of taskhost.exe and taskhostex.exe processes to complete various actions (discovery, lateral movement, etc.). It is extremely uncommon in the course of normal operations to see so many distinct taskhost and taskhostex processes running concurrently in a short time frame.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process_id) as process_ids min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE Processes.process_name = \"taskhost.exe\" OR Processes.process_name = \"taskhostex.exe\" BY Processes.dest Processes.process_name _time span=1h | `drop_dm_object_name(Processes)` | eval pid_count=mvcount(process_ids) | eval taskhost_count_=if(process_name == \"taskhost.exe\", pid_count, 0) | eval taskhostex_count_=if(process_name == \"taskhostex.exe\", pid_count, 0) | stats sum(taskhost_count_) as taskhost_count, sum(taskhostex_count_) as taskhostex_count by _time, dest, firstTime, lastTime | where taskhost_count > 10 and taskhostex_count > 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_number_of_taskhost_processes_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting events related to processes on the endpoints that include the name of the process and process id into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators, administrative actions or certain applications may run many instances of taskhost and taskhostex concurrently. Filter as needed.", "references": ["https://attack.mitre.org/software/S0250/"], "tags": {"name": "Excessive number of taskhost processes", "analytic_story": ["Meterpreter"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Installation"], "message": "An excessive amount of $process_name$ was executed on $dest$ indicative of suspicious behavior.", "mitre_attack_id": ["T1059"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_id", "Processes.process_name", "Processes.dest", "Processes.user"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/meterpreter/taskhost_processes/logExcessiveTaskHost.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "excessive_number_of_taskhost_processes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/excessive_number_of_taskhost_processes.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Excessive Service Stop Attempt", "id": "ae8d3f4a-acd7-11eb-8846-acde48001122", "version": 2, "date": "2021-05-04", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic identifies suspicious series of attempt to kill multiple services on a system using either `net.exe` or `sc.exe`. This technique is use by adversaries to terminate security services or other related services to continue there objective and evade detections.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name = \"sc.exe\" OR Processes.process_name = \"net1.exe\" AND Processes.process=\"*stop*\" OR Processes.process=\"*delete*\" by Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.dest Processes.user _time span=1m | where count >=5 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_service_stop_attempt_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"name": "Excessive Service Stop Attempt", "analytic_story": ["XMRig", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "message": "An excessive amount of $process_name$ was executed on $dest$ attempting to disable services.", "mitre_attack_id": ["T1489"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "excessive_service_stop_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/excessive_service_stop_attempt.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Excessive Usage Of Cacls App", "id": "0bdf6092-af17-11eb-939a-acde48001122", "version": 1, "date": "2021-05-07", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies excessive usage of `cacls.exe`, `xcacls.exe` or `icacls.exe` application to change file or folder permission. This behavior is commonly seen where the adversary attempts to impair some users from deleting or accessing its malware components or artifact from the compromised system.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id values(Processes.process_name) as process_name count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"cacls.exe\" OR Processes.process_name = \"icacls.exe\" OR Processes.process_name = \"XCACLS.exe\" by Processes.parent_process_name Processes.parent_process Processes.dest Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_cacls_app_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or administrative scripts may use this application. Filter as needed.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"name": "Excessive Usage Of Cacls App", "analytic_story": ["XMRig", "Azorult", "Windows Post-Exploitation", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An excessive amount of $process_name$ was executed on $dest$ attempting to modify permissions.", "mitre_attack_id": ["T1222"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.process_id", "Processes.process_name", "Processes.parent_process_name", "Processes.dest", "Processes.user"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "excessive_usage_of_cacls_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/excessive_usage_of_cacls_app.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Excessive Usage Of Net App", "id": "45e52536-ae42-11eb-b5c6-acde48001122", "version": 2, "date": "2023-06-13", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic identifies excessive usage of `net.exe` or `net1.exe` within a bucket of time (1 minute). This behavior was seen in a Monero incident where the adversary attempts to create many users, delete and disable users as part of its malicious behavior.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` by Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_net_app_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown. Filter as needed. Modify the time span as needed.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"name": "Excessive Usage Of Net App", "analytic_story": ["Prestige Ransomware", "Graceful Wipe Out Attack", "XMRig", "Windows Post-Exploitation", "Azorult", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "kill_chain_phases": ["Actions on Objectives"], "message": "Excessive usage of net1.exe or net.exe within 1m, with command line $process$ has been detected on $dest$ by $user$", "mitre_attack_id": ["T1531"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 28, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "excessive_usage_of_net_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/excessive_usage_of_net_app.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Excessive Usage of NSLOOKUP App", "id": "0a69fdaa-a2b8-11eb-b16d-acde48001122", "version": 2, "date": "2022-06-03", "author": "Teoderick Contreras, Stanislav Miskovic, Splunk", "type": "Anomaly", "status": "production", "description": "This search is to detect potential DNS exfiltration using nslookup application. This technique are seen in couple of malware and APT group to exfiltrated collected data in a infected machine or infected network. This detection is looking for unique use of nslookup where it tries to use specific record type (TXT, A, AAAA) that are commonly used by attacker and also the retry parameter which is designed to query C2 DNS multiple tries.", "data_source": [], "search": "`sysmon` EventCode = 1 process_name = \"nslookup.exe\" | bucket _time span=1m | stats count as numNsLookup by Computer, _time | eventstats avg(numNsLookup) as avgNsLookup, stdev(numNsLookup) as stdNsLookup, count as numSlots by Computer | eval upperThreshold=(avgNsLookup + stdNsLookup *3) | eval isOutlier=if(numNsLookup > 20 and numNsLookup >= upperThreshold, 1, 0) | search isOutlier=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_nslookup_app_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of nslookup.exe may be used.", "known_false_positives": "unknown", "references": ["https://www.mandiant.com/resources/fin7-spear-phishing-campaign-targets-personnel-involved-sec-filings", "https://www.varonis.com/blog/dns-tunneling", "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/"], "tags": {"name": "Excessive Usage of NSLOOKUP App", "analytic_story": ["Suspicious DNS Traffic", "Dynamic DNS", "Data Exfiltration", "Command And Control"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "kill_chain_phases": ["Actions on Objectives"], "message": "Excessive usage of nslookup.exe has been detected on $Computer$. This detection is triggered as as it violates the dynamic threshold", "mitre_attack_id": ["T1048"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Computer", "process_name", "EventCode"], "risk_score": 28, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/nslookup_exfil/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "excessive_usage_of_nslookup_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/excessive_usage_of_nslookup_app.yml", "source": "endpoint"}, {"name": "Excessive Usage Of SC Service Utility", "id": "cb6b339e-d4c6-11eb-a026-acde48001122", "version": 1, "date": "2021-06-24", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This search is to detect a suspicious excessive usage of sc.exe in a host machine. This technique was seen in several ransomware , xmrig and other malware to create, modify, delete or disable a service may related to security application or to gain privilege escalation.", "data_source": [], "search": "`sysmon` EventCode = 1 process_name = \"sc.exe\" | bucket _time span=15m | stats values(process) as process count as numScExe by Computer, _time | eventstats avg(numScExe) as avgScExe, stdev(numScExe) as stdScExe, count as numSlots by Computer | eval upperThreshold=(avgScExe + stdScExe *3) | eval isOutlier=if(avgScExe > 5 and avgScExe >= upperThreshold, 1, 0) | search isOutlier=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_sc_service_utility_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed taskkill.exe may be used.", "known_false_positives": "excessive execution of sc.exe is quite suspicious since it can modify or execute app in high privilege permission.", "references": ["https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/"], "tags": {"name": "Excessive Usage Of SC Service Utility", "analytic_story": ["Ransomware", "Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "Excessive Usage Of SC Service Utility", "mitre_attack_id": ["T1569", "T1569.002"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "process_name", "process"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "excessive_usage_of_sc_service_utility_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/excessive_usage_of_sc_service_utility.yml", "source": "endpoint"}, {"name": "Excessive Usage Of Taskkill", "id": "fe5bca48-accb-11eb-a67c-acde48001122", "version": 1, "date": "2021-05-04", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic identifies excessive usage of `taskkill.exe` application. This application is commonly used by adversaries to evade detections by killing security product processes or even other processes to evade detection.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"taskkill.exe\" by Processes.parent_process_name Processes.process_name Processes.dest Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_taskkill_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed taskkill.exe may be used.", "known_false_positives": "Unknown. Filter as needed.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/", "https://www.joesandbox.com/analysis/702680/0/html"], "tags": {"name": "Excessive Usage Of Taskkill", "analytic_story": ["XMRig", "Azorult", "CISA AA22-264A", "AgentTesla", "CISA AA22-277A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "kill_chain_phases": ["Exploitation"], "message": "Excessive usage of taskkill.exe with process id $process_id$ (more than 10 within 1m) has been detected on $dest$ with a parent process of $parent_process_name$.", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process", "Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.parent_process_name", "Processes.process_name", "Processes.dest", "Processes.user", "Processes.process", "Processes.process_id"], "risk_score": 28, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "excessive_usage_of_taskkill_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/excessive_usage_of_taskkill.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Exchange PowerShell Abuse via SSRF", "id": "29228ab4-0762-11ec-94aa-acde48001122", "version": 2, "date": "2022-10-02", "author": "Michael Haag, Splunk", "type": "TTP", "status": "experimental", "description": "This analytic identifies suspicious behavior related to ProxyShell against on-premise Microsoft Exchange servers. This analytic has been replaced by GUID d436f9e7-0ee7-4a47-864b-6dea2c4e2752 which utilizes the Web Datamodel. \\\nModification of this analytic is requried to ensure fields are mapped accordingly. \\\nA suspicious event will have `PowerShell`, the method `POST` and `autodiscover.json`. This is indicative of accessing PowerShell on the back end of Exchange with SSRF. \\\nAn event will look similar to `POST /autodiscover/autodiscover.json a=dsxvu@fnsso.flq/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3d...` (abbreviated) \\\nReview the source attempting to perform this activity against your environment. In addition, review PowerShell logs and access recently granted to Exchange roles.", "data_source": [], "search": "`exchange` c_uri=\"*//autodiscover*\" cs_uri_query=\"*PowerShell*\" cs_method=\"POST\" | stats count min(_time) as firstTime max(_time) as lastTime by dest, cs_uri_query, cs_method, c_uri | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `exchange_powershell_abuse_via_ssrf_filter`", "how_to_implement": "The following analytic requires on-premise Exchange to be logging to Splunk using the TA - https://splunkbase.splunk.com/app/3225. Ensure logs are parsed correctly, or tune the analytic for your environment.", "known_false_positives": "Limited false positives, however, tune as needed.", "references": ["https://github.com/GossiTheDog/ThreatHunting/blob/master/AzureSentinel/Exchange-Powershell-via-SSRF", "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1"], "tags": {"name": "Exchange PowerShell Abuse via SSRF", "analytic_story": ["ProxyShell", "ProxyNotShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Delivery", "Installation"], "message": "Activity related to ProxyShell has been identified on $dest$. Review events and take action accordingly.", "mitre_attack_id": ["T1190", "T1133"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "cs_uri_query", "cs_method", "c_uri"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "exchange", "definition": "sourcetype=\"MSWindows:IIS\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "exchange_powershell_abuse_via_ssrf_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/exchange_powershell_abuse_via_ssrf.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Exchange PowerShell Module Usage", "id": "2d10095e-05ae-11ec-8fdf-acde48001122", "version": 5, "date": "2022-11-21", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the usage of Exchange PowerShell modules that were recently used for a proof of concept related to ProxyShell. Adversaries may abuse a limited set of PwSh Modules related to Exchange once gained access via ProxyShell or ProxyNotShell.\\\nInherently, the usage of the modules is not malicious, but reviewing parallel processes, and user, of the session will assist with determining the intent. \\\nModule - New-MailboxExportRequest will begin the process of exporting contents of a primary mailbox or archive to a .pst file. \\\nModule - New-managementroleassignment can assign a management role to a management role group, management role assignment policy, user, or universal security group (USG). \\\nModule - New-MailboxSearch cmdlet to create a mailbox search and either get an estimate of search results, place search results on In-Place Hold or copy them to a Discovery mailbox. You can also place all contents in a mailbox on hold by not specifying a search query, which accomplishes similar results as Litigation Hold. \\ Module - Get-Recipient cmdlet to view existing recipient objects in your organization. This cmdlet returns all mail-enabled objects (for example, mailboxes, mail users, mail contacts, and distribution groups).", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*New-MailboxExportRequest*\", \"*New-ManagementRoleAssignment*\", \"*New-MailboxSearch*\", \"*Get-Recipient*\", \"Search-Mailbox\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `exchange_powershell_module_usage_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-managementroleassignment?view=exchange-ps", "https://blog.orange.tw/2021/08/proxyshell-a-new-attack-surface-on-ms-exchange-part-3.html", "https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell", "https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/", "https://www.cisa.gov/uscert/ncas/alerts/aa22-264a", "https://learn.microsoft.com/en-us/powershell/module/exchange/new-mailboxsearch?view=exchange-ps", "https://learn.microsoft.com/en-us/powershell/module/exchange/get-recipient?view=exchange-ps", "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/"], "tags": {"name": "Exchange PowerShell Module Usage", "analytic_story": ["ProxyShell", "CISA AA22-264A", "ProxyNotShell", "CISA AA22-277A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 40, "kill_chain_phases": ["Installation"], "message": "Suspicious Exchange PowerShell module usaged was identified on $dest$.", "mitre_attack_id": ["T1059", "T1059.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 32, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/exchange/windows-powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "exchange_powershell_module_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/exchange_powershell_module_usage.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Executable File Written in Administrative SMB Share", "id": "f63c34fe-a435-11eb-935a-acde48001122", "version": 2, "date": "2023-06-13", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies executable files (.exe or .dll) being written to Windows administrative SMB shares (Admin$, IPC$, C$). This represents suspicious behavior as its commonly used by tools like PsExec/PaExec and others to stage service binaries before creating and starting a Windows service on remote endpoints. Red Teams and adversaries alike may abuse administrative shares for lateral movement and remote code execution. The Trickbot malware family also implements this behavior to try to infect other machines in the infected network.", "data_source": ["Windows Security 5145"], "search": "`wineventlog_security` EventCode=5145 Relative_Target_Name IN (\"*.exe\",\"*.dll\") Object_Type=File Share_Name IN (\"\\\\\\\\*\\\\C$\",\"\\\\\\\\*\\\\IPC$\",\"\\\\\\\\*\\\\admin$\") Access_Mask= \"0x2\" | stats min(_time) as firstTime max(_time) as lastTime count by EventCode Share_Name Relative_Target_Name Object_Type Access_Mask user src_port Source_Address | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `executable_file_written_in_administrative_smb_share_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 5145 EventCode enabled. The Windows TA is also required. Also enable the object Audit access success/failure in your group policy.", "known_false_positives": "System Administrators may use looks like PsExec for troubleshooting or administrations tasks. However, this will typically come only from certain users and certain systems that can be added to an allow list.", "references": ["https://attack.mitre.org/techniques/T1021/002/", "https://www.rapid7.com/blog/post/2013/03/09/psexec-demystified/", "https://labs.vipre.com/trickbot-and-its-modules/", "https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"name": "Executable File Written in Administrative SMB Share", "analytic_story": ["Active Directory Lateral Movement", "Prestige Ransomware", "Graceful Wipe Out Attack", "Industroyer2", "IcedID", "Data Destruction", "Hermetic Wiper", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "$user$ dropped or created an executable file in known sensitive SMB share. Share name=$Share_Name$, Target name=$Relative_Target_Name$, and Access mask=$Access_Mask$", "mitre_attack_id": ["T1021", "T1021.002"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Share_Name", "Relative_Target_Name", "Object_Type", "Access_Mask", "user", "src_port", "Source_Address"], "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/exe_smbshare/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "executable_file_written_in_administrative_smb_share_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/executable_file_written_in_administrative_smb_share.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Executables Or Script Creation In Suspicious Path", "id": "a7e3f0f0-ae42-11eb-b245-acde48001122", "version": 1, "date": "2023-06-13", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic identifies potentially malicious executables or scripts by examining a list of suspicious file paths on Windows Operating System. The purpose of this technique is to uncover files with known file extensions that could be used by adversaries to evade detection and persistence. The suspicious file paths selected for investigation are typically uncommon and uncommonly associated with executable or script files. By scrutinizing these paths, we can proactively identify potential security threats and enhance overall system security.", "data_source": ["Sysmon Event ID 11"], "search": "|tstats `security_content_summariesonly` values(Filesystem.file_path) as file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name = *.exe OR Filesystem.file_name = *.dll OR Filesystem.file_name = *.sys OR Filesystem.file_name = *.com OR Filesystem.file_name = *.vbs OR Filesystem.file_name = *.vbe OR Filesystem.file_name = *.js OR Filesystem.file_name = *.ps1 OR Filesystem.file_name = *.bat OR Filesystem.file_name = *.cmd OR Filesystem.file_name = *.pif) AND ( Filesystem.file_path = *\\\\windows\\\\fonts\\\\* OR Filesystem.file_path = *\\\\windows\\\\temp\\\\* OR Filesystem.file_path = *\\\\users\\\\public\\\\* OR Filesystem.file_path = *\\\\windows\\\\debug\\\\* OR Filesystem.file_path = *\\\\Users\\\\Administrator\\\\Music\\\\* OR Filesystem.file_path = *\\\\Windows\\\\servicing\\\\* OR Filesystem.file_path = *\\\\Users\\\\Default\\\\* OR Filesystem.file_path = *Recycle.bin* OR Filesystem.file_path = *\\\\Windows\\\\Media\\\\* OR Filesystem.file_path = *\\\\Windows\\\\repair\\\\* OR Filesystem.file_path = *\\\\AppData\\\\Local\\\\Temp* OR Filesystem.file_path = *\\\\PerfLogs\\\\*) by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `executables_or_script_creation_in_suspicious_path_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "Administrators may allow creation of script or exe in the paths specified. Filter as needed.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://twitter.com/pr0xylife/status/1590394227758104576", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"name": "Executables Or Script Creation In Suspicious Path", "analytic_story": ["WhisperGate", "XMRig", "Industroyer2", "Remcos", "Data Destruction", "Hermetic Wiper", "Azorult", "DarkCrystal RAT", "Graceful Wipe Out Attack", "IcedID", "Swift Slicer", "Qakbot", "RedLine Stealer", "Brute Ratel C4", "AsyncRAT", "LockBit Ransomware", "AgentTesla", "Double Zero Destructor", "Volt Typhoon", "Chaos Ransomware", "Trickbot", "Amadey"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "kill_chain_phases": ["Exploitation"], "message": "Suspicious executable or scripts with file name $file_name$, $file_path$ and process_id $process_id$ executed in suspicious file path in Windows by $user$", "mitre_attack_id": ["T1036"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_id", "type": "Process", "role": ["Attacker"]}, {"name": "file_name", "type": "File Name", "role": ["Other", "Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.file_path", "Filesystem.file_create_time", "Filesystem.process_id", "Filesystem.file_name", "Filesystem.user"], "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "executables_or_script_creation_in_suspicious_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Execute Javascript With Jscript COM CLSID", "id": "dc64d064-d346-11eb-8588-acde48001122", "version": 1, "date": "2021-06-22", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic will identify suspicious process of cscript.exe where it tries to execute javascript using jscript.encode CLSID (COM OBJ). This technique was seen in ransomware (reddot ransomware) where it execute javascript with this com object with combination of amsi disabling technique.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"cscript.exe\" Processes.process=\"*-e:{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}*\" by Processes.parent_process_name Processes.process_name Processes.process Processes.parent_process Processes.process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `execute_javascript_with_jscript_com_clsid_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "unknown", "references": ["https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/"], "tags": {"name": "Execute Javascript With Jscript COM CLSID", "analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Installation"], "message": "Suspicious process of cscript.exe with a parent process $parent_process_name$ where it tries to execute javascript using jscript.encode CLSID (COM OBJ), detected on $dest$ by $user$", "mitre_attack_id": ["T1059", "T1059.005"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_id", "type": "Process", "role": ["Attacker"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process", "Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.parent_process", "Processes.process_id", "Processes.dest", "Processes.user"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "execute_javascript_with_jscript_com_clsid_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Execution of File with Multiple Extensions", "id": "b06a555e-dce0-417d-a2eb-28a5d8d66ef7", "version": 3, "date": "2020-11-18", "author": "Rico Valdez, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search looks for processes launched from files that have double extensions in the file name. This is typically done to obscure the \"real\" file extension and make it appear as though the file being accessed is a data file, as opposed to executable content.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*.doc.exe\", \"*.xls.exe\",\"*.ppt.exe\", \"*.htm.exe\", \"*.html.exe\", \"*.txt.exe\", \"*.pdf.exe\", \"*.docx.exe\", \"*.xlsx.exe\", \"*.pptx.exe\",\"*.one.exe\", \"*.bat.exe\", \"*rtf.exe\") by Processes.dest Processes.user Processes.process Processes.parent_process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `execution_of_file_with_multiple_extensions_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node.", "known_false_positives": "None identified.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"name": "Execution of File with Multiple Extensions", "analytic_story": ["Windows File Extension and Association Abuse", "Masquerading - Rename System Utilities", "AsyncRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "process $process$ have double extensions in the file name is executed on $dest$ by $user$", "mitre_attack_id": ["T1036", "T1036.003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process", "type": "Process", "role": ["Parent Process", "Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.dest", "Processes.user", "Processes.parent_process"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "execution_of_file_with_multiple_extensions_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/execution_of_file_with_multiple_extensions.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Extraction of Registry Hives", "id": "8bbb7d58-b360-11eb-ba21-acde48001122", "version": 2, "date": "2021-09-09", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of `reg.exe` exporting Windows Registry hives containing credentials. Adversaries may use this technique to export registry hives for offline credential access attacks. Typically found executed from a untrusted process or script. Upon execution, a file will be written to disk.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` (Processes.process=*save* OR Processes.process=*export*) AND (Processes.process=\"*\\sam *\" OR Processes.process=\"*\\system *\" OR Processes.process=\"*\\security *\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `extraction_of_registry_hives_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "It is possible some agent based products will generate false positives. Filter as needed.", "references": ["https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"], "tags": {"name": "Extraction of Registry Hives", "analytic_story": ["DarkSide Ransomware", "Credential Dumping", "CISA AA22-257A", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "Suspicious use of `reg.exe` exporting Windows Registry hives containing credentials executed on $dest$ by user $user$, with a parent process of $parent_process_id$", "mitre_attack_id": ["T1003.002", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_id", "type": "Process", "role": ["Parent Process", "Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "extraction_of_registry_hives_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/extraction_of_registry_hives.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "File with Samsam Extension", "id": "02c6cfc2-ae66-4735-bfc7-6291da834cbf", "version": 1, "date": "2018-12-14", "author": "Rico Valdez, Splunk", "type": "TTP", "status": "production", "description": "The search looks for file writes with extensions consistent with a SamSam ransomware attack.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`| rex field=file_name \"(?\\.[^\\.]+)$\" | search file_extension=.stubbin OR file_extension=.berkshire OR file_extension=.satoshi OR file_extension=.sophos OR file_extension=.keyxml | `file_with_samsam_extension_filter`", "how_to_implement": "You must be ingesting data that records file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.", "known_false_positives": "Because these extensions are not typically used in normal operations, you should investigate all results.", "references": [], "tags": {"name": "File with Samsam Extension", "analytic_story": ["SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": [], "message": "File writes $file_name$ with extensions consistent with a SamSam ransomware attack seen on $dest$", "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Other", "Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.user", "Filesystem.dest", "Filesystem.file_path", "Filesystem.file_name"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": []}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/samsam_extension/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "file_with_samsam_extension_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/file_with_samsam_extension.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Firewall Allowed Program Enable", "id": "9a8f63a8-43ac-11ec-904c-acde48001122", "version": 1, "date": "2021-11-12", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic detects a potential suspicious modification of firewall rule allowing to execute specific application. This technique was identified when an adversary and red teams to bypassed firewall file execution restriction in a targetted host. Take note that this event or command can run by administrator during testing or allowing legitimate tool or application.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*firewall*\" Processes.process = \"*allow*\" Processes.process = \"*add*\" Processes.process = \"*ENABLE*\" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `firewall_allowed_program_enable_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "A network operator or systems administrator may utilize an automated or manual execution of this firewall rule that may generate false positives. Filter as needed.", "references": ["https://app.any.run/tasks/ad4c3cda-41f2-4401-8dba-56cc2d245488/"], "tags": {"name": "Firewall Allowed Program Enable", "analytic_story": ["Windows Defense Evasion Tactics", "Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "firewall allowed program commandline $process$ of $process_name$ on $dest$ by $user$", "mitre_attack_id": ["T1562.004", "T1562"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/vilsel/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "firewall_allowed_program_enable_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/firewall_allowed_program_enable.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "First Time Seen Child Process of Zoom", "id": "e91bd102-d630-4e76-ab73-7e3ba22c5961", "version": 1, "date": "2020-05-20", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search looks for child processes spawned by zoom.exe or zoom.us that has not previously been seen.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` min(_time) as firstTime values(Processes.parent_process_name) as parent_process_name values(Processes.parent_process_id) as parent_process_id values(Processes.process_name) as process_name values(Processes.process) as process from datamodel=Endpoint.Processes where (Processes.parent_process_name=zoom.exe OR Processes.parent_process_name=zoom.us) by Processes.process_id Processes.dest | `drop_dm_object_name(Processes)` | lookup zoom_first_time_child_process dest as dest process_name as process_name OUTPUT firstTimeSeen | where isnull(firstTimeSeen) OR firstTimeSeen > relative_time(now(), \"`previously_seen_zoom_child_processes_window`\") | `security_content_ctime(firstTime)` | table firstTime dest, process_id, process_name, parent_process_id, parent_process_name |`first_time_seen_child_process_of_zoom_filter`", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You should run the baseline search `Previously Seen Zoom Child Processes - Initial` to build the initial table of child processes and hostnames for this search to work. You should also schedule at the same interval as this search the second baseline search `Previously Seen Zoom Child Processes - Update` to keep this table up to date and to age out old child processes. Please update the `previously_seen_zoom_child_processes_window` macro to adjust the time window.", "known_false_positives": "A new child process of zoom isn't malicious by that fact alone. Further investigation of the actions of the child process is needed to verify any malicious behavior is taken.", "references": [], "tags": {"name": "First Time Seen Child Process of Zoom", "analytic_story": ["Suspicious Zoom Child Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "Child process $process_name$ with $process_id$ spawned by zoom.exe or zoom.us which has not been previously on host $dest$", "mitre_attack_id": ["T1068"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker", "Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.parent_process_name", "Processes.parent_process_id", "Processes.process_name", "Processes.process", "Processes.parent_process_name", "Processes.process_id", "Processes.dest"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "previously_seen_zoom_child_processes_window", "definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new zoom child processes"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "first_time_seen_child_process_of_zoom_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "zoom_first_time_child_process", "description": "A list of suspicious file names", "collection": "zoom_first_time_child_process", "fields_list": "_key, dest, process_name, firstTimeSeen, lastTimeSeen"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/first_time_seen_child_process_of_zoom.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "First Time Seen Running Windows Service", "id": "823136f2-d755-4b6d-ae04-372b486a5808", "version": 4, "date": "2020-07-21", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search looks for the first and last time a Windows service is seen running in your environment. This table is then cached.", "data_source": ["Sysmon Event ID 7"], "search": "`wineventlog_system` EventCode=7036 | rex field=Message \"The (?[-\\(\\)\\s\\w]+) service entered the (?\\w+) state\" | where state=\"running\" | lookup previously_seen_running_windows_services service as service OUTPUT firstTimeSeen | where isnull(firstTimeSeen) OR firstTimeSeen > relative_time(now(), `previously_seen_windows_services_window`) | table _time dest service | `first_time_seen_running_windows_service_filter`", "how_to_implement": "While this search does not require you to adhere to Splunk CIM, you must be ingesting your Windows system event logs in order for this search to execute successfully. You should run the baseline search `Previously Seen Running Windows Services - Initial` to build the initial table of child processes and hostnames for this search to work. You should also schedule at the same interval as this search the second baseline search `Previously Seen Running Windows Services - Update` to keep this table up to date and to age out old Windows Services. Please update the `previously_seen_windows_services_window` macro to adjust the time window. Please ensure that the Splunk Add-on for Microsoft Windows is version 8.0.0 or above.", "known_false_positives": "A previously unseen service is not necessarily malicious. Verify that the service is legitimate and that was installed by a legitimate process.", "references": [], "tags": {"name": "First Time Seen Running Windows Service", "analytic_story": ["Windows Service Abuse", "Orangeworm Attack Group", "NOBELIUM Group"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "tbd", "mitre_attack_id": ["T1569", "T1569.002"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Message", "dest"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}]}, "datamodel": [], "macros": [{"name": "previously_seen_windows_services_window", "definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new Windows services"}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "first_time_seen_running_windows_service_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "previously_seen_running_windows_services", "description": "A placeholder for the list of Windows Services running", "collection": "previously_seen_running_windows_services", "fields_list": "_key, service, firstTimeSeen, lastTimeSeen"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/first_time_seen_running_windows_service.yml", "source": "endpoint"}, {"name": "FodHelper UAC Bypass", "id": "909f8fd8-7ac8-11eb-a1f3-acde48001122", "version": 1, "date": "2021-03-01", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "Fodhelper.exe has a known UAC bypass as it attempts to look for specific registry keys upon execution, that do not exist. Therefore, an attacker can write its malicious commands in these registry keys to be executed by fodhelper.exe with the highest privilege. \\\n1. `HKCU:\\Software\\Classes\\ms-settings\\shell\\open\\command`\\\n1. `HKCU:\\Software\\Classes\\ms-settings\\shell\\open\\command\\DelegateExecute`\\\n1. `HKCU:\\Software\\Classes\\ms-settings\\shell\\open\\command\\(default)`\\\nUpon triage, fodhelper.exe will have a child process and read access will occur on the registry keys. Isolate the endpoint and review parallel processes for additional behavior.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=fodhelper.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `fodhelper_uac_bypass_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Limited to no false positives are expected.", "references": ["https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md", "https://github.com/gushmazuko/WinBypass/blob/master/FodhelperBypass.ps1", "https://attack.mitre.org/techniques/T1548/002/"], "tags": {"name": "FodHelper UAC Bypass", "analytic_story": ["Windows Defense Evasion Tactics", "IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "Suspcious registy keys added by process fodhelper.exe (process_id- $process_id), with a parent_process of $parent_process_name$ that has been executed on $dest$ by $user$.", "mitre_attack_id": ["T1112", "T1548.002", "T1548"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process", "Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.parent_process_name", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "fodhelper_uac_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/fodhelper_uac_bypass.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Fsutil Zeroing File", "id": "4e5e024e-fabb-11eb-8b8f-acde48001122", "version": 1, "date": "2021-08-11", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious fsutil process to zeroing a target file. This technique was seen in lockbit ransomware where it tries to zero out its malware path as part of its defense evasion after encrypting the compromised host.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fsutil.exe Processes.process=\"*setzerodata*\" by Processes.user Processes.process_name Processes.parent_process_name Processes.dest Processes.process Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `fsutil_zeroing_file_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "references": ["https://app.any.run/tasks/e0ac072d-58c9-4f53-8a3b-3e491c7ac5db/", "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/"], "tags": {"name": "Fsutil Zeroing File", "analytic_story": ["Ransomware", "LockBit Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "Possible file data deletion on $dest$ using $process$", "mitre_attack_id": ["T1070"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.user", "Processes.process_name", "Processes.parent_process_name", "Processes.dest", "Processes.process", "Processes.parent_process"], "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070/fsutil_file_zero/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "fsutil_zeroing_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/fsutil_zeroing_file.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Get ADDefaultDomainPasswordPolicy with Powershell", "id": "36e46ebe-065a-11ec-b4c7-acde48001122", "version": 1, "date": "2021-08-26", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `powershell.exe` executing the Get-ADDefaultDomainPasswordPolicy commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"cmd.exe\" OR Processes.process_name=\"powershell*\") AND Processes.process = \"*Get-ADDefaultDomainPasswordPolicy*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_addefaultdomainpasswordpolicy_with_powershell_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet", "https://attack.mitre.org/techniques/T1201/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2019-ps"], "tags": {"name": "Get ADDefaultDomainPasswordPolicy with Powershell", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "mitre_attack_id": ["T1201"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id", "Processes.parent_process_name"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "get_addefaultdomainpasswordpolicy_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Get ADDefaultDomainPasswordPolicy with Powershell Script Block", "id": "1ff7ccc8-065a-11ec-91e4-acde48001122", "version": 2, "date": "2022-03-22", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADDefaultDomainPasswordPolicy` commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText =\"*Get-ADDefaultDomainPasswordPolicy*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_addefaultdomainpasswordpolicy_with_powershell_script_block_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet", "https://attack.mitre.org/techniques/T1201/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2019-ps"], "tags": {"name": "Get ADDefaultDomainPasswordPolicy with Powershell Script Block", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "powershell process having commandline $Message$ to query domain password policy", "mitre_attack_id": ["T1201"], "nist": ["DE.AE"], "observable": [{"name": "ComputerName", "type": "Hostname", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Message", "ComputerName", "User"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "get_addefaultdomainpasswordpolicy_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell_script_block.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Get ADUser with PowerShell", "id": "0b6ee3f4-04e3-11ec-a87d-acde48001122", "version": 1, "date": "2021-08-24", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to enumerate domain users. The `Get-AdUser' commandlet returns a list of all domain users. Red Teams and adversaries alike may use this commandlet to identify remote systems for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"cmd.exe\" OR Processes.process_name=\"powershell*\") AND Processes.process = \"*Get-ADUser*\" AND Processes.process = \"*-filter*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduser_with_powershell_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://www.blackhillsinfosec.com/red-blue-purple/", "https://attack.mitre.org/techniques/T1087/002/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduser?view=windowsserver2019-ps"], "tags": {"name": "Get ADUser with PowerShell", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "mitre_attack_id": ["T1087.002", "T1087"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id", "Processes.parent_process_name"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "get_aduser_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/get_aduser_with_powershell.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Get ADUser with PowerShell Script Block", "id": "21432e40-04f4-11ec-b7e6-acde48001122", "version": 2, "date": "2022-09-13", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-AdGUser` commandlet. The `Get-AdUser` commandlet is used to return a list of all domain users. Red Teams and adversaries may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*get-aduser*\" ScriptBlockText = \"*-filter*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduser_with_powershell_script_block_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://www.blackhillsinfosec.com/red-blue-purple/", "https://attack.mitre.org/techniques/T1087/002/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduser?view=windowsserver2019-ps"], "tags": {"name": "Get ADUser with PowerShell Script Block", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "powershell process having commandline $Message$ for user enumeration", "mitre_attack_id": ["T1087.002", "T1087"], "nist": ["DE.AE"], "observable": [{"name": "ComputerName", "type": "Hostname", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Message", "ComputerName", "User"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/aduser_powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "get_aduser_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/get_aduser_with_powershell_script_block.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Get ADUserResultantPasswordPolicy with Powershell", "id": "8b5ef342-065a-11ec-b0fc-acde48001122", "version": 1, "date": "2021-08-26", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `powershell.exe` executing the Get ADUserResultantPasswordPolicy commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"cmd.exe\" OR Processes.process_name=\"powershell*\") AND Processes.process = \"*Get-ADUserResultantPasswordPolicy*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduserresultantpasswordpolicy_with_powershell_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet", "https://attack.mitre.org/techniques/T1201/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduserresultantpasswordpolicy?view=windowsserver2019-ps"], "tags": {"name": "Get ADUserResultantPasswordPolicy with Powershell", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "mitre_attack_id": ["T1201"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id", "Processes.parent_process_name"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "get_aduserresultantpasswordpolicy_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Get ADUserResultantPasswordPolicy with Powershell Script Block", "id": "737e1eb0-065a-11ec-921a-acde48001122", "version": 2, "date": "2022-05-02", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADUserResultantPasswordPolicy` commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText=\"*Get-ADUserResultantPasswordPolicy*\" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduserresultantpasswordpolicy_with_powershell_script_block_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet", "https://attack.mitre.org/techniques/T1201/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduserresultantpasswordpolicy?view=windowsserver2019-ps"], "tags": {"name": "Get ADUserResultantPasswordPolicy with Powershell Script Block", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "powershell process having commandline $ScriptBlockText$ to query domain user password policy.", "mitre_attack_id": ["T1201"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "get_aduserresultantpasswordpolicy_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell_script_block.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Get DomainPolicy with Powershell", "id": "b8f9947e-065a-11ec-aafb-acde48001122", "version": 1, "date": "2021-08-26", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `powershell.exe` executing the `Get-DomainPolicy` commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"cmd.exe\" OR Processes.process_name=\"powershell*\") AND Processes.process = \"*Get-DomainPolicy*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domainpolicy_with_powershell_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainPolicy/", "https://attack.mitre.org/techniques/T1201/"], "tags": {"name": "Get DomainPolicy with Powershell", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "mitre_attack_id": ["T1201"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id", "Processes.parent_process_name"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "get_domainpolicy_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/get_domainpolicy_with_powershell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Get DomainPolicy with Powershell Script Block", "id": "a360d2b2-065a-11ec-b0bf-acde48001122", "version": 2, "date": "2022-05-02", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get DomainPolicy` commandlet used to obtain the password policy in a Windows domain. Red Teams and adversaries alike may use PowerShell to enumerate domain policies for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText =\"*Get-DomainPolicy*\" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domainpolicy_with_powershell_script_block_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainPolicy/", "https://attack.mitre.org/techniques/T1201/"], "tags": {"name": "Get DomainPolicy with Powershell Script Block", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "powershell process having commandline $ScriptBlockText$ to query domain policy.", "mitre_attack_id": ["T1201"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/domainpolicy.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "get_domainpolicy_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/get_domainpolicy_with_powershell_script_block.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Get-DomainTrust with PowerShell", "id": "4fa7f846-054a-11ec-a836-acde48001122", "version": 1, "date": "2021-08-24", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies Get-DomainTrust from PowerView in order to gather domain trust information. Typically, this is utilized within a script being executed and used to enumerate the domain trust information. This grants the adversary an understanding of how large or small the domain is. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=*get-domaintrust* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domaintrust_with_powershell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Limited false positives as this requires an active Administrator or adversary to bring in, import, and execute.", "references": ["https://blog.harmj0y.net/redteaming/a-guide-to-attacking-domain-trusts/"], "tags": {"name": "Get-DomainTrust with PowerShell", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 40, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Suspicious PowerShell Get-DomainTrust was identified on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1482"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "get_domaintrust_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/get_domaintrust_with_powershell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Get-DomainTrust with PowerShell Script Block", "id": "89275e7e-0548-11ec-bf75-acde48001122", "version": 2, "date": "2022-05-02", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \\\nThis analytic identifies Get-DomainTrust from PowerView in order to gather domain trust information. \\\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*get-domaintrust*\" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domaintrust_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "It is possible certain system management frameworks utilize this command to gather trust information.", "references": ["https://blog.harmj0y.net/redteaming/a-guide-to-attacking-domain-trusts/", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/"], "tags": {"name": "Get-DomainTrust with PowerShell Script Block", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 40, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Suspicious PowerShell Get-DomainTrust was identified on endpoint $Computer$ by user $UserID$.", "mitre_attack_id": ["T1482"], "nist": ["DE.CM"], "observable": [{"name": "UserID", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/domaintrust.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "get_domaintrust_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/get_domaintrust_with_powershell_script_block.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Get DomainUser with PowerShell", "id": "9a5a41d6-04e7-11ec-923c-acde48001122", "version": 1, "date": "2021-08-24", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to enumerate domain users. `Get-DomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain users for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"cmd.exe\" OR Processes.process_name=\"powershell*\") AND Processes.process = \"*Get-DomainUser*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domainuser_with_powershell_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainUser/"], "tags": {"name": "Get DomainUser with PowerShell", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "mitre_attack_id": ["T1087.002", "T1087"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id", "Processes.parent_process_name"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "get_domainuser_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/get_domainuser_with_powershell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Get DomainUser with PowerShell Script Block", "id": "61994268-04f4-11ec-865c-acde48001122", "version": 3, "date": "2022-11-13", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` commandlet. `GetDomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may use PowerView to enumerate domain users for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-DomainUser*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domainuser_with_powershell_script_block_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainUser/"], "tags": {"name": "Get DomainUser with PowerShell Script Block", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "powershell process having commandline $Message$ for user enumeration", "mitre_attack_id": ["T1087.002", "T1087"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Message", "ComputerName", "User"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "get_domainuser_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/get_domainuser_with_powershell_script_block.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Get-ForestTrust with PowerShell", "id": "584f4884-0bf1-11ec-a5ec-acde48001122", "version": 1, "date": "2021-09-02", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies Get-ForestTrust from PowerSploit in order to gather domain trust information. Typically, this is utilized within a script being executed and used to enumerate the domain trust information. This grants the adversary an understanding of how large or small the domain is. During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe OR Processes.process_name=cmd.exe Processes.process=*get-foresttrust* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_foresttrust_with_powershell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Limited false positives as this requires an active Administrator or adversary to bring in, import, and execute.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Get-ForestTrust/"], "tags": {"name": "Get-ForestTrust with PowerShell", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 40, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Suspicious PowerShell Get-ForestTrust was identified on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1482"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "get_foresttrust_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/get_foresttrust_with_powershell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Get-ForestTrust with PowerShell Script Block", "id": "70fac80e-0bf1-11ec-9ba0-acde48001122", "version": 2, "date": "2022-02-24", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \\\nThis analytic identifies Get-ForestTrust from PowerSploit in order to gather domain trust information. \\\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*get-foresttrust*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_foresttrust_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives may be present. Tune as needed.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Get-ForestTrust/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"name": "Get-ForestTrust with PowerShell Script Block", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 40, "impact": 30, "kill_chain_phases": ["Exploitation", "Installation"], "message": "Suspicious PowerShell Get-ForestTrust was identified on endpoint $Computer$ by user $UserID$.", "mitre_attack_id": ["T1482", "T1059.001"], "nist": ["DE.CM"], "observable": [{"name": "UserID", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ScriptBlockText", "Path", "Opcode", "Computer", "UserID"], "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/discovery/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "get_foresttrust_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/get_foresttrust_with_powershell_script_block.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Get WMIObject Group Discovery", "id": "5434f670-155d-11ec-8cca-acde48001122", "version": 1, "date": "2021-09-14", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following hunting analytic identifies the use of `Get-WMIObject Win32_Group` being used with PowerShell to identify local groups on the endpoint. \\ Typically, by itself, is not malicious but may raise suspicion based on time of day, endpoint and username. \\ During triage, review parallel processes and identify any further suspicious behavior.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=powershell.exe OR processes.process_name=cmd.exe) (Processes.process=\"*Get-WMIObject*\" AND Processes.process=\"*Win32_Group*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `get_wmiobject_group_discovery_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present. Tune as needed.", "references": ["https://attack.mitre.org/techniques/T1069/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"], "tags": {"name": "Get WMIObject Group Discovery", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "System group discovery on $dest$ by $user$.", "mitre_attack_id": ["T1069", "T1069.001"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "admin@338"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "get_wmiobject_group_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/get_wmiobject_group_discovery.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Get WMIObject Group Discovery with Script Block Logging", "id": "69df7f7c-155d-11ec-a055-acde48001122", "version": 2, "date": "2022-03-22", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \\\nThis analytic identifies the usage of `Get-WMIObject Win32_Group`, which is typically used as a way to identify groups on the endpoint. Typically, by itself, is not malicious but may raise suspicion based on time of day, endpoint and username. \\\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-WMIObject*\" AND ScriptBlockText = \"*Win32_Group*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_wmiobject_group_discovery_with_script_block_logging_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives may be present. Tune as needed.", "references": ["https://www.splunk.com/en_us/blog/security/powershell-detections-threat-research-release-august-2021.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/"], "tags": {"name": "Get WMIObject Group Discovery with Script Block Logging", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "System group discovery enumeration on $dest$ by $user$.", "mitre_attack_id": ["T1069", "T1069.001"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Message", "ComputerName", "User"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "admin@338"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "get_wmiobject_group_discovery_with_script_block_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/get_wmiobject_group_discovery_with_script_block_logging.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "GetAdComputer with PowerShell", "id": "c5a31f80-5888-4d81-9f78-1cc65026316e", "version": 1, "date": "2021-09-07", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. The `Get-AdComputer' commandlet returns a list of all domain computers. Red Teams and adversaries alike may use this commandlet to identify remote systems for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-AdComputer*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getadcomputer_with_powershell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1018/"], "tags": {"name": "GetAdComputer with PowerShell", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Remote system discovery enumeration on $dest$ by $user$", "mitre_attack_id": ["T1018"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "getadcomputer_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getadcomputer_with_powershell.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "GetAdComputer with PowerShell Script Block", "id": "a9a1da02-8e27-4bf7-a348-f4389c9da487", "version": 3, "date": "2022-05-02", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-AdGroup` commandlet. The `Get-AdGroup` commandlet is used to return a list of all domain computers. Red Teams and adversaries may leverage this commandlet to enumerate domain computers for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-AdComputer*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getadcomputer_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=windowsserver2019-ps"], "tags": {"name": "GetAdComputer with PowerShell Script Block", "analytic_story": ["Active Directory Discovery", "CISA AA22-320A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Remote system discovery enumeration on $Computer$ by $UserID$", "mitre_attack_id": ["T1018"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "getadcomputer_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getadcomputer_with_powershell_script_block.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "GetAdGroup with PowerShell", "id": "872e3063-0fc4-4e68-b2f3-f2b99184a708", "version": 1, "date": "2021-08-25", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. The `Get-AdGroup` commandlnet is used to return a list of all groups available in a Windows Domain. Red Teams and adversaries alike may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-AdGroup*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getadgroup_with_powershell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=windowsserver2019-ps"], "tags": {"name": "GetAdGroup with PowerShell", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Domain group discovery enumeration on $dest$ by $user$", "mitre_attack_id": ["T1069", "T1069.002"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "getadgroup_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getadgroup_with_powershell.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "GetAdGroup with PowerShell Script Block", "id": "e4c73d68-794b-468d-b4d0-dac1772bbae7", "version": 2, "date": "2022-03-22", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-AdGroup` commandlet. The `Get-AdGroup` commandlet is used to return a list of all domain groups. Red Teams and adversaries may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-ADGroup*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getadgroup_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=windowsserver2019-ps"], "tags": {"name": "GetAdGroup with PowerShell Script Block", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Domain group discovery enumeration using PowerShell on $dest$ by $user$", "mitre_attack_id": ["T1069", "T1069.002"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Message", "ComputerName", "User"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "getadgroup_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getadgroup_with_powershell_script_block.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "GetCurrent User with PowerShell", "id": "7eb9c3d5-c98c-4088-acc5-8240bad15379", "version": 1, "date": "2021-09-13", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `powerhsell.exe` with command-line arguments that execute the `GetCurrent` method of the WindowsIdentity .NET class. This method returns an object that represents the current Windows user. Red Teams and adversaries may leverage this method to identify the logged user on a compromised endpoint for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*System.Security.Principal.WindowsIdentity* OR Processes.process=*GetCurrent()*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getcurrent_user_with_powershell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1033/"], "tags": {"name": "GetCurrent User with PowerShell", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "System user discovery on $dest$", "mitre_attack_id": ["T1033"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Windshift", "Wizard Spider", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "getcurrent_user_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getcurrent_user_with_powershell.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "GetCurrent User with PowerShell Script Block", "id": "80879283-c30f-44f7-8471-d1381f6d437a", "version": 2, "date": "2022-03-22", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `GetCurrent` method of the WindowsIdentity .NET class. This method returns an object that represents the current Windows user. Red Teams and adversaries may leverage this method to identify the logged user on a compromised endpoint for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*[System.Security.Principal.WindowsIdentity]*\" ScriptBlockText = \"*GetCurrent()*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getcurrent_user_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1033/", "https://docs.microsoft.com/en-us/dotnet/api/system.security.principal.windowsidentity.getcurrent?view=net-6.0&viewFallbackFrom=net-5.0"], "tags": {"name": "GetCurrent User with PowerShell Script Block", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "System user discovery on $dest$", "mitre_attack_id": ["T1033"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Path", "Message", "OpCode", "ComputerName", "User", "EventCode"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Windshift", "Wizard Spider", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "getcurrent_user_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getcurrent_user_with_powershell_script_block.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "GetDomainComputer with PowerShell", "id": "ed550c19-712e-43f6-bd19-6f58f61b3a5e", "version": 1, "date": "2021-09-07", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. `Get-DomainComputer` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain groups for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-DomainComputer*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getdomaincomputer_with_powershell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use PowerView for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1018/"], "tags": {"name": "GetDomainComputer with PowerShell", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Remote system discovery enumeration on $dest$ by $user$", "mitre_attack_id": ["T1018"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "getdomaincomputer_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getdomaincomputer_with_powershell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "GetDomainComputer with PowerShell Script Block", "id": "f64da023-b988-4775-8d57-38e512beb56e", "version": 2, "date": "2022-05-02", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainComputer` commandlet. `GetDomainComputer` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may use PowerView to enumerate domain computers for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-DomainComputer*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getdomaincomputer_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use PowerView for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainComputer/"], "tags": {"name": "GetDomainComputer with PowerShell Script Block", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Remote system discovery with PowerView on $Computer$ by $user$", "mitre_attack_id": ["T1018"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "getdomaincomputer_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getdomaincomputer_with_powershell_script_block.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "GetDomainController with PowerShell", "id": "868ee0e4-52ab-484a-833a-6d85b7c028d0", "version": 1, "date": "2021-09-07", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. `Get-DomainController` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain groups for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-DomainController*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getdomaincontroller_with_powershell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use PowerView for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainController/"], "tags": {"name": "GetDomainController with PowerShell", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Remote system discovery using PowerView on $dest$ by $user$", "mitre_attack_id": ["T1018"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "getdomaincontroller_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getdomaincontroller_with_powershell.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "GetDomainController with PowerShell Script Block", "id": "676b600a-a94d-4951-b346-11329431e6c1", "version": 2, "date": "2022-05-02", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainController` commandlet. `Get-DomainController` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may use PowerView to enumerate domain computers for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-DomainController*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getdomaincontroller_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainController/"], "tags": {"name": "GetDomainController with PowerShell Script Block", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Remote system discovery with PowerView on $Computer$ by $UserID$", "mitre_attack_id": ["T1018"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/getdc.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "getdomaincontroller_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getdomaincontroller_with_powershell_script_block.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "GetDomainGroup with PowerShell", "id": "93c94be3-bead-4a60-860f-77ca3fe59903", "version": 1, "date": "2021-08-25", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. `Get-DomainGroup` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain groups for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-DomainGroup*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getdomaingroup_with_powershell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainGroup/"], "tags": {"name": "GetDomainGroup with PowerShell", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Domain group discovery with PowerView on $dest$ by $user$", "mitre_attack_id": ["T1069", "T1069.002"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "getdomaingroup_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getdomaingroup_with_powershell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "GetDomainGroup with PowerShell Script Block", "id": "09725404-a44f-4ed3-9efa-8ed5d69e4c53", "version": 2, "date": "2022-05-02", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainGroup` commandlet. `Get-DomainGroup` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. As the name suggests, `Get-DomainGroup` is used to query domain groups. Red Teams and adversaries may leverage this function to enumerate domain groups for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-DomainGroup*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getdomaingroup_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerView functions for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainGroup/"], "tags": {"name": "GetDomainGroup with PowerShell Script Block", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Domain group discovery enumeration using PowerView on $Computer$ by $UserID$", "mitre_attack_id": ["T1069", "T1069.002"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/domaingroup.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "getdomaingroup_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getdomaingroup_with_powershell_script_block.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "GetLocalUser with PowerShell", "id": "85fae8fa-0427-11ec-8b78-acde48001122", "version": 1, "date": "2021-08-23", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for local users. The `Get-LocalUser` commandlet is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-LocalUser*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getlocaluser_with_powershell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1087/001/"], "tags": {"name": "GetLocalUser with PowerShell", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Local user discovery enumeration using PowerShell on $dest$ by $user$", "mitre_attack_id": ["T1087", "T1087.001"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "getlocaluser_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getlocaluser_with_powershell.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "GetLocalUser with PowerShell Script Block", "id": "2e891cbe-0426-11ec-9c9c-acde48001122", "version": 2, "date": "2022-03-22", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-LocalUser` commandlet. The `Get-LocalUser` commandlet is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-LocalUser*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getlocaluser_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1087/001/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"name": "GetLocalUser with PowerShell Script Block", "analytic_story": ["Active Directory Discovery", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation", "Installation"], "message": "Local user discovery enumeration using PowerShell on $Computer$ by $user$", "mitre_attack_id": ["T1087", "T1087.001", "T1059.001"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ScriptBlockText", "Computer", "UserID"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "getlocaluser_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getlocaluser_with_powershell_script_block.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "GetNetTcpconnection with PowerShell", "id": "e02af35c-1de5-4afe-b4be-f45aba57272b", "version": 1, "date": "2021-08-25", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `powershell.exe` with command-line utilized to get a listing of network connections on a compromised system. The `Get-NetTcpConnection` commandlet lists the current TCP connections. Red Teams and adversaries alike may use this commandlet for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-NetTcpConnection*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getnettcpconnection_with_powershell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1049/", "https://docs.microsoft.com/en-us/powershell/module/nettcpip/get-nettcpconnection?view=windowsserver2019-ps"], "tags": {"name": "GetNetTcpconnection with PowerShell", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Network Connection discovery on $dest$ by $user$", "mitre_attack_id": ["T1049"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1049/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "getnettcpconnection_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getnettcpconnection_with_powershell.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "GetNetTcpconnection with PowerShell Script Block", "id": "091712ff-b02a-4d43-82ed-34765515d95d", "version": 2, "date": "2022-04-02", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-NetTcpconnection ` commandlet. This commandlet is used to return a listing of network connections on a compromised system. Red Teams and adversaries alike may use this commandlet for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Get-NetTcpconnection*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getnettcpconnection_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1049/", "https://docs.microsoft.com/en-us/powershell/module/nettcpip/get-nettcpconnection?view=windowsserver2019-ps"], "tags": {"name": "GetNetTcpconnection with PowerShell Script Block", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Network Connection discovery on $Computer$ by $user$", "mitre_attack_id": ["T1049"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/nettcpconnection.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "getnettcpconnection_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getnettcpconnection_with_powershell_script_block.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "GetWmiObject Ds Computer with PowerShell", "id": "7141122c-3bc2-4aaa-ab3b-7a85a0bbefc3", "version": 1, "date": "2021-09-07", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. The `Get-WmiObject` commandlet combined with the `DS_Computer` parameter can be used to return a list of all domain computers. Red Teams and adversaries alike may leverage WMI in this case, using PowerShell, to enumerate domain groups for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-WmiObject* AND Processes.process=\"*namespace root\\\\directory\\\\ldap*\" AND Processes.process=\"*class ds_computer*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_computer_with_powershell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1018/"], "tags": {"name": "GetWmiObject Ds Computer with PowerShell", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Remote system discovery enumeration using WMI on $dest$ by $user$", "mitre_attack_id": ["T1018"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 21, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "getwmiobject_ds_computer_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getwmiobject_ds_computer_with_powershell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "GetWmiObject Ds Computer with PowerShell Script Block", "id": "29b99201-723c-4118-847a-db2b3d3fb8ea", "version": 2, "date": "2022-05-02", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet. The `DS_Computer` class parameter leverages WMI to query for all domain computers. Red Teams and adversaries may leverage this commandlet to enumerate domain computers for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (ScriptBlockText=*Get-WmiObject* AND ScriptBlockText=\"*namespace root\\\\directory\\\\ldap*\" AND ScriptBlockText=\"*class ds_computer*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getwmiobject_ds_computer_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1"], "tags": {"name": "GetWmiObject Ds Computer with PowerShell Script Block", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Remote system discovery enumeration on $Computer$ by $UserID$", "mitre_attack_id": ["T1018"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "getwmiobject_ds_computer_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getwmiobject_ds_computer_with_powershell_script_block.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "GetWmiObject Ds Group with PowerShell", "id": "df275a44-4527-443b-b884-7600e066e3eb", "version": 1, "date": "2021-08-25", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. The `Get-WmiObject` commandlet combined with the `-class ds_group` parameter can be used to return the full list of groups in a Windows domain. Red Teams and adversaries alike may leverage WMI in this case, using PowerShell, to enumerate domain groups for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-WmiObject* AND Processes.process=\"*namespace root\\\\directory\\\\ldap*\" AND Processes.process=\"*class ds_group*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_group_with_powershell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1"], "tags": {"name": "GetWmiObject Ds Group with PowerShell", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Domain group discovery enumeration on $dest$ by $user$", "mitre_attack_id": ["T1069", "T1069.002"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "getwmiobject_ds_group_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getwmiobject_ds_group_with_powershell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "GetWmiObject Ds Group with PowerShell Script Block", "id": "67740bd3-1506-469c-b91d-effc322cc6e5", "version": 2, "date": "2022-05-02", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet used with specific parameters . The `DS_Group` parameter leverages WMI to query for all domain groups. Red Teams and adversaries may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (ScriptBlockText=*Get-WmiObject* AND ScriptBlockText=\"*namespace root\\\\directory\\\\ldap*\" AND ScriptBlockText=\"*class ds_group*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getwmiobject_ds_group_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1069/002/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1"], "tags": {"name": "GetWmiObject Ds Group with PowerShell Script Block", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Domain group discovery enumeration using PowerShell on $Computer$ by $UserID$", "mitre_attack_id": ["T1069", "T1069.002"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "getwmiobject_ds_group_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getwmiobject_ds_group_with_powershell_script_block.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "GetWmiObject DS User with PowerShell", "id": "22d3b118-04df-11ec-8fa3-acde48001122", "version": 1, "date": "2021-08-24", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain users. The `Get-WmiObject` commandlet combined with the `-class ds_user` parameter can be used to return the full list of users in a Windows domain. Red Teams and adversaries alike may leverage WMI in this case, using PowerShell, to enumerate domain users for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"cmd.exe\" OR Processes.process_name=\"powershell*\") AND Processes.process = \"*get-wmiobject*\" AND Processes.process = \"*ds_user*\" AND Processes.process = \"*root\\\\directory\\\\ldap*\" AND Processes.process = \"*-namespace*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_user_with_powershell_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://jpcertcc.github.io/ToolAnalysisResultSheet/details/dsquery.htm"], "tags": {"name": "GetWmiObject DS User with PowerShell", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "mitre_attack_id": ["T1087.002", "T1087"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id", "Processes.parent_process_name"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "getwmiobject_ds_user_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getwmiobject_ds_user_with_powershell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "GetWmiObject DS User with PowerShell Script Block", "id": "fabd364e-04f3-11ec-b34b-acde48001122", "version": 2, "date": "2022-05-02", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet. The `DS_User` class parameter leverages WMI to query for all domain users. Red Teams and adversaries may leverage this commandlet to enumerate domain users for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*get-wmiobject*\" ScriptBlockText = \"*ds_user*\" ScriptBlockText = \"*-namespace*\" ScriptBlockText = \"*root\\\\directory\\\\ldap*\" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_user_with_powershell_script_block_filter`", "how_to_implement": "he following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://www.blackhillsinfosec.com/red-blue-purple/", "https://docs.microsoft.com/en-us/windows/win32/wmisdk/describing-the-ldap-namespace"], "tags": {"name": "GetWmiObject DS User with PowerShell Script Block", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "powershell process having commandline $ScriptBlockText$ for user enumeration", "mitre_attack_id": ["T1087.002", "T1087"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "getwmiobject_ds_user_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getwmiobject_ds_user_with_powershell_script_block.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "GetWmiObject User Account with PowerShell", "id": "b44f6ac6-0429-11ec-87e9-acde48001122", "version": 1, "date": "2023-04-05", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query local users. The `Get-WmiObject` commandlet combined with the `Win32_UserAccount` parameter is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=*Get-WmiObject* AND Processes.process=*Win32_UserAccount*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_user_account_with_powershell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1087/001/"], "tags": {"name": "GetWmiObject User Account with PowerShell", "analytic_story": ["Winter Vivern", "Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Local user discovery enumeration using PowerShell on $dest$ by $user$", "mitre_attack_id": ["T1087", "T1087.001"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "getwmiobject_user_account_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getwmiobject_user_account_with_powershell.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "GetWmiObject User Account with PowerShell Script Block", "id": "640b0eda-0429-11ec-accd-acde48001122", "version": 2, "date": "2023-04-05", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet used with specific parameters. The `Win32_UserAccount` parameter is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (ScriptBlockText=\"*Get-WmiObject*\" AND ScriptBlockText=\"*Win32_UserAccount*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `getwmiobject_user_account_with_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1087/001/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"name": "GetWmiObject User Account with PowerShell Script Block", "analytic_story": ["Winter Vivern", "Active Directory Discovery", "Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation", "Installation"], "message": "Local user discovery enumeration using PowerShell on $Computer$ by $UserID$", "mitre_attack_id": ["T1087", "T1087.001", "T1059.001"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ScriptBlockText", "Computer", "UserID"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "getwmiobject_user_account_with_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/getwmiobject_user_account_with_powershell_script_block.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "GPUpdate with no Command Line Arguments with Network", "id": "2c853856-a140-11eb-a5b5-acde48001122", "version": 2, "date": "2023-06-13", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies gpupdate.exe with no command line arguments and with a network connection. It is unusual for gpupdate.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. gpupdate.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=gpupdate.exe by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(gpupdate\\.exe.{0,4}$)\"| join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time dest parent_process_name process_name process_path process process_id dest_port C2 | `gpupdate_with_no_command_line_arguments_with_network_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Limited false positives may be present in small environments. Tuning may be required based on parent process.", "references": ["https://raw.githubusercontent.com/xx0hcd/Malleable-C2-Profiles/0ef8cf4556e26f6d4190c56ba697c2159faa5822/crimeware/trick_ryuk.profile", "https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/"], "tags": {"name": "GPUpdate with no Command Line Arguments with Network", "analytic_story": ["Cobalt Strike", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "Process gpupdate.exe with parent_process $parent_process_name$ is executed on $dest$ by user $user$, followed by an outbound network connection to $connection_to_CNC$ on port $dest_port$. This behaviour is seen with cobaltstrike.", "mitre_attack_id": ["T1055"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process", "Attacker"]}, {"name": "connection_to_CNC", "type": "IP Address", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventID", "process_name", "process_id", "parent_process_name", "dest_port", "process_path"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint", "Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "gpupdate_with_no_command_line_arguments_with_network_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Hide User Account From Sign-In Screen", "id": "834ba832-ad89-11eb-937d-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies a suspicious registry modification to hide a user account on the Windows Login screen. This technique was seen in some tradecraft where the adversary will create a hidden user account with Admin privileges in login screen to avoid noticing by the user that they already compromise and to persist on that said machine.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccounts\\\\Userlist*\" AND Registry.registry_value_data = \"0x00000000\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `hide_user_account_from_sign_in_screen_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "Unknown. Filter as needed.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"name": "Hide User Account From Sign-In Screen", "analytic_story": ["XMRig", "Windows Registry Abuse", "Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "Suspicious registry modification ($registry_value_name$) which is used go hide a user account on the Windows Login screen detected on $dest$ executed by $user$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "registry_value_name", "type": "Other", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/hotkey_disabled_hidden_user/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "hide_user_account_from_sign_in_screen_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/hide_user_account_from_sign_in_screen.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Hiding Files And Directories With Attrib exe", "id": "6e5a3ae4-90a3-462d-9aa6-0119f638c0f1", "version": 4, "date": "2020-07-21", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "Attackers leverage an existing Windows binary, attrib.exe, to mark specific as hidden by using specific flags so that the victim does not see the file. The search looks for specific command-line arguments to detect the use of attrib.exe to hide files.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=attrib.exe (Processes.process=*+h*) by Processes.parent_process Processes.process_name Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| `hiding_files_and_directories_with_attrib_exe_filter` ", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "Some applications and users may legitimately use attrib.exe to interact with the files. ", "references": [], "tags": {"name": "Hiding Files And Directories With Attrib exe", "analytic_story": ["Windows Defense Evasion Tactics", "Windows Persistence Techniques", "Azorult"], "asset_type": "", "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "Attrib.exe with +h flag to hide files on $dest$ executed by $user$ is detected.", "mitre_attack_id": ["T1222", "T1222.001"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process", "type": "Other", "role": ["Attacker", "Parent Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.process_name", "Processes.parent_process", "Processes.user", "Processes.dest"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1222.001", "mitre_attack_technique": "Windows File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "hiding_files_and_directories_with_attrib_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "High Frequency Copy Of Files In Network Share", "id": "40925f12-4709-11ec-bb43-acde48001122", "version": 1, "date": "2021-11-16", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to detect a suspicious high frequency copying/moving of files in network share as part of information sabotage. This anomaly event can be a good indicator of insider trying to sabotage data by transfering classified or internal files within network share to exfitrate it after or to lure evidence of insider attack to other user. This behavior may catch several noise if network share is a common place for classified or internal document processing.", "data_source": ["Sysmon Event ID 5"], "search": "`wineventlog_security` EventCode=5145 Relative_Target_Name IN (\"*.doc\",\"*.docx\",\"*.xls\",\"*.xlsx\",\"*.ppt\",\"*.pptx\",\"*.log\",\"*.txt\",\"*.db\",\"*.7z\",\"*.zip\",\"*.rar\",\"*.tar\",\"*.gz\",\"*.jpg\",\"*.gif\",\"*.png\",\"*.bmp\",\"*.pdf\",\"*.rtf\",\"*.key\") Object_Type=File Share_Name IN (\"\\\\\\\\*\\\\C$\",\"\\\\\\\\*\\\\IPC$\",\"\\\\\\\\*\\\\admin$\") Access_Mask= \"0x2\" | bucket _time span=5m | stats values(Relative_Target_Name) as valRelativeTargetName, values(Share_Name) as valShareName, values(Object_Type) as valObjectType, values(Access_Mask) as valAccessmask, values(src_port) as valSrcPort, values(Source_Address) as valSrcAddress count as numShareName by dest, _time, EventCode, user | eventstats avg(numShareName) as avgShareName, stdev(numShareName) as stdShareName, count as numSlots by dest, _time, EventCode, user | eval upperThreshold=(avgShareName + stdShareName *3) | eval isOutlier=if(avgShareName > 20 and avgShareName >= upperThreshold, 1, 0) | search isOutlier=1 | `high_frequency_copy_of_files_in_network_share_filter`", "how_to_implement": "o successfully implement this search, you need to be ingesting Windows Security Event Logs with 5145 EventCode enabled. The Windows TA is also required. Also enable the object Audit access success/failure in your group policy.", "known_false_positives": "this behavior may seen in normal transfer of file within network if network share is common place for sharing documents.", "references": ["https://attack.mitre.org/techniques/T1537/"], "tags": {"name": "High Frequency Copy Of Files In Network Share", "analytic_story": ["Information Sabotage", "Insider Threat"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Actions on Objectives"], "message": "high frequency copy of document in network share $Share_Name$ from $Source_Address$ by $user$", "mitre_attack_id": ["T1537"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Share_Name", "Relative_Target_Name", "Object_Type", "Access_Mask", "user", "src_port", "Source_Address"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/high_copy_files_in_net_share/security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "high_frequency_copy_of_files_in_network_share_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/high_frequency_copy_of_files_in_network_share.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "High Process Termination Frequency", "id": "17cd75b2-8666-11eb-9ab4-acde48001122", "version": 2, "date": "2022-09-14", "author": "Teoderick Contreras", "type": "Anomaly", "status": "production", "description": "This analytic is designed to identify a high frequency of process termination events on a computer in a short period of time, which is a common behavior of ransomware malware before encrypting files. This technique is designed to avoid an exception error while accessing (docs, images, database and etc..) in the infected machine for encryption.", "data_source": ["Sysmon Event ID 5"], "search": "`sysmon` EventCode=5 |bin _time span=3s |stats values(Image) as proc_terminated min(_time) as firstTime max(_time) as lastTime count by _time Computer EventCode ProcessID | where count >= 15 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `high_process_termination_frequency_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Image (process full path of terminated process) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "admin or user tool that can terminate multiple process.", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html"], "tags": {"name": "High Process Termination Frequency", "analytic_story": ["Clop Ransomware", "LockBit Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "message": "High frequency process termination (more than 15 processes within 3s) detected on host $Computer$", "mitre_attack_id": ["T1486"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}, {"name": "proc_terminated", "type": "Process", "role": ["Target"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["EventCode", "Image", "Computer", "_time", "ProcessID"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "high_process_termination_frequency_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/high_process_termination_frequency.yml", "source": "endpoint"}, {"name": "Hunting 3CXDesktopApp Software", "id": "553d0429-1a1c-44bf-b3f5-a8513deb9ee5", "version": 1, "date": "2023-03-30", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The hunting analytic outlined below is designed to detect any version of the 3CXDesktopApp, also known as the 3CX Desktop App, operating on either Mac or Windows systems. It is important to note that this particular analytic employs the Endpoint datamodel Processes node, which means that the file version information is not provided. Recently, 3CX has identified a vulnerability specifically in versions 18.12.407 and 18.12.416 of the desktop app.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=3CXDesktopApp.exe OR Processes.process_name=\"3CX Desktop App\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `hunting_3cxdesktopapp_software_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "There may be false positives generated due to the reliance on version numbers for identification purposes. Despite this limitation, the primary goal of this approach is to aid in the detection of the software within the environment.", "references": ["https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/", "https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp", "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/", "https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898", "https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/"], "tags": {"name": "Hunting 3CXDesktopApp Software", "analytic_story": ["3CX Supply Chain Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Delivery"], "message": "An instance $process_name$ was identified on endpoint $dest$.", "mitre_attack_id": ["T1195.002"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2023-29059"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1195.002", "mitre_attack_technique": "Compromise Software Supply Chain", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT41", "Cobalt Group", "Dragonfly", "GOLD SOUTHFIELD", "Sandworm Team", "Threat Group-3390"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.002/3CX/3cx_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "hunting_3cxdesktopapp_software_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2023-29059", "cvss": null, "summary": "3CX DesktopApp through 18.12.416 has embedded malicious code, as exploited in the wild in March 2023. This affects versions 18.12.407 and 18.12.416 of the 3CX DesktopApp Electron Windows application shipped in Update 7, and versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 of the 3CX DesktopApp Electron macOS application."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/hunting_3cxdesktopapp_software.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Icacls Deny Command", "id": "cf8d753e-a8fe-11eb-8f58-acde48001122", "version": 1, "date": "2023-06-06", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies instances where an adversary modifies the security permissions of a particular file or directory. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. The purpose of this behavior is to actively evade detection and impede access to their associated files. By identifying these security permission changes, we can enhance our ability to detect and respond to potential threats, mitigating the impact of malicious activities on the system.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( \"icacls.exe\", \"cacls.exe\", \"xcacls.exe\") AND Processes.process IN (\"*/deny*\", \"*/D*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `icacls_deny_command_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed icacls.exe may be used.", "known_false_positives": "Unknown. It is possible some administrative scripts use ICacls. Filter as needed.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"name": "Icacls Deny Command", "analytic_story": ["XMRig", "Azorult", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "Process name $process_name$ with deny argument executed by $user$ to change security permission of a specific file or directory on host $dest$", "mitre_attack_id": ["T1222"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.parent_process_name", "Processes.process_name", "Processes.dest", "Processes.user", "Processes.process_id", "Processes.process"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "icacls_deny_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/icacls_deny_command.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "ICACLS Grant Command", "id": "b1b1e316-accc-11eb-a9b4-acde48001122", "version": 1, "date": "2023-06-06", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies adversaries who manipulate the security permissions of specific files or directories by granting additional access. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. The objective behind this behavior is to actively evade detection mechanisms and tightly control access to their associated files. By identifying these security permission modifications, we can improve our ability to identify and respond to potential threats, thereby minimizing the impact of malicious activities on the system.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( \"icacls.exe\", \"cacls.exe\", \"xcacls.exe\") AND Processes.process IN (\"*/grant*\", \"*/G*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `icacls_grant_command_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed icacls.exe may be used.", "known_false_positives": "Unknown. Filter as needed.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"name": "ICACLS Grant Command", "analytic_story": ["XMRig", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Process name $process_name$ with grant argument executed by $user$ to change security permission of a specific file or directory on host $dest$", "mitre_attack_id": ["T1222"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.parent_process_name", "Processes.process_name", "Processes.dest", "Processes.user", "Processes.process_id", "Processes.process"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "icacls_grant_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/icacls_grant_command.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "IcedID Exfiltrated Archived File Creation", "id": "0db4da70-f14b-11eb-8043-acde48001122", "version": 1, "date": "2021-07-30", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "This search is to detect a suspicious file creation namely passff.tar and cookie.tar. This files are possible archived of stolen browser information like history and cookies in a compromised machine with IcedID.", "data_source": [], "search": "`sysmon` EventCode= 11 (TargetFilename = \"*\\\\passff.tar\" OR TargetFilename = \"*\\\\cookie.tar\") |stats count min(_time) as firstTime max(_time) as lastTime by TargetFilename EventCode process_id process_name Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `icedid_exfiltrated_archived_file_creation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "references": ["https://www.cisecurity.org/insights/white-papers/security-primer-icedid"], "tags": {"name": "IcedID Exfiltrated Archived File Creation", "analytic_story": ["IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "process $SourceImage$ create a file $TargetImage$ in host $Computer$", "mitre_attack_id": ["T1560.001", "T1560"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "TargetFilename", "EventCode", "process_id", "process_name", "Computer"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "Turla", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "icedid_exfiltrated_archived_file_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml", "source": "endpoint"}, {"name": "Impacket Lateral Movement Commandline Parameters", "id": "8ce07472-496f-11ec-ab3b-3e22fbd008af", "version": 3, "date": "2023-06-13", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the presence of suspicious commandline parameters typically present when using Impacket tools. Impacket is a collection of python classes meant to be used with Microsoft network protocols. There are multiple scripts that leverage impacket libraries like `wmiexec.py`, `smbexec.py`, `dcomexec.py` and `atexec.py` used to execute commands on remote endpoints. By default, these scripts leverage administrative shares and hardcoded parameters that can be used as a signature to detect its use. Red Teams and adversaries alike may leverage Impackets tools for lateral movement and remote code execution.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe (Processes.process = \"*/Q /c * \\\\\\\\127.0.0.1\\\\*$*\" AND Processes.process IN (\"*2>&1*\",\"*2>&1*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `impacket_lateral_movement_commandline_parameters_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints.", "known_false_positives": "Although uncommon, Administrators may leverage Impackets tools to start a process on remote systems for system administration or automation use cases.", "references": ["https://attack.mitre.org/techniques/T1021/002/", "https://attack.mitre.org/techniques/T1021/003/", "https://attack.mitre.org/techniques/T1047/", "https://attack.mitre.org/techniques/T1053/", "https://attack.mitre.org/techniques/T1053/005/", "https://github.com/SecureAuthCorp/impacket", "https://vk9-sec.com/impacket-remote-code-execution-rce-on-windows-from-linux/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"name": "Impacket Lateral Movement Commandline Parameters", "analytic_story": ["Active Directory Lateral Movement", "CISA AA22-277A", "WhisperGate", "Prestige Ransomware", "Volt Typhoon", "Graceful Wipe Out Attack", "Industroyer2", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "message": "Suspicious command line parameters on $dest$ may represent a lateral movement attack with Impackets tools", "mitre_attack_id": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/impacket/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "impacket_lateral_movement_commandline_parameters_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "id": "bb3c1bac-6bdf-4aa0-8dc9-068b8b712a76", "version": 1, "date": "2023-06-13", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "This analytic focuses on identifying suspicious command-line parameters commonly associated with the use of Impacket wmiexec.py. Impacket is a set of Python classes designed for working with Microsoft network protocols, and it includes several scripts like wmiexec.py, smbexec.py, dcomexec.py, and atexec.py that enable command execution on remote endpoints. These scripts typically utilize administrative shares and hardcoded parameters, which can serve as signatures to detect their usage. Both Red Teams and adversaries may employ Impacket tools for lateral movement and remote code execution purposes. By monitoring for these specific command-line indicators, the analytic aims to detect potentially malicious activities related to Impacket tool usage.", "data_source": ["Sysmon Event ID 1", "Windows Security 4688"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | where match(process, \"(?i)cmd\\.exe\\s+\\/Q\\s+\\/c\") AND match(process,\"(?i)echo\\s+cd\") AND match(process, \"(?i)\\\\__output\") AND match(process, \"(?i)C:\\\\\\\\Windows\\\\\\\\[a-zA-Z]{1,8}\\\\.bat\") AND match(process, \"\\\\\\\\127\\.0\\.0\\.1\\\\.*\") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `impacket_lateral_movement_smbexec_commandline_parameters_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Although uncommon, Administrators may leverage Impackets tools to start a process on remote systems for system administration or automation use cases.", "references": ["https://attack.mitre.org/techniques/T1021/002/", "https://attack.mitre.org/techniques/T1021/003/", "https://attack.mitre.org/techniques/T1047/", "https://attack.mitre.org/techniques/T1053/", "https://attack.mitre.org/techniques/T1053/005/", "https://github.com/SecureAuthCorp/impacket", "https://vk9-sec.com/impacket-remote-code-execution-rce-on-windows-from-linux/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "analytic_story": ["Active Directory Lateral Movement", "CISA AA22-277A", "WhisperGate", "Prestige Ransomware", "Volt Typhoon", "Graceful Wipe Out Attack", "Industroyer2", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "message": "Suspicious command-line parameters on $dest$ may represent lateral movement using smbexec.", "mitre_attack_id": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.process_name", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "atomic_guid": [], "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/atomic_red_team/smbexec_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "impacket_lateral_movement_smbexec_commandline_parameters_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "id": "d6e464e4-5c6a-474e-82d2-aed616a3a492", "version": 1, "date": "2023-06-13", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the presence of suspicious commandline parameters typically present when using Impacket tools. Impacket is a collection of python classes meant to be used with Microsoft network protocols. There are multiple scripts that leverage impacket libraries like `wmiexec.py`, `smbexec.py`, `dcomexec.py` and `atexec.py` used to execute commands on remote endpoints. By default, these scripts leverage administrative shares and hardcoded parameters that can be used as a signature to detect its use. Red Teams and adversaries alike may leverage Impackets tools for lateral movement and remote code execution.", "data_source": ["Sysmon Event ID 1", "Windows Security 4688"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=wmiprvse.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | where match(process, \"(?i)cmd\\.exe\\s+\\/Q\\s+\\/c\") AND match(process, \"\\\\\\\\127\\.0\\.0\\.1\\\\.*\") AND match(process, \"__\\\\d{1,10}\\\\.\\\\d{1,10}\") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `impacket_lateral_movement_wmiexec_commandline_parameters_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Although uncommon, Administrators may leverage Impackets tools to start a process on remote systems for system administration or automation use cases.", "references": ["https://attack.mitre.org/techniques/T1021/002/", "https://attack.mitre.org/techniques/T1021/003/", "https://attack.mitre.org/techniques/T1047/", "https://attack.mitre.org/techniques/T1053/", "https://attack.mitre.org/techniques/T1053/005/", "https://github.com/SecureAuthCorp/impacket", "https://vk9-sec.com/impacket-remote-code-execution-rce-on-windows-from-linux/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "analytic_story": ["Active Directory Lateral Movement", "CISA AA22-277A", "WhisperGate", "Prestige Ransomware", "Volt Typhoon", "Graceful Wipe Out Attack", "Industroyer2", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "message": "Suspicious command-line parameters on $dest$ may represent lateral movement using wmiexec.", "mitre_attack_id": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.process_name", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "atomic_guid": [], "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/atomic_red_team/wmiexec_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "impacket_lateral_movement_wmiexec_commandline_parameters_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Interactive Session on Remote Endpoint with PowerShell", "id": "a4e8f3a4-48b2-11ec-bcfc-3e22fbd008af", "version": 3, "date": "2022-03-22", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the usage of the `Enter-PSSession`. This commandlet can be used to open an interactive session on a remote endpoint leveraging the WinRM protocol. Red Teams and adversaries alike may abuse WinRM and `Enter-PSSession` for lateral movement and remote code execution.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (ScriptBlockText=\"*Enter-PSSession*\" AND ScriptBlockText=\"*-ComputerName*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `interactive_session_on_remote_endpoint_with_powershell_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators may leverage WinRM and `Enter-PSSession` for administrative and troubleshooting tasks. This activity is usually limited to a small set of hosts or users. In certain environments, tuning may not be possible.", "references": ["https://attack.mitre.org/techniques/T1021/006/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enter-pssession?view=powershell-7.2"], "tags": {"name": "Interactive Session on Remote Endpoint with PowerShell", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "An interactive session was opened on a remote endpoint from $ComputerName", "mitre_attack_id": ["T1021", "T1021.006"], "nist": ["DE.CM"], "observable": [{"name": "ComputerName", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Message", "ComputerName", "User"], "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "Threat Group-3390", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_pssession/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "interactive_session_on_remote_endpoint_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/interactive_session_on_remote_endpoint_with_powershell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Java Class File download by Java User Agent", "id": "8281ce42-5c50-11ec-82d2-acde48001122", "version": 1, "date": "2021-12-13", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a Java user agent performing a GET request for a .class file from the remote site. This is potentially indicative of exploitation of the Java application and may be related to current event CVE-2021-44228 (Log4Shell).", "data_source": [], "search": "| tstats count from datamodel=Web where Web.http_user_agent=\"*Java*\" Web.http_method=\"GET\" Web.url=\"*.class*\" by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `java_class_file_download_by_java_user_agent_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good.", "known_false_positives": "Filtering may be required in some instances, filter as needed.", "references": ["https://arstechnica.com/information-technology/2021/12/as-log4shell-wreaks-havoc-payroll-service-reports-ransomware-attack/"], "tags": {"name": "Java Class File download by Java User Agent", "analytic_story": ["Log4Shell CVE-2021-44228"], "asset_type": "Web Server", "cis20": ["CIS 13"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Delivery"], "message": "A Java user agent $http_user_agent$ was performing a $http_method$ to retrieve a remote class file.", "mitre_attack_id": ["T1190"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "http_user_agent", "type": "Other", "role": ["Other"]}, {"name": "http_method", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Web.http_method", "Web.url", "Web.url_length", "Web.src", "Web.dest", "Web.http_user_agent"], "risk_score": 40, "security_domain": "network", "risk_severity": "low", "cve": ["CVE-2021-44228"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/java/java.log", "source": "stream:http", "sourcetype": "stream:http"}]}], "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "java_class_file_download_by_java_user_agent_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-44228", "cvss": 9.3, "summary": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/java_class_file_download_by_java_user_agent.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Java Writing JSP File", "id": "eb65619c-4f8d-4383-a975-d352765d344b", "version": 2, "date": "2022-06-03", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the process java writing a .jsp to disk. This is potentially indicative of a web shell being written to disk. Modify and tune the analytic based on data ingested. For instance, it may be worth running a broad query for jsp file writes first before performing a join.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name IN (\"java\",\"java.exe\", \"javaw.exe\") by _time Processes.process_id Processes.process_name Processes.dest Processes.process_guid Processes.user | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_name=\"*.jsp*\" by _time Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid Filesystem.user | `drop_dm_object_name(Filesystem)` | fields _time process_guid file_path file_name file_create_time user dest process_name] | stats count min(_time) as firstTime max(_time) as lastTime by dest process_name process_guid file_name file_path file_create_time user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `java_writing_jsp_file_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives are possible and filtering may be required. Restrict by assets or filter known jsp files that are common for the environment.", "references": ["https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/", "https://github.com/TheGejr/SpringShell", "https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability"], "tags": {"name": "Java Writing JSP File", "analytic_story": ["Spring4Shell CVE-2022-22965", "Atlassian Confluence Server and Data Center CVE-2022-26134"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Delivery", "Installation"], "message": "An instance of $process_name$ was identified on endpoint $dest$ writing a jsp file to disk, potentially indicative of exploitation.", "mitre_attack_id": ["T1190", "T1133"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id", "Filesystem.dest", "Filesystem.file_create_time", "Filesystem.file_name", "Filesystem.file_path", "Filesystem.process_guid", "Filesystem.user"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2022-22965"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/java_write_jsp-linux-sysmon.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "java_writing_jsp_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-22965", "cvss": 7.5, "summary": "A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/java_writing_jsp_file.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Jscript Execution Using Cscript App", "id": "002f1e24-146e-11ec-a470-acde48001122", "version": 1, "date": "2021-09-13", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a execution of jscript using cscript process. Commonly when a user run jscript file it was executed by wscript.exe application. This technique was seen in FIN7 js implant to execute its malicious script using cscript process. This behavior is uncommon and a good artifacts to check further anomalies within the network", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = \"cscript.exe\" AND Processes.parent_process = \"*//e:jscript*\") OR (Processes.process_name = \"cscript.exe\" AND Processes.process = \"*//e:jscript*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `jscript_execution_using_cscript_app_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "references": ["https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation", "https://attack.mitre.org/groups/G0046/"], "tags": {"name": "Jscript Execution Using Cscript App", "analytic_story": ["FIN7", "Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "message": "Process name $process_name$ with commandline $process$ to execute jscript in $dest$", "mitre_attack_id": ["T1059", "T1059.007"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process_id", "Processes.process", "Processes.dest", "Processes.user"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_macro_js_1/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "jscript_execution_using_cscript_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/jscript_execution_using_cscript_app.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Kerberoasting spn request with RC4 encryption", "id": "5cc67381-44fa-4111-8a37-7a230943f027", "version": 4, "date": "2023-04-14", "author": "Jose Hernandez, Patrick Bareiss, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic leverages Kerberos Event 4769, A Kerberos service ticket was requested, to identify a potential kerberoasting attack against Active Directory networks. Kerberoasting allows an adversary to request kerberos tickets for domain accounts typically used as service accounts and attempt to crack them offline allowing them to obtain privileged access to the domain. This analytic looks for a specific combination of the Ticket_Options field based on common kerberoasting tools. Defenders should be aware that it may be possible for a Kerberoast attack to use different Ticket_Options.", "data_source": ["Windows Security 4769"], "search": "`wineventlog_security` EventCode=4769 Service_Name!=\"*$\" (Ticket_Options=0x40810000 OR Ticket_Options=0x40800000 OR Ticket_Options=0x40810010) Ticket_Encryption_Type=0x17 | stats count min(_time) as firstTime max(_time) as lastTime by dest, service, service_id, Ticket_Encryption_Type, Ticket_Options | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `kerberoasting_spn_request_with_rc4_encryption_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "Older systems that support kerberos RC4 by default like NetApp may generate false positives. Filter as needed", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/4e3e9c8096dde00639a6b98845ec349135554ed5/atomics/T1208/T1208.md", "https://www.hub.trimarcsecurity.com/post/trimarc-research-detecting-kerberoasting-activity"], "tags": {"name": "Kerberoasting spn request with RC4 encryption", "analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation", "Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "Potential kerberoasting attack via service principal name requests detected on $dest$", "mitre_attack_id": ["T1558", "T1558.003"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Ticket_Options", "Ticket_Encryption_Type", "dest", "service", "service_id"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/rubeus/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kerberoasting_spn_request_with_rc4_encryption_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Kerberos Pre-Authentication Flag Disabled in UserAccountControl", "id": "0cb847ee-9423-11ec-b2df-acde48001122", "version": 1, "date": "2022-02-22", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic leverages Windows Security Event 4738, `A user account was changed`, to identify a change performed on a domain user object that disables Kerberos Pre-Authentication. Disabling the Pre Authentication flag in the UserAccountControl property allows an adversary to easily perform a brute force attack against the user's password offline leveraging the ASP REP Roasting technique. Red Teams and adversaries alike who have obtained privileges in an Active Directory network may use this technique as a backdoor or a way to escalate privileges.", "data_source": ["Windows Security 4738"], "search": " `wineventlog_security` EventCode=4738 MSADChangedAttributes=\"*Don't Require Preauth' - Enabled*\" | table EventCode, Account_Name, Security_ID, MSADChangedAttributes | `kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `User Account Management` within `Account Management` needs to be enabled.", "known_false_positives": "Unknown.", "references": ["https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/"], "tags": {"name": "Kerberos Pre-Authentication Flag Disabled in UserAccountControl", "analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Kerberos Pre Authentication was Disabled for $Account_Name$", "mitre_attack_id": ["T1558", "T1558.004"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Account_Name", "Security_ID", "MSADChangedAttributes"], "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.004", "mitre_attack_technique": "AS-REP Roasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.004/powershell/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}]}], "datamodel": ["Change"], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Kerberos Pre-Authentication Flag Disabled with PowerShell", "id": "59b51620-94c9-11ec-b3d5-acde48001122", "version": 2, "date": "2022-03-22", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Set-ADAccountControl` commandlet with specific parameters. `Set-ADAccountControl` is part of the Active Directory PowerShell module used to manage Windows Active Directory networks. As the name suggests, `Set-ADAccountControl` is used to modify User Account Control values for an Active Directory domain account. With the appropiate parameters, Set-ADAccountControl allows adversaries to disable Kerberos Pre-Authentication for an account to to easily perform a brute force attack against the user's password offline leveraging the ASP REP Roasting technique. Red Teams and adversaries alike who have obtained privileges in an Active Directory network may use this technique as a backdoor or a way to escalate privileges.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Set-ADAccountControl*\" AND ScriptBlockText=\"*DoesNotRequirePreAuth:$true*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kerberos_pre_authentication_flag_disabled_with_powershell_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Although unlikely, Administrators may need to set this flag for legitimate purposes.", "references": ["https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/"], "tags": {"name": "Kerberos Pre-Authentication Flag Disabled with PowerShell", "analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Kerberos Pre Authentication was Disabled using PowerShell on $dest$", "mitre_attack_id": ["T1558", "T1558.004"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.004", "mitre_attack_technique": "AS-REP Roasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.004/powershell/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kerberos_pre_authentication_flag_disabled_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/kerberos_pre_authentication_flag_disabled_with_powershell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Kerberos Service Ticket Request Using RC4 Encryption", "id": "7d90f334-a482-11ec-908c-acde48001122", "version": 1, "date": "2022-03-15", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic leverages Kerberos Event 4769, A Kerberos service ticket was requested, to identify a potential Kerberos Service Ticket request related to a Golden Ticket attack. Adversaries who have obtained the Krbtgt account NTLM password hash may forge a Kerberos Granting Ticket (TGT) to obtain unrestricted access to an Active Directory environment. Armed with a Golden Ticket, attackers can request service tickets to move laterally and execute code on remote systems. Looking for Kerberos Service Ticket requests using the legacy RC4 encryption mechanism could represent the second stage of a Golden Ticket attack. RC4 usage should be rare on a modern network since Windows Vista & Windows Sever 2008 and newer support AES Kerberos encryption.\\ Defenders should note that if an attacker does not leverage the NTLM password hash but rather the AES key to create a golden ticket, this detection may be bypassed.", "data_source": ["Windows Security 4769"], "search": " `wineventlog_security` EventCode=4769 Service_Name=\"*$\" (Ticket_Options=0x40810000 OR Ticket_Options=0x40800000 OR Ticket_Options=0x40810010) Ticket_Encryption_Type=0x17 | stats count min(_time) as firstTime max(_time) as lastTime by dest, service, service_id, Ticket_Encryption_Type, Ticket_Options | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `kerberos_service_ticket_request_using_rc4_encryption_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "Based on Microsoft documentation, legacy systems or applications will use RC4-HMAC as the default encryption for Kerberos Service Ticket requests. Specifically, systems before Windows Server 2008 and Windows Vista. Newer systems will use AES128 or AES256.", "references": ["https://attack.mitre.org/techniques/T1558/001/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769", "https://adsecurity.org/?p=1515", "https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a", "https://en.hackndo.com/kerberos-silver-golden-tickets/"], "tags": {"name": "Kerberos Service Ticket Request Using RC4 Encryption", "analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "A Kerberos Service TTicket request with RC4 encryption was requested from $Client_Address$", "mitre_attack_id": ["T1558", "T1558.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Ticket_Options", "Ticket_Encryption_Type", "dest", "service", "service_id"], "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.001", "mitre_attack_technique": "Golden Ticket", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Ke3chang"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.001/impacket/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kerberos_service_ticket_request_using_rc4_encryption_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/kerberos_service_ticket_request_using_rc4_encryption.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Kerberos TGT Request Using RC4 Encryption", "id": "18916468-9c04-11ec-bdc6-acde48001122", "version": 1, "date": "2022-03-04", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic leverages Event 4768, A Kerberos authentication ticket (TGT) was requested, to identify a TGT request with encryption type 0x17, or RC4-HMAC. This encryption type is no longer utilized by newer systems and could represent evidence of an OverPass The Hash attack. Similar to Pass The Hash, OverPass The Hash is a form of credential theft that allows adversaries to move laterally or consume resources in a target network. Leveraging this attack, an adversary who has stolen the NTLM hash of a valid domain account is able to authenticate to the Kerberos Distribution Center(KDC) on behalf of the legitimate account and obtain a Kerberos TGT ticket. Depending on the privileges of the compromised account, this ticket may be used to obtain unauthorized access to systems and other network resources.", "data_source": ["Windows Security 4768"], "search": " `wineventlog_security` EventCode=4768 Ticket_Encryption_Type=0x17 Account_Name!=*$ | `kerberos_tgt_request_using_rc4_encryption_filter` ", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "Based on Microsoft documentation, legacy systems or applications will use RC4-HMAC as the default encryption for TGT requests. Specifically, systems before Windows Server 2008 and Windows Vista. Newer systems will use AES128 or AES256.", "references": ["https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/", "https://www.thehacker.recipes/ad/movement/kerberos/ptk", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768"], "tags": {"name": "Kerberos TGT Request Using RC4 Encryption", "analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "A Kerberos TGT request with RC4 encryption was requested for $Account_Name$ from $Client_Address$", "mitre_attack_id": ["T1550"], "nist": ["DE.CM"], "observable": [{"name": "Client_Address", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Ticket_Encryption_Type", "Account_Name", "Client_Address"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550/impacket/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kerberos_tgt_request_using_rc4_encryption_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/kerberos_tgt_request_using_rc4_encryption.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Kerberos User Enumeration", "id": "d82d4af4-a0bd-11ec-9445-3e22fbd008af", "version": 1, "date": "2022-03-10", "author": "Mauricio Velazco, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic leverages Event Id 4768, A Kerberos authentication ticket (TGT) was requested, to identify one source endpoint trying to obtain an unusual number Kerberos TGT ticket for non existing users. This behavior could represent an adversary abusing the Kerberos protocol to perform a user enumeration attack against an Active Directory environment. When Kerberos is sent a TGT request with no preauthentication for an invalid username, it responds with KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN or 0x6. Red teams and adversaries alike may abuse the Kerberos protocol to validate a list of users use them to perform further attacks.\\ The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number requests. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field.", "data_source": ["Windows Security 4768"], "search": " `wineventlog_security` EventCode=4768 Result_Code=0x6 Account_Name!=\"*$\" | bucket span=2m _time | stats dc(Account_Name) AS unique_accounts values(Account_Name) as tried_accounts by _time, Client_Address | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by Client_Address | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `kerberos_user_enumeration_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems.", "references": ["https://github.com/ropnop/kerbrute", "https://attack.mitre.org/techniques/T1589/002/", "https://redsiege.com/tools-techniques/2020/04/user-enumeration-part-3-windows/"], "tags": {"name": "Kerberos User Enumeration", "analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Reconnaissance"], "message": "Potential Kerberos based user enumeration attack $Client_Address$", "mitre_attack_id": ["T1589", "T1589.002"], "nist": ["DE.AE"], "observable": [{"name": "Client_Address", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Result_Code", "Account_Name", "Client_Address"], "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1589", "mitre_attack_technique": "Gather Victim Identity Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["APT32", "HEXANE", "LAPSUS$", "Magic Hound"]}, {"mitre_attack_id": "T1589.002", "mitre_attack_technique": "Email Addresses", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["APT32", "EXOTIC LILY", "HAFNIUM", "HEXANE", "Kimsuky", "LAPSUS$", "Lazarus Group", "Magic Hound", "MuddyWater", "Sandworm Team", "Silent Librarian", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1589.002/kerbrute/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kerberos_user_enumeration_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/kerberos_user_enumeration.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Known Services Killed by Ransomware", "id": "3070f8e0-c528-11eb-b2a0-acde48001122", "version": 1, "date": "2021-06-04", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search detects a suspicioous termination of known services killed by ransomware before encrypting files in a compromised machine. This technique is commonly seen in most of ransomware now a days to avoid exception error while accessing the targetted files it wants to encrypts because of the open handle of those services to the targetted file.", "data_source": ["Sysmon Event ID 7"], "search": "`wineventlog_system` EventCode=7036 Message IN (\"*Volume Shadow Copy*\",\"*VSS*\", \"*backup*\", \"*sophos*\", \"*sql*\", \"*memtas*\", \"*mepocs*\", \"*veeam*\", \"*svc$*\", \"DefWatch\", \"ccEvtMgr\", \"ccSetMgr\", \"SavRoam\", \"RTVscan\", \"QBFCService\", \"QBIDPService\", \"Intuit.QuickBooks.FCS\", \"QBCFMonitorService\" \"YooBackup\", \"YooIT\", \"*Veeam*\", \"PDVFSService\", \"BackupExecVSSProvider\", \"BackupExecAgentAccelerator\", \"BackupExec*\", \"WdBoot\", \"WdFilter\", \"WdNisDrv\", \"WdNisSvc\", \"WinDefend\", \"wscsvc\", \"Sense\", \"sppsvc\", \"SecurityHealthService\") Message=\"*service entered the stopped state*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message dest Type | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `known_services_killed_by_ransomware_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the 7036 EventCode ScManager in System audit Logs from your endpoints.", "known_false_positives": "Admin activities or installing related updates may do a sudden stop to list of services we monitor.", "references": ["https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/", "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/", "https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html"], "tags": {"name": "Known Services Killed by Ransomware", "analytic_story": ["Ransomware", "BlackMatter Ransomware", "LockBit Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "message": "Known services $Message$ terminated by a potential ransomware on $dest$", "mitre_attack_id": ["T1490"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "Message", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Message", "dest", "Type"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/revil/inf3/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "known_services_killed_by_ransomware_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/known_services_killed_by_ransomware.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Linux Account Manipulation Of SSH Config and Keys", "id": "73a56508-1cf5-4df7-b8d9-5737fbdc27d2", "version": 2, "date": "2023-04-27", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to detect a deletion of ssh key in a linux machine. attacker may delete or modify ssh key to impair some security features or act as defense evasion in compromised linux machine. This Anomaly can be also a good indicator of a malware trying to wipe or delete several files in a compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted AND Filesystem.file_path IN (\"/etc/ssh/*\", \"~/.ssh/*\") by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_account_manipulation_of_ssh_config_and_keys_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"], "tags": {"name": "Linux Account Manipulation Of SSH Config and Keys", "analytic_story": ["Acidrain"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "message": "a $process_name$ deleting a SSH key in $dest$", "mitre_attack_id": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.dest", "Filesystem.file_create_time", "Filesystem.file_name", "Filesystem.process_guid", "Filesystem.file_path", "Filesystem.action"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_account_manipulation_of_ssh_config_and_keys_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Add Files In Known Crontab Directories", "id": "023f3452-5f27-11ec-bf00-acde48001122", "version": 1, "date": "2021-12-17", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic aims to detect unauthorized activities through suspicious file creation in recognized cron table directories, prevalent Unix-based locations for scheduling tasks. This behavior is often exploited by nefarious entities like malware or threat actors, including red teamers, to establish persistence on a targeted or compromised host. The analogy to Windows-based scheduled tasks helps explain the utility of a crontab or cron job. To enhance clarity and actionable intelligence, the anomaly query flags the anomaly, urging further investigation into the added file's details. A cybersecurity analyst should consider additional data points such as the user identity involved, the file's nature and purpose, file origin, timestamp, and any changes in system behavior post file execution. This comprehensive understanding aids in accurately determining the file's legitimacy, facilitating prompt and effective response actions.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*/etc/cron*\", \"*/var/spool/cron/*\") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_add_files_in_known_crontab_directories_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can create file in crontab folders for automation purposes. Please update the filter macros to remove false positives.", "references": ["https://www.sandflysecurity.com/blog/detecting-cronrat-malware-on-linux-instantly/", "https://www.cyberciti.biz/faq/how-do-i-add-jobs-to-cron-under-linux-or-unix-oses/"], "tags": {"name": "Linux Add Files In Known Crontab Directories", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "message": "a file $file_name$ is created in $file_path$ on $dest$", "mitre_attack_id": ["T1053.003", "T1053"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.dest", "Filesystem.file_create_time", "Filesystem.file_name", "Filesystem.process_guid", "Filesystem.file_path"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "Rocke"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/cronjobs_entry/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_add_files_in_known_crontab_directories_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_add_files_in_known_crontab_directories.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Add User Account", "id": "51fbcaf2-6259-11ec-b0f3-acde48001122", "version": 1, "date": "2021-12-21", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for commands to create user accounts on the linux platform. This technique is commonly abuse by adversaries, malware author and red teamers to persist on the targeted or compromised host by creating new user with an elevated privilege. This Hunting query may catch normal creation of user by administrator so filter is needed.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process_name IN (\"useradd\", \"adduser\") OR Processes.process IN (\"*useradd *\", \"*adduser *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_add_user_account_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://linuxize.com/post/how-to-create-users-in-linux-using-the-useradd-command/"], "tags": {"name": "Linux Add User Account", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "A commandline $process$ that may create user account on $dest$", "mitre_attack_id": ["T1136.001", "T1136"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "Dragonfly", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_adduser/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_add_user_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_add_user_account.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Adding Crontab Using List Parameter", "id": "52f6d751-1fd4-4c74-a4c9-777ecfeb5c58", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies suspicious modifications to cron jobs on Linux systems using the crontab command with list parameters. This command line parameter can be abused by malware like Industroyer2, as well as adversaries and red teamers, to add a crontab entry for executing their malicious code on a schedule of their choice. However, it's important to note that administrators or normal users may also use this command for legitimate automation purposes, so filtering is required to minimize false positives. Identifying the modification of cron jobs using list parameters is valuable for a SOC as it indicates potential malicious activity or an attempt to establish persistence on the system. If a true positive is detected, further investigation should be conducted to analyze the added cron job, its associated command, and the impact it may have on the system. This includes examining the purpose of the job, reviewing any on-disk artifacts, and identifying any related processes or activities occurring concurrently. The impact of a true positive can range from unauthorized execution of malicious code to data destruction or other damaging outcomes.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"crontab\" Processes.process= \"* -l*\" by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_adding_crontab_using_list_parameter_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://cert.gov.ua/article/39518"], "tags": {"name": "Linux Adding Crontab Using List Parameter", "analytic_story": ["Industroyer2", "Linux Privilege Escalation", "Linux Living Off The Land", "Data Destruction", "Linux Persistence Techniques", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A possible crontab list command $process$ executed on $dest$", "mitre_attack_id": ["T1053.003", "T1053"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "Rocke"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/crontab_list_parameter/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_adding_crontab_using_list_parameter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_adding_crontab_using_list_parameter.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux apt-get Privilege Escalation", "id": "d870ce3b-e796-402f-b2af-cab4da1223f2", "version": 1, "date": "2022-08-11", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "The apt-get is a command line tool for interacting with the Advanced Package Tool (APT) library (a package management system for Linux distributions). It allows you to search for, install, manage, update, and remove software. The tool does not build software from the source code. If sudo right is given to the tool for user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*apt-get*\" AND Processes.process=\"*APT::Update::Pre-Invoke::*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_apt_get_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/apt-get/", "https://phoenixnap.com/kb/how-to-use-apt-get-commands"], "tags": {"name": "Linux apt-get Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/apt_get/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_apt_get_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_apt_get_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux APT Privilege Escalation", "id": "4d5a05fa-77d9-4fd0-af9c-05704f9f9a88", "version": 1, "date": "2022-08-11", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "Advanced Package Tool, more commonly known as APT, is a collection of tools used to install, update, remove, and otherwise manage software packages on Debian and its derivative operating systems, including Ubuntu and Linux Mint. If sudo right is given to the tool for user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*apt*\" AND Processes.process=\"*APT::Update::Pre-Invoke::*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_apt_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/apt/", "https://www.digitalocean.com/community/tutorials/what-is-apt"], "tags": {"name": "Linux APT Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/apt/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_apt_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_apt_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux At Allow Config File Creation", "id": "977b3082-5f3d-11ec-b954-acde48001122", "version": 1, "date": "2021-12-17", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic detects the creation of suspicious configuration files, /etc/at.allow or /etc/at.deny, in Linux. These files are commonly abused by malware, adversaries, or red teamers to establish persistence on compromised hosts. The configuration files determine which users are allowed to execute the \"at\" application, which is used for scheduling tasks in Linux. Attackers can add their user or a compromised username to these files to execute malicious code using \"at.\" It's important to consider potential false positives as administrators or network operators may create these files for legitimate automation purposes. Adjust the filter macros to minimize false positives.\\\nIdentifying the creation of these configuration files is valuable for a SOC as it indicates potential unauthorized activities or an attacker attempting to establish persistence. If a true positive is found, further investigation is necessary to examine the contents of the created configuration file and determine the source of creation. The impact of a true positive can vary but could result in unauthorized execution of malicious code, data theft, or other detrimental consequences. Analysts should review the file path, creation time, and associated processes to assess the extent of the attack and initiate appropriate response actions.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*/etc/at.allow\", \"*/etc/at.deny\") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_at_allow_config_file_creation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can create this file for automation purposes. Please update the filter macros to remove false positives.", "references": ["https://linuxize.com/post/at-command-in-linux/"], "tags": {"name": "Linux At Allow Config File Creation", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A file $file_name$ is created in $file_path$ on $dest$", "mitre_attack_id": ["T1053.003", "T1053"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.dest", "Filesystem.file_create_time", "Filesystem.file_name", "Filesystem.process_guid", "Filesystem.file_path"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "Rocke"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/at_execution/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_at_allow_config_file_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_at_allow_config_file_creation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux At Application Execution", "id": "bf0a378e-5f3c-11ec-a6de-acde48001122", "version": 2, "date": "2022-05-26", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic detects the execution of the \"At\" application in Linux, which can be used by attackers to create persistence entries on a compromised host. The \"At\" application can be used for automation purposes by administrators or network operators, so the filter macros should be updated to remove false positives. If a true positive is found, it suggests an attacker is trying to maintain access to the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, ensure you are ingesting logs with the required fields from your endpoints into the Endpoint datamodel. When a true positive is detected, it suggests that an attacker is attempting to establish persistence or deliver additional malicious payloads by leveraging the \"At\" application. This behavior can lead to data theft, ransomware attacks, or other damaging outcomes.\\\nDuring triage, the SOC analyst should review the context surrounding the execution of the \"At\" application. This includes identifying the user, the parent process responsible for invoking the application, and the specific command-line arguments used. It is important to consider whether the execution is expected behavior by an administrator or network operator for legitimate automation purposes.\\\nThe presence of \"At\" application execution may indicate an attacker's attempt to maintain unauthorized access to the environment. Immediate investigation and response are necessary to mitigate further risks, identify the attacker's intentions, and prevent potential harm to the organization.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process_name IN (\"at\", \"atd\") OR Processes.parent_process_name IN (\"at\", \"atd\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_at_application_execution_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.", "references": ["https://attack.mitre.org/techniques/T1053/001/", "https://www.linkedin.com/pulse/getting-attacker-ip-address-from-malicious-linux-job-craig-rowland/"], "tags": {"name": "Linux At Application Execution", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Installation", "Exploitation"], "message": "At application was executed in $dest$", "mitre_attack_id": ["T1053.002", "T1053"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/at_execution/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_at_application_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_at_application_execution.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux AWK Privilege Escalation", "id": "4510cae0-96a2-4840-9919-91d262db210a", "version": 1, "date": "2022-07-31", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "Awk is mostly used for processing and scanning patterns. It checks one or more files to determine whether any lines fit the specified patterns, and if so, it does the appropriate action. If sudo right is given to AWK binary for the user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*sudo*\" AND Processes.process=\"*awk*\" AND Processes.process=\"*BEGIN*system*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_awk_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "references": ["https://www.hacknos.com/awk-privilege-escalation/"], "tags": {"name": "Linux AWK Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/awk/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_awk_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_awk_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Busybox Privilege Escalation", "id": "387c4e78-f4a4-413d-ad44-e9f7bc4642c9", "version": 1, "date": "2022-08-11", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides minimalist replacements for most of the utilities you usually find in GNU coreutils, util-linux, etc. If sudo right is given to BusyBox application for the user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*busybox*\" AND Processes.process=\"*sh*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_busybox_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/busybox/", "https://man.archlinux.org/man/busybox.1.en"], "tags": {"name": "Linux Busybox Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/busybox/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_busybox_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_busybox_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux c89 Privilege Escalation", "id": "54c95f4d-3e5d-44be-9521-ea19ba62f7a8", "version": 1, "date": "2022-08-11", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "The c89 and cc commands compile, assemble, and link-edit C programs; the cxx or c++ command does the same for C++ programs. The c89 command should be used when compiling C programs that are written according to Standard C. If sudo right is given to c89 application for the user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*c89*\" AND Processes.process=\"*-wrapper*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_c89_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/c89/", "https://www.ibm.com/docs/en/zos/2.1.0?topic=guide-c89-compiler-invocation-using-host-environment-variables"], "tags": {"name": "Linux c89 Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/c89/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_c89_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_c89_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux c99 Privilege Escalation", "id": "e1c6dec5-2249-442d-a1f9-99a4bd228183", "version": 1, "date": "2022-08-11", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "The c99 utility is an interface to the standard C compilation system; it shall accept source code conforming to the ISO C standard. The system conceptually consists of a compiler and link editor. If sudo right is given to ruby application for the user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*c99*\" AND Processes.process=\"*-wrapper*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_c99_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/c99/", "https://pubs.opengroup.org/onlinepubs/009604499/utilities/c99.html"], "tags": {"name": "Linux c99 Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/c99/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_c99_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_c99_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Change File Owner To Root", "id": "c1400ea2-6257-11ec-ad49-acde48001122", "version": 1, "date": "2021-12-21", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic looks for a commandline that change the file owner to root using chown utility tool. This technique is commonly abuse by adversaries, malware author and red teamers to escalate privilege to the targeted or compromised host by changing the owner of their malicious file to root. This event is not so common in corporate network except from the administrator doing normal task that needs high privilege.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = chown OR Processes.process = \"*chown *\") AND Processes.process = \"* root *\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_change_file_owner_to_root_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://unix.stackexchange.com/questions/101073/how-to-change-permissions-from-root-user-to-all-users", "https://askubuntu.com/questions/617850/changing-from-user-to-superuser"], "tags": {"name": "Linux Change File Owner To Root", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "A commandline $process$ that may change ownership to root on $dest$", "mitre_attack_id": ["T1222.002", "T1222"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1222.002", "mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/chmod_uid/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_change_file_owner_to_root_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_change_file_owner_to_root.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Clipboard Data Copy", "id": "7173b2ad-6146-418f-85ae-c3479e4515fc", "version": 1, "date": "2022-07-28", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies the use of Linux Xclip copying data out of the clipboard. Adversaries have utilized this technique to capture passwords, IP addresses, or store payloads.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=xclip Processes.process IN (\"*-o *\", \"*-sel *\", \"*-selection *\", \"*clip *\",\"*clipboard*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_clipboard_data_copy_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present on Linux desktop as it may commonly be used by administrators or end users. Filter as needed.", "references": ["https://attack.mitre.org/techniques/T1115/", "https://linux.die.net/man/1/xclip"], "tags": {"name": "Linux Clipboard Data Copy", "analytic_story": ["Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 40, "impact": 40, "kill_chain_phases": ["Exploitation"], "message": "An instance of $process_name$ was identified on endpoint $dest$ by user $user$ adding or removing content from the clipboard.", "mitre_attack_id": ["T1115"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 16, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1115", "mitre_attack_technique": "Clipboard Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT38", "APT39"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1115/atomic_red_team/linux-sysmon.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_clipboard_data_copy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_clipboard_data_copy.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Common Process For Elevation Control", "id": "66ab15c0-63d0-11ec-9e70-acde48001122", "version": 1, "date": "2021-12-23", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "This analytic is to look for possible elevation control access using a common known process in linux platform to change the attribute and file ownership. This technique is commonly abused by adversaries, malware author and red teamers to gain persistence or privilege escalation on the target or compromised host. This common process is used to modify file attribute, file ownership or SUID. This tools can be used in legitimate purposes so filter is needed.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"chmod\", \"chown\", \"fchmod\", \"fchmodat\", \"fchown\", \"fchownat\", \"fremovexattr\", \"fsetxattr\", \"lchown\", \"lremovexattr\", \"lsetxattr\", \"removexattr\", \"setuid\", \"setgid\", \"setreuid\", \"setregid\", \"chattr\") OR Processes.process IN (\"*chmod *\", \"*chown *\", \"*fchmod *\", \"*fchmodat *\", \"*fchown *\", \"*fchownat *\", \"*fremovexattr *\", \"*fsetxattr *\", \"*lchown *\", \"*lremovexattr *\", \"*lsetxattr *\", \"*removexattr *\", \"*setuid *\", \"*setgid *\", \"*setreuid *\", \"*setregid *\", \"*setcap *\", \"*chattr *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_common_process_for_elevation_control_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://attack.mitre.org/techniques/T1548/001/", "https://github.com/Neo23x0/auditd/blob/master/audit.rules#L285-L297", "https://github.com/bfuzzy1/auditd-attack/blob/master/auditd-attack/auditd-attack.rules#L269-L270", "https://github.com/microsoft/MSTIC-Sysmon/blob/main/linux/configs/attack-based/privilege_escalation/T1548.001_ElevationControl_CommonProcesses.xml"], "tags": {"name": "Linux Common Process For Elevation Control", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "A commandline $process$ with process $process_name$ on $dest$", "mitre_attack_id": ["T1548.001", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.001", "mitre_attack_technique": "Setuid and Setgid", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/chmod_uid/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_common_process_for_elevation_control_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_common_process_for_elevation_control.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Composer Privilege Escalation", "id": "a3bddf71-6ba3-42ab-a6b2-396929b16d92", "version": 1, "date": "2022-08-11", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "Composer is a tool for dependency management in PHP. It allows you to declare the libraries your project depends on and it will manage (install/update) them for you. If sudo right is given to tool for the user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*composer*\" AND Processes.process=\"*run-script*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_composer_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/composer/", "https://getcomposer.org/doc/00-intro.md"], "tags": {"name": "Linux Composer Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/composer/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_composer_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_composer_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Cpulimit Privilege Escalation", "id": "d4e40b7e-aad3-4a7d-aac8-550ea5222be5", "version": 1, "date": "2022-08-11", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "cpulimit is a simple program which attempts to limit the cpu usage of a process (expressed in percentage, not in cpu time). This is useful to control batch jobs, when you don't want them to eat too much cpu. If sudo right is given to the program for the user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*cpulimit*\" AND Processes.process=\"*-l*\" AND Processes.process=\"*-f*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_cpulimit_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/cpulimit/", "http://cpulimit.sourceforge.net/"], "tags": {"name": "Linux Cpulimit Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/cpulimit/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_cpulimit_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_cpulimit_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Csvtool Privilege Escalation", "id": "f8384f9e-1a5c-4c3a-96d6-8a7e5a38a8b8", "version": 1, "date": "2022-08-11", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "csvtool is an easy to use command-line tool to work with .CSV files. If sudo right is given to the tool for the user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*csvtool*\" AND Processes.process=\"*call*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_csvtool_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/csvtool/"], "tags": {"name": "Linux Csvtool Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/csvtool/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_csvtool_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_csvtool_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Curl Upload File", "id": "c1de2d9a-0c02-4bb4-a49a-510c6e9cf2bf", "version": 1, "date": "2022-07-29", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies curl being utilized with the -F or --form, --upload-file, -T, -d, --data, --data-raw, -I and --head switches to upload AWS credentials or config to a remote destination. This enables uploading of binary files and so forth. To force the 'content' part to be a file, prefix the file name with an @ sign. To just get the content part from a file, prefix the file name with the symbol <. The difference between @ and < is then that @ makes a file get attached in the post as a file upload, while the < makes a text field and just get the contents for that text field from a file. This technique was utlized by the TeamTNT group to exfiltrate AWS credentials.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl Processes.process IN (\"*-F *\", \"*--form *\",\"*--upload-file *\",\"*-T *\",\"*-d *\",\"*--data *\",\"*--data-raw *\", \"*-I *\", \"*--head *\") AND Processes.process IN (\"*.aws/credentials*\". \"*.aws/config*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_curl_upload_file_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Filtering may be required. In addition to AWS credentials, add other important files and monitor. The inverse would be to look for _all_ -F behavior and tune from there.", "references": ["https://curl.se/docs/manpage.html", "https://www.cadosecurity.com/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials/", "https://gtfobins.github.io/gtfobins/curl/"], "tags": {"name": "Linux Curl Upload File", "analytic_story": ["Linux Living Off The Land", "Data Exfiltration", "Ingress Tool Transfer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Command And Control"], "message": "An instance of $process_name$ was identified on endpoint $dest$ by user $user$ attempting to upload important files to a remote destination.", "mitre_attack_id": ["T1105"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_curl_upload_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_curl_upload_file.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Data Destruction Command", "id": "b11d3979-b2f7-411b-bb1a-bd00e642173b", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a unix shell command that can wipe root folders of a linux host. This commandline is being abused by Awfulshred malware that wipes or corrupts files in a targeted Linux host. The shell command uses the rm command with force recursive deletion even in the root folder. This TTP can be a good indicator that a user or a process wants to wipe roots directory files in Linux host.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"rm\" AND Processes.process IN (\"* -rf*\", \"* -fr*\") AND Processes.process = \"* --no-preserve-root\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_data_destruction_command_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "unknown", "references": ["https://cert.gov.ua/article/3718487", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/"], "tags": {"name": "Linux Data Destruction Command", "analytic_story": ["AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Actions on Objectives"], "message": "a $process_name$ execute rm command with --no-preserve-root parmeter that can wipe root files in $dest$", "mitre_attack_id": ["T1485"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test1/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_data_destruction_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_data_destruction_command.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux DD File Overwrite", "id": "9b6aae5e-8d85-11ec-b2ae-acde48001122", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to look for dd command to overwrite file. This technique was abused by adversaries or threat actor to destroy files or data on specific system or in a large number of host within network to interrupt host avilability, services and many more. This is also used to destroy data where it make the file irrecoverable by forensic techniques through overwriting files, data or local and remote drives.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"dd\" AND Processes.process = \"*of=*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_dd_file_overwrite_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://gtfobins.github.io/gtfobins/dd/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"], "tags": {"name": "Linux DD File Overwrite", "analytic_story": ["Data Destruction", "Industroyer2"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "message": "A commandline $process$ executed on $dest$", "mitre_attack_id": ["T1485"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/linux_dd_file_overwrite/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_dd_file_overwrite_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_dd_file_overwrite.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Decode Base64 to Shell", "id": "637b603e-1799-40fd-bf87-47ecbd551b66", "version": 1, "date": "2022-07-27", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies base64 being decoded and passed to a Linux shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*base64 -d*\",\"*base64 --decode*\") AND Processes.process=\"*|*\" `linux_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_decode_base64_to_shell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present based on legitimate software being utilized. Filter as needed.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md#atomic-test-1---decode-base64-data-into-script", "https://redcanary.com/blog/lateral-movement-with-secure-shell/", "https://linux.die.net/man/1/base64"], "tags": {"name": "Linux Decode Base64 to Shell", "analytic_story": ["Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ decoding base64 and passing it to a shell.", "mitre_attack_id": ["T1027", "T1059.004"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1059.004", "mitre_attack_technique": "Unix Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT41", "Rocke", "TeamTNT"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/linux-sysmon.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_shells", "definition": "(Processes.process_name IN (\"sh\", \"ksh\", \"zsh\", \"bash\", \"dash\", \"rbash\", \"fish\", \"csh\", \"tcsh\", \"ion\", \"eshell\"))", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "linux_decode_base64_to_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_decode_base64_to_shell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Deleting Critical Directory Using RM Command", "id": "33f89303-cc6f-49ad-921d-2eaea38a6f7a", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a suspicious deletion of a critical folder in Linux machine using rm command. This technique was seen in industroyer2 campaign to wipe or destroy energy facilities of a targeted sector. Deletion in these list of folder is not so common since it need some elevated privileges to access some of it. We recommend to look further events specially in file access or file deletion, process commandline that may related to this technique.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name =rm AND Processes.process= \"* -rf *\" AND Processes.process IN (\"*/boot/*\", \"*/var/log/*\", \"*/etc/*\", \"*/dev/*\") by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_deleting_critical_directory_using_rm_command_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://cert.gov.ua/article/39518"], "tags": {"name": "Linux Deleting Critical Directory Using RM Command", "analytic_story": ["AwfulShred", "Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "message": "A deletion in known critical list of folder using rm command $process$ executed on $dest$", "mitre_attack_id": ["T1485"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/rm_shred_critical_dir/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_deleting_critical_directory_using_rm_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_deleting_critical_directory_using_rm_command.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Deletion Of Cron Jobs", "id": "3b132a71-9335-4f33-9932-00bb4f6ac7e8", "version": 2, "date": "2023-04-27", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to detect a deletion of cron job in a linux machine. This technique can be related to an attacker, threat actor or malware to disable scheduled cron jobs that might be related to security or to evade some detections. We also saw that this technique can be a good indicator for malware that is trying to wipe or delete several files on the compromised host like the acidrain malware. This anomaly detection can be a good pivot detection to look for process and user doing it why they doing. Take note that this event can be done by administrator so filtering on those possible false positive event is needed.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path=\"/etc/cron.*\" by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_deletion_of_cron_jobs_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"], "tags": {"name": "Linux Deletion Of Cron Jobs", "analytic_story": ["AcidRain", "Data Destruction"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "message": "a $process_name$ deleting cron jobs in $dest$", "mitre_attack_id": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.dest", "Filesystem.file_create_time", "Filesystem.file_name", "Filesystem.process_guid", "Filesystem.file_path", "Filesystem.action"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_deletion_of_cron_jobs_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_deletion_of_cron_jobs.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Deletion Of Init Daemon Script", "id": "729aab57-d26f-4156-b97f-ab8dda8f44b1", "version": 2, "date": "2023-04-27", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to detect a deletion of init daemon script in a linux machine. daemon script that place in /etc/init.d/ is a directory that can start and stop some daemon services in linux machines. attacker may delete or modify daemon script to impair some security features or act as defense evasion in a compromised linux machine. This TTP can be also a good indicator of a malware trying to wipe or delete several files in compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path IN ( \"/etc/init.d/*\") by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_deletion_of_init_daemon_script_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"], "tags": {"name": "Linux Deletion Of Init Daemon Script", "analytic_story": ["AcidRain", "Data Destruction"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "message": "a $process_name$ deleting a daemon script in $dest$", "mitre_attack_id": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.dest", "Filesystem.file_create_time", "Filesystem.file_name", "Filesystem.process_guid", "Filesystem.file_path", "Filesystem.action"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_deletion_of_init_daemon_script_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_deletion_of_init_daemon_script.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Deletion Of Services", "id": "b509bbd3-0331-4aaa-8e4a-d2affe100af6", "version": 2, "date": "2023-04-27", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to detect a deletion of services in a linux machine. attacker may delete or modify services to impair some security features or act as defense evasion in a compromised linux machine. This TTP can be also a good indicator of a malware trying to wipe or delete several files in a compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path IN ( \"/etc/systemd/*\", \"*/lib/systemd/*\", \"*/run/systemd/*\") Filesystem.file_path = \"*.service\" by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_deletion_of_services_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/", "https://unix.stackexchange.com/questions/224992/where-do-i-put-my-systemd-unit-file", "https://cert.gov.ua/article/3718487"], "tags": {"name": "Linux Deletion Of Services", "analytic_story": ["AwfulShred", "AcidRain", "Data Destruction"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "message": "a $process_name$ deleting a services in $dest$", "mitre_attack_id": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.dest", "Filesystem.file_create_time", "Filesystem.file_name", "Filesystem.process_guid", "Filesystem.file_path", "Filesystem.action"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_deletion_of_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_deletion_of_services.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Deletion of SSL Certificate", "id": "839ab790-a60a-4f81-bfb3-02567063f615", "version": 2, "date": "2023-04-27", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to detect a deletion of ssl certificate in a linux machine. attacker may delete or modify ssl certificate to impair some security features or act as defense evasion in compromised linux machine. This Anomaly can be also a good indicator of a malware trying to wipe or delete several files in a compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path = \"/etc/ssl/certs/*\" Filesystem.file_path IN (\"*.pem\", \"*.crt\") by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_deletion_of_ssl_certificate_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"], "tags": {"name": "Linux Deletion of SSL Certificate", "analytic_story": ["Acidrain"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "message": "a $process_name$ deleting a SSL certificate in $dest$", "mitre_attack_id": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.dest", "Filesystem.file_create_time", "Filesystem.file_name", "Filesystem.process_guid", "Filesystem.file_path", "Filesystem.action"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_deletion_of_ssl_certificate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_deletion_of_ssl_certificate.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Disable Services", "id": "f2e08a38-6689-4df4-ad8c-b51c16262316", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic is to detect events that attempts to disable a service. This is typically identified in parallel with other instances of service enumeration of attempts to stop a service and then delete it. Adversaries utilize this technique like industroyer2 malware to terminate security services or other related services to continue there objective as a destructive payload.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"systemctl\", \"service\", \"svcadm\") Processes.process = \"* disable*\" by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_disable_services_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://cert.gov.ua/article/39518"], "tags": {"name": "Linux Disable Services", "analytic_story": ["AwfulShred", "Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable services on endpoint $dest$ by $user$.", "mitre_attack_id": ["T1489"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_service_stop_disable/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_disable_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_disable_services.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Doas Conf File Creation", "id": "f6343e86-6e09-11ec-9376-acde48001122", "version": 1, "date": "2022-01-05", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to detect the creation of doas.conf file in linux host platform. This configuration file can be use by doas utility tool to allow or permit standard users to perform tasks as root, the same way sudo does. This tool is developed as a minimalistic alternative to sudo application. This tool can be abused advesaries, attacker or malware to gain elevated privileges to the targeted or compromised host. On the other hand this can also be executed by administrator for a certain task that needs admin rights. In this case filter is needed.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*/etc/doas.conf\") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_doas_conf_file_creation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://wiki.gentoo.org/wiki/Doas", "https://www.makeuseof.com/how-to-install-and-use-doas/"], "tags": {"name": "Linux Doas Conf File Creation", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "A file $file_name$ is created in $file_path$ on $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.dest", "Filesystem.file_create_time", "Filesystem.file_name", "Filesystem.process_guid", "Filesystem.file_path"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/doas/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_doas_conf_file_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_doas_conf_file_creation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Doas Tool Execution", "id": "d5a62490-6e09-11ec-884e-acde48001122", "version": 1, "date": "2022-01-05", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to detect the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does. This tool is developed as a minimalistic alternative to sudo application. This tool can be abused advesaries, attacker or malware to gain elevated privileges to the targeted or compromised host. On the other hand this can also be executed by administrator for a certain task that needs admin rights. In this case filter is needed.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"doas\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_doas_tool_execution_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://wiki.gentoo.org/wiki/Doas", "https://www.makeuseof.com/how-to-install-and-use-doas/"], "tags": {"name": "Linux Doas Tool Execution", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "A doas $process_name$ with commandline $process$ was executed on $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/doas_exec/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_doas_tool_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_doas_tool_execution.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Docker Privilege Escalation", "id": "2e7bfb78-85f6-47b5-bc2f-15813a4ef2b3", "version": 1, "date": "2022-07-31", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "Docker is an open source containerization platform. It helps programmers to bundle applications into containers, which are standardized executable parts that include the application source code along with the OS libraries and dependencies needed to run that code in any setting. The user can add mount the root directory into a container and edit the /etc/password file to add a super user. This requires the user to be privileged enough to run docker, i.e. being in the docker group or being root.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN(\"*docker*-v*/*:*\",\"*docker*--volume*/*:*\") OR Processes.process IN(\"*docker*exec*sh*\",\"*docker*exec*bash*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_docker_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/docker/"], "tags": {"name": "Linux Docker Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/docker/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_docker_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_docker_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Edit Cron Table Parameter", "id": "0d370304-5f26-11ec-a4bb-acde48001122", "version": 1, "date": "2021-12-17", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic detects the suspicious editing of cron jobs in Linux via the crontab command-line parameter. This tactic could be used by adversaries or malware to schedule execution of their malicious code, potentially leading to system compromise or unauthorized persistent access. It pinpoints this activity by monitoring command-line executions involving 'crontab' and the edit parameter (-e).\\\nRecognizing such activity is vital for a SOC as cron job manipulations might signal unauthorized persistence attempts or scheduled malicious actions, potentially resulting in substantial harm. A true positive signifies an active threat, with implications ranging from unauthorized access to broader network compromise.\\\nTo implement this analytic, logs capturing process name, parent process, and command-line executions from your endpoints must be ingested.\\\nKnown false positives could stem from valid administrative tasks or automation processes using crontab. To reduce these, fine-tune the filter macros according to the benign activities within your environment. These adjustments ensure legitimate actions aren't mistaken for threats, allowing analysts to focus on genuine potential risks.\\", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = crontab Processes.process = \"*crontab *\" Processes.process = \"* -e*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_edit_cron_table_parameter_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.", "references": ["https://attack.mitre.org/techniques/T1053/003/"], "tags": {"name": "Linux Edit Cron Table Parameter", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A possible crontab edit command $process$ executed on $dest$", "mitre_attack_id": ["T1053.003", "T1053"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "Rocke"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/crontab_edit_parameter/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_edit_cron_table_parameter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_edit_cron_table_parameter.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Emacs Privilege Escalation", "id": "92033cab-1871-483d-a03b-a7ce98665cfc", "version": 1, "date": "2022-08-09", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "EMACS is a family of text editors that are characterized by their extensibility. The manual for the most widely used variant, GNU Emacs, describes it as \"the extensible, customizable, self-documenting, real-time display editor\". If sudo right is given to EMACS tool for the user, then the user can run special commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*emacs*\" AND Processes.process=\"*--eval*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_emacs_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/emacs/", "https://en.wikipedia.org/wiki/Emacs"], "tags": {"name": "Linux Emacs Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/emacs/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_emacs_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_emacs_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux File Created In Kernel Driver Directory", "id": "b85bbeec-6326-11ec-9311-acde48001122", "version": 1, "date": "2021-12-22", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic looks for suspicious file creation in kernel/driver directory in linux platform. This directory is known folder for all linux kernel module available within the system. so creation of file in this directory is a good indicator that there is a possible rootkit installation in the host machine. This technique was abuse by adversaries, malware author and red teamers to gain high privileges to their malicious code such us in kernel level. Even this event is not so common administrator or legitimate 3rd party tool may install driver or linux kernel module as part of its installation.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*/kernel/drivers/*\") by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_file_created_in_kernel_driver_directory_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can create file in this folders for automation purposes. Please update the filter macros to remove false positives.", "references": ["https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/", "https://security.stackexchange.com/questions/175953/how-to-load-a-malicious-lkm-at-startup", "https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485"], "tags": {"name": "Linux File Created In Kernel Driver Directory", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Rootkit"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A file $file_name$ is created in $file_path$ on $dest$", "mitre_attack_id": ["T1547.006", "T1547"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.dest", "Filesystem.file_create_time", "Filesystem.file_name", "Filesystem.process_guid", "Filesystem.file_path"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/loading_linux_kernel_module/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_file_created_in_kernel_driver_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_file_created_in_kernel_driver_directory.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux File Creation In Init Boot Directory", "id": "97d9cfb2-61ad-11ec-bb2d-acde48001122", "version": 1, "date": "2021-12-20", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic looks for suspicious file creation on init system directories for automatic execution of script or file upon boot up. This technique is commonly abuse by adversaries, malware author and red teamer to persist on the targeted or compromised host. This behavior can be executed or use by an administrator or network operator to add script files or binary files as part of a task or automation. filter is needed.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*/etc/init.d/*\", \"*/etc/rc.d/*\", \"*/sbin/init.d/*\", \"*/etc/rc.local*\") by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_file_creation_in_init_boot_directory_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase", "known_false_positives": "Administrator or network operator can create file in this folders for automation purposes. Please update the filter macros to remove false positives.", "references": ["https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/"], "tags": {"name": "Linux File Creation In Init Boot Directory", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A file $file_name$ is created in $file_path$ on $dest$", "mitre_attack_id": ["T1037.004", "T1037"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.dest", "Filesystem.file_create_time", "Filesystem.file_name", "Filesystem.process_guid", "Filesystem.file_path"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1037.004", "mitre_attack_technique": "RC Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Rocke"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.004/linux_init_profile/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_file_creation_in_init_boot_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_file_creation_in_init_boot_directory.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux File Creation In Profile Directory", "id": "46ba0082-61af-11ec-9826-acde48001122", "version": 1, "date": "2021-12-20", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic looks for suspicious file creation in /etc/profile.d directory to automatically execute scripts by shell upon boot up of a linux machine. This technique is commonly abused by adversaries, malware and red teamers as a persistence mechanism to the targeted or compromised host. This Anomaly detection is a good indicator that someone wants to run a code after boot up which can be done also by the administrator or network operator for automation purposes.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*/etc/profile.d/*\") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_file_creation_in_profile_directory_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can create file in profile.d folders for automation purposes. Please update the filter macros to remove false positives.", "references": ["https://attack.mitre.org/techniques/T1546/004/", "https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/"], "tags": {"name": "Linux File Creation In Profile Directory", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A file $file_name$ is created in $file_path$ on $dest$", "mitre_attack_id": ["T1546.004", "T1546"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.dest", "Filesystem.file_create_time", "Filesystem.file_name", "Filesystem.process_guid", "Filesystem.file_path"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.004", "mitre_attack_technique": "Unix Shell Configuration Modification", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.004/linux_init_profile/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_file_creation_in_profile_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_file_creation_in_profile_directory.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Find Privilege Escalation", "id": "2ff4e0c2-8256-4143-9c07-1e39c7231111", "version": 1, "date": "2022-08-09", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "Find is a command-line utility that locates files based on some user-specified criteria and either prints the pathname of each matched object or, if another action is requested, performs that action on each matched object. If sudo right is given to find utility for the user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*find*\" AND Processes.process=\"*-exec*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_find_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/find/", "https://en.wikipedia.org/wiki/Find_(Unix)"], "tags": {"name": "Linux Find Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/find/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_find_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_find_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux GDB Privilege Escalation", "id": "310b7da2-ab52-437f-b1bf-0bd458674308", "version": 1, "date": "2022-08-09", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "GDB is the acronym for GNU Debugger. This tool helps to debug the programs written in C, C++, Ada, Fortran, etc. The console can be opened using the gdb command on terminal. If sudo right is given to GDB tool for the user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*gdb*\" AND Processes.process=\"*-nx*\" AND Processes.process=\"*-ex*!*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_gdb_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/gdb/"], "tags": {"name": "Linux GDB Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/gdb/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_gdb_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_gdb_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Gem Privilege Escalation", "id": "0115482a-5dcb-4bb0-bcca-5d095d224236", "version": 1, "date": "2022-08-09", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "RubyGems is a package manager for the Ruby programming language that provides a standard format for distributing Ruby programs and libraries (in a self-contained format called a \"gem\"), a tool designed to easily manage the installation of gems, and a server for distributing them. If sudo right is given to GEM utility for the user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*gem*open*-e*\" AND Processes.process=\"*-c*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_gem_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/gem/", "https://en.wikipedia.org/wiki/RubyGems"], "tags": {"name": "Linux Gem Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/gem/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_gem_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_gem_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux GNU Awk Privilege Escalation", "id": "0dcf43b9-50d8-42a6-acd9-d1c9201fe6ae", "version": 1, "date": "2022-08-09", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "gawk command in Linux is used for pattern scanning and processing language. The awk command requires no compiling and allows the user to use variables, numeric functions, string functions, and logical operators. It is a utility that enables programmers to write tiny and effective programs in the form of statements that define text patterns that are to be searched for, in a text document and the action that is to be taken when a match is found within a line. If sudo right is given to gawk tool for the user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*gawk*\" AND Processes.process=\"*BEGIN*{system*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_gnu_awk_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/gawk/", "https://www.geeksforgeeks.org/gawk-command-in-linux-with-examples/"], "tags": {"name": "Linux GNU Awk Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/gawk/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_gnu_awk_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_gnu_awk_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Hardware Addition SwapOff", "id": "c1eea697-99ed-44c2-9b70-d8935464c499", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic looks for process execution to disable the swapping of paging devices. This technique was seen in Awfulshred malware that disables the swapping of the specified devices and files. This anomaly detection can be a good indicator that a process or a user tries to disable this Linux feature in a targeted host.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"swapoff\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_hardware_addition_swapoff_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "administrator may disable swapping of devices in a linux host. Filter is needed.", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/"], "tags": {"name": "Linux Hardware Addition SwapOff", "analytic_story": ["AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Delivery"], "message": "a $process_name$ swap off paging device in $dest$", "mitre_attack_id": ["T1200"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1200", "mitre_attack_technique": "Hardware Additions", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["DarkVishnya"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test1/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_hardware_addition_swapoff_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_hardware_addition_swapoff.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux High Frequency Of File Deletion In Boot Folder", "id": "e27fbc5d-0445-4c4a-bc39-87f060d5c602", "version": 2, "date": "2023-04-27", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to detect a high frequency of file deletion relative to process name and process id /boot/ folder. These events was seen in industroyer2 wiper malware where it tries to delete all files in a critical directory in linux directory. This detection already contains some filter that might cause false positive during our testing.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` values(Filesystem.file_name) as deletedFileNames values(Filesystem.file_path) as deletedFilePath dc(Filesystem.file_path) as numOfDelFilePath count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path = \"/boot/*\" by _time span=1h Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | where numOfDelFilePath >= 200 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_high_frequency_of_file_deletion_in_boot_folder_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "linux package installer/uninstaller may cause this event. Please update you filter macro to remove false positives.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://cert.gov.ua/article/39518"], "tags": {"name": "Linux High Frequency Of File Deletion In Boot Folder", "analytic_story": ["Data Destruction", "Industroyer2"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "message": "a $process_name$ deleting multiple files in /boot/ folder in $dest$", "mitre_attack_id": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.dest", "Filesystem.file_create_time", "Filesystem.file_name", "Filesystem.process_guid", "Filesystem.file_path", "Filesystem.action"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/rm_boot_dir/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_high_frequency_of_file_deletion_in_boot_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_high_frequency_of_file_deletion_in_boot_folder.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux High Frequency Of File Deletion In Etc Folder", "id": "9d867448-2aff-4d07-876c-89409a752ff8", "version": 2, "date": "2023-04-27", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to detect a high frequency of file deletion relative to process name and process id /etc/ folder. These events was seen in acidrain wiper malware where it tries to delete all files in a non-standard directory in linux directory. This detection already contains some filter that might cause false positive during our testing. But we recommend to add more filter if needed.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` values(Filesystem.file_name) as deletedFileNames values(Filesystem.file_path) as deletedFilePath dc(Filesystem.file_path) as numOfDelFilePath count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path = \"/etc/*\" by _time span=1h Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` | where numOfDelFilePath >= 200 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_high_frequency_of_file_deletion_in_etc_folder_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "linux package installer/uninstaller may cause this event. Please update you filter macro to remove false positives.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"], "tags": {"name": "Linux High Frequency Of File Deletion In Etc Folder", "analytic_story": ["AcidRain", "Data Destruction"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "message": "a $process_name$ deleting multiple files in /etc/ folder in $dest$", "mitre_attack_id": ["T1485", "T1070.004", "T1070"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.dest", "Filesystem.file_create_time", "Filesystem.file_name", "Filesystem.process_guid", "Filesystem.file_path", "Filesystem.action"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_high_frequency_of_file_deletion_in_etc_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_high_frequency_of_file_deletion_in_etc_folder.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Impair Defenses Process Kill", "id": "435c6b33-adf9-47fe-be87-8e29fd6654f5", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for PKILL process execution for possible termination of process. This technique is being used by several Threat actors, adversaries and red teamers to terminate processes in a targeted linux machine. This Hunting detection can be a good pivot to check a possible defense evasion technique or termination of security application in a linux host or wiper like Awfulshred that corrupt all files.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ( \"pgrep\", \"pkill\") Processes.process = \"*pkill *\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_impair_defenses_process_kill_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "network admin can terminate a process using this linux command. Filter is needed.", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", "https://cert.gov.ua/article/3718487"], "tags": {"name": "Linux Impair Defenses Process Kill", "analytic_story": ["AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "a $process_name$ tries to execute pkill commandline to terminate process in $dest$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test1/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_impair_defenses_process_kill_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_impair_defenses_process_kill.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Indicator Removal Clear Cache", "id": "e0940505-0b73-4719-84e6-cb94c44a5245", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for processes that clear or free page cache in Linux system host. This technique was seen in Awfulshred malware wiper that tries to clear the cache using kernel system request drop_caches while wiping all files in the targeted host. This TTP detection can be a good indicator of user or process tries to clear page cache to delete tracks or might be a wiper like Awfulshred.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"dash\", \"sudo\", \"bash\") AND Processes.process IN(\"* echo 3 > *\", \"* echo 2 > *\",\"* echo 1 > *\") AND Processes.process = \"*/proc/sys/vm/drop_caches\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_indicator_removal_clear_cache_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "unknown", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", "https://cert.gov.ua/article/3718487"], "tags": {"name": "Linux Indicator Removal Clear Cache", "analytic_story": ["AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "a $process_name$ clear cache using kernel drop cache system request in $dest$", "mitre_attack_id": ["T1070"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test3/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_indicator_removal_clear_cache_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_indicator_removal_clear_cache.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Indicator Removal Service File Deletion", "id": "6c077f81-2a83-4537-afbc-0e62e3215d55", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic looks for suspicious linux processes that delete service unit configuration files. This technique was seen in several malware to delete service configuration files to corrupt a services or security product as part of its defense evasion. This TTP detection can be a good indicator of possible malware try to kill several services or a wiper like AwfulShred shell script that wipes the targeted linux host", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"rm\" AND Processes.process = \"*rm *\" AND Processes.process = \"*.service\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_indicator_removal_service_file_deletion_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "network admin can delete services unit configuration file as part of normal software installation. Filter is needed.", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", "https://cert.gov.ua/article/3718487"], "tags": {"name": "Linux Indicator Removal Service File Deletion", "analytic_story": ["AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "a $process_name$ has a commandline $process$ to delete service configuration file in $dest$", "mitre_attack_id": ["T1070.004", "T1070"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test1/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_indicator_removal_service_file_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_indicator_removal_service_file_deletion.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Ingress Tool Transfer Hunting", "id": "52fd468b-cb6d-48f5-b16a-92f1c9bb10cf", "version": 1, "date": "2022-07-29", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic hunts for curl and wget being utilized in the environment. This is meant to help with identifying normal usage and potentially malicious. Utilize this query to tune other curl and wget analytics.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=curl OR Processes.process_name=wget) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ingress_tool_transfer_hunting_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives will be present. This query is meant to help tune other curl and wget analytics.", "references": ["https://gtfobins.github.io/gtfobins/curl/", "https://curl.se/docs/manpage.html#-I", "https://gtfobins.github.io/gtfobins/curl/", "https://github.com/rapid7/metasploit-framework/search?q=curl"], "tags": {"name": "Linux Ingress Tool Transfer Hunting", "analytic_story": ["Linux Living Off The Land", "Ingress Tool Transfer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 10, "impact": 10, "kill_chain_phases": ["Command And Control"], "message": "An instance of $process_name$ was identified on endpoint $dest$ by user $user$ utilizing curl or wget.", "mitre_attack_id": ["T1105"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 1, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_ingress_tool_transfer_hunting_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_ingress_tool_transfer_hunting.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Ingress Tool Transfer with Curl", "id": "8c1de57d-abc1-4b41-a727-a7a8fc5e0857", "version": 1, "date": "2022-07-29", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies curl with the command-line switches that are commonly used to download, output, a remote script or binary. MetaSploit Framework will combine the -sO switch with | chmod +x to enable a simple one liner to download and set the execute bit to run the file immediately. During triage, review the remote domain and file being downloaded for legitimacy.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process, \"(?i)(-O|-sO|-ksO|--output)\") | `linux_ingress_tool_transfer_with_curl_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives will be present. Tune and then change type to TTP.", "references": ["https://gtfobins.github.io/gtfobins/curl/", "https://curl.se/docs/manpage.html#-I", "https://gtfobins.github.io/gtfobins/curl/", "https://github.com/rapid7/metasploit-framework/search?q=curl"], "tags": {"name": "Linux Ingress Tool Transfer with Curl", "analytic_story": ["Linux Living Off The Land", "Ingress Tool Transfer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 40, "kill_chain_phases": ["Command And Control"], "message": "An instance of $process_name$ was identified on endpoint $dest$ by user $user$ to download a remote file. Review activity for further details.", "mitre_attack_id": ["T1105"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_ingress_tool_transfer_with_curl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_ingress_tool_transfer_with_curl.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Insert Kernel Module Using Insmod Utility", "id": "18b5a1a0-6326-11ec-943a-acde48001122", "version": 1, "date": "2021-12-22", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic looks for inserting of linux kernel module using insmod utility function. This event can detect a installation of rootkit or malicious kernel module to gain elevated privileges to their malicious code and bypassed detections. This Anomaly detection is a good indicator that someone installing kernel module in a linux host either admin or adversaries. filter is needed in this scenario", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN(\"kmod\", \"sudo\") AND Processes.process = *insmod* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_insert_kernel_module_using_insmod_utility_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/", "https://security.stackexchange.com/questions/175953/how-to-load-a-malicious-lkm-at-startup", "https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485"], "tags": {"name": "Linux Insert Kernel Module Using Insmod Utility", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Rootkit"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A commandline $process$ that may install kernel module on $dest$", "mitre_attack_id": ["T1547.006", "T1547"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/loading_linux_kernel_module/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_insert_kernel_module_using_insmod_utility_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_insert_kernel_module_using_insmod_utility.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Install Kernel Module Using Modprobe Utility", "id": "387b278a-6326-11ec-aa2c-acde48001122", "version": 1, "date": "2021-12-22", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic looks for possible installing a linux kernel module using modprobe utility function. This event can detect a installation of rootkit or malicious kernel module to gain elevated privileges to their malicious code and bypassed detections. This Anomaly detection is a good indicator that someone installing kernel module in a linux host either admin or adversaries. filter is needed in this scenario", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN(\"kmod\", \"sudo\") AND Processes.process = *modprobe* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_install_kernel_module_using_modprobe_utility_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/", "https://security.stackexchange.com/questions/175953/how-to-load-a-malicious-lkm-at-startup", "https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485"], "tags": {"name": "Linux Install Kernel Module Using Modprobe Utility", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Rootkit"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A commandline $process$ that may install kernel module on $dest$", "mitre_attack_id": ["T1547.006", "T1547"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/loading_linux_kernel_module/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_install_kernel_module_using_modprobe_utility_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_install_kernel_module_using_modprobe_utility.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Iptables Firewall Modification", "id": "309d59dc-1e1b-49b2-9800-7cf18d12f7b7", "version": 3, "date": "2023-04-12", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic looks for suspicious commandline that modify the iptables firewall setting of a linux machine. This technique was seen in cyclopsblink malware where it modifies the firewall setting of the compromised machine to allow traffic to its tcp port that will be used to communicate with its C2 server.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*iptables *\" AND Processes.process = \"* --dport *\" AND Processes.process = \"* ACCEPT*\" AND Processes.process = \"*&>/dev/null*\" AND Processes.process = \"* tcp *\" AND NOT(Processes.parent_process_path IN(\"/bin/*\", \"/lib/*\", \"/usr/bin/*\", \"/sbin/*\")) by Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest _time span=10s Processes.user Processes.parent_process_name Processes.parent_process_path Processes.process_path | rex field=Processes.process \"--dport (?3269|636|989|994|995|8443)\" | stats values(Processes.process) as processes_exec values(port) as ports values(Processes.process_guid) as guids values(Processes.process_id) as pids dc(port) as port_count count by Processes.process_name Processes.parent_process_name Processes.parent_process_id Processes.dest Processes.user Processes.parent_process_path Processes.process_path | where port_count >=3 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_iptables_firewall_modification_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "administrator may do this commandline for auditing and testing purposes. In this scenario filter is needed.", "references": ["https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html"], "tags": {"name": "Linux Iptables Firewall Modification", "analytic_story": ["Sandworm Tools", "CyclopsBLink"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "A commandline $process$ that may modify iptables firewall on $dest$", "mitre_attack_id": ["T1562.004", "T1562"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/cyclopsblink/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_iptables_firewall_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_iptables_firewall_modification.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Java Spawning Shell", "id": "7b09db8a-5c20-11ec-9945-acde48001122", "version": 1, "date": "2023-04-14", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the process name of Java, Apache, or Tomcat spawning a Linux shell. This is potentially indicative of exploitation of the Java application and may be related to current event CVE-2021-44228 (Log4Shell). The shells included in the macro are \"sh\", \"ksh\", \"zsh\", \"bash\", \"dash\", \"rbash\", \"fish\", \"csh', \"tcsh', \"ion\", \"eshell\". Upon triage, review parallel processes and command-line arguments to determine legitimacy.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=java OR Processes.parent_process_name=apache OR Processes.parent_process_name=tomcat `linux_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_java_spawning_shell_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon for Linux, you will need to ensure mapping is occurring correctly. Ensure EDR product is mapping OS Linux to the datamodel properly. Add any additional java process names for your environment to the analytic as needed.", "known_false_positives": "Filtering may be required on internal developer build systems or classify assets as web facing and restrict the analytic based on asset type.", "references": ["https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading-using-the-log4j2-vulnerability-now/", "https://gist.github.com/olafhartong/916ebc673ba066537740164f7e7e1d72"], "tags": {"name": "Linux Java Spawning Shell", "analytic_story": ["Data Destruction", "Spring4Shell CVE-2022-22965", "Hermetic Wiper", "Log4Shell CVE-2021-44228"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Delivery", "Installation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ spawning a Linux shell, potentially indicative of exploitation.", "mitre_attack_id": ["T1190", "T1133"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2021-44228"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/java/java_spawn_shell_nix.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_shells", "definition": "(Processes.process_name IN (\"sh\", \"ksh\", \"zsh\", \"bash\", \"dash\", \"rbash\", \"fish\", \"csh\", \"tcsh\", \"ion\", \"eshell\"))", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "linux_java_spawning_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-44228", "cvss": 9.3, "summary": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_java_spawning_shell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Kernel Module Enumeration", "id": "6df99886-0e04-4c11-8b88-325747419278", "version": 1, "date": "2022-07-27", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies the process kmod being utilized to list kernel modules in use. Typically, this is not seen as malicious, however it may be a precurser to the use of insmod to install a module.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=kmod Processes.process IN (\"*lsmod*\", \"*list*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_kernel_module_enumeration_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "references": ["https://man7.org/linux/man-pages/man8/kmod.8.html"], "tags": {"name": "Linux Kernel Module Enumeration", "analytic_story": ["Linux Rootkit"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ enumeration kernel modules.", "mitre_attack_id": ["T1082", "T1014"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TeamTNT", "Tropic Trooper", "Turla", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}, {"mitre_attack_id": "T1014", "mitre_attack_technique": "Rootkit", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT41", "Rocke", "TeamTNT", "Winnti Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/atomic_red_team/linux-sysmon.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_kernel_module_enumeration_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_kernel_module_enumeration.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Kworker Process In Writable Process Path", "id": "1cefb270-74a5-4e27-aa0c-2b6fa7c5b4ed", "version": 2, "date": "2023-04-12", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for suspicious process kworker commandline in a linux machine. kworker process name or thread are common names of kernel threads in linux process. This hunting detections can lead to investigate process contains process path in writable directory in linux like /home/, /var/log and /tmp/. This technique was seen in cyclopsblink malware to blend its core and other of its child process as normal kworker on the compromised machine. This detection might be a good pivot to look for other IOC related to cyclopsblink malware or attacks.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process = \"*[kworker/*\" Processes.parent_process_path IN (\"/home/*\", \"/tmp/*\", \"/var/log/*\") Processes.process=\"*iptables*\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_path Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_kworker_process_in_writable_process_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "unknown", "references": ["https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html"], "tags": {"name": "Linux Kworker Process In Writable Process Path", "analytic_story": ["Sandworm Tools", "CyclopsBLink"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "a $process_name$ with kworker commandline in $dest$", "mitre_attack_id": ["T1036.004", "T1036"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id", "Processes.parent_process_path", "Processes.process_path"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036.004", "mitre_attack_technique": "Masquerade Task or Service", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT41", "BITTER", "BackdoorDiplomacy", "Carbanak", "FIN6", "FIN7", "Fox Kitten", "Higaisa", "Kimsuky", "Lazarus Group", "Magic Hound", "Naikon", "PROMETHIUM", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/cyclopsblink/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_kworker_process_in_writable_process_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_kworker_process_in_writable_process_path.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Make Privilege Escalation", "id": "80b22836-5091-4944-80ee-f733ac443f4f", "version": 1, "date": "2022-08-09", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "The Linux make command is used to build and maintain groups of programs and files from the source code. In Linux, it is one of the most frequently used commands by the developers. It assists developers to install and compile many utilities from the terminal. If sudo right is given to make utility for the user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*make*-s*\" AND Processes.process=\"*--eval*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_make_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/make/", "https://www.javatpoint.com/linux-make-command"], "tags": {"name": "Linux Make Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/make/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_make_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_make_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux MySQL Privilege Escalation", "id": "c0d810f4-230c-44ea-b703-989da02ff145", "version": 1, "date": "2022-08-09", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "MySQL is an open-source relational database management system. Its name is a combination of \"My\", the name of co-founder Michael Widenius's daughter My, and \"SQL\", the abbreviation for Structured Query Language. If sudo right is given to mysql utility for the user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*mysql*-e*\" AND Processes.process=\"*\\!**\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_mysql_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/mysql/"], "tags": {"name": "Linux MySQL Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/mysql/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_mysql_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_mysql_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Ngrok Reverse Proxy Usage", "id": "bc84d574-708c-467d-b78a-4c1e20171f97", "version": 1, "date": "2023-01-12", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies the use of Ngrok being utilized on the Linux operating system. Unfortunately, there is no original file name for Ngrok, so it may be worth an additional hunt to identify any command-line arguments. The sign of someone using Ngrok is not malicious, however, more recently it has become an adversary tool.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ngrok Processes.process IN (\"*start*\", \"*--config*\",\"*http*\",\"*authtoken*\", \"*http*\", \"*tcp*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ngrok_reverse_proxy_usage_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may be present if Ngrok is an authorized utility. Filter as needed.", "references": ["https://ngrok.com", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf"], "tags": {"name": "Linux Ngrok Reverse Proxy Usage", "analytic_story": ["Reverse Network Proxy"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 50, "kill_chain_phases": ["Command And Control"], "message": "A reverse proxy was identified spawning from $parent_process_name$ - $process_name$ on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1572", "T1090", "T1102"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1572", "mitre_attack_technique": "Protocol Tunneling", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Chimera", "Cobalt Group", "FIN6", "Fox Kitten", "Leviathan", "Magic Hound", "OilRig"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "POLONIUM", "Sandworm Team", "Turla", "Windigo"]}, {"mitre_attack_id": "T1102", "mitre_attack_technique": "Web Service", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT32", "EXOTIC LILY", "Ember Bear", "FIN6", "FIN8", "Fox Kitten", "Gamaredon Group", "Inception", "LazyScripter", "Mustang Panda", "Rocke", "TeamTNT", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/ngrok/ngrok_linux-sysmon.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_ngrok_reverse_proxy_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_ngrok_reverse_proxy_usage.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Node Privilege Escalation", "id": "2e58a4ff-398f-42f4-8fd0-e01ebfe2a8ce", "version": 1, "date": "2022-07-31", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "Node.js is a back-end JavaScript runtime environment that is open-source, cross-platform, runs on the V8 engine, and executes JavaScript code outside of a web browser. It was created to help create scalable network applications. If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*sudo*node*\" AND Processes.process=\"*-e*\" AND Processes.process=\"*child_process.spawn*\" AND Processes.process=\"*stdio*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_node_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/docker/", "https://en.wikipedia.org/wiki/Node.js"], "tags": {"name": "Linux Node Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/node/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_node_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_node_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux NOPASSWD Entry In Sudoers File", "id": "ab1e0d52-624a-11ec-8e0b-acde48001122", "version": 1, "date": "2021-12-21", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to look for suspicious command lines that may add entry to /etc/sudoers with NOPASSWD attribute in linux platform. This technique is commonly abuse by adversaries, malware author and red teamers to gain elevated privilege to the targeted or compromised host. /etc/sudoers file controls who can run what commands users can execute on the machines and can also control whether user need a password to execute particular commands. This file is composed of aliases (basically variables) and user specifications.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*NOPASSWD:*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_nopasswd_entry_in_sudoers_file_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://askubuntu.com/questions/334318/sudoers-file-enable-nopasswd-for-user-all-commands", "https://help.ubuntu.com/community/Sudoers"], "tags": {"name": "Linux NOPASSWD Entry In Sudoers File", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "a commandline $process$ executed on $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/nopasswd_sudoers/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_nopasswd_entry_in_sudoers_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Obfuscated Files or Information Base64 Decode", "id": "303b38b2-c03f-44e2-8f41-4594606fcfc7", "version": 1, "date": "2022-07-27", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies the use of base64 decode on Linux being utilized to deobfuscate a file. Identify the source of the file and determine if legitimate. Review parallel processes for further behavior before and after.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*base64 -d*\",\"*base64 --decode*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_obfuscated_files_or_information_base64_decode_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present and will require some tuning based on processes. Filter as needed.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md#atomic-test-1---decode-base64-data-into-script", "https://redcanary.com/blog/lateral-movement-with-secure-shell/", "https://linux.die.net/man/1/base64"], "tags": {"name": "Linux Obfuscated Files or Information Base64 Decode", "analytic_story": ["Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ decoding base64.", "mitre_attack_id": ["T1027"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/linux-sysmon.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_obfuscated_files_or_information_base64_decode_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Octave Privilege Escalation", "id": "78f7487d-42ce-4f7f-8685-2159b25fb477", "version": 1, "date": "2022-08-11", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "GNU Octave is a high-level programming language primarily intended for scientific computing and numerical computation. Octave helps in solving linear and nonlinear problems numerically, and for performing other numerical experiments using a language that is mostly compatible with MATLAB. If sudo right is given to the application for the user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*octave-cli*\" AND Processes.process=\"*--eval*\" AND Processes.process=\"*system*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_octave_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/octave/", "https://en.wikipedia.org/wiki/GNU_Octave"], "tags": {"name": "Linux Octave Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/octave/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_octave_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_octave_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux OpenVPN Privilege Escalation", "id": "d25feebe-fa1c-4754-8a1e-afb03bedc0f2", "version": 1, "date": "2022-08-11", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "OpenVPN is a virtual private network system that implements techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It implements both client and server applications. If sudo right is given to the OpenVPN application for the user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*openvpn*\" AND Processes.process=\"*--dev*\" AND Processes.process=\"*--script-security*\" AND Processes.process=\"*--up*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_openvpn_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/openvpn/", "https://en.wikipedia.org/wiki/OpenVPN"], "tags": {"name": "Linux OpenVPN Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/openvpn/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_openvpn_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_openvpn_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Persistence and Privilege Escalation Risk Behavior", "id": "ad5ac21b-3b1e-492c-8e19-ea5d5e8e5cf1", "version": 3, "date": "2022-08-30", "author": "Michael Haag, Splunk", "type": "Correlation", "status": "production", "description": "The following correlation is specific to Linux persistence and privilege escalation tactics and is tied to two analytic stories and any Linux analytic tied to persistence and privilege escalation. These techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context.", "data_source": [], "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where (All_Risk.analyticstories IN (\"Linux Privilege Escalation\", \"Linux Persistence Techniques\") OR source = \"*Linux*\") All_Risk.annotations.mitre_attack.mitre_tactic IN (\"persistence\", \"privilege-escalation\") All_Risk.risk_object_type=\"system\" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `linux_persistence_and_privilege_escalation_risk_behavior_filter`", "how_to_implement": "Ensure Linux anomaly and TTP analytics are enabled. TTP may be set to Notables for point detections, anomaly should not be notables but risk generators. The correlation relies on more than x amount of distict detection names generated before generating a notable. Modify the value as needed. Default value is set to 4. This value may need to be increased based on activity in your environment.", "known_false_positives": "False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers.", "references": ["https://attack.mitre.org/tactics/TA0004/"], "tags": {"name": "Linux Persistence and Privilege Escalation Risk Behavior", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Privilege escalation and persistence behaviors have been identified on $risk_object$.", "mitre_attack_id": ["T1548"], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Risk.analyticstories", "All_Risk.risk_object_type", "All_Risk.risk_object", "All_Risk.annotations.mitre_attack.mitre_tactic", "source"], "risk_score": 56, "security_domain": "audit", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/linux_risk/linuxrisk.log", "source": "linuxrisk", "sourcetype": "stash", "update_timestamp": true}]}], "datamodel": ["Risk"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_persistence_and_privilege_escalation_risk_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Linux PHP Privilege Escalation", "id": "4fc4c031-e5be-4cc0-8cf9-49f9f507bcb5", "version": 1, "date": "2022-08-09", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "PHP is a general-purpose scripting language geared toward web development. It was originally created by Danish-Canadian programmer Rasmus Lerdorf in 1994. The PHP reference implementation is now produced by The PHP Group. If sudo right is given to php application for the user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*php*-r*\" AND Processes.process=\"*system*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_php_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/php/", "https://en.wikipedia.org/wiki/PHP"], "tags": {"name": "Linux PHP Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/php/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_php_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_php_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux pkexec Privilege Escalation", "id": "03e22c1c-8086-11ec-ac2e-acde48001122", "version": 1, "date": "2022-01-28", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies `pkexec` spawning with no command-line arguments. A vulnerability in Polkit's pkexec component identified as CVE-2021-4034 (PwnKit) which is present in the default configuration of all major Linux distributions and can be exploited to gain full root privileges on the system.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=pkexec by _time Processes.dest Processes.process_id Processes.parent_process_name Processes.process_name Processes.process Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(^.{1}$)\" | `linux_pkexec_privilege_escalation_filter`", "how_to_implement": "Depending on the EDR product in use, there are multiple ways to \"null\" the command-line field, Processes.process. Two that may be useful `process=\"(^.{0}$)\"` or `| where isnull(process)`. To generate data for this behavior, Sysmon for Linux was utilized. To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://www.reddit.com/r/crowdstrike/comments/sdfeig/20220126_cool_query_friday_hunting_pwnkit_local/", "https://linux.die.net/man/1/pkexec", "https://www.bleepingcomputer.com/news/security/linux-system-service-bug-gives-root-on-all-major-distros-exploit-released/", "https://access.redhat.com/security/security-updates/#/?q=polkit&p=1&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=PortalProduct"], "tags": {"name": "Linux pkexec Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ related to a local privilege escalation in polkit pkexec.", "mitre_attack_id": ["T1068"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "cve": ["CVE-2021-4034"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/pkexec/linux-sysmon.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_pkexec_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-4034", "cvss": 7.2, "summary": "A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_pkexec_privilege_escalation.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Possible Access Or Modification Of sshd Config File", "id": "7a85eb24-72da-11ec-ac76-acde48001122", "version": 1, "date": "2022-01-11", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to look for suspicious process command-line that might be accessing or modifying sshd_config. This file is the ssh configuration file that might be modify by threat actors or adversaries to redirect port connection, allow user using authorized key generated during attack. This anomaly detection might catch noise from administrator auditing or modifying ssh configuration file. In this scenario filter is needed", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN(\"cat\", \"nano*\",\"vim*\", \"vi*\") AND Processes.process IN(\"*/etc/ssh/sshd_config\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_access_or_modification_of_sshd_config_file_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives.", "references": ["https://www.hackingarticles.in/ssh-penetration-testing-port-22/", "https://attack.mitre.org/techniques/T1098/004/"], "tags": {"name": "Linux Possible Access Or Modification Of sshd Config File", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "a commandline $process$ executed on $dest$", "mitre_attack_id": ["T1098.004", "T1098"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098.004", "mitre_attack_technique": "SSH Authorized Keys", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Earth Lusca", "TeamTNT"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/ssh_authorized_keys/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_possible_access_or_modification_of_sshd_config_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Possible Access To Credential Files", "id": "16107e0e-71fc-11ec-b862-acde48001122", "version": 1, "date": "2022-01-10", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to detect a possible attempt to dump or access the content of /etc/passwd and /etc/shadow to enable offline credential cracking. \"etc/passwd\" store user information within linux OS while \"etc/shadow\" contain the user passwords hash. Adversaries and threat actors may attempt to access this to gain persistence and/or privilege escalation. This anomaly detection can be a good indicator of possible credential dumping technique but it might catch some normal administrator automation scripts or during credential auditing. In this scenario filter is needed.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN(\"cat\", \"nano*\",\"vim*\", \"vi*\") AND Processes.process IN(\"*/etc/shadow*\", \"*/etc/passwd*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_access_to_credential_files_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://askubuntu.com/questions/445361/what-is-difference-between-etc-shadow-and-etc-passwd", "https://attack.mitre.org/techniques/T1003/008/"], "tags": {"name": "Linux Possible Access To Credential Files", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "A commandline $process$ executed on $dest$", "mitre_attack_id": ["T1003.008", "T1003"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.008", "mitre_attack_technique": "/etc/passwd and /etc/shadow", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.008/copy_file_stdoutpipe/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_possible_access_to_credential_files_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_possible_access_to_credential_files.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Possible Access To Sudoers File", "id": "4479539c-71fc-11ec-b2e2-acde48001122", "version": 1, "date": "2022-01-10", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to detect a possible access or modification of /etc/sudoers file. \"/etc/sudoers\" file controls who can run what command as what users on what machine and can also control whether a specific user need a password for particular commands. adversaries and threat actors abuse this file to gain persistence and/or privilege escalation during attack on targeted host.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN(\"cat\", \"nano*\",\"vim*\", \"vi*\") AND Processes.process IN(\"*/etc/sudoers*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_access_to_sudoers_file_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://attack.mitre.org/techniques/T1548/003/", "https://web.archive.org/web/20210708035426/https://www.cobaltstrike.com/downloads/csmanual43.pdf"], "tags": {"name": "Linux Possible Access To Sudoers File", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "A commandline $process$ executed on $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.008/copy_file_stdoutpipe/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_possible_access_to_sudoers_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_possible_access_to_sudoers_file.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Possible Append Command To At Allow Config File", "id": "7bc20606-5f40-11ec-a586-acde48001122", "version": 2, "date": "2022-05-26", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic is designed to identify suspicious command lines that may append user entries to either /etc/at.allow or /etc/at.deny. These files can be exploited by malicious actors for persistence on a compromised Linux host by altering permissions for scheduled tasks using the at command.\\\nIn this context, an attacker can create a user or add an existing user to these configuration files to execute their malicious code through scheduled tasks. The detection of such anomalous behavior can serve as an effective indicator warranting further investigation to validate if the activity is indeed malicious or a false positive.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process = \"*echo*\" AND Processes.process IN(\"*/etc/at.allow\", \"*/etc/at.deny\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_append_command_to_at_allow_config_file_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives.", "references": ["https://linuxize.com/post/at-command-in-linux/", "https://attack.mitre.org/techniques/T1053/001/"], "tags": {"name": "Linux Possible Append Command To At Allow Config File", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A commandline $process$ that may modify at allow config file in $dest$", "mitre_attack_id": ["T1053.002", "T1053"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/at_execution/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_possible_append_command_to_at_allow_config_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Possible Append Command To Profile Config File", "id": "9c94732a-61af-11ec-91e3-acde48001122", "version": 1, "date": "2021-12-20", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic looks for suspicious command-lines that can be possibly used to modify user profile files to automatically execute scripts/executables by shell upon reboot of the machine. This technique is commonly abused by adversaries, malware and red teamers as persistence mechanism to the targeted or compromised host. This Anomaly detection is a good indicator that someone wants to run code after reboot which can be done also by the administrator or network operator for automation purposes.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*echo*\" AND Processes.process IN(\"*~/.bashrc\", \"*~/.bash_profile\", \"*/etc/profile\", \"~/.bash_login\", \"*~/.profile\", \"~/.bash_logout\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_append_command_to_profile_config_file_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives.", "references": ["https://unix.stackexchange.com/questions/129143/what-is-the-purpose-of-bashrc-and-how-does-it-work", "https://attack.mitre.org/techniques/T1546/004/"], "tags": {"name": "Linux Possible Append Command To Profile Config File", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "a commandline $process$ that may modify profile files in $dest$", "mitre_attack_id": ["T1546.004", "T1546"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.004", "mitre_attack_technique": "Unix Shell Configuration Modification", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.004/linux_init_profile/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_possible_append_command_to_profile_config_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_possible_append_command_to_profile_config_file.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "id": "b5b91200-5f27-11ec-bb4e-acde48001122", "version": 1, "date": "2021-12-17", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic is designed to detect potential tampering with cronjob files on a Linux system. It specifically searches for command lines that may be used to append code to existing cronjob files, a technique often employed by adversaries, malware, and red teamers for persistence or privilege escalation. Altering existing or sometimes normal cronjob script files allows malicious code to be executed automatically.\\\nThe analytic operates by monitoring logs for specific process names, parent processes, and command-line executions from your endpoints. It specifically checks for any 'echo' command which modifies files in directories commonly associated with cron jobs such as '/etc/cron*', '/var/spool/cron/', and '/etc/anacrontab'. If such activity is detected, an alert is triggered.\\\nThis behavior is worth identifying for a SOC because malicious cron jobs can lead to system compromises and unauthorized data access, impacting business operations and data integrity.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process = \"*echo*\" AND Processes.process IN(\"*/etc/cron*\", \"*/var/spool/cron/*\", \"*/etc/anacrontab*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_append_cronjob_entry_on_existing_cronjob_file_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may arise from legitimate actions by administrators or network operators who may use these commands for automation purposes. Therefore, it's recommended to adjust filter macros to eliminate such false positives.", "references": ["https://attack.mitre.org/techniques/T1053/003/", "https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability", "https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/"], "tags": {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A commandline $process$ that may modify cronjob file in $dest$", "mitre_attack_id": ["T1053.003", "T1053"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "Rocke"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/cronjobs_entry/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_possible_append_cronjob_entry_on_existing_cronjob_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Possible Cronjob Modification With Editor", "id": "dcc89bde-5f24-11ec-87ca-acde48001122", "version": 1, "date": "2021-12-17", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic detects potential unauthorized modifications to Linux cronjobs using text editors like \"nano\", \"vi\" or \"vim\". It identifies this behavior by tracking command-line executions that interact with paths related to cronjob configuration, a common Linux scheduling utility. Cronjob files may be manipulated by attackers for privilege escalation or persistent access, making such changes critical to monitor.\\ The identified behavior is significant for a Security Operations Center (SOC) as it could indicate an ongoing attempt at establishing persistent access or privilege escalation, leading to data breaches, system compromise, or other malicious activities.\\\nIn case of a true positive, the impact could be severe. An attacker with escalated privileges or persistent access could carry out damaging actions, such as data theft, sabotage, or further network penetration.\\\nTo implement this analytic, ensure ingestion of logs tracking process name, parent process, and command-line executions from your endpoints. Utilize the Add-on for Linux Sysmon from Splunkbase if you're using Sysmon.\\\nKnown false positives include legitimate administrative tasks, as these commands may also be used for benign purposes. Careful tuning and filtering based on known benign activity in your environment can minimize these instances.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN(\"nano\",\"vim.basic\") OR Processes.process IN (\"*nano *\", \"*vi *\", \"*vim *\")) AND Processes.process IN(\"*/etc/cron*\", \"*/var/spool/cron/*\", \"*/etc/anacrontab*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_cronjob_modification_with_editor_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives.", "references": ["https://attack.mitre.org/techniques/T1053/003/"], "tags": {"name": "Linux Possible Cronjob Modification With Editor", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 20, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A commandline $process$ that may modify cronjob file using editor in $dest$", "mitre_attack_id": ["T1053.003", "T1053"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 6, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "Rocke"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/cronjobs_entry/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_possible_cronjob_modification_with_editor_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_possible_cronjob_modification_with_editor.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Possible Ssh Key File Creation", "id": "c04ef40c-72da-11ec-8eac-acde48001122", "version": 1, "date": "2022-01-11", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to look for possible ssh key file creation on ~/.ssh/ folder. This technique is commonly abused by threat actors and adversaries to gain persistence and privilege escalation to the targeted host. by creating ssh private and public key and passing the public key to the attacker server. threat actor can access remotely the machine using openssh daemon service.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*/.ssh*\") by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_possible_ssh_key_file_creation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can create file in ~/.ssh folders for automation purposes. Please update the filter macros to remove false positives.", "references": ["https://www.hackingarticles.in/ssh-penetration-testing-port-22/", "https://attack.mitre.org/techniques/T1098/004/"], "tags": {"name": "Linux Possible Ssh Key File Creation", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Installation"], "message": "A file $file_name$ is created in $file_path$ on $dest$", "mitre_attack_id": ["T1098.004", "T1098"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.dest", "Filesystem.file_create_time", "Filesystem.file_name", "Filesystem.process_guid", "Filesystem.file_path"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098.004", "mitre_attack_technique": "SSH Authorized Keys", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Earth Lusca", "TeamTNT"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/ssh_authorized_keys/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_possible_ssh_key_file_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_possible_ssh_key_file_creation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Preload Hijack Library Calls", "id": "cbe2ca30-631e-11ec-8670-acde48001122", "version": 1, "date": "2021-12-22", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to detect a suspicious command that may hijack a library function in linux platform. This technique is commonly abuse by adversaries, malware author and red teamers to gain privileges and persist on the machine. This detection pertains to loading a dll to hijack or hook a library function of specific program using LD_PRELOAD command.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*LD_PRELOAD*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_preload_hijack_library_calls_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://compilepeace.medium.com/memory-malware-part-0x2-writing-userland-rootkits-via-ld-preload-30121c8343d5"], "tags": {"name": "Linux Preload Hijack Library Calls", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "message": "A commandline $process$ that may hijack library function on $dest$", "mitre_attack_id": ["T1574.006", "T1574"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.006", "mitre_attack_technique": "Dynamic Linker Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Rocke"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.006/lib_hijack/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_preload_hijack_library_calls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_preload_hijack_library_calls.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Proxy Socks Curl", "id": "bd596c22-ad1e-44fc-b242-817253ce8b08", "version": 1, "date": "2022-07-29", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies curl being utilized with a proxy based on command-line arguments - -x, socks, --preproxy and --proxy. This behavior is built into the MetaSploit Framework as a auxiliary module. What does socks buy an adversary? SOCKS4a extends the SOCKS4 protocol to allow a client to specify a destination domain name rather than an IP address. The SOCKS5 protocol is defined in RFC 1928. It is an incompatible extension of the SOCKS4 protocol; it offers more choices for authentication and adds support for IPv6 and UDP, the latter of which can be used for DNS lookups. The protocols, and a proxy itself, allow an adversary to evade controls in place monitoring traffic, making it harder for the defender to identify and track activity.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl Processes.process IN (\"*-x *\", \"*socks4a://*\", \"*socks5h://*\", \"*socks4://*\",\"*socks5://*\", \"*--preproxy *\", \"--proxy*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_proxy_socks_curl_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present based on proxy usage internally. Filter as needed.", "references": ["https://www.offensive-security.com/metasploit-unleashed/proxytunnels/", "https://curl.se/docs/manpage.html", "https://en.wikipedia.org/wiki/SOCKS", "https://oxylabs.io/blog/curl-with-proxy", "https://reqbin.com/req/c-ddxflki5/curl-proxy-server#:~:text=To%20use%20a%20proxy%20with,be%20URL%20decoded%20by%20Curl.", "https://gtfobins.github.io/gtfobins/curl/"], "tags": {"name": "Linux Proxy Socks Curl", "analytic_story": ["Linux Living Off The Land", "Ingress Tool Transfer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Command And Control"], "message": "An instance of $process_name$ was identified on endpoint $dest$ by user $user$ utilizing a proxy. Review activity for further details.", "mitre_attack_id": ["T1090", "T1095"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "POLONIUM", "Sandworm Team", "Turla", "Windigo"]}, {"mitre_attack_id": "T1095", "mitre_attack_technique": "Non-Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT3", "BITTER", "BackdoorDiplomacy", "FIN6", "HAFNIUM", "Metador", "PLATINUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_proxy_socks_curl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_proxy_socks_curl.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Puppet Privilege Escalation", "id": "1d19037f-466e-4d56-8d87-36fafd9aa3ce", "version": 1, "date": "2022-08-11", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "In computing, Puppet is a software configuration management tool which includes its own declarative language to describe system configuration. It is a model-driven solution that requires limited programming knowledge to use. If sudo right is given to the tool for the user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*puppet*\" AND Processes.process=\"*apply*\" AND Processes.process=\"*-e*\" AND Processes.process=\"*exec*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_puppet_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/puppet/", "https://en.wikipedia.org/wiki/Puppet_(software)"], "tags": {"name": "Linux Puppet Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/puppet/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_puppet_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_puppet_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux RPM Privilege Escalation", "id": "f8e58a23-cecd-495f-9c65-6c76b4cb9774", "version": 1, "date": "2022-08-09", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "RPM Package Manager is a free and open-source package management system. The name RPM refers to the .rpm file format and the package manager program itself. RPM was intended primarily for Linux distributions; the file format is the baseline package format of the Linux Standard Base. If sudo right is given to rpm utility for the user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*rpm*--eval*\" AND Processes.process=\"*lua:os.execute*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_rpm_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/rpm/", "https://en.wikipedia.org/wiki/RPM_Package_Manager"], "tags": {"name": "Linux RPM Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/rpm/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_rpm_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_rpm_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Ruby Privilege Escalation", "id": "097b28b5-7004-4d40-a715-7e390501788b", "version": 1, "date": "2022-08-09", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "Ruby is one of the most used and easy to use programming languages. Ruby is an open-source, object-oriented interpreter that can be installed on a Linux system. If sudo right is given to ruby application for the user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*ruby*-e*\" AND Processes.process=\"*exec*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ruby_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives are present based on automated tooling or system administrative usage. Filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/ruby/"], "tags": {"name": "Linux Ruby Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/ruby/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_ruby_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_ruby_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Service File Created In Systemd Directory", "id": "c7495048-61b6-11ec-9a37-acde48001122", "version": 1, "date": "2021-12-20", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic is designed to detect suspicious file creation within the systemd timer directory on Linux platforms. Systemd is a system and service manager for Linux, similar to the combination of wininit.exe and services.exe on Windows. This process initializes a Linux system and starts defined services in unit files. Malicious actors, such as adversaries, malware, or red teamers, can exploit this feature by embedding a systemd service file for persistence on the targeted or compromised host.\\\nThe analytic works by monitoring logs with file name, file path, and process GUID data from your endpoints. If a .service file is created in certain systemd directories, the analytic triggers an alert. This behavior is significant for a Security Operations Center (SOC) as it may indicate a persistent threat within the network, with a potential impact of system compromise or data exfiltration.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name = *.service Filesystem.file_path IN (\"*/etc/systemd/system*\", \"*/lib/systemd/system*\", \"*/usr/lib/systemd/system*\", \"*/run/systemd/system*\", \"*~/.config/systemd/*\", \"*~/.local/share/systemd/*\",\"*/etc/systemd/user*\", \"*/lib/systemd/user*\", \"*/usr/lib/systemd/user*\", \"*/run/systemd/user*\") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_service_file_created_in_systemd_directory_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may arise when administrators or network operators create files in systemd directories for legitimate automation tasks. Therefore, it's important to adjust filter macros to account for valid activities. To implement this search successfully, it's crucial to ingest appropriate logs, preferably using the Linux Sysmon Add-on from Splunkbase for those using Sysmon.", "references": ["https://attack.mitre.org/techniques/T1053/006/", "https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/", "https://redcanary.com/blog/attck-t1501-understanding-systemd-service-persistence/", "https://github.com/microsoft/MSTIC-Sysmon/blob/main/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml"], "tags": {"name": "Linux Service File Created In Systemd Directory", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A service file named as $file_path$ is created in systemd folder on $dest$", "mitre_attack_id": ["T1053.006", "T1053"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.dest", "Filesystem.file_create_time", "Filesystem.file_name", "Filesystem.process_guid", "Filesystem.file_path"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.006/service_systemd/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_service_file_created_in_systemd_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_service_file_created_in_systemd_directory.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Service Restarted", "id": "084275ba-61b8-11ec-8d64-acde48001122", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic detects the restarting or re-enabling of services in the Linux platform. It focuses on the use of the systemctl or service tools for executing these actions. Adversaries may leverage this technique to repeatedly execute malicious payloads as a form of persistence. Linux hosts typically start services during boot to perform background system functions. However, administrators may also create legitimate services for specific tools or applications as part of task automation. In such cases, it is recommended to verify the service path of the registered script or executable and identify the creator of the service for further validation.\\\nIt's important to be aware that this analytic may generate false positives as administrators or network operators may use the same command-line for legitimate automation purposes. Filter macros should be updated accordingly to minimize false positives.\\\nIdentifying restarted or re-enabled services is valuable for a SOC as it can indicate potential malicious activities attempting to maintain persistence or execute unauthorized actions on Linux systems. By detecting and investigating these events, security analysts can respond promptly to mitigate risks and prevent further compromise. The impact of a true positive can range from unauthorized access to data destruction or other damaging outcomes.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN (\"systemctl\", \"service\") OR Processes.process IN (\"*systemctl *\", \"*service *\")) Processes.process IN (\"*restart*\", \"*reload*\", \"*reenable*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_service_restarted_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and commandline executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives.", "references": ["https://attack.mitre.org/techniques/T1543/003/"], "tags": {"name": "Linux Service Restarted", "analytic_story": ["AwfulShred", "Linux Privilege Escalation", "Linux Living Off The Land", "Data Destruction", "Linux Persistence Techniques", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A commandline $process$ that may create or start a service on $dest$", "mitre_attack_id": ["T1053.006", "T1053"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.006/service_systemd/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_service_restarted_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_service_restarted.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Service Started Or Enabled", "id": "e0428212-61b7-11ec-88a3-acde48001122", "version": 1, "date": "2021-12-20", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic detects the creation or enabling of services in Linux platforms, specifically using the systemctl or service tool application. This behavior is worth identifying as adversaries may create or modify services to execute malicious payloads as part of persistence. Legitimate services created by administrators for automation purposes may also trigger this analytic, so it is important to update the filter macros to remove false positives. If a true positive is found, it suggests an possible attacker is attempting to persist within the environment or deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, ensure you are ingesting logs with the process name, parent process, and command-line executions from your endpoints.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN (\"systemctl\", \"service\") OR Processes.process IN (\"*systemctl *\", \"*service *\")) Processes.process IN (\"* start *\", \"* enable *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_service_started_or_enabled_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives.", "references": ["https://attack.mitre.org/techniques/T1543/003/"], "tags": {"name": "Linux Service Started Or Enabled", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Installation", "Exploitation"], "message": "a commandline $process$ that may create or start a service on $dest", "mitre_attack_id": ["T1053.006", "T1053"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.006/service_systemd/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_service_started_or_enabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_service_started_or_enabled.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Setuid Using Chmod Utility", "id": "bf0304b6-6250-11ec-9d7c-acde48001122", "version": 1, "date": "2021-12-21", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic looks for suspicious chmod utility execution to enable SUID bit. This allows a user to temporarily gain root access, usually in order to run a program. For example, only the root account is allowed to change the password information contained in the password database; If the SUID bit appears as an s, the file's owner also has execute permission to the file; if it appears as an S, the file's owner does not have execute permission. The second specialty permission is the SGID, or set group id bit. It is similar to the SUID bit, except it can temporarily change group membership, usually to execute a program. The SGID bit is set if an s or an S appears in the group section of permissions.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes WHERE (Processes.process_name = chmod OR Processes.process = \"*chmod *\") AND Processes.process IN(\"* g+s *\", \"* u+s *\", \"* 4777 *\", \"* 4577 *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_setuid_using_chmod_utility_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/"], "tags": {"name": "Linux Setuid Using Chmod Utility", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "a commandline $process$ that may set suid or sgid on $dest$", "mitre_attack_id": ["T1548.001", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.001", "mitre_attack_technique": "Setuid and Setgid", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/chmod_uid/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_setuid_using_chmod_utility_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_setuid_using_chmod_utility.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Setuid Using Setcap Utility", "id": "9d96022e-6250-11ec-9a19-acde48001122", "version": 1, "date": "2021-12-21", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic looks for suspicious setcap utility execution to enable SUID bit. This allows a user to temporarily gain root access, usually in order to run a program. For example, only the root account is allowed to change the password information contained in the password database; If the SUID bit appears as an s, the file's owner also has execute permission to the file; if it appears as an S, the file's owner does not have execute permission. The second specialty permission is the SGID, or set group id bit. It is similar to the SUID bit, except it can temporarily change group membership, usually to execute a program. The SGID bit is set if an s or an S appears in the group section of permissions.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = setcap OR Processes.process = \"*setcap *\") AND Processes.process IN (\"* cap_setuid=ep *\", \"* cap_setuid+ep *\", \"* cap_net_bind_service+p *\", \"* cap_net_raw+ep *\", \"* cap_dac_read_search+ep *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_setuid_using_setcap_utility_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/"], "tags": {"name": "Linux Setuid Using Setcap Utility", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "A commandline $process$ that may set suid or sgid on $dest$", "mitre_attack_id": ["T1548.001", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.001", "mitre_attack_technique": "Setuid and Setgid", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/linux_setcap/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_setuid_using_setcap_utility_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_setuid_using_setcap_utility.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Shred Overwrite Command", "id": "c1952cf1-643c-4965-82de-11c067cbae76", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to detect a shred process to overwrite a files in a linux machine. Shred Linux application is designed to overwrite file to hide its contents or make the deleted file un-recoverable. Weve seen this technique in industroyer2 malware that tries to wipe energy facilities of targeted sector as part of its destructive attack. It might be some normal user may use this command for valid purposes but it is recommended to check what files, disk or folder it tries to shred that might be good pivot for incident response in this type of destructive malware.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name =shred AND Processes.process IN (\"*-n*\", \"*-u*\", \"*-z*\", \"*-s*\") by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_shred_overwrite_command_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://cert.gov.ua/article/39518"], "tags": {"name": "Linux Shred Overwrite Command", "analytic_story": ["Industroyer2", "AwfulShred", "Linux Privilege Escalation", "Data Destruction", "Linux Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "message": "A possible shred overwrite command $process$ executed on $dest$", "mitre_attack_id": ["T1485"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/rm_shred_critical_dir/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_shred_overwrite_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_shred_overwrite_command.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Sqlite3 Privilege Escalation", "id": "ab75dbb7-c3ba-4689-9c1b-8d2717bdcba1", "version": 1, "date": "2022-08-11", "author": "Gowthamaraj Rajendran, Splunk", "type": "Anomaly", "status": "production", "description": "sqlite3 is a terminal-based front-end to the SQLite library that can evaluate queries interactively and display the results in multiple formats. sqlite3 can also be used within shell scripts and other applications to provide batch processing features. If sudo right is given to this application for the user, then the user can run system commands as root and possibly get a root shell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*sqlite3*\" AND Processes.process=\"*.shell*\" AND Processes.process=\"*sudo*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_sqlite3_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://gtfobins.github.io/gtfobins/sqlite3/", "https://manpages.ubuntu.com/manpages/trusty/en/man1/sqlite3.1.html"], "tags": {"name": "Linux Sqlite3 Privilege Escalation", "analytic_story": ["Linux Privilege Escalation", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/sqlite3/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_sqlite3_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_sqlite3_privilege_escalation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux SSH Authorized Keys Modification", "id": "f5ab595e-28e5-4327-8077-5008ba97c850", "version": 1, "date": "2022-07-27", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies based on process execution the modification of SSH Authorized Keys. Adversaries perform this behavior to persist on endpoints. During triage, review parallel processes and capture any additional file modifications for review.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"bash\",\"cat\") Processes.process IN (\"*/authorized_keys*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ssh_authorized_keys_modification_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Filtering will be required as system administrators will add and remove. One way to filter query is to add \"echo\".", "references": ["https://redcanary.com/blog/lateral-movement-with-secure-shell/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"], "tags": {"name": "Linux SSH Authorized Keys Modification", "analytic_story": ["Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Installation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ modifying SSH Authorized Keys.", "mitre_attack_id": ["T1098.004"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098.004", "mitre_attack_technique": "SSH Authorized Keys", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Earth Lusca", "TeamTNT"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/ssh_authorized_keys/authkey_linux-sysmon.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_ssh_authorized_keys_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_ssh_authorized_keys_modification.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux SSH Remote Services Script Execute", "id": "aa1748dd-4a5c-457a-9cf6-ca7b4eb711b3", "version": 1, "date": "2023-03-03", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies SSH being utilized to move laterally and execute a script or file on the remote host.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ssh Processes.process IN (\"*oStrictHostKeyChecking*\", \"*oConnectTimeout*\", \"*oBatchMode*\") AND Processes.process IN (\"*http:*\",\"*https:*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_ssh_remote_services_script_execute_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "This is not a common command to be executed. Filter as needed.", "references": ["https://redcanary.com/blog/lateral-movement-with-secure-shell/"], "tags": {"name": "Linux SSH Remote Services Script Execute", "analytic_story": ["Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $process_name$ was identified on endpoint $dest$ by user $user$ attempting to move laterally and download a file.", "mitre_attack_id": ["T1021.004"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.004", "mitre_attack_technique": "SSH", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT39", "BlackTech", "FIN7", "Fox Kitten", "GCMAN", "Lazarus Group", "Leviathan", "OilRig", "Rocke", "TEMP.Veles", "TeamTNT", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.004/atomic_red_team/linux-sysmon.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_ssh_remote_services_script_execute_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_ssh_remote_services_script_execute.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Stdout Redirection To Dev Null File", "id": "de62b809-a04d-46b5-9a15-8298d330f0c8", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "experimental", "description": "This analytic looks for suspicious commandline that redirect the stdout or possible stderror to dev/null file. This technique was seen in cyclopsblink malware where it redirect the possible output or error while modify the iptables firewall setting of the compromised machine to hide its action from the user. This Anomaly detection is a good pivot to look further why process or user use this un common approach.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*&>/dev/null*\" by Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_stdout_redirection_to_dev_null_file_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "unknown", "references": ["https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html"], "tags": {"name": "Linux Stdout Redirection To Dev Null File", "analytic_story": ["CyclopsBLink", "Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "a commandline $process$ that redirect stdout to dev/null in $dest$", "mitre_attack_id": ["T1562.004", "T1562"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/cyclopsblink/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_stdout_redirection_to_dev_null_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_stdout_redirection_to_dev_null_file.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Stop Services", "id": "d05204a5-9f1c-4946-a7f3-4fa58d76d5fd", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic is to detect events that attempt to stop or clear a service. This is typically identified in parallel with other instances of service enumeration of attempts to stop a service and then delete it. Adversaries utilize this technique like industroyer2 malware to terminate security services or other related services to continue there objective as a destructive payload.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"systemctl\", \"service\", \"svcadm\") Processes.process =\"*stop*\" by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_stop_services_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://cert.gov.ua/article/39518"], "tags": {"name": "Linux Stop Services", "analytic_story": ["AwfulShred", "Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified attempting to stop services on endpoint $dest$ by $user$.", "mitre_attack_id": ["T1489"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_service_stop_disable/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_stop_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_stop_services.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Sudo OR Su Execution", "id": "4b00f134-6d6a-11ec-a90c-acde48001122", "version": 1, "date": "2022-01-04", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "This analytic is to detect the execution of sudo or su command in linux operating system. The \"sudo\" command allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. This command is commonly abused by adversaries, malware author and red teamers to elevate privileges to the targeted host. This command can be executed by administrator for legitimate purposes or to execute process that need admin privileges, In this scenario filter is needed.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"sudo\", \"su\") OR Processes.parent_process_name IN (\"sudo\", \"su\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_sudo_or_su_execution_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://attack.mitre.org/techniques/T1548/003/"], "tags": {"name": "Linux Sudo OR Su Execution", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "A commandline $process$ that execute sudo or su in $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/sudo_su/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_sudo_or_su_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_sudo_or_su_execution.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Sudoers Tmp File Creation", "id": "be254a5c-63e7-11ec-89da-acde48001122", "version": 1, "date": "2021-12-23", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to looks for file creation of sudoers.tmp file cause by editing /etc/sudoers using visudo or editor in linux platform. This technique may abuse by adversaries, malware author and red teamers to gain elevated privilege to targeted or compromised host. /etc/sudoers file controls who can run what commands as what users on what machines and can also control special things such as whether you need a password for particular commands. The file is composed of aliases (basically variables) and user specifications (which control who can run what).", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*sudoers.tmp*\") by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_sudoers_tmp_file_creation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://forum.ubuntuusers.de/topic/sudo-visudo-gibt-etc-sudoers-tmp/"], "tags": {"name": "Linux Sudoers Tmp File Creation", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "A file $file_name$ is created in $file_path$ on $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.dest", "Filesystem.file_create_time", "Filesystem.file_name", "Filesystem.process_guid", "Filesystem.file_path"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/sudoers_temp/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_sudoers_tmp_file_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_sudoers_tmp_file_creation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux System Network Discovery", "id": "535cb214-8b47-11ec-a2c7-acde48001122", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to look for possible enumeration of local network configuration. This technique is commonly used as part of recon of adversaries or threat actor to know some network information for its next or further attack. This anomaly detections may capture normal event made by administrator during auditing or testing network connection of specific host or network to network.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name_list values(Processes.process) as process_list values(Processes.process_id) as process_id_list values(Processes.parent_process_id) as parent_process_id_list values(Processes.process_guid) as process_guid_list dc(Processes.process_name) as process_name_count from datamodel=Endpoint.Processes where Processes.process_name IN (\"arp\", \"ifconfig\", \"ip\", \"netstat\", \"firewall-cmd\", \"ufw\", \"iptables\", \"ss\", \"route\") by _time span=30m Processes.dest Processes.user | where process_name_count >=4 | `drop_dm_object_name(Processes)`| `linux_system_network_discovery_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"], "tags": {"name": "Linux System Network Discovery", "analytic_story": ["Data Destruction", "Network Discovery", "Industroyer2"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "A commandline $process$ executed on $dest$", "mitre_attack_id": ["T1016"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/atomic_red_team/linux_net_discovery/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_system_network_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_system_network_discovery.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux System Reboot Via System Request Key", "id": "e1912b58-ed9c-422c-bbb0-2dbc70398345", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to look for possible execution of SysReq hack to reboot the Linux system host. This technique was seen in Awfulshred malware wiper to reboot the compromised host by using the linux magic sysreq key. This kernel configuration can trigger reboot by piping out 'b' to /proc/sysrq-trigger after enabling all the functions of sysrq. This TTP detection can be a good indicator of possible suspicious processes running on the Linux host since this command is not a common way to reboot a system.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"dash\", \"sudo\", \"bash\") Processes.process = \"* echo b > *\" Processes.process = \"*/proc/sysrq-trigger\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_system_reboot_via_system_request_key_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "unknown", "references": ["https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html", "https://cert.gov.ua/article/3718487", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/"], "tags": {"name": "Linux System Reboot Via System Request Key", "analytic_story": ["AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "message": "a $process_name$ execute sysrq command $process$ to reboot $dest$", "mitre_attack_id": ["T1529"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process_path", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test2/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_system_reboot_via_system_request_key_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_system_reboot_via_system_request_key.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Unix Shell Enable All SysRq Functions", "id": "e7a96937-3b58-4962-8dce-538e4763cf15", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to look for possible execution of SysReq hack to enable all functions of kernel system requests of the Linux system host. This technique was seen in AwfulShred malware wiper to reboot the compromised host by using the linux magic sysreq key. This kernel configuration can be triggered by piping out bitmask '1' to /proc/sys/kernel/sysrq. This TTP detection can be a good indicator of possible suspicious processes running on the Linux host since this command is not so common shell commandline.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"dash\", \"sudo\", \"bash\") Processes.process = \"* echo 1 > *\" Processes.process = \"*/proc/sys/kernel/sysrq\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `linux_unix_shell_enable_all_sysrq_functions_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "unknown", "references": ["https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html", "https://cert.gov.ua/article/3718487", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/"], "tags": {"name": "Linux Unix Shell Enable All SysRq Functions", "analytic_story": ["AwfulShred", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Installation"], "message": "a $process_name$ execute sysrq command $process$ to enable all function of system request in $dest$", "mitre_attack_id": ["T1059.004", "T1059"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process_path", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.004", "mitre_attack_technique": "Unix Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT41", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test2/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_unix_shell_enable_all_sysrq_functions_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_unix_shell_enable_all_sysrq_functions.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Linux Visudo Utility Execution", "id": "08c41040-624c-11ec-a71f-acde48001122", "version": 1, "date": "2021-12-21", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to looks for suspicious commandline that add entry to /etc/sudoers by using visudo utility tool in linux platform. This technique may abuse by adversaries, malware author and red teamers to gain elevated privilege to targeted or compromised host. /etc/sudoers file controls who can run what commands as what users on what machines and can also control special things such as whether you need a password for particular commands. The file is composed of aliases (basically variables) and user specifications (which control who can run what).", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = visudo by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_visudo_utility_execution_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.", "known_false_positives": "Administrator or network operator can execute this command. Please update the filter macros to remove false positives.", "references": ["https://askubuntu.com/questions/334318/sudoers-file-enable-nopasswd-for-user-all-commands"], "tags": {"name": "Linux Visudo Utility Execution", "analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 40, "impact": 40, "kill_chain_phases": ["Exploitation"], "message": "A commandline $process$ executed on $dest$", "mitre_attack_id": ["T1548.003", "T1548"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 16, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/visudo/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "linux_visudo_utility_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/linux_visudo_utility_execution.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Living Off The Land", "id": "1be30d80-3a39-4df9-9102-64a467b24abc", "version": 2, "date": "2022-09-09", "author": "Michael Haag, Splunk", "type": "Correlation", "status": "production", "description": "The following correlation identifies a distinct amount of analytics associated with the Living Off The Land analytic story that identify potentially suspicious behavior.", "data_source": [], "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories=\"Living Off The Land\" All_Risk.risk_object_type=\"system\" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 5 | `living_off_the_land_filter`", "how_to_implement": "To implement this correlation search a user needs to enable all detections in the Living Off The Land Analytic Story and confirm it is generating risk events. A simple search `index=risk analyticstories=\"Living Off The Land\"` should contain events.", "known_false_positives": "There are no known false positive for this search, but it could contain false positives as multiple detections can trigger and not have successful exploitation. Modify the static value distinct_detection_name to a higher value. It is also required to tune analytics that are also tagged to ensure volume is never too much.", "references": ["https://www.splunk.com/en_us/blog/security/living-off-the-land-threat-research-february-2022-release.html", "https://research.splunk.com/stories/living_off_the_land/"], "tags": {"name": "Living Off The Land", "analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Command And Control", "Delivery", "Installation"], "message": "An increase of Living Off The Land behavior has been detected on $affected_systems$", "mitre_attack_id": ["T1105", "T1190", "T1059", "T1133"], "nist": ["DE.AE"], "observable": [{"name": "affected_systems", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Risk.analyticstories", "All_Risk.risk_object_type", "All_Risk.risk_object", "All_Risk.annotations.mitre_attack.mitre_tactic", "source"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1218/living_off_the_land/lolbinrisk.log", "source": "lotl", "sourcetype": "stash"}]}], "datamodel": ["Risk"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "living_off_the_land_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/living_off_the_land.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Loading Of Dynwrapx Module", "id": "eac5e8ba-4857-11ec-9371-acde48001122", "version": 1, "date": "2021-11-18", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "DynamicWrapperX is an ActiveX component that can be used in a script to call Windows API functions, but it requires the dynwrapx.dll to be installed and registered. With that, registering or loading dynwrapx.dll to a host is highly suspicious. In most instances when it is used maliciously, the best way to triage is to review parallel processes and pivot on the process_guid. Review the registry for any suspicious modifications meant to load dynwrapx.dll. Identify any suspicious module loads of dynwrapx.dll. This detection will return and identify the processes that invoke vbs/wscript/cscript.", "data_source": ["Sysmon Event ID 7"], "search": "`sysmon` EventCode=7 (ImageLoaded = \"*\\\\dynwrapx.dll\" OR OriginalFileName = \"dynwrapx.dll\" OR Product = \"DynamicWrapperX\") | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded OriginalFileName Product process_name Computer EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `loading_of_dynwrapx_module_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on processes that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited, however it is possible to filter by Processes.process_name and specific processes (ex. wscript.exe). Filter as needed. This may need modification based on EDR telemetry and how it brings in registry data. For example, removal of (Default).", "references": ["https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/", "https://www.script-coding.com/dynwrapx_eng.html", "https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/", "https://tria.ge/210929-ap75vsddan", "https://www.virustotal.com/gui/file/cb77b93150cb0f7fe65ce8a7e2a5781e727419451355a7736db84109fa215a89", "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"name": "Loading Of Dynwrapx Module", "analytic_story": ["Remcos", "AsyncRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "dynwrapx.dll loaded by process $process_name$ on $Computer$", "mitre_attack_id": ["T1055", "T1055.001"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "ImageLoaded", "OriginalFileName", "Product", "process_name", "Computer", "EventCode", "Signed", "ProcessId"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1055.001", "mitre_attack_technique": "Dynamic-link Library Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["BackdoorDiplomacy", "Lazarus Group", "Leviathan", "Putter Panda", "TA505", "Tropic Trooper", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_dynwrapx/sysmon_dynwraper.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "loading_of_dynwrapx_module_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/loading_of_dynwrapx_module.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Local Account Discovery with Net", "id": "5d0d4830-0133-11ec-bae3-acde48001122", "version": 2, "date": "2021-09-16", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for local users. The two arguments `user` and 'users', return a list of all local users. Red Teams and adversaries alike use net.exe to enumerate users for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` (Processes.process=*user OR Processes.process=*users) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `local_account_discovery_with_net_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1087/001/"], "tags": {"name": "Local Account Discovery with Net", "analytic_story": ["Active Directory Discovery", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Local user discovery enumeration on $dest$ by $user$", "mitre_attack_id": ["T1087", "T1087.001"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "local_account_discovery_with_net_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/local_account_discovery_with_net.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Local Account Discovery With Wmic", "id": "4902d7aa-0134-11ec-9d65-acde48001122", "version": 2, "date": "2021-09-16", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for local users. The argument `useraccount` is used to leverage WMI to return a list of all local users. Red Teams and adversaries alike use net.exe to enumerate users for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` (Processes.process=*useraccount*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `local_account_discovery_with_wmic_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1087/001/"], "tags": {"name": "Local Account Discovery With Wmic", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Local user discovery enumeration on $dest$ by $user$", "mitre_attack_id": ["T1087", "T1087.001"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "local_account_discovery_with_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/local_account_discovery_with_wmic.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Log4Shell CVE-2021-44228 Exploitation", "id": "9be30d80-3a39-4df9-9102-64a467b24eac", "version": 3, "date": "2022-09-09", "author": "Jose Hernandez, Splunk", "type": "Correlation", "status": "production", "description": "This correlation find exploitation of Log4Shell CVE-2021-44228 against systems using detections from Splunk Security Content Analytic Story. It does this by calculating the distinct count of MITRE ATT&CK tactics from Log4Shell detections fired. If the count is larger than 2 or more distinct MITRE ATT&CK tactics we assume high problability of exploitation. The Analytic story breaks down into 3 major phases of a Log4Shell exploitation, specifically> Initial Payload delivery eg. `${jndi:ldap://PAYLOAD_INJECTED}` Call back to malicious LDAP server eg. Exploit.class Post Exploitation Activity/Lateral Movement using Powershell or similar T1562.001 Each of these phases fall into different MITRE ATT&CK Tactics (Initial Access, Execution, Command And Control), by looking into 2 or more phases showing up in detections triggerd is how this correlation search finds exploitation. If we get a notable from this correlation search the best way to triage it is by investigating the affected systems against Log4Shell exploitation using Splunk SOAR playbooks.", "data_source": [], "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories=\"Log4Shell CVE-2021-44228\" All_Risk.risk_object_type=\"system\" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 2 | `log4shell_cve_2021_44228_exploitation_filter`", "how_to_implement": "To implement this correlation search a user needs to enable all detections in the Log4Shell Analytic Story and confirm it is generation risk events. A simple search `index=risk analyticstories=\"Log4Shell CVE-2021-44228\"` should contain events.", "known_false_positives": "There are no known false positive for this search, but it could contain false positives as multiple detections can trigger and not have successful exploitation.", "references": ["https://research.splunk.com/stories/log4shell_cve-2021-44228/", "https://www.splunk.com/en_us/blog/security/simulating-detecting-and-responding-to-log4shell-with-splunk.html"], "tags": {"name": "Log4Shell CVE-2021-44228 Exploitation", "analytic_story": ["Log4Shell CVE-2021-44228", "CISA AA22-320A"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Command And Control", "Delivery", "Installation"], "message": "Log4Shell Exploitation detected against $risk_object$.", "mitre_attack_id": ["T1105", "T1190", "T1059", "T1133"], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Risk.analyticstories", "All_Risk.risk_object_type", "All_Risk.risk_object", "All_Risk.annotations.mitre_attack.mitre_tactic", "source"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://raw.githubusercontent.com/splunk/attack_data/master/datasets/suspicious_behaviour/log4shell_exploitation/log4shell_correlation.txt", "source": "log4shell", "sourcetype": "stash"}]}], "datamodel": ["Risk"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "log4shell_cve_2021_44228_exploitation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Logon Script Event Trigger Execution", "id": "4c38c264-1f74-11ec-b5fa-acde48001122", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious modification of registry entry to persist and gain privilege escalation upon booting up of compromised host. This technique was seen in several APT and malware where it modify UserInitMprLogonScript registry entry to its malicious payload to be executed upon boot up of the machine.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path IN (\"*\\\\Environment\\\\UserInitMprLogonScript\") by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `logon_script_event_trigger_execution_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "unknown", "references": ["https://attack.mitre.org/techniques/T1037/001/"], "tags": {"name": "Logon Script Event Trigger Execution", "analytic_story": ["Data Destruction", "Windows Privilege Escalation", "Hermetic Wiper", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "modified/added/deleted registry entry $Registry.registry_path$ in $dest$", "mitre_attack_id": ["T1037", "T1037.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.user", "Registry.registry_path", "Registry.registry_key_name", "Registry.registry_value_name"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Rocke"]}, {"mitre_attack_id": "T1037.001", "mitre_attack_technique": "Logon Script (Windows)", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "Cobalt Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1037.001/logonscript_reg/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "logon_script_event_trigger_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/logon_script_event_trigger_execution.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "LOLBAS With Network Traffic", "id": "2820f032-19eb-497e-8642-25b04a880359", "version": 1, "date": "2021-12-09", "author": "Steven Dick", "type": "TTP", "status": "production", "description": "The following analytic identifies LOLBAS with network traffic. When adversaries abuse LOLBAS they are often used to download malicious code or executables. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like downloading malicious code. Looking for these process can help defenders identify lateral movement, command-and-control, or exfiltration activies.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic.All_Traffic where (All_Traffic.app IN (\"*Regsvcs.exe\", \"*\\\\Ftp.exe\", \"*OfflineScannerShell.exe\", \"*Rasautou.exe\", \"*Schtasks.exe\", \"*Xwizard.exe\", \"*Pnputil.exe\", \"*Atbroker.exe\", \"*Pcwrun.exe\", \"*Ttdinject.exe\", \"*Mshta.exe\", \"*Bitsadmin.exe\", \"*Certoc.exe\", \"*Ieexec.exe\", \"*Microsoft.Workflow.Compiler.exe\", \"*Runscripthelper.exe\", \"*Forfiles.exe\", \"*Msbuild.exe\", \"*Register-cimprovider.exe\", \"*Tttracer.exe\", \"*Ie4uinit.exe\", \"*Bash.exe\", \"*Hh.exe\", \"*SettingSyncHost.exe\", \"*Cmstp.exe\", \"*Stordiag.exe\", \"*Scriptrunner.exe\", \"*Odbcconf.exe\", \"*Extexport.exe\", \"*Msdt.exe\", \"*WorkFolders.exe\", \"*Diskshadow.exe\", \"*Mavinject.exe\", \"*Regasm.exe\", \"*Gpscript.exe\", \"*Regsvr32.exe\", \"*Msiexec.exe\", \"*Wuauclt.exe\", \"*Presentationhost.exe\", \"*Wmic.exe\", \"*Runonce.exe\", \"*Syncappvpublishingserver.exe\", \"*Verclsid.exe\", \"*Infdefaultinstall.exe\", \"*Installutil.exe\", \"*Netsh.exe\", \"*Wab.exe\", \"*Dnscmd.exe\", \"*\\\\At.exe\", \"*Pcalua.exe\", \"*Msconfig.exe\", \"*makecab.exe\", \"*cscript.exe\", \"*notepad.exe\", \"*\\\\cmd.exe\", \"*certutil.exe\", \"*\\\\powershell.exe\", \"*powershell_ise.exe\")) by All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user,All_Traffic.dest,All_Traffic.dest_ip | `drop_dm_object_name(All_Traffic)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rex field=app \".*\\\\\\(?.*)$\" | rename app as process | `lolbas_with_network_traffic_filter`", "how_to_implement": "To successfully implement this detection you must ingest events into the Network traffic data model that contain the source, destination, and communicating process in the app feild. Relevant processes must also be ingested in the Endpoint data model with matching process_id feild. Sysmon EID1 and EID3 are good examples of this type this data type.", "known_false_positives": "Legitmate usage of internal automation or scripting, espically powershell.exe internal to internal or logon scripts. It may be necessary to omit internal IP ranges if extremely noisy. ie NOT dest_ip IN (\"10.0.0.0/8\",\"172.16.0.0/12\",\"192.168.0.0/16\",\"170.98.0.0/16\",\"0:0:0:0:0:0:0:1\") ", "references": ["https://lolbas-project.github.io/#", "https://www.sans.org/presentations/lolbin-detection-methods-seven-common-attacks-revealed/"], "tags": {"name": "LOLBAS With Network Traffic", "analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command And Control", "Actions on Objectives", "Exploitation"], "message": "The LOLBAS $process_name$ on device $src$ was seen communicating with $dest$.", "mitre_attack_id": ["T1105", "T1567", "T1218"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.user", "Processes.process_id", "Processes.process_name", "Processes.process", "Processes.process_path", "Processes.dest", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_guid", "All_Traffic.app", "All_Traffic.src", "All_Traffic.src_ip", "All_Traffic.dest", "All_Traffic.dest_ip", "All_Traffic.process_id"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1567", "mitre_attack_technique": "Exfiltration Over Web Service", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT28", "Magic Hound"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/lolbas_with_network_traffic/lolbas_with_network_traffic.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "lolbas_with_network_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/lolbas_with_network_traffic.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "MacOS - Re-opened Applications", "id": "40bb64f9-f619-4e3d-8732-328d40377c4b", "version": 1, "date": "2020-02-07", "author": "Jamie Windley, Splunk", "type": "TTP", "status": "experimental", "description": "This search looks for processes referencing the plist files that determine which applications are re-opened when a user reboots their machine.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*com.apple.loginwindow*\" by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `macos___re_opened_applications_filter`", "how_to_implement": "In order to properly run this search, Splunk needs to ingest process data from your osquery deployed agents with the [splunk.conf](https://github.com/splunk/TA-osquery/blob/master/config/splunk.conf) pack enabled. Also the [TA-OSquery](https://github.com/splunk/TA-osquery) must be deployed across your indexers and universal forwarders in order to have the data populate the Endpoint data model.", "known_false_positives": "At this stage, there are no known false positives. During testing, no process events refering the com.apple.loginwindow.plist files were observed during normal operation of re-opening applications on reboot. Therefore, it can be asumed that any occurences of this in the process events would be worth investigating. In the event that the legitimate modification by the system of these files is in fact logged to the process log, then the process_name of that process can be added to an allow list.", "references": [], "tags": {"name": "MacOS - Re-opened Applications", "analytic_story": ["ColdRoot MacOS RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.parent_process", "Processes.user", "Processes.process_name", "Processes.parent_process_name", "Processes.dest"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "macos___re_opened_applications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/macos___re_opened_applications.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "MacOS LOLbin", "id": "58d270fb-5b39-418e-a855-4b8ac046805e", "version": 1, "date": "2022-03-04", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "Detect multiple executions of Living off the Land (LOLbin) binaries in a short period of time.", "data_source": [], "search": "`osquery` name=es_process_events columns.cmdline IN (\"find*\", \"crontab*\", \"screencapture*\", \"openssl*\", \"curl*\", \"wget*\", \"killall*\", \"funzip*\") | rename columns.* as * | stats min(_time) as firstTime max(_time) as lastTime values(cmdline) as cmdline, values(pid) as pid, values(parent) as parent, values(path) as path, values(signing_id) as signing_id, dc(path) as dc_path by username host | rename username as User, cmdline as process, path as process_path | where dc_path > 3 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `macos_lolbin_filter`", "how_to_implement": "This detection uses osquery and endpoint security on MacOS. Follow the link in references, which describes how to setup process auditing in MacOS with endpoint security and osquery.", "known_false_positives": "None identified.", "references": ["https://osquery.readthedocs.io/en/stable/deployment/process-auditing/"], "tags": {"name": "MacOS LOLbin", "analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "Multiplle LOLbin are executed on host $host$ by user $user$", "mitre_attack_id": ["T1059.004", "T1059"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "columns.cmdline", "columns.pid", "columns.parent", "columns.path", "columns.signing_id", "columns.username", "host"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.004", "mitre_attack_technique": "Unix Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT41", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.004/macos_lolbin/osquery.log", "source": "osquery", "sourcetype": "osquery:results"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "osquery", "definition": "sourcetype=osquery:results", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "macos_lolbin_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/macos_lolbin.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "MacOS plutil", "id": "c11f2b57-92c1-4cd2-b46c-064eafb833ac", "version": 2, "date": "2022-05-26", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "Detect usage of plutil to modify plist files. Adversaries can modiy plist files to executed binaries or add command line arguments. Plist files in auto-run locations are executed upon user logon or system startup.", "data_source": [], "search": "`osquery` name=es_process_events columns.path=/usr/bin/plutil | rename columns.* as * | stats count min(_time) as firstTime max(_time) as lastTime by username host cmdline pid path parent signing_id | rename username as User, cmdline as process, path as process_path | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `macos_plutil_filter`", "how_to_implement": "This detection uses osquery and endpoint security on MacOS. Follow the link in references, which describes how to setup process auditing in MacOS with endpoint security and osquery.", "known_false_positives": "Administrators using plutil to change plist files.", "references": ["https://osquery.readthedocs.io/en/stable/deployment/process-auditing/"], "tags": {"name": "MacOS plutil", "analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "plutil are executed on $host$ from $user$", "mitre_attack_id": ["T1647"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "columns.cmdline", "columns.pid", "columns.parent", "columns.path", "columns.signing_id", "columns.username", "host"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1647", "mitre_attack_technique": "Plist File Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1647/atomic_red_team/osquery.log", "source": "osquery", "sourcetype": "osquery:results"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "osquery", "definition": "sourcetype=osquery:results", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "macos_plutil_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/macos_plutil.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Mailsniper Invoke functions", "id": "a36972c8-b894-11eb-9f78-acde48001122", "version": 2, "date": "2022-05-02", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect known mailsniper.ps1 functions executed in a machine. This technique was seen in some attacker to harvest some sensitive e-mail in a compromised exchange server.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*Invoke-GlobalO365MailSearch*\", \"*Invoke-GlobalMailSearch*\", \"*Invoke-SelfSearch*\", \"*Invoke-PasswordSprayOWA*\", \"*Invoke-PasswordSprayEWS*\",\"*Invoke-DomainHarvestOWA*\", \"*Invoke-UsernameHarvestOWA*\",\"*Invoke-OpenInboxFinder*\",\"*Invoke-InjectGEventAPI*\",\"*Invoke-InjectGEvent*\",\"*Invoke-SearchGmail*\", \"*Invoke-MonitorCredSniper*\", \"*Invoke-AddGmailRule*\",\"*Invoke-PasswordSprayEAS*\",\"*Invoke-UsernameHarvestEAS*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mailsniper_invoke_functions_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event.", "known_false_positives": "unknown", "references": ["https://www.blackhillsinfosec.com/introducing-mailsniper-a-tool-for-searching-every-users-email-for-sensitive-data/"], "tags": {"name": "Mailsniper Invoke functions", "analytic_story": ["Data Exfiltration"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "mailsniper.ps1 functions $ScriptBlockText$ executed on a $Computer$ by user $user$.", "mitre_attack_id": ["T1114", "T1114.001"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1114.001", "mitre_attack_technique": "Local Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "Chimera", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "mailsniper_invoke_functions_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/mailsniper_invoke_functions.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Malicious InProcServer32 Modification", "id": "127c8d08-25ff-11ec-9223-acde48001122", "version": 1, "date": "2021-10-05", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a process modifying the registry with a known malicious CLSID under InProcServer32. Most COM classes are registered with the operating system and are identified by a GUID that represents the Class Identifier (CLSID) within the registry (usually under HKLM\\\\Software\\\\Classes\\\\CLSID or HKCU\\\\Software\\\\Classes\\\\CLSID). Behind the implementation of a COM class is the server (some binary) that is referenced within registry keys under the CLSID. The LocalServer32 key represents a path to an executable (exe) implementation, and the InprocServer32 key represents a path to a dynamic link library (DLL) implementation (Bohops). During triage, review parallel processes for suspicious activity. Pivot on the process GUID to see the full timeline of events. Analyze the value and look for file modifications. Being this is looking for inprocserver32, a DLL found in the value will most likely be loaded by a parallel process.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by _time Processes.process_id Processes.process_name Processes.dest Processes.process_guid Processes.user | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\CLSID\\\\{89565275-A714-4a43-912E-978B935EDCCC}\\\\InProcServer32\\\\(Default)\" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.dest Registry.process_guid Registry.user | `drop_dm_object_name(Registry)` | fields _time dest registry_path registry_key_name registry_value_name process_name process_path process process_guid user] | stats count min(_time) as firstTime max(_time) as lastTime by dest, process_name registry_path registry_key_name registry_value_name user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_inprocserver32_modification_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited, filter as needed. In our test case, Remcos used regsvr32.exe to modify the registry. It may be required, dependent upon the EDR tool producing registry events, to remove (Default) from the command-line.", "references": ["https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/", "https://tria.ge/210929-ap75vsddan", "https://www.virustotal.com/gui/file/cb77b93150cb0f7fe65ce8a7e2a5781e727419451355a7736db84109fa215a89"], "tags": {"name": "Malicious InProcServer32 Modification", "analytic_story": ["Suspicious Regsvr32 Activity", "Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "The $process_name$ was identified on endpoint $dest$ modifying the registry with a known malicious clsid under InProcServer32.", "mitre_attack_id": ["T1218.010", "T1112"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "process_name", "registry_path", "registry_key_name", "registry_value_name", "user"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "malicious_inprocserver32_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/malicious_inprocserver32_modification.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Malicious Powershell Executed As A Service", "id": "8e204dfd-cae0-4ea8-a61d-e972a1ff2ff8", "version": 1, "date": "2021-04-07", "author": "Ryan Becwar", "type": "TTP", "status": "production", "description": "This detection is to identify the abuse the Windows SC.exe to execute malicious commands or payloads via PowerShell.", "data_source": ["Sysmon Event ID 7"], "search": " `wineventlog_system` EventCode=7045 | eval l_Service_File_Name=lower(Service_File_Name) | regex l_Service_File_Name=\"powershell[.\\s]|powershell_ise[.\\s]|pwsh[.\\s]|psexec[.\\s]\" | regex l_Service_File_Name=\"-nop[rofile\\s]+|-w[indowstyle]*\\s+hid[den]*|-noe[xit\\s]+|-enc[odedcommand\\s]+\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Service_File_Name Service_Name Service_Start_Type Service_Type Service_Account user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_powershell_executed_as_a_service_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows System logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.", "known_false_positives": "Creating a hidden powershell service is rare and could key off of those instances.", "references": ["https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf", "http://az4n6.blogspot.com/2017/", "https://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier"], "tags": {"name": "Malicious Powershell Executed As A Service", "analytic_story": ["Malicious Powershell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Installation"], "message": "Identifies the abuse the Windows SC.exe to execute malicious powerShell as a service $Service_File_Name$ by $user$ on $dest$", "mitre_attack_id": ["T1569", "T1569.002"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["EventCode", "Service_File_Name", "Service_Type", "_time", "Service_Name", "Service_Start_Type", "Service_Account", "user"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/atomic_red_team/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "malicious_powershell_executed_as_a_service_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/malicious_powershell_executed_as_a_service.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Malicious PowerShell Process - Encoded Command", "id": "c4db14d9-7909-48b4-a054-aa14d89dbb19", "version": 7, "date": "2022-01-18", "author": "David Dorsey, Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies the use of the EncodedCommand PowerShell parameter. This is typically used by Administrators to run complex scripts, but commonly used by adversaries to hide their code. \\\nThe analytic identifies all variations of EncodedCommand, as PowerShell allows the ability to shorten the parameter. For example enc, enco, encod and so forth. In addition, through our research it was identified that PowerShell will interpret different command switch types beyond the hyphen. We have added endash, emdash, horizontal bar, and forward slash. \\\nDuring triage, review parallel events to determine legitimacy. Tune as needed based on admin scripts in use. \\\nAlternatively, may use regex per matching here https://regexr.com/662ov.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/|–|—|―]e(nc*o*d*e*d*c*o*m*m*a*n*d*)*\\s+[^-]\") | `malicious_powershell_process___encoded_command_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "System administrators may use this option, but it's not common.", "references": ["https://regexr.com/662ov", "https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1059.001_PowerShell/OutPowerShellCommandLineParameter.ps1", "https://ss64.com/ps/powershell.html", "https://twitter.com/M_haggis/status/1440758396534214658?s=20", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"name": "Malicious PowerShell Process - Encoded Command", "analytic_story": ["Hermetic Wiper", "Malicious PowerShell", "NOBELIUM Group", "WhisperGate", "DarkCrystal RAT", "Qakbot", "CISA AA22-320A", "Sandworm Tools", "Data Destruction", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Powershell.exe running potentially malicious encodede commands on $dest$", "mitre_attack_id": ["T1027"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.user", "Processes.parent_process_name", "Processes.dest", "Processes.process_id"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "malicious_powershell_process___encoded_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/malicious_powershell_process___encoded_command.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "id": "9be56c82-b1cc-4318-87eb-d138afaaca39", "version": 5, "date": "2020-07-21", "author": "Rico Valdez, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This search looks for PowerShell processes started with parameters used to bypass the local execution policy for scripts. These parameters are often observed in attacks leveraging PowerShell scripts as they override the default PowerShell execution policy.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process_id) as process_id, values(Processes.parent_process_id) as parent_process_id values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process=\"* -ex*\" OR Processes.process=\"* bypass *\") by Processes.process_id, Processes.user, Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_powershell_process___execution_policy_bypass_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "There may be legitimate reasons to bypass the PowerShell execution policy. The PowerShell script being run with this parameter should be validated to ensure that it is legitimate.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"name": "Malicious PowerShell Process - Execution Policy Bypass", "analytic_story": ["DHS Report TA18-074A", "HAFNIUM Group", "DarkCrystal RAT", "AsyncRAT", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Installation"], "message": "PowerShell local execution policy bypass attempt on $dest$", "mitre_attack_id": ["T1059", "T1059.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/encoded_powershell/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "malicious_powershell_process___execution_policy_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Malicious PowerShell Process With Obfuscation Techniques", "id": "cde75cf6-3c7a-4dd6-af01-27cdb4511fd4", "version": 5, "date": "2023-04-14", "author": "David Dorsey, Splunk", "type": "TTP", "status": "production", "description": "This search looks for PowerShell processes launched with arguments that have characters indicative of obfuscation on the command-line.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.dest Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| eval num_obfuscation = (mvcount(split(process,\"`\"))-1) + (mvcount(split(process, \"^\"))-1) + (mvcount(split(process, \"'\"))-1) | `malicious_powershell_process_with_obfuscation_techniques_filter` | search num_obfuscation > 10 ", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "These characters might be legitimately on the command-line, but it is not common.", "references": [], "tags": {"name": "Malicious PowerShell Process With Obfuscation Techniques", "analytic_story": ["Malicious PowerShell", "Hermetic Wiper", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Installation"], "message": "Powershell.exe running with potential obfuscated arguments on $dest$", "mitre_attack_id": ["T1059", "T1059.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/obfuscated_powershell/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "malicious_powershell_process_with_obfuscation_techniques_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "id": "13bbd574-83ac-11ec-99d4-acde48001122", "version": 1, "date": "2022-02-01", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic looks for the use of Mimikatz command line parameters leveraged to execute pass the ticket attacks. Red teams and adversaries alike may use the pass the ticket technique using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Defenders should be aware that adversaries may customize the source code of Mimikatz and modify the command line parameters. This would effectively bypass this analytic.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process = \"*sekurlsa::tickets /export*\" OR Processes.process = \"*kerberos::ptt*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mimikatz_passtheticket_commandline_parameters_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Although highly unlikely, legitimate applications may use the same command line parameters as Mimikatz.", "references": ["https://github.com/gentilkiwi/mimikatz", "https://attack.mitre.org/techniques/T1550/003/"], "tags": {"name": "Mimikatz PassTheTicket CommandLine Parameters", "analytic_story": ["Active Directory Kerberos Attacks", "CISA AA22-320A", "Sandworm Tools"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "Mimikatz command line parameters for pass the ticket attacks were used on $dest$", "mitre_attack_id": ["T1550", "T1550.003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id", "Processes.parent_process_name"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1550.003", "mitre_attack_technique": "Pass the Ticket", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT29", "APT32", "BRONZE BUTLER"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.003/mimikatz/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "mimikatz_passtheticket_commandline_parameters_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Mmc LOLBAS Execution Process Spawn", "id": "f6601940-4c74-11ec-b9b7-3e22fbd008af", "version": 1, "date": "2021-11-23", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies `mmc.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the DCOM protocol and the MMC20 COM object, the executed command is spawned as a child processs of `mmc.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of mmc.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=mmc.exe) (Processes.process_name IN (\"Regsvcs.exe\", \"Ftp.exe\", \"OfflineScannerShell.exe\", \"Rasautou.exe\", \"Schtasks.exe\", \"Xwizard.exe\", \"Dllhost.exe\", \"Pnputil.exe\", \"Atbroker.exe\", \"Pcwrun.exe\", \"Ttdinject.exe\",\"Mshta.exe\", \"Bitsadmin.exe\", \"Certoc.exe\", \"Ieexec.exe\", \"Microsoft.Workflow.Compiler.exe\", \"Runscripthelper.exe\", \"Forfiles.exe\", \"Msbuild.exe\", \"Register-cimprovider.exe\", \"Tttracer.exe\", \"Ie4uinit.exe\", \"Bash.exe\", \"Hh.exe\", \"SettingSyncHost.exe\", \"Cmstp.exe\", \"Mmc.exe\", \"Stordiag.exe\", \"Scriptrunner.exe\", \"Odbcconf.exe\", \"Extexport.exe\", \"Msdt.exe\", \"WorkFolders.exe\", \"Diskshadow.exe\", \"Mavinject.exe\", \"Regasm.exe\", \"Gpscript.exe\", \"Rundll32.exe\", \"Regsvr32.exe\", \"Msiexec.exe\", \"Wuauclt.exe\", \"Presentationhost.exe\", \"Wmic.exe\", \"Runonce.exe\", \"Syncappvpublishingserver.exe\", \"Verclsid.exe\", \"Infdefaultinstall.exe\", \"Explorer.exe\", \"Installutil.exe\", \"Netsh.exe\", \"Wab.exe\", \"Dnscmd.exe\", \"At.exe\", \"Pcalua.exe\", \"Msconfig.exe\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mmc_lolbas_execution_process_spawn_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints.", "known_false_positives": "Legitimate applications may trigger this behavior, filter as needed.", "references": ["https://attack.mitre.org/techniques/T1021/003/", "https://www.cybereason.com/blog/dcom-lateral-movement-techniques", "https://lolbas-project.github.io/"], "tags": {"name": "Mmc LOLBAS Execution Process Spawn", "analytic_story": ["Active Directory Lateral Movement", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "Mmc.exe spawned a LOLBAS process on $dest$.", "mitre_attack_id": ["T1021", "T1021.003", "T1218.014"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/lateral_movement_lolbas/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "mmc_lolbas_execution_process_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/mmc_lolbas_execution_process_spawn.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Modification Of Wallpaper", "id": "accb0712-c381-11eb-8e5b-acde48001122", "version": 1, "date": "2021-06-02", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies suspicious modification of registry to deface or change the wallpaper of a compromised machines as part of its payload. This technique was commonly seen in ransomware like REVIL where it create a bitmap file contain a note that the machine was compromised and make it as a wallpaper.", "data_source": [], "search": "`sysmon` EventCode =13 (TargetObject= \"*\\\\Control Panel\\\\Desktop\\\\Wallpaper\" AND Image != \"*\\\\explorer.exe\") OR (TargetObject= \"*\\\\Control Panel\\\\Desktop\\\\Wallpaper\" AND Details = \"*\\\\temp\\\\*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Image TargetObject Details Computer process_guid process_id user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `modification_of_wallpaper_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Image, TargetObject registry key, registry Details from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "3rd party tool may used to changed the wallpaper of the machine", "references": ["https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/", "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/"], "tags": {"name": "Modification Of Wallpaper", "analytic_story": ["Ransomware", "Revil Ransomware", "BlackMatter Ransomware", "Windows Registry Abuse", "Brute Ratel C4", "LockBit Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Actions on Objectives"], "message": "Wallpaper modification on $dest$", "mitre_attack_id": ["T1491"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Image", "TargetObject", "Details", "Computer", "process_guid", "process_id", "user_id"], "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/revil/inf1/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "modification_of_wallpaper_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/modification_of_wallpaper.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Modify ACL permission To Files Or Folder", "id": "7e8458cc-acca-11eb-9e3f-acde48001122", "version": 2, "date": "2022-03-17", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic identifies suspicious modification of ACL permission to a files or folder to make it available to everyone. This technique may be used by the adversary to evade ACLs or protected files access. This changes is commonly configured by the file or directory owner with appropriate permission. This behavior is a good indicator if this command seen on a machine utilized by an account with no permission to do so.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = \"cacls.exe\" OR Processes.process_name = \"icacls.exe\" OR Processes.process_name = \"xcacls.exe\") AND Processes.process = \"*/G*\" AND (Processes.process = \"* everyone:*\" OR Processes.process = \"* SYSTEM:*\" OR Processes.process = \"* S-1-1-0:*\") by Processes.parent_process_name Processes.process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `modify_acl_permission_to_files_or_folder_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed cacls.exe may be used.", "known_false_positives": "administrators may use this command. Filter as needed.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"name": "Modify ACL permission To Files Or Folder", "analytic_story": ["XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 40, "kill_chain_phases": ["Exploitation"], "message": "Suspicious ACL permission modification on $dest$", "mitre_attack_id": ["T1222"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.parent_process_name", "Processes.process_name", "Processes.dest", "Processes.user", "Processes.process", "Processes.process_id"], "risk_score": 32, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "modify_acl_permission_to_files_or_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/modify_acl_permission_to_files_or_folder.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Monitor Registry Keys for Print Monitors", "id": "f5f6af30-7ba7-4295-bfe9-07de87c01bbc", "version": 5, "date": "2023-04-27", "author": "Steven Dick, Bhavin Patel, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search looks for registry activity associated with modifications to the registry key `HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors`. In this scenario, an attacker can load an arbitrary .dll into the print-monitor registry by giving the full path name to the after.dll. The system will execute the .dll with elevated (SYSTEM) permissions and will persist after reboot.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.action=modified AND Registry.registry_path=\"*CurrentControlSet\\\\Control\\\\Print\\\\Monitors*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `monitor_registry_keys_for_print_monitors_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "You will encounter noise from legitimate print-monitor registry entries.", "references": [], "tags": {"name": "Monitor Registry Keys for Print Monitors", "analytic_story": ["Suspicious Windows Registry Activities", "Windows Persistence Techniques", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "New print monitor added on $dest$", "mitre_attack_id": ["T1547.010", "T1547"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.010", "mitre_attack_technique": "Port Monitors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.010/atomic_red_team/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "monitor_registry_keys_for_print_monitors_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/monitor_registry_keys_for_print_monitors.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "MS Exchange Mailbox Replication service writing Active Server Pages", "id": "985f322c-57a5-11ec-b9ac-acde48001122", "version": 1, "date": "2021-12-07", "author": "Michael Haag, Splunk", "type": "TTP", "status": "experimental", "description": "The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell. Paths include: `\\HttpProxy\\owa\\auth\\`, `\\inetpub\\wwwroot\\aspnet_client\\`, and `\\HttpProxy\\OAB\\`. The analytic is limited to process name MSExchangeMailboxReplication.exe, which typically does not write .aspx files to disk. Upon triage, the suspicious .aspx file will likely look obvious on the surface. inspect the contents for script code inside. Identify additional log sources, IIS included, to review source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically analytics to detect those threats are written without the benefit of being able to only target those systems as well. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the exchange server is communicating with new systems that it has not previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise allowing the hunter to focus only on the systems where this behavioral change is relevant.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=MSExchangeMailboxReplication.exe by _time span=1h Processes.process_id Processes.process_name Processes.process_guid Processes.dest | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\HttpProxy\\\\owa\\\\auth\\\\*\", \"*\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\", \"*\\\\HttpProxy\\\\OAB\\\\*\") Filesystem.file_name=\"*.aspx\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process process_guid] | dedup file_create_time | table dest file_create_time, file_name, file_path, process_name | `ms_exchange_mailbox_replication_service_writing_active_server_pages_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node.", "known_false_positives": "The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product.", "references": ["https://redcanary.com/blog/blackbyte-ransomware/"], "tags": {"name": "MS Exchange Mailbox Replication service writing Active Server Pages", "analytic_story": ["ProxyShell", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Installation", "Delivery"], "message": "A file - $file_name$ was written to disk that is related to IIS exploitation related to ProxyShell. Review further file modifications on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1505", "T1505.003", "T1190", "T1133"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_name", "type": "File Name", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.file_path", "Filesystem.process_id", "Filesystem.file_name", "Filesystem.file_hash", "Filesystem.user", "Filesystem.process_guid", "Processes.process_name", "Processes.process_id", "Processes.process_name", "Processes.process_guid"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "ms_exchange_mailbox_replication_service_writing_active_server_pages_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/ms_exchange_mailbox_replication_service_writing_active_server_pages.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "MS Scripting Process Loading Ldap Module", "id": "0b0c40dc-14a6-11ec-b267-acde48001122", "version": 1, "date": "2021-09-13", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This search is to detect a suspicious MS scripting process such as wscript.exe or cscript.exe that loading ldap module to process ldap query. This behavior was seen in FIN7 implant where it uses javascript to execute ldap query to parse host information that will send to its C2 server. this anomaly detections is a good initial step to hunt further a suspicious ldap query or ldap related events to the host that may give you good information regarding ldap or AD information processing or might be a attacker.", "data_source": [], "search": "`sysmon` EventCode =7 Image IN (\"*\\\\wscript.exe\", \"*\\\\cscript.exe\") ImageLoaded IN (\"*\\\\Wldap32.dll\", \"*\\\\adsldp.dll\", \"*\\\\adsldpc.dll\") | stats min(_time) as firstTime max(_time) as lastTime count by Image EventCode process_name ProcessId ProcessGuid Computer ImageLoaded | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ms_scripting_process_loading_ldap_module_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "automation scripting language may used by network operator to do ldap query.", "references": ["https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation", "https://attack.mitre.org/groups/G0046/"], "tags": {"name": "MS Scripting Process Loading Ldap Module", "analytic_story": ["FIN7"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Installation"], "message": "$process_name$ loading ldap modules $ImageLoaded$ in $dest$", "mitre_attack_id": ["T1059", "T1059.007"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "EventCode", "process_name", "ProcessId", "ProcessGuid", "Computer", "ImageLoaded"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_js_2/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "ms_scripting_process_loading_ldap_module_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/ms_scripting_process_loading_ldap_module.yml", "source": "endpoint"}, {"name": "MS Scripting Process Loading WMI Module", "id": "2eba3d36-14a6-11ec-a682-acde48001122", "version": 1, "date": "2021-09-13", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This search is to detect a suspicious MS scripting process such as wscript.exe or cscript.exe that loading wmi module to process wmi query. This behavior was seen in FIN7 implant where it uses javascript to execute wmi query to parse host information that will send to its C2 server. this anomaly detections is a good initial step to hunt further a suspicious wmi query or wmi related events to the host that may give you good information regarding process that are commonly using wmi query or modules or might be an attacker using this technique.", "data_source": [], "search": "`sysmon` EventCode =7 Image IN (\"*\\\\wscript.exe\", \"*\\\\cscript.exe\") ImageLoaded IN (\"*\\\\fastprox.dll\", \"*\\\\wbemdisp.dll\", \"*\\\\wbemprox.dll\", \"*\\\\wbemsvc.dll\" , \"*\\\\wmiutils.dll\", \"*\\\\wbemcomn.dll\") | stats min(_time) as firstTime max(_time) as lastTime count by Image EventCode process_name ProcessId ProcessGuid Computer ImageLoaded | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ms_scripting_process_loading_wmi_module_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "automation scripting language may used by network operator to do ldap query.", "references": ["https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation", "https://attack.mitre.org/groups/G0046/"], "tags": {"name": "MS Scripting Process Loading WMI Module", "analytic_story": ["FIN7"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Installation"], "message": "$process_name$ loading wmi modules $ImageLoaded$ in $dest$", "mitre_attack_id": ["T1059", "T1059.007"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "EventCode", "process_name", "ProcessId", "ProcessGuid", "Computer", "ImageLoaded"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_js_2/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "ms_scripting_process_loading_wmi_module_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/ms_scripting_process_loading_wmi_module.yml", "source": "endpoint"}, {"name": "MSBuild Suspicious Spawned By Script Process", "id": "213b3148-24ea-11ec-93a2-acde48001122", "version": 1, "date": "2021-10-04", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to detect a suspicious child process of MSBuild spawned by Windows Script Host - cscript or wscript. This behavior or event are commonly seen and used by malware or adversaries to execute malicious msbuild process using malicious script in the compromised host. During triage, review parallel processes and identify any file modifications. MSBuild may load a script from the same path without having command-line arguments.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"wscript.exe\", \"cscript.exe\") AND `process_msbuild` by Processes.dest Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `msbuild_suspicious_spawned_by_script_process_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited as developers do not spawn MSBuild via a WSH.", "references": ["https://app.any.run/tasks/dc93ee63-050c-4ff8-b07e-8277af9ab939/"], "tags": {"name": "MSBuild Suspicious Spawned By Script Process", "analytic_story": ["Trusted Developer Utilities Proxy Execution MSBuild"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Msbuild.exe process spawned by $parent_process_name$ on $dest$ executed by $user$", "mitre_attack_id": ["T1127.001", "T1127"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.parent_process", "Processes.parent_process_name", "Processes.process_name", "Processes.original_file_name", "Processes.user"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/regsvr32_silent/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_msbuild", "definition": "(Processes.process_name=msbuild.exe OR Processes.original_file_name=MSBuild.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "msbuild_suspicious_spawned_by_script_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Mshta spawning Rundll32 OR Regsvr32 Process", "id": "4aa5d062-e893-11eb-9eb2-acde48001122", "version": 2, "date": "2021-07-19", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious mshta.exe process that spawn rundll32 or regsvr32 child process. This technique was seen in several malware nowadays like trickbot to load its initial .dll stage loader to execute and download the the actual trickbot payload.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = \"mshta.exe\" `process_rundll32` OR `process_regsvr32` by Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `mshta_spawning_rundll32_or_regsvr32_process_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "limitted. this anomaly behavior is not commonly seen in clean host.", "references": ["https://twitter.com/cyb3rops/status/1416050325870587910?s=21"], "tags": {"name": "Mshta spawning Rundll32 OR Regsvr32 Process", "analytic_story": ["Trickbot", "IcedID", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "a mshta parent process $parent_process_name$ spawn child process $process_name$ in host $dest$", "mitre_attack_id": ["T1218", "T1218.005"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/spear_phish/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_regsvr32", "definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "mshta_spawning_rundll32_or_regsvr32_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "MSHTML Module Load in Office Product", "id": "5f1c168e-118b-11ec-84ff-acde48001122", "version": 5, "date": "2023-02-15", "author": "Michael Haag, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following detection identifies the module load of mshtml.dll into an Office product. This behavior has been related to CVE-2021-40444, whereas the malicious document will load ActiveX, which activates the MSHTML component. The vulnerability resides in the MSHTML component. During triage, identify parallel processes and capture any file modifications for analysis.", "data_source": ["Sysmon Event ID 7"], "search": "`sysmon` EventID=7 parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"wordpad.exe\",\"wordview.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\", \"msaccess.exe\") ImageLoaded IN (\"*\\\\mshtml.dll\", \"*\\\\Microsoft.mshtml.dll\",\"*\\\\IE.Interop.MSHTML.dll\",\"*\\\\MshtmlDac.dll\",\"*\\\\MshtmlDed.dll\",\"*\\\\MshtmlDer.dll\") | stats count min(_time) as firstTime max(_time) as lastTime by Computer, process_name, ImageLoaded, OriginalFileName, ProcessGuid | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mshtml_module_load_in_office_product_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process names and image loads from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Limited false positives will be present, however, tune as necessary.", "references": ["https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://strontic.github.io/xcyclopedia/index-dll", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"name": "MSHTML Module Load in Office Product", "analytic_story": ["Spearphishing Attachments", "Microsoft MSHTML Remote Code Execution CVE-2021-40444"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Delivery"], "message": "An instance of $process_name$ was identified on endpoint $dest$ loading mshtml.dll.", "mitre_attack_id": ["T1566", "T1566.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ImageLoaded", "process_name", "OriginalFileName", "process_id", "dest"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "cve": ["CVE-2021-40444"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_mshtml.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "mshtml_module_load_in_office_product_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-40444", "cvss": 6.8, "summary": "Microsoft MSHTML Remote Code Execution Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/mshtml_module_load_in_office_product.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "MSI Module Loaded by Non-System Binary", "id": "ccb98a66-5851-11ec-b91c-acde48001122", "version": 1, "date": "2023-04-14", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following hunting analytic identifies `msi.dll` being loaded by a binary not located in `system32`, `syswow64`, `winsxs` or `windows` paths. This behavior is most recently related to InstallerFileTakeOver, or CVE-2021-41379, and DLL side-loading. CVE-2021-41379 requires a binary to be dropped and `msi.dll` to be loaded by it. To Successful exploitation of this issue happens in four parts \\\n1. Generation of an MSI that will trigger bad behavior. \\\n1. Preparing a directory for MSI installation. \\\n1. Inducing an error state. \\\n1. Racing to introduce a junction and a symlink to trick msiexec.exe to modify the attacker specified file. \\\nIn addition, `msi.dll` has been abused in DLL side-loading attacks by being loaded by non-system binaries.", "data_source": ["Sysmon Event ID 7"], "search": "`sysmon` EventCode=7 ImageLoaded=\"*\\\\msi.dll\" NOT (Image IN (\"*\\\\System32\\\\*\",\"*\\\\syswow64\\\\*\",\"*\\\\windows\\\\*\", \"*\\\\winsxs\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name Computer EventCode ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `msi_module_loaded_by_non_system_binary_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "It is possible some Administrative utilities will load msi.dll outside of normal system paths, filter as needed.", "references": ["https://attackerkb.com/topics/7LstI2clmF/cve-2021-41379/rapid7-analysis", "https://github.com/klinix5/InstallerFileTakeOver", "https://github.com/mandiant/red_team_tool_countermeasures/blob/master/rules/PGF/supplemental/hxioc/msi.dll%20Hijack%20(Methodology).ioc"], "tags": {"name": "MSI Module Loaded by Non-System Binary", "analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "message": "The following module $ImageLoaded$ was loaded by $Image$ outside of the normal system paths on endpoint $Computer$, potentally related to DLL side-loading.", "mitre_attack_id": ["T1574.002", "T1574"], "nist": ["DE.AE"], "observable": [{"name": "process_name", "type": "Process Name", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "ImageLoaded", "process_name", "Computer", "EventCode", "ProcessId"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "cve": ["CVE-2021-41379"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Earth Lusca", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/msi_module_load/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "msi_module_loaded_by_non_system_binary_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-41379", "cvss": 4.6, "summary": "Windows Installer Elevation of Privilege Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/msi_module_loaded_by_non_system_binary.yml", "source": "endpoint"}, {"name": "Msmpeng Application DLL Side Loading", "id": "8bb3f280-dd9b-11eb-84d5-acde48001122", "version": 3, "date": "2023-03-15", "author": "Teoderick Contreras, Splunk, Sanjay Govind", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious creation of msmpeng.exe or mpsvc.dll in non default windows defender folder. This technique was seen couple days ago with revil ransomware in Kaseya Supply chain. The approach is to drop an old version of msmpeng.exe to load the actual payload name as mspvc.dll which will load the revil ransomware to the compromise machine", "data_source": ["Sysmon Event ID 11"], "search": "|tstats `security_content_summariesonly` values(Filesystem.file_path) as file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name = \"msmpeng.exe\" OR Filesystem.file_name = \"mpsvc.dll\") AND NOT (Filesystem.file_path IN (\"*\\\\Program Files\\\\windows defender\\\\*\",\"*\\\\WinSxS\\\\*defender-service*\",\"*\\\\WinSxS\\\\Temp\\\\*defender-service*\")) by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `msmpeng_application_dll_side_loading_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "quite minimal false positive expected.", "references": ["https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers"], "tags": {"name": "Msmpeng Application DLL Side Loading", "analytic_story": ["Ransomware", "Revil Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "message": "", "mitre_attack_id": ["T1574.002", "T1574"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.file_create_time", "Filesystem.process_id", "Filesystem.file_name", "Filesystem.user", "Filesystem.file_path"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Earth Lusca", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets//malware/revil/msmpeng_side/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "msmpeng_application_dll_side_loading_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/msmpeng_application_dll_side_loading.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Net Localgroup Discovery", "id": "54f5201e-155b-11ec-a6e2-acde48001122", "version": 1, "date": "2023-06-13", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following hunting analytic will identify the use of localgroup discovery using `net localgroup`. During triage, review parallel processes and identify any further suspicious behavior.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=net.exe OR Processes.process_name=net1.exe (Processes.process=\"*localgroup*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `net_localgroup_discovery_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present. Tune as needed.", "references": ["https://attack.mitre.org/techniques/T1069/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"name": "Net Localgroup Discovery", "analytic_story": ["Prestige Ransomware", "Volt Typhoon", "Graceful Wipe Out Attack", "IcedID", "Windows Discovery Techniques", "Windows Post-Exploitation", "Azorult", "Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Local group discovery on $dest$ by $user$.", "mitre_attack_id": ["T1069", "T1069.001"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "admin@338"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "net_localgroup_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/net_localgroup_discovery.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "NET Profiler UAC bypass", "id": "0252ca80-e30d-11eb-8aa3-acde48001122", "version": 2, "date": "2022-02-18", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect modification of registry to bypass UAC windows feature. This technique is to add a payload dll path on .NET COR file path that will be loaded by mmc.exe as soon it was executed. This detection rely on monitoring the registry key and values in the detection area. It may happened that windows update some dll related to mmc.exe and add dll path in this registry. In this case filtering is needed.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Environment\\\\COR_PROFILER_PATH\" Registry.registry_value_data = \"*.dll\" by Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `net_profiler_uac_bypass_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "limited false positive. It may trigger by some windows update that will modify this registry.", "references": ["https://offsec.almond.consulting/UAC-bypass-dotnet.html"], "tags": {"name": "NET Profiler UAC bypass", "analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Suspicious modification of registry $registry_path$ with possible payload path $registry_value_name$ in $dest$", "mitre_attack_id": ["T1548.002", "T1548"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_path", "Registry.registry_key_name", "Registry.registry_value_name", "Registry.dest"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/uac_bypass/windows-sysmon2.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "net_profiler_uac_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/net_profiler_uac_bypass.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Network Connection Discovery With Arp", "id": "ae008c0f-83bd-4ed4-9350-98d4328e15d2", "version": 1, "date": "2021-09-10", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `arp.exe` utilized to get a listing of network connections on a compromised system. Red Teams and adversaries alike may use arp.exe for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"arp.exe\") (Processes.process=*-a*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_connection_discovery_with_arp_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1049/", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"name": "Network Connection Discovery With Arp", "analytic_story": ["Active Directory Discovery", "Qakbot", "Windows Post-Exploitation", "Prestige Ransomware", "Volt Typhoon", "IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Network Connection discovery on $dest$ by $user$", "mitre_attack_id": ["T1049"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1049/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "network_connection_discovery_with_arp_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/network_connection_discovery_with_arp.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Network Connection Discovery With Net", "id": "640337e5-6e41-4b7f-af06-9d9eab5e1e2d", "version": 1, "date": "2021-09-10", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `net.exe` with command-line arguments utilized to get a listing of network connections on a compromised system. Red Teams and adversaries alike may use net.exe for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"net.exe\" OR Processes.process_name=\"net1.exe\") (Processes.process=*use*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_connection_discovery_with_net_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1049/"], "tags": {"name": "Network Connection Discovery With Net", "analytic_story": ["Active Directory Discovery", "Azorult", "Windows Post-Exploitation", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Network Connection discovery on $dest$ by $user$", "mitre_attack_id": ["T1049"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1049/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "network_connection_discovery_with_net_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/network_connection_discovery_with_net.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Network Connection Discovery With Netstat", "id": "2cf5cc25-f39a-436d-a790-4857e5995ede", "version": 1, "date": "2021-09-10", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `netstat.exe` with command-line arguments utilized to get a listing of network connections on a compromised system. Red Teams and adversaries alike may use netstat.exe for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"netstat.exe\") (Processes.process=*-a*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_connection_discovery_with_netstat_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1049/", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"name": "Network Connection Discovery With Netstat", "analytic_story": ["Active Directory Discovery", "Qakbot", "CISA AA22-277A", "Windows Post-Exploitation", "Prestige Ransomware", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Network Connection discovery on $dest$ by $user$", "mitre_attack_id": ["T1049"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1049/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "network_connection_discovery_with_netstat_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/network_connection_discovery_with_netstat.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Network Discovery Using Route Windows App", "id": "dd83407e-439f-11ec-ab8e-acde48001122", "version": 1, "date": "2021-11-12", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "This analytic look for a spawned process of route.exe windows application. Adversaries and red teams alike abuse this application the recon or do a network discovery on a target host. but one possible false positive might be an automated tool used by a system administator or a powershell script in amazon ec2 config services.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_route` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_discovery_using_route_windows_app_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "A network operator or systems administrator may utilize an automated host discovery application that may generate false positives or an amazon ec2 script that uses this application. Filter as needed.", "references": ["https://app.any.run/tasks/ad4c3cda-41f2-4401-8dba-56cc2d245488/"], "tags": {"name": "Network Discovery Using Route Windows App", "analytic_story": ["Active Directory Discovery", "Qakbot", "CISA AA22-277A", "Windows Post-Exploitation", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Network Connection discovery on $dest$ by $user$", "mitre_attack_id": ["T1016", "T1016.001"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016.001", "mitre_attack_technique": "Internet Connection Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Gamaredon Group", "HAFNIUM", "HEXANE", "Magic Hound", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/vilsel/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "WinEventLog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_route", "definition": "(Processes.process_name=route.exe OR Processes.original_file_name=route.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "network_discovery_using_route_windows_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/network_discovery_using_route_windows_app.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Network Share Discovery Via Dir Command", "id": "dc1457d0-1d9b-422e-b5a7-db46c184d9aa", "version": 1, "date": "2023-05-23", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies object access on Windows administrative SMB shares (Admin$, IPC$, C$). This represents suspicious behavior as its commonly used by tools like PsExec/PaExec and others to stage service binaries before creating and starting a Windows service on remote endpoints. Red Teams and adversaries alike may abuse administrative shares for lateral movement and remote code execution. The IcedID malware family also implements this behavior to try to infect other machines in the infected network.", "data_source": ["Windows Security 5140"], "search": "`wineventlog_security` EventCode=5140 ShareName IN(\"\\\\\\\\*\\\\ADMIN$\",\"\\\\\\\\*\\\\C$\",\"*\\\\\\\\*\\\\IPC$\") AccessMask= 0x1 | stats min(_time) as firstTime max(_time) as lastTime count by ShareName IpAddress ObjectType SubjectUserName SubjectDomainName IpPort AccessMask Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_share_discovery_via_dir_command_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 5140 EventCode enabled. The Windows TA is also required. Also enable the object Audit access success/failure in your group policy.", "known_false_positives": "System Administrators may use looks like net.exe or \"dir commandline\" for troubleshooting or administrations tasks. However, this will typically come only from certain users and certain systems that can be added to an allow list.", "references": ["https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"name": "Network Share Discovery Via Dir Command", "analytic_story": ["IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "$user$ list executable files or directory in known sensitive SMB share. Share name=$Share_Name$, Access mask=$Access_Mask$", "mitre_attack_id": ["T1135"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ShareName", "IpAddress", "ObjectType", "SubjectUserName", "SubjectDomainName", "IpPort", "AccessMask", "Computer"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "atomic_guid": ["13daa2cf-195a-43df-a8bd-7dd5ffb607b5"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/net_share_discovery_via_dir/smb_access_security_xml.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "network_share_discovery_via_dir_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/network_share_discovery_via_dir_command.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Nishang PowershellTCPOneLine", "id": "1a382c6c-7c2e-11eb-ac69-acde48001122", "version": 2, "date": "2021-03-03", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "This query detects the Nishang Invoke-PowerShellTCPOneLine utility that spawns a call back to a remote Command And Control server. This is a powershell oneliner. In addition, this will capture on the command-line additional utilities used by Nishang. Triage the endpoint and identify any parallel processes that look suspicious. Review the reputation of the remote IP or domain contacted by the powershell process.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process=*Net.Sockets.TCPClient* AND Processes.process=*System.Text.ASCIIEncoding*) by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `nishang_powershelltcponeline_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Limited false positives may be present. Filter as needed based on initial analysis.", "references": ["https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://www.rapid7.com/blog/post/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/"], "tags": {"name": "Nishang PowershellTCPOneLine", "analytic_story": ["HAFNIUM Group"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Installation"], "message": "Possible Nishang Invoke-PowerShellTCPOneLine behavior on $dest$", "mitre_attack_id": ["T1059", "T1059.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "nishang_powershelltcponeline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/nishang_powershelltcponeline.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "NLTest Domain Trust Discovery", "id": "c3e05466-5f22-11eb-ae93-0242ac130002", "version": 2, "date": "2022-04-18", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "This search looks for the execution of `nltest.exe` with command-line arguments utilized to query for Domain Trust information. Two arguments `/domain trusts`, returns a list of trusted domains, and `/all_trusts`, returns all trusted domains. Red Teams and adversaries alike use NLTest.exe to enumerate the current domain to assist with further understanding where to pivot next.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_nltest` (Processes.process=*/domain_trusts* OR Processes.process=*/all_trusts*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `nltest_domain_trust_discovery_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators may use nltest for troubleshooting purposes, otherwise, rarely used.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md", "https://malware.news/t/lets-learn-trickbot-implements-network-collector-module-leveraging-cmd-wmi-ldap/19104", "https://attack.mitre.org/techniques/T1482/", "https://owasp.org/www-pdf-archive/Red_Team_Operating_in_a_Modern_Environment.pdf", "https://ss64.com/nt/nltest.html", "https://redcanary.com/threat-detection-report/techniques/domain-trust-discovery/", "https://thedfirreport.com/2020/10/08/ryuks-return/"], "tags": {"name": "NLTest Domain Trust Discovery", "analytic_story": ["Ryuk Ransomware", "Domain Trust Discovery", "IcedID", "Active Directory Discovery", "Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Domain trust discovery execution on $dest$", "mitre_attack_id": ["T1482"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_nltest", "definition": "(Processes.process_name=nltest.exe OR Processes.original_file_name=nltestrk.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "nltest_domain_trust_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/nltest_domain_trust_discovery.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "id": "81263de4-160a-11ec-944f-acde48001122", "version": 1, "date": "2023-04-25", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This search is to detect an anomaly event of a non-chrome process accessing the files in chrome user default folder. This folder contains all the sqlite database of the chrome browser related to users login, history, cookies and etc. Most of the RAT, trojan spy as well as FIN7 jssloader try to parse the those sqlite database to collect information on the compromised host. This SACL Event (4663) need to be enabled to tthe firefox profile directory to be eable to use this. Since you monitoring this access to the folder, we observed noise that needs to be filter out and hence added sqlite db browser and explorer .exe to make this detection more stable.", "data_source": ["Windows Security 4663"], "search": "`wineventlog_security` EventCode=4663 NOT (process_name IN (\"*\\\\chrome.exe\", \"*\\\\explorer.exe\", \"*sql*\")) Object_Name=\"*\\\\Google\\\\Chrome\\\\User Data\\\\Default*\" | stats count min(_time) as firstTime max(_time) as lastTime by Object_Name Object_Type process_name Access_Mask Accesses process_id EventCode dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `non_chrome_process_accessing_chrome_default_dir_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "other browser not listed related to firefox may catch by this rule.", "references": [], "tags": {"name": "Non Chrome Process Accessing Chrome Default Dir", "analytic_story": ["Remcos", "3CX Supply Chain Attack", "AgentTesla", "RedLine Stealer", "FIN7"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "a non firefox browser process $process_name$ accessing $Object_Name$", "mitre_attack_id": ["T1555", "T1555.003"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Object_Name", "Object_Type", "process_name", "Access_Mask", "Accesses", "process_id", "EventCode", "dest", "user"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_sacl/security2.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "non_chrome_process_accessing_chrome_default_dir_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Non Firefox Process Access Firefox Profile Dir", "id": "e6fc13b0-1609-11ec-b533-acde48001122", "version": 1, "date": "2023-04-25", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This search is to detect an anomaly event of a non-firefox process accessing the files in the profile folder. This folder contains all the sqlite database of the firefox browser related to users login, history, cookies and etc. Most of the RAT, trojan spy as well as FIN7 jssloader try to parse the those sqlite database to collect information on the compromised host. This SACL Event (4663) needs to be enabled to the firefox profile directory to use this. Since this is monitoring the access to the folder, we have obsevered noise and hence added `sqlite db browser` and `explorer.exe` to make this detection more stable.", "data_source": ["Windows Security 4663"], "search": "`wineventlog_security` EventCode=4663 NOT (process_name IN (\"*\\\\firefox.exe\", \"*\\\\explorer.exe\", \"*sql*\")) Object_Name=\"*\\\\AppData\\\\Roaming\\\\Mozilla\\\\Firefox\\\\Profiles*\" | stats count min(_time) as firstTime max(_time) as lastTime by Object_Name Object_Type process_name Access_Mask Accesses process_id EventCode dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `non_firefox_process_access_firefox_profile_dir_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "other browser not listed related to firefox may catch by this rule.", "references": [], "tags": {"name": "Non Firefox Process Access Firefox Profile Dir", "analytic_story": ["Azorult", "Remcos", "3CX Supply Chain Attack", "AgentTesla", "RedLine Stealer", "FIN7"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "a non firefox browser process $process_name$ accessing $Object_Name$", "mitre_attack_id": ["T1555", "T1555.003"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Object_Name", "Object_Type", "process_name", "Access_Mask", "Accesses", "process_id", "EventCode", "dest", "user"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_sacl/security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "non_firefox_process_access_firefox_profile_dir_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Notepad with no Command Line Arguments", "id": "5adbc5f1-9a2f-41c1-a810-f37e015f8179", "version": 1, "date": "2023-02-22", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies behavior related to default SliverC2 framework where it will inject into Notepad.exe and spawn Notepad.exe with no command line arguments. In testing, this is a common procedure for SliverC2 usage, however may be modified or changed. From Microsoft, \"The Sideload, SpawnDll, and Execute-Assembly commands spawn and inject into notepad.exe by default. The following query finds process creation events where the same process creates and injects into notepad.exe within 10 seconds.\"", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=notepad.exe AND Processes.action!=\"blocked\" by host _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(notepad\\.exe.{0,4}$)\" | `notepad_with_no_command_line_arguments_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present and filtering may need to occur based on organization endpoint behavior.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/", "https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors#Purple-Team-Section"], "tags": {"name": "Notepad with no Command Line Arguments", "analytic_story": ["BishopFox Sliver Adversary Emulation Framework"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ with no command line arguments.", "mitre_attack_id": ["T1055"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/sliver/notepad_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "notepad_with_no_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/notepad_with_no_command_line_arguments.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Ntdsutil Export NTDS", "id": "da63bc76-61ae-11eb-ae93-0242ac130002", "version": 1, "date": "2021-01-28", "author": "Michael Haag, Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "Monitor for signs that Ntdsutil is being used to Extract Active Directory database - NTDS.dit, typically used for offline password cracking. It may be used in normal circumstances with no command line arguments or shorthand variations of more common arguments. Ntdsutil.exe is typically seen run on a Windows Server. Typical command used to dump ntds.dit \\\nntdsutil \"ac i ntds\" \"ifm\" \"create full C:\\Temp\" q q \\\nThis technique uses \"Install from Media\" (IFM), which will extract a copy of the Active Directory database. A successful export of the Active Directory database will yield a file modification named ntds.dit to the destination.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=ntdsutil.exe Processes.process=*ntds* Processes.process=*create*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `ntdsutil_export_ntds_filter`", "how_to_implement": "You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints, to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "Highly possible Server Administrators will troubleshoot with ntdsutil.exe, generating false positives.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md#atomic-test-3---dump-active-directory-database-with-ntdsutil", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc753343(v=ws.11)", "https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf", "https://strontic.github.io/xcyclopedia/library/vss_ps.dll-97B15BDAE9777F454C9A6BA25E938DB3.html", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"name": "Ntdsutil Export NTDS", "analytic_story": ["Credential Dumping", "HAFNIUM Group", "Living Off The Land", "Prestige Ransomware", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "Active Directory NTDS export on $dest$", "mitre_attack_id": ["T1003.003", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "ntdsutil_export_ntds_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/ntdsutil_export_ntds.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Office Application Drop Executable", "id": "73ce70c4-146d-11ec-9184-acde48001122", "version": 4, "date": "2023-02-15", "author": "Teoderick Contreras, Michael Haag, Splunk, TheLawsOfChaos, Github", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious MS office application that drops or creates executables or scripts in a Windows Operating System. This behavior is commonly seen in spear phishing office attachment where it drop malicious files or script to compromised the host. It might be some normal macro may drop script or tools as part of automation but still this behavior is reallly suspicious and not commonly seen in normal office application", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"wordpad.exe\",\"wordview.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\") by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` |join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*.exe\",\"*.dll\",\"*.pif\",\"*.scr\",\"*.js\",\"*.vbs\",\"*.vbe\",\"*.ps1\") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process process_guid] | dedup file_create_time | table dest, process_name, process, file_create_time, file_name, file_path, process_guid | `office_application_drop_executable_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "office macro for automation may do this behavior", "references": ["https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation", "https://attack.mitre.org/groups/G0046/", "https://www.joesandbox.com/analysis/702680/0/html", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"name": "Office Application Drop Executable", "analytic_story": ["FIN7", "AgentTesla", "CVE-2023-21716 Word RTF Heap Corruption"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Delivery"], "message": "process $process_name$ drops a file $file_name$ in host $dest$", "mitre_attack_id": ["T1566", "T1566.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "process_name", "file_name", "process_guid", "dest", "user_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_macro_js_1/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "office_application_drop_executable_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/office_application_drop_executable.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Office Application Spawn Regsvr32 process", "id": "2d9fc90c-f11f-11eb-9300-acde48001122", "version": 4, "date": "2023-02-15", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "this detection was designed to identifies suspicious spawned process of known MS office application due to macro or malicious code. this technique can be seen in so many malware like IcedID that used MS office as its weapon or attack vector to initially infect the machines.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = \"winword.exe\" OR Processes.parent_process_name = \"excel.exe\" OR Processes.parent_process_name = \"powerpnt.exe\" OR Processes.parent_process_name = \"outlook.exe\" OR Processes.parent_process_name = \"onenote.exe\" OR Processes.parent_process_name = \"onenotem.exe\" OR Processes.parent_process_name = \"onenoteviewer.exe\" OR Processes.parent_process_name = \"onenoteim.exe\" OR Processes.parent_process_name=\"msaccess.exe\") `process_regsvr32` by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `office_application_spawn_regsvr32_process_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "references": ["https://www.joesandbox.com/analysis/380662/0/html", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"name": "Office Application Spawn Regsvr32 process", "analytic_story": ["IcedID", "Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "message": "Office application spawning regsvr32.exe on $dest$", "mitre_attack_id": ["T1566", "T1566.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/phish_icedid/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_regsvr32", "definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "office_application_spawn_regsvr32_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/office_application_spawn_regsvr32_process.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Office Application Spawn rundll32 process", "id": "958751e4-9c5f-11eb-b103-acde48001122", "version": 4, "date": "2023-02-15", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This detection was designed to identify suspicious spawned processes of known MS office applications due to macro or malicious code. this technique can be seen in so many malware like trickbot that used MS office as its weapon or attack vector to initially infect the machines.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = \"winword.exe\" OR Processes.parent_process_name = \"excel.exe\" OR Processes.parent_process_name = \"powerpnt.exe\" OR Processes.parent_process_name= \"onenote.exe\" OR Processes.parent_process_name = \"onenotem.exe\" OR Processes.parent_process_name = \"onenoteviewer.exe\" OR Processes.parent_process_name = \"onenoteim.exe\" OR Processes.parent_process_name = \"msaccess.exe\") AND `process_rundll32` by Processes.parent_process Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `office_application_spawn_rundll32_process_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "references": ["https://any.run/malware-trends/trickbot", "https://any.run/report/47561b4e949041eff0a0f4693c59c81726591779fe21183ae9185b5eb6a69847/aba3722a-b373-4dae-8273-8730fb40cdbe", "https://www.joesandbox.com/analysis/702680/0/html", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"name": "Office Application Spawn rundll32 process", "analytic_story": ["Spearphishing Attachments", "Trickbot", "IcedID", "AgentTesla"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "message": "Office application spawning rundll32.exe on $dest$", "mitre_attack_id": ["T1566", "T1566.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/datasets/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "office_application_spawn_rundll32_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/office_application_spawn_rundll32_process.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Office Document Creating Schedule Task", "id": "cc8b7b74-9d0f-11eb-8342-acde48001122", "version": 4, "date": "2023-02-15", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "this search detects a potential malicious office document that create schedule task entry through macro VBA api or through loading taskschd.dll. This technique was seen in so many malicious macro malware that create persistence , beaconing using task schedule malware entry The search will return the first time and last time the task was registered, as well as the `Command` to be executed, `Task Name`, `Author`, `Enabled`, and whether it is `Hidden` or not. schtasks.exe is natively found in `C:\\Windows\\system32` and `C:\\Windows\\syswow64`. The following DLL(s) are loaded when schtasks.exe or TaskService is launched -`taskschd.dll`. If found loaded by another process, it's possible a scheduled task is being registered within that process context in memory. Upon triage, identify the task scheduled source. Was it schtasks.exe or via TaskService? Review the job created and the Command to be executed. Capture any artifacts on disk and review. Identify any parallel processes within the same timeframe to identify source.'", "data_source": ["Sysmon Event ID 7"], "search": "`sysmon` EventCode=7 parent_process_name IN (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\", \"msaccess.exe\") ImageLoaded = \"*\\\\taskschd.dll\" | stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) as AllImageLoaded count by Computer EventCode Image parent_process_name ProcessId ProcessGuid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_document_creating_schedule_task_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and ImageLoaded (Like sysmon EventCode 7) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Also be sure to include those monitored dll to your own sysmon config.", "known_false_positives": "unknown", "references": ["https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/", "https://redcanary.com/threat-detection-report/techniques/scheduled-task-job/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"name": "Office Document Creating Schedule Task", "analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Delivery"], "message": "Office document creating a schedule task on $dest$", "mitre_attack_id": ["T1566", "T1566.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["ImageLoaded", "AllImageLoaded", "Computer", "EventCode", "Image", "process_name", "ProcessId", "ProcessGuid", "_time"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/datasets/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "office_document_creating_schedule_task_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/office_document_creating_schedule_task.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Office Document Executing Macro Code", "id": "b12c89bc-9d06-11eb-a592-acde48001122", "version": 4, "date": "2023-01-24", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "this detection was designed to identifies suspicious office documents that using macro code. Macro code is known to be one of the prevalent weaponization or attack vector of threat actor. This malicious macro code is embed to a office document as an attachment that may execute malicious payload, download malware payload or other malware component. It is really good practice to disable macro by default to avoid automatically execute macro code while opening or closing a office document files.", "data_source": ["Sysmon Event ID 7"], "search": "`sysmon` EventCode=7 parent_process_name IN (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\") ImageLoaded IN (\"*\\\\VBE7INTL.DLL\",\"*\\\\VBE7.DLL\", \"*\\\\VBEUI.DLL\") | stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) as AllImageLoaded count by Computer EventCode Image process_name ProcessId ProcessGuid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_document_executing_macro_code_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and ImageLoaded (Like sysmon EventCode 7) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Also be sure to include those monitored dll to your own sysmon config.", "known_false_positives": "Normal Office Document macro use for automation", "references": ["https://www.joesandbox.com/analysis/386500/0/html", "https://www.joesandbox.com/analysis/702680/0/html", "https://bazaar.abuse.ch/sample/02cbc1ab80695fc12ff8822b926957c3a600247b9ca412a137f69cb5716c8781/", "https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"name": "Office Document Executing Macro Code", "analytic_story": ["Spearphishing Attachments", "Trickbot", "IcedID", "DarkCrystal RAT", "AgentTesla", "Qakbot", "Azorult", "Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Delivery"], "message": "Office document executing a macro on $dest$", "mitre_attack_id": ["T1566", "T1566.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["ImageLoaded", "AllImageLoaded", "Computer", "EventCode", "Image", "process_name", "ProcessId", "ProcessGuid", "_time"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/datasets/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "office_document_executing_macro_code_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/office_document_executing_macro_code.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Office Document Spawned Child Process To Download", "id": "6fed27d2-9ec7-11eb-8fe4-aa665a019aa3", "version": 5, "date": "2023-02-15", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect potential malicious office document executing lolbin child process to download payload or other malware. Since most of the attacker abused the capability of office document to execute living on land application to blend it to the normal noise in the infected machine to cover its track.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\") Processes.process IN (\"*http:*\",\"*https:*\") NOT (Processes.original_file_name IN(\"firefox.exe\", \"chrome.exe\",\"iexplore.exe\",\"msedge.exe\")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_document_spawned_child_process_to_download_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances office application and browser may be used.", "known_false_positives": "Default browser not in the filter list.", "references": ["https://app.any.run/tasks/92d7ef61-bfd7-4c92-bc15-322172b4ebec/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"name": "Office Document Spawned Child Process To Download", "analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Delivery"], "message": "Office document spawning suspicious child process on $dest$", "mitre_attack_id": ["T1566", "T1566.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/datasets2/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "office_document_spawned_child_process_to_download_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/office_document_spawned_child_process_to_download.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Office Product Spawn CMD Process", "id": "b8b19420-e892-11eb-9244-acde48001122", "version": 4, "date": "2022-02-15", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "this search is to detect a suspicious office product process that spawn cmd child process. This is commonly seen in a ms office product having macro to execute shell command to download or execute malicious lolbin relative to its malicious code. This is seen in trickbot spear phishing doc where it execute shell cmd to run mshta payload.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = \"winword.exe\" OR Processes.parent_process_name= \"excel.exe\" OR Processes.parent_process_name = \"powerpnt.exe\" OR Processes.parent_process_name= \"onenote.exe\" OR Processes.parent_process_name = \"onenotem.exe\" OR Processes.parent_process_name = \"onenoteviewer.exe\" OR Processes.parent_process_name = \"onenoteim.exe\" OR Processes.parent_process_name = \"msaccess.exe\") `process_cmd` by Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest Processes.original_file_name | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `office_product_spawn_cmd_process_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "IT or network admin may create an document automation that will run shell script.", "references": ["https://twitter.com/cyb3rops/status/1416050325870587910?s=21", "https://bazaar.abuse.ch/sample/02cbc1ab80695fc12ff8822b926957c3a600247b9ca412a137f69cb5716c8781/", "https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"name": "Office Product Spawn CMD Process", "analytic_story": ["Trickbot", "DarkCrystal RAT", "Azorult", "Remcos", "Qakbot", "AgentTesla", "CVE-2023-21716 Word RTF Heap Corruption"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Delivery"], "message": "an office product parent process $parent_process_name$ spawn child process $process_name$ in host $dest$", "mitre_attack_id": ["T1566", "T1566.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/spear_phish/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "office_product_spawn_cmd_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/office_product_spawn_cmd_process.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Office Product Spawning BITSAdmin", "id": "e8c591f4-a6d7-11eb-8cf7-acde48001122", "version": 4, "date": "2023-02-15", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following detection identifies the latest behavior utilized by different malware families (including TA551, IcedID). This detection identifies any Windows Office Product spawning `bitsadmin.exe`. In malicious instances, the command-line of `bitsadmin.exe` will contain a URL to a remote destination or similar command-line arguments as transfer, Download, priority, Foreground. In addition, Threat Research has released a detections identifying suspicious use of `bitsadmin.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `bitsadmin.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\", \"msaccess.exe\") `process_bitsadmin` by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_bitsadmin_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "No false positives known. Filter as needed.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"name": "Office Product Spawning BITSAdmin", "analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "message": "office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ in host $dest$", "mitre_attack_id": ["T1566", "T1566.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_macros.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_bitsadmin", "definition": "(Processes.process_name=bitsadmin.exe OR Processes.original_file_name=bitsadmin.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "office_product_spawning_bitsadmin_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/office_product_spawning_bitsadmin.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Office Product Spawning CertUtil", "id": "6925fe72-a6d5-11eb-9e17-acde48001122", "version": 4, "date": "2023-02-15", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following detection identifies the latest behavior utilized by different malware families (including TA551, IcedID). This detection identifies any Windows Office Product spawning `certutil.exe`. In malicious instances, the command-line of `certutil.exe` will contain a URL to a remote destination. In addition, Threat Research has released a detections identifying suspicious use of `certutil.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `certutil.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\") `process_certutil` by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_certutil_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "No false positives known. Filter as needed.", "references": ["https://redcanary.com/threat-detection-report/threats/TA551/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"name": "Office Product Spawning CertUtil", "analytic_story": ["Spearphishing Attachments", "AgentTesla", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "message": "office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ in host $dest$", "mitre_attack_id": ["T1566", "T1566.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_macros.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_certutil", "definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "office_product_spawning_certutil_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/office_product_spawning_certutil.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Office Product Spawning MSHTA", "id": "6078fa20-a6d2-11eb-b662-acde48001122", "version": 3, "date": "2023-02-15", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following detection identifies the latest behavior utilized by different malware families (including TA551, IcedID). This detection identifies any Windows Office Product spawning `mshta.exe`. In malicious instances, the command-line of `mshta.exe` will contain the `hta` file locally, or a URL to the remote destination. In addition, Threat Research has released a detections identifying suspicious use of `mshta.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `mshta.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\", \"onenote.exe\",\"onenotem.exe\", \"msaccess.exe\") `process_mshta` by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_mshta_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "No false positives known. Filter as needed.", "references": ["https://redcanary.com/threat-detection-report/threats/TA551/"], "tags": {"name": "Office Product Spawning MSHTA", "analytic_story": ["Spearphishing Attachments", "IcedID", "Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "message": "office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ in host $dest$", "mitre_attack_id": ["T1566", "T1566.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_macros.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_mshta", "definition": "(Processes.process_name=mshta.exe OR Processes.original_file_name=MSHTA.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "office_product_spawning_mshta_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/office_product_spawning_mshta.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Office Product Spawning Rundll32 with no DLL", "id": "c661f6be-a38c-11eb-be57-acde48001122", "version": 4, "date": "2023-02-15", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following detection identifies the latest behavior utilized by IcedID malware family. This detection identifies any Windows Office Product spawning `rundll32.exe` without a `.dll` file extension. In malicious instances, the command-line of `rundll32.exe` will look like `rundll32 ..\\oepddl.igk2,DllRegisterServer`. In addition, Threat Research has released a detection identifying the use of `DllRegisterServer` on the command-line of `rundll32.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze the `DLL` that was dropped to disk. The Office Product will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\", \"msaccess.exe\") `process_rundll32` (Processes.process!=*.dll*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_rundll32_with_no_dll_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited, but if any are present, filter as needed.", "references": ["https://www.joesandbox.com/analysis/395471/0/html", "https://app.any.run/tasks/cef4b8ba-023c-4b3b-b2ef-6486a44f6ed9/", "https://any.run/malware-trends/icedid"], "tags": {"name": "Office Product Spawning Rundll32 with no DLL", "analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "message": "office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ and no dll commandline $process$ in host $dest$", "mitre_attack_id": ["T1566", "T1566.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_icedid.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "office_product_spawning_rundll32_with_no_dll_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/office_product_spawning_rundll32_with_no_dll.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Office Product Spawning Windows Script Host", "id": "b3628a5b-8d02-42fa-a891-eebf2351cbe1", "version": 3, "date": "2023-02-15", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic will identify a Windows Office Product spawning WScript.exe or CScript.exe. Tuning may be required based on legitimate application usage that may spawn scripts from an Office product.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\", \"msaccess.exe\") Processes.process_name IN (\"wscript.exe\", \"cscript.exe\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_windows_script_host_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present based on macro based approved documents in the organization. Filtering may be needed.", "references": ["https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/", "https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"name": "Office Product Spawning Windows Script Host", "analytic_story": ["Spearphishing Attachments", "Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "message": "office parent process $parent_process_name$ will execute a suspicious child process $process_name$ on host $dest$.", "mitre_attack_id": ["T1566", "T1566.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.002/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "office_product_spawning_windows_script_host_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/office_product_spawning_windows_script_host.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Office Product Spawning Wmic", "id": "ffc236d6-a6c9-11eb-95f1-acde48001122", "version": 5, "date": "2023-02-15", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following detection identifies the latest behavior utilized by Ursnif malware family. This detection identifies any Windows Office Product spawning `wmic.exe`. In malicious instances, the command-line of `wmic.exe` will contain `wmic process call create`. In addition, Threat Research has released a detection identifying the use of `wmic process call create` on the command-line of `wmic.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `wmic.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\") `process_wmic` by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `office_product_spawning_wmic_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "No false positives known. Filter as needed.", "references": ["https://app.any.run/tasks/fb894ab8-a966-4b72-920b-935f41756afd/", "https://attack.mitre.org/techniques/T1047/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"name": "Office Product Spawning Wmic", "analytic_story": ["Spearphishing Attachments", "FIN7"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "message": "office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ in host $dest$", "mitre_attack_id": ["T1566", "T1566.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_macros.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "office_product_spawning_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/office_product_spawning_wmic.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Office Product Writing cab or inf", "id": "f48cd1d4-125a-11ec-a447-acde48001122", "version": 4, "date": "2023-02-15", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies behavior related to CVE-2021-40444. Whereas the malicious document will load ActiveX and download the remote payload (.inf, .cab). During triage, review parallel processes and further activity on endpoint to identify additional patterns. Retrieve the file modifications and analyze further.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"wordpad.exe\",\"wordview.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\") by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid | join proc_guid, _time [ | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*.inf\",\"*.cab\") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` |rename process_guid as proc_guid | fields _time dest file_create_time file_name file_path process_name process_path process proc_guid] | dedup file_create_time | table dest, process_name, process, file_create_time, file_name, file_path, proc_guid | `office_product_writing_cab_or_inf_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node.", "known_false_positives": "The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product.", "references": ["https://twitter.com/vxunderground/status/1436326057179860992?s=20", "https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://twitter.com/RonnyTNL/status/1436334640617373699?s=20", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"name": "Office Product Writing cab or inf", "analytic_story": ["Spearphishing Attachments", "Microsoft MSHTML Remote Code Execution CVE-2021-40444"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Delivery"], "message": "An instance of $process_name$ was identified on $dest$ writing an inf or cab file to this. This is not typical of $process_name$.", "mitre_attack_id": ["T1566", "T1566.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "process_name", "process", "file_create_time", "file_name", "file_path"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "cve": ["CVE-2021-40444"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_cabinf.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "office_product_writing_cab_or_inf_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-40444", "cvss": 6.8, "summary": "Microsoft MSHTML Remote Code Execution Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/office_product_writing_cab_or_inf.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Office Spawning Control", "id": "053e027c-10c7-11ec-8437-acde48001122", "version": 3, "date": "2023-02-15", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following detection identifies control.exe spawning from an office product. This detection identifies any Windows Office Product spawning `control.exe`. In malicious instances, the command-line of `control.exe` will contain a file path to a .cpl or .inf, related to CVE-2021-40444. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. review parallel and child processes to identify further suspicious behavior", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"mspub.exe\",\"visio.exe\",\"wordpad.exe\",\"wordview.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\") Processes.process_name=control.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `office_spawning_control_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Limited false positives should be present.", "references": ["https://strontic.github.io/xcyclopedia/library/control.exe-1F13E714A0FEA8887707DFF49287996F.html", "https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/", "https://attack.mitre.org/techniques/T1218/011/", "https://www.echotrail.io/insights/search/control.exe/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.yaml", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"name": "Office Spawning Control", "analytic_story": ["Spearphishing Attachments", "Microsoft MSHTML Remote Code Execution CVE-2021-40444"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Delivery"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ clicking a suspicious attachment.", "mitre_attack_id": ["T1566", "T1566.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "cve": ["CVE-2021-40444"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_control.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "office_spawning_control_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-40444", "cvss": 6.8, "summary": "Microsoft MSHTML Remote Code Execution Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/office_spawning_control.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Outbound Network Connection from Java Using Default Ports", "id": "d2c14d28-5c47-11ec-9892-acde48001122", "version": 2, "date": "2022-06-28", "author": "Mauricio Velazco, Lou Stella, Splunk", "type": "TTP", "status": "production", "description": "A required step while exploiting the CVE-2021-44228-Log4j vulnerability is that the victim server will perform outbound connections to attacker-controlled infrastructure. This is required as part of the JNDI lookup as well as for retrieving the second stage .class payload. The following analytic identifies the Java process reaching out to default ports used by the LDAP and RMI protocols. This behavior could represent successfull exploitation. Note that adversaries can easily decide to use arbitrary ports for these protocols and potentially bypass this detection.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where (Processes.process_name=\"java.exe\" OR Processes.process_name=javaw.exe OR Processes.process_name=javaw.exe) by _time Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where (All_Traffic.dest_port= 389 OR All_Traffic.dest_port= 636 OR All_Traffic.dest_port = 1389 OR All_Traffic.dest_port = 1099 ) by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as connection_to_CNC] | table _time dest parent_process_name process_name process_path process connection_to_CNC dest_port| `outbound_network_connection_from_java_using_default_ports_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Legitimate Java applications may use perform outbound connections to these ports. Filter as needed", "references": ["https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://www.govcert.admin.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/"], "tags": {"name": "Outbound Network Connection from Java Using Default Ports", "analytic_story": ["Log4Shell CVE-2021-44228"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Delivery", "Installation"], "message": "Java performed outbound connections to default ports of LDAP or RMI on $dest$", "mitre_attack_id": ["T1190", "T1133"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_id", "Processes.process_name", "Processes.dest", "Processes.process_path", "Processes.process", "Processes.parent_process_name", "All_Traffic.process_id", "All_Traffic.dest", "All_Traffic.dest_port"], "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "cve": ["CVE-2021-44228"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/outbound_java/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint", "Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "outbound_network_connection_from_java_using_default_ports_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-44228", "cvss": 9.3, "summary": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Overwriting Accessibility Binaries", "id": "13c2f6c3-10c5-4deb-9ba1-7c4460ebe4ae", "version": 4, "date": "2023-04-14", "author": "David Dorsey, Splunk", "type": "TTP", "status": "production", "description": "Microsoft Windows contains accessibility features that can be launched with a key combination before a user has logged in. An adversary can modify or replace these programs so they can get a command prompt or backdoor without logging in to the system. This search looks for modifications to these binaries.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem where (Filesystem.file_path=*\\\\Windows\\\\System32\\\\sethc.exe* OR Filesystem.file_path=*\\\\Windows\\\\System32\\\\utilman.exe* OR Filesystem.file_path=*\\\\Windows\\\\System32\\\\osk.exe* OR Filesystem.file_path=*\\\\Windows\\\\System32\\\\Magnify.exe* OR Filesystem.file_path=*\\\\Windows\\\\System32\\\\Narrator.exe* OR Filesystem.file_path=*\\\\Windows\\\\System32\\\\DisplaySwitch.exe* OR Filesystem.file_path=*\\\\Windows\\\\System32\\\\AtBroker.exe*) by Filesystem.file_name Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `overwriting_accessibility_binaries_filter`", "how_to_implement": "You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.", "known_false_positives": "Microsoft may provide updates to these binaries. Verify that these changes do not correspond with your normal software update cycle.", "references": [], "tags": {"name": "Overwriting Accessibility Binaries", "analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A suspicious file modification or replace in $file_path$ in host $dest$", "mitre_attack_id": ["T1546", "T1546.008"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_path", "type": "File", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.dest", "Filesystem.file_path", "Filesystem.file_name", "Filesystem.dest"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.008", "mitre_attack_technique": "Accessibility Features", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT3", "APT41", "Axiom", "Deep Panda", "Fox Kitten"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.008/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "overwriting_accessibility_binaries_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/overwriting_accessibility_binaries.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "PaperCut NG Suspicious Behavior Debug Log", "id": "395163b8-689b-444b-86c7-9fe9ad624734", "version": 1, "date": "2023-05-15", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "experimental", "description": "The following hunting analytic is designed to monitor and detect potential exploitation attempts targeting a PaperCut NG server by analyzing its debug log data. By focusing on public IP addresses accessing the PaperCut NG instance, this analytic aims to identify unauthorized or suspicious access attempts. Furthermore, it searches for specific URIs that have been discovered in the proof of concept code, which are associated with known exploits or vulnerabilities. The analytic is focused on the user admin. Regex is used mainly because the log is not parsed by Splunk and there is no TA for this debug log.", "data_source": [], "search": "`papercutng` (loginType=Admin OR userName=admin) | eval uri_match=if(match(_raw, \"(?i)(\\/app\\?service=page\\/SetupCompleted|\\/app|\\/app\\?service=page\\/PrinterList|\\/app\\?service=direct\\/1\\/PrinterList\\/selectPrinter&sp=l1001|\\/app\\?service=direct\\/1\\/PrinterDetails\\/printerOptionsTab\\.tab)\"), \"URI matches\", null()) | eval ip_match=if(match(_raw, \"(?i)((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))\") AND NOT match(_raw, \"(?i)(10\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))|(172\\.(1[6-9]|2[0-9]|3[0-1])\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))|(192\\.168\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))\"), \"IP matches\", null()) | where (isnotnull(uri_match) OR isnotnull(ip_match)) | stats sparkline, count, values(uri_match) AS uri_match, values(ip_match) AS ip_match latest(_raw) BY host, index, sourcetype | `papercut_ng_suspicious_behavior_debug_log_filter`", "how_to_implement": "Debug logs must be enabled and shipped to Splunk in order to properly identify behavior with this analytic.", "known_false_positives": "False positives may be present, as this is based on the admin user accessing the Papercut NG instance from a public IP address. Filter as needed.", "references": ["https://www.papercut.com/kb/Main/HowToCollectApplicationServerDebugLogs", "https://github.com/inodee/threathunting-spl/blob/master/hunt-queries/HAFNIUM.md", "https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-and-fbi-release-joint-advisory-response-active-exploitation-papercut-vulnerability", "https://www.papercut.com/kb/Main/PO-1216-and-PO-1219", "https://www.horizon3.ai/papercut-cve-2023-27350-deep-dive-and-indicators-of-compromise/", "https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-bug-in-papercut-servers/", "https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software"], "tags": {"name": "PaperCut NG Suspicious Behavior Debug Log", "analytic_story": ["PaperCut MF NG Vulnerability"], "asset_type": "Web Server", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Delivery", "Installation"], "message": "Behavior related to exploitation of PaperCut NG has been identified on $host$.", "mitre_attack_id": ["T1190", "T1133"], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["uri_match", "ip_match", "index", "sourcetype", "host"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "atomic_guid": [], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/papercut/server.log", "source": "papercutng", "sourcetype": "papercutng"}]}], "datamodel": [], "macros": [{"name": "papercutng", "definition": "sourcetype=\"papercutng\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "papercut_ng_suspicious_behavior_debug_log_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/papercut_ng_suspicious_behavior_debug_log.yml", "source": "endpoint"}, {"name": "Password Policy Discovery with Net", "id": "09336538-065a-11ec-8665-acde48001122", "version": 1, "date": "2021-08-26", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `net.exe` or `net1.exe` with command line arguments used to obtain the domain password policy. Red Teams and adversaries may leverage `net.exe` for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"net.exe\" OR Processes.process_name=\"net1.exe\") AND Processes.process = \"*accounts*\" AND Processes.process = \"*/domain*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `password_policy_discovery_with_net_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet"], "tags": {"name": "Password Policy Discovery with Net", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "an instance of process $process_name$ with commandline $process$ in $dest$", "mitre_attack_id": ["T1201"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id", "Processes.parent_process_name"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "password_policy_discovery_with_net_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/password_policy_discovery_with_net.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Permission Modification using Takeown App", "id": "fa7ca5c6-c9d8-11eb-bce9-acde48001122", "version": 1, "date": "2021-06-10", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a modification of file or directory permission using takeown.exe windows app. This technique was seen in some ransomware that take the ownership of a folder or files to encrypt or delete it.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"takeown.exe\" Processes.process = \"*/f*\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `permission_modification_using_takeown_app_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "takeown.exe is a normal windows application that may used by network operator.", "references": ["https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/"], "tags": {"name": "Permission Modification using Takeown App", "analytic_story": ["Ransomware", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "A suspicious of execution of $process_name$ with process id $process_id$ and commandline $process$ to modify permission of directory or files in host $dest$", "mitre_attack_id": ["T1222"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.dest", "Processes.user", "Processes.process_id", "Processes.process_guid"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data1/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "permission_modification_using_takeown_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/permission_modification_using_takeown_app.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "PetitPotam Network Share Access Request", "id": "95b8061a-0a67-11ec-85ec-acde48001122", "version": 1, "date": "2021-08-31", "author": "Michael Haag, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes Windows Event Code 5145, \"A network share object was checked to see whether client can be granted desired access\". During our research into PetitPotam, CVE-2021-36942, we identified the ocurrence of this event on the target host with specific values. \\\nTo enable 5145 events via Group Policy - Computer Configuration->Polices->Windows Settings->Security Settings->Advanced Audit Policy Configuration. Expand this node, go to Object Access (Audit Polices->Object Access), then select the Setting Audit Detailed File Share Audit \\\nIt is possible this is not enabled by default and may need to be reviewed and enabled. \\\nDuring triage, review parallel security events to identify further suspicious activity.", "data_source": ["Sysmon Event ID 5"], "search": "`wineventlog_security` Account_Name=\"ANONYMOUS LOGON\" EventCode=5145 Relative_Target_Name=lsarpc | stats count min(_time) as firstTime max(_time) as lastTime by dest, Security_ID, Share_Name, Source_Address, Accesses, Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `petitpotam_network_share_access_request_filter`", "how_to_implement": "Windows Event Code 5145 is required to utilize this analytic and it may not be enabled in most environments.", "known_false_positives": "False positives have been limited when the Anonymous Logon is used for Account Name.", "references": ["https://attack.mitre.org/techniques/T1187/", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5145", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145"], "tags": {"name": "PetitPotam Network Share Access Request", "analytic_story": ["PetitPotam NTLM Relay on Active Directory Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "A remote host is enumerating a $dest$ to identify permissions. This is a precursor event to CVE-2021-36942, PetitPotam.", "mitre_attack_id": ["T1187"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "Security_ID", "Share_Name", "Source_Address", "Accesses", "Message"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "cve": ["CVE-2021-36942"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1187", "mitre_attack_technique": "Forced Authentication", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["DarkHydrus", "Dragonfly"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1187/petitpotam/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "petitpotam_network_share_access_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-36942", "cvss": 5.0, "summary": "Windows LSA Spoofing Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/petitpotam_network_share_access_request.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "PetitPotam Suspicious Kerberos TGT Request", "id": "e3ef244e-0a67-11ec-abf2-acde48001122", "version": 1, "date": "2021-08-31", "author": "Michael Haag, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifes Event Code 4768, A `Kerberos authentication ticket (TGT) was requested`, successfull occurs. This behavior has been identified to assist with detecting PetitPotam, CVE-2021-36942. Once an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning, we recommend filtering Account_Name to Domain Controllers for your environment.", "data_source": ["Windows Security 4768"], "search": "`wineventlog_security` EventCode=4768 Client_Address!=\"::1\" Certificate_Thumbprint!=\"\" Account_Name=*$ | stats count min(_time) as firstTime max(_time) as lastTime by dest, Account_Name, Client_Address, action, Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `petitpotam_suspicious_kerberos_tgt_request_filter`", "how_to_implement": "The following analytic requires Event Code 4768. Ensure that it is logging no Domain Controllers and appearing in Splunk.", "known_false_positives": "False positives are possible if the environment is using certificates for authentication.", "references": ["https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4768", "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/"], "tags": {"name": "PetitPotam Suspicious Kerberos TGT Request", "analytic_story": ["PetitPotam NTLM Relay on Active Directory Certificate Services", "Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "A Kerberos TGT was requested in a non-standard manner against $dest$, potentially related to CVE-2021-36942, PetitPotam.", "mitre_attack_id": ["T1003"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "Account_Name", "Client_Address", "action", "Message"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "cve": ["CVE-2021-36942"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1187/petitpotam/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "petitpotam_suspicious_kerberos_tgt_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-36942", "cvss": 5.0, "summary": "Windows LSA Spoofing Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Ping Sleep Batch Command", "id": "ce058d6c-79f2-11ec-b476-acde48001122", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic will identify the possible execution of ping sleep batch commands. This technique was seen in several malware samples and is used to trigger sleep times without explicitly calling sleep functions or commandlets. The goal is to delay the execution of malicious code and bypass detection or sandbox analysis. This detection can be a good indicator of a process delaying its execution for malicious purposes.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_ping` (Processes.parent_process = \"*ping*\" Processes.parent_process = *-n* Processes.parent_process=\"* Nul*\"Processes.parent_process=\"*>*\") OR (Processes.process = \"*ping*\" Processes.process = *-n* Processes.process=\"* Nul*\"Processes.process=\"*>*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `ping_sleep_batch_command_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Administrator or network operator may execute this command. Please update the filter macros to remove false positives.", "references": ["https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"name": "Ping Sleep Batch Command", "analytic_story": ["Data Destruction", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "suspicious $process$ commandline run in $dest$", "mitre_attack_id": ["T1497", "T1497.003"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1497", "mitre_attack_technique": "Virtualization/Sandbox Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["Darkhotel"]}, {"mitre_attack_id": "T1497.003", "mitre_attack_technique": "Time Based Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1497.003/ping_sleep/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_ping", "definition": "(Processes.process_name=ping.exe OR Processes.original_file_name=ping.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "ping_sleep_batch_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/ping_sleep_batch_command.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Possible Browser Pass View Parameter", "id": "8ba484e8-4b97-11ec-b19a-acde48001122", "version": 1, "date": "2021-11-22", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "This analytic will detect if a suspicious process contains a commandline parameter related to a web browser credential dumper. This technique is used by Remcos RAT malware which uses the Nirsoft webbrowserpassview.exe application to dump web browser credentials. Remcos uses the \"/stext\" command line to dump the credentials in text format. This Hunting query is a good indicator of hosts suffering from possible Remcos RAT infection. Since the hunting query is based on the parameter command and the possible path where it will save the text credential information, it may catch normal tools that are using the same command and behavior.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*/stext *\", \"*/shtml *\", \"*/LoadPasswordsIE*\", \"*/LoadPasswordsFirefox*\", \"*/LoadPasswordsChrome*\", \"*/LoadPasswordsOpera*\", \"*/LoadPasswordsSafari*\" , \"*/UseOperaPasswordFile*\", \"*/OperaPasswordFile*\",\"*/stab*\", \"*/scomma*\", \"*/stabular*\", \"*/shtml*\", \"*/sverhtml*\", \"*/sxml*\", \"*/skeepass*\" ) AND Processes.process IN (\"*\\\\temp\\\\*\", \"*\\\\users\\\\public\\\\*\", \"*\\\\programdata\\\\*\") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `possible_browser_pass_view_parameter_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "False positive is quite limited. Filter is needed", "references": ["https://www.nirsoft.net/utils/web_browser_password.html", "https://app.any.run/tasks/df0baf9f-8baf-4c32-a452-16562ecb19be/"], "tags": {"name": "Possible Browser Pass View Parameter", "analytic_story": ["Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 40, "impact": 40, "kill_chain_phases": ["Exploitation"], "message": "suspicious process $process_name$ contains commandline $process$ on $dest$", "mitre_attack_id": ["T1555.003", "T1555"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 16, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555/web_browser_pass_view/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "possible_browser_pass_view_parameter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/possible_browser_pass_view_parameter.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Possible Lateral Movement PowerShell Spawn", "id": "cb909b3e-512b-11ec-aa31-3e22fbd008af", "version": 1, "date": "2023-04-14", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic is designed to identify possible lateral movement attacks that involve the spawning of a PowerShell process as a child or grandchild process of commonly abused processes. These processes include services.exe, wmiprsve.exe, svchost.exe, wsmprovhost.exe, and mmc.exe.\\\nSuch behavior is indicative of legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management, and the DCOM protocol being abused to start a process on a remote endpoint. This behavior is often seen during lateral movement techniques where adversaries or red teams abuse these services for lateral movement and remote code execution.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wmiprvse.exe OR Processes.parent_process_name=services.exe OR Processes.parent_process_name=svchost.exe OR Processes.parent_process_name=wsmprovhost.exe OR Processes.parent_process_name=mmc.exe) (Processes.process_name=powershell.exe OR (Processes.process_name=cmd.exe AND Processes.process=*powershell.exe*) OR Processes.process_name=pwsh.exe OR (Processes.process_name=cmd.exe AND Processes.process=*pwsh.exe*)) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `possible_lateral_movement_powershell_spawn_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints.", "known_false_positives": "Legitimate applications may spawn PowerShell as a child process of the the identified processes. Filter as needed.", "references": ["https://attack.mitre.org/techniques/T1021/003/", "https://attack.mitre.org/techniques/T1021/006/", "https://attack.mitre.org/techniques/T1047/", "https://attack.mitre.org/techniques/T1053/005/", "https://attack.mitre.org/techniques/T1543/003/"], "tags": {"name": "Possible Lateral Movement PowerShell Spawn", "analytic_story": ["Active Directory Lateral Movement", "Malicious PowerShell", "Hermetic Wiper", "Data Destruction", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "message": "A PowerShell process was spawned as a child process of typically abused processes on $dest$", "mitre_attack_id": ["T1021", "T1021.003", "T1021.006", "T1047", "T1053.005", "T1543.003", "T1059.001", "T1218.014"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement_powershell/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "possible_lateral_movement_powershell_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/possible_lateral_movement_powershell_spawn.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Potential password in username", "id": "5ced34b4-ab32-4bb0-8f22-3b8f186f0a38", "version": 1, "date": "2022-05-11", "author": "Mikael Bjerkeland, Splunk", "type": "Hunting", "status": "production", "description": "This search identifies users who have entered their passwords in username fields. This is done by looking for failed authentication attempts using usernames with a length longer than 7 characters and a high Shannon entropy, and looks for the next successful authentication attempt from the same source system to the same destination system as the failed attempt.", "data_source": [], "search": "| tstats `security_content_summariesonly` earliest(_time) AS starttime latest(_time) AS endtime latest(sourcetype) AS sourcetype values(Authentication.src) AS src values(Authentication.dest) AS dest count FROM datamodel=Authentication WHERE nodename=Authentication.Failed_Authentication BY \"Authentication.user\" | `drop_dm_object_name(Authentication)` | lookup ut_shannon_lookup word AS user | where ut_shannon>3 AND len(user)>=8 AND mvcount(src) == 1 | sort count, - ut_shannon | eval incorrect_cred=user | eval endtime=endtime+1000 | map maxsearches=70 search=\"| tstats `security_content_summariesonly` earliest(_time) AS starttime latest(_time) AS endtime latest(sourcetype) AS sourcetype values(Authentication.src) AS src values(Authentication.dest) AS dest count FROM datamodel=Authentication WHERE nodename=Authentication.Successful_Authentication Authentication.src=\\\"$src$\\\" Authentication.dest=\\\"$dest$\\\" sourcetype IN (\\\"$sourcetype$\\\") earliest=\\\"$starttime$\\\" latest=\\\"$endtime$\\\" BY \\\"Authentication.user\\\" | `drop_dm_object_name(\\\"Authentication\\\")` | `potential_password_in_username_false_positive_reduction` | eval incorrect_cred=\\\"$incorrect_cred$\\\" | eval ut_shannon=\\\"$ut_shannon$\\\" | sort count\" | where user!=incorrect_cred | outlier action=RM count | `potential_password_in_username_filter`", "how_to_implement": "To successfully implement this search, you need to have relevant authentication logs mapped to the Authentication data model. You also need to have the Splunk TA URL Toolbox (https://splunkbase.splunk.com/app/2734/) installed. The detection must run with a time interval shorter than endtime+1000.", "known_false_positives": "Valid usernames with high entropy or source/destination system pairs with multiple authenticating users will make it difficult to identify the real user authenticating.", "references": ["https://medium.com/@markmotig/search-for-passwords-accidentally-typed-into-the-username-field-975f1a389928"], "tags": {"name": "Potential password in username", "analytic_story": ["Credential Dumping", "Insider Threat"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 30, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "Potential password in username ($user$) with Shannon entropy ($ut_shannon$)", "mitre_attack_id": ["T1078.003", "T1552.001"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Authentication.user", "Authentication.src", "Authentication.dest", "sourcetype"], "risk_score": 21, "security_domain": "access", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.003", "mitre_attack_technique": "Local Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "FIN10", "HAFNIUM", "Kimsuky", "PROMETHIUM", "Tropic Trooper", "Turla"]}, {"mitre_attack_id": "T1552.001", "mitre_attack_technique": "Credentials In Files", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "Fox Kitten", "Kimsuky", "Leafminer", "MuddyWater", "OilRig", "TA505", "TeamTNT"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.001/password_in_username/linux_secure.log", "source": "/var/log/secure", "sourcetype": "linux_secure"}]}], "datamodel": ["Authentication"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "potential_password_in_username_false_positive_reduction", "definition": "search *", "description": "Add customer specific known false positives to the map command used in detection - Potential password in username"}, {"name": "potential_password_in_username_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/potential_password_in_username.yml", "source": "endpoint"}, {"name": "Potentially malicious code on commandline", "id": "9c53c446-757e-11ec-871d-acde48001122", "version": 1, "date": "2022-01-14", "author": "Michael Hart, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic uses a pretrained machine learning text classifier to detect potentially malicious commandlines. The model identifies unusual combinations of keywords found in samples of commandlines where adversaries executed powershell code, primarily for C2 communication. For example, adversaries will leverage IO capabilities such as \"streamreader\" and \"webclient\", threading capabilties such as \"mutex\" locks, programmatic constructs like \"function\" and \"catch\", and cryptographic operations like \"computehash\". Although observing one of these keywords in a commandline script is possible, combinations of keywords observed in attack data are not typically found in normal usage of the commandline. The model will output a score where all values above zero are suspicious, anything greater than one particularly so.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=\"Endpoint.Processes\" by Processes.parent_process_name Processes.process_name Processes.process Processes.user Processes.dest | `drop_dm_object_name(Processes)` | where len(process) > 200 | `potentially_malicious_code_on_cmdline_tokenize_score` | apply unusual_commandline_detection | eval score='predicted(unusual_cmdline_logits)', process=orig_process | fields - unusual_cmdline* predicted(unusual_cmdline_logits) orig_process | where score > 0.5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `potentially_malicious_code_on_commandline_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. You will also need to install the Machine Learning Toolkit version 5.3 or above to apply the pretrained model.", "known_false_positives": "This model is an anomaly detector that identifies usage of APIs and scripting constructs that are correllated with malicious activity. These APIs and scripting constructs are part of the programming langauge and advanced scripts may generate false positives.", "references": ["https://attack.mitre.org/techniques/T1059/003/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"], "tags": {"name": "Potentially malicious code on commandline", "analytic_story": ["Suspicious Command-Line Executions"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 20, "impact": 60, "kill_chain_phases": ["Installation"], "message": "Unusual command-line execution with hallmarks of malicious activity run by $user$ found on $dest$ with commandline $process$", "mitre_attack_id": ["T1059.003"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.parent_process_name", "Processes.process_name", "Processes.parent_process", "Processes.user", "Processes.dest"], "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/malicious_cmd_line_samples/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "potentially_malicious_code_on_cmdline_tokenize_score", "definition": "eval orig_process=process, process=replace(lower(process), \"`\", \"\") | makemv tokenizer=\"([\\w\\d\\-]+)\" process | eval unusual_cmdline_feature_for=if(match(process, \"^for$\"), mvcount(mvfilter(match(process, \"^for$\"))), 0), unusual_cmdline_feature_netsh=if(match(process, \"^netsh$\"), mvcount(mvfilter(match(process, \"^netsh$\"))), 0), unusual_cmdline_feature_readbytes=if(match(process, \"^readbytes$\"), mvcount(mvfilter(match(process, \"^readbytes$\"))), 0), unusual_cmdline_feature_set=if(match(process, \"^set$\"), mvcount(mvfilter(match(process, \"^set$\"))), 0), unusual_cmdline_feature_unrestricted=if(match(process, \"^unrestricted$\"), mvcount(mvfilter(match(process, \"^unrestricted$\"))), 0), unusual_cmdline_feature_winstations=if(match(process, \"^winstations$\"), mvcount(mvfilter(match(process, \"^winstations$\"))), 0), unusual_cmdline_feature_-value=if(match(process, \"^-value$\"), mvcount(mvfilter(match(process, \"^-value$\"))), 0), unusual_cmdline_feature_compression=if(match(process, \"^compression$\"), mvcount(mvfilter(match(process, \"^compression$\"))), 0), unusual_cmdline_feature_server=if(match(process, \"^server$\"), mvcount(mvfilter(match(process, \"^server$\"))), 0), unusual_cmdline_feature_set-mppreference=if(match(process, \"^set-mppreference$\"), mvcount(mvfilter(match(process, \"^set-mppreference$\"))), 0), unusual_cmdline_feature_terminal=if(match(process, \"^terminal$\"), mvcount(mvfilter(match(process, \"^terminal$\"))), 0), unusual_cmdline_feature_-name=if(match(process, \"^-name$\"), mvcount(mvfilter(match(process, \"^-name$\"))), 0), unusual_cmdline_feature_catch=if(match(process, \"^catch$\"), mvcount(mvfilter(match(process, \"^catch$\"))), 0), unusual_cmdline_feature_get-wmiobject=if(match(process, \"^get-wmiobject$\"), mvcount(mvfilter(match(process, \"^get-wmiobject$\"))), 0), unusual_cmdline_feature_hklm=if(match(process, \"^hklm$\"), mvcount(mvfilter(match(process, \"^hklm$\"))), 0), unusual_cmdline_feature_streamreader=if(match(process, \"^streamreader$\"), mvcount(mvfilter(match(process, \"^streamreader$\"))), 0), unusual_cmdline_feature_system32=if(match(process, \"^system32$\"), mvcount(mvfilter(match(process, \"^system32$\"))), 0), unusual_cmdline_feature_username=if(match(process, \"^username$\"), mvcount(mvfilter(match(process, \"^username$\"))), 0), unusual_cmdline_feature_webrequest=if(match(process, \"^webrequest$\"), mvcount(mvfilter(match(process, \"^webrequest$\"))), 0), unusual_cmdline_feature_count=if(match(process, \"^count$\"), mvcount(mvfilter(match(process, \"^count$\"))), 0), unusual_cmdline_feature_webclient=if(match(process, \"^webclient$\"), mvcount(mvfilter(match(process, \"^webclient$\"))), 0), unusual_cmdline_feature_writeallbytes=if(match(process, \"^writeallbytes$\"), mvcount(mvfilter(match(process, \"^writeallbytes$\"))), 0), unusual_cmdline_feature_convert=if(match(process, \"^convert$\"), mvcount(mvfilter(match(process, \"^convert$\"))), 0), unusual_cmdline_feature_create=if(match(process, \"^create$\"), mvcount(mvfilter(match(process, \"^create$\"))), 0), unusual_cmdline_feature_function=if(match(process, \"^function$\"), mvcount(mvfilter(match(process, \"^function$\"))), 0), unusual_cmdline_feature_net=if(match(process, \"^net$\"), mvcount(mvfilter(match(process, \"^net$\"))), 0), unusual_cmdline_feature_com=if(match(process, \"^com$\"), mvcount(mvfilter(match(process, \"^com$\"))), 0), unusual_cmdline_feature_http=if(match(process, \"^http$\"), mvcount(mvfilter(match(process, \"^http$\"))), 0), unusual_cmdline_feature_io=if(match(process, \"^io$\"), mvcount(mvfilter(match(process, \"^io$\"))), 0), unusual_cmdline_feature_system=if(match(process, \"^system$\"), mvcount(mvfilter(match(process, \"^system$\"))), 0), unusual_cmdline_feature_new-object=if(match(process, \"^new-object$\"), mvcount(mvfilter(match(process, \"^new-object$\"))), 0), unusual_cmdline_feature_if=if(match(process, \"^if$\"), mvcount(mvfilter(match(process, \"^if$\"))), 0), unusual_cmdline_feature_threading=if(match(process, \"^threading$\"), mvcount(mvfilter(match(process, \"^threading$\"))), 0), unusual_cmdline_feature_mutex=if(match(process, \"^mutex$\"), mvcount(mvfilter(match(process, \"^mutex$\"))), 0), unusual_cmdline_feature_cryptography=if(match(process, \"^cryptography$\"), mvcount(mvfilter(match(process, \"^cryptography$\"))), 0), unusual_cmdline_feature_computehash=if(match(process, \"^computehash$\"), mvcount(mvfilter(match(process, \"^computehash$\"))), 0)", "description": "Performs the tokenization and application of the malicious commandline classifier"}, {"name": "potentially_malicious_code_on_commandline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/potentially_malicious_code_on_commandline.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "PowerShell 4104 Hunting", "id": "d6f2b006-0041-11ec-8885-acde48001122", "version": 4, "date": "2023-06-14", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following Hunting analytic assists with identifying suspicious PowerShell execution using Script Block Logging, or EventCode 4104. This analytic is not meant to be ran hourly, but occasionally to identify malicious or suspicious PowerShell. This analytic is a combination of work completed by Alex Teixeira and Splunk Threat Research Team.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 | eval DoIt = if(match(ScriptBlockText,\"(?i)(\\$doit)\"), \"4\", 0) | eval enccom=if(match(ScriptBlockText,\"[A-Za-z0-9+\\/]{44,}([A-Za-z0-9+\\/]{4}|[A-Za-z0-9+\\/]{3}=|[A-Za-z0-9+\\/]{2}==)\") OR match(ScriptBlockText, \"(?i)[-]e(nc*o*d*e*d*c*o*m*m*a*n*d*)*\\s+[^-]\"),4,0) | eval suspcmdlet=if(match(ScriptBlockText, \"(?i)Add-Exfiltration|Add-Persistence|Add-RegBackdoor|Add-ScrnSaveBackdoor|Check-VM|Do-Exfiltration|Enabled-DuplicateToken|Exploit-Jboss|Find-Fruit|Find-GPOLocation|Find-TrustedDocuments|Get-ApplicationHost|Get-ChromeDump|Get-ClipboardContents|Get-FoxDump|Get-GPPPassword|Get-IndexedItem|Get-Keystrokes|LSASecret|Get-PassHash|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-RickAstley|Get-Screenshot|Get-SecurityPackages|Get-ServiceFilePermission|Get-ServicePermission|Get-ServiceUnquoted|Get-SiteListPassword|Get-System|Get-TimedScreenshot|Get-UnattendedInstallFile|Get-Unconstrained|Get-VaultCredential|Get-VulnAutoRun|Get-VulnSchTask|Gupt-Backdoor|HTTP-Login|Install-SSP|Install-ServiceBinary|Invoke-ACLScanner|Invoke-ADSBackdoor|Invoke-ARPScan|Invoke-AllChecks|Invoke-BackdoorLNK|Invoke-BypassUAC|Invoke-CredentialInjection|Invoke-DCSync|Invoke-DllInjection|Invoke-DowngradeAccount|Invoke-EgressCheck|Invoke-Inveigh|Invoke-InveighRelay|Invoke-Mimikittenz|Invoke-NetRipper|Invoke-NinjaCopy|Invoke-PSInject|Invoke-Paranoia|Invoke-PortScan|Invoke-PoshRat|Invoke-PostExfil|Invoke-PowerDump|Invoke-PowerShellTCP|Invoke-PsExec|Invoke-PsUaCme|Invoke-ReflectivePEInjection|Invoke-ReverseDNSLookup|Invoke-RunAs|Invoke-SMBScanner|Invoke-SSHCommand|Invoke-Service|Invoke-Shellcode|Invoke-Tater|Invoke-ThunderStruck|Invoke-Token|Invoke-UserHunter|Invoke-VoiceTroll|Invoke-WScriptBypassUAC|Invoke-WinEnum|MailRaider|New-HoneyHash|Out-Minidump|Port-Scan|PowerBreach|PowerUp|PowerView|Remove-Update|Set-MacAttribute|Set-Wallpaper|Show-TargetScreen|Start-CaptureServer|VolumeShadowCopyTools|NEEEEWWW|(Computer|User)Property|CachedRDPConnection|get-net\\S+|invoke-\\S+hunter|Install-Service|get-\\S+(credent|password)|remoteps|Kerberos.*(policy|ticket)|netfirewall|Uninstall-Windows|Verb\\s+Runas|AmsiBypass|nishang|Invoke-Interceptor|EXEonRemote|NetworkRelay|PowerShelludp|PowerShellIcmp|CreateShortcut|copy-vss|invoke-dll|invoke-mass|out-shortcut|Invoke-ShellCommand\"),1,0) | eval base64 = if(match(lower(ScriptBlockText),\"frombase64\"), \"4\", 0) | eval empire=if(match(lower(ScriptBlockText),\"system.net.webclient\") AND match(lower(ScriptBlockText), \"frombase64string\") ,5,0) | eval mimikatz=if(match(lower(ScriptBlockText),\"mimikatz\") OR match(lower(ScriptBlockText), \"-dumpcr\") OR match(lower(ScriptBlockText), \"SEKURLSA::Pth\") OR match(lower(ScriptBlockText), \"kerberos::ptt\") OR match(lower(ScriptBlockText), \"kerberos::golden\") ,5,0) | eval iex=if(match(ScriptBlockText, \"(?i)iex|invoke-expression\"),2,0) | eval webclient=if(match(lower(ScriptBlockText),\"http\") OR match(lower(ScriptBlockText),\"web(client|request)\") OR match(lower(ScriptBlockText),\"socket\") OR match(lower(ScriptBlockText),\"download(file|string)\") OR match(lower(ScriptBlockText),\"bitstransfer\") OR match(lower(ScriptBlockText),\"internetexplorer.application\") OR match(lower(ScriptBlockText),\"xmlhttp\"),5,0) | eval get = if(match(lower(ScriptBlockText),\"get-\"), \"1\", 0) | eval rundll32 = if(match(lower(ScriptBlockText),\"rundll32\"), \"4\", 0) | eval suspkeywrd=if(match(ScriptBlockText, \"(?i)(bitstransfer|mimik|metasp|AssemblyBuilderAccess|Reflection\\.Assembly|shellcode|injection|cnvert|shell\\.application|start-process|Rc4ByteStream|System\\.Security\\.Cryptography|lsass\\.exe|localadmin|LastLoggedOn|hijack|BackupPrivilege|ngrok|comsvcs|backdoor|brute.?force|Port.?Scan|Exfiltration|exploit|DisableRealtimeMonitoring|beacon)\"),1,0) | eval syswow64 = if(match(lower(ScriptBlockText),\"syswow64\"), \"3\", 0) | eval httplocal = if(match(lower(ScriptBlockText),\"http://127.0.0.1\"), \"4\", 0) | eval reflection = if(match(lower(ScriptBlockText),\"reflection\"), \"1\", 0) | eval invokewmi=if(match(lower(ScriptBlockText), \"(?i)(wmiobject|WMIMethod|RemoteWMI|PowerShellWmi|wmicommand)\"),5,0) | eval downgrade=if(match(ScriptBlockText, \"(?i)([-]ve*r*s*i*o*n*\\s+2)\") OR match(lower(ScriptBlockText),\"powershell -version\"),3,0) | eval compressed=if(match(ScriptBlockText, \"(?i)GZipStream|::Decompress|IO.Compression|write-zip|(expand|compress)-Archive\"),5,0) | eval invokecmd = if(match(lower(ScriptBlockText),\"invoke-command\"), \"4\", 0) | addtotals fieldname=Score DoIt, enccom, suspcmdlet, suspkeywrd, compressed, downgrade, mimikatz, iex, empire, rundll32, webclient, syswow64, httplocal, reflection, invokewmi, invokecmd, base64, get | stats values(Score) by DoIt, enccom, compressed, downgrade, iex, mimikatz, rundll32, empire, webclient, syswow64, httplocal, reflection, invokewmi, invokecmd, base64, get, suspcmdlet, suspkeywrd | `powershell_4104_hunting_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Limited false positives. May filter as needed.", "references": ["https://github.com/inodee/threathunting-spl/blob/master/hunt-queries/powershell_qualifiers.md", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell", "https://github.com/marcurdy/dfir-toolset/blob/master/Powershell%20Blueteam.txt", "https://devblogs.microsoft.com/powershell/powershell-the-blue-team/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging?view=powershell-5.1", "https://www.mandiant.com/resources/greater-visibilityt", "https://hurricanelabs.com/splunk-tutorials/how-to-use-powershell-transcription-logs-in-splunk/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html", "https://adlumin.com/post/powerdrop-a-new-insidious-powershell-script-for-command-and-control-attacks-targets-u-s-aerospace-defense-industry/"], "tags": {"name": "PowerShell 4104 Hunting", "analytic_story": ["Malicious PowerShell", "Hermetic Wiper", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $Computer$ by user $user$ executing suspicious commands.", "mitre_attack_id": ["T1059", "T1059.001"], "nist": ["DE.AE"], "observable": [{"name": "UserID", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_4104_hunting_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_4104_hunting.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "PowerShell - Connect To Internet With Hidden Window", "id": "ee18ed37-0802-4268-9435-b3b91aaa18db", "version": 8, "date": "2023-04-14", "author": "David Dorsey, Michael Haag Splunk", "type": "Hunting", "status": "production", "description": "The following hunting analytic identifies PowerShell commands utilizing the WindowStyle parameter to hide the window on the compromised endpoint. This combination of command-line options is suspicious because it is overriding the default PowerShell execution policy, attempts to hide its activity from the user, and connects to the Internet. Removed in this version of the query is New-Object. The analytic identifies all variations of WindowStyle, as PowerShell allows the ability to shorten the parameter. For example w, win, windowsty and so forth. In addition, through our research it was identified that PowerShell will interpret different command switch types beyond the hyphen. We have added endash, emdash, horizontal bar, and forward slash.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/|–|—|―]w(in*d*o*w*s*t*y*l*e*)*\\s+[^-]\") | `powershell___connect_to_internet_with_hidden_window_filter`", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "Legitimate process can have this combination of command-line options, but it's not common.", "references": ["https://regexr.com/663rr", "https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1059.001_PowerShell/OutPowerShellCommandLineParameter.ps1", "https://ss64.com/ps/powershell.html", "https://twitter.com/M_haggis/status/1440758396534214658?s=20", "https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading-using-the-log4j2-vulnerability-now/"], "tags": {"name": "PowerShell - Connect To Internet With Hidden Window", "analytic_story": ["AgentTesla", "HAFNIUM Group", "Hermetic Wiper", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Malicious PowerShell", "Data Destruction", "Log4Shell CVE-2021-44228"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Installation"], "message": "PowerShell processes $process$ started with parameters to modify the execution policy of the run, run in a hidden window, and connect to the Internet on host $dest$ executed by user $user$.", "mitre_attack_id": ["T1059.001", "T1059"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.process_name", "Processes.user", "Processes.parent_process_name", "Processes.dest"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "cve": ["CVE-2021-44228"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/hidden_powershell/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "powershell___connect_to_internet_with_hidden_window_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-44228", "cvss": 9.3, "summary": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Powershell COM Hijacking InprocServer32 Modification", "id": "ea61e291-af05-4716-932a-67faddb6ae6f", "version": 1, "date": "2022-09-26", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell ScriptBlock Logging to identify a script that is attempting to modify or add a component object model to inprocserver32 path within the registry.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Software\\\\Classes\\\\CLSID\\\\*\\\\InProcServer32*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_com_hijacking_inprocserver32_modification_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the PowerShell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "False positives will be present if any scripts are adding to inprocserver32. Filter as needed.", "references": ["https://attack.mitre.org/techniques/T1546/015/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html", "https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"], "tags": {"name": "Powershell COM Hijacking InprocServer32 Modification", "analytic_story": ["Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A PowerShell script has been identified with InProcServer32 within the script code on $Computer$.", "mitre_attack_id": ["T1546.015", "T1059", "T1059.001"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.015/atomic_red_team/windows-powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_com_hijacking_inprocserver32_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_com_hijacking_inprocserver32_modification.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Powershell Creating Thread Mutex", "id": "637557ec-ca08-11eb-bd0a-acde48001122", "version": 3, "date": "2022-05-02", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is using the `mutex` function. This function is commonly seen in some obfuscated PowerShell scripts to make sure that only one instance of there process is running on a compromise machine. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Threading.Mutex*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_creating_thread_mutex_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "powershell developer may used this function in their script for instance checking too.", "references": ["https://isc.sans.edu/forums/diary/Some+Powershell+Malicious+Code/22988/", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/"], "tags": {"name": "Powershell Creating Thread Mutex", "analytic_story": ["Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "message": "A suspicious powershell script contains Thread Mutex in $ScriptBlockText$ with EventCode $EventCode$ in host $Computer$", "mitre_attack_id": ["T1027", "T1027.005", "T1059.001"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ScriptBlockText", "Computer", "UserID"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1027.005", "mitre_attack_technique": "Indicator Removal from Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT3", "Deep Panda", "GALLIUM", "OilRig", "Patchwork", "TEMP.Veles", "Turla"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_creating_thread_mutex_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_creating_thread_mutex.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Powershell Disable Security Monitoring", "id": "c148a894-dd93-11eb-bf2a-acde48001122", "version": 3, "date": "2022-07-15", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "This search identifies a modification in registry to disable the windows defender real time behavior monitoring. This event or technique is commonly seen in RATs, bots, or Trojans to disable AV to evade detections.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=\"*set-mppreference*\" AND Processes.process IN (\"*disablerealtimemonitoring*\",\"*disableioavprotection*\",\"*disableintrusionpreventionsystem*\",\"*disablescriptscanning*\",\"*disableblockatfirstseen*\",\"*DisableBehaviorMonitoring*\",\"*drtm *\",\"*dioavp *\",\"*dscrptsc *\",\"*dbaf *\",\"*dbm *\") by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_disable_security_monitoring_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Limited false positives. However, tune based on scripts that may perform this action.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-15---tamper-with-windows-defender-atp-powershell", "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps"], "tags": {"name": "Powershell Disable Security Monitoring", "analytic_story": ["Ransomware", "Revil Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Windows Defender Real-time Behavior Monitoring disabled on $dest$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/pwh_defender_disabling/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "powershell_disable_security_monitoring_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_disable_security_monitoring.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "PowerShell Domain Enumeration", "id": "e1866ce2-ca22-11eb-8e44-acde48001122", "version": 2, "date": "2023-04-14", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \\\nThis analytic identifies specific PowerShell modules typically used to enumerate an organizations domain or users. \\\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText IN (*get-netdomaintrust*, *get-netforesttrust*, *get-addomain*, *get-adgroupmember*, *get-domainuser*) | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_domain_enumeration_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "It is possible there will be false positives, filter as needed.", "references": ["https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"name": "PowerShell Domain Enumeration", "analytic_story": ["Malicious PowerShell", "Hermetic Wiper", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Installation"], "message": "A suspicious powershell script contains domain enumeration command in $ScriptBlockText$ with EventCode $EventCode$ in host $Computer$", "mitre_attack_id": ["T1059", "T1059.001"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/enumeration.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_domain_enumeration_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_domain_enumeration.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "PowerShell Enable PowerShell Remoting", "id": "40e3b299-19a5-4460-96e9-e1467f714f8e", "version": 1, "date": "2023-03-22", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic utilizes PowerShell Script Block Logging (EventCode 4104) to identify the use of Enable-PSRemoting cmdlet. This cmdlet allows users to enable PowerShell remoting on a local or remote computer, which allows other computers to run commands on the target computer. The ability to remotely execute commands can be abused by attackers to take control of compromised systems and pivot to other systems on the network. By detecting the use of Enable-PSRemoting cmdlet via script block logging, this analytic can help organizations identify potential malicious activity related to attackers attempting to gain remote control of compromised systems.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText=\"*Enable-PSRemoting*\" | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `powershell_enable_powershell_remoting_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Note that false positives may occur due to the use of the Enable-PSRemoting cmdlet by legitimate users, such as system administrators. It is recommended to apply appropriate filters as needed to minimize the number of false positives.", "references": ["https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.3"], "tags": {"name": "PowerShell Enable PowerShell Remoting", "analytic_story": ["Malicious PowerShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "PowerShell was identified running a Invoke-PSremoting on $Computer$.", "mitre_attack_id": ["T1059.001", "T1059"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ScriptBlockText", "Computer"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/4104-psremoting-windows-powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_enable_powershell_remoting_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_enable_powershell_remoting.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Powershell Enable SMB1Protocol Feature", "id": "afed80b2-d34b-11eb-a952-acde48001122", "version": 2, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious enabling of smb1protocol through `powershell.exe`. This technique was seen in some ransomware (like reddot) where it enable smb share to do the lateral movement and encrypt other files within the compromise network system.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Enable-WindowsOptionalFeature*\" ScriptBlockText = \"*SMB1Protocol*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_enable_smb1protocol_feature_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event.", "known_false_positives": "network operator may enable or disable this windows feature.", "references": ["https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"name": "Powershell Enable SMB1Protocol Feature", "analytic_story": ["Ransomware", "Malicious PowerShell", "Hermetic Wiper", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Powershell Enable SMB1Protocol Feature on $Computer$", "mitre_attack_id": ["T1027", "T1027.005"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ScriptBlockText", "Computer", "UserID"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1027.005", "mitre_attack_technique": "Indicator Removal from Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT3", "Deep Panda", "GALLIUM", "OilRig", "Patchwork", "TEMP.Veles", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_enable_smb1protocol_feature_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_enable_smb1protocol_feature.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Powershell Execute COM Object", "id": "65711630-f9bf-11eb-8d72-acde48001122", "version": 2, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a COM CLSID execution through powershell. This technique was seen in several adversaries and malware like ransomware conti where it has a feature to execute command using COM Object. This technique may use by network operator at some cases but a good indicator if some application want to gain privilege escalation or bypass uac.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*CreateInstance([type]::GetTypeFromCLSID*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_execute_com_object_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "network operrator may use this command.", "references": ["https://threadreaderapp.com/thread/1423361119926816776.html", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"name": "Powershell Execute COM Object", "analytic_story": ["Ransomware", "Malicious PowerShell", "Hermetic Wiper", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 10, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A suspicious powershell script contains COM CLSID command in $ScriptBlockText$ with EventCode $EventCode$ in host $Computer$", "mitre_attack_id": ["T1546.015", "T1546", "T1059.001"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Computer", "EventCode"], "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.015/pwh_com_object/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_execute_com_object_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_execute_com_object.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Powershell Fileless Process Injection via GetProcAddress", "id": "a26d9db4-c883-11eb-9d75-acde48001122", "version": 2, "date": "2023-04-14", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. \\\nThis analytic identifies `GetProcAddress` in the script block. This is not normal to be used by most PowerShell scripts and is typically unsafe/malicious. Many attack toolkits use GetProcAddress to obtain code execution. \\\nIn use, `$var_gpa = $var_unsafe_native_methods.GetMethod(GetProcAddress` and later referenced/executed elsewhere. \\\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText=*getprocaddress* | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_fileless_process_injection_via_getprocaddress_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Limited false positives. Filter as needed.", "references": ["https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"name": "Powershell Fileless Process Injection via GetProcAddress", "analytic_story": ["Malicious PowerShell", "Hermetic Wiper", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A suspicious powershell script contains GetProcAddress API in $ScriptBlockText$ with EventCode $EventCode$ in host $Computer$", "mitre_attack_id": ["T1059", "T1055", "T1059.001"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_fileless_process_injection_via_getprocaddress_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_fileless_process_injection_via_getprocaddress.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "id": "8acbc04c-c882-11eb-b060-acde48001122", "version": 3, "date": "2023-04-05", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \\\nThis analytic identifies `FromBase64String` within the script block. A typical malicious instance will include additional code. \\\nCommand example - `[Byte[]]$var_code = [System.Convert]::FromBase64String(38uqIyMjQ6rG....` \\\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*frombase64string*\" OR ScriptBlockText = \"*gnirtS46esaBmorF*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_fileless_script_contains_base64_encoded_content_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited. Filter as needed.", "references": ["https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "analytic_story": ["Hermetic Wiper", "Malicious PowerShell", "Winter Vivern", "AsyncRAT", "Data Destruction", "IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A suspicious powershell script contains base64 command in $ScriptBlockText$ with EventCode $EventCode$ in host $Computer$", "mitre_attack_id": ["T1059", "T1027", "T1059.001"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/frombase64string.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_fileless_script_contains_base64_encoded_content_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "PowerShell Get LocalGroup Discovery", "id": "b71adfcc-155b-11ec-9413-acde48001122", "version": 1, "date": "2021-09-14", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following hunting analytic identifies the use of `get-localgroup` being used with PowerShell to identify local groups on the endpoint. During triage, review parallel processes and identify any further suspicious behavior.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=powershell.exe OR Processes.process_name=cmd.exe) (Processes.process=\"*get-localgroup*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `powershell_get_localgroup_discovery_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present. Tune as needed.", "references": ["https://attack.mitre.org/techniques/T1069/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"], "tags": {"name": "PowerShell Get LocalGroup Discovery", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Local group discovery on $dest$ by $user$.", "mitre_attack_id": ["T1069", "T1069.001"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "admin@338"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "powershell_get_localgroup_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_get_localgroup_discovery.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Powershell Get LocalGroup Discovery with Script Block Logging", "id": "d7c6ad22-155c-11ec-bb64-acde48001122", "version": 2, "date": "2022-04-26", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \\\nThis analytic identifies PowerShell cmdlet - `get-localgroup` being ran. Typically, by itself, is not malicious but may raise suspicion based on time of day, endpoint and username. \\\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*get-localgroup*\" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_get_localgroup_discovery_with_script_block_logging_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives may be present. Tune as needed.", "references": ["https://www.splunk.com/en_us/blog/security/powershell-detections-threat-research-release-august-2021.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/"], "tags": {"name": "Powershell Get LocalGroup Discovery with Script Block Logging", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Local group discovery on $dest$ by $user$.", "mitre_attack_id": ["T1069", "T1069.001"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "admin@338"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/getlocalgroup.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_get_localgroup_discovery_with_script_block_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_get_localgroup_discovery_with_script_block_logging.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "PowerShell Invoke CIMMethod CIMSession", "id": "651ee958-a433-471c-b264-39725b788b83", "version": 1, "date": "2023-03-22", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic identifies the use of the New-CIMSession cmdlet being created along with the Invoke-CIMMethod cmdlet being used within PowerShell. This particular behavior is similar to the usage of the Invoke-WMIMethod cmdlet, which is known for executing WMI commands on targets using NTLMv2 pass-the-hash authentication. The New-CIMSession cmdlet allows users to create a new CIM session object for a specified computer system, which can then be used to execute CIM operations remotely. Similarly, the Invoke-CIMMethod cmdlet is used to invoke a specified method on one or more CIM objects. Therefore, the combination of New-CIMSession and Invoke-CIMMethod cmdlets in PowerShell can potentially indicate malicious behavior, and this analytic can help detect such activity.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*invoke-CIMMethod*\", \"*New-CimSession*\") | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_invoke_cimmethod_cimsession_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives may be present based on third-party applications or administrators using CIM. It is recommended to apply appropriate filters as needed to minimize the number of false positives.", "references": ["https://learn.microsoft.com/en-us/powershell/module/cimcmdlets/invoke-cimmethod?view=powershell-7.3"], "tags": {"name": "PowerShell Invoke CIMMethod CIMSession", "analytic_story": ["Malicious PowerShell", "Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "PowerShell was identified running a Invoke-CIMMethod Invoke-CIMSession on $Computer$.", "mitre_attack_id": ["T1047"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ScriptBlockText", "Computer"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/4104-cimmethod-windows-powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_invoke_cimmethod_cimsession_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_invoke_cimmethod_cimsession.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "PowerShell Invoke WmiExec Usage", "id": "0734bd21-2769-4972-a5f1-78bb1e011224", "version": 1, "date": "2023-03-22", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "This analytic detects the usage of the Invoke-WMIExec utility within PowerShell Script Block Logging (EventCode 4104). The utility is used for executing WMI commands on targets using NTLMv2 pass-the-hash authentication.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*invoke-wmiexec*\") | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_invoke_wmiexec_usage_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited as this analytic is designed to detect a specific utility. It is recommended to apply appropriate filters as needed to minimize the number of false positives.", "references": ["https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-WMIExec.ps1"], "tags": {"name": "PowerShell Invoke WmiExec Usage", "analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Installation"], "message": "PowerShell was identified running a Invoke-WmiExec on $Computer$.", "mitre_attack_id": ["T1047"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ScriptBlockText", "Computer"], "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/invokewmiexec_windows-powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_invoke_wmiexec_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_invoke_wmiexec_usage.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Powershell Load Module in Meterpreter", "id": "d5905da5-d050-48db-9259-018d8f034fcf", "version": 1, "date": "2022-11-22", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \\\nThis analytic identifies \"MSF.Powershell\",\"MSF.Powershell.Meterpreter\",\"MSF.Powershell.Meterpreter.Kiwi\",\"MSF.Powershell.Meterpreter.Transport\" being used. This behavior is related to when a Meterpreter session is started and the operator runs load_kiwi. \\\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*MSF.Powershell*\",\"*MSF.Powershell.Meterpreter*\",\"*MSF.Powershell.Meterpreter.Kiwi*\",\"*MSF.Powershell.Meterpreter.Transport*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_load_module_in_meterpreter_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "False positives should be very limited as this is strict to MetaSploit behavior.", "references": ["https://github.com/OJ/metasploit-payloads/blob/master/powershell/MSF.Powershell/Scripts.cs"], "tags": {"name": "Powershell Load Module in Meterpreter", "analytic_story": ["MetaSploit"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Installation"], "message": "PowerShell was identified running a script utilized by Meterpreter from MetaSploit on endpoint $Computer$ by user $user_id$.", "mitre_attack_id": ["T1059", "T1059.001"], "nist": ["DE.CM"], "observable": [{"name": "user_id", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ScriptBlockText", "Computer", "User_id"], "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/metasploit/msf.powershell.powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_load_module_in_meterpreter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_load_module_in_meterpreter.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "id": "85bc3f30-ca28-11eb-bd21-acde48001122", "version": 3, "date": "2023-04-05", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable no critical endpoints or all. \\\nThis analytic identifies the use of PowerShell loading .net assembly via reflection. This is commonly found in malicious PowerShell usage, including Empire and Cobalt Strike. In addition, the `load(` value may be modifed by removing `(` and it will identify more events to review. \\\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*[system.reflection.assembly]::load(*\",\"*[reflection.assembly]*\", \"*reflection.assembly*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_loading_dotnet_into_memory_via_reflection_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited as day to day scripts do not use this method.", "references": ["https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly?view=net-5.0", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/"], "tags": {"name": "PowerShell Loading DotNET into Memory via Reflection", "analytic_story": ["Winter Vivern", "AgentTesla", "AsyncRAT", "Hermetic Wiper", "Malicious PowerShell", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation"], "message": "A suspicious powershell script contains reflective class assembly command in $ScriptBlockText$ to load .net code in memory with EventCode $EventCode$ in host $Computer$", "mitre_attack_id": ["T1059", "T1059.001"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/reflection.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_loading_dotnet_into_memory_via_reflection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Powershell Processing Stream Of Data", "id": "0d718b52-c9f1-11eb-bc61-acde48001122", "version": 2, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is processing compressed stream data. This is typically found in obfuscated PowerShell or PowerShell executing embedded .NET or binary files that are stream flattened and will be deflated durnig execution. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*IO.Compression.*\" OR ScriptBlockText = \"*IO.StreamReader*\" OR ScriptBlockText = \"*]::Decompress*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_processing_stream_of_data_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "powershell may used this function to process compressed data.", "references": ["https://medium.com/@ahmedjouini99/deobfuscating-emotets-powershell-payload-e39fb116f7b9", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"name": "Powershell Processing Stream Of Data", "analytic_story": ["Malicious PowerShell", "AsyncRAT", "Hermetic Wiper", "Data Destruction", "IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Installation"], "message": "A suspicious powershell script contains stream command in $ScriptBlockText$ commonly for processing compressed or to decompressed binary file with EventCode $EventCode$ in host $Computer$", "mitre_attack_id": ["T1059", "T1059.001"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ScriptBlockText", "Computer", "UserID", "Score"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/streamreader.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_processing_stream_of_data_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_processing_stream_of_data.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Powershell Remote Thread To Known Windows Process", "id": "ec102cb2-a0f5-11eb-9b38-acde48001122", "version": 2, "date": "2022-08-25", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "this search is designed to detect suspicious powershell process that tries to inject code and to known/critical windows process and execute it using CreateRemoteThread. This technique is seen in several malware like trickbot and offensive tooling like cobaltstrike where it load a shellcode to svchost.exe to execute reverse shell to c2 and download another payload", "data_source": [], "search": "`sysmon` EventCode = 8 parent_process_name IN (\"powershell_ise.exe\", \"powershell.exe\") TargetImage IN (\"*\\\\svchost.exe\",\"*\\\\csrss.exe\" \"*\\\\gpupdate.exe\", \"*\\\\explorer.exe\",\"*\\\\services.exe\",\"*\\\\winlogon.exe\",\"*\\\\smss.exe\",\"*\\\\wininit.exe\",\"*\\\\userinit.exe\",\"*\\\\spoolsv.exe\",\"*\\\\taskhost.exe\") | stats min(_time) as firstTime max(_time) as lastTime count by SourceImage process_name SourceProcessId SourceProcessGuid TargetImage TargetProcessId NewThreadId StartAddress Computer EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_remote_thread_to_known_windows_process_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, Create Remote thread from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of create remote thread may be used.", "known_false_positives": "unknown", "references": ["https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/"], "tags": {"name": "Powershell Remote Thread To Known Windows Process", "analytic_story": ["Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "A suspicious powershell process $process_name$ that tries to create a remote thread on target process $TargetImage$ with eventcode $EventCode$ in host $Computer$", "mitre_attack_id": ["T1055"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "SourceImage", "process_name", "SourceProcessId", "SourceProcessGuid", "TargetImage", "TargetProcessId", "NewThreadId", "StartAddress", "Computer", "EventCode"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/infection/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_remote_thread_to_known_windows_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_remote_thread_to_known_windows_process.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Powershell Remove Windows Defender Directory", "id": "adf47620-79fa-11ec-b248-acde48001122", "version": 3, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic will identify a suspicious PowerShell command used to delete the Windows Defender folder. This technique was seen used by the WhisperGate malware campaign where it used Nirsofts advancedrun.exe to gain administrative privileges to then execute a PowerShell command to delete the Windows Defender folder. This is a good indicator the offending process is trying corrupt a Windows Defender installation.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*rmdir *\" AND ScriptBlockText = \"*\\\\Microsoft\\\\Windows Defender*\" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_remove_windows_defender_directory_filter` ", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "unknown", "references": ["https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"name": "Powershell Remove Windows Defender Directory", "analytic_story": ["Data Destruction", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "suspicious powershell script $ScriptBlockText$ was executed on the $Computer$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_remove_windows_defender_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_remove_windows_defender_directory.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "PowerShell Start-BitsTransfer", "id": "39e2605a-90d8-11eb-899e-acde48001122", "version": 2, "date": "2021-03-29", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "Start-BitsTransfer is the PowerShell \"version\" of BitsAdmin.exe. Similar functionality is present. This technique variation is not as commonly used by adversaries, but has been abused in the past. Lesser known uses include the ability to set the `-TransferType` to `Upload` for exfiltration of files. In an instance where `Upload` is used, it is highly possible files will be archived. During triage, review parallel processes and process lineage. Capture any files on disk and review. For the remote domain or IP, what is the reputation?", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*start-bitstransfer* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.original_file_name Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_start_bitstransfer_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Limited false positives. It is possible administrators will utilize Start-BitsTransfer for administrative tasks, otherwise filter based parent process or command-line arguments.", "references": ["https://isc.sans.edu/diary/Investigating+Microsoft+BITS+Activity/23281", "https://docs.microsoft.com/en-us/windows/win32/bits/using-windows-powershell-to-create-bits-transfer-jobs"], "tags": {"name": "PowerShell Start-BitsTransfer", "analytic_story": ["BITS Jobs"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "message": "A suspicious process $process_name$ with commandline $process$ that are related to bittransfer functionality in host $dest$", "mitre_attack_id": ["T1197"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1197", "mitre_attack_technique": "BITS Jobs", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT39", "APT41", "Leviathan", "Patchwork"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "powershell_start_bitstransfer_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_start_bitstransfer.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "PowerShell Start or Stop Service", "id": "04207f8a-e08d-4ee6-be26-1e0c4488b04a", "version": 1, "date": "2023-03-24", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic identifies the use of PowerShell's Start-Service or Stop-Service cmdlets on an endpoint. These cmdlets allow users to start or stop a specified Windows service. The ability to manipulate services can be leveraged by attackers to disable or stop critical services, which can cause system instability or disrupt business operations. By detecting the use of Start-Service or Stop-Service cmdlets via PowerShell, this analytic can help organizations identify potential malicious activity related to attackers attempting to manipulate services on compromised systems. However, note that this behavior may be noisy, as these cmdlets are commonly used by system administrators or other legitimate users to manage services. Therefore, it is recommended not to enable this analytic as a direct notable or TTP. Instead, it should be used as part of a broader set of security controls to detect and investigate potential threats.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*start-service*\", \"*stop-service*\") | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_start_or_stop_service_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "This behavior may be noisy, as these cmdlets are commonly used by system administrators or other legitimate users to manage services. Therefore, it is recommended not to enable this analytic as a direct notable or TTP. Instead, it should be used as part of a broader set of security controls to detect and investigate potential threats.", "references": ["https://learn-powershell.net/2012/01/15/startingstopping-and-restarting-remote-services-with-powershell/", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/start-service?view=powershell-7.3"], "tags": {"name": "PowerShell Start or Stop Service", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 20, "impact": 50, "kill_chain_phases": ["Installation"], "message": "PowerShell was identified attempting to start or stop a service on $Computer$.", "mitre_attack_id": ["T1059.001"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ScriptBlockText", "Computer"], "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/start_stop_service_windows-powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_start_or_stop_service_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_start_or_stop_service.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Powershell Using memory As Backing Store", "id": "c396a0c4-c9f2-11eb-b4f5-acde48001122", "version": 2, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is using memory stream as new object backstore. The malicious PowerShell script will contain stream flate data and will be decompressed in memory to run or drop the actual payload. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = *New-Object* ScriptBlockText = *IO.MemoryStream* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_using_memory_as_backing_store_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "powershell may used this function to store out object into memory.", "references": ["https://web.archive.org/web/20201112031711/https://www.carbonblack.com/blog/decoding-malicious-powershell-streams/", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"name": "Powershell Using memory As Backing Store", "analytic_story": ["Malicious PowerShell", "Hermetic Wiper", "Data Destruction", "IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Installation"], "message": "A PowerShell script contains memorystream command in $ScriptBlockText$ as new object backstore with EventCode $EventCode$ on host $Computer$.", "mitre_attack_id": ["T1059.001", "T1059"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ScriptBlockText", "Computer", "UserID"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/honeypots/pwsh/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_using_memory_as_backing_store_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_using_memory_as_backing_store.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Powershell Windows Defender Exclusion Commands", "id": "907ac95c-4dd9-11ec-ba2c-acde48001122", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic will detect a suspicious process commandline related to windows defender exclusion feature. This command is abused by adversaries, malware author and red teams to bypassed Windows Defender Anti-Virus product by excluding folder path, file path, process, extensions and etc. from its real time or schedule scan to execute their malicious code. This is a good indicator for defense evasion and to look further for events after this behavior.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (Message = \"*Add-MpPreference *\" OR Message = \"*Set-MpPreference *\") AND Message = \"*-exclusion*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_windows_defender_exclusion_commands_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "admin or user may choose to use this windows features.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html", "https://app.any.run/tasks/cf1245de-06a7-4366-8209-8e3006f2bfe5/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"name": "Powershell Windows Defender Exclusion Commands", "analytic_story": ["CISA AA22-320A", "AgentTesla", "Remcos", "Windows Defense Evasion Tactics", "Data Destruction", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "exclusion command $Message$ executed on $ComputerName$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "User", "type": "User", "role": ["Victim"]}, {"name": "ComputerName", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Message", "ComputerName", "User"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/defender_exclusion_powershell/powershell.log", "source": "WinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "powershell_windows_defender_exclusion_commands_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/powershell_windows_defender_exclusion_commands.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Prevent Automatic Repair Mode using Bcdedit", "id": "7742aa92-c9d9-11eb-bbfc-acde48001122", "version": 1, "date": "2021-06-10", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious bcdedit.exe execution to ignore all failures. This technique was used by ransomware to prevent the compromise machine automatically boot in repair mode.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"bcdedit.exe\" Processes.process = \"*bootstatuspolicy*\" Processes.process = \"*ignoreallfailures*\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `prevent_automatic_repair_mode_using_bcdedit_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed bcdedit.exe may be used.", "known_false_positives": "Administrators may modify the boot configuration ignore failure during testing and debugging.", "references": ["https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf"], "tags": {"name": "Prevent Automatic Repair Mode using Bcdedit", "analytic_story": ["Ransomware", "Chaos Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "message": "A suspicious process $process_name$ with process id $process_id$ contains commandline $process$ to ignore all bcdedit execution failure in host $dest$", "mitre_attack_id": ["T1490"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.dest", "Processes.user", "Processes.process_id", "Processes.process_guid"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data1/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "prevent_automatic_repair_mode_using_bcdedit_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Print Processor Registry Autostart", "id": "1f5b68aa-2037-11ec-898e-acde48001122", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "experimental", "description": "This analytic is to detect a suspicious modification or new registry entry regarding print processor. This registry is known to be abuse by turla or other APT to gain persistence and privilege escalation to the compromised machine. This is done by adding the malicious dll payload on the new created key in this registry that will be executed as it restarted the spoolsv.exe process and services.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path =\"*\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Print Processors*\" by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `print_processor_registry_autostart_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "possible new printer installation may add driver component on this registry.", "references": ["https://attack.mitre.org/techniques/T1547/012/", "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/"], "tags": {"name": "Print Processor Registry Autostart", "analytic_story": ["Data Destruction", "Windows Privilege Escalation", "Hermetic Wiper", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "modified/added/deleted registry entry $Registry.registry_path$ in $dest$", "mitre_attack_id": ["T1547.012", "T1547"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.user", "Registry.registry_path", "Registry.registry_key_name", "Registry.registry_value_name"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/print_reg/sysmon_print.log", "source": "WinEventLog:Microsoft-Windows-PrintService/Operational", "sourcetype": "WinEventLog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "print_processor_registry_autostart_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/print_processor_registry_autostart.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Print Spooler Adding A Printer Driver", "id": "313681a2-da8e-11eb-adad-acde48001122", "version": 1, "date": "2021-07-01", "author": "Mauricio Velazco, Michael Haag, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies new printer drivers being load by utilizing the Windows PrintService operational logs, EventCode 316. This was identified during our testing of CVE-2021-34527 previously (CVE-2021-1675) or PrintNightmare. \\\nWithin the proof of concept code, the following event will occur - \"Printer driver 1234 for Windows x64 Version-3 was added or updated. Files:- UNIDRV.DLL, kernelbase.dll, evil.dll. No user action is required.\" \\\nDuring triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events and review the source of where the exploitation began.", "data_source": ["Sysmon Event ID 3"], "search": "`printservice` EventCode=316 category = \"Adding a printer driver\" Message = \"*kernelbase.dll,*\" Message = \"*UNIDRV.DLL,*\" Message = \"*.DLL.*\" | stats count min(_time) as firstTime max(_time) as lastTime by OpCode EventCode ComputerName Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `print_spooler_adding_a_printer_driver_filter`", "how_to_implement": "You will need to ensure PrintService Admin and Operational logs are being logged to Splunk from critical or all systems.", "known_false_positives": "Unknown. This may require filtering.", "references": ["https://twitter.com/MalwareJake/status/1410421445608476679?s=20", "https://www.truesec.com/hub/blog/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available", "https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "tags": {"name": "Print Spooler Adding A Printer Driver", "analytic_story": ["PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "Suspicious print driver was loaded on endpoint $ComputerName$.", "mitre_attack_id": ["T1547.012", "T1547"], "nist": ["DE.CM"], "observable": [{"name": "ComputerName", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "OpCode", "EventCode", "ComputerName", "Message"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "cve": ["CVE-2021-34527", "CVE-2021-1675"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-printservice_operational.log", "source": "WinEventLog:Microsoft-Windows-PrintService/Operational", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "printservice", "definition": "source=\"wineventlog:microsoft-windows-printservice/operational\" OR source=\"WinEventLog:Microsoft-Windows-PrintService/Admin\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "print_spooler_adding_a_printer_driver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-34527", "cvss": 9.0, "summary": "Windows Print Spooler Remote Code Execution Vulnerability"}, {"id": "CVE-2021-1675", "cvss": 9.3, "summary": "Windows Print Spooler Elevation of Privilege Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/print_spooler_adding_a_printer_driver.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Print Spooler Failed to Load a Plug-in", "id": "1adc9548-da7c-11eb-8f13-acde48001122", "version": 1, "date": "2021-07-01", "author": "Mauricio Velazco, Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies driver load errors utilizing the Windows PrintService Admin logs. This was identified during our testing of CVE-2021-34527 previously (CVE-2021-1675) or PrintNightmare. \\\nWithin the proof of concept code, the following error will occur - \"The print spooler failed to load a plug-in module C:\\Windows\\system32\\spool\\DRIVERS\\x64\\3\\meterpreter.dll, error code 0x45A. See the event user data for context information.\" \\\nThe analytic is based on file path and failure to load the plug-in. \\\nDuring triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events.", "data_source": [], "search": "`printservice` ((ErrorCode=\"0x45A\" (EventCode=\"808\" OR EventCode=\"4909\")) OR (\"The print spooler failed to load a plug-in module\" OR \"\\\\drivers\\\\x64\\\\\")) | stats count min(_time) as firstTime max(_time) as lastTime by OpCode EventCode ComputerName Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `print_spooler_failed_to_load_a_plug_in_filter`", "how_to_implement": "You will need to ensure PrintService Admin and Operational logs are being logged to Splunk from critical or all systems.", "known_false_positives": "False positives are unknown and filtering may be required.", "references": ["https://www.truesec.com/hub/blog/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available", "https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "tags": {"name": "Print Spooler Failed to Load a Plug-in", "analytic_story": ["PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "Suspicious printer spooler errors have occured on endpoint $ComputerName$ with EventCode $EventCode$.", "mitre_attack_id": ["T1547.012", "T1547"], "nist": ["DE.CM"], "observable": [{"name": "ComputerName", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "OpCode", "EventCode", "ComputerName", "Message"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "cve": ["CVE-2021-34527", "CVE-2021-1675"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-printservice_admin.log", "source": "WinEventLog:Microsoft-Windows-PrintService/Admin", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "printservice", "definition": "source=\"wineventlog:microsoft-windows-printservice/operational\" OR source=\"WinEventLog:Microsoft-Windows-PrintService/Admin\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "print_spooler_failed_to_load_a_plug_in_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-34527", "cvss": 9.0, "summary": "Windows Print Spooler Remote Code Execution Vulnerability"}, {"id": "CVE-2021-1675", "cvss": 9.3, "summary": "Windows Print Spooler Elevation of Privilege Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Process Creating LNK file in Suspicious Location", "id": "5d814af1-1041-47b5-a9ac-d754e82e9a26", "version": 5, "date": "2021-08-26", "author": "Jose Hernandez, Splunk", "type": "TTP", "status": "production", "description": "This search looks for a process launching an `*.lnk` file under `C:\\User*` or `*\\Local\\Temp\\*`. This is common behavior used by various spear phishing tools.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name=\"*.lnk\" AND (Filesystem.file_path=\"C:\\\\User\\\\*\" OR Filesystem.file_path=\"*\\\\Temp\\\\*\") by _time span=1h Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.file_hash Filesystem.user | `drop_dm_object_name(Filesystem)` | rename process_guid as lnk_guid | join lnk_guid, _time [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=* by _time span=1h Processes.parent_process_guid Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process | `drop_dm_object_name(Processes)` | rename parent_process_guid as lnk_guid | fields _time lnk_guid process_id dest process_name process_path process] | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime, lastTime, lnk_guid, process_id, user, dest, file_name, file_path, process_name, process, process_path, file_hash | `process_creating_lnk_file_in_suspicious_location_filter`", "how_to_implement": "You must be ingesting data that records filesystem and process activity from your hosts to populate the Endpoint data model. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon.", "known_false_positives": "This detection should yield little or no false positive results. It is uncommon for LNK files to be executed from temporary or user directories.", "references": ["https://attack.mitre.org/techniques/T1566/001/", "https://www.trendmicro.com/en_us/research/17/e/rising-trend-attackers-using-lnk-files-download-malware.html", "https://twitter.com/pr0xylife/status/1590394227758104576"], "tags": {"name": "Process Creating LNK file in Suspicious Location", "analytic_story": ["Spearphishing Attachments", "Qakbot", "IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Delivery"], "message": "A process $process_name$ that launching .lnk file in $file_path$ in host $dest$", "mitre_attack_id": ["T1566", "T1566.002"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.file_name", "Filesystem.file_path", "Filesystem.process_id", "Filesystem.file_name", "Filesystem.file_path", "Filesystem.file_hash", "Filesystem.user"], "risk_score": 63, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.002/lnk_file_temp_folder/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_creating_lnk_file_in_suspicious_location_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Process Deleting Its Process File Path", "id": "f7eda4bc-871c-11eb-b110-acde48001122", "version": 2, "date": "2023-04-14", "author": "Teoderick Contreras", "type": "TTP", "status": "production", "description": "This detection is to identify a suspicious process that tries to delete the process file path related to its process. This technique is known to be defense evasion once a certain condition of malware is satisfied or not. Clop ransomware use this technique where it will try to delete its process file path using a .bat command if the keyboard layout is not the layout it tries to infect.", "data_source": ["Sysmon Event ID 1"], "search": "`sysmon` EventCode=1 CommandLine = \"* /c *\" CommandLine = \"* del*\" Image = \"*\\\\cmd.exe\" | eval result = if(like(process,\"%\".parent_process.\"%\"), \"Found\", \"Not Found\") | stats min(_time) as firstTime max(_time) as lastTime count by Computer user ParentImage ParentCommandLine Image CommandLine EventCode ProcessID result | where result = \"Found\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `process_deleting_its_process_file_path_filter`", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "unknown", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"name": "Process Deleting Its Process File Path", "analytic_story": ["Clop Ransomware", "Data Destruction", "WhisperGate", "Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "A process $Image$ tries to delete its process path in commandline $cmdline$ as part of defense evasion in host $Computer$", "mitre_attack_id": ["T1070"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["EventCode", "Computer", "user", "ParentImage", "ParentCommandLine", "Image", "cmdline", "ProcessID", "result", "_time"], "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "process_deleting_its_process_file_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/process_deleting_its_process_file_path.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Process Execution via WMI", "id": "24869767-8579-485d-9a4f-d9ddfd8f0cac", "version": 4, "date": "2020-03-16", "author": "Rico Valdez, Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies `WmiPrvSE.exe` spawning a process. This typically occurs when a process is instantiated from a local or remote process using `wmic.exe`. During triage, review parallel processes for suspicious behavior or commands executed. Review the process and command-line spawning from `wmiprvse.exe`. Contain and remediate the endpoint as necessary.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=WmiPrvSE.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `process_execution_via_wmi_filter` ", "how_to_implement": "You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "Although unlikely, administrators may use wmi to execute commands for legitimate purposes.", "references": [], "tags": {"name": "Process Execution via WMI", "analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "message": "A remote instance execution of wmic.exe that will spawn $parent_process_name$ in host $dest$", "mitre_attack_id": ["T1047"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.parent_process_name", "Processes.user", "Processes.dest", "Processes.process_name"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_execution_via_wmi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/process_execution_via_wmi.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Process Kill Base On File Path", "id": "5ffaa42c-acdb-11eb-9ad3-acde48001122", "version": 2, "date": "2021-05-04", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of `wmic.exe` using `delete` to remove a executable path. This is typically ran via a batch file during beginning stages of an adversary setting up for mining on an endpoint.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` AND Processes.process=\"*process*\" AND Processes.process=\"*executablepath*\" AND Processes.process=\"*delete*\" by Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `process_kill_base_on_file_path_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Unknown.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"name": "Process Kill Base On File Path", "analytic_story": ["XMRig"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "A process $process_name$ attempt to kill process by its file path using commandline $process$ in host $dest$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_kill_base_on_file_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/process_kill_base_on_file_path.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Process Writing DynamicWrapperX", "id": "b0a078e4-2601-11ec-9aec-acde48001122", "version": 1, "date": "2021-10-05", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "DynamicWrapperX is an ActiveX component that can be used in a script to call Windows API functions, but it requires the dynwrapx.dll to be installed and registered. With that, a binary writing dynwrapx.dll to disk and registering it into the registry is highly suspect. Why is it needed? In most malicious instances, it will be written to disk at a non-standard location. During triage, review parallel processes and pivot on the process_guid. Review the registry for any suspicious modifications meant to load dynwrapx.dll. Identify any suspicious module loads of dynwrapx.dll. This will identify the process that will invoke vbs/wscript/cscript.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by _time Processes.process_id Processes.process_name Processes.dest Processes.process_guid Processes.user | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_name=\"dynwrapx.dll\" by _time Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid Filesystem.user | `drop_dm_object_name(Filesystem)` | fields _time process_guid file_path file_name file_create_time user dest process_name] | stats count min(_time) as firstTime max(_time) as lastTime by dest process_name process_guid file_name file_path file_create_time user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `process_writing_dynamicwrapperx_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited, however it is possible to filter by Processes.process_name and specific processes (ex. wscript.exe). Filter as needed. This may need modification based on EDR telemetry and how it brings in registry data. For example, removal of (Default).", "references": ["https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/", "https://www.script-coding.com/dynwrapx_eng.html", "https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/", "https://tria.ge/210929-ap75vsddan", "https://www.virustotal.com/gui/file/cb77b93150cb0f7fe65ce8a7e2a5781e727419451355a7736db84109fa215a89"], "tags": {"name": "Process Writing DynamicWrapperX", "analytic_story": ["Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation"], "message": "An instance of $process_name$ was identified on endpoint $dest$ downloading the DynamicWrapperX dll.", "mitre_attack_id": ["T1059", "T1559.001"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "process_name", "process_guid", "file_name", "file_path", "file_create_time user"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1559.001", "mitre_attack_technique": "Component Object Model", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["Gamaredon Group", "MuddyWater"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_writing_dynamicwrapperx_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/process_writing_dynamicwrapperx.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Processes launching netsh", "id": "b89919ed-fe5f-492c-b139-95dbb162040e", "version": 4, "date": "2021-09-16", "author": "Michael Haag, Josef Kuepker, Splunk", "type": "Anomaly", "status": "production", "description": "This search looks for processes launching netsh.exe. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process) AS Processes.process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` by Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.user Processes.dest |`drop_dm_object_name(\"Processes\")` |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`processes_launching_netsh_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Some VPN applications are known to launch netsh.exe. Outside of these instances, it is unusual for an executable to launch netsh.exe and run commands.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"name": "Processes launching netsh", "analytic_story": ["Netsh Abuse", "Disabling Security Tools", "DHS Report TA18-074A", "Azorult", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 20, "kill_chain_phases": ["Exploitation"], "message": "A process $process_name$ has launched netsh with command-line $process$ on $dest$.", "mitre_attack_id": ["T1562.004", "T1562"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.user", "Processes.dest"], "risk_score": 14, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_netsh", "definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "processes_launching_netsh_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/processes_launching_netsh.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Processes Tapping Keyboard Events", "id": "2a371608-331d-4034-ae2c-21dda8f1d0ec", "version": 1, "date": "2019-01-25", "author": "Jose Hernandez, Splunk", "type": "TTP", "status": "experimental", "description": "This search looks for processes in an MacOS system that is tapping keyboard events in MacOS, and essentially monitoring all keystrokes made by a user. This is a common technique used by RATs to log keystrokes from a victim, although it can also be used by legitimate processes like Siri to react on human input", "data_source": [], "search": "| from datamodel Alerts.Alerts | search app=osquery:results name=pack_osx-attacks_Keyboard_Event_Taps | rename columns.cmdline as cmd, columns.name as process_name, columns.pid as process_id| dedup host,process_name | table host,process_name, cmd, process_id | `processes_tapping_keyboard_events_filter`", "how_to_implement": "In order to properly run this search, Splunk needs to ingest data from your osquery deployed agents with the [osx-attacks.conf](https://github.com/facebook/osquery/blob/experimental/packs/osx-attacks.conf#L599) pack enabled. Also the [TA-OSquery](https://github.com/d1vious/TA-osquery) must be deployed across your indexers and universal forwarders in order to have the osquery data populate the Alerts data model.", "known_false_positives": "There might be some false positives as keyboard event taps are used by processes like Siri and Zoom video chat, for some good examples of processes to exclude please see [this](https://github.com/facebook/osquery/pull/5345#issuecomment-454639161) comment.", "references": [], "tags": {"name": "Processes Tapping Keyboard Events", "analytic_story": ["ColdRoot MacOS RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "app", "name", "columns.cmdline", "columns.name", "columns.pid", "host"], "risk_score": 25, "security_domain": "threat", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "processes_tapping_keyboard_events_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/processes_tapping_keyboard_events.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Randomly Generated Scheduled Task Name", "id": "9d22a780-5165-11ec-ad4f-3e22fbd008af", "version": 1, "date": "2021-11-29", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "experimental", "description": "The following hunting analytic leverages Event ID 4698, `A scheduled task was created`, to identify the creation of a Scheduled Task with a suspicious, high entropy, Task Name. To achieve this, this analytic also leverages the `ut_shannon` function from the URL ToolBox Splunk application. Red teams and adversaries alike may abuse the Task Scheduler to create and start a remote Scheduled Task and obtain remote code execution. To achieve this goal, tools like Impacket or Crapmapexec, typically create a Scheduled Task with a random task name on the victim host. This hunting analytic may help defenders identify Scheduled Tasks created as part of a lateral movement attack. The entropy threshold `ut_shannon > 3` should be customized by users. The Command field can be used to determine if the task has malicious intent or not.", "data_source": ["Windows Security 4698"], "search": " `wineventlog_security` EventCode=4698 | xmlkv Message | lookup ut_shannon_lookup word as Task_Name | where ut_shannon > 3 | table _time, dest, Task_Name, ut_shannon, Command, Author, Enabled, Hidden | `randomly_generated_scheduled_task_name_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA as well as the URL ToolBox application are also required.", "known_false_positives": "Legitimate applications may use random Scheduled Task names.", "references": ["https://attack.mitre.org/techniques/T1053/005/", "https://splunkbase.splunk.com/app/2734/", "https://en.wikipedia.org/wiki/Entropy_(information_theory)"], "tags": {"name": "Randomly Generated Scheduled Task Name", "analytic_story": ["Active Directory Lateral Movement", "CISA AA22-257A", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A windows scheduled task with a suspicious task name was created on $dest$", "mitre_attack_id": ["T1053", "T1053.005"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "Task_Name", "Description", "Command"], "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}]}, "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "randomly_generated_scheduled_task_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/randomly_generated_scheduled_task_name.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Randomly Generated Windows Service Name", "id": "2032a95a-5165-11ec-a2c3-3e22fbd008af", "version": 1, "date": "2021-11-29", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "experimental", "description": "The following hunting analytic leverages Event ID 7045, `A new service was installed in the system`, to identify the installation of a Windows Service with a suspicious, high entropy, Service Name. To achieve this, this analytic also leverages the `ut_shannon` function from the URL ToolBox Splunk application. Red teams and adversaries alike may abuse the Service Control Manager to create and start a remote Windows Service and obtain remote code execution. To achieve this goal, some tools like Metasploit, Cobalt Strike and Impacket, typically create a Windows Service with a random service name on the victim host. This hunting analytic may help defenders identify Windows Services installed as part of a lateral movement attack. The entropy threshold `ut_shannon > 3` should be customized by users. The Service_File_Name field can be used to determine if the Windows Service has malicious intent or not.", "data_source": ["Sysmon Event ID 7"], "search": " `wineventlog_system` EventCode=7045 | lookup ut_shannon_lookup word as Service_Name | where ut_shannon > 3 | table EventCode ComputerName Service_Name ut_shannon Service_Start_Type Service_Type Service_File_Name | `randomly_generated_windows_service_name_filter` ", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints. The Windows TA as well as the URL ToolBox application are also required.", "known_false_positives": "Legitimate applications may use random Windows Service names.", "references": ["https://attack.mitre.org/techniques/T1543/003/"], "tags": {"name": "Randomly Generated Windows Service Name", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A Windows Service with a suspicious service name was installed on $ComputerName$", "mitre_attack_id": ["T1543", "T1543.003"], "nist": ["DE.AE"], "observable": [{"name": "Service_File_Name", "type": "Other", "role": ["Other"]}, {"name": "ComputerName", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ComputerName", "Service_File_Name", "Service_Type", "Service_Name", "Service_Start_Type"], "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}]}, "datamodel": [], "macros": [{"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "randomly_generated_windows_service_name_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/randomly_generated_windows_service_name.yml", "source": "endpoint"}, {"name": "Ransomware Notes bulk creation", "id": "eff7919a-8330-11eb-83f8-acde48001122", "version": 1, "date": "2021-03-12", "author": "Teoderick Contreras", "type": "Anomaly", "status": "production", "description": "The following analytics identifies a big number of instance of ransomware notes (filetype e.g .txt, .html, .hta) file creation to the infected machine. This behavior is a good sensor if the ransomware note filename is quite new for security industry or the ransomware note filename is not in your ransomware lookup table list for monitoring.", "data_source": ["Sysmon Event ID 1"], "search": "`sysmon` EventCode=11 file_name IN (\"*\\.txt\",\"*\\.html\",\"*\\.hta\") |bin _time span=10s | stats min(_time) as firstTime max(_time) as lastTime dc(TargetFilename) as unique_readme_path_count values(TargetFilename) as list_of_readme_path by Computer Image file_name | where unique_readme_path_count >= 15 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ransomware_notes_bulk_creation_filter`", "how_to_implement": "You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.", "known_false_positives": "unknown", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html"], "tags": {"name": "Ransomware Notes bulk creation", "analytic_story": ["Clop Ransomware", "DarkSide Ransomware", "BlackMatter Ransomware", "Chaos Ransomware", "LockBit Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "message": "A high frequency file creation of $file_name$ in different file path in host $Computer$", "mitre_attack_id": ["T1486"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["EventCode", "file_name", "_time", "TargetFilename", "Computer", "Image", "user"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "ransomware_notes_bulk_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/ransomware_notes_bulk_creation.yml", "source": "endpoint"}, {"name": "Recon AVProduct Through Pwh or WMI", "id": "28077620-c9f6-11eb-8785-acde48001122", "version": 2, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies suspicious PowerShell script execution via EventCode 4104 performing checks to identify anti-virus products installed on the endpoint. This technique is commonly found in malware and APT events where the adversary will map all running security applications or services. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*SELECT*\" OR ScriptBlockText = \"*WMIC*\") AND (ScriptBlockText = \"*AntiVirusProduct*\" OR ScriptBlockText = \"*AntiSpywareProduct*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `recon_avproduct_through_pwh_or_wmi_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "network administrator may used this command for checking purposes", "references": ["https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html"], "tags": {"name": "Recon AVProduct Through Pwh or WMI", "analytic_story": ["Qakbot", "Windows Post-Exploitation", "Hermetic Wiper", "Ransomware", "Prestige Ransomware", "Malicious PowerShell", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Reconnaissance"], "message": "A suspicious powershell script contains AV recon command in $ScriptBlockText$ with EventCode $EventCode$ in host $Computer$", "mitre_attack_id": ["T1592"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ScriptBlockText", "Computer", "UserID"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/t1592/pwh_av_recon/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "recon_avproduct_through_pwh_or_wmi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Recon Using WMI Class", "id": "018c1972-ca07-11eb-9473-acde48001122", "version": 2, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies suspicious PowerShell via EventCode 4104, where WMI is performing an event query looking for running processes or running services. This technique is commonly found where the adversary will identify services and system information on the compromised machine. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (ScriptBlockText= \"*SELECT*\" OR ScriptBlockText= \"*Get-WmiObject*\") AND (ScriptBlockText= \"*Win32_Bios*\" OR ScriptBlockText= \"*Win32_OperatingSystem*\" OR ScriptBlockText= \"*Win32_Processor*\" OR ScriptBlockText= \"*Win32_ComputerSystem*\" OR ScriptBlockText= \"*Win32_PnPEntity*\" OR ScriptBlockText= \"*Win32_ShadowCopy*\" OR ScriptBlockText= \"*Win32_DiskDrive*\" OR ScriptBlockText= \"*Win32_PhysicalMemory*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `recon_using_wmi_class_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "network administrator may used this command for checking purposes", "references": ["https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/", "https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html", "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html"], "tags": {"name": "Recon Using WMI Class", "analytic_story": ["AsyncRAT", "Qakbot", "Industroyer2", "Hermetic Wiper", "LockBit Ransomware", "Malicious PowerShell", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 75, "kill_chain_phases": ["Reconnaissance", "Installation"], "message": "A suspicious powershell script contains host recon command in $ScriptBlockText$ with EventCode $EventCode$ in host $Computer$", "mitre_attack_id": ["T1592", "T1059.001"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ScriptBlockText", "Computer", "UserID"], "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/reconusingwmi.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "recon_using_wmi_class_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/recon_using_wmi_class.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Recursive Delete of Directory In Batch CMD", "id": "ba570b3a-d356-11eb-8358-acde48001122", "version": 3, "date": "2022-11-12", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious commandline designed to delete files or directory recursive using batch command. This technique was seen in ransomware (reddot) where it it tries to delete the files in recycle bin to impaire user from recovering deleted files.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` Processes.process=*/c* Processes.process=\"* rd *\" Processes.process=\"*/s*\" Processes.process=\"*/q*\" by Processes.user Processes.process_name Processes.parent_process_name Processes.parent_process Processes.process Processes.process_id Processes.dest |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `recursive_delete_of_directory_in_batch_cmd_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "network operator may use this batch command to delete recursively a directory or files within directory", "references": ["https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/"], "tags": {"name": "Recursive Delete of Directory In Batch CMD", "analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Recursive Delete of Directory In Batch CMD by $user$ on $dest$", "mitre_attack_id": ["T1070.004", "T1070"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data2/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "recursive_delete_of_directory_in_batch_cmd_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Reg exe Manipulating Windows Services Registry Keys", "id": "8470d755-0c13-45b3-bd63-387a373c10cf", "version": 5, "date": "2020-11-26", "author": "Rico Valdez, Splunk", "type": "TTP", "status": "production", "description": "The search looks for reg.exe modifying registry keys that define Windows services and their configurations.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name values(Processes.user) as user FROM datamodel=Endpoint.Processes where Processes.process_name=reg.exe Processes.process=*reg* Processes.process=*add* Processes.process=*Services* by Processes.process_id Processes.dest Processes.process | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `reg_exe_manipulating_windows_services_registry_keys_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "It is unusual for a service to be created or modified by directly manipulating the registry. However, there may be legitimate instances of this behavior. It is important to validate and investigate, as appropriate.", "references": [], "tags": {"name": "Reg exe Manipulating Windows Services Registry Keys", "analytic_story": ["Windows Service Abuse", "Windows Persistence Techniques", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 75, "kill_chain_phases": ["Exploitation", "Installation"], "message": "A reg.exe process $process_name$ with commandline $process$ in host $dest$", "mitre_attack_id": ["T1574.011", "T1574"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.parent_process_name", "Processes.user", "Processes.process", "Processes.process_id", "Processes.dest"], "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.011/change_registry_path_service/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "reg_exe_manipulating_windows_services_registry_keys_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Registry Keys for Creating SHIM Databases", "id": "f5f6af30-7aa7-4295-bfe9-07fe87c01bbb", "version": 6, "date": "2023-04-27", "author": "Steven Dick, Bhavin Patel, Patrick Bareiss, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search looks for registry activity associated with application compatibility shims, which can be leveraged by attackers for various nefarious purposes.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=*CurrentVersion\\\\AppCompatFlags\\\\Custom* OR Registry.registry_path=*CurrentVersion\\\\AppCompatFlags\\\\InstalledSDB*) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_for_creating_shim_databases_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "There are many legitimate applications that leverage shim databases for compatibility purposes for legacy applications", "references": [], "tags": {"name": "Registry Keys for Creating SHIM Databases", "analytic_story": ["Suspicious Windows Registry Activities", "Windows Persistence Techniques", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A registry activity in $registry_path$ related to shim modication in host $dest$", "mitre_attack_id": ["T1546.011", "T1546"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.011", "mitre_attack_technique": "Application Shimming", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN7"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.011/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "registry_keys_for_creating_shim_databases_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/registry_keys_for_creating_shim_databases.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Registry Keys Used For Persistence", "id": "f5f6af30-7aa7-4295-bfe9-07fe87c01a4b", "version": 9, "date": "2023-06-06", "author": "Jose Hernandez, David Dorsey, Teoderick Contreras, Rod Soto, Splunk", "type": "TTP", "status": "production", "description": "The search looks for modifications or alterations made to registry keys that have the potential to initiate the launch of an application or service during system startup. By monitoring and detecting modifications in these registry keys, we can identify suspicious or unauthorized changes that could be indicative of malicious activity. This proactive approach helps in safeguarding the system's integrity and security by promptly identifying and mitigating potential threats that aim to gain persistence or execute malicious actions during the startup process.", "data_source": ["Sysmon Event ID 12", "Sysmon Event ID 13", "Sysmon Event ID 14"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path=*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce OR Registry.registry_path=*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\StartupApproved\\\\Run OR Registry.registry_path= \"*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\*\" OR Registry.registry_path= \"*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\*\" OR Registry.registry_path=*\\\\currentversion\\\\run* OR Registry.registry_path=*\\\\currentVersion\\\\Windows\\\\Appinit_Dlls* OR Registry.registry_path=*\\\\CurrentVersion\\\\Winlogon\\\\Shell* OR Registry.registry_path=*\\\\CurrentVersion\\\\Winlogon\\\\Notify* OR Registry.registry_path=*\\\\CurrentVersion\\\\Winlogon\\\\Userinit* OR Registry.registry_path=*\\\\CurrentVersion\\\\Winlogon\\\\VmApplet* OR Registry.registry_path=*\\\\currentversion\\\\policies\\\\explorer\\\\run* OR Registry.registry_path=*\\\\currentversion\\\\runservices* OR Registry.registry_path=HKLM\\\\SOFTWARE\\\\Microsoft\\\\Netsh\\\\* OR Registry.registry_path= \"*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\" OR Registry.registry_path= *\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\SharedTaskScheduler OR Registry.registry_path= *\\\\Classes\\\\htmlfile\\\\shell\\\\open\\\\command OR (Registry.registry_path=\"*Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options*\" AND Registry.registry_key_name=Debugger) OR (Registry.registry_path=\"*\\\\CurrentControlSet\\\\Control\\\\Lsa\" AND Registry.registry_key_name=\"Security Packages\") OR (Registry.registry_path=\"*\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\" AND Registry.registry_key_name=\"Security Packages\") OR (Registry.registry_path=\"*\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\") OR (Registry.registry_path=\"*currentVersion\\\\Windows\" AND Registry.registry_key_name=\"Load\") OR (Registry.registry_path=\"*\\\\CurrentVersion\" AND Registry.registry_key_name=\"Svchost\") OR (Registry.registry_path=\"*\\\\CurrentControlSet\\Control\\Session Manager\"AND Registry.registry_key_name=\"BootExecute\") OR (Registry.registry_path=\"*\\\\Software\\\\Run\" AND Registry.registry_key_name=\"auto_update\")) by Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_used_for_persistence_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "There are many legitimate applications that must execute on system startup and will use these registry keys to accomplish that task.", "references": [], "tags": {"name": "Registry Keys Used For Persistence", "analytic_story": ["Suspicious Windows Registry Activities", "Suspicious MSHTA Activity", "DHS Report TA18-074A", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Ransomware", "Windows Persistence Techniques", "Emotet Malware DHS Report TA18-201A ", "IcedID", "Remcos", "Windows Registry Abuse", "Azorult", "Qakbot", "Chaos Ransomware", "AsyncRAT", "Amadey", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 95, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A registry activity in $registry_path$ related to persistence in host $dest$", "mitre_attack_id": ["T1547.001", "T1547"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.dest", "Registry.user"], "risk_score": 76, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "registry_keys_used_for_persistence_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/registry_keys_used_for_persistence.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Registry Keys Used For Privilege Escalation", "id": "c9f4b923-f8af-4155-b697-1354f5bcbc5e", "version": 7, "date": "2023-04-27", "author": "Steven Dick, David Dorsey, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search looks for modifications to registry keys that can be used to elevate privileges. The registry keys under \"Image File Execution Options\" are used to intercept calls to an executable and can be used to attach malicious binaries to benign system binaries.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path=\"*Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options*\") AND (Registry.registry_value_name=GlobalFlag OR Registry.registry_value_name=Debugger)) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_used_for_privilege_escalation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "There are many legitimate applications that must execute upon system startup and will use these registry keys to accomplish that task.", "references": ["https://blog.malwarebytes.com/101/2015/12/an-introduction-to-image-file-execution-options/"], "tags": {"name": "Registry Keys Used For Privilege Escalation", "analytic_story": ["Cloud Federated Credential Abuse", "Hermetic Wiper", "Windows Privilege Escalation", "Windows Registry Abuse", "Data Destruction", "Suspicious Windows Registry Activities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 95, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A registry activity in $registry_path$ related to privilege escalation in host $dest$", "mitre_attack_id": ["T1546.012", "T1546"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 76, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["TEMP.Veles"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.012/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "registry_keys_used_for_privilege_escalation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/registry_keys_used_for_privilege_escalation.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "id": "f421c250-24e7-11ec-bc43-acde48001122", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to detect a loading of dll using regsvr32 application with silent parameter and dllinstall execution. This technique was seen in several RAT malware similar to remcos, njrat and adversaries to load their malicious DLL on the compromised machine. This TTP may executed by normal 3rd party application so it is better to pivot by the parent process, parent command-line and command-line of the file that execute this regsvr32.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` AND Processes.process=\"*/i*\" by Processes.dest Processes.parent_process Processes.process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/][Ss]{1}\") | `regsvr32_silent_and_install_param_dll_loading_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Other third part application may used this parameter but not so common in base windows environment.", "references": ["https://app.any.run/tasks/dc93ee63-050c-4ff8-b07e-8277af9ab939/", "https://attack.mitre.org/techniques/T1218/010/"], "tags": {"name": "Regsvr32 Silent and Install Param Dll Loading", "analytic_story": ["AsyncRAT", "Hermetic Wiper", "Living Off The Land", "Data Destruction", "Remcos", "Suspicious Regsvr32 Activity"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a DLL using the silent and dllinstall parameter.", "mitre_attack_id": ["T1218", "T1218.010"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.005/vbs_wscript/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_regsvr32", "definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "regsvr32_silent_and_install_param_dll_loading_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "id": "c9ef7dc4-eeaf-11eb-b2b6-acde48001122", "version": 2, "date": "2021-07-27", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies Regsvr32.exe utilizing the silent switch to load DLLs. This technique has most recently been seen in IcedID campaigns to load its initial dll that will download the 2nd stage loader that will download and decrypt the config payload. The switch type may be either a hyphen `-` or forward slash `/`. This behavior is typically found with `-s`, and it is possible there are more switch types that may be used. \\ During triage, review parallel processes and capture any artifacts that may have landed on disk. Isolate and contain the endpoint as necessary.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/][Ss]{1}\") | `regsvr32_with_known_silent_switch_cmdline_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "minimal. but network operator can use this application to load dll.", "references": ["https://app.any.run/tasks/56680cba-2bbc-4b34-8633-5f7878ddf858/", "https://regexr.com/699e2"], "tags": {"name": "Regsvr32 with Known Silent Switch Cmdline", "analytic_story": ["IcedID", "Suspicious Regsvr32 Activity", "Remcos", "Living Off The Land", "Qakbot", "AsyncRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a DLL using the silent parameter.", "mitre_attack_id": ["T1218", "T1218.010"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_regsvr32", "definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "regsvr32_with_known_silent_switch_cmdline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Remcos client registry install entry", "id": "f2a1615a-1d63-11ec-97d2-acde48001122", "version": 3, "date": "2022-11-14", "author": "Steven Dick, Bhavin Patel, Rod Soto, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search detects registry key license at host where Remcos RAT agent is installed.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_key_name=*\\\\Software\\\\Remcos*) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`remcos_client_registry_install_entry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/570", "known_false_positives": "unknown", "references": ["https://attack.mitre.org/software/S0332/"], "tags": {"name": "Remcos client registry install entry", "analytic_story": ["Remcos", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "A registry entry $registry_path$ with registry keyname $registry_key_name$ related to Remcos RAT in host $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.user", "Processes.dest", "Processes.process_id", "Processes.process_name", "Processes.process", "Processes.process_path", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_guid", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_registry/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "remcos_client_registry_install_entry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/remcos_client_registry_install_entry.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Remcos RAT File Creation in Remcos Folder", "id": "25ae862a-1ac3-11ec-94a1-acde48001122", "version": 2, "date": "2021-09-21", "author": "Teoderick Contreras, Splunk, Sanjay Govind", "type": "TTP", "status": "production", "description": "This search is to detect file creation in remcos folder in appdata which is the keylog and clipboard logs that will be send to its c2 server. This is really a good TTP indicator that there is a remcos rat in the system that do keylogging, clipboard grabbing and audio recording.", "data_source": ["Sysmon Event ID 11"], "search": "|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*.dat\") Filesystem.file_path = \"*\\\\remcos\\\\*\" by _time Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.file_create_time | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remcos_rat_file_creation_in_remcos_folder_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "references": ["https://success.trendmicro.com/dcx/s/solution/1123281-remcos-malware-information?language=en_US", "https://blog.malwarebytes.com/threat-intelligence/2021/07/remcos-rat-delivered-via-visual-basic/"], "tags": {"name": "Remcos RAT File Creation in Remcos Folder", "analytic_story": ["Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "file $file_name$ created in $file_path$ of $dest$", "mitre_attack_id": ["T1113"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "file_create_time", "file_name", "file_path"], "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1113", "mitre_attack_technique": "Screen Capture", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT39", "BRONZE BUTLER", "Dark Caracal", "Dragonfly", "FIN7", "GOLD SOUTHFIELD", "Gamaredon Group", "Group5", "Magic Hound", "MuddyWater", "OilRig", "Silence"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_agent/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "remcos_rat_file_creation_in_remcos_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/remcos_rat_file_creation_in_remcos_folder.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Remote Desktop Process Running On System", "id": "f5939373-8054-40ad-8c64-cec478a22a4a", "version": 5, "date": "2020-07-21", "author": "David Dorsey, Splunk", "type": "Hunting", "status": "experimental", "description": "This search looks for the remote desktop process mstsc.exe running on systems upon which it doesn't typically run. This is accomplished by filtering out all systems that are noted in the `common_rdp_source category` in the Assets and Identity framework.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=*mstsc.exe AND Processes.dest_category!=common_rdp_source by Processes.dest Processes.user Processes.process | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `remote_desktop_process_running_on_system_filter` ", "how_to_implement": "To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. The search requires you to identify systems that do not commonly use remote desktop. You can use the included support search \"Identify Systems Using Remote Desktop\" to identify these systems. After identifying them, you will need to add the \"common_rdp_source\" category to that system using the Enterprise Security Assets and Identities framework. This can be done by adding an entry in the assets.csv file located in `SA-IdentityManagement/lookups`.", "known_false_positives": "Remote Desktop may be used legitimately by users on the network.", "references": [], "tags": {"name": "Remote Desktop Process Running On System", "analytic_story": ["Hidden Cobra Malware", "Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1021.001", "T1021"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.dest_category", "Processes.dest", "Processes.user"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "remote_desktop_process_running_on_system_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/remote_desktop_process_running_on_system.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Remote Process Instantiation via DCOM and PowerShell", "id": "d4f42098-4680-11ec-ad07-3e22fbd008af", "version": 1, "date": "2021-11-15", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `powershell.exe` with arguments utilized to start a process on a remote endpoint by abusing the DCOM protocol. Specifically, this search looks for the abuse of ShellExecute and ExecuteShellCommand. Red Teams and adversaries alike may abuse DCOM and `powershell.exe` for lateral movement and remote code execution.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process=\"*Document.ActiveView.ExecuteShellCommand*\" OR Processes.process=\"*Document.Application.ShellExecute*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_dcom_and_powershell_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints.", "known_false_positives": "Administrators may leverage DCOM to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.", "references": ["https://attack.mitre.org/techniques/T1021/003/", "https://www.cybereason.com/blog/dcom-lateral-movement-techniques"], "tags": {"name": "Remote Process Instantiation via DCOM and PowerShell", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "A process was started on a remote endpoint from $dest by abusing DCOM using PowerShell.exe", "mitre_attack_id": ["T1021", "T1021.003"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/lateral_movement/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "remote_process_instantiation_via_dcom_and_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Remote Process Instantiation via DCOM and PowerShell Script Block", "id": "fa1c3040-4680-11ec-a618-3e22fbd008af", "version": 2, "date": "2022-03-22", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of PowerShell with arguments utilized to start a process on a remote endpoint by abusing the DCOM protocol. Specifically, this search looks for the abuse of ShellExecute and ExecuteShellCommand. Red Teams and adversaries alike may abuse DCOM for lateral movement and remote code execution.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (ScriptBlockText=\"*Document.Application.ShellExecute*\" OR ScriptBlockText=\"*Document.ActiveView.ExecuteShellCommand*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_process_instantiation_via_dcom_and_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators may leverage DCOM to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.", "references": ["https://attack.mitre.org/techniques/T1021/003/", "https://www.cybereason.com/blog/dcom-lateral-movement-techniques"], "tags": {"name": "Remote Process Instantiation via DCOM and PowerShell Script Block", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "A process was started on a remote endpoint from $Computer$ by abusing WMI using PowerShell.exe", "mitre_attack_id": ["T1021", "T1021.003"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ScriptBlockText", "Computer", "user_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_psh/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "remote_process_instantiation_via_dcom_and_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell_script_block.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Remote Process Instantiation via WinRM and PowerShell", "id": "ba24cda8-4716-11ec-8009-3e22fbd008af", "version": 1, "date": "2021-11-16", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `powershell.exe` with arguments utilized to start a process on a remote endpoint by abusing the WinRM protocol. Specifically, this search looks for the abuse of the `Invoke-Command` commandlet. Red Teams and adversaries alike may abuse WinRM and `powershell.exe` for lateral movement and remote code execution.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process=\"*Invoke-Command*\" AND Processes.process=\"*-ComputerName*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_winrm_and_powershell_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints.", "known_false_positives": "Administrators may leverage WinRM and `Invoke-Command` to start a process on remote systems for system administration or automation use cases. However, this activity is usually limited to a small set of hosts or users.", "references": ["https://attack.mitre.org/techniques/T1021/006/", "https://pentestlab.blog/2018/05/15/lateral-movement-winrm/"], "tags": {"name": "Remote Process Instantiation via WinRM and PowerShell", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "A process was started on a remote endpoint from $dest by abusing WinRM using PowerShell.exe", "mitre_attack_id": ["T1021", "T1021.006"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "Threat Group-3390", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_psh/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "remote_process_instantiation_via_winrm_and_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Remote Process Instantiation via WinRM and PowerShell Script Block", "id": "7d4c618e-4716-11ec-951c-3e22fbd008af", "version": 2, "date": "2022-03-22", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of PowerShell with arguments utilized to start a process on a remote endpoint by abusing the WinRM protocol. Specifically, this search looks for the abuse of the `Invoke-Command` commandlet. Red Teams and adversaries alike may abuse WinRM for lateral movement and remote code execution.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (ScriptBlockText=\"*Invoke-Command*\" AND ScriptBlockText=\"*-ComputerName*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_process_instantiation_via_winrm_and_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators may leverage WinRM and `Invoke-Command` to start a process on remote systems for system administration or automation use cases. This activity is usually limited to a small set of hosts or users. In certain environments, tuning may not be possible.", "references": ["https://attack.mitre.org/techniques/T1021/006/", "https://pentestlab.blog/2018/05/15/lateral-movement-winrm/"], "tags": {"name": "Remote Process Instantiation via WinRM and PowerShell Script Block", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "A process was started on a remote endpoint from $Computer$ by abusing WinRM using PowerShell.exe", "mitre_attack_id": ["T1021", "T1021.006"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "Threat Group-3390", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_psh/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "remote_process_instantiation_via_winrm_and_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell_script_block.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Remote Process Instantiation via WinRM and Winrs", "id": "0dd296a2-4338-11ec-ba02-3e22fbd008af", "version": 1, "date": "2021-11-11", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `winrs.exe` with command-line arguments utilized to start a process on a remote endpoint. Red Teams and adversaries alike may abuse the WinRM protocol and this binary for lateral movement and remote code execution.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=winrs.exe OR Processes.original_file_name=winrs.exe) (Processes.process=\"*-r:*\" OR Processes.process=\"*-remote:*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_winrm_and_winrs_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints.", "known_false_positives": "Administrators may leverage WinRM and WinRs to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/winrs", "https://attack.mitre.org/techniques/T1021/006/"], "tags": {"name": "Remote Process Instantiation via WinRM and Winrs", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "A process was started on a remote endpoint from $dest", "mitre_attack_id": ["T1021", "T1021.006"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "Threat Group-3390", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "remote_process_instantiation_via_winrm_and_winrs_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Remote Process Instantiation via WMI", "id": "d25d2c3d-d9d8-40ec-8fdf-e86fe155a3da", "version": 7, "date": "2021-11-12", "author": "Rico Valdez, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies wmic.exe being launched with parameters to spawn a process on a remote system. Red Teams and adversaries alike may abuse WMI and this binary for lateral movement and remote code execution.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` (Processes.process=\"*/node:*\" AND Processes.process=\"*process*\" AND Processes.process=\"*call*\" AND Processes.process=\"*create*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_wmi_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "The wmic.exe utility is a benign Windows application. It may be used legitimately by Administrators with these parameters for remote system administration, but it's relatively uncommon.", "references": ["https://attack.mitre.org/techniques/T1047/", "https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/create-method-in-class-win32-process"], "tags": {"name": "Remote Process Instantiation via WMI", "analytic_story": ["Ransomware", "Suspicious WMI Use", "Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "message": "A wmic.exe process $process$ contain process spawn commandline $process$ in host $dest$", "mitre_attack_id": ["T1047"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "remote_process_instantiation_via_wmi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/remote_process_instantiation_via_wmi.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Remote Process Instantiation via WMI and PowerShell", "id": "112638b4-4634-11ec-b9ab-3e22fbd008af", "version": 1, "date": "2021-11-15", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `powershell.exe` leveraging the `Invoke-WmiMethod` commandlet complemented with arguments utilized to start a process on a remote endpoint by abusing WMI. Red Teams and adversaries alike may abuse WMI and `powershell.exe` for lateral movement and remote code execution.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process=\"*Invoke-WmiMethod*\" AND Processes.process=\"*-CN*\" AND Processes.process=\"*-Class Win32_Process*\" AND Processes.process=\"*-Name create*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_process_instantiation_via_wmi_and_powershell_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints.", "known_false_positives": "Administrators may leverage WWMI and powershell.exe to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.", "references": ["https://attack.mitre.org/techniques/T1047/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/invoke-wmimethod?view=powershell-5.1"], "tags": {"name": "Remote Process Instantiation via WMI and PowerShell", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Installation"], "message": "A process was started on a remote endpoint from $dest by abusing WMI using PowerShell.exe", "mitre_attack_id": ["T1047"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/lateral_movement/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "remote_process_instantiation_via_wmi_and_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Remote Process Instantiation via WMI and PowerShell Script Block", "id": "2a048c14-4634-11ec-a618-3e22fbd008af", "version": 2, "date": "2022-11-15", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Invoke-WmiMethod` commandlet with arguments utilized to start a process on a remote endpoint by abusing WMI. Red Teams and adversaries alike may abuse WMI and this commandlet for lateral movement and remote code execution.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText=\"*Invoke-WmiMethod*\" AND (ScriptBlockText=\"*-CN*\" OR ScriptBlockText=\"*-ComputerName*\") AND ScriptBlockText=\"*-Class Win32_Process*\" AND ScriptBlockText=\"*-Name create*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_process_instantiation_via_wmi_and_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup instructions can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators may leverage WWMI and powershell.exe to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.", "references": ["https://attack.mitre.org/techniques/T1047/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/invoke-wmimethod?view=powershell-5.1"], "tags": {"name": "Remote Process Instantiation via WMI and PowerShell Script Block", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Installation"], "message": "A process was started on a remote endpoint from $Computer$ by abusing WMI using PowerShell.exe", "mitre_attack_id": ["T1047"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Message", "Computer", "UserID"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/lateral_movement/wmi_remote_process_powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "remote_process_instantiation_via_wmi_and_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell_script_block.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Remote System Discovery with Adsisearcher", "id": "70803451-0047-4e12-9d63-77fa7eb8649c", "version": 2, "date": "2022-06-29", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain computers. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain computers for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*adsisearcher*\" AND ScriptBlockText = \"*objectcategory=computer*\" AND ScriptBlockText IN (\"*findAll()*\",\"*findOne()*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `remote_system_discovery_with_adsisearcher_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use Adsisearcher for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/"], "tags": {"name": "Remote System Discovery with Adsisearcher", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Remote system discovery enumeration on $Computer$ by $user$", "mitre_attack_id": ["T1018"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ScriptBlockText", "Computer", "UserID"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/adsisearcher-powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "remote_system_discovery_with_adsisearcher_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/remote_system_discovery_with_adsisearcher.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Remote System Discovery with Dsquery", "id": "9fb562f4-42f8-4139-8e11-a82edf7ed718", "version": 1, "date": "2021-08-31", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to discover remote systems. The `computer` argument returns a list of all computers registered in the domain. Red Teams and adversaries alike engage in remote system discovery for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"dsquery.exe\") (Processes.process=\"*computer*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_system_discovery_with_dsquery_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952(v=ws.11)"], "tags": {"name": "Remote System Discovery with Dsquery", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Remote system discovery enumeration on $dest$ by $user$", "mitre_attack_id": ["T1018"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "remote_system_discovery_with_dsquery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/remote_system_discovery_with_dsquery.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Remote System Discovery with Net", "id": "9df16706-04a2-41e2-bbfe-9b38b34409d3", "version": 1, "date": "2021-08-30", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to discover remote systems. The argument `domain computers /domain` returns a list of all domain computers. Red Teams and adversaries alike use net.exe to identify remote systems for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"net.exe\" OR Processes.process_name=\"net1.exe\") (Processes.process=\"*domain computers*\" AND Processes.process=*/do*) OR (Processes.process=\"*view*\" AND Processes.process=*/do*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_system_discovery_with_net_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"name": "Remote System Discovery with Net", "analytic_story": ["Active Directory Discovery", "IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Remote system discovery enumeration on $dest$ by $user$", "mitre_attack_id": ["T1018"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "remote_system_discovery_with_net_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/remote_system_discovery_with_net.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Remote System Discovery with Wmic", "id": "d82eced3-b1dc-42ab-859e-a2fc98827359", "version": 1, "date": "2021-09-01", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to discover remote systems. The arguments utilized in this command return a list of all the systems registered in the domain. Red Teams and adversaries alike may leverage WMI and wmic.exe to identify remote systems for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"wmic.exe\") (Processes.process=*/NAMESPACE:\\\\\\\\root\\\\directory\\\\ldap* AND Processes.process=*ds_computer* AND Processes.process=\"*GET ds_samaccountname*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_system_discovery_with_wmic_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmic"], "tags": {"name": "Remote System Discovery with Wmic", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Remote system discovery enumeration on $dest$ by $user$", "mitre_attack_id": ["T1018"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "remote_system_discovery_with_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/remote_system_discovery_with_wmic.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Remote WMI Command Attempt", "id": "272df6de-61f1-4784-877c-1fbc3e2d0838", "version": 4, "date": "2023-06-13", "author": "Rico Valdez, Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies usage of `wmic.exe` spawning a local or remote process, identified by the `node` switch. During triage, review parallel processes for additional commands executed. Look for any file modifications before and after `wmic.exe` execution. In addition, identify the remote endpoint and confirm execution or file modifications. Contain and isolate the endpoint as needed.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process=*node* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_wmi_command_attempt_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. Deprecated because duplicate of Remote Process Instantiation via WMI.", "known_false_positives": "Administrators may use this legitimately to gather info from remote systems. Filter as needed.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.yaml", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"name": "Remote WMI Command Attempt", "analytic_story": ["Volt Typhoon", "Graceful Wipe Out Attack", "IcedID", "Suspicious WMI Use", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Installation"], "message": "A wmic.exe process $process$ contain node commandline $process$ in host $dest$", "mitre_attack_id": ["T1047"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.user", "Processes.process_name", "Processes.parent_process_name", "Processes.dest", "Processes.parent_process", "Processes.parent_process_id", "Processes.process_id"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "remote_wmi_command_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/remote_wmi_command_attempt.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Resize ShadowStorage volume", "id": "bc760ca6-8336-11eb-bcbb-acde48001122", "version": 1, "date": "2021-03-12", "author": "Teoderick Contreras", "type": "TTP", "status": "production", "description": "The following analytics identifies the resizing of shadowstorage by ransomware malware to avoid the shadow volumes being made again. this technique is an alternative by ransomware attacker than deleting the shadowstorage which is known alert in defensive team. one example of ransomware that use this technique is CLOP ransomware where it drops a .bat file that will resize the shadowstorage to minimum size as much as possible", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as cmdline values(Processes.parent_process_name) as parent_process values(Processes.process_name) as process_name min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = \"cmd.exe\" OR Processes.parent_process_name = \"powershell.exe\" OR Processes.parent_process_name = \"powershell_ise.exe\" OR Processes.parent_process_name = \"wmic.exe\" Processes.process_name = \"vssadmin.exe\" Processes.process=\"*resize*\" Processes.process=\"*shadowstorage*\" Processes.process=\"*/maxsize*\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `resize_shadowstorage_volume_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "network admin can resize the shadowstorage for valid purposes.", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md", "https://redcanary.com/blog/blackbyte-ransomware/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/vssadmin-resize-shadowstorage"], "tags": {"name": "Resize ShadowStorage volume", "analytic_story": ["Clop Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "message": "A process $parent_process_name$ attempt to resize shadow copy with commandline $process$ in host $dest$", "mitre_attack_id": ["T1490"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.process", "Processes.parent_process_name", "_time", "Processes.process_name", "Processes.parent_process", "Processes.dest", "Processes.user"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "resize_shadowstorage_volume_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/resize_shadowstorage_volume.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Revil Common Exec Parameter", "id": "85facebe-c382-11eb-9c3e-acde48001122", "version": 2, "date": "2021-06-02", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies suspicious commandline parameter that are commonly used by REVIL ransomware to encrypts the compromise machine.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"* -nolan *\" OR Processes.process = \"* -nolocal *\" OR Processes.process = \"* -fast *\" OR Processes.process = \"* -full *\" by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `revil_common_exec_parameter_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "third party tool may have same command line parameters as revil ransomware.", "references": ["https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/"], "tags": {"name": "Revil Common Exec Parameter", "analytic_story": ["Ransomware", "Revil Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 60, "kill_chain_phases": ["Installation"], "message": "A process $process_name$ with commandline $process$ related to revil ransomware in host $dest$", "mitre_attack_id": ["T1204"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.parent_process_name", "Processes.parent_process", "Processes.dest", "Processes.user", "Processes.process_id", "Processes.process_guid"], "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/revil/inf1/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "revil_common_exec_parameter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/revil_common_exec_parameter.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Revil Registry Entry", "id": "e3d3f57a-c381-11eb-9e35-acde48001122", "version": 3, "date": "2022-11-14", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies suspicious modification in registry entry to keep some malware data during its infection. This technique seen in several apt implant, malware and ransomware like REVIL where it keep some information like the random generated file extension it uses for all the encrypted files and ransomware notes file name in the compromised host.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\SOFTWARE\\\\WOW6432Node\\\\Facebook_Assistant\\\\*\" OR Registry.registry_path=\"*\\\\SOFTWARE\\\\WOW6432Node\\\\BlackLivesMatter*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `revil_registry_entry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "references": ["https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/"], "tags": {"name": "Revil Registry Entry", "analytic_story": ["Ransomware", "Revil Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "A registry entry $registry_path$ with registry value $registry_value_name$ and $registry_value_name$ related to revil ransomware in host $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.user", "Processes.dest", "Processes.process_id", "Processes.process_name", "Processes.process", "Processes.process_path", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_guid", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/revil/inf1/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "revil_registry_entry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/revil_registry_entry.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Rubeus Command Line Parameters", "id": "cca37478-8377-11ec-b59a-acde48001122", "version": 1, "date": "2022-02-01", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "Rubeus is a C# toolset for raw Kerberos interaction and abuses. It is heavily adapted from Benjamin Delpys Kekeo project and Vincent LE TOUXs MakeMeEnterpriseAdmin project. This analytic looks for the use of Rubeus command line arguments utilized in common Kerberos attacks like exporting and importing tickets, forging silver and golden tickets, requesting a TGT or TGS, kerberoasting, password spraying, etc. Red teams and adversaries alike use Rubeus for Kerberos attacks within Active Directory networks. Defenders should be aware that adversaries may customize the source code of Rubeus and modify the command line parameters. This would effectively bypass this analytic.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process = \"*ptt /ticket*\" OR Processes.process = \"* monitor /interval*\" OR Processes.process =\"* asktgt* /user:*\" OR Processes.process =\"* asktgs* /service:*\" OR Processes.process =\"* golden* /user:*\" OR Processes.process =\"* silver* /service:*\" OR Processes.process =\"* kerberoast*\" OR Processes.process =\"* asreproast*\" OR Processes.process = \"* renew* /ticket:*\" OR Processes.process = \"* brute* /password:*\" OR Processes.process = \"* brute* /passwords:*\" OR Processes.process =\"* harvest*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rubeus_command_line_parameters_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Although unlikely, legitimate applications may use the same command line parameters as Rubeus. Filter as needed.", "references": ["https://github.com/GhostPack/Rubeus", "https://web.archive.org/web/20210725005734/http://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/", "https://attack.mitre.org/techniques/T1550/003/", "https://en.hackndo.com/kerberos-silver-golden-tickets/"], "tags": {"name": "Rubeus Command Line Parameters", "analytic_story": ["Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "Rubeus command line parameters were used on $dest$", "mitre_attack_id": ["T1550", "T1550.003", "T1558", "T1558.003", "T1558.004"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id", "Processes.parent_process_name"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1550.003", "mitre_attack_technique": "Pass the Ticket", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT29", "APT32", "BRONZE BUTLER"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1558.004", "mitre_attack_technique": "AS-REP Roasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.003/rubeus/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "rubeus_command_line_parameters_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/rubeus_command_line_parameters.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Rubeus Kerberos Ticket Exports Through Winlogon Access", "id": "5ed8c50a-8869-11ec-876f-acde48001122", "version": 1, "date": "2022-02-07", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic looks for a process accessing the winlogon.exe system process. The Splunk Threat Research team identified this behavior when using the Rubeus tool to monitor for and export kerberos tickets from memory. Before being able to export tickets. Rubeus will try to escalate privileges to SYSTEM by obtaining a handle to winlogon.exe before trying to monitor for kerberos tickets. Exporting tickets from memory is typically the first step for pass the ticket attacks. Red teams and adversaries alike may use the pass the ticket technique using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Defenders should be aware that adversaries may customize the source code of Rubeus to potentially bypass this analytic.", "data_source": ["Sysmon Event ID 1"], "search": " `sysmon` EventCode=10 TargetImage=C:\\\\Windows\\\\system32\\\\winlogon.exe (GrantedAccess=0x1f3fff) (SourceImage!=C:\\\\Windows\\\\system32\\\\svchost.exe AND SourceImage!=C:\\\\Windows\\\\system32\\\\lsass.exe AND SourceImage!=C:\\\\Windows\\\\system32\\\\LogonUI.exe AND SourceImage!=C:\\\\Windows\\\\system32\\\\smss.exe AND SourceImage!=C:\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe) | stats count min(_time) as firstTime max(_time) as lastTime by Computer, SourceImage, SourceProcessId, TargetImage, TargetProcessId, EventCode, GrantedAccess | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `rubeus_kerberos_ticket_exports_through_winlogon_access_filter`", "how_to_implement": "This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 10. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment.", "known_false_positives": "Legitimate applications may obtain a handle for winlogon.exe. Filter as needed", "references": ["https://github.com/GhostPack/Rubeus", "https://web.archive.org/web/20210725005734/http://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/", "https://attack.mitre.org/techniques/T1550/003/"], "tags": {"name": "Rubeus Kerberos Ticket Exports Through Winlogon Access", "analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "Winlogon.exe was accessed by $SourceImage$ on $dest$", "mitre_attack_id": ["T1550", "T1550.003"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "TargetImage", "type": "Process", "role": ["Target"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "TargetImage", "CallTrace", "Computer", "TargetProcessId", "SourceImage", "SourceProcessId"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1550.003", "mitre_attack_technique": "Pass the Ticket", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT29", "APT32", "BRONZE BUTLER"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.003/rubeus/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "rubeus_kerberos_ticket_exports_through_winlogon_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Runas Execution in CommandLine", "id": "4807e716-43a4-11ec-a0e7-acde48001122", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "This analytic look for a spawned runas.exe process with a administrator user option parameter. This parameter was abused by adversaries, malware author or even red teams to gain elevated privileges in target host. This is a good hunting query to figure out privilege escalation tactics that may used for different stages like lateral movement but take note that administrator may use this command in purpose so its better to see other event context before and after this analytic.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_runas` AND Processes.process = \"*/user:*\" AND Processes.process = \"*admin*\" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `runas_execution_in_commandline_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "A network operator or systems administrator may utilize an automated or manual execute this command that may generate false positives. filter is needed.", "references": ["https://app.any.run/tasks/ad4c3cda-41f2-4401-8dba-56cc2d245488/"], "tags": {"name": "Runas Execution in CommandLine", "analytic_story": ["Data Destruction", "Hermetic Wiper", "Windows Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "elevated process using runas on $dest$ by $user$", "mitre_attack_id": ["T1134", "T1134.001"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1134.001", "mitre_attack_technique": "Token Impersonation/Theft", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "FIN8"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/vilsel/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_runas", "definition": "(Processes.process_name=runas.exe OR Processes.original_file_name=runas.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "runas_execution_in_commandline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/runas_execution_in_commandline.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Rundll32 Control RunDLL Hunt", "id": "c8e7ced0-10c5-11ec-8b03-acde48001122", "version": 1, "date": "2021-09-08", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following hunting detection identifies rundll32.exe with `control_rundll` within the command-line, loading a .cpl or another file type. Developed in relation to CVE-2021-40444. Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. \\ This is written to be a bit more broad by not including .cpl. \\ During triage, review parallel processes to identify any further suspicious behavior.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*Control_RunDLL* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_control_rundll_hunt_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "This is a hunting detection, meant to provide a understanding of how voluminous control_rundll is within the environment.", "references": ["https://strontic.github.io/xcyclopedia/library/rundll32.exe-111474C61232202B5B588D2B512CBB25.html", "https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/", "https://attack.mitre.org/techniques/T1218/011/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.yaml", "https://redcanary.com/blog/intelligence-insights-december-2021/"], "tags": {"name": "Rundll32 Control RunDLL Hunt", "analytic_story": ["Suspicious Rundll32 Activity", "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a suspicious file from disk.", "mitre_attack_id": ["T1218", "T1218.011"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2021-40444"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.002/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "rundll32_control_rundll_hunt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-40444", "cvss": 6.8, "summary": "Microsoft MSHTML Remote Code Execution Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/rundll32_control_rundll_hunt.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Rundll32 Control RunDLL World Writable Directory", "id": "1adffe86-10c3-11ec-8ce6-acde48001122", "version": 1, "date": "2021-09-08", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following detection identifies rundll32.exe with `control_rundll` within the command-line, loading a .cpl or another file type from windows\\temp, programdata, or appdata. Developed in relation to CVE-2021-40444. Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. This is written to be a bit more broad by not including .cpl. The paths are specified, add more as needed. During triage, review parallel processes to identify any further suspicious behavior.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*Control_RunDLL* AND Processes.process IN (\"*\\\\appdata\\\\*\", \"*\\\\windows\\\\temp\\\\*\", \"*\\\\programdata\\\\*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_control_rundll_world_writable_directory_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "This may be tuned, or a new one related, by adding .cpl to command-line. However, it's important to look for both. Tune/filter as needed.", "references": ["https://strontic.github.io/xcyclopedia/library/rundll32.exe-111474C61232202B5B588D2B512CBB25.html", "https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/", "https://attack.mitre.org/techniques/T1218/011/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.yaml", "https://redcanary.com/blog/intelligence-insights-december-2021/"], "tags": {"name": "Rundll32 Control RunDLL World Writable Directory", "analytic_story": ["Suspicious Rundll32 Activity", "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a suspicious file from disk.", "mitre_attack_id": ["T1218", "T1218.011"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "cve": ["CVE-2021-40444"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.002/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "rundll32_control_rundll_world_writable_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-40444", "cvss": 6.8, "summary": "Microsoft MSHTML Remote Code Execution Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Rundll32 Create Remote Thread To A Process", "id": "2dbeee3a-f067-11eb-96c0-acde48001122", "version": 1, "date": "2021-07-29", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies the suspicious Remote Thread execution of rundll32.exe to any process. This technique was seen in IcedID malware to execute its malicious code in normal process for defense evasion and to steal sensitive information in the compromised host.", "data_source": ["Sysmon Event ID 8"], "search": "`sysmon` EventCode=8 SourceImage = \"*\\\\rundll32.exe\" TargetImage = \"*.exe\" | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage TargetProcessId SourceProcessId StartAddress EventCode Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_create_remote_thread_to_a_process_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the SourceImage, TargetImage, and EventCode executions from your endpoints related to create remote thread or injecting codes. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "references": ["https://www.joesandbox.com/analysis/380662/0/html"], "tags": {"name": "Rundll32 Create Remote Thread To A Process", "analytic_story": ["IcedID", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "rundl32 process $SourceImage$ create a remote thread to process $TargetImage$ in host $Computer$", "mitre_attack_id": ["T1055"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "SourceImage", "TargetImage", "TargetProcessId", "SourceProcessId", "StartAddress", "EventCode", "Computer"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "rundll32_create_remote_thread_to_a_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/rundll32_create_remote_thread_to_a_process.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Rundll32 CreateRemoteThread In Browser", "id": "f8a22586-ee2d-11eb-a193-acde48001122", "version": 1, "date": "2021-07-26", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies the suspicious Remote Thread execution of rundll32.exe process to \"firefox.exe\" and \"chrome.exe\" browser. This technique was seen in IcedID malware where it hooks the browser to parse banking information as user used the targetted browser process.", "data_source": ["Sysmon Event ID 8"], "search": "`sysmon` EventCode=8 SourceImage = \"*\\\\rundll32.exe\" TargetImage IN (\"*\\\\firefox.exe\", \"*\\\\chrome.exe\", \"*\\\\iexplore.exe\",\"*\\\\microsoftedgecp.exe\") | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage TargetProcessId SourceProcessId StartAddress EventCode Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_createremotethread_in_browser_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the SourceImage, TargetImage, and EventCode executions from your endpoints related to create remote thread or injecting codes. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "references": ["https://www.joesandbox.com/analysis/380662/0/html"], "tags": {"name": "Rundll32 CreateRemoteThread In Browser", "analytic_story": ["IcedID", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "rundl32 process $SourceImage$ create a remote thread to browser process $TargetImage$ in host $Computer$", "mitre_attack_id": ["T1055"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "SourceImage", "TargetImage", "TargetProcessId", "SourceProcessId", "StartAddress", "EventCode", "Computer"], "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "rundll32_createremotethread_in_browser_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/rundll32_createremotethread_in_browser.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Rundll32 DNSQuery", "id": "f1483f5e-ee29-11eb-9d23-acde48001122", "version": 2, "date": "2022-02-18", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious rundll32.exe process having a http connection and do a dns query in some web domain. This technique was seen in IcedID malware where the rundll32 that execute its payload will contact amazon.com to check internet connect and to communicate to its C&C server to download config and other file component.", "data_source": ["Sysmon Event ID 22"], "search": "`sysmon` EventCode=22 process_name=\"rundll32.exe\" | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus ProcessId Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_dnsquery_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and eventcode = 22 dnsquery executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "unknown", "references": ["https://any.run/malware-trends/icedid"], "tags": {"name": "Rundll32 DNSQuery", "analytic_story": ["IcedID", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "rundll32 process $process_name$ having a dns query to $QueryName$ in host $Computer$", "mitre_attack_id": ["T1218", "T1218.011"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "QueryName", "QueryStatus", "ProcessId", "Computer"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "rundll32_dnsquery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/rundll32_dnsquery.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Rundll32 LockWorkStation", "id": "fa90f372-f91d-11eb-816c-acde48001122", "version": 2, "date": "2021-08-09", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This search is to detect a suspicious rundll32 commandline to lock the workstation through command line. This technique was seen in CONTI leak tooling and script as part of its defense evasion. This technique is not a common practice to lock a screen and maybe a good indicator of compromise.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe Processes.process= \"*user32.dll,LockWorkStation*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_lockworkstation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "unknown", "references": ["https://threadreaderapp.com/thread/1423361119926816776.html"], "tags": {"name": "Rundll32 LockWorkStation", "analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "process $process_name$ with cmdline $process$ in host $dest$", "mitre_attack_id": ["T1218", "T1218.011"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process Name", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/conti/conti_leak/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "rundll32_lockworkstation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/rundll32_lockworkstation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Rundll32 Process Creating Exe Dll Files", "id": "6338266a-ee2a-11eb-bf68-acde48001122", "version": 1, "date": "2021-07-26", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious rundll32 process that drops executable (.exe or .dll) files. This behavior seen in rundll32 process of IcedID that tries to drop copy of itself in temp folder or download executable drop it either appdata or programdata as part of its execution.", "data_source": ["Sysmon Event ID 1"], "search": "`sysmon` EventCode=11 process_name=\"rundll32.exe\" TargetFilename IN (\"*.exe\", \"*.dll\",) | stats count min(_time) as firstTime max(_time) as lastTime by Image TargetFilename ProcessGuid dest user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_process_creating_exe_dll_files_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, TargetFilename, and eventcode 11 executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "unknown", "references": ["https://any.run/malware-trends/icedid"], "tags": {"name": "Rundll32 Process Creating Exe Dll Files", "analytic_story": ["IcedID", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "rundll32 process $process_name$ drops a file $TargetFilename$ in host $dest$", "mitre_attack_id": ["T1218", "T1218.011"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "TargetFilename", "ProcessGuid", "dest", "user_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "rundll32_process_creating_exe_dll_files_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/rundll32_process_creating_exe_dll_files.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Rundll32 Shimcache Flush", "id": "a913718a-25b6-11ec-96d3-acde48001122", "version": 1, "date": "2021-10-05", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to detect a suspicious rundll32 commandline to clear shim cache. This technique is a anti-forensic technique to clear the cache taht are one important artifacts in terms of digital forensic during attacks or incident. This TTP is a good indicator that someone tries to evade some tools and clear foothold on the machine.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` AND Processes.process = \"*apphelp.dll,ShimFlushCache*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_shimcache_flush_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "references": ["https://blueteamops.medium.com/shimcache-flush-89daff28d15e"], "tags": {"name": "Rundll32 Shimcache Flush", "analytic_story": ["Unusual Processes", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "rundll32 process execute $process$ to clear shim cache in $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/shimcache_flush/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "rundll32_shimcache_flush_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/rundll32_shimcache_flush.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Rundll32 with no Command Line Arguments with Network", "id": "35307032-a12d-11eb-835f-acde48001122", "version": 4, "date": "2023-06-13", "author": "Steven Dick, Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies rundll32.exe with no command line arguments and performing a network connection. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where `process_rundll32` AND Processes.action!=\"blocked\" by host _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(rundll32\\.exe.{0,4}$)\" | rename dest as src | join host process_id [| tstats `security_content_summariesonly` count latest(All_Traffic.dest) as dest latest(All_Traffic.dest_ip) as dest_ip latest(All_Traffic.dest_port) as dest_port FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by host All_Traffic.process_id | `drop_dm_object_name(All_Traffic)`] | `rundll32_with_no_command_line_arguments_with_network_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `port` node. To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", "https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/"], "tags": {"name": "Rundll32 with no Command Line Arguments with Network", "analytic_story": ["Cobalt Strike", "PrintNightmare CVE-2021-34527", "Suspicious Rundll32 Activity", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "A rundll32 process $process_name$ with no commandline argument like this process commandline $process$ in host $src$", "mitre_attack_id": ["T1218", "T1218.011"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "cve": ["CVE-2021-34527"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint", "Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "rundll32_with_no_command_line_arguments_with_network_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-34527", "cvss": 9.0, "summary": "Windows Print Spooler Remote Code Execution Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "RunDLL Loading DLL By Ordinal", "id": "6c135f8d-5e60-454e-80b7-c56eed739833", "version": 6, "date": "2022-02-08", "author": "Michael Haag, David Dorsey, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies rundll32.exe loading an export function by ordinal value. Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly, may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Utilizing ordinal values makes it a bit more complicated for analysts to understand the behavior until the DLL is reviewed.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,\"rundll32.+\\#\\d+\") | `rundll_loading_dll_by_ordinal_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives are possible with native utilities and third party applications. Filtering may be needed based on command-line, or add world writeable paths to restrict query.", "references": ["https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", "https://twitter.com/M_haggis/status/1491109262428635136", "https://twitter.com/pr0xylife/status/1590394227758104576"], "tags": {"name": "RunDLL Loading DLL By Ordinal", "analytic_story": ["Unusual Processes", "Suspicious Rundll32 Activity", "Living Off The Land", "IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "A rundll32 process $process_name$ with ordinal parameter like this process commandline $process$ on host $dest$.", "mitre_attack_id": ["T1218", "T1218.011"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/ordinal_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "rundll_loading_dll_by_ordinal_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/rundll_loading_dll_by_ordinal.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Ryuk Test Files Detected", "id": "57d44d70-28d9-4ed1-acf5-1c80ae2bbce3", "version": 1, "date": "2020-11-06", "author": "Rod Soto, Jose Hernandez, Splunk", "type": "TTP", "status": "production", "description": "The search looks for files that contain the key word *Ryuk* under any folder in the C drive, which is consistent with Ryuk propagation.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem WHERE \"Filesystem.file_path\"=C:\\\\*Ryuk* BY \"Filesystem.dest\", \"Filesystem.user\", \"Filesystem.file_path\" | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `ryuk_test_files_detected_filter`", "how_to_implement": "You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint Filesystem data-model object. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.", "known_false_positives": "If there are files with this keywoord as file names it might trigger false possitives, please make use of our filters to tune out potential FPs.", "references": [], "tags": {"name": "Ryuk Test Files Detected", "analytic_story": ["Ryuk Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "message": "A creation of ryuk test file $file_path$ in host $dest$", "mitre_attack_id": ["T1486"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.file_path", "Filesystem.dest", "Filesystem.user"], "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ryuk/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "ryuk_test_files_detected_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/ryuk_test_files_detected.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Ryuk Wake on LAN Command", "id": "538d0152-7aaa-11eb-beaa-acde48001122", "version": 1, "date": "2021-03-01", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "This Splunk query identifies the use of Wake-on-LAN utilized by Ryuk ransomware. The Ryuk Ransomware uses the Wake-on-Lan feature to turn on powered off devices on a compromised network to have greater success encrypting them. This is a high fidelity indicator of Ryuk ransomware executing on an endpoint. Upon triage, isolate the endpoint. Additional file modification events will be within the users profile (\\appdata\\roaming) and in public directories (users\\public\\). Review all Scheduled Tasks on the isolated endpoint and across the fleet. Suspicious Scheduled Tasks will include a path to a unknown binary and those endpoints should be isolated until triaged.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process=\"*8 LAN*\" OR Processes.process=\"*9 REP*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `ryuk_wake_on_lan_command_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Limited to no known false positives.", "references": ["https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/", "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-now-self-spreads-to-other-windows-lan-devices/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf"], "tags": {"name": "Ryuk Wake on LAN Command", "analytic_story": ["Ryuk Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "message": "A process $process_name$ with wake on LAN commandline $process$ in host $dest$", "mitre_attack_id": ["T1059", "T1059.003"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/ryuk/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "ryuk_wake_on_lan_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/ryuk_wake_on_lan_command.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "SAM Database File Access Attempt", "id": "57551656-ebdb-11eb-afdf-acde48001122", "version": 1, "date": "2023-06-13", "author": "Michael Haag, Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies access to SAM, SYSTEM or SECURITY databases' within the file path of `windows\\system32\\config` using Windows Security EventCode 4663. This particular behavior is related to credential access, an attempt to either use a Shadow Copy or recent CVE-2021-36934 to access the SAM database. The Security Account Manager (SAM) is a database file in Windows XP, Windows Vista, Windows 7, 8.1 and 10 that stores users' passwords.", "data_source": ["Windows Security 4663"], "search": "`wineventlog_security` (EventCode=4663) process_name!=*\\\\dllhost.exe Object_Name IN (\"*\\\\Windows\\\\System32\\\\config\\\\SAM*\",\"*\\\\Windows\\\\System32\\\\config\\\\SYSTEM*\",\"*\\\\Windows\\\\System32\\\\config\\\\SECURITY*\") | stats values(Accesses) count by process_name Object_Name dest user | `sam_database_file_access_attempt_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "Natively, `dllhost.exe` will access the files. Every environment will have additional native processes that do as well. Filter by process_name. As an aside, one can remove process_name entirely and add `Object_Name=*ShadowCopy*`.", "references": ["https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4663", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934", "https://github.com/GossiTheDog/HiveNightmare", "https://github.com/JumpsecLabs/Guidance-Advice/tree/main/SAM_Permissions", "https://en.wikipedia.org/wiki/Security_Account_Manager"], "tags": {"name": "SAM Database File Access Attempt", "analytic_story": ["Credential Dumping", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "The following process $process_name$ accessed the object $Object_Name$ attempting to gain access to credentials on $dest$ by user $user$.", "mitre_attack_id": ["T1003.002", "T1003"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}, {"name": "Object_Name", "type": "File", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "process_name", "Object_Name", "dest", "user"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "cve": ["CVE-2021-36934"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/serioussam/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "sam_database_file_access_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-36934", "cvss": 4.6, "summary": "Windows Elevation of Privilege Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/sam_database_file_access_attempt.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Samsam Test File Write", "id": "493a879d-519d-428f-8f57-a06a0fdc107e", "version": 1, "date": "2018-12-14", "author": "Rico Valdez, Splunk", "type": "TTP", "status": "production", "description": "The search looks for a file named \"test.txt\" written to the windows system directory tree, which is consistent with Samsam propagation.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_name) as file_name from datamodel=Endpoint.Filesystem where Filesystem.file_path=*\\\\windows\\\\system32\\\\test.txt by Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `samsam_test_file_write_filter`", "how_to_implement": "You must be ingesting data that records the file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.", "known_false_positives": "No false positives have been identified.", "references": [], "tags": {"name": "Samsam Test File Write", "analytic_story": ["SamSam Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 20, "impact": 60, "kill_chain_phases": ["Actions on Objectives"], "message": "A samsam ransomware test file creation in $file_path$ in host $dest$", "mitre_attack_id": ["T1486"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.user", "Filesystem.dest", "Filesystem.file_name", "Filesystem.file_path"], "risk_score": 12, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/sam_sam_note/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "samsam_test_file_write_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/samsam_test_file_write.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Sc exe Manipulating Windows Services", "id": "f0c693d8-2a89-4ce7-80b4-98fea4c3ea6d", "version": 4, "date": "2020-07-21", "author": "Rico Valdez, Splunk", "type": "TTP", "status": "production", "description": "This search looks for arguments to sc.exe indicating the creation or modification of a Windows service.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = sc.exe (Processes.process=\"* create *\" OR Processes.process=\"* config *\") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sc_exe_manipulating_windows_services_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Using sc.exe to manipulate Windows services is uncommon. However, there may be legitimate instances of this behavior. It is important to validate and investigate as appropriate.", "references": ["https://www.secureworks.com/blog/drokbk-malware-uses-github-as-dead-drop-resolver"], "tags": {"name": "Sc exe Manipulating Windows Services", "analytic_story": ["Windows Service Abuse", "DHS Report TA18-074A", "Orangeworm Attack Group", "Windows Persistence Techniques", "Disabling Security Tools", "NOBELIUM Group", "Azorult", "Windows Drivers"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A sc process $process_name$ with commandline $process$ to create of configure services in host $dest$", "mitre_attack_id": ["T1543.003", "T1543"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.parent_process_name", "Processes.dest", "Processes.user"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "sc_exe_manipulating_windows_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/sc_exe_manipulating_windows_services.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "SchCache Change By App Connect And Create ADSI Object", "id": "991eb510-0fc6-11ec-82d3-acde48001122", "version": 1, "date": "2021-09-07", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to detect an application try to connect and create ADSI Object to do LDAP query. Every time an application connects to the directory and attempts to create an ADSI object, the Active Directory Schema is checked for changes. If it has changed since the last connection, the schema is downloaded and stored in a cache on the local computer either in %LOCALAPPDATA%\\Microsoft\\Windows\\SchCache or %systemroot%\\SchCache. We found this a good anomaly use case to detect suspicious application like blackmatter ransomware that use ADS object api to execute ldap query. having a good list of ldap or normal AD query tool used within the network is a good start to reduce the noise.", "data_source": ["Sysmon Event ID 1"], "search": "`sysmon` EventCode=11 TargetFilename = \"*\\\\Windows\\\\SchCache\\\\*\" TargetFilename = \"*.sch*\" NOT (Image IN (\"*\\\\Windows\\\\system32\\\\mmc.exe\")) |stats count min(_time) as firstTime max(_time) as lastTime by Image TargetFilename EventCode process_id process_name Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schcache_change_by_app_connect_and_create_adsi_object_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "normal application like mmc.exe and other ldap query tool may trigger this detections.", "references": ["https://docs.microsoft.com/en-us/windows/win32/adsi/adsi-and-uac", "https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/"], "tags": {"name": "SchCache Change By App Connect And Create ADSI Object", "analytic_story": ["blackMatter ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "process $Image$ create a file $TargetFilename$ in host $Computer$", "mitre_attack_id": ["T1087.002", "T1087"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "TargetFilename", "EventCode", "process_id", "process_name", "Computer"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/blackmatter_schcache/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "schcache_change_by_app_connect_and_create_adsi_object_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml", "source": "endpoint"}, {"name": "Schedule Task with HTTP Command Arguments", "id": "523c2684-a101-11eb-916b-acde48001122", "version": 1, "date": "2023-04-05", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic detects the registration of suspicious tasks on Windows using the Windows Security EventCode 4698, \"A scheduled task was created.\" It specifically looks for tasks registered through schtasks.exe or TaskService that have command arguments containing the string \"HTTP.\" This behavior is often associated with malware or attacks that utilize Living off the Land binaries (lolbins) to download additional files or payloads to the compromised machine.\\\nThe search returns information about the task, such as the task name, command, author, enabled status, hidden status, and arguments. Upon triage, it is important to identify the source of the scheduled task, whether it was registered through schtasks.exe or TaskService. Review the details of the created task and the command to be executed. Capture relevant artifacts on disk and examine them. Additionally, identify any parallel processes occurring within the same timeframe to determine the source of the attack.\\\nImplementing this analytic requires ingesting logs with information about task schedules, specifically Windows Security Log EventCode 4698, from your endpoints. It is recommended to tune and filter known instances of task schedules used in your environment to minimize false positives.\\\nDetecting the registration of suspicious tasks with HTTP command arguments is valuable for a SOC as it indicates potential malicious activity or an attempt to establish persistence on the system. If a true positive is found, further investigation is warranted to analyze the nature and purpose of the scheduled task, identify any downloaded files or payloads, and mitigate the associated risks. The impact of a true positive can vary but may include data exfiltration, malware propagation, or unauthorized access to sensitive information.", "data_source": ["Windows Security 4698"], "search": "`wineventlog_security` EventCode=4698 | xmlkv Message| search Arguments IN (\"*http*\") | stats count min(_time) as firstTime max(_time) as lastTime by dest, Task_Name, Command, Author, Enabled, Hidden, Arguments | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schedule_task_with_http_command_arguments_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the task schedule (Exa. Security Log EventCode 4698) endpoints. Tune and filter known instances of Task schedule used in your environment.", "known_false_positives": "unknown", "references": ["https://app.any.run/tasks/92d7ef61-bfd7-4c92-bc15-322172b4ebec/"], "tags": {"name": "Schedule Task with HTTP Command Arguments", "analytic_story": ["Living Off The Land", "Winter Vivern", "Windows Persistence Techniques", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A schedule task process commandline arguments $Arguments$ with http string on it in host $dest$", "mitre_attack_id": ["T1053"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "Task_Name", "Command", "Author", "Enabled", "Hidden", "Arguments"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/tasksched/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "schedule_task_with_http_command_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/schedule_task_with_http_command_arguments.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Schedule Task with Rundll32 Command Trigger", "id": "75b00fd8-a0ff-11eb-8b31-acde48001122", "version": 1, "date": "2021-04-19", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic detects the creation of suspicious tasks in Windows, specifically tasks using the rundll32 command. It's implemented using Windows Security EventCode 4698 for A scheduled task was created, and looks for tasks executed either via schtasks.exe or TaskService. This behavior is worth identifying as it is commonly used by malware, such as TrickBot, that leverages rundll32 to execute its downloader.\\\nIf a true positive is found, it suggests an attacker is trying to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes.\\\nTo implement this analytic, ensure you are ingesting logs with task schedule information from your endpoints. Be aware of potential false positives - legitimate uses of Task Scheduler in your environment may cause benign activities to be flagged.\\\nUpon triage, review the scheduled task's source and the command to be executed. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks.", "data_source": ["Windows Security 4698"], "search": "`wineventlog_security` EventCode=4698 | xmlkv Message | search Command IN (\"*rundll32*\") | stats count min(_time) as firstTime max(_time) as lastTime by dest, Task_Name, Command, Author, Enabled, Hidden, Arguments | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schedule_task_with_rundll32_command_trigger_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the task schedule (Exa. Security Log EventCode 4698) endpoints. Tune and filter known instances of Task schedule used in your environment.", "known_false_positives": "unknown", "references": ["https://labs.vipre.com/trickbot-and-its-modules/", "https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/"], "tags": {"name": "Schedule Task with Rundll32 Command Trigger", "analytic_story": ["Windows Persistence Techniques", "Trickbot", "IcedID", "Living Off The Land", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A schedule task process commandline rundll32 arguments $Arguments$ in host $dest$", "mitre_attack_id": ["T1053"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "Task_Name", "Command", "Author", "Enabled", "Hidden", "Arguments"], "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/tasksched/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "schedule_task_with_rundll32_command_trigger_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Scheduled Task Creation on Remote Endpoint using At", "id": "4be54858-432f-11ec-8209-3e22fbd008af", "version": 1, "date": "2021-11-11", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic detects the creation of suspicious tasks on a remote Windows endpoint using the at.exe command with command-line arguments. This technique is commonly used by red teams and adversaries for lateral movement and remote code execution. The at.exe binary leverages the deprecated AT protocol, which may still work on previous versions of Windows. Attackers can enable this protocol on demand by modifying a system registry key. It is important to consider potential false positives. While administrators may create scheduled tasks on remote systems, this activity is typically limited to a small set of hosts or users.\\\nIdentifying the creation of scheduled tasks on remote endpoints is crucial for a Security Operations Center (SOC) because it indicates potential unauthorized activity or an attacker attempting to establish persistence or execute malicious code. The impact of a true positive can be significant, leading to unauthorized access, data theft, or other damaging outcomes. During triage, investigate the source and purpose of the scheduled task, inspect relevant on-disk artifacts, and analyze concurrent processes to identify the extent of the attack and take appropriate response actions.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=at.exe OR Processes.original_file_name=at.exe) (Processes.process=*\\\\\\\\*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `scheduled_task_creation_on_remote_endpoint_using_at_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints.", "known_false_positives": "Administrators may create scheduled tasks on remote systems, but this activity is usually limited to a small set of hosts or users.", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/at", "https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob?redirectedfrom=MSDN"], "tags": {"name": "Scheduled Task Creation on Remote Endpoint using At", "analytic_story": ["Active Directory Lateral Movement", "Living Off The Land", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A Windows Scheduled Task was created on a remote endpoint from $dest", "mitre_attack_id": ["T1053", "T1053.002"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/lateral_movement/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "scheduled_task_creation_on_remote_endpoint_using_at_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Scheduled Task Deleted Or Created via CMD", "id": "d5af132c-7c17-439c-9d31-13d55340f36c", "version": 6, "date": "2023-04-05", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "This analytic focuses on identifying the creation or deletion of scheduled tasks using the schtasks.exe utility with the corresponding command-line flags (-create or -delete). This technique has been notably associated with threat actors like Dragonfly and the SUNBURST attack against SolarWinds. The purpose of this analytic is to detect suspicious activity related to scheduled tasks that could indicate malicious intent or unauthorized system manipulation. By monitoring for these specific command-line flags, we can enhance our ability to identify potential threats and prevent attacks similar to the use of scheduled tasks in the BadRabbit Ransomware incident.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe (Processes.process=*delete* OR Processes.process=*create*) by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `scheduled_task_deleted_or_created_via_cmd_filter` ", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "While it is possible for legitimate scripts or administrators to trigger this behavior, filtering can be applied based on the parent process and application to reduce false positives. Analysts should reference the provided references to understand the context and threat landscape associated with this activity.", "references": ["https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://www.joesandbox.com/analysis/691823/0/html"], "tags": {"name": "Scheduled Task Deleted Or Created via CMD", "analytic_story": ["Qakbot", "NOBELIUM Group", "Windows Persistence Techniques", "Winter Vivern", "Prestige Ransomware", "DarkCrystal RAT", "AgentTesla", "Trickbot", "AsyncRAT", "Sandworm Tools", "Living Off The Land", "CISA AA22-257A", "DHS Report TA18-074A", "Azorult", "Amadey", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A schedule task process $process_name$ with create or delete commandline $process$ in host $dest$", "mitre_attack_id": ["T1053.005", "T1053"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.parent_process", "Processes.process_name", "Processes.user", "Processes.parent_process_name", "Processes.dest"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "scheduled_task_deleted_or_created_via_cmd_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Scheduled Task Initiation on Remote Endpoint", "id": "95cf4608-4302-11ec-8194-3e22fbd008af", "version": 1, "date": "2021-11-11", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic detects instances of 'schtasks.exe' being used to start a Scheduled Task on a remote endpoint. Adversaries often abuse the Task Scheduler for lateral movement and remote code execution. The search parameters include process details such as the process name, parent process, and command-line executions. Although legitimate administrators may start scheduled tasks on remote systems, this activity is usually limited to a small set of hosts or users. The findings from this analytic provide valuable insight into potentially malicious activities on an endpoint.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=schtasks.exe OR Processes.original_file_name=schtasks.exe) (Processes.process=*/s* AND Processes.process=*/run*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `scheduled_task_initiation_on_remote_endpoint_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints.", "known_false_positives": "Administrators may start scheduled tasks on remote systems, but this activity is usually limited to a small set of hosts or users.", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks", "https://attack.mitre.org/techniques/T1053/005/"], "tags": {"name": "Scheduled Task Initiation on Remote Endpoint", "analytic_story": ["Active Directory Lateral Movement", "Living Off The Land", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A Windows Scheduled Task was ran on a remote endpoint from $dest", "mitre_attack_id": ["T1053", "T1053.005"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/lateral_movement/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "scheduled_task_initiation_on_remote_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Schtasks Run Task On Demand", "id": "bb37061e-af1f-11eb-a159-acde48001122", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic is designed to detect when a Windows Scheduled Task is executed on demand via shell or command line. Adversaries often force the execution of their created Scheduled Tasks for persistent access or lateral movement within a compromised machine. This analytic is driven by process-related data, specifically process name, parent process, and command-line executions, sourced from endpoint logs. The search criteria focus on 'schtasks.exe' with an associated 'run' command.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"schtasks.exe\" Processes.process = \"*/run*\" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schtasks_run_task_on_demand_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed schtasks.exe may be used.", "known_false_positives": "Bear in mind, administrators debugging Scheduled Task entries may trigger this analytic, necessitating fine-tuning and filtering to distinguish between legitimate and potentially malicious use of 'schtasks.exe'.", "references": ["https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"], "tags": {"name": "Schtasks Run Task On Demand", "analytic_story": ["Qakbot", "Industroyer2", "XMRig", "CISA AA22-257A", "Data Destruction", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A \"on demand\" execution of schedule task process $process_name$ using commandline $process$ in host $dest$", "mitre_attack_id": ["T1053"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.process_id", "Processes.process_name", "Processes.parent_process_name", "Processes.dest", "Processes.user"], "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "schtasks_run_task_on_demand_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/schtasks_run_task_on_demand.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Schtasks scheduling job on remote system", "id": "1297fb80-f42a-4b4a-9c8a-88c066237cf6", "version": 6, "date": "2022-05-23", "author": "David Dorsey, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic is designed to detect suspicious command-line arguments executed through 'schtasks.exe' to create a scheduled task on a remote endpoint. The analytic scans process data, checking for instances where 'schtasks.exe' has been used with specific command-line flags that suggest an attempt at lateral movement or remote code execution, common techniques employed by adversaries and red teams. Key data points include the process name, the specific command line used, the parent process name, the target destination, and the user involved. Also, timestamp data gives context to when these activities occurred.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = schtasks.exe OR Processes.original_file_name=schtasks.exe) (Processes.process=\"*/create*\" AND Processes.process=\"*/s*\") by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schtasks_scheduling_job_on_remote_system_filter`", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "While it is possible to have false positives, due to legitimate administrative tasks, these are usually limited and should still be validated and investigated as appropriate.", "references": [], "tags": {"name": "Schtasks scheduling job on remote system", "analytic_story": ["Active Directory Lateral Movement", "NOBELIUM Group", "Living Off The Land", "Prestige Ransomware", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A schedule task process $process_name$ with remote job command-line $process$ in host $dest$ by $user$.", "mitre_attack_id": ["T1053.005", "T1053"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.parent_process_name", "Processes.dest", "Processes.user"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "schtasks_scheduling_job_on_remote_system_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Schtasks used for forcing a reboot", "id": "1297fb80-f42a-4b4a-9c8a-88c066437cf6", "version": 4, "date": "2020-12-07", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes a Splunk query to pinpoint potential threats by monitoring the 'schtasks.exe' command-line usage. This particular command, especially when used in tandem with 'shutdown' and '/create' flags, can suggest an adversarial force intending to schedule unwarranted system reboots. The query focuses on endpoint process data and retrieves details such as the process name, the parent process name, the destination, and the user involved. Essential to the investigation are the earliest and latest timestamps of these events, providing an activity timeline. Data such as the targeted host and initiating user offer valuable context for analyst.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe Processes.process=\"*shutdown*\" Processes.process=\"*/create *\" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schtasks_used_for_forcing_a_reboot_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "This analytic may also capture legitimate administrative activities such as system updates or maintenance tasks, which can be classified as false positives. Filter as needed.", "references": [], "tags": {"name": "Schtasks used for forcing a reboot", "analytic_story": ["Windows Persistence Techniques", "Ransomware", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A schedule task process $process_name$ with force reboot commandline $process$ in host $dest$", "mitre_attack_id": ["T1053.005", "T1053"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.process_name", "Processes.parent_process_name", "Processes.dest", "Processes.user"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/schtask_shutdown/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "schtasks_used_for_forcing_a_reboot_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Screensaver Event Trigger Execution", "id": "58cea3ec-1f6d-11ec-8560-acde48001122", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is developed to detect possible event trigger execution through screensaver registry entry modification for persistence or privilege escalation. This technique was seen in several APT and malware where they put the malicious payload path to the SCRNSAVE.EXE registry key to redirect the execution to their malicious payload path. This TTP is a good indicator that some attacker may modify this entry for their persistence and privilege escalation.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path=\"*\\\\Control Panel\\\\Desktop\\\\SCRNSAVE.EXE*\") by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `screensaver_event_trigger_execution_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "unknown", "references": ["https://attack.mitre.org/techniques/T1546/002/", "https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/privilege-escalation/untitled-3/screensaver"], "tags": {"name": "Screensaver Event Trigger Execution", "analytic_story": ["Hermetic Wiper", "Windows Privilege Escalation", "Windows Persistence Techniques", "Windows Registry Abuse", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "modified/added/deleted registry entry $Registry.registry_path$ in $dest$", "mitre_attack_id": ["T1546", "T1546.002"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.user", "Registry.registry_path", "Registry.registry_key_name", "Registry.registry_value_name"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.002", "mitre_attack_technique": "Screensaver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.002/scrnsave_reg/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "screensaver_event_trigger_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/screensaver_event_trigger_execution.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Script Execution via WMI", "id": "aa73f80d-d728-4077-b226-81ea0c8be589", "version": 4, "date": "2020-03-16", "author": "Rico Valdez, Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic is designed to detect the potential misuse of Windows Management Instrumentation (WMI) for malicious purposes. WMI can be utilized by adversaries to execute scripts, a method often employed for maintaining stealth while carrying out malicious activities. The process 'scrcons.exe', integral to executing WMI scripts, is primarily monitored by this analytic. The underlying threat lies in the fact that successful execution of a malicious script can lead to numerous negative outcomes, including system compromise, data exfiltration, or the establishment of persistence. It's essential for cybersecurity analysts to remain vigilant towards unexpected or isolated script executions via WMI, as such instances often signal suspicious activities or potential security breaches. Although uncommon, administrators may occasionally use WMI to launch scripts for legitimate purposes. Therefore, discerning malicious activities from benign ones is crucial in this context.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=scrcons.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `script_execution_via_wmi_filter` ", "how_to_implement": "You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "Although unlikely, administrators may use wmi to launch scripts for legitimate purposes. Filter as needed.", "references": ["https://redcanary.com/blog/child-processes/"], "tags": {"name": "Script Execution via WMI", "analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Installation"], "message": "A wmic.exe process $process_name$ that execute script in host $dest$", "mitre_attack_id": ["T1047"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.user", "Processes.dest"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/execution_scrcons/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "script_execution_via_wmi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/script_execution_via_wmi.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Sdclt UAC Bypass", "id": "d71efbf6-da63-11eb-8c6e-acde48001122", "version": 3, "date": "2022-11-14", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious sdclt.exe registry modification. This technique is commonly seen when attacker try to bypassed UAC by using sdclt.exe application by modifying some registry that sdclt.exe tries to open or query with payload file path on it to be executed.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path= \"*\\\\Windows\\\\CurrentVersion\\\\App Paths\\\\control.exe*\" OR Registry.registry_path= \"*\\\\exefile\\\\shell\\\\runas\\\\command\\\\*\") (Registry.registry_value_name = \"(Default)\" OR Registry.registry_value_name = \"IsolatedCommand\")) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sdclt_uac_bypass_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "Limited to no false positives are expected.", "references": ["https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/", "https://github.com/hfiref0x/UACME", "https://www.cyborgsecurity.com/cyborg-labs/threat-hunt-deep-dives-user-account-control-bypass-via-registry-modification/"], "tags": {"name": "Sdclt UAC Bypass", "analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Suspicious modification of registry $registry_path$ with possible payload path $registry_value_name$ in $dest$", "mitre_attack_id": ["T1548.002", "T1548"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.user", "Processes.dest", "Processes.process_id", "Processes.process_name", "Processes.process", "Processes.process_path", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_guid", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/uac_bypass/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "sdclt_uac_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/sdclt_uac_bypass.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Sdelete Application Execution", "id": "31702fc0-2682-11ec-85c3-acde48001122", "version": 1, "date": "2021-10-06", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to detect the execution of sdelete.exe application sysinternal tools. This tool is one of the most use tool of malware and adversaries to remove or clear their tracks and artifact in the targetted host. This tool is designed to delete securely a file in file system that remove the forensic evidence on the machine. A good TTP query to check why user execute this application which is not a common practice.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_sdelete` by Processes.process_name Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sdelete_application_execution_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "user may execute and use this application", "references": ["https://app.any.run/tasks/956f50be-2c13-465a-ac00-6224c14c5f89/"], "tags": {"name": "Sdelete Application Execution", "analytic_story": ["Masquerading - Rename System Utilities"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives", "Exploitation"], "message": "sdelete process $process_name$ executed in $dest$", "mitre_attack_id": ["T1485", "T1070.004", "T1070"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/sdelete/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_sdelete", "definition": "(Processes.process_name=sdelete.exe OR Processes.original_file_name=sdelete.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "sdelete_application_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/sdelete_application_execution.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "SearchProtocolHost with no Command Line with Network", "id": "b690df8c-a145-11eb-a38b-acde48001122", "version": 3, "date": "2023-06-13", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies searchprotocolhost.exe with no command line arguments and with a network connection. It is unusual for searchprotocolhost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. searchprotocolhost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=searchprotocolhost.exe by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(searchprotocolhost\\.exe.{0,4}$)\" | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time dest parent_process_name process_name process_path process process_id dest_port C2 | `searchprotocolhost_with_no_command_line_with_network_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `ports` node.", "known_false_positives": "Limited false positives may be present in small environments. Tuning may be required based on parent process.", "references": ["https://github.com/mandiant/red_team_tool_countermeasures/blob/master/rules/PGF/supplemental/hxioc/SUSPICIOUS%20EXECUTION%20OF%20SEARCHPROTOCOLHOST%20(METHODOLOGY).ioc"], "tags": {"name": "SearchProtocolHost with no Command Line with Network", "analytic_story": ["Cobalt Strike", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "A searchprotocolhost.exe process $process_name$ with no commandline in host $dest$", "mitre_attack_id": ["T1055"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "process_name", "process_id", "parent_process_name", "dest_port", "process_path"], "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon_searchprotocolhost.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint", "Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "searchprotocolhost_with_no_command_line_with_network_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "SecretDumps Offline NTDS Dumping Tool", "id": "5672819c-be09-11eb-bbfb-acde48001122", "version": 1, "date": "2023-06-13", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic detects a potential usage of secretsdump.py tool for dumping credentials (ntlm hash) from a copy of ntds.dit and SAM.Security,SYSTEM registrry hive. This technique was seen in some attacker that dump ntlm hashes offline after having a copy of ntds.dit and SAM/SYSTEM/SECURITY registry hive.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"python*.exe\" Processes.process = \"*.py*\" Processes.process = \"*-ntds*\" (Processes.process = \"*-system*\" OR Processes.process = \"*-sam*\" OR Processes.process = \"*-security*\" OR Processes.process = \"*-bootkey*\") by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `secretdumps_offline_ntds_dumping_tool_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "references": ["https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py"], "tags": {"name": "SecretDumps Offline NTDS Dumping Tool", "analytic_story": ["Credential Dumping", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "A secretdump process $process_name$ with secretdump commandline $process$ to dump credentials in host $dest$", "mitre_attack_id": ["T1003.003", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.parent_process_name", "Processes.parent_process", "Processes.dest", "Processes.user", "Processes.process_id", "Processes.process_guid"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/honeypots/casper/datasets1/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "secretdumps_offline_ntds_dumping_tool_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "ServicePrincipalNames Discovery with PowerShell", "id": "13243068-2d38-11ec-8908-acde48001122", "version": 2, "date": "2022-02-26", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies `powershell.exe` usage, using Script Block Logging EventCode 4104, related to querying the domain for Service Principle Names. typically, this is a precursor activity related to kerberoasting or the silver ticket attack. \\\nWhat is a ServicePrincipleName? \\\nA service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name.\\\nThe following analytic identifies the use of KerberosRequestorSecurityToken class within the script block. Using .NET System.IdentityModel.Tokens.KerberosRequestorSecurityToken class in PowerShell is the equivelant of using setspn.exe. \\\nDuring triage, review parallel processes for further suspicious activity.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText=\"*KerberosRequestorSecurityToken*\" | stats count min(_time) as firstTime max(_time) as lastTime by ScriptBlockText Opcode Computer UserID EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `serviceprincipalnames_discovery_with_powershell_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited, however filter as needed.", "references": ["https://docs.microsoft.com/en-us/windows/win32/ad/service-principal-names", "https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.kerberosrequestorsecuritytoken?view=netframework-4.8", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting", "https://strontic.github.io/xcyclopedia/library/setspn.exe-5C184D581524245DAD7A0A02B51FD2C2.html", "https://attack.mitre.org/techniques/T1558/003/", "https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spn-setspn-syntax.aspx", "https://web.archive.org/web/20220212163642/https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/", "https://blog.zsec.uk/paving-2-da-wholeset/", "https://msitpros.com/?p=3113", "https://adsecurity.org/?p=3466", "https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/"], "tags": {"name": "ServicePrincipalNames Discovery with PowerShell", "analytic_story": ["Active Directory Discovery", "Active Directory Kerberos Attacks", "Malicious PowerShell", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $Computer$ by user $UserID$ attempting to identify service principle names.", "mitre_attack_id": ["T1558.003"], "nist": ["DE.CM"], "observable": [{"name": "UserID", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "serviceprincipalnames_discovery_with_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/serviceprincipalnames_discovery_with_powershell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "ServicePrincipalNames Discovery with SetSPN", "id": "ae8b3efc-2d2e-11ec-8b57-acde48001122", "version": 1, "date": "2021-10-14", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies `setspn.exe` usage related to querying the domain for Service Principle Names. typically, this is a precursor activity related to kerberoasting or the silver ticket attack. \\\nWhat is a ServicePrincipleName? \\\nA service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name.\\\nExample usage includes the following \\\n1. setspn -T offense -Q */* 1. setspn -T attackrange.local -F -Q MSSQLSvc/* 1. setspn -Q */* > allspns.txt 1. setspn -q \\\nValues \\\n1. -F = perform queries at the forest, rather than domain level 1. -T = perform query on the specified domain or forest (when -F is also used) 1. -Q = query for existence of SPN \\\nDuring triage, review parallel processes for further suspicious activity.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_setspn` (Processes.process=\"*-t*\" AND Processes.process=\"*-f*\") OR (Processes.process=\"*-q*\" AND Processes.process=\"**/**\") OR (Processes.process=\"*-q*\") OR (Processes.process=\"*-s*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `serviceprincipalnames_discovery_with_setspn_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be caused by Administrators resetting SPNs or querying for SPNs. Filter as needed.", "references": ["https://docs.microsoft.com/en-us/windows/win32/ad/service-principal-names", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting", "https://strontic.github.io/xcyclopedia/library/setspn.exe-5C184D581524245DAD7A0A02B51FD2C2.html", "https://attack.mitre.org/techniques/T1558/003/", "https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spn-setspn-syntax.aspx", "https://web.archive.org/web/20220212163642/https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/", "https://blog.zsec.uk/paving-2-da-wholeset/", "https://msitpros.com/?p=3113", "https://adsecurity.org/?p=3466"], "tags": {"name": "ServicePrincipalNames Discovery with SetSPN", "analytic_story": ["Active Directory Discovery", "Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to identify service principle names.", "mitre_attack_id": ["T1558.003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/atomic_red_team/windows-sysmon_setspn.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_setspn", "definition": "(Processes.process_name=setspn.exe OR Processes.original_file_name=setspn.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "serviceprincipalnames_discovery_with_setspn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Services Escalate Exe", "id": "c448488c-b7ec-11eb-8253-acde48001122", "version": 1, "date": "2023-06-13", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of `svc-exe` with Cobalt Strike. The behavior typically follows after an adversary has already gained initial access and is escalating privileges. Using `svc-exe`, a randomly named binary will be downloaded from the remote Teamserver and placed on disk within `C:\\Windows\\400619a.exe`. Following, the binary will be added to the registry under key `HKLM\\System\\CurrentControlSet\\Services\\400619a\\` with multiple keys and values added to look like a legitimate service. Upon loading, `services.exe` will spawn the randomly named binary from `\\\\127.0.0.1\\ADMIN$\\400619a.exe`. The process lineage is completed with `400619a.exe` spawning rundll32.exe, which is the default `spawnto_` value for Cobalt Strike. The `spawnto_` value is arbitrary and may be any process on disk (typically system32/syswow64 binary). The `spawnto_` process will also contain a network connection. During triage, review parallel procesess and identify any additional file modifications.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=services.exe Processes.process_path=*admin$* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `services_escalate_exe_filter`", "how_to_implement": "To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model.", "known_false_positives": "False positives should be limited as `services.exe` should never spawn a process from `ADMIN$`. Filter as needed.", "references": ["https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://attack.mitre.org/techniques/T1548/", "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/index.htm#cshid=1085"], "tags": {"name": "Services Escalate Exe", "analytic_story": ["Cobalt Strike", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 95, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "A service process $parent_process_name$ with process path $process_path$ in host $dest$", "mitre_attack_id": ["T1548"], "nist": ["DE.CM"], "observable": [{"name": "Processes.dest", "type": "Hostname", "role": ["Victim"]}, {"name": "Processes.user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 76, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "services_escalate_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/services_escalate_exe.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Services LOLBAS Execution Process Spawn", "id": "ba9e1954-4c04-11ec-8b74-3e22fbd008af", "version": 1, "date": "2021-11-22", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies `services.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Service Control Manager and creating a remote malicious service, the executed command is spawned as a child process of `services.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of services.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=services.exe) (Processes.process_name IN (\"Regsvcs.exe\", \"Ftp.exe\", \"OfflineScannerShell.exe\", \"Rasautou.exe\", \"Schtasks.exe\", \"Xwizard.exe\", \"Dllhost.exe\", \"Pnputil.exe\", \"Atbroker.exe\", \"Pcwrun.exe\", \"Ttdinject.exe\",\"Mshta.exe\", \"Bitsadmin.exe\", \"Certoc.exe\", \"Ieexec.exe\", \"Microsoft.Workflow.Compiler.exe\", \"Runscripthelper.exe\", \"Forfiles.exe\", \"Msbuild.exe\", \"Register-cimprovider.exe\", \"Tttracer.exe\", \"Ie4uinit.exe\", \"Bash.exe\", \"Hh.exe\", \"SettingSyncHost.exe\", \"Cmstp.exe\", \"Mmc.exe\", \"Stordiag.exe\", \"Scriptrunner.exe\", \"Odbcconf.exe\", \"Extexport.exe\", \"Msdt.exe\", \"WorkFolders.exe\", \"Diskshadow.exe\", \"Mavinject.exe\", \"Regasm.exe\", \"Gpscript.exe\", \"Rundll32.exe\", \"Regsvr32.exe\", \"Msiexec.exe\", \"Wuauclt.exe\", \"Presentationhost.exe\", \"Wmic.exe\", \"Runonce.exe\", \"Syncappvpublishingserver.exe\", \"Verclsid.exe\", \"Infdefaultinstall.exe\", \"Explorer.exe\", \"Installutil.exe\", \"Netsh.exe\", \"Wab.exe\", \"Dnscmd.exe\", \"At.exe\", \"Pcalua.exe\", \"Msconfig.exe\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `services_lolbas_execution_process_spawn_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints.", "known_false_positives": "Legitimate applications may trigger this behavior, filter as needed.", "references": ["https://attack.mitre.org/techniques/T1543/003/", "https://pentestlab.blog/2020/07/21/lateral-movement-services/", "https://lolbas-project.github.io/"], "tags": {"name": "Services LOLBAS Execution Process Spawn", "analytic_story": ["Active Directory Lateral Movement", "Living Off The Land", "Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "message": "Services.exe spawned a LOLBAS process on $dest", "mitre_attack_id": ["T1543", "T1543.003"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement_lolbas/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "services_lolbas_execution_process_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/services_lolbas_execution_process_spawn.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "id": "c2590137-0b08-4985-9ec5-6ae23d92f63d", "version": 8, "date": "2023-04-14", "author": "Steven Dick, Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "Monitor for changes of the ExecutionPolicy in the registry to the values \"unrestricted\" or \"bypass,\" which allows the execution of malicious scripts.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=*Software\\\\Microsoft\\\\Powershell\\\\1\\\\ShellIds\\\\Microsoft.PowerShell* Registry.registry_value_name=ExecutionPolicy (Registry.registry_value_data=Unrestricted OR Registry.registry_value_data=Bypass)) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `set_default_powershell_execution_policy_to_unrestricted_or_bypass_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "Administrators may attempt to change the default execution policy on a system for a variety of reasons. However, setting the policy to \"unrestricted\" or \"bypass\" as this search is designed to identify, would be unusual. Hits should be reviewed and investigated as appropriate.", "references": [], "tags": {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "analytic_story": ["HAFNIUM Group", "Hermetic Wiper", "Credential Dumping", "Malicious PowerShell", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Installation"], "message": "A registry modification in $registry_path$ with reg key $registry_key_name$ and reg value $registry_value_name$ in host $dest$", "mitre_attack_id": ["T1059", "T1059.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "registry_path", "type": "Unknown", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.user", "Processes.dest", "Processes.process_id", "Processes.process_name", "Processes.process", "Processes.process_path", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_guid", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_execution_policy/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "set_default_powershell_execution_policy_to_unrestricted_or_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Shim Database File Creation", "id": "6e4c4588-ba2f-42fa-97e6-9f6f548eaa33", "version": 3, "date": "2020-12-08", "author": "David Dorsey, Splunk", "type": "TTP", "status": "production", "description": "This search looks for shim database files being written to default directories. The sdbinst.exe application is used to install shim database files (.sdb). According to Microsoft, a shim is a small library that transparently intercepts an API, changes the parameters passed, handles the operation itself, or redirects the operation elsewhere.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count values(Filesystem.action) values(Filesystem.file_hash) as file_hash values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path=*Windows\\\\AppPatch\\\\Custom* by Filesystem.file_name Filesystem.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` |`drop_dm_object_name(Filesystem)` | `shim_database_file_creation_filter`", "how_to_implement": "You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.", "known_false_positives": "Because legitimate shim files are created and used all the time, this event, in itself, is not suspicious. However, if there are other correlating events, it may warrant further investigation.", "references": [], "tags": {"name": "Shim Database File Creation", "analytic_story": ["Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A process that possibly write shim database in $file_path$ in host $dest$", "mitre_attack_id": ["T1546.011", "T1546"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "file_path", "type": "File", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.file_hash", "Filesystem.file_path", "Filesystem.file_name", "Filesystem.dest"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.011", "mitre_attack_technique": "Application Shimming", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN7"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.011/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "shim_database_file_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/shim_database_file_creation.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Shim Database Installation With Suspicious Parameters", "id": "404620de-46d8-48b6-90cc-8a8d7b0876a3", "version": 4, "date": "2020-11-23", "author": "David Dorsey, Splunk", "type": "TTP", "status": "production", "description": "This search detects the process execution and arguments required to silently create a shim database. The sdbinst.exe application is used to install shim database files (.sdb). A shim is a small library which transparently intercepts an API, changes the parameters passed, handles the operation itself, or redirects the operation elsewhere.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = sdbinst.exe by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `shim_database_installation_with_suspicious_parameters_filter`", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "None identified", "references": [], "tags": {"name": "Shim Database Installation With Suspicious Parameters", "analytic_story": ["Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A process $process_name$ that possible create a shim db silently in host $dest$", "mitre_attack_id": ["T1546.011", "T1546"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.parent_process_name", "Processes.dest", "Processes.user"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.011", "mitre_attack_technique": "Application Shimming", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN7"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.011/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "shim_database_installation_with_suspicious_parameters_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Short Lived Scheduled Task", "id": "6fa31414-546e-11ec-adfa-acde48001122", "version": 1, "date": "2021-12-03", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes Windows Security EventCode 4698, \"A scheduled task was created,\" and EventCode 4699, \"A scheduled task was deleted,\" to identify scheduled tasks that are created and deleted within a short time frame of less than 30 seconds. This behavior is indicative of a potential lateral movement attack where the Task Scheduler is abused to achieve code execution. Both red teams and adversaries may exploit the Task Scheduler for lateral movement and remote code execution.\\\nTo implement this analytic, ensure that you are ingesting Windows Security Event Logs with EventCode 4698 enabled. Additionally, the Windows TA (Technology Add-on) is required to parse and extract the necessary information from the logs.\\\nIt's important to note that while uncommon, legitimate applications may create and delete scheduled tasks within a short duration. Analysts should filter the results based on the specific context and environment to reduce false positives.\\\nIdentifying short-lived scheduled tasks is valuable for a SOC as it can indicate malicious activities attempting to move laterally or execute unauthorized code on Windows systems. By detecting and investigating these events, security analysts can respond promptly to prevent further compromise and mitigate potential risks. The impact of a true positive could range from unauthorized access to data exfiltration or the execution of malicious payloads.", "data_source": ["Windows Security 4698"], "search": " `wineventlog_security` EventCode=4698 OR EventCode=4699 | xmlkv Message | transaction Task_Name startswith=(EventCode=4698) endswith=(EventCode=4699) | eval short_lived=case((duration<30),\"TRUE\") | search short_lived = TRUE | table _time, ComputerName, Account_Name, Command, Task_Name, short_lived | `short_lived_scheduled_task_filter` ", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required.", "known_false_positives": "Although uncommon, legitimate applications may create and delete a Scheduled Task within 30 seconds. Filter as needed.", "references": ["https://attack.mitre.org/techniques/T1053/005/", "https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler"], "tags": {"name": "Short Lived Scheduled Task", "analytic_story": ["Active Directory Lateral Movement", "CISA AA22-257A", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A windows scheduled task was created and deleted in 30 seconds on $ComputerName$", "mitre_attack_id": ["T1053.005"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "ComputerName", "Account_Name", "Task_Name", "Description", "Command"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/lateral_movement/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "short_lived_scheduled_task_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/short_lived_scheduled_task.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Short Lived Windows Accounts", "id": "b25f6f62-0782-43c1-b403-083231ffd97d", "version": 2, "date": "2020-07-06", "author": "David Dorsey, Splunk", "type": "TTP", "status": "production", "description": "This search detects accounts that were created and deleted in a short time period.", "data_source": [], "search": "| tstats `security_content_summariesonly` values(All_Changes.result_id) as result_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Change where All_Changes.result_id=4720 OR All_Changes.result_id=4726 by _time span=4h All_Changes.user All_Changes.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(\"All_Changes\")` | search result_id = 4720 result_id=4726 | transaction user connected=false maxspan=240m | table firstTime lastTime count user dest result_id | `short_lived_windows_accounts_filter`", "how_to_implement": "This search requires you to have enabled your Group Management Audit Logs in your Local Windows Security Policy and be ingesting those logs. More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/", "known_false_positives": "It is possible that an administrator created and deleted an account in a short time period. Verifying activity with an administrator is advised.", "references": [], "tags": {"name": "Short Lived Windows Accounts", "analytic_story": ["Account Monitoring and Controls"], "asset_type": "Windows", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "message": "A user account created or delete shortly in host $dest$", "mitre_attack_id": ["T1136.001", "T1136"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.result_id", "All_Changes.user", "All_Changes.dest"], "risk_score": 63, "security_domain": "access", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "Dragonfly", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Change"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "short_lived_windows_accounts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/short_lived_windows_accounts.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "SilentCleanup UAC Bypass", "id": "56d7cfcc-da63-11eb-92d4-acde48001122", "version": 3, "date": "2022-11-14", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious modification of registry that may related to UAC bypassed. This registry will be trigger once the attacker abuse the silentcleanup task schedule to gain high privilege execution that will bypass User control account.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\Environment\\\\windir\" Registry.registry_value_data = \"*.exe*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `silentcleanup_uac_bypass_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "references": ["https://github.com/hfiref0x/UACME", "https://www.intezer.com/blog/malware-analysis/klingon-rat-holding-on-for-dear-life/"], "tags": {"name": "SilentCleanup UAC Bypass", "analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Suspicious modification of registry $registry_path$ with possible payload path $registry_value_name$ in $dest$", "mitre_attack_id": ["T1548.002", "T1548"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.user", "Processes.dest", "Processes.process_id", "Processes.process_name", "Processes.process", "Processes.process_path", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_guid", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/uac_bypass/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "silentcleanup_uac_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/silentcleanup_uac_bypass.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Single Letter Process On Endpoint", "id": "a4214f0b-e01c-41bc-8cc4-d2b71e3056b4", "version": 3, "date": "2020-12-08", "author": "David Dorsey, Splunk", "type": "TTP", "status": "production", "description": "This search looks for process names that consist only of a single letter.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest, Processes.user, Processes.process, Processes.process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | eval process_name_length = len(process_name), endExe = if(substr(process_name, -4) == \".exe\", 1, 0) | search process_name_length=5 AND endExe=1 | table count, firstTime, lastTime, dest, user, process, process_name | `single_letter_process_on_endpoint_filter`", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "Single-letter executables are not always malicious. Investigate this activity with your normal incident-response process.", "references": [], "tags": {"name": "Single Letter Process On Endpoint", "analytic_story": ["DHS Report TA18-074A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation"], "message": "A suspicious process $process_name$ with single letter in host $dest$", "mitre_attack_id": ["T1204", "T1204.002"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.process", "Processes.process_name"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/single_letter_exe/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "single_letter_process_on_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/single_letter_process_on_endpoint.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "SLUI RunAs Elevated", "id": "8d124810-b3e4-11eb-96c7-acde48001122", "version": 1, "date": "2021-05-13", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the Microsoft Software Licensing User Interface Tool, `slui.exe`, elevating access using the `-verb runas` function. This particular bypass utilizes a registry key/value. Identified by two sources, the registry keys are `HKCU\\Software\\Classes\\exefile\\shell` and `HKCU\\Software\\Classes\\launcher.Systemsettings\\Shell\\open\\command`. To simulate this behavior, multiple POC are available. The analytic identifies the use of `runas` by `slui.exe`.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=slui.exe (Processes.process=*-verb* Processes.process=*runas*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `slui_runas_elevated_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Limited false positives should be present as this is not commonly used by legitimate applications.", "references": ["https://www.exploit-db.com/exploits/46998", "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b", "https://gist.github.com/r00t-3xp10it/0c92cd554d3156fd74f6c25660ccc466", "https://www.rapid7.com/db/modules/exploit/windows/local/bypassuac_sluihijack/", "https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations"], "tags": {"name": "SLUI RunAs Elevated", "analytic_story": ["DarkSide Ransomware", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "A slui process $process_name$ with elevated commandline $process$ in host $dest$", "mitre_attack_id": ["T1548.002", "T1548"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/slui/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "slui_runas_elevated_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/slui_runas_elevated.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "SLUI Spawning a Process", "id": "879c4330-b3e0-11eb-b1b1-acde48001122", "version": 1, "date": "2021-05-13", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the Microsoft Software Licensing User Interface Tool, `slui.exe`, spawning a child process. This behavior is associated with publicly known UAC bypass. `slui.exe` is commonly associated with software updates and is most often spawned by `svchost.exe`. The `slui.exe` process should not have child processes, and any processes spawning from it will be running with elevated privileges. During triage, review the child process and additional parallel processes. Identify any file modifications that may have lead to the bypass.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=slui.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `slui_spawning_a_process_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Certain applications may spawn from `slui.exe` that are legitimate. Filtering will be needed to ensure proper monitoring.", "references": ["https://www.exploit-db.com/exploits/46998", "https://www.rapid7.com/db/modules/exploit/windows/local/bypassuac_sluihijack/", "https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations"], "tags": {"name": "SLUI Spawning a Process", "analytic_story": ["DarkSide Ransomware", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "A slui process $parent_process_name$ spawning child process $process_name$ in host $dest$", "mitre_attack_id": ["T1548.002", "T1548"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/slui/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "slui_spawning_a_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/slui_spawning_a_process.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Spike in File Writes", "id": "fdb0f805-74e4-4539-8c00-618927333aae", "version": 3, "date": "2020-03-16", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "experimental", "description": "The search looks for a sharp increase in the number of files written to a particular host", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.action=created by _time span=1h, Filesystem.dest | `drop_dm_object_name(Filesystem)` | eventstats max(_time) as maxtime | stats count as num_data_samples max(eval(if(_time >= relative_time(maxtime, \"-1d@d\"), count, null))) as \"count\" avg(eval(if(_time upperBound) AND num_data_samples >=20, 1, 0) | search isOutlier=1 | `spike_in_file_writes_filter` ", "how_to_implement": "In order to implement this search, you must populate the Endpoint file-system data model node. This is typically populated via endpoint detection and response product, such as Carbon Black or endpoint data sources such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the file system.", "known_false_positives": "It is important to understand that if you happen to install any new applications on your hosts or are copying a large number of files, you can expect to see a large increase of file modifications.", "references": [], "tags": {"name": "Spike in File Writes", "analytic_story": ["SamSam Ransomware", "Ryuk Ransomware", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.action", "Filesystem.dest"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "spike_in_file_writes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/spike_in_file_writes.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Spoolsv Spawning Rundll32", "id": "15d905f6-da6b-11eb-ab82-acde48001122", "version": 2, "date": "2021-07-01", "author": "Mauricio Velazco, Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a suspicious child process, `rundll32.exe`, with no command-line arguments being spawned from `spoolsv.exe`. This was identified during our testing of CVE-2021-34527 previously (CVE-2021-1675) or PrintNightmare. Typically, this is not normal behavior for `spoolsv.exe` to spawn a process. During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=spoolsv.exe `process_rundll32` by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_spawning_rundll32_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Limited false positives have been identified. There are limited instances where `rundll32.exe` may be spawned by a legitimate print driver.", "references": ["https://www.truesec.com/hub/blog/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available", "https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "tags": {"name": "Spoolsv Spawning Rundll32", "analytic_story": ["PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "$parent_process$ has spawned $process_name$ on endpoint $ComputerName$. This behavior is suspicious and related to PrintNightmare.", "mitre_attack_id": ["T1547.012", "T1547"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process_id", "type": "Process", "role": ["Parent Process", "Attacker"]}, {"name": "process_id", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "cve": ["CVE-2021-34527"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "spoolsv_spawning_rundll32_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-34527", "cvss": 9.0, "summary": "Windows Print Spooler Remote Code Execution Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/spoolsv_spawning_rundll32.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Spoolsv Suspicious Loaded Modules", "id": "a5e451f8-da81-11eb-b245-acde48001122", "version": 2, "date": "2021-07-01", "author": "Mauricio Velazco, Michael Haag, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect suspicious loading of dll in specific path relative to printnightmare exploitation. In this search we try to detect the loaded modules made by spoolsv.exe after the exploitation.", "data_source": ["Sysmon Event ID 7"], "search": "`sysmon` EventCode=7 Image =\"*\\\\spoolsv.exe\" ImageLoaded=\"*\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\*\" ImageLoaded = \"*.dll\" | stats dc(ImageLoaded) as countImgloaded values(ImageLoaded) as ImgLoaded count min(_time) as firstTime max(_time) as lastTime by Image Computer ProcessId EventCode | where countImgloaded >= 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_suspicious_loaded_modules_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "references": ["https://raw.githubusercontent.com/hieuttmmo/sigma/dceb13fe3f1821b119ae495b41e24438bd97e3d0/rules/windows/image_load/sysmon_cve_2021_1675_print_nightmare.yml"], "tags": {"name": "Spoolsv Suspicious Loaded Modules", "analytic_story": ["PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "$Image$ with process id $process_id$ has loaded a driver from $ImageLoaded$ on endpoint $Computer$. This behavior is suspicious and related to PrintNightmare.", "mitre_attack_id": ["T1547.012", "T1547"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_id", "type": "Process Name", "role": ["Parent Process", "Attacker"]}, {"name": "ImageLoaded", "type": "File", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "Computer", "EventCode", "ImageLoaded"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "cve": ["CVE-2021-34527"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "spoolsv_suspicious_loaded_modules_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-34527", "cvss": 9.0, "summary": "Windows Print Spooler Remote Code Execution Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/spoolsv_suspicious_loaded_modules.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Spoolsv Suspicious Process Access", "id": "799b606e-da81-11eb-93f8-acde48001122", "version": 1, "date": "2021-07-01", "author": "Mauricio Velazco, Michael Haag, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies a suspicious behavior related to PrintNightmare, or CVE-2021-34527 previously (CVE-2021-1675), to gain privilege escalation on the vulnerable machine. This exploit attacks a critical Windows Print Spooler Vulnerability to elevate privilege. This detection is to look for suspicious process access made by the spoolsv.exe that may related to the attack.", "data_source": ["Sysmon Event ID 1"], "search": "`sysmon` EventCode=10 SourceImage = \"*\\\\spoolsv.exe\" CallTrace = \"*\\\\Windows\\\\system32\\\\spool\\\\DRIVERS\\\\x64\\\\*\" TargetImage IN (\"*\\\\rundll32.exe\", \"*\\\\spoolsv.exe\") GrantedAccess = 0x1fffff | stats count min(_time) as firstTime max(_time) as lastTime by Computer SourceImage TargetImage GrantedAccess CallTrace EventCode ProcessID| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_suspicious_process_access_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with process access event where SourceImage, TargetImage, GrantedAccess and CallTrace executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of spoolsv.exe.", "known_false_positives": "Unknown. Filter as needed.", "references": ["https://github.com/cube0x0/impacket/commit/73b9466c17761384ece11e1028ec6689abad6818", "https://www.truesec.com/hub/blog/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available", "https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "tags": {"name": "Spoolsv Suspicious Process Access", "analytic_story": ["PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "$SourceImage$ was GrantedAccess open access to $TargetImage$ on endpoint $Computer$. This behavior is suspicious and related to PrintNightmare.", "mitre_attack_id": ["T1068"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}, {"name": "ProcessID", "type": "Process", "role": ["Parent Process"]}, {"name": "TargetImage", "type": "Process Name", "role": ["Target"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "SourceImage", "TargetImage", "GrantedAccess", "CallTrace", "EventCode"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "cve": ["CVE-2021-34527"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "spoolsv_suspicious_process_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-34527", "cvss": 9.0, "summary": "Windows Print Spooler Remote Code Execution Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/spoolsv_suspicious_process_access.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Spoolsv Writing a DLL", "id": "d5bf5cf2-da71-11eb-92c2-acde48001122", "version": 1, "date": "2021-07-01", "author": "Mauricio Velazco, Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a `.dll` being written by `spoolsv.exe`. This was identified during our testing of CVE-2021-34527 previously (CVE-2021-1675) or PrintNightmare. Typically, this is not normal behavior for `spoolsv.exe` to write a `.dll`. Current POC code used will write the suspicious DLL to disk within a path of `\\spool\\drivers\\x64\\`. During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=spoolsv.exe by _time Processes.process_id Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path=\"*\\\\spool\\\\drivers\\\\x64\\\\*\" Filesystem.file_name=\"*.dll\" by _time Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process] | dedup file_create_time | table dest file_create_time, file_name, file_path, process_name | `spoolsv_writing_a_dll_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node.", "known_false_positives": "Unknown.", "references": ["https://www.truesec.com/hub/blog/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available", "https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "tags": {"name": "Spoolsv Writing a DLL", "analytic_story": ["PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "$process_name$ has been identified writing dll's to $file_path$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare.", "mitre_attack_id": ["T1547.012", "T1547"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_id", "type": "Process", "role": ["Child Process"]}, {"name": "file_path", "type": "File", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.dest", "Filesystem.file_create_time", "Filesystem.file_name", "Filesystem.file_path", "Processes.process_name", "Processes.process_id", "Processes.process_name", "Processes.dest"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "cve": ["CVE-2021-34527"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "spoolsv_writing_a_dll_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-34527", "cvss": 9.0, "summary": "Windows Print Spooler Remote Code Execution Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/spoolsv_writing_a_dll.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Spoolsv Writing a DLL - Sysmon", "id": "347fd388-da87-11eb-836d-acde48001122", "version": 1, "date": "2021-07-01", "author": "Mauricio Velazco, Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a `.dll` being written by `spoolsv.exe`. This was identified during our testing of CVE-2021-34527 previously(CVE-2021-1675) or PrintNightmare. Typically, this is not normal behavior for `spoolsv.exe` to write a `.dll`. Current POC code used will write the suspicious DLL to disk within a path of `\\spool\\drivers\\x64\\`. During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events.", "data_source": ["Sysmon Event ID 1"], "search": "`sysmon` EventID=11 process_name=spoolsv.exe file_path=\"*\\\\spool\\\\drivers\\\\x64\\\\*\" file_name=*.dll | stats count min(_time) as firstTime max(_time) as lastTime by dest, UserID, process_name, file_path, file_name, TargetFilename, process_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_writing_a_dll___sysmon_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.", "known_false_positives": "Limited false positives. Filter as needed.", "references": ["https://github.com/cube0x0/impacket/commit/73b9466c17761384ece11e1028ec6689abad6818", "https://www.truesec.com/hub/blog/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available", "https://www.truesec.com/hub/blog/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "tags": {"name": "Spoolsv Writing a DLL - Sysmon", "analytic_story": ["PrintNightmare CVE-2021-34527"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "$process_name$ has been identified writing dll's to $file_path$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare.", "mitre_attack_id": ["T1547.012", "T1547"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_id", "type": "Process", "role": ["Child Process"]}, {"name": "file_path", "type": "File", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "UserID", "process_name", "file_path", "file_name", "TargetFilename"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "cve": ["CVE-2021-34527"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "spoolsv_writing_a_dll___sysmon_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-34527", "cvss": 9.0, "summary": "Windows Print Spooler Remote Code Execution Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/spoolsv_writing_a_dll___sysmon.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Sqlite Module In Temp Folder", "id": "0f216a38-f45f-11eb-b09c-acde48001122", "version": 1, "date": "2021-08-03", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious file creation of sqlite3.dll in %temp% folder. This behavior was seen in IcedID malware where it download sqlite module to parse browser database like for chrome or firefox to stole browser information related to bank, credit card or credentials.", "data_source": ["Sysmon Event ID 1"], "search": "`sysmon` EventCode=11 (TargetFilename = \"*\\\\sqlite32.dll\" OR TargetFilename = \"*\\\\sqlite64.dll\") (TargetFilename = \"*\\\\temp\\\\*\") |stats count min(_time) as firstTime max(_time) as lastTime by process_name TargetFilename EventCode ProcessId Image | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sqlite_module_in_temp_folder_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "references": ["https://www.cisecurity.org/insights/white-papers/security-primer-icedid"], "tags": {"name": "Sqlite Module In Temp Folder", "analytic_story": ["IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "process $SourceImage$ create a file $TargetImage$ in host $Computer$", "mitre_attack_id": ["T1005"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "process_name", "TargetFilename", "EventCode", "ProcessId", "Image"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1005", "mitre_attack_technique": "Data from Local System", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT37", "APT38", "APT39", "APT41", "Andariel", "Axiom", "BRONZE BUTLER", "CURIUM", "Dark Caracal", "Dragonfly", "FIN6", "FIN7", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HAFNIUM", "Inception", "Ke3chang", "Kimsuky", "LAPSUS$", "Lazarus Group", "LuminousMoth", "Magic Hound", "Patchwork", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Turla", "Windigo", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "sqlite_module_in_temp_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/sqlite_module_in_temp_folder.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Steal or Forge Authentication Certificates Behavior Identified", "id": "87ac670e-bbfd-44ca-b566-44e9f835518d", "version": 1, "date": "2023-05-01", "author": "Michael Haag, Splunk", "type": "Correlation", "status": "production", "description": "This correlation rule focuses on detecting potential threats associated with MITRE ATT&CK T1649 (Steal or Forge Authentication Certificates). The rule is designed to identify instances where 5 or more analytics related to Windows Certificate Services analytic story that are triggered within a specified time frame, which may indicate a potential attack in progress. By aggregating these analytics, security teams can swiftly respond to and investigate any suspicious activities, enhancing their ability to protect critical assets and prevent unauthorized access to sensitive information.", "data_source": [], "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories=\"Windows Certificate Services\" All_Risk.risk_object_type=\"system\" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 5 | `steal_or_forge_authentication_certificates_behavior_identified_filter`", "how_to_implement": "The Windows Certificate Services analytic story must have 5 or more analytics enabled. In addition, ensure data is being logged that is required. Modify the correlation as needed based on volume of noise related to the other analytics.", "known_false_positives": "False positives may be present based on automated tooling or system administrators. Filter as needed.", "references": ["https://research.splunk.com/stories/windows_certificate_services/", "https://attack.mitre.org/techniques/T1649/"], "tags": {"name": "Steal or Forge Authentication Certificates Behavior Identified", "analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "Steal or Forge Authentication Certificates Behavior Identified on $risk_object$.", "mitre_attack_id": ["T1649"], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["All_Risk.analyticstories", "All_Risk.risk_object_type", "All_Risk.risk_object", "All_Risk.annotations.mitre_attack.mitre_tactic", "source"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "atomic_guid": ["290df60e-4b5d-4a5e-b0c7-dc5348ea0c86", "78b274f8-acb0-428b-b1f7-7b0d0e73330a", "7617f689-bbd8-44bc-adcd-6f8968897848"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/risk_certificate_services.log", "source": "certs", "sourcetype": "stash"}]}], "datamodel": ["Risk"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "steal_or_forge_authentication_certificates_behavior_identified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/steal_or_forge_authentication_certificates_behavior_identified.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Sunburst Correlation DLL and Network Event", "id": "701a8740-e8db-40df-9190-5516d3819787", "version": 1, "date": "2020-12-14", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "experimental", "description": "The malware sunburst will load the malicious dll by SolarWinds.BusinessLayerHost.exe. After a period of 12-14 days, the malware will attempt to resolve a subdomain of avsvmcloud.com. This detections will correlate both events.", "data_source": ["Sysmon Event ID 7"], "search": "(`sysmon` EventCode=7 ImageLoaded=*SolarWinds.Orion.Core.BusinessLayer.dll) OR (`sysmon` EventCode=22 QueryName=*avsvmcloud.com) | eventstats dc(EventCode) AS dc_events | where dc_events=2 | stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) AS ImageLoaded values(QueryName) AS QueryName by host | rename host as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `sunburst_correlation_dll_and_network_event_filter` ", "how_to_implement": "This detection relies on sysmon logs with the Event ID 7, Driver loaded. Please tune your sysmon config that you DriverLoad event for SolarWinds.Orion.Core.BusinessLayer.dll is captured by Sysmon. Additionally, you need sysmon logs for Event ID 22, DNS Query. We suggest to run this detection at least once a day over the last 14 days.", "known_false_positives": "unknown", "references": ["https://www.mandiant.com/resources/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor"], "tags": {"name": "Sunburst Correlation DLL and Network Event", "analytic_story": ["NOBELIUM Group"], "asset_type": "Windows", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "tbd", "mitre_attack_id": ["T1203"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ImageLoaded", "QueryName"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1203", "mitre_attack_technique": "Exploitation for Client Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT12", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT41", "Andariel", "Aoqin Dragon", "Axiom", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "Higaisa", "Inception", "Lazarus Group", "Leviathan", "MuddyWater", "Mustang Panda", "Patchwork", "Sandworm Team", "Sidewinder", "TA459", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "admin@338"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "sunburst_correlation_dll_and_network_event_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/sunburst_correlation_dll_and_network_event.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Suspicious Computer Account Name Change", "id": "35a61ed8-61c4-11ec-bc1e-acde48001122", "version": 1, "date": "2021-12-20", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries need to create a new computer account name and rename it to match the name of a domain controller account without the ending '$'. In Windows Active Directory environments, computer account names always end with `$`. This analytic leverages Event Id 4781, `The name of an account was changed`, to identify a computer account rename event with a suspicious name that does not terminate with `$`. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation.", "data_source": ["Windows Security 4781"], "search": "`wineventlog_security` EventCode=4781 Old_Account_Name=\"*$\" New_Account_Name!=\"*$\" | table _time, ComputerName, Account_Name, Old_Account_Name, New_Account_Name | `suspicious_computer_account_name_change_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows event logs from your hosts. In addition, the Splunk Windows TA is needed.", "known_false_positives": "Renaming a computer account name to a name that not end with '$' is highly unsual and may not have any legitimate scenarios.", "references": ["https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287"], "tags": {"name": "Suspicious Computer Account Name Change", "analytic_story": ["sAMAccountName Spoofing and Domain Controller Impersonation", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 100, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "A computer account $Old_Account_Name$ was renamed with a suspicious computer name", "mitre_attack_id": ["T1078", "T1078.002"], "nist": ["DE.CM"], "observable": [{"name": "ComputerName", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ComputerName", "Account_Name", "Old_Account_Name", "New_Account_Name"], "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "cve": ["CVE-2021-42287", "CVE-2021-42278"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "Chimera", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/samaccountname_spoofing/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_computer_account_name_change_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-42287", "cvss": 6.5, "summary": "Active Directory Domain Services Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-42278, CVE-2021-42282, CVE-2021-42291."}, {"id": "CVE-2021-42278", "cvss": 6.5, "summary": "Active Directory Domain Services Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-42282, CVE-2021-42287, CVE-2021-42291."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_computer_account_name_change.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Suspicious Copy on System32", "id": "ce633e56-25b2-11ec-9e76-acde48001122", "version": 1, "date": "2021-10-05", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to detect a suspicious copy of file from systemroot folder of the windows OS. This technique is commonly used by APT or other malware as part of execution (LOLBIN) to run its malicious code using the available legitimate tool in OS. this type of event may seen or may execute of normal user in some instance but this is really a anomaly that needs to be check within the network.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN(\"cmd.exe\", \"powershell*\",\"pwsh.exe\", \"sqlps.exe\", \"sqltoolsps.exe\", \"powershell_ise.exe\") AND `process_copy` AND Processes.process IN(\"*\\\\Windows\\\\System32\\*\", \"*\\\\Windows\\\\SysWow64\\\\*\") AND Processes.process = \"*copy*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `suspicious_copy_on_system32_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "every user may do this event but very un-ussual.", "references": ["https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"name": "Suspicious Copy on System32", "analytic_story": ["Unusual Processes", "Qakbot", "IcedID", "AsyncRAT", "Sandworm Tools", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "execution of copy exe to copy file from $process$ in $dest$", "mitre_attack_id": ["T1036.003", "T1036"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/copy_sysmon/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_copy", "definition": "(Processes.process_name=copy.exe OR Processes.original_file_name=copy.exe OR Processes.process_name=xcopy.exe OR Processes.original_file_name=xcopy.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "suspicious_copy_on_system32_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_copy_on_system32.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious Curl Network Connection", "id": "3f613dc0-21f2-4063-93b1-5d3c15eef22f", "version": 1, "date": "2021-02-22", "author": "Michael Haag, Splunk", "type": "TTP", "status": "experimental", "description": "The following analytic identifies the use of a curl contacting suspicious remote domains to checkin to Command And Control servers or download further implants. In the context of Silver Sparrow, curl is identified contacting s3.amazonaws.com. This particular behavior is common with MacOS adware-malicious software.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl Processes.process=s3.amazonaws.com by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_curl_network_connection_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Unknown. Filter as needed.", "references": ["https://redcanary.com/blog/clipping-silver-sparrows-wings/", "https://www.marcosantadev.com/manage-plist-files-plistbuddy/"], "tags": {"name": "Suspicious Curl Network Connection", "analytic_story": ["Silver Sparrow", "Ingress Tool Transfer", "Linux Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command And Control"], "message": "tbd", "mitre_attack_id": ["T1105"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_curl_network_connection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_curl_network_connection.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious DLLHost no Command Line Arguments", "id": "ff61e98c-0337-4593-a78f-72a676c56f26", "version": 4, "date": "2023-06-13", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_dllhost` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(dllhost\\.exe.{0,4}$)\" | `suspicious_dllhost_no_command_line_arguments_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Limited false positives may be present in small environments. Tuning may be required based on parent process.", "references": ["https://raw.githubusercontent.com/threatexpress/malleable-c2/c3385e481159a759f79b8acfe11acf240893b830/jquery-c2.4.2.profile", "https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/"], "tags": {"name": "Suspicious DLLHost no Command Line Arguments", "analytic_story": ["Cobalt Strike", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Suspicious dllhost.exe process with no command line arguments executed on $dest$ by $user$", "mitre_attack_id": ["T1055"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_dllhost", "definition": "(Processes.process_name=dllhost.exe OR Processes.original_file_name=dllhost.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "suspicious_dllhost_no_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious Driver Loaded Path", "id": "f880acd4-a8f1-11eb-a53b-acde48001122", "version": 1, "date": "2021-04-29", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic will detect suspicious driver loaded paths. This technique is commonly used by malicious software like coin miners (xmrig) to register its malicious driver from notable directories where executable or drivers do not commonly exist. During triage, validate this driver is for legitimate business use. Review the metadata and certificate information. Unsigned drivers from non-standard paths is not normal, but occurs. In addition, review driver loads into `ntoskrnl.exe` for possible other drivers of interest. Long tail analyze drivers by path (outside of default, and in default) for further review.", "data_source": ["Sysmon Event ID 6"], "search": "`sysmon` EventCode=6 ImageLoaded = \"*.sys\" NOT (ImageLoaded IN(\"*\\\\WINDOWS\\\\inf\",\"*\\\\WINDOWS\\\\System32\\\\drivers\\\\*\", \"*\\\\WINDOWS\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\")) | stats min(_time) as firstTime max(_time) as lastTime count by Computer ImageLoaded Hashes IMPHASH Signature Signed | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_driver_loaded_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the driver loaded and Signature from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Limited false positives will be present. Some applications do load drivers", "references": ["https://www.trendmicro.com/vinfo/hk/threat-encyclopedia/malware/trojan.ps1.powtran.a/", "https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/"], "tags": {"name": "Suspicious Driver Loaded Path", "analytic_story": ["XMRig", "CISA AA22-320A", "AgentTesla"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "Suspicious driver $ImageLoaded$ on $Computer$", "mitre_attack_id": ["T1543.003", "T1543"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}, {"name": "ImageLoaded", "type": "File Name", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Computer", "ImageLoaded", "Hashes", "IMPHASH", "Signature", "Signed"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_driver_loaded_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_driver_loaded_path.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Suspicious Event Log Service Behavior", "id": "2b85aa3d-f5f6-4c2e-a081-a09f6e1c2e40", "version": 1, "date": "2021-06-17", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes Windows Event ID 1100 to identify when Windows event log service is shutdown. Note that this is a voluminous analytic that will require tuning or restricted to specific endpoints based on criticality. This event generates every time Windows Event Log service has shut down. It also generates during normal system shutdown. During triage, based on time of day and user, determine if this was planned. If not planned, follow through with reviewing parallel alerts and other data sources to determine what else may have occurred.", "data_source": ["Sysmon Event ID 1"], "search": "(`wineventlog_security` EventCode=1100) | stats count min(_time) as firstTime max(_time) as lastTime by dest Message EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_event_log_service_behavior_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows event logs from your hosts. In addition, the Splunk Windows TA is needed.", "known_false_positives": "It is possible the Event Logging service gets shut down due to system errors or legitimately administration tasks. Filter as needed.", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1100", "https://www.ired.team/offensive-security/defense-evasion/disabling-windows-event-logs-by-suspending-eventlog-service-threads", "https://attack.mitre.org/techniques/T1070/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"], "tags": {"name": "Suspicious Event Log Service Behavior", "analytic_story": ["Windows Log Manipulation", "Ransomware", "Clop Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "The Windows Event Log Service shutdown on $ComputerName$", "mitre_attack_id": ["T1070", "T1070.001"], "nist": ["DE.CM"], "observable": [{"name": "ComputerName", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "dest"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.001/atomic_red_team/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_event_log_service_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_event_log_service_behavior.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Suspicious GPUpdate no Command Line Arguments", "id": "f308490a-473a-40ef-ae64-dd7a6eba284a", "version": 3, "date": "2023-06-13", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies gpupdate.exe with no command line arguments. It is unusual for gpupdate.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. gpupdate.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_gpupdate` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(gpupdate\\.exe.{0,4}$)\" | `suspicious_gpupdate_no_command_line_arguments_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Limited false positives may be present in small environments. Tuning may be required based on parent process.", "references": ["https://raw.githubusercontent.com/xx0hcd/Malleable-C2-Profiles/0ef8cf4556e26f6d4190c56ba697c2159faa5822/crimeware/trick_ryuk.profile", "https://www.cobaltstrike.com/blog/learn-pipe-fitting-for-all-of-your-offense-projects/"], "tags": {"name": "Suspicious GPUpdate no Command Line Arguments", "analytic_story": ["Cobalt Strike", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Suspicious gpupdate.exe process with no command line arguments executed on $dest$ by $user$", "mitre_attack_id": ["T1055"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_gpupdate", "definition": "(Processes.process_name=gpupdate.exe OR Processes.original_file_name=GPUpdate.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "suspicious_gpupdate_no_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious IcedID Rundll32 Cmdline", "id": "bed761f8-ee29-11eb-8bf3-acde48001122", "version": 2, "date": "2021-07-26", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious rundll32.exe commandline to execute dll file. This technique was seen in IcedID malware to load its payload dll with the following parameter to load encrypted dll payload which is the license.dat.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*/i:* by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_icedid_rundll32_cmdline_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "limitted. this parameter is not commonly used by windows application but can be used by the network operator.", "references": ["https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/"], "tags": {"name": "Suspicious IcedID Rundll32 Cmdline", "analytic_story": ["IcedID", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "rundll32 process $process_name$ with commandline $process$ in host $dest$", "mitre_attack_id": ["T1218", "T1218.011"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "suspicious_icedid_rundll32_cmdline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_icedid_rundll32_cmdline.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious Image Creation In Appdata Folder", "id": "f6f904c4-1ac0-11ec-806b-acde48001122", "version": 2, "date": "2022-07-07", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious creation of image in appdata folder made by process that also has a file reference in appdata folder. This technique was seen in remcos rat that capture screenshot of the compromised machine and place it in the appdata and will be send to its C2 server. This TTP is really a good indicator to check that process because it is in suspicious folder path and image files are not commonly created by user in this folder path.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=*.exe Processes.process_path=\"*\\\\appdata\\\\Roaming\\\\*\" by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid |join proc_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*.png\",\"*.jpg\",\"*.bmp\",\"*.gif\",\"*.tiff\") Filesystem.file_path= \"*\\\\appdata\\\\Roaming\\\\*\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` |rename process_guid as proc_guid | fields _time dest file_create_time file_name file_path process_name process_path process proc_guid] | `suspicious_image_creation_in_appdata_folder_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "references": ["https://success.trendmicro.com/dcx/s/solution/1123281-remcos-malware-information?language=en_US", "https://blog.malwarebytes.com/threat-intelligence/2021/07/remcos-rat-delivered-via-visual-basic/"], "tags": {"name": "Suspicious Image Creation In Appdata Folder", "analytic_story": ["Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "process $process_name$ creating image file $file_path$ in $dest$", "mitre_attack_id": ["T1113"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "file_create_time", "file_name", "file_path", "process_name", "process_path", "process"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1113", "mitre_attack_technique": "Screen Capture", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT39", "BRONZE BUTLER", "Dark Caracal", "Dragonfly", "FIN7", "GOLD SOUTHFIELD", "Gamaredon Group", "Group5", "Magic Hound", "MuddyWater", "OilRig", "Silence"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_agent/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_image_creation_in_appdata_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious Kerberos Service Ticket Request", "id": "8b1297bc-6204-11ec-b7c4-acde48001122", "version": 1, "date": "2021-12-20", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries will request and obtain a Kerberos Service Ticket (TGS) with a domain controller computer account as the Service Name. This Service Ticket can be then used to take control of the domain controller on the final part of the attack. This analytic leverages Event Id 4769, `A Kerberos service ticket was requested`, to identify an unusual TGS request where the Account_Name requesting the ticket matches the Service_Name field. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation.", "data_source": ["Windows Security 4769"], "search": " `wineventlog_security` EventCode=4769 | eval isSuspicious = if(lower(Service_Name) = lower(mvindex(split(Account_Name,\"@\"),0)+\"$\"),1,0) | where isSuspicious = 1 | table _time, Client_Address, Account_Name, Service_Name, Failure_Code, isSuspicious | `suspicious_kerberos_service_ticket_request_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "We have tested this detection logic with ~2 million 4769 events and did not identify false positives. However, they may be possible in certain environments. Filter as needed.", "references": ["https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/02636893-7a1f-4357-af9a-b672e3e3de13"], "tags": {"name": "Suspicious Kerberos Service Ticket Request", "analytic_story": ["sAMAccountName Spoofing and Domain Controller Impersonation", "Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 100, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "A suspicious Kerberos Service Ticket was requested by $Account_Name$", "mitre_attack_id": ["T1078", "T1078.002"], "nist": ["DE.CM"], "observable": [{"name": "ComputerName", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Service_Name", "Account_Name", "Client_Address", "Failure_Code"], "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "cve": ["CVE-2021-42287", "CVE-2021-42278"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "Chimera", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/samaccountname_spoofing/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_kerberos_service_ticket_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-42287", "cvss": 6.5, "summary": "Active Directory Domain Services Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-42278, CVE-2021-42282, CVE-2021-42291."}, {"id": "CVE-2021-42278", "cvss": 6.5, "summary": "Active Directory Domain Services Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-42282, CVE-2021-42287, CVE-2021-42291."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_kerberos_service_ticket_request.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Suspicious Linux Discovery Commands", "id": "0edd5112-56c9-11ec-b990-acde48001122", "version": 1, "date": "2021-12-06", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "This search, detects execution of suspicious bash commands from various commonly leveraged bash scripts like (AutoSUID, LinEnum, LinPeas) to perform discovery of possible paths of privilege execution, password files, vulnerable directories, executables and file permissions on a Linux host.\\\nThe search logic specifically looks for high number of distinct commands run in a short period of time.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process) values(Processes.process_name) values(Processes.parent_process_name) dc(Processes.process) as distinct_commands dc(Processes.process_name) as distinct_process_names min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where [|inputlookup linux_tool_discovery_process.csv | rename process as Processes.process |table Processes.process] by _time span=5m Processes.user Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| where distinct_commands > 40 AND distinct_process_names > 3| `suspicious_linux_discovery_commands_filter`", "how_to_implement": "This detection search is based on Splunk add-on for Microsoft Sysmon-Linux.(https://splunkbase.splunk.com/app/6176/). Please install this add-on to parse fields correctly and execute detection search. Consider customizing the time window and threshold values according to your environment.", "known_false_positives": "Unless an administrator is using these commands to troubleshoot or audit a system, the execution of these commands should be monitored.", "references": ["https://attack.mitre.org/matrices/enterprise/linux/", "https://attack.mitre.org/techniques/T1059/004/", "https://github.com/IvanGlinkin/AutoSUID", "https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS", "https://github.com/rebootuser/LinEnum"], "tags": {"name": "Suspicious Linux Discovery Commands", "analytic_story": ["Linux Post-Exploitation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Installation"], "message": "Suspicious Linux Discovery Commands detected on $dest$", "mitre_attack_id": ["T1059.004"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.parent_process_name", "Processes.user", "Processes.process_name"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.004", "mitre_attack_technique": "Unix Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT41", "Rocke", "TeamTNT"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.004/linux_discovery_tools/sysmon_linux.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_linux_discovery_commands_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_linux_discovery_commands.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious microsoft workflow compiler rename", "id": "f0db4464-55d9-11eb-ae93-0242ac130002", "version": 4, "date": "2023-06-13", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies a renamed instance of microsoft.workflow.compiler.exe. Microsoft.workflow.compiler.exe is natively found in C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319 and is rarely utilized. When investigating, identify the executed code on disk and review. A spawned child process from microsoft.workflow.compiler.exe is uncommon. In any instance, microsoft.workflow.compiler.exe spawning from an Office product or any living off the land binary is highly suspect.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=microsoft.workflow.compiler.exe AND Processes.original_file_name=Microsoft.Workflow.Compiler.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_microsoft_workflow_compiler_rename_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Although unlikely, some legitimate applications may use a moved copy of microsoft.workflow.compiler.exe, triggering a false positive.", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md#atomic-test-6---microsoftworkflowcompilerexe-payload-execution"], "tags": {"name": "Suspicious microsoft workflow compiler rename", "analytic_story": ["Masquerading - Rename System Utilities", "Trusted Developer Utilities Proxy Execution", "Graceful Wipe Out Attack", "Living Off The Land", "Cobalt Strike"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Suspicious renamed microsoft.workflow.compiler.exe binary ran on $dest$ by $user$", "mitre_attack_id": ["T1036", "T1127", "T1036.003"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_microsoft_workflow_compiler_rename_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious microsoft workflow compiler usage", "id": "9bbc62e8-55d8-11eb-ae93-0242ac130002", "version": 2, "date": "2021-01-12", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies microsoft.workflow.compiler.exe usage. microsoft.workflow.compiler.exe is natively found in C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319 and is rarely utilized. When investigating, identify the executed code on disk and review. It is not a commonly used process by many applications.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_microsoftworkflowcompiler` by Processes.dest Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_microsoft_workflow_compiler_usage_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Although unlikely, limited instances have been identified coming from native Microsoft utilities similar to SCCM.", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Msbuild/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md#atomic-test-6---microsoftworkflowcompilerexe-payload-execution"], "tags": {"name": "Suspicious microsoft workflow compiler usage", "analytic_story": ["Trusted Developer Utilities Proxy Execution", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Suspicious microsoft.workflow.compiler.exe process ran on $dest$ by $user$", "mitre_attack_id": ["T1127"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_microsoftworkflowcompiler", "definition": "(Processes.process_name=microsoft.workflow.compiler.exe OR Processes.original_file_name=Microsoft.Workflow.Compiler.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "suspicious_microsoft_workflow_compiler_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious msbuild path", "id": "f5198224-551c-11eb-ae93-0242ac130002", "version": 3, "date": "2023-06-13", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies msbuild.exe executing from a non-standard path. Msbuild.exe is natively found in C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319 and C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319. Instances of Visual Studio will run a copy of msbuild.exe. A moved instance of MSBuild is suspicious, however there are instances of build applications that will move or use a copy of MSBuild.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_msbuild` AND (Processes.process_path!=*\\\\framework*\\\\v*\\\\*) by Processes.dest Processes.original_file_name Processes.parent_process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `suspicious_msbuild_path_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Some legitimate applications may use a moved copy of msbuild.exe, triggering a false positive. Baselining of MSBuild.exe usage is recommended to better understand it's path usage. Visual Studio runs an instance out of a path that will need to be filtered on.", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Msbuild/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"], "tags": {"name": "Suspicious msbuild path", "analytic_story": ["Masquerading - Rename System Utilities", "Graceful Wipe Out Attack", "Living Off The Land", "Trusted Developer Utilities Proxy Execution MSBuild", "Cobalt Strike"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Msbuild.exe ran from an uncommon path on $dest$ execyted by $user$", "mitre_attack_id": ["T1036", "T1127", "T1036.003", "T1127.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_msbuild", "definition": "(Processes.process_name=msbuild.exe OR Processes.original_file_name=MSBuild.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "suspicious_msbuild_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_msbuild_path.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious MSBuild Rename", "id": "4006adac-5937-11eb-ae93-0242ac130002", "version": 3, "date": "2023-06-13", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies renamed instances of msbuild.exe executing. Msbuild.exe is natively found in C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319 and C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319. During investigation, identify the code executed and what is executing a renamed instance of MSBuild.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=msbuild.exe AND Processes.original_file_name=MSBuild.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_msbuild_rename_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Although unlikely, some legitimate applications may use a moved copy of msbuild, triggering a false positive.", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Msbuild/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md", "https://github.com/infosecn1nja/MaliciousMacroMSBuild/"], "tags": {"name": "Suspicious MSBuild Rename", "analytic_story": ["Masquerading - Rename System Utilities", "Graceful Wipe Out Attack", "Living Off The Land", "Trusted Developer Utilities Proxy Execution MSBuild", "Cobalt Strike"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Suspicious renamed msbuild.exe binary ran on $dest$ by $user$", "mitre_attack_id": ["T1036", "T1127", "T1036.003", "T1127.001"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_msbuild_rename_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_msbuild_rename.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious MSBuild Spawn", "id": "a115fba6-5514-11eb-ae93-0242ac130002", "version": 2, "date": "2021-01-12", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies wmiprvse.exe spawning msbuild.exe. This behavior is indicative of a COM object being utilized to spawn msbuild from wmiprvse.exe. It is common for MSBuild.exe to be spawned from devenv.exe while using Visual Studio. In this instance, there will be command line arguments and file paths. In a malicious instance, MSBuild.exe will spawn from non-standard processes and have no command line arguments. For example, MSBuild.exe spawning from explorer.exe, powershell.exe is far less common and should be investigated.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=wmiprvse.exe AND `process_msbuild` by Processes.dest Processes.parent_process Processes.original_file_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_msbuild_spawn_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Msbuild/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"], "tags": {"name": "Suspicious MSBuild Spawn", "analytic_story": ["Trusted Developer Utilities Proxy Execution MSBuild", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Suspicious msbuild.exe process executed on $dest$ by $user$", "mitre_attack_id": ["T1127", "T1127.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_msbuild", "definition": "(Processes.process_name=msbuild.exe OR Processes.original_file_name=MSBuild.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "suspicious_msbuild_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_msbuild_spawn.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious mshta child process", "id": "60023bb6-5500-11eb-ae93-0242ac130002", "version": 1, "date": "2021-01-12", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies child processes spawning from \"mshta.exe\". The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, parent process \"mshta.exe\" and its child process.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=mshta.exe AND (Processes.process_name=powershell.exe OR Processes.process_name=colorcpl.exe OR Processes.process_name=msbuild.exe OR Processes.process_name=microsoft.workflow.compiler.exe OR Processes.process_name=searchprotocolhost.exe OR Processes.process_name=scrcons.exe OR Processes.process_name=cscript.exe OR Processes.process_name=wscript.exe OR Processes.process_name=powershell.exe OR Processes.process_name=cmd.exe) by Processes.dest Processes.parent_process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_mshta_child_process_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.", "references": ["https://github.com/redcanaryco/AtomicTestHarnesses", "https://redcanary.com/blog/introducing-atomictestharnesses/"], "tags": {"name": "Suspicious mshta child process", "analytic_story": ["Suspicious MSHTA Activity", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "suspicious mshta child process detected on host $dest$ by user $user$.", "mitre_attack_id": ["T1218", "T1218.005"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "parent_process", "type": "Process Name", "role": ["Parent Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.parent_process_name", "Processes.dest", "Processes.parent_process", "Processes.user"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_mshta_child_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_mshta_child_process.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious mshta spawn", "id": "4d33a488-5b5f-11eb-ae93-0242ac130002", "version": 2, "date": "2021-01-20", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies wmiprvse.exe spawning mshta.exe. This behavior is indicative of a DCOM object being utilized to spawn mshta from wmiprvse.exe or svchost.exe. In this instance, adversaries may use LethalHTA that will spawn mshta.exe from svchost.exe.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=svchost.exe OR Processes.parent_process_name=wmiprvse.exe) AND `process_mshta` by Processes.dest Processes.parent_process Processes.user Processes.original_file_name| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_mshta_spawn_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.", "references": ["https://codewhitesec.blogspot.com/2018/07/lethalhta.html", "https://github.com/redcanaryco/AtomicTestHarnesses", "https://redcanary.com/blog/introducing-atomictestharnesses/"], "tags": {"name": "Suspicious mshta spawn", "analytic_story": ["Suspicious MSHTA Activity", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "mshta.exe spawned by wmiprvse.exe on $dest$", "mitre_attack_id": ["T1218", "T1218.005"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_mshta", "definition": "(Processes.process_name=mshta.exe OR Processes.original_file_name=MSHTA.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "suspicious_mshta_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_mshta_spawn.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious PlistBuddy Usage", "id": "c3194009-e0eb-4f84-87a9-4070f8688f00", "version": 1, "date": "2021-02-22", "author": "Michael Haag, Splunk", "type": "TTP", "status": "experimental", "description": "The following analytic identifies the use of a native MacOS utility, PlistBuddy, creating or modifying a properly list (.plist) file. In the instance of Silver Sparrow, the following commands were executed:\\\n- PlistBuddy -c \"Add :Label string init_verx\" ~/Library/Launchagents/init_verx.plist \\\n- PlistBuddy -c \"Add :RunAtLoad bool true\" ~/Library/Launchagents/init_verx.plist \\\n- PlistBuddy -c \"Add :StartInterval integer 3600\" ~/Library/Launchagents/init_verx.plist \\\n- PlistBuddy -c \"Add :ProgramArguments array\" ~/Library/Launchagents/init_verx.plist \\\n- PlistBuddy -c \"Add :ProgramArguments:0 string /bin/sh\" ~/Library/Launchagents/init_verx.plist \\\n- PlistBuddy -c \"Add :ProgramArguments:1 string -c\" ~/Library/Launchagents/init_verx.plist \\\nUpon triage, capture the property list file being written to disk and review for further indicators. Contain the endpoint and triage further.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=PlistBuddy (Processes.process=*LaunchAgents* OR Processes.process=*RunAtLoad* OR Processes.process=*true*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_plistbuddy_usage_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Some legitimate applications may use PlistBuddy to create or modify property lists and possibly generate false positives. Review the property list being modified or created to confirm.", "references": ["https://www.marcosantadev.com/manage-plist-files-plistbuddy/"], "tags": {"name": "Suspicious PlistBuddy Usage", "analytic_story": ["Silver Sparrow"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "message": "tbd", "mitre_attack_id": ["T1543.001", "T1543"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543.001", "mitre_attack_technique": "Launch Agent", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_plistbuddy_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_plistbuddy_usage.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious PlistBuddy Usage via OSquery", "id": "20ba6c32-c733-4a32-b64e-2688cf231399", "version": 1, "date": "2021-02-22", "author": "Michael Haag, Splunk", "type": "TTP", "status": "experimental", "description": "The following analytic identifies the use of a native MacOS utility, PlistBuddy, creating or modifying a properly list (.plist) file. In the instance of Silver Sparrow, the following commands were executed:\\\n- PlistBuddy -c \"Add :Label string init_verx\" ~/Library/Launchagents/init_verx.plist \\\n- PlistBuddy -c \"Add :RunAtLoad bool true\" ~/Library/Launchagents/init_verx.plist \\\n- PlistBuddy -c \"Add :StartInterval integer 3600\" ~/Library/Launchagents/init_verx.plist \\\n- PlistBuddy -c \"Add :ProgramArguments array\" ~/Library/Launchagents/init_verx.plist \\\n- PlistBuddy -c \"Add :ProgramArguments:0 string /bin/sh\" ~/Library/Launchagents/init_verx.plist \\\n- PlistBuddy -c \"Add :ProgramArguments:1 string -c\" ~/Library/Launchagents/init_verx.plist \\\nUpon triage, capture the property list file being written to disk and review for further indicators. Contain the endpoint and triage further.", "data_source": [], "search": "`osquery_process` \"columns.cmdline\"=\"*LaunchAgents*\" OR \"columns.cmdline\"=\"*RunAtLoad*\" OR \"columns.cmdline\"=\"*true*\" | `suspicious_plistbuddy_usage_via_osquery_filter`", "how_to_implement": "OSQuery must be installed and configured to pick up process events (info at https://osquery.io) as well as using the Splunk OSQuery Add-on https://splunkbase.splunk.com/app/4402. Modify the macro and validate fields are correct.", "known_false_positives": "Some legitimate applications may use PlistBuddy to create or modify property lists and possibly generate false positives. Review the property list being modified or created to confirm.", "references": ["https://www.marcosantadev.com/manage-plist-files-plistbuddy/"], "tags": {"name": "Suspicious PlistBuddy Usage via OSquery", "analytic_story": ["Silver Sparrow"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "message": "tbd", "mitre_attack_id": ["T1543.001", "T1543"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "columns.cmdline"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543.001", "mitre_attack_technique": "Launch Agent", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "datamodel": [], "macros": [{"name": "osquery_process", "definition": "eventtype=\"osquery-process\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_plistbuddy_usage_via_osquery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_plistbuddy_usage_via_osquery.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "id": "3cf0dc36-484d-11ec-a6bc-acde48001122", "version": 2, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic detects a suspicious process making a DNS query via known, abused text-paste web services, VoIP, instant messaging, and digital distribution platforms used to download external files. This technique is abused by adversaries, malware actors, and red teams to download a malicious file on the target host. This is a good TTP indicator for possible initial access techniques. A user will experience false positives if the following instant messaging is allowed or common applications like telegram or discord are allowed in the corporate network.", "data_source": ["Sysmon Event ID 22"], "search": "`sysmon` EventCode=22 QueryName IN (\"*pastebin*\", \"*discord*\", \"*telegram*\", \"*t.me*\") process_name IN (\"cmd.exe\", \"*powershell*\", \"pwsh.exe\", \"wscript.exe\", \"cscript.exe\") | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus process_name QueryResults Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_dns_query_known_abuse_web_services_filter`", "how_to_implement": "This detection relies on sysmon logs with the Event ID 22, DNS Query. We suggest you run this detection at least once a day over the last 14 days.", "known_false_positives": "Noise and false positive can be seen if the following instant messaging is allowed to use within corporate network. In this case, a filter is needed.", "references": ["https://urlhaus.abuse.ch/url/1798923/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"name": "Suspicious Process DNS Query Known Abuse Web Services", "analytic_story": ["Data Destruction", "WhisperGate", "Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation"], "message": "suspicious process $process_name$ has a dns query in $QueryName$ on $Computer$", "mitre_attack_id": ["T1059.005", "T1059"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "QueryName", "QueryStatus", "process_name", "QueryResults", "Computer"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_pastebin_download/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_process_dns_query_known_abuse_web_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_process_dns_query_known_abuse_web_services.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Suspicious Process File Path", "id": "9be25988-ad82-11eb-a14f-acde48001122", "version": 1, "date": "2023-06-13", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies a suspicious processes running in file paths that are not typically associated with legitimate software. Adversaries often employ this technique to drop and execute malicious executables in accessible locations that do not require administrative privileges. By monitoring for processes running in such unconventional file paths, we can identify potential indicators of compromise and proactively respond to malicious activity. This analytic plays a crucial role in enhancing system security by pinpointing suspicious behaviors commonly associated with malware and unauthorized software execution.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_path = \"*\\\\windows\\\\fonts\\\\*\" OR Processes.process_path = \"*\\\\windows\\\\temp\\\\*\" OR Processes.process_path = \"*\\\\users\\\\public\\\\*\" OR Processes.process_path = \"*\\\\windows\\\\debug\\\\*\" OR Processes.process_path = \"*\\\\Users\\\\Administrator\\\\Music\\\\*\" OR Processes.process_path = \"*\\\\Windows\\\\servicing\\\\*\" OR Processes.process_path = \"*\\\\Users\\\\Default\\\\*\" OR Processes.process_path = \"*Recycle.bin*\" OR Processes.process_path = \"*\\\\Windows\\\\Media\\\\*\" OR Processes.process_path = \"\\\\Windows\\\\repair\\\\*\" OR Processes.process_path = \"*\\\\temp\\\\*\" OR Processes.process_path = \"*\\\\PerfLogs\\\\*\" by Processes.parent_process_name Processes.parent_process Processes.process_path Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_file_path_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators may allow execution of specific binaries in non-standard paths. Filter as needed.", "references": ["https://www.trendmicro.com/vinfo/hk/threat-encyclopedia/malware/trojan.ps1.powtran.a/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://twitter.com/pr0xylife/status/1590394227758104576", "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"name": "Suspicious Process File Path", "analytic_story": ["WhisperGate", "XMRig", "Industroyer2", "Remcos", "Data Destruction", "Hermetic Wiper", "Azorult", "DarkCrystal RAT", "Graceful Wipe Out Attack", "IcedID", "Swift Slicer", "Qakbot", "RedLine Stealer", "Brute Ratel C4", "Prestige Ransomware", "AsyncRAT", "LockBit Ransomware", "AgentTesla", "Double Zero Destructor", "Volt Typhoon", "Chaos Ransomware", "Trickbot", "Amadey"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "Suspicious process $process_name$ running from a suspicious process path- $process_path$ on host- $dest$", "mitre_attack_id": ["T1543"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_path", "type": "Process Name", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_path", "Processes.dest", "Processes.user"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_process_file_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_process_file_path.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious Process With Discord DNS Query", "id": "4d4332ae-792c-11ec-89c1-acde48001122", "version": 2, "date": "2023-04-14", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic identifies a process making a DNS query to Discord, a well known instant messaging and digital distribution platform. Discord can be abused by adversaries, as seen in the WhisperGate campaign, to host and download malicious. external files. A process resolving a Discord DNS name could be an indicator of malware trying to download files from Discord for further execution.", "data_source": ["Sysmon Event ID 22"], "search": "`sysmon` EventCode=22 QueryName IN (\"*discord*\") Image != \"*\\\\AppData\\\\Local\\\\Discord\\\\*\" AND Image != \"*\\\\Program Files*\" AND Image != \"discord.exe\" | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus process_name QueryResults Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_with_discord_dns_query_filter`", "how_to_implement": "his detection relies on sysmon logs with the Event ID 22, DNS Query.", "known_false_positives": "Noise and false positive can be seen if the following instant messaging is allowed to use within corporate network. In this case, a filter is needed.", "references": ["https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"name": "Suspicious Process With Discord DNS Query", "analytic_story": ["Data Destruction", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation"], "message": "suspicious process $process_name$ has a dns query in $QueryName$ on $Computer$", "mitre_attack_id": ["T1059.005", "T1059"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process Name", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "QueryName", "QueryStatus", "process_name", "QueryResults", "Computer"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.005/discord_dnsquery/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_process_with_discord_dns_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_process_with_discord_dns_query.yml", "source": "endpoint"}, {"name": "Suspicious Reg exe Process", "id": "a6b3ab4e-dd77-4213-95fa-fc94701995e0", "version": 4, "date": "2020-07-22", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "production", "description": "This search looks for reg.exe being launched from a command prompt not started by the user. When a user launches cmd.exe, the parent process is usually explorer.exe. This search filters out those instances.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name != explorer.exe Processes.process_name =cmd.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest Processes.process_id Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.parent_process_name=cmd.exe Processes.process_name= reg.exe by Processes.parent_process_id Processes.dest Processes.process_name | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename parent_process_id as process_id |dedup process_id| table process_id dest] | `suspicious_reg_exe_process_filter` ", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "It's possible for system administrators to write scripts that exhibit this behavior. If this is the case, the search will need to be modified to filter them out.", "references": ["https://car.mitre.org/wiki/CAR-2013-03-001/"], "tags": {"name": "Suspicious Reg exe Process", "analytic_story": ["Windows Defense Evasion Tactics", "Disabling Security Tools", "DHS Report TA18-074A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to add a registry entry.", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.parent_process_name", "Processes.process_name", "Processes.user", "Processes.parent_process_name", "Processes.dest", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_reg_exe_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_reg_exe_process.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious Regsvr32 Register Suspicious Path", "id": "62732736-6250-11eb-ae93-0242ac130002", "version": 3, "date": "2023-03-02", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "Adversaries may abuse Regsvr32.exe to proxy execution of malicious code by using non-standard file extensions to load DLLs. Upon investigating, look for network connections to remote destinations (internal or external). Review additional parrallel processes and child processes for additional activity.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` Processes.process IN (\"*\\\\appdata\\\\*\", \"*\\\\programdata\\\\*\",\"*\\\\windows\\\\temp\\\\*\") NOT (Processes.process IN (\"*.dll*\", \"*.ax*\", \"*.ocx*\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_regsvr32_register_suspicious_path_filter`", "how_to_implement": "You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints, to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the \"process\" field in the Endpoint data model. Tune the query by filtering additional extensions found to be used by legitimate processes. To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Limited false positives with the query restricted to specified paths. Add more world writeable paths as tuning continues.", "references": ["https://attack.mitre.org/techniques/T1218/010/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/", "https://support.microsoft.com/en-us/topic/how-to-use-the-regsvr32-tool-and-troubleshoot-regsvr32-error-messages-a98d960a-7392-e6fe-d90a-3f4e0cb543e5", "https://any.run/report/f29a7d2ecd3585e1e4208e44bcc7156ab5388725f1d29d03e7699da0d4598e7c/0826458b-5367-45cf-b841-c95a33a01718"], "tags": {"name": "Suspicious Regsvr32 Register Suspicious Path", "analytic_story": ["Suspicious Regsvr32 Activity", "Icedid", "Living Off The Land", "Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to evade detection by using a non-standard file extension.", "mitre_attack_id": ["T1218", "T1218.010"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.010/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_regsvr32", "definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_regsvr32_register_suspicious_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious Rundll32 dllregisterserver", "id": "8c00a385-9b86-4ac0-8932-c9ec3713b159", "version": 2, "date": "2021-02-09", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies rundll32.exe using dllregisterserver on the command line to load a DLL. When a DLL is registered, the DllRegisterServer method entry point in the DLL is invoked. This is typically seen when a DLL is being registered on the system. Not every instance is considered malicious, but it will capture malicious use of it. During investigation, review the parent process and parrellel processes executing. Capture the DLL being loaded and inspect further. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*dllregisterserver* by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_dllregisterserver_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "This is likely to produce false positives and will require some filtering. Tune the query by adding command line paths to known good DLLs, or filtering based on parent process names.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east", "https://github.com/pan-unit42/tweets/blob/master/2020-12-10-IOCs-from-Ursnif-infection-with-Delf-variant.txt", "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/", "https://docs.microsoft.com/en-us/windows/win32/api/olectl/nf-olectl-dllregisterserver?redirectedfrom=MSDN"], "tags": {"name": "Suspicious Rundll32 dllregisterserver", "analytic_story": ["Suspicious Rundll32 Activity", "Living Off The Land", "IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to register a DLL. code", "mitre_attack_id": ["T1218", "T1218.011"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "suspicious_rundll32_dllregisterserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_rundll32_dllregisterserver.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious Rundll32 no Command Line Arguments", "id": "e451bd16-e4c5-4109-8eb1-c4c6ecf048b4", "version": 3, "date": "2023-06-13", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_rundll32` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(rundll32\\.exe.{0,4}$)\" | `suspicious_rundll32_no_command_line_arguments_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", "https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/"], "tags": {"name": "Suspicious Rundll32 no Command Line Arguments", "analytic_story": ["Cobalt Strike", "PrintNightmare CVE-2021-34527", "Suspicious Rundll32 Activity", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Suspicious rundll32.exe process with no command line arguments executed on $dest$ by $user$", "mitre_attack_id": ["T1218", "T1218.011"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2021-34527"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "suspicious_rundll32_no_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-34527", "cvss": 9.0, "summary": "Windows Print Spooler Remote Code Execution Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious Rundll32 PluginInit", "id": "92d51712-ee29-11eb-b1ae-acde48001122", "version": 2, "date": "2021-07-26", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious rundll32.exe process with plugininit parameter. This technique is commonly seen in IcedID malware to execute its initial dll stager to download another payload to the compromised machine.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*PluginInit* by Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.parent_process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_plugininit_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "third party application may used this dll export name to execute function.", "references": ["https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/"], "tags": {"name": "Suspicious Rundll32 PluginInit", "analytic_story": ["IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "rundll32 process $process_name$ with commandline $process$ in host $dest$", "mitre_attack_id": ["T1218", "T1218.011"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "suspicious_rundll32_plugininit_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_rundll32_plugininit.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious Rundll32 StartW", "id": "9319dda5-73f2-4d43-a85a-67ce961bddb7", "version": 3, "date": "2023-06-13", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies rundll32.exe executing a DLL function name, Start and StartW, on the command line that is commonly observed with Cobalt Strike x86 and x64 DLL payloads. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64. Typically, the DLL will be written and loaded from a world writeable path or user location. In most instances it will not have a valid certificate (Unsigned). During investigation, review the parent process and other parallel application execution. Capture and triage the DLL in question. In the instance of Cobalt Strike, rundll32.exe is the default process it opens and injects shellcode into. This default process can be changed, but typically is not.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*start* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_startw_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Although unlikely, some legitimate applications may use Start as a function and call it via the command line. Filter as needed.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/index.htm#cshid=1036", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", "https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/"], "tags": {"name": "Suspicious Rundll32 StartW", "analytic_story": ["Cobalt Strike", "Suspicious Rundll32 Activity", "Graceful Wipe Out Attack", "Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "rundll32.exe running with suspicious parameters on $dest$", "mitre_attack_id": ["T1218", "T1218.011"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "suspicious_rundll32_startw_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_rundll32_startw.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious Scheduled Task from Public Directory", "id": "7feb7972-7ac3-11eb-bac8-acde48001122", "version": 1, "date": "2021-03-01", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic, \"Suspicious Scheduled Task from Public Directory\", detects the registration of scheduled tasks aimed to execute a binary or script from public directories, a behavior often associated with malware deployment. It utilizes the Sysmon Event ID 1 data source, searching for instances where schtasks.exe is connected with the directories users\\public, \\programdata\\, or \\windows\\temp and involves the /create command.\\\nThe registration of such scheduled tasks in public directories could suggest that an attacker is trying to maintain persistence or execute malicious scripts. If confirmed as a true positive, this could lead to data compromise, unauthorized access, and potential lateral movement within the network.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe (Processes.process=*\\\\users\\\\public\\\\* OR Processes.process=*\\\\programdata\\\\* OR Processes.process=*windows\\\\temp*) Processes.process=*/create* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `suspicious_scheduled_task_from_public_directory_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "The main source of false positives could be the legitimate use of scheduled tasks from these directories. Careful tuning of this search may be necessary to suit the specifics of your environment, reducing the rate of false positives.", "references": ["https://attack.mitre.org/techniques/T1053/005/"], "tags": {"name": "Suspicious Scheduled Task from Public Directory", "analytic_story": ["Ransomware", "Ryuk Ransomware", "Windows Persistence Techniques", "Living Off The Land", "Azorult", "DarkCrystal RAT", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "Suspicious scheduled task registered on $dest$", "mitre_attack_id": ["T1053.005", "T1053"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/schtasks/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_scheduled_task_from_public_directory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious SearchProtocolHost no Command Line Arguments", "id": "f52d2db8-31f9-4aa7-a176-25779effe55c", "version": 3, "date": "2023-06-13", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies searchprotocolhost.exe with no command line arguments. It is unusual for searchprotocolhost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. searchprotocolhost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=searchprotocolhost.exe by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(searchprotocolhost\\.exe.{0,4}$)\" | `suspicious_searchprotocolhost_no_command_line_arguments_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Limited false positives may be present in small environments. Tuning may be required based on parent process.", "references": ["https://github.com/mandiant/red_team_tool_countermeasures/blob/master/rules/PGF/supplemental/hxioc/SUSPICIOUS%20EXECUTION%20OF%20SEARCHPROTOCOLHOST%20(METHODOLOGY).ioc"], "tags": {"name": "Suspicious SearchProtocolHost no Command Line Arguments", "analytic_story": ["Cobalt Strike", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Suspicious searchprotocolhost.exe process with no command line arguments executed on $dest$ by $user$", "mitre_attack_id": ["T1055"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_searchprotocolhost_no_command_line_arguments_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious SQLite3 LSQuarantine Behavior", "id": "e1997b2e-655f-4561-82fd-aeba8e1c1a86", "version": 1, "date": "2021-02-22", "author": "Michael Haag, Splunk", "type": "TTP", "status": "experimental", "description": "The following analytic identifies the use of a SQLite3 querying the MacOS preferences to identify the original URL the pkg was downloaded from. This particular behavior is common with MacOS adware-malicious software. Upon triage, review other processes in parallel for suspicious activity. Identify any recent package installations.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sqlite3 Processes.process=*LSQuarantine* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_sqlite3_lsquarantine_behavior_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Unknown.", "references": ["https://redcanary.com/blog/clipping-silver-sparrows-wings/", "https://www.marcosantadev.com/manage-plist-files-plistbuddy/"], "tags": {"name": "Suspicious SQLite3 LSQuarantine Behavior", "analytic_story": ["Silver Sparrow"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1074"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1074", "mitre_attack_technique": "Data Staged", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Wizard Spider"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_sqlite3_lsquarantine_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_sqlite3_lsquarantine_behavior.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious Ticket Granting Ticket Request", "id": "d77d349e-6269-11ec-9cfe-acde48001122", "version": 1, "date": "2021-12-21", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries will need to request a Kerberos Ticket Granting Ticket (TGT) on behalf of the newly created and renamed computer account. The TGT request will be preceded by a computer account name event. This analytic leverages Event Id 4781, `The name of an account was changed` and event Id 4768 `A Kerberos authentication ticket (TGT) was requested` to correlate a sequence of events where the new computer account on event id 4781 matches the request account on event id 4768. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation.", "data_source": ["Windows Security 4768"], "search": " `wineventlog_security` (EventCode=4781 Old_Account_Name=\"*$\" New_Account_Name!=\"*$\") OR (EventCode=4768 Account_Name!=\"*$\") | eval RenamedComputerAccount = coalesce(New_Account_Name, mvindex(Account_Name,0)) | transaction RenamedComputerAccount startswith=(EventCode=4781) endswith=(EventCode=4768) | eval short_lived=case((duration<2),\"TRUE\") | search short_lived = TRUE | table _time, ComputerName, EventCode, Account_Name,RenamedComputerAccount, short_lived |`suspicious_ticket_granting_ticket_request_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "A computer account name change event inmediately followed by a kerberos TGT request with matching fields is unsual. However, legitimate behavior may trigger it. Filter as needed.", "references": ["https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287"], "tags": {"name": "Suspicious Ticket Granting Ticket Request", "analytic_story": ["sAMAccountName Spoofing and Domain Controller Impersonation", "Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 100, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "A suspicious TGT was requested was requested", "mitre_attack_id": ["T1078", "T1078.002"], "nist": ["DE.AE"], "observable": [{"name": "ComputerName", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Old_Account_Name", "New_Account_Name", "Account_Name", "ComputerName"], "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "Chimera", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/samaccountname_spoofing/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_ticket_granting_ticket_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_ticket_granting_ticket_request.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Suspicious WAV file in Appdata Folder", "id": "5be109e6-1ac5-11ec-b421-acde48001122", "version": 2, "date": "2022-07-07", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to detect a suspicious creation of .wav file in appdata folder. This behavior was seen in Remcos RAT malware where it put the audio recording in the appdata\\audio folde as part of data collection. this recording can be send to its C2 server as part of its exfiltration to the compromised machine. creation of wav files in this folder path is not a ussual disk place used by user to save audio format file.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=*.exe Processes.process_path=\"*\\\\appdata\\\\Roaming\\\\*\" by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid | join proc_guid, _time [ | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*.wav\") Filesystem.file_path = \"*\\\\appdata\\\\Roaming\\\\*\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` |rename process_guid as proc_guid | fields file_name file_path process_name process_path process dest file_create_time _time proc_guid] | `suspicious_wav_file_in_appdata_folder_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, file_name, file_path and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "references": ["https://success.trendmicro.com/dcx/s/solution/1123281-remcos-malware-information?language=en_US", "https://blog.malwarebytes.com/threat-intelligence/2021/07/remcos-rat-delivered-via-visual-basic/"], "tags": {"name": "Suspicious WAV file in Appdata Folder", "analytic_story": ["Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "process $process_name$ creating image file $file_path$ in $dest$", "mitre_attack_id": ["T1113"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "file_create_time", "file_name", "file_path", "process_name", "process_path", "process"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1113", "mitre_attack_technique": "Screen Capture", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT39", "BRONZE BUTLER", "Dark Caracal", "Dragonfly", "FIN7", "GOLD SOUTHFIELD", "Gamaredon Group", "Group5", "Magic Hound", "MuddyWater", "OilRig", "Silence"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_agent/sysmon_wav.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_wav_file_in_appdata_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_wav_file_in_appdata_folder.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious wevtutil Usage", "id": "2827c0fd-e1be-4868-ae25-59d28e0f9d4f", "version": 4, "date": "2021-10-11", "author": "David Dorsey, Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The wevtutil.exe application is the windows event log utility. This searches for wevtutil.exe with parameters for clearing the application, security, setup, trace or system event logs.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wevtutil.exe Processes.process IN (\"* cl *\", \"*clear-log*\") (Processes.process=\"*System*\" OR Processes.process=\"*Security*\" OR Processes.process=\"*Setup*\" OR Processes.process=\"*Application*\" OR Processes.process=\"*trace*\") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `suspicious_wevtutil_usage_filter`", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "The wevtutil.exe application is a legitimate Windows event log utility. Administrators may use it to manage Windows event logs.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"], "tags": {"name": "Suspicious wevtutil Usage", "analytic_story": ["Windows Log Manipulation", "Ransomware", "Clop Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "kill_chain_phases": ["Exploitation"], "message": "Wevtutil.exe being used to clear Event Logs on $dest$ by $user$", "mitre_attack_id": ["T1070.001", "T1070"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.process_name", "Processes.parent_process_name", "Processes.dest", "Processes.user"], "risk_score": 28, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_wevtutil_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_wevtutil_usage.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Suspicious writes to windows Recycle Bin", "id": "b5541828-8ffd-4070-9d95-b3da4de924cb", "version": 4, "date": "2020-07-22", "author": "Rico Valdez, Splunk", "type": "TTP", "status": "production", "description": "This search detects writes to the recycle bin by a process other than explorer.exe.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.file_path) as file_path values(Filesystem.file_name) as file_name FROM datamodel=Endpoint.Filesystem where Filesystem.file_path = \"*$Recycle.Bin*\" by Filesystem.process_id Filesystem.dest | `drop_dm_object_name(\"Filesystem\")`| search [| tstats `security_content_summariesonly` values(Processes.user) as user values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name FROM datamodel=Endpoint.Processes where Processes.process_name != \"explorer.exe\" by Processes.process_id Processes.dest| `drop_dm_object_name(\"Processes\")` | table process_id dest] | `suspicious_writes_to_windows_recycle_bin_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on filesystem and process logs responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` nodes.", "known_false_positives": "Because the Recycle Bin is a hidden folder in modern versions of Windows, it would be unusual for a process other than explorer.exe to write to it. Incidents should be investigated as appropriate.", "references": [], "tags": {"name": "Suspicious writes to windows Recycle Bin", "analytic_story": ["Collection and Staging"], "asset_type": "Windows", "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "kill_chain_phases": ["Exploitation"], "message": "Suspicious writes to windows Recycle Bin process $Processes.process_name$", "mitre_attack_id": ["T1036"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "Processes.process_name", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.file_path", "Filesystem.file_name", "Filesystem.process_id", "Filesystem.dest", "Processes.user", "Processes.process_name", "Processes.parent_process_name", "Processes.process_id", "Processes.dest"], "risk_score": 28, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/write_to_recycle_bin/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "suspicious_writes_to_windows_recycle_bin_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Svchost LOLBAS Execution Process Spawn", "id": "09e5c72a-4c0d-11ec-aa29-3e22fbd008af", "version": 2, "date": "2021-11-22", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic is designed to spot instances of 'svchost.exe' initiating a Living Off The Land Binaries and Scripts (LOLBAS) execution process. Often, adversaries manipulate Task Scheduler to execute code on remote endpoints, resulting in the spawning of a malicious command as a child process of 'svchost.exe'. By tracking child processes of 'svchost.exe' that align with the LOLBAS project, potential lateral movement activity can be detected. The analytic examines process details, including the process name, parent process, and command-line executions. A comprehensive list of LOLBAS processes is included in the search parameters. Although the analytic might catch legitimate applications exhibiting this behavior, these instances should be filtered accordingly. The findings from this analytic offer valuable insight into potentially malicious activities on an endpoint.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=svchost.exe) (Processes.process_name IN (\"Regsvcs.exe\", \"Ftp.exe\", \"OfflineScannerShell.exe\", \"Rasautou.exe\", \"Schtasks.exe\", \"Xwizard.exe\", \"Pnputil.exe\", \"Atbroker.exe\", \"Pcwrun.exe\", \"Ttdinject.exe\",\"Mshta.exe\", \"Bitsadmin.exe\", \"Certoc.exe\", \"Ieexec.exe\", \"Microsoft.Workflow.Compiler.exe\", \"Runscripthelper.exe\", \"Forfiles.exe\", \"Msbuild.exe\", \"Register-cimprovider.exe\", \"Tttracer.exe\", \"Ie4uinit.exe\", \"Bash.exe\", \"Hh.exe\", \"SettingSyncHost.exe\", \"Cmstp.exe\", \"Stordiag.exe\", \"Scriptrunner.exe\", \"Odbcconf.exe\", \"Extexport.exe\", \"Msdt.exe\", \"WorkFolders.exe\", \"Diskshadow.exe\", \"Mavinject.exe\", \"Regasm.exe\", \"Gpscript.exe\", \"Regsvr32.exe\", \"Msiexec.exe\", \"Wuauclt.exe\", \"Presentationhost.exe\", \"Wmic.exe\", \"Runonce.exe\", \"Syncappvpublishingserver.exe\", \"Verclsid.exe\", \"Infdefaultinstall.exe\", \"Installutil.exe\", \"Netsh.exe\", \"Wab.exe\", \"Dnscmd.exe\", \"At.exe\", \"Pcalua.exe\", \"Msconfig.exe\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `svchost_lolbas_execution_process_spawn_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints.", "known_false_positives": "Legitimate applications may trigger this behavior, filter as needed.", "references": ["https://attack.mitre.org/techniques/T1053/005/", "https://www.ired.team/offensive-security/persistence/t1053-schtask", "https://lolbas-project.github.io/"], "tags": {"name": "Svchost LOLBAS Execution Process Spawn", "analytic_story": ["Active Directory Lateral Movement", "Living Off The Land", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "message": "Svchost.exe spawned a LOLBAS process on $dest$", "mitre_attack_id": ["T1053", "T1053.005"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/lateral_movement_lolbas/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "svchost_lolbas_execution_process_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/svchost_lolbas_execution_process_spawn.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "System Info Gathering Using Dxdiag Application", "id": "f92d74f2-4921-11ec-b685-acde48001122", "version": 1, "date": "2021-11-19", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "This analytic is to detect a suspicious dxdiag.exe process command-line execution. Dxdiag is used to collect the system info of the target host. This technique has been used by Remcos RATS, various actors, and other malware to collect information as part of the recon or collection phase of an attack. This behavior should rarely be seen in a corporate network, but this command line can be used by a network administrator to audit host machine specifications. Thus in some rare cases, this detection will contain false positives in its results. To triage further, analyze what commands were passed after it pipes out the result to a file for further processing.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_dxdiag` AND Processes.process = \"* /t *\" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_info_gathering_using_dxdiag_application_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "This commandline can be used by a network administrator to audit host machine specifications. Thus, a filter is needed.", "references": ["https://app.any.run/tasks/df0baf9f-8baf-4c32-a452-16562ecb19be/"], "tags": {"name": "System Info Gathering Using Dxdiag Application", "analytic_story": ["Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Reconnaissance"], "message": "dxdiag.exe process with commandline $process$ on $dest$", "mitre_attack_id": ["T1592"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/t1592/host_info_dxdiag/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_dxdiag", "definition": "(Processes.process_name=dxdiag.exe OR Processes.original_file_name=dxdiag.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "system_info_gathering_using_dxdiag_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/system_info_gathering_using_dxdiag_application.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "System Information Discovery Detection", "id": "8e99f89e-ae58-4ebc-bf52-ae0b1a277e72", "version": 2, "date": "2021-09-07", "author": "Patrick Bareiss, Splunk", "type": "TTP", "status": "production", "description": "Detect system information discovery techniques used by attackers to understand configurations of the system to further exploit it.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process=\"*wmic* qfe*\" OR Processes.process=*systeminfo* OR Processes.process=*hostname*) by Processes.user Processes.process_name Processes.process Processes.dest Processes.parent_process_name | `drop_dm_object_name(Processes)` | eventstats dc(process) as dc_processes_by_dest by dest | where dc_processes_by_dest > 2 | stats values(process) as process min(firstTime) as firstTime max(lastTime) as lastTime by user, dest parent_process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_information_discovery_detection_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators debugging servers", "references": ["https://web.archive.org/web/20210119205146/https://oscp.infosecsanyam.in/priv-escalation/windows-priv-escalation"], "tags": {"name": "System Information Discovery Detection", "analytic_story": ["Discovery Techniques"], "asset_type": "Windows", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Potential system information discovery behavior on $dest$ by $User$", "mitre_attack_id": ["T1082"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.user", "Processes.process_name", "Processes.dest"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TeamTNT", "Tropic Trooper", "Turla", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "system_information_discovery_detection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/system_information_discovery_detection.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "System Processes Run From Unexpected Locations", "id": "a34aae96-ccf8-4aef-952c-3ea21444444d", "version": 6, "date": "2020-12-08", "author": "David Dorsey, Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "This search looks for system processes that typically execute from `C:\\Windows\\System32\\` or `C:\\Windows\\SysWOW64`. This may indicate a malicious process that is trying to hide as a legitimate process.\\\nThis detection utilizes a lookup that is deduped `system32` and `syswow64` directories from Server 2016 and Windows 10.\\\nDuring triage, review the parallel processes - what process moved the native Windows binary? identify any artifacts on disk and review. If a remote destination is contacted, what is the reputation?", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_path !=\"C:\\\\Windows\\\\System32*\" Processes.process_path !=\"C:\\\\Windows\\\\SysWOW64*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_hash | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `is_windows_system_file` | `system_processes_run_from_unexpected_locations_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "This detection may require tuning based on third party applications utilizing native Windows binaries in non-standard paths.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml", "https://attack.mitre.org/techniques/T1036/003/"], "tags": {"name": "System Processes Run From Unexpected Locations", "analytic_story": ["Suspicious Command-Line Executions", "Unusual Processes", "Ransomware", "Masquerading - Rename System Utilities", "Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "A System process $process_name$ is running from $process_path$ on $dest$, potentially non-standard.", "mitre_attack_id": ["T1036", "T1036.003"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}, {"name": "process_path", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_path", "Processes.user", "Processes.dest", "Processes.process_name", "Processes.process_id", "Processes.parent_process_name", "Processes.process_hash"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "is_windows_system_file", "definition": "lookup update=true is_windows_system_file filename as process_name OUTPUT systemFile | search systemFile=true", "description": "This macro limits the output to process names that are in the Windows System directory"}, {"name": "system_processes_run_from_unexpected_locations_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/system_processes_run_from_unexpected_locations.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "System User Discovery With Query", "id": "ad03bfcf-8a91-4bc2-a500-112993deba87", "version": 1, "date": "2021-09-13", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `query.exe` with command-line arguments utilized to discover the logged user. Red Teams and adversaries alike may leverage `query.exe` to identify system users on a compromised endpoint for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"query.exe\") (Processes.process=*user*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_user_discovery_with_query_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1033/"], "tags": {"name": "System User Discovery With Query", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "System user discovery on $dest$", "mitre_attack_id": ["T1033"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Windshift", "Wizard Spider", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "system_user_discovery_with_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/system_user_discovery_with_query.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "System User Discovery With Whoami", "id": "894fc43e-6f50-47d5-a68b-ee9ee23e18f4", "version": 1, "date": "2023-04-05", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `whoami.exe` without any arguments. This windows native binary prints out the current logged user. Red Teams and adversaries alike may leverage `whoami.exe` to identify system users on a compromised endpoint for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"whoami.exe\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `system_user_discovery_with_whoami_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1033/"], "tags": {"name": "System User Discovery With Whoami", "analytic_story": ["Winter Vivern", "Active Directory Discovery", "Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "System user discovery on $dest$", "mitre_attack_id": ["T1033"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Windshift", "Wizard Spider", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "system_user_discovery_with_whoami_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/system_user_discovery_with_whoami.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Time Provider Persistence Registry", "id": "5ba382c4-2105-11ec-8d8f-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to detect a suspicious modification of time provider registry for persistence and autostart. This technique can allow the attacker to persist on the compromised host and autostart as soon as the machine boot up. This TTP can be a good indicator of suspicious behavior since this registry is not commonly modified by normal user or even an admin.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `time_provider_persistence_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "references": ["https://pentestlab.blog/2019/10/22/persistence-time-providers/", "https://attack.mitre.org/techniques/T1547/003/"], "tags": {"name": "Time Provider Persistence Registry", "analytic_story": ["Hermetic Wiper", "Windows Privilege Escalation", "Windows Persistence Techniques", "Windows Registry Abuse", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "modified/added/deleted registry entry $Registry.registry_path$ in $dest$", "mitre_attack_id": ["T1547.003", "T1547"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.003", "mitre_attack_technique": "Time Providers", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.003/timeprovider_reg/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "time_provider_persistence_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/time_provider_persistence_registry.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Trickbot Named Pipe", "id": "1804b0a4-a682-11eb-8f68-acde48001122", "version": 1, "date": "2021-04-26", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "this search is to detect potential trickbot infection through the create/connected named pipe to the system. This technique is used by trickbot to communicate to its c2 to post or get command during infection.", "data_source": [], "search": "`sysmon` EventCode IN (17,18) PipeName=\"\\\\pipe\\\\*lacesomepipe\" | stats min(_time) as firstTime max(_time) as lastTime count by Computer user_id EventCode PipeName signature Image process_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `trickbot_named_pipe_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and pipename from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. .", "known_false_positives": "unknown", "references": ["https://labs.vipre.com/trickbot-and-its-modules/", "https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/"], "tags": {"name": "Trickbot Named Pipe", "analytic_story": ["Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Possible Trickbot namedpipe created on $Computer$ by $Image$", "mitre_attack_id": ["T1055"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}, {"name": "Image", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Computer", "user_id", "EventCode", "PipeName", "signature", "Image", "process_id"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/namedpipe/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "trickbot_named_pipe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/trickbot_named_pipe.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "UAC Bypass MMC Load Unsigned Dll", "id": "7f04349c-e30d-11eb-bc7f-acde48001122", "version": 1, "date": "2021-07-12", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious loaded unsigned dll by MMC.exe application. This technique is commonly seen in attacker that tries to bypassed UAC feature or gain privilege escalation. This is done by modifying some CLSID registry that will trigger the mmc.exe to load the dll path", "data_source": ["Sysmon Event ID 7"], "search": "`sysmon` EventCode=7 ImageLoaded = \"*.dll\" Image = \"*\\\\mmc.exe\" Signed=false Company != \"Microsoft Corporation\" | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded Signed ProcessId OriginalFileName Computer EventCode Company | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `uac_bypass_mmc_load_unsigned_dll_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown. all of the dll loaded by mmc.exe is microsoft signed dll.", "references": ["https://offsec.almond.consulting/UAC-bypass-dotnet.html"], "tags": {"name": "UAC Bypass MMC Load Unsigned Dll", "analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Suspicious unsigned $ImageLoaded$ loaded by $Image$ on endpoint $Computer$ with EventCode $EventCode$", "mitre_attack_id": ["T1548.002", "T1548", "T1218.014"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "ImageLoaded", "Signed", "ProcessId", "OriginalFileName", "Computer", "EventCode", "Company"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/uac_bypass/windows-sysmon2.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "uac_bypass_mmc_load_unsigned_dll_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/uac_bypass_mmc_load_unsigned_dll.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "UAC Bypass With Colorui COM Object", "id": "2bcccd20-fc2b-11eb-8d22-acde48001122", "version": 1, "date": "2021-08-13", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a possible uac bypass using the colorui.dll COM Object. this technique was seen in so many malware and ransomware like lockbit where it make use of the colorui.dll COM CLSID to bypass UAC.", "data_source": ["Sysmon Event ID 7"], "search": "`sysmon` EventCode=7 ImageLoaded=\"*\\\\colorui.dll\" process_name != \"colorcpl.exe\" NOT(Image IN(\"*\\\\windows\\\\*\", \"*\\\\program files*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name Computer EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `uac_bypass_with_colorui_com_object_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "not so common. but 3rd part app may load this dll.", "references": ["https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/"], "tags": {"name": "UAC Bypass With Colorui COM Object", "analytic_story": ["Ransomware", "LockBit Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "The following module $ImageLoaded$ was loaded by a non-standard application on endpoint $Computer$ by user $user$.", "mitre_attack_id": ["T1218", "T1218.003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "ImageLoaded", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "ImageLoaded", "process_name", "Computer", "EventCode", "Signed", "ProcessId"], "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.003", "mitre_attack_technique": "CMSTP", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "MuddyWater"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.015/uac_colorui/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "uac_bypass_with_colorui_com_object_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/uac_bypass_with_colorui_com_object.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Uninstall App Using MsiExec", "id": "1fca2b28-f922-11eb-b2dd-acde48001122", "version": 1, "date": "2021-08-09", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious un-installation of application using msiexec. This technique was seen in conti leak tool and script where it tries to uninstall AV product using this commandline. This commandline to uninstall product is not a common practice in enterprise network.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=msiexec.exe Processes.process= \"* /qn *\" Processes.process= \"*/X*\" Processes.process= \"*REBOOT=*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `uninstall_app_using_msiexec_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown.", "references": ["https://threadreaderapp.com/thread/1423361119926816776.html"], "tags": {"name": "Uninstall App Using MsiExec", "analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "process $process_name$ with a cmdline $process$ in host $dest$", "mitre_attack_id": ["T1218.007", "T1218"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.007", "mitre_attack_technique": "Msiexec", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Machete", "Molerats", "Rancor", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/conti/conti_leak/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "uninstall_app_using_msiexec_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/uninstall_app_using_msiexec.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Unknown Process Using The Kerberos Protocol", "id": "c91a0852-9fbb-11ec-af44-acde48001122", "version": 1, "date": "2022-03-09", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a process performing an outbound connection on port 88 used by default by the network authentication protocol Kerberos. Typically, on a regular Windows endpoint, only the lsass.exe process is the one tasked with connecting to the Kerberos Distribution Center to obtain Kerberos tickets. Identifying an unknown process using this protocol may be evidence of an adversary abusing the Kerberos protocol.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name!=lsass.exe by _time Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port = 88 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` ] | table _time dest parent_process_name process_name process_path process process_id dest_port | `unknown_process_using_the_kerberos_protocol_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting your endpoint events and populating the Endpoint and Network data models.", "known_false_positives": "Custom applications may leverage the Kerberos protocol. Filter as needed.", "references": ["https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/", "https://www.thehacker.recipes/ad/movement/kerberos/ptk"], "tags": {"name": "Unknown Process Using The Kerberos Protocol", "analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "", "mitre_attack_id": ["T1550"], "nist": ["DE.CM"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}, {"name": "dest_ip", "type": "IP Address", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Traffic.dest_ip", "All_Traffic.dest_port", "All_Traffic.src_ip", "Processes.process_id", "Processes.process_name", "Processes.dest", "Processes.process_path", "Processes.process", "Processes.parent_process_name"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550/rubeus/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog"}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550/rubeus/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint", "Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "unknown_process_using_the_kerberos_protocol_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Unload Sysmon Filter Driver", "id": "e5928ff3-23eb-4d8b-b8a4-dcbc844fdfbe", "version": 4, "date": "2022-06-01", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "Attackers often disable security tools to avoid detection. This search looks for the usage of process `fltMC.exe` to unload a Sysmon Driver that will stop sysmon from collecting the data.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fltMC.exe AND Processes.process=*unload* AND Processes.process=*SysmonDrv* by Processes.process_name Processes.process_id Processes.parent_process_name Processes.process Processes.dest Processes.user | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` |`unload_sysmon_filter_driver_filter`| table firstTime lastTime dest user count process_name process_id parent_process_name process", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \"process\" field in the Endpoint data model. This search is also shipped with `unload_sysmon_filter_driver_filter` macro, update this macro to filter out false positives.", "known_false_positives": "Unknown at the moment", "references": ["https://www.ired.team/offensive-security/defense-evasion/unloading-sysmon-driver"], "tags": {"name": "Unload Sysmon Filter Driver", "analytic_story": ["Disabling Security Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Possible Sysmon filter driver unloading on $dest$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_name", "Processes.dest", "Processes.user"], "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/unload_sysmon/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "unload_sysmon_filter_driver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/unload_sysmon_filter_driver.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Unloading AMSI via Reflection", "id": "a21e3484-c94d-11eb-b55b-acde48001122", "version": 1, "date": "2023-04-14", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \\\nThis analytic identifies the behavior of AMSI being tampered with. Implemented natively in many frameworks, the command will look similar to `SEtValuE($Null,(New-OBJEct COLlECtionS.GenerIC.HAshSEt{[StrINg]))}$ReF=[ReF].AsSeMbLY.GeTTyPe(\"System.Management.Automation.Amsi\"+\"Utils\")` taken from Powershell-Empire. \\\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = *system.management.automation.amsi* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `unloading_amsi_via_reflection_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Potential for some third party applications to disable AMSI upon invocation. Filter as needed.", "references": ["https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf", "https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/"], "tags": {"name": "Unloading AMSI via Reflection", "analytic_story": ["Malicious PowerShell", "Hermetic Wiper", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "message": "Possible AMSI Unloading via Reflection using PowerShell on $Computer$", "mitre_attack_id": ["T1562", "T1059.001", "T1059"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "unloading_amsi_via_reflection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/unloading_amsi_via_reflection.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Unusual Number of Computer Service Tickets Requested", "id": "ac3b81c0-52f4-11ec-ac44-acde48001122", "version": 1, "date": "2021-12-01", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "experimental", "description": "The following hunting analytic leverages Event ID 4769, `A Kerberos service ticket was requested`, to identify an unusual number of computer service ticket requests from one source. When a domain joined endpoint connects to a remote endpoint, it first will request a Kerberos Ticket with the computer name as the Service Name. An endpoint requesting a large number of computer service tickets for different endpoints could represent malicious behavior like lateral movement, malware staging, reconnaissance, etc.\\\nThe detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of service requests. To customize this analytic, users can try different combinations of the `bucket` span time, the calculation of the `upperBound` field as well as the Outlier calculation. This logic can be used for real time security monitoring as well as threat hunting exercises.\\", "data_source": ["Windows Security 4769"], "search": " `wineventlog_security` EventCode=4769 Service_Name=\"*$\" Account_Name!=\"*$*\" | bucket span=2m _time | stats dc(Service_Name) AS unique_targets values(Service_Name) as host_targets by _time, Client_Address, Account_Name | eventstats avg(unique_targets) as comp_avg , stdev(unique_targets) as comp_std by Client_Address, Account_Name | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_targets >10 and unique_targets >= upperBound, 1, 0) | `unusual_number_of_computer_service_tickets_requested_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "An single endpoint requesting a large number of computer service tickets is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systeams and missconfigured systems.", "references": ["https://attack.mitre.org/techniques/T1078/"], "tags": {"name": "Unusual Number of Computer Service Tickets Requested", "analytic_story": ["Active Directory Lateral Movement", "Active Directory Kerberos Attacks", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "", "mitre_attack_id": ["T1078"], "nist": ["DE.AE"], "observable": [{"name": "Client_Address", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Ticket_Options", "Ticket_Encryption_Type", "dest", "service", "service_id"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "unusual_number_of_computer_service_tickets_requested_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/unusual_number_of_computer_service_tickets_requested.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Unusual Number of Kerberos Service Tickets Requested", "id": "eb3e6702-8936-11ec-98fe-acde48001122", "version": 1, "date": "2022-02-08", "author": "Mauricio Velazco, Splunk", "type": "Anomaly", "status": "production", "description": "The following hunting analytic leverages Kerberos Event 4769, A Kerberos service ticket was requested, to identify a potential kerberoasting attack against Active Directory networks. Kerberoasting allows an adversary to request kerberos tickets for domain accounts typically used as service accounts and attempt to crack them offline allowing them to obtain privileged access to the domain.\\\nThe detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number service ticket requests. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field.", "data_source": ["Windows Security 4769"], "search": " `wineventlog_security` EventCode=4769 Service_Name!=\"*$\" Ticket_Encryption_Type=0x17 | bucket span=2m _time | stats dc(Service_Name) AS unique_services values(Service_Name) as requested_services by _time, Client_Address | eventstats avg(unique_services) as comp_avg , stdev(unique_services) as comp_std by Client_Address | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_services > 2 and unique_services >= upperBound, 1, 0) | search isOutlier=1 | `unusual_number_of_kerberos_service_tickets_requested_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "An single endpoint requesting a large number of kerberos service tickets is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems.", "references": ["https://attack.mitre.org/techniques/T1558/003/", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting"], "tags": {"name": "Unusual Number of Kerberos Service Tickets Requested", "analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1558", "T1558.003"], "nist": ["DE.AE"], "observable": [{"name": "Client_Address", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Ticket_Options", "Ticket_Encryption_Type", "dest", "Service_Name", "service_id", "Client_Address"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/rubeus/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "unusual_number_of_kerberos_service_tickets_requested_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Unusual Number of Remote Endpoint Authentication Events", "id": "acb5dc74-5324-11ec-a36d-acde48001122", "version": 1, "date": "2021-12-01", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "experimental", "description": "The following hunting analytic leverages Event ID 4624, `An account was successfully logged on`, to identify an unusual number of remote authentication attempts coming from one source. An endpoint authenticating to a large number of remote endpoints could represent malicious behavior like lateral movement, malware staging, reconnaissance, etc.\\\nThe detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual high number of authentication events. To customize this analytic, users can try different combinations of the `bucket` span time, the calculation of the `upperBound` field as well as the Outlier calculation. This logic can be used for real time security monitoring as well as threat hunting exercises.\\", "data_source": ["Windows Security 4624"], "search": " `wineventlog_security` EventCode=4624 Logon_Type=3 Account_Name!=\"*$\" | eval Source_Account = mvindex(Account_Name, 1) | bucket span=2m _time | stats dc(ComputerName) AS unique_targets values(ComputerName) as target_hosts by _time, Source_Network_Address, Source_Account | eventstats avg(unique_targets) as comp_avg , stdev(unique_targets) as comp_std by Source_Network_Address, Source_Account | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_targets >10 and unique_targets >= upperBound, 1, 0) | `unusual_number_of_remote_endpoint_authentication_events_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "An single endpoint authenticating to a large number of hosts is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, jump servers and missconfigured systems.", "references": ["https://attack.mitre.org/techniques/T1078/"], "tags": {"name": "Unusual Number of Remote Endpoint Authentication Events", "analytic_story": ["Active Directory Lateral Movement", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "", "mitre_attack_id": ["T1078"], "nist": ["DE.AE"], "observable": [{"name": "ComputerName", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Logon_Type", "Caller_Process_Name", "Security_ID", "Account_Name", "ComputerName"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "unusual_number_of_remote_endpoint_authentication_events_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/unusual_number_of_remote_endpoint_authentication_events.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Unusually Long Command Line", "id": "c77162d3-f93c-45cc-80c8-22f6a4264e7f", "version": 5, "date": "2020-12-08", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "experimental", "description": "Command lines that are extremely long may be indicative of malicious activity on your hosts.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| eval processlen=len(process) | eventstats stdev(processlen) as stdev, avg(processlen) as avg by dest | stats max(processlen) as maxlen, values(stdev) as stdevperhost, values(avg) as avgperhost by dest, user, process_name, process | `unusually_long_command_line_filter` |eval threshold = 3 | where maxlen > ((threshold*stdevperhost) + avgperhost)", "how_to_implement": "You must be ingesting endpoint data that tracks process activity, including parent-child relationships, from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the process field in the Endpoint data model.", "known_false_positives": "Some legitimate applications start with long command lines.", "references": [], "tags": {"name": "Unusually Long Command Line", "analytic_story": ["Suspicious Command-Line Executions", "Unusual Processes", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 70, "kill_chain_phases": [], "message": "Unusually long command line $Processes.process_name$ on $dest$", "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "Processes.process_name", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.user", "Processes.dest", "Processes.process_name", "Processes.process"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "unusually_long_command_line_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/unusually_long_command_line.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Unusually Long Command Line - MLTK", "id": "57edaefa-a73b-45e5-bbae-f39c1473f941", "version": 1, "date": "2019-05-08", "author": "Rico Valdez, Splunk", "type": "Anomaly", "status": "experimental", "description": "Command lines that are extremely long may be indicative of malicious activity on your hosts. This search leverages the Machine Learning Toolkit (MLTK) to help identify command lines with lengths that are unusual for a given user.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| eval processlen=len(process) | search user!=unknown | apply cmdline_pdfmodel threshold=0.01 | rename \"IsOutlier(processlen)\" as isOutlier | search isOutlier > 0 | table firstTime lastTime user dest process_name process processlen count | `unusually_long_command_line___mltk_filter`", "how_to_implement": "You must be ingesting endpoint data that monitors command lines and populates the Endpoint data model in the Processes node. The command-line arguments are mapped to the \"process\" field in the Endpoint data model. In addition, MLTK version >= 4.2 must be installed on your search heads, along with any required dependencies. Finally, the support search \"Baseline of Command Line Length - MLTK\" must be executed before this detection search, as it builds an ML model over the historical data used by this search. It is important that this search is run in the same app context as the associated support search, so that the model created by the support search is available for use. You should periodically re-run the support search to rebuild the model with the latest data available in your environment.", "known_false_positives": "Some legitimate applications use long command lines for installs or updates. You should review identified command lines for legitimacy. You may modify the first part of the search to omit legitimate command lines from consideration. If you are seeing more results than desired, you may consider changing the value of threshold in the search to a smaller value. You should also periodically re-run the support search to re-build the ML model on the latest data. You may get unexpected results if the user identified in the results is not present in the data used to build the associated model.", "references": [], "tags": {"name": "Unusually Long Command Line - MLTK", "analytic_story": ["Suspicious Command-Line Executions", "Unusual Processes", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Ransomware"], "asset_type": "", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.user", "Processes.dest", "Processes.process_name", "Processes.process"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "unusually_long_command_line___mltk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/unusually_long_command_line___mltk.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "User Discovery With Env Vars PowerShell", "id": "0cdf318b-a0dd-47d7-b257-c621c0247de8", "version": 1, "date": "2021-09-13", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "This analytic looks for the execution of `powershell.exe` with command-line arguments that leverage PowerShell environment variables to identify the current logged user. Red Teams and adversaries may leverage this method to identify the logged user on a compromised endpoint for situational awareness and Active Directory Discovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"powershell.exe\") (Processes.process=\"*$env:UserName*\" OR Processes.process=\"*[System.Environment]::UserName*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `user_discovery_with_env_vars_powershell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1033/"], "tags": {"name": "User Discovery With Env Vars PowerShell", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "System user discovery on $dest$", "mitre_attack_id": ["T1033"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Windshift", "Wizard Spider", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "user_discovery_with_env_vars_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/user_discovery_with_env_vars_powershell.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "User Discovery With Env Vars PowerShell Script Block", "id": "77f41d9e-b8be-47e3-ab35-5776f5ec1d20", "version": 2, "date": "2022-03-22", "author": "Mauricio Velazco, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the use of PowerShell environment variables to identify the current logged user. Red Teams and adversaries may leverage this method to identify the logged user on a compromised endpoint for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*$env:UserName*\" OR ScriptBlockText = \"*[System.Environment]::UserName*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `user_discovery_with_env_vars_powershell_script_block_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators or power users may use this PowerShell commandlet for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1033/"], "tags": {"name": "User Discovery With Env Vars PowerShell Script Block", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "System user discovery on $dest$", "mitre_attack_id": ["T1033"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Path", "Message", "OpCode", "ComputerName", "User", "EventCode"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Windshift", "Wizard Spider", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "user_discovery_with_env_vars_powershell_script_block_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "USN Journal Deletion", "id": "b6e0ff70-b122-4227-9368-4cf322ab43c3", "version": 2, "date": "2018-12-03", "author": "David Dorsey, Splunk", "type": "TTP", "status": "production", "description": "The fsutil.exe application is a legitimate Windows utility used to perform tasks related to the file allocation table (FAT) and NTFS file systems. The update sequence number (USN) change journal provides a log of all changes made to the files on the disk. This search looks for fsutil.exe deleting the USN journal.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fsutil.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process=\"*deletejournal*\" AND process=\"*usn*\" | `usn_journal_deletion_filter`", "how_to_implement": "You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \"process\" field in the Endpoint data model.", "known_false_positives": "None identified", "references": [], "tags": {"name": "USN Journal Deletion", "analytic_story": ["Windows Log Manipulation", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Possible USN journal deletion on $dest$", "mitre_attack_id": ["T1070"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.parent_process", "Processes.process_name", "Processes.user", "Processes.parent_process_name", "Processes.dest"], "risk_score": 45, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "usn_journal_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/usn_journal_deletion.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Vbscript Execution Using Wscript App", "id": "35159940-228f-11ec-8a49-acde48001122", "version": 1, "date": "2021-10-01", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to detect a suspicious wscript commandline to execute vbscript. This technique was seen in several malware to execute malicious vbs file using wscript application. commonly vbs script is associated to cscript process and this can be a technique to evade process parent child detections or even some av script emulation system.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = \"wscript.exe\" AND Processes.parent_process = \"*//e:vbscript*\") OR (Processes.process_name = \"wscript.exe\" AND Processes.process = \"*//e:vbscript*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `vbscript_execution_using_wscript_app_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "references": ["https://www.joesandbox.com/analysis/369332/0/html", "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"name": "Vbscript Execution Using Wscript App", "analytic_story": ["FIN7", "Remcos", "AsyncRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "message": "Process name $process_name$ with commandline $process$ to execute vbsscript", "mitre_attack_id": ["T1059.005", "T1059"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.005/vbs_wscript/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "vbscript_execution_using_wscript_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/vbscript_execution_using_wscript_app.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Verclsid CLSID Execution", "id": "61e9a56a-20fa-11ec-8ba3-acde48001122", "version": 1, "date": "2021-09-29", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "This analytic is to detect a possible abuse of verclsid to execute malicious file through generate CLSID. This process is a normal application of windows to verify the CLSID COM object before it is instantiated by Windows Explorer. This hunting query can be a good pivot point to analyze what is he CLSID or COM object pointing too to check if it is a valid application or not.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_verclsid` AND Processes.process=\"*/S*\" Processes.process=\"*/C*\" AND Processes.process=\"*{*\" AND Processes.process=\"*}*\" by Processes.process_name Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `verclsid_clsid_execution_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "windows can used this application for its normal COM object validation.", "references": ["https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5", "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/"], "tags": {"name": "Verclsid CLSID Execution", "analytic_story": ["Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "process $process_name$ to execute possible clsid commandline $process$ in $dest$", "mitre_attack_id": ["T1218.012", "T1218"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.012", "mitre_attack_technique": "Verclsid", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.012/verclsid_exec/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_verclsid", "definition": "(Processes.process_name=verclsid.exe OR Processes.original_file_name=verclsid.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "verclsid_clsid_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/verclsid_clsid_execution.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "W3WP Spawning Shell", "id": "0f03423c-7c6a-11eb-bc47-acde48001122", "version": 2, "date": "2023-04-14", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "This query identifies a shell, PowerShell.exe or Cmd.exe, spawning from W3WP.exe, or IIS. In addition to IIS logs, this behavior with an EDR product will capture potential webshell activity, similar to the HAFNIUM Group abusing CVEs, on publicly available Exchange mail servers. During triage, review the parent process and child process of the shell being spawned. Review the command-line arguments and any file modifications that may occur. Identify additional parallel process, child processes, that may highlight further commands executed. After triaging, work to contain the threat and patch the system that is vulnerable.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=w3wp.exe AND `process_cmd` OR `process_powershell` by Processes.dest Processes.parent_process Processes.original_file_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `w3wp_spawning_shell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Baseline your environment before production. It is possible build systems using IIS will spawn cmd.exe to perform a software build. Filter as needed.", "references": ["https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/", "https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell", "https://www.youtube.com/watch?v=FC6iHw258RI", "https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit#what-should-you-do"], "tags": {"name": "W3WP Spawning Shell", "analytic_story": ["HAFNIUM Group", "CISA AA22-264A", "Hermetic Wiper", "ProxyNotShell", "ProxyShell", "CISA AA22-257A", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation"], "message": "Possible Web Shell execution on $dest$", "mitre_attack_id": ["T1505", "T1505.003"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "cve": ["CVE-2021-34473", "CVE-2021-34523", "CVE-2021-31207"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.003/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "w3wp_spawning_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-34473", "cvss": 10.0, "summary": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31196, CVE-2021-31206."}, {"id": "CVE-2021-34523", "cvss": 7.5, "summary": "Microsoft Exchange Server Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-33768, CVE-2021-34470."}, {"id": "CVE-2021-31207", "cvss": 6.5, "summary": "Microsoft Exchange Server Security Feature Bypass Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/w3wp_spawning_shell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "WBAdmin Delete System Backups", "id": "cd5aed7e-5cea-11eb-ae93-0242ac130002", "version": 1, "date": "2021-01-22", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "This search looks for flags passed to wbadmin.exe (Windows Backup Administrator Tool) that delete backup files. This is typically used by ransomware to prevent recovery.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wbadmin.exe Processes.process=\"*delete*\" AND (Processes.process=\"*catalog*\" OR Processes.process=\"*systemstatebackup*\") by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `wbadmin_delete_system_backups_filter`", "how_to_implement": "You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. Tune based on parent process names.", "known_false_positives": "Administrators may modify the boot configuration.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md", "https://thedfirreport.com/2020/10/08/ryuks-return/", "https://attack.mitre.org/techniques/T1490/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin"], "tags": {"name": "WBAdmin Delete System Backups", "analytic_story": ["Ryuk Ransomware", "Ransomware", "Prestige Ransomware", "Chaos Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Actions on Objectives"], "message": "System backups deletion on $dest$", "mitre_attack_id": ["T1490"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.parent_process_name", "Processes.dest", "Processes.user"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "wbadmin_delete_system_backups_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/wbadmin_delete_system_backups.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Wbemprox COM Object Execution", "id": "9d911ce0-c3be-11eb-b177-acde48001122", "version": 1, "date": "2021-06-02", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a potential suspicious process loading a COM object from wbemprox.dll or faskprox.dll. The Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. This feature is being abused by several threat actors, adversaries or even red teamers to gain privilege escalation or even to evade detections. This TTP is a good indicator that a process is loading possible known .dll modules that were known for its COM object.", "data_source": ["Sysmon Event ID 7"], "search": "`sysmon` EventCode=7 ImageLoaded IN (\"*\\\\fastprox.dll\", \"*\\\\wbemprox.dll\", \"*\\\\wbemcomn.dll\") NOT (process_name IN (\"wmiprvse.exe\", \"WmiApSrv.exe\", \"unsecapp.exe\")) NOT(Image IN(\"*\\\\windows\\\\*\",\"*\\\\program files*\", \"*\\\\wbem\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name Computer EventCode Signed ProcessId Hashes IMPHASH | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wbemprox_com_object_execution_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "legitimate process that are not in the exception list may trigger this event.", "references": ["https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/"], "tags": {"name": "Wbemprox COM Object Execution", "analytic_story": ["Ransomware", "Revil Ransomware", "LockBit Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Suspicious COM Object Execution on $Computer$", "mitre_attack_id": ["T1218", "T1218.003"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "ImageLoaded", "process_name", "Computer", "EventCode", "Signed", "ProcessId", "Hashes", "IMPHASH"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.003", "mitre_attack_technique": "CMSTP", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "MuddyWater"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/revil/inf2/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wbemprox_com_object_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/wbemprox_com_object_execution.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Wermgr Process Connecting To IP Check Web Services", "id": "ed313326-a0f9-11eb-a89c-acde48001122", "version": 2, "date": "2022-06-01", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "this search is designed to detect suspicious wermgr.exe process that tries to connect to known IP web services. This technique is know for trickbot and other trojan spy malware to recon the infected machine and look for its ip address without so much finger print on the commandline process. Since wermgr.exe is designed for error handling process of windows it is really suspicious that this process is trying to connect to this IP web services cause that maybe cause of some malicious code injection.", "data_source": [], "search": "`sysmon` EventCode =22 process_name = wermgr.exe QueryName IN (\"*wtfismyip.com\", \"*checkip.amazonaws.com\", \"*ipecho.net\", \"*ipinfo.io\", \"*api.ipify.org\", \"*icanhazip.com\", \"*ip.anysrc.com\",\"*api.ip.sb\", \"ident.me\", \"www.myexternalip.com\", \"*zen.spamhaus.org\", \"*cbl.abuseat.org\", \"*b.barracudacentral.org\",\"*dnsbl-1.uceprotect.net\", \"*spam.dnsbl.sorbs.net\") | stats min(_time) as firstTime max(_time) as lastTime count by Image process_name ProcessId QueryName QueryStatus QueryResults Computer EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wermgr_process_connecting_to_ip_check_web_services_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, dns query name process path , and query ststus from your endpoints like EventCode 22. If you are using Sysmon, you must have at least version 12 of the Sysmon TA.", "known_false_positives": "unknown", "references": ["https://labs.vipre.com/trickbot-and-its-modules/", "https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/"], "tags": {"name": "Wermgr Process Connecting To IP Check Web Services", "analytic_story": ["Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Reconnaissance"], "message": "Wermgr.exe process connecting IP location web services on $ComputerName$", "mitre_attack_id": ["T1590", "T1590.005"], "nist": ["DE.CM"], "observable": [{"name": "ComputerName", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "process_path", "process_name", "process_id", "QueryName", "QueryStatus", "QueryResults", "Computer", "EventCode"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1590", "mitre_attack_technique": "Gather Victim Network Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["HAFNIUM"]}, {"mitre_attack_id": "T1590.005", "mitre_attack_technique": "IP Addresses", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["Andariel", "HAFNIUM", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/infection/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wermgr_process_connecting_to_ip_check_web_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/wermgr_process_connecting_to_ip_check_web_services.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Wermgr Process Create Executable File", "id": "ab3bcce0-a105-11eb-973c-acde48001122", "version": 1, "date": "2021-04-19", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "this search is designed to detect potential malicious wermgr.exe process that drops or create executable file. Since wermgr.exe is an application trigger when error encountered in a process, it is really un ussual to this process to drop executable file. This technique is commonly seen in trickbot malware where it injects it code to this process to execute it malicious behavior like downloading other payload", "data_source": ["Sysmon Event ID 1"], "search": "`sysmon` EventCode=11 process_name = \"wermgr.exe\" TargetFilename = \"*.exe\" | stats min(_time) as firstTime max(_time) as lastTime count by Image TargetFilename process_name dest EventCode ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wermgr_process_create_executable_file_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used.", "known_false_positives": "unknown", "references": ["https://labs.vipre.com/trickbot-and-its-modules/", "https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/"], "tags": {"name": "Wermgr Process Create Executable File", "analytic_story": ["Trickbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Wermgr.exe writing executable files on $dest$", "mitre_attack_id": ["T1027"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "TargetFilename", "process_name", "dest", "EventCode", "ProcessId"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/infection/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wermgr_process_create_executable_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/wermgr_process_create_executable_file.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Wermgr Process Spawned CMD Or Powershell Process", "id": "e8fc95bc-a107-11eb-a978-acde48001122", "version": 2, "date": "2021-04-19", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is designed to detect suspicious cmd and powershell process spawned by wermgr.exe process. This suspicious behavior are commonly seen in code injection technique technique like trickbot to execute a shellcode, dll modules to run malicious behavior.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as cmdline min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = \"wermgr.exe\" `process_cmd` OR `process_powershell` by Processes.parent_process_name Processes.original_file_name Processes.parent_process_id Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wermgr_process_spawned_cmd_or_powershell_process_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "references": ["https://labs.vipre.com/trickbot-and-its-modules/", "https://whitehat.eu/incident-response-case-study-featuring-ryuk-and-trickbot-part-2/"], "tags": {"name": "Wermgr Process Spawned CMD Or Powershell Process", "analytic_story": ["Trickbot", "Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation"], "message": "Wermgr.exe spawning suspicious processes on $dest$", "mitre_attack_id": ["T1059"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/infection/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "wermgr_process_spawned_cmd_or_powershell_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Wget Download and Bash Execution", "id": "35682718-5a85-11ec-b8f7-acde48001122", "version": 1, "date": "2021-12-11", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wget (Processes.process=\"*-q *\" OR Processes.process=\"*--quiet*\" AND Processes.process=\"*-O- *\") OR (Processes.process=\"*|*\" AND Processes.process=\"*bash*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wget_download_and_bash_execution_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon for Linux, you will need to ensure mapping is occurring correctly. If the EDR is not parsing the pipe bash in the command-line, modifying the analytic will be required. Add parent process name (Processes.parent_process_name) as needed to filter.", "known_false_positives": "False positives should be limited, however filtering may be required.", "references": ["https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java", "https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://gist.github.com/nathanqthai/01808c569903f41a52e7e7b575caa890"], "tags": {"name": "Wget Download and Bash Execution", "analytic_story": ["Ingress Tool Transfer", "Log4Shell CVE-2021-44228"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Command And Control"], "message": "An instance of $process_name$ was identified on endpoint $dest$ attempting to download a remote file and run it with bash.", "mitre_attack_id": ["T1105"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "cve": ["CVE-2021-44228"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/linux-sysmon_curlwget.log", "source": "Syslog:Linux-Sysmon/Operational", "sourcetype": "sysmon_linux"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "wget_download_and_bash_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-44228", "cvss": 9.3, "summary": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/wget_download_and_bash_execution.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "id": "6ece9ed0-5f92-4315-889d-48560472b188", "version": 1, "date": "2022-08-24", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a suspicious process enabling the \"SeDebugPrivilege\" privilege token. SeDebugPrivilege allows a process to inspect and adjust the memory of other processes, and has long been a security concern. SeDebugPrivilege allows the token bearer to access any process or thread, regardless of security descriptors, per Palantir. This technique is abused by adversaries to gain debug privileges with their malicious software to be able to access or debug a process to dump credentials or to inject malicious code.", "data_source": ["Windows Security 4703"], "search": "`wineventlog_security` EventCode=4703 EnabledPrivilegeList = \"*SeDebugPrivilege*\" AND NOT(ProcessName IN (\"*\\\\Program File*\", \"*\\\\System32\\\\lsass.exe*\", \"*\\\\SysWOW64\\\\lsass.exe*\", \"*\\\\SysWOW64\\\\svchost.exe*\", \"*\\\\System32\\\\svchost.exe*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer ProcessName ProcessId SubjectDomainName SubjectUserName SubjectUserSid TargetUserName TargetLogonId TargetDomainName EnabledPrivilegeList action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_access_token_manipulation_sedebugprivilege_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4703 EventCode enabled. The Windows TA is also required.", "known_false_positives": "Some native binaries and browser applications may request SeDebugPrivilege. Filter as needed.", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703", "https://devblogs.microsoft.com/oldnewthing/20080314-00/?p=23113", "https://blog.palantir.com/windows-privilege-abuse-auditing-detection-and-defense-3078a403d74e", "https://atomicredteam.io/privilege-escalation/T1134.001/#atomic-test-2---%60sedebugprivilege%60-token-duplication", "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"name": "Windows Access Token Manipulation SeDebugPrivilege", "analytic_story": ["Brute Ratel C4", "AsyncRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "A process $ProcessName$ adjust its privileges with SeDebugPrivilege on $Computer$.", "mitre_attack_id": ["T1134.002", "T1134"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ProcessName", "Security_ID", "action", "result", "Process_ID", "Message", "member_dn", "ComputerName", "user"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1134.002", "mitre_attack_technique": "Create Process with Token", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Lazarus Group", "Turla"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/sedebugprivilege_token/security-xml.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_access_token_manipulation_sedebugprivilege_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Access Token Manipulation Winlogon Duplicate Token Handle", "id": "dda126d7-1d99-4f0b-b72a-4c14031f9398", "version": 1, "date": "2022-08-24", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies a process requesting access to winlogon.exe attempting to duplicate its handle. This technique was seen in several adversaries to gain privileges for their process. Winlogon.exe is the common targeted process of this technique because it contains high privileges and security tokens.", "data_source": ["Sysmon Event ID 1"], "search": "`sysmon` EventCode=10 TargetImage IN(\"*\\\\system32\\\\winlogon.exe*\", \"*\\\\SysWOW64\\\\winlogon.exe*\") GrantedAccess = 0x1040 | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId GrantedAccess CallTrace Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_access_token_manipulation_winlogon_duplicate_token_handle_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "It is possible legitimate applications will request access to winlogon, filter as needed.", "references": ["https://docs.microsoft.com/en-us/windows/win32/api/handleapi/nf-handleapi-duplicatehandle", "https://attack.mitre.org/techniques/T1134/001/"], "tags": {"name": "Windows Access Token Manipulation Winlogon Duplicate Token Handle", "analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "A process $SourceImage$ is duplicating the handle token of winlogon.exe in $Computer$", "mitre_attack_id": ["T1134.001", "T1134"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process Name", "role": ["Parent Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "SourceImage", "TargetImage", "SourceProcessGUID", "TargetProcessGUID", "SourceProcessId", "TargetProcessId", "GrantedAccess", "CallTrace", "Computer", "user_id"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1134.001", "mitre_attack_technique": "Token Impersonation/Theft", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "FIN8"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/brute_duplicate_token/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_access_token_manipulation_winlogon_duplicate_token_handle_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_access_token_manipulation_winlogon_duplicate_token_handle.yml", "source": "endpoint"}, {"name": "Windows Access Token Winlogon Duplicate Handle In Uncommon Path", "id": "b8f7ed6b-0556-4c84-bffd-839c262b0278", "version": 1, "date": "2022-08-24", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a process requesting access in winlogon.exe to duplicate its handle with a non-common or public process source path. This technique was seen where adversaries attempt to gain privileges to their process. This duplicate handle access technique, may refer to a malicious process duplicating the process token of winlogon.exe and using it to a new process instance. Winlogon.exe is the common targeted process of this technique because it contains high privileges and security tokens.", "data_source": ["Sysmon Event ID 1"], "search": "`sysmon` EventCode=10 TargetImage IN(\"*\\\\system32\\\\winlogon.exe*\", \"*\\\\SysWOW64\\\\winlogon.exe*\") AND GrantedAccess = 0x1040 AND NOT (SourceImage IN(\"C:\\\\Windows\\\\*\", \"C:\\\\Program File*\", \"%systemroot%\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId GrantedAccess CallTrace | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_access_token_winlogon_duplicate_handle_in_uncommon_path_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "It is possible legitimate applications will request access to winlogon, filter as needed.", "references": ["https://docs.microsoft.com/en-us/windows/win32/api/handleapi/nf-handleapi-duplicatehandle", "https://attack.mitre.org/techniques/T1134/001/"], "tags": {"name": "Windows Access Token Winlogon Duplicate Handle In Uncommon Path", "analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "a process $SourceImage$ is duplicating the handle token of winlogon.exe in $Computer$", "mitre_attack_id": ["T1134.001", "T1134"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process Name", "role": ["Parent Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "SourceImage", "TargetImage", "SourceProcessGUID", "TargetProcessGUID", "SourceProcessId", "TargetProcessId", "GrantedAccess", "CallTrace", "Computer", "user_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1134.001", "mitre_attack_technique": "Token Impersonation/Theft", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "FIN8"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/brute_duplicate_token/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_access_token_winlogon_duplicate_handle_in_uncommon_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml", "source": "endpoint"}, {"name": "Windows AD AdminSDHolder ACL Modified", "id": "00d877c3-7b7b-443d-9562-6b231e2abab9", "version": 1, "date": "2022-11-15", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the modification of the Access Control List for the AdminSDHolder object within a Windows domain. Specifically, the detection triggers on the addition of a new rule to the existing ACL. AdminSDHolder is an object located in the System Partition in Active Directory and is used as a security template for objects that are members of certain privileged groups. Objects in these groups are enumerated and any objects with security descriptors that dont match the AdminSDHolder ACL are flagged for updating. The Security Descriptor propagator (SDProp) process runs every 60 minutes on the PDC Emulator and re-stamps the object Access Control List (ACL) with the security permissions set on the AdminSDHolder. An adversary who has obtained privileged access to a Windows Domain may modify the AdminSDHolder ACL to establish persistence and allow an unprivileged user to take control of a domain.", "data_source": ["Windows Security 5136"], "search": " `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=nTSecurityDescriptor OperationType=\"%%14674\" ObjectDN=\"CN=AdminSDHolder,CN=System*\" | rex field=AttributeValue max_match=10000 \"A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;(?PS-1-[0-59]-\\d{2}-\\d{8,10}-\\d{8,10}-\\d{8,10}-[1-9]\\d{3})\\)\" | stats values(added_user_sid) by _time, Computer, SubjectUserName, ObjectDN | `windows_ad_adminsdholder_acl_modified_filter`", "how_to_implement": "To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for the AdminSDHolder object in order to log modifications.", "known_false_positives": "Adding new users or groups to the AdminSDHolder ACL is not usual. Filter as needed", "references": ["https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory", "https://social.technet.microsoft.com/wiki/contents/articles/22331.adminsdholder-protected-groups-and-security-descriptor-propagator.aspx", "https://adsecurity.org/?p=1906", "https://pentestlab.blog/2022/01/04/domain-persistence-adminsdholder/", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136", "https://learn.microsoft.com/en-us/windows/win32/secauthz/access-control-lists", "https://medium.com/@cryps1s/detecting-windows-endpoint-compromise-with-sacls-cd748e10950"], "tags": {"name": "Windows AD AdminSDHolder ACL Modified", "analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "The AdminSDHolder domain object has been modified on $Computer$ by $SubjectUserName$", "mitre_attack_id": ["T1546"], "nist": ["DE.CM"], "observable": [{"name": "SubjectUserName", "type": "User", "role": ["Attacker"]}, {"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "AttributeLDAPDisplayName", "OperationType", "ObjectDN", "Computer", "SubjectUserName", "AttributeValue"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546/adminsdholder_modified/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_adminsdholder_acl_modified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_ad_adminsdholder_acl_modified.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows AD Cross Domain SID History Addition", "id": "41bbb371-28ba-439c-bb5c-d9930c28365d", "version": 1, "date": "2022-11-17", "author": "Dean Luxton", "type": "TTP", "status": "production", "description": "The following analytic looks for changes to the sIDHistory AD attribute of user or computer objects within different domains. The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries for inter-domain privilege escalation and persistence.", "data_source": ["Windows Security 4742", "Windows Security 4738"], "search": "`wineventlog_security` (EventCode=4742 OR EventCode=4738) NOT SidHistory IN (\"%%1793\", -) | rex field=SidHistory \"(^%{|^)(?P.*)(\\-|\\\\\\)\" | rex field=TargetSid \"^(?P.*)(\\-|\\\\\\)\" | where SidHistoryMatch!=TargetSidmatch AND SidHistoryMatch!=TargetDomainName | rename TargetSid as userSid | table _time action status host user userSid SidHistory Logon_ID src_user | `windows_ad_cross_domain_sid_history_addition_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting eventcodes `4738` and `4742`. The Advanced Security Audit policy settings `Audit User Account Management` and `Audit Computer Account Management` within `Account Management` all need to be enabled.", "known_false_positives": "Domain mergers and migrations may generate large volumes of false positives for this analytic.", "references": ["https://adsecurity.org/?p=1772", "https://learn.microsoft.com/en-us/windows/win32/adschema/a-sidhistory?redirectedfrom=MSDN", "https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-sid-history-attribute"], "tags": {"name": "Windows AD Cross Domain SID History Addition", "analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "Active Directory SID History Attribute was added to $user$ by $src_user$", "mitre_attack_id": ["T1134.005", "T1134"], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "SidHistory", "TargetSid", "TargetDomainName", "user", "src_user", "Logon_ID"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1134.005", "mitre_attack_technique": "SID-History Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1134.005/mimikatz/windows-security-xml.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_cross_domain_sid_history_addition_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_ad_cross_domain_sid_history_addition.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows AD Domain Controller Audit Policy Disabled", "id": "fc3ccef1-60a4-4239-bd66-b279511b4d14", "version": 1, "date": "2023-01-26", "author": "Dean Luxton", "type": "TTP", "status": "production", "description": "This analytic looks for audit policies being disabled on a domain controller.", "data_source": ["Windows Security 4719"], "search": "`wineventlog_security` EventCode=4719 (AuditPolicyChanges IN (\"%%8448\",\"%%8450\",\"%%8448, %%8450\") OR Changes IN (\"Failure removed\",\"Success removed\",\"Success removed, Failure removed\")) dest_category=\"domain_controller\"| replace \"%%8448\" with \"Success removed\", \"%%8450\" with \"Failure removed\", \"%%8448, %%8450\" with \"Success removed, Failure removed\" in AuditPolicyChanges | eval AuditPolicyChanges=coalesce(AuditPolicyChanges,Changes), SubcategoryGuid=coalesce(SubcategoryGuid,Subcategory_GUID) | stats min(_time) as _time values(host) as dest by AuditPolicyChanges SubcategoryGuid | lookup advanced_audit_policy_guids GUID as SubcategoryGuid OUTPUT Category SubCategory | `windows_ad_domain_controller_audit_policy_disabled_filter`", "how_to_implement": "Ensure you are ingesting EventCode `4719` from your domain controllers, the category domain_controller exists in assets and identities, and that assets and identities is enabled. If A&I is not configured, you will need to manually filter the results within the base search.", "known_false_positives": "Unknown", "references": ["https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4719"], "tags": {"name": "Windows AD Domain Controller Audit Policy Disabled", "analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "GPO $SubCategory$ of $Category$ was disabled on $dest$", "mitre_attack_id": ["T1562.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "AuditPolicyChanges", "SubcategoryGuid"], "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "manual_test": "This search uses a lookup provided by Enterprise Security and needs to be manually tested", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable_gpo/windows-security-xml.log", "source": "XmlWinEventLog:Security", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Change"], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_domain_controller_audit_policy_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "advanced_audit_policy_guids", "description": "List of GUIDs associated with Windows advanced audit policies", "filename": "advanced_audit_policy_guids.csv", "default_match": "false", "match_type": "WILDCARD(GUID)", "min_matches": 1, "case_sensitive_match": "false"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_ad_domain_controller_audit_policy_disabled.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows AD Domain Controller Promotion", "id": "e633a0ef-2a6e-4ed7-b925-5ff999e5d1f0", "version": 1, "date": "2023-01-26", "author": "Dean Luxton", "type": "TTP", "status": "production", "description": "This analytic identifies a genuine DC promotion event. Identifying when a computer assigns itself the necessary SPNs to function as a domain controller. Note these events are triggered on the existing domain controllers, not the newly joined domain controller. This detection will serve to identify rogue DCs added to the network. There are 2x detections within this analytic story which identify DCShadow attacks, if you do not currently possess the logging for these detections, remove the where clause within this detection to identify DCShadow activity.", "data_source": ["Windows Security 4742"], "search": "`wineventlog_security` EventCode=4742 ServicePrincipalNames IN (\"*E3514235-4B06-11D1-AB04-00C04FC2DCD2/*\",\"*GC/*\")| stats min(_time) as _time latest(ServicePrincipalNames) as ServicePrincipalNames,values(signature) as signature, values(src_user) as src_user, values(user) as user by Logon_ID, dvc| where src_user=user| rename Logon_ID as TargetLogonId, user as dest | appendpipe [| map search=\"search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$\" | fields - dest, dvc, signature]| stats min(_time) as _time, values(TargetUserSid) as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user, values(status) as status, values(src_category) as src_category, values(src_ip) as src_ip values(ServicePrincipalNames) as ServicePrincipalNames values(signature) as signature values(dest) as dest values(dvc) as dvc by TargetLogonId | eval dest=trim(dest,\"$\") | `windows_ad_domain_controller_promotion_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting eventcode `4742`. The Advanced Security Audit policy setting `Audit Computer Account Management` within `Account Management` needs to be enabled.", "known_false_positives": "None.", "references": ["https://attack.mitre.org/techniques/T1207/"], "tags": {"name": "Windows AD Domain Controller Promotion", "analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "AD Domain Controller Promotion Event Detected for $dest$", "mitre_attack_id": ["T1207"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ServicePrincipalNames", "src_user", "user", "Logon_ID", "dvc"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1207", "mitre_attack_technique": "Rogue Domain Controller", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1207/dc_promo/windows-security-xml.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_domain_controller_promotion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_ad_domain_controller_promotion.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows AD Domain Replication ACL Addition", "id": "8c372853-f459-4995-afdc-280c114d33ab", "version": 1, "date": "2022-11-18", "author": "Dean Luxton", "type": "TTP", "status": "experimental", "description": "This analytic detects the addition of the permissions necessary to perform a DCSync attack. In order to replicate AD objects, the initiating user or computer must have the following permissions on the domain. - DS-Replication-Get-Changes - DS-Replication-Get-Changes-All Certain Sync operations may require the additional permission of DS-Replication-Get-Changes-In-Filtered-Set. By default, adding DCSync permissions via the Powerview Add-ObjectACL operation adds all 3. This alert identifies where this trifecta has been met, and also where just the base level requirements have been met.", "data_source": [], "search": "`wineventlog_security` | rex field=AttributeValue max_match=10000 \\\"OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;(?PS-1-[0-59]-\\d{2}-\\d{8,10}-\\d{8,10}-\\d{8,10}-[1-9]\\d{3})\\)\\\"| table _time dest src_user DSRGetChanges_user_sid DSRGetChangesAll_user_sid DSRGetChangesFiltered_user_sid| mvexpand DSRGetChanges_user_sid| eval minDCSyncPermissions=if(DSRGetChanges_user_sid=DSRGetChangesAll_user_sid,\\\"true\\\",\\\"false\\\"), fullSet=if(DSRGetChanges_user_sid=DSRGetChangesAll_user_sid AND DSRGetChanges_user_sid=DSRGetChangesFiltered_user_sid,\\\"true\\\",\\\"false\\\")| where minDCSyncPermissions=\\\"true\\\" | lookup identity_lookup_expanded objectSid as DSRGetChanges_user_sid OUTPUT sAMAccountName as user | rename DSRGetChanges_user_sid as userSid | stats min(_time) as _time values(user) as user by dest src_user userSid minDCSyncPermissions fullSet| `windows_ad_domain_replication_acl_addition_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting the eventcode 5136. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled, alongside a SACL for `everybody` to `Write All Properties` applied to the domain root and all descendant objects. Once the necessary logging has been enabled, enumerate the domain policy to verify if existing accounts with access need to be whitelisted, or revoked. Assets and Identities is also leveraged to automatically translate the objectSid into username. Ensure your identities lookup is configured with the sAMAccountName and objectSid of all AD user and computer objects.", "known_false_positives": "When there is a change to nTSecurityDescriptor, Windows logs the entire ACL with the newly added components. If existing accounts are present with this permission, they will raise an alert each time the nTSecurityDescriptor is updated unless whitelisted.", "references": ["https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/1522b774-6464-41a3-87a5-1e5633c3fbbb", "https://github.com/SigmaHQ/sigma/blob/29a5c62784faf986dc03952ae3e90e3df3294284/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml"], "tags": {"name": "Windows AD Domain Replication ACL Addition", "analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "$src_user$ has granted $user$ permission to replicate AD objects", "mitre_attack_id": ["T1484"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "src_user", "AttributeLDAPDisplayName", "AttributeValue", "ObjectClass"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "manual_test": "This search uses a lookup provided by Enterprise Security and needs to be manually tested.", "mitre_attack_enrichments": [{"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484/aclmodification/windows-security-xml.log", "source": "XmlWinEventLog:Security", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Change"], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_domain_replication_acl_addition_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_ad_domain_replication_acl_addition.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows AD DSRM Account Changes", "id": "08cb291e-ea77-48e8-a95a-0799319bf056", "version": 1, "date": "2022-09-08", "author": "Dean Luxton", "type": "TTP", "status": "production", "description": "Aside from being used to promote genuine domain controllers, the DSRM (Directory Services Restore Mode) account can be used to persist within a Domain. A DC can be configured to allow the DSRM account to logon & be used in the same way as a local administrator account. This detection is looking for alterations to the behaviour of the account via registry.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` min(_time) as _time from datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\DSRMAdminLogonBehavior\" Registry.registry_value_data IN (\"*1\",\"*2\") by Registry.action Registry.registry_path Registry.registry_value_data Registry.registry_value_type Registry.process_guid | `drop_dm_object_name(Registry)` | join type=outer process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by Processes.user Processes.process_name Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)`] | table _time action dest user parent_process_name parent_process process_name process process_guid registry_path registry_value_data registry_value_type | `windows_ad_dsrm_account_changes_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "Disaster recovery events.", "references": ["https://adsecurity.org/?p=1714"], "tags": {"name": "Windows AD DSRM Account Changes", "analytic_story": ["Sneaky Active Directory Persistence Tricks", "Windows Registry Abuse", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Installation"], "message": "DSRM Account Changes Initiated on $dest$ by $user$", "mitre_attack_id": ["T1098"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_value_data", "Registry.registry_path", "Registry.dest", "Registry.user"], "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/dsrm_account/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_ad_dsrm_account_changes_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_ad_dsrm_account_changes.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows AD DSRM Password Reset", "id": "d1ab841c-36a6-46cf-b50f-b2b04b31182a", "version": 1, "date": "2022-09-08", "author": "Dean Luxton", "type": "TTP", "status": "production", "description": "Aside from being used to promote genuine domain controllers, the DSRM (Directory Services Restore Mode) account can be used to persist within a Domain. A DC can be configured to allow the DSRM account to logon & be used in the same way as a local administrator account. This detection is looking for any password reset attempts against that account.", "data_source": ["Windows Security 4794"], "search": "| tstats `security_content_summariesonly` min(_time) as _time from datamodel=Change where All_Changes.result_id=\"4794\" AND All_Changes.result=\"An attempt was made to set the Directory Services Restore Mode administrator password\" by All_Changes.action, All_Changes.dest, All_Changes.src, All_Changes.user | `drop_dm_object_name(All_Changes)` | `windows_ad_dsrm_password_reset_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting eventcode `4794` and have the Advanced Security Audit policy `Audit User Account Management` within `Account Management` enabled.", "known_false_positives": "Resetting the DSRM password for legitamate reasons, i.e. forgot the password. Disaster recovery. Deploying AD backdoor deliberately.", "references": ["https://adsecurity.org/?p=1714"], "tags": {"name": "Windows AD DSRM Password Reset", "analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Installation"], "message": "DSRM Account Password was reset on $dest$ by $user$", "mitre_attack_id": ["T1098"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Changes.result_id", "All_Changes.result", "All_Changes.action", "All_Changes.dest", "All_Changes.src", "All_Changes.user"], "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/dsrm_account/windows-security-xml.log", "source": "XmlWinEventLog:Security", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Change"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_ad_dsrm_password_reset_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_ad_dsrm_password_reset.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Windows AD Privileged Account SID History Addition", "id": "6b521149-b91c-43aa-ba97-c2cac59ec830", "version": 1, "date": "2022-09-12", "author": "Dean Luxton", "type": "TTP", "status": "production", "description": "This detection identifies when the SID of a privileged user is added to the SID History attribute of another user. Useful for tracking SID history abuse across multiple domains. This detection leverages the Asset and Identities framework. See the implementation section for further details on configuration.", "data_source": ["Windows Security 4742", "Windows Security 4738"], "search": "`wineventlog_security` (EventCode=4742 OR EventCode=4738) NOT SidHistory IN (\"%%1793\", -) | rex field=SidHistory \"(^%{|^)(?P.*?)(}$|$)\" | eval category=\"privileged\" | lookup identity_lookup_expanded category, identity as SidHistory OUTPUT identity_tag as match | where isnotnull(match) | rename TargetSid as userSid | table _time action status host user userSid SidHistory Logon_ID src_user | `windows_ad_privileged_account_sid_history_addition_filter`", "how_to_implement": "Ensure you have objectSid and the Down Level Logon Name `DOMAIN\\sAMACountName` added to the identity field of your Asset and Identities lookup, along with the category of privileged for the applicable users. Ensure you are ingesting eventcodes 4742 and 4738. Two advanced audit policies `Audit User Account Management` and `Audit Computer Account Management` under `Account Management` are required to generate these event codes.", "known_false_positives": "Migration of privileged accounts.", "references": ["https://adsecurity.org/?p=1772"], "tags": {"name": "Windows AD Privileged Account SID History Addition", "analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "A Privileged User Account SID History Attribute was added to $user$ by $src_user$", "mitre_attack_id": ["T1134.005", "T1134"], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "SidHistory", "TargetSid", "TargetDomainName", "user", "src_user", "Logon_ID"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "manual_test": "This search uses a lookup provided by Enterprise Security and needs to be manually tested.", "mitre_attack_enrichments": [{"mitre_attack_id": "T1134.005", "mitre_attack_technique": "SID-History Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1134.005/mimikatz/windows-security-xml.log", "source": "XmlWinEventLog:Security", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_privileged_account_sid_history_addition_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_ad_privileged_account_sid_history_addition.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows AD Replication Request Initiated by User Account", "id": "51307514-1236-49f6-8686-d46d93cc2821", "version": 1, "date": "2022-09-08", "author": "Dean Luxton", "type": "TTP", "status": "production", "description": "This alert was written to detect activity associated with the DCSync attack. When a domain controller receives a replication request, the user account permissions are validated, however no checks are performed to validate the request was initiated by a Domain Controller. Once an attacker gains control of an account with the necessary privileges, they can request password hashes for any or all users within the domain. This alert detects when a user account creates a handle to domainDNS with the necessary replication permissions.", "data_source": ["Windows Security 4662"], "search": "`wineventlog_security` EventCode=4662 ObjectType IN (\"%{19195a5b-6da0-11d0-afd3-00c04fd930c9}\", \"domainDNS\") AND Properties IN (\"*Replicating Directory Changes All*\", \"*{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}*\", \"*{9923a32a-3607-11d2-b9be-0000f87a36b2}*\",\"*{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}*\") AND AccessMask=\"0x100\" AND NOT (SubjectUserSid=\"NT AUT*\" OR SubjectUserSid=\"S-1-5-18\" OR SubjectDomainName=\"Window Manager\" OR SubjectUserName=\"*$\") | stats min(_time) as _time, count by SubjectDomainName, SubjectUserName, Computer, Logon_ID, ObjectName, ObjectServer, ObjectType, OperationType, status | rename SubjectDomainName as Target_Domain, SubjectUserName as user, Logon_ID as TargetLogonId, _time as attack_time | appendpipe [| map search=\"search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$\"] | table attack_time, AuthenticationPackageName, LogonProcessName, LogonType, TargetUserSid, Target_Domain, user, Computer, TargetLogonId, status, src_ip, src_category, ObjectName, ObjectServer, ObjectType, OperationType | stats min(attack_time) as _time values(TargetUserSid) as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user, values(Computer) as Computer, values(status) as status, values(src_category) as src_category, values(src_ip) as src_ip by TargetLogonId | `windows_ad_replication_request_initiated_by_user_account_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting eventcode `4662`. The Advanced Security Audit policy settings `Audit Directory Services Access` within `DS Access` needs to be enabled, as well as the following SACLs applied to the domain root and all descendant objects. The principals `everybody`, `Domain Computers`, and `Domain Controllers` auditing the permissions `Replicating Directory Changes`, `Replicating Directory Changes All`, and `Replicating Directory Changes In Filtered Set`", "known_false_positives": "Azure AD Connect syncing operations.", "references": ["https://adsecurity.org/?p=1729", "https://www.linkedin.com/pulse/mimikatz-dcsync-event-log-detections-john-dwyer", "https://github.com/SigmaHQ/sigma/blob/0.22-699-g29a5c6278/rules/windows/builtin/security/win_security_dcsync.yml"], "tags": {"name": "Windows AD Replication Request Initiated by User Account", "analytic_story": ["Sneaky Active Directory Persistence Tricks", "Credential Dumping"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "Windows Active Directory Replication Request Initiated by User Account $user$ at $src_ip$", "mitre_attack_id": ["T1003.006", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ObjectType", "Properties", "AccessMask", "SubjectDomainName", "SubjectUserName", "SubjectUserSid", "Computer", "Logon_ID", "ObjectName", "ObjectServer", "ObjectType", "OperationType", "status"], "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.006", "mitre_attack_technique": "DCSync", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Earth Lusca", "LAPSUS$"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.006/impacket/windows-security-xml.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": ["Authentication", "Change"], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_replication_request_initiated_by_user_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows AD Replication Request Initiated from Unsanctioned Location", "id": "50998483-bb15-457b-a870-965080d9e3d3", "version": 1, "date": "2022-11-17", "author": "Dean Luxton", "type": "TTP", "status": "production", "description": "This alert was written to detect activity associated with the DCSync attack performed by computer accounts. When a domain controller receives a replication request, the account permissions are validated, however no checks are performed to validate the request was initiated by a Domain Controller. Once an attacker gains control of an account with the necessary privileges, they can request password hashes for any or all users within the domain. This alert detects when a computer account account creates a handle to domainDNS with the necessary replication permissions. These requests are then filtered to exclude where the events originate from a known domain controller IP address.", "data_source": ["Windows Security 4662", "Windows Security 4624"], "search": "`wineventlog_security` EventCode=4662 ObjectType IN (\"%{19195a5b-6da0-11d0-afd3-00c04fd930c9}\", \"domainDNS\") AND Properties IN (\"*Replicating Directory Changes All*\", \"*{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}*\", \"*{9923a32a-3607-11d2-b9be-0000f87a36b2}*\",\"*{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}*\") AND AccessMask=\"0x100\" AND (SubjectUserSid=\"NT AUT*\" OR SubjectUserSid=\"S-1-5-18\" OR SubjectDomainName=\"Window Manager\" OR SubjectUserName=\"*$\") | stats min(_time) as attack_time, count by SubjectDomainName, SubjectUserName, Computer, Logon_ID, ObjectName, ObjectServer, ObjectType, OperationType, status | rename SubjectDomainName as Target_Domain, SubjectUserName as user, Logon_ID as TargetLogonId | appendpipe [| map search=\"search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$\"] | table attack_time, AuthenticationPackageName, LogonProcessName, LogonType, TargetUserSid, Target_Domain, user, Computer, TargetLogonId, status, src_ip, src_category, ObjectName, ObjectServer, ObjectType, OperationType | stats min(attack_time) as _time, values(TargetUserSid) as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user, values(Computer) as Computer, values(status) as status, values(src_category) as src_category, values(src_ip) as src_ip by TargetLogonId | search NOT src_category=\"domain_controller\" | `windows_ad_replication_request_initiated_from_unsanctioned_location_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting eventcode `4662`. The Advanced Security Audit policy settings `Audit Directory Services Access` within `DS Access` needs to be enabled, as well as the following SACLs applied to the domain root and all descendant objects. The principals `everybody`, `Domain Computers`, and `Domain Controllers` auditing the permissions `Replicating Directory Changes`, `Replicating Directory Changes All`, and `Replicating Directory Changes In Filtered Set` Assets and Identities will also need to be configured, with the category of domain_controller added for domain controllers.", "known_false_positives": "Genuine DC promotion may trigger this alert.", "references": ["https://adsecurity.org/?p=1729", "https://www.linkedin.com/pulse/mimikatz-dcsync-event-log-detections-john-dwyer", "https://github.com/SigmaHQ/sigma/blob/0.22-699-g29a5c6278/rules/windows/builtin/security/win_security_dcsync.yml"], "tags": {"name": "Windows AD Replication Request Initiated from Unsanctioned Location", "analytic_story": ["Sneaky Active Directory Persistence Tricks", "Credential Dumping"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "Windows Active Directory Replication Request Initiated from Unsanctioned Location $src_ip$ by $user$", "mitre_attack_id": ["T1003.006", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ObjectType", "Properties", "AccessMask", "SubjectDomainName", "SubjectUserName", "SubjectUserSid", "Computer", "Logon_ID", "ObjectName", "ObjectServer", "ObjectType", "OperationType", "status"], "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.006", "mitre_attack_technique": "DCSync", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Earth Lusca", "LAPSUS$"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.006/impacket/windows-security-xml.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": ["Authentication", "Change"], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_replication_request_initiated_from_unsanctioned_location_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows AD Same Domain SID History Addition", "id": "5fde0b7c-df7a-40b1-9b3a-294c00f0289d", "version": 2, "date": "2022-09-09", "author": "Dean Luxton", "type": "TTP", "status": "production", "description": "The following analytic looks for changes to the sIDHistory AD attribute of user or computer objects which exist within the same domain. The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries to stealthily grant access to a backdoor account within the same domain. This analytic was written to pick up on activity via Mimikatz sid::patch. Please note there are additional avenues to abuse SID history such as DCShadow & Golden / Diamond tickets which won't be detected using these event codes.", "data_source": ["Windows Security 4742", "Windows Security 4738"], "search": "`wineventlog_security` (EventCode=4742 OR EventCode=4738) NOT SidHistory IN (\"%%1793\", -) | rex field=SidHistory \"(^%{|^)(?P.*)(\\-|\\\\\\)\" | rex field=TargetSid \"^(?P.*)(\\-|\\\\\\)\" | where SidHistoryMatch=TargetSidmatch OR SidHistoryMatch=TargetDomainName | rename TargetSid as userSid, TargetDomainName as userDomainName | table _time action status host user userSid userDomainName SidHistory Logon_ID src_user | `windows_ad_same_domain_sid_history_addition_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting eventcodes `4738` and `4742`. The Advanced Security Audit policy settings `Audit User Account Management` and `Audit Computer Account Management` within `Account Management` all need to be enabled. SID resolution is not required..", "known_false_positives": "Unknown", "references": ["https://adsecurity.org/?p=1772", "https://learn.microsoft.com/en-us/windows/win32/adschema/a-sidhistory?redirectedfrom=MSDN", "https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-sid-history-attribute", "https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/sid-history-injection"], "tags": {"name": "Windows AD Same Domain SID History Addition", "analytic_story": ["Sneaky Active Directory Persistence Tricks", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "Active Directory SID History Attribute was added to $user$ by $src_user$", "mitre_attack_id": ["T1134.005", "T1134"], "nist": ["DE.CM"], "observable": [{"name": "src_user", "type": "User", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "SidHistory", "TargetSid", "TargetDomainName", "user", "src_user", "Logon_ID"], "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1134.005", "mitre_attack_technique": "SID-History Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1134.005/mimikatz/windows-security-xml.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_same_domain_sid_history_addition_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_ad_same_domain_sid_history_addition.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows AD ServicePrincipalName Added To Domain Account", "id": "8a1259cb-0ea7-409c-8bfe-74bad89259f9", "version": 1, "date": "2022-11-17", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the addition of a Service Principal Name to a domain account. While this event may be part of a legitimate action part of certain administrative operations, it may also be evidence of a persistence attack. Domain accounts with Servce Principal Names are vulnerable to a technique called Kerberoasting that enables attackers to potentially obtain the cleartext password of the account by performing offline cracking. An adversary who has obtained privileged access to a domain environment may add an SPN to a privileged account to then leverage the Kerberoasting technique and attempt to obtain its clertext password.", "data_source": ["Windows Security 5136"], "search": " `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName OperationType=\"%%14674\" | stats values(ObjectDN) by _time, Computer, SubjectUserName, AttributeValue | `windows_ad_serviceprincipalname_added_to_domain_account_filter`", "how_to_implement": "To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for AD objects in order to ingest attribute modifications.", "known_false_positives": "A Service Principal Name should only be added to an account when an application requires it. While infrequent, this detection may trigger on legitimate actions. Filter as needed.", "references": ["https://adsecurity.org/?p=3466", "https://www.thehacker.recipes/ad/movement/dacl/targeted-kerberoasting", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting"], "tags": {"name": "Windows AD ServicePrincipalName Added To Domain Account", "analytic_story": ["https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/service_principal_name_added/windows-security.log"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Installation"], "message": "A Servince Principal Name for $ObjectDN$ was set by $SubjectUserName$", "mitre_attack_id": ["T1098"], "nist": ["DE.CM"], "observable": [{"name": "SubjectUserName", "type": "User", "role": ["Attacker"]}, {"name": "ObjectDN", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ObjectDN", "signature", "SubjectUserName", "Computer"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/service_principal_name_added/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_serviceprincipalname_added_to_domain_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows AD Short Lived Domain Account ServicePrincipalName", "id": "b681977c-d90c-4efc-81a5-c58f945fb541", "version": 1, "date": "2022-11-18", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the addition of a Service Principal Name to a domain account that is quickly deleted within 5 minutes or less. While this event may be part of a legitimate action part of certain administrative operations, it may also be evidence of a persistence attack. Domain accounts with Service Principal Names are vulnerable to a technique called Kerberoasting that enables attackers to potentially obtain the cleartext password of the account by performing offline cracking. An adversary who has obtained privileged access to a domain environment may add an SPN to a privileged account to then leverage the Kerberoasting technique and attempt to obtain its clertext password. To clean things up, the adversary may delete the SPN which will trigger this detection.", "data_source": ["Windows Security 5136"], "search": " `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName | transaction ObjectDN AttributeValue startswith=(EventCode=5136 OperationType=\"%%14674\") endswith=(EventCode=5136 OperationType=\"%%14675\") | eval short_lived=case((duration<300),\"TRUE\") | search short_lived = TRUE | `windows_ad_short_lived_domain_account_serviceprincipalname_filter`", "how_to_implement": "To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for AD objects in order to ingest attribute modifications.", "known_false_positives": "A Service Principal Name should only be added to an account when an application requires it. Adding an SPN and quickly deleting it is less common but may be part of legitimate action. Filter as needed.", "references": ["https://adsecurity.org/?p=3466", "https://www.thehacker.recipes/ad/movement/dacl/targeted-kerberoasting", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting"], "tags": {"name": "Windows AD Short Lived Domain Account ServicePrincipalName", "analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Installation"], "message": "A Servince Principal Name for $ObjectDN$ was set and shortly deleted", "mitre_attack_id": ["T1098"], "nist": ["DE.CM"], "observable": [{"name": "SubjectUserName", "type": "User", "role": ["Attacker"]}, {"name": "ObjectDN", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ObjectDN", "signature", "SubjectUserName", "Computer"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/short_lived_service_principal_name/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_short_lived_domain_account_serviceprincipalname_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_ad_short_lived_domain_account_serviceprincipalname.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows AD Short Lived Domain Controller SPN Attribute", "id": "57e27f27-369c-4df8-af08-e8c7ee8373d4", "version": 2, "date": "2022-09-02", "author": "Dean Luxton", "type": "TTP", "status": "production", "description": "The following analytic identifies when either a global catalog SPN or a DRS RPC SPN are temporarily added to an Active Directory computer object, both of which can be evidence of a DCShadow attack. DCShadow allows an attacker who has obtained privileged access to register a rogue Domain Controller (DC). Once registered, the rogue DC may be able to inject and replicate changes into the AD infrastructure for any domain object, including credentials and keys. This technique was initially released in 2018 by security researchers Benjamin Delpy and Vincent Le Toux. No event logs are written for changes to AD attributes, allowing for stealthy backdoors to be implanted in the domain, or metadata such as timestamps overwritten to cover tracks.", "data_source": ["Windows Security 5136", "Windows Security 4624"], "search": "`wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName (AttributeValue=\"GC/*\" OR AttributeValue=\"E3514235-4B06-11D1-AB04-00C04FC2DCD2/*\") | stats min(_time) as _time range(_time) as duration values(OperationType) as OperationType values(src_nt_domain) as src_nt_domain values(src_user) as src_user values(Computer) as Computer, values(ObjectDN) as ObjectDN by Logon_ID | eval short_lived=case((duration<30),\"TRUE\") | where short_lived=\"TRUE\" AND mvcount(OperationType)>1 | replace \"%%14674\" with \"Value Added\", \"%%14675\" with \"Value Deleted\" in OperationType | rename Logon_ID as TargetLogonId | appendpipe [| map search=\"search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$\"] | stats min(_time) as _time, values(TargetUserSid) as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user, values(Computer) as Computer, values(status) as status, values(src_category) as src_category, values(src_ip) as src_ip values(ObjectDN) as ObjectDN values(OperationType) as OperationType by TargetLogonId | `windows_ad_short_lived_domain_controller_spn_attribute_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled, alongside a SACL for `everybody` to `Write All Properties` applied to the domain root and all descendant objects.", "known_false_positives": "None.", "references": ["https://www.dcshadow.com/", "https://blog.netwrix.com/2022/09/28/dcshadow_attack/", "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", "https://attack.mitre.org/techniques/T1207/", "https://blog.alsid.eu/dcshadow-explained-4510f52fc19d"], "tags": {"name": "Windows AD Short Lived Domain Controller SPN Attribute", "analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "Short Lived Domain Controller SPN AD Attribute Triggered by $user$ from $src_ip$", "mitre_attack_id": ["T1207"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "src_ip", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "AttributeLDAPDisplayName", "AttributeValue", "src_nt_domain", "src_user", "Computer", "ObjectDN", "Logon_ID", "signature"], "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1207", "mitre_attack_technique": "Rogue Domain Controller", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1207/mimikatz/windows-security-xml.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_short_lived_domain_controller_spn_attribute_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_ad_short_lived_domain_controller_spn_attribute.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows AD Short Lived Server Object", "id": "193769d3-1e33-43a9-970e-ad4a88256cdb", "version": 1, "date": "2022-10-17", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a change in an Active Directory environment that could represent evidence of the DCShadow attack. DCShadow allows an attacker who has obtained privileged access to register a rogue Domain Controller (DC). Once registered, the rogue DC may be able to inject and replicate changes in the AD infrastructure for any domain object, including credentials and keys. This technique was initially released in 2018 by security researchers Benjamin Delpy and Vincent Le Toux. Specifically, the detection will trigger when a possible rogue Domain Controller computer object is created and quickly deleted within 30 seconds or less in an Active Directory domain. This behavior was identfied by simulating the DCShadow attack with Mimikatz.", "data_source": ["Windows Security 5137", "Windows Security 5141"], "search": " `wineventlog_security` EventCode=5137 OR EventCode=5141 ObjectDN=\"*CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration*\" | transaction ObjectDN startswith=(EventCode=5137) endswith=(EventCode=5141) | eval short_lived=case((duration<30),\"TRUE\") | search short_lived = TRUE | stats values(ObjectDN) values(signature) values(EventCode) by _time, Computer, SubjectUserName | `windows_ad_short_lived_server_object_filter`", "how_to_implement": "To successfully implement this search, you ned to be ingesting Event codes `5137` and `5141`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. For these event codes to be generated, specific SACLs are required.", "known_false_positives": "Creating and deleting a server object within 30 seconds or less is unusual but not impossible in a production environment. Filter as needed.", "references": ["https://www.dcshadow.com/", "https://attack.mitre.org/techniques/T1207/", "https://stealthbits.com/blog/detecting-dcshadow-with-event-logs/", "https://pentestlab.blog/2018/04/16/dcshadow/", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5137", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5141"], "tags": {"name": "Windows AD Short Lived Server Object", "analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "Potential DCShadow Attack Detected on $Computer$", "mitre_attack_id": ["T1207"], "nist": ["DE.CM"], "observable": [{"name": "SubjectUserName", "type": "User", "role": ["Attacker"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ObjectDN", "signature", "SubjectUserName", "Computer"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1207", "mitre_attack_technique": "Rogue Domain Controller", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1207/short_lived_server_object/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_short_lived_server_object_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_ad_short_lived_server_object.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows AD SID History Attribute Modified", "id": "1155e47d-307f-4247-beab-71071e3a458c", "version": 1, "date": "2022-11-16", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic leverages event code `5136` to identify a modification of the SID History AD attribute. The SID history AD attribute allows users to inherit permissions from a separate AD account without group changes. Initially developed for access continuity when migrating user accounts to different domains, this attribute can also be abused by adversaries to stealthily grant access to a backdoor account within the same domain.", "data_source": ["Windows Security 5136"], "search": " `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=sIDHistory OperationType=\"%%14674\" | stats values(ObjectDN) by _time, Computer, SubjectUserName, AttributeValue | `windows_ad_sid_history_attribute_modified_filter`", "how_to_implement": "To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for AD objects in order to ingest attribute modifications.", "known_false_positives": "Domain mergers and migrations may generate large volumes of false positives for this analytic.", "references": ["https://adsecurity.org/?p=1772", "https://learn.microsoft.com/en-us/windows/win32/adschema/a-sidhistory?redirectedfrom=MSDN", "https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-sid-history-attribute", "https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/sid-history-injection"], "tags": {"name": "Windows AD SID History Attribute Modified", "analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "SID History AD attribute modified by $SubjectUserName$ for $ObjectDN$", "mitre_attack_id": ["T1134", "T1134.005"], "nist": ["DE.CM"], "observable": [{"name": "SubjectUserName", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "AttributeLDAPDisplayName", "OperationType=", "ObjectDN", "Computer", "SubjectUserName", "AttributeValue"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1134.005", "mitre_attack_technique": "SID-History Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1134.005/sid_history2/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_sid_history_attribute_modified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_ad_sid_history_attribute_modified.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows AdFind Exe", "id": "bd3b0187-189b-46c0-be45-f52da2bae67f", "version": 3, "date": "2023-06-13", "author": "Jose Hernandez, Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "This search looks for the execution of `adfind.exe` with command-line arguments that it uses by default specifically the filter or search functions. It also considers the arguments necessary like objectcategory, see readme for more details: https://www.joeware.net/freetools/tools/adfind/usage.htm. AdFind.exe is a powerful tool that is commonly used for querying and retrieving information from Active Directory (AD). While it is primarily designed for AD administration and management, it has been seen used before by Wizard Spider, FIN6 and actors whom also launched SUNBURST.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process=\"* -f *\" OR Processes.process=\"* -b *\") AND (Processes.process=*objectcategory* OR Processes.process=\"* -gcb *\" OR Processes.process=\"* -sc *\") by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_adfind_exe_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "ADfind is a command-line tool for AD administration and management that is seen to be leveraged by various adversaries. Filter out legitimate administrator usage using the filter macro.", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://www.mandiant.com/resources/a-nasty-trick-from-credential-theft-malware-to-business-disruption", "https://www.joeware.net/freetools/tools/adfind/index.htm", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"name": "Windows AdFind Exe", "analytic_story": ["Domain Trust Discovery", "IcedID", "NOBELIUM Group", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Windows AdFind Exe", "mitre_attack_id": ["T1018"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.dest", "Processes.user", "Processes.process_name", "Processes.parent_process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_adfind_exe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_adfind_exe.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Administrative Shares Accessed On Multiple Hosts", "id": "d92f2d95-05fb-48a7-910f-4d3d61ab8655", "version": 1, "date": "2023-03-23", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic leverages Event IDs 5140 or 5145 to identify a source computer accessing windows administrative shares (C$, Admin$ and IPC$ ) across a large number remote endpoints. Specifically, the logic will trigger when a source endpoint accesses administrative shares across 30 or more target computers within a 5 minute timespan. This behavior could represent an adversary who is enumerating network shares across an Active Directory environment in the search for sensitive files, a common technique leveraged by red teamers and threat actors. As environments differ across organizations, security teams should customize the thresholds of this detection as needed.", "data_source": [], "search": " `wineventlog_security` EventCode=5140 OR EventCode=5145 (ShareName=\"\\\\\\\\*\\\\ADMIN$\" OR ShareName=\"\\\\\\\\*\\\\IPC$\" OR ShareName=\"\\\\\\\\*\\\\C$\") | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as host_targets values(ShareName) as shares by _time, IpAddress, SubjectUserName, EventCode | where unique_targets > 30 | `windows_administrative_shares_accessed_on_multiple_hosts_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting file share events. The Advanced Security Audit policy setting `Audit Detailed File Share` or `Audit File Share` within `Object Access` need to be enabled.", "known_false_positives": "An single endpoint accessing windows administrative shares across a large number of endpoints is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems.", "references": ["https://attack.mitre.org/techniques/T1135/", "https://en.wikipedia.org/wiki/Administrative_share", "https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5140", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145"], "tags": {"name": "Windows Administrative Shares Accessed On Multiple Hosts", "analytic_story": ["Active Directory Privilege Escalation", "Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "$IpAddress$ accessed the IPC share on more than 30 endpoints in a timespan of 5 minutes.", "mitre_attack_id": ["T1135"], "nist": ["DE.CM"], "observable": [{"name": "host_targets", "type": "Endpoint", "role": ["Victim"]}, {"name": "IpAddress", "type": "Endpoint", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ShareName", "Computer", "IpAddress", "SubjectUserName"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/ipc_share_accessed/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_administrative_shares_accessed_on_multiple_hosts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_administrative_shares_accessed_on_multiple_hosts.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Admon Default Group Policy Object Modified", "id": "83458004-db60-4170-857d-8572f16f070b", "version": 1, "date": "2023-03-29", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic leverages Splunks Admon to identify the modification of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment. The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the modification of the default GPOs.", "data_source": [], "search": " `admon` admonEventType=Update objectCategory=\"CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*\" (displayName=\"Default Domain Policy\" OR displayName=\"Default Domain Controllers Policy\") | stats min(_time) as firstTime max(_time) as lastTime values(gPCFileSysPath) by dcName, displayName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_admon_default_group_policy_object_modified_filter`", "how_to_implement": "To successfully implement this search, you need to be monitoring Active Directory logs using Admon. Details can be found here https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory", "known_false_positives": "The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed.", "references": ["https://attack.mitre.org/techniques/T1484/", "https://attack.mitre.org/techniques/T1484/001", "https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/", "https://adsecurity.org/?p=2716", "https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory"], "tags": {"name": "Windows Admon Default Group Policy Object Modified", "analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "A default domain group policy was updated on $dcName$", "mitre_attack_id": ["T1484", "T1484.001"], "nist": ["DE.CM"], "observable": [{"name": "dcName", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "admonEventType", "objectCategory", "displayName", "gPCFileSysPath", "dcName"], "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1484.001", "mitre_attack_technique": "Group Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Indrik Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/default_domain_policy_modified/windows-security.log", "source": "ActiveDirectory", "sourcetype": "ActiveDirectory"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "admon", "definition": "source=ActiveDirectory", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_admon_default_group_policy_object_modified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_admon_default_group_policy_object_modified.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Windows Admon Group Policy Object Created", "id": "69201633-30d9-48ef-b1b6-e680805f0582", "version": 1, "date": "2023-04-06", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic leverages Splunks Admon to identify the creation of a new Group Policy Object. With GPOs, system administrators can manage and configure applications, software operations, and user settings throughout an entire organization. GPOs can be abused and leveraged by adversaries to escalate privileges or deploy malware across an Active Directory network. As an example, the Lockbit ransomware malware will create new group policies on the domain controller that are then pushed out to every device on the network. Security teams should monitor the creation of new Group Policy Objects.", "data_source": [], "search": " `admon` admonEventType=Update objectCategory=\"CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*\" versionNumber=0 displayName!=\"New Group Policy Object\" | stats min(_time) as firstTime max(_time) as lastTime values(gPCFileSysPath) by dcName, displayName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_admon_group_policy_object_created_filter`", "how_to_implement": "To successfully implement this search, you need to be monitoring Active Directory logs using Admon. Details can be found here https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory", "known_false_positives": "Group Policy Objects are created as part of regular administrative operations, filter as needed.", "references": ["https://attack.mitre.org/techniques/T1484/", "https://attack.mitre.org/techniques/T1484/001", "https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/", "https://adsecurity.org/?p=2716", "https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory"], "tags": {"name": "Windows Admon Group Policy Object Created", "analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "A new group policy objected was created on $dcName$", "mitre_attack_id": ["T1484", "T1484.001"], "nist": ["DE.CM"], "observable": [{"name": "dcName", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "admonEventType", "objectCategory", "displayName", "gPCFileSysPath", "dcName"], "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1484.001", "mitre_attack_technique": "Group Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Indrik Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_created/windows-admon.log", "source": "ActiveDirectory", "sourcetype": "ActiveDirectory"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "admon", "definition": "source=ActiveDirectory", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_admon_group_policy_object_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_admon_group_policy_object_created.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Windows Apache Benchmark Binary", "id": "894f48ea-8d85-4dcd-9132-c66cdb407c9b", "version": 1, "date": "2022-11-21", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a default behavior of a MetaSploit payload. MetaSploit uses Apache Benchmark to generate payloads. The payloads contain standard artifacts including \"Apache Benchmark\" and the original file name is always ab.exe. During triage, review the process and it's path. It is possible network connections spawned from it. Review parallel processes for further behaviors.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.original_file_name=ab.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_apache_benchmark_binary_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited as there is a small subset of binaries that contain the original file name of ab.exe. Filter as needed.", "references": ["https://seclists.org/metasploit/2013/q3/13"], "tags": {"name": "Windows Apache Benchmark Binary", "analytic_story": ["MetaSploit"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Installation"], "message": "A known MetaSploit default payload has been identified on $dest$ ran by $user$, $parent_process_name$ spawning $process_name$.", "mitre_attack_id": ["T1059"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/metasploit/apachebench_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_apache_benchmark_binary_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_apache_benchmark_binary.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows App Layer Protocol Qakbot NamedPipe", "id": "63a2c15e-9448-43c5-a4a8-9852266aaada", "version": 1, "date": "2022-11-10", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a suspicious process creating or connecting to a possible Qakbot named pipe . This technique was seen in Qakbot malware that creates named pipe after injecting its code in legitimate process to communicate on other process that also has an injected code to steal information on the compromised host. This Anomaly detection can be a good pivot for possible Qakbot infection. This detection looks for possible random generated named pipe (in GUID form) created by known process being abused by Qakbot.", "data_source": [], "search": "`sysmon` EventCode IN (17, 18) EventType IN ( \"CreatePipe\", \"ConnectPipe\") Image IN (\"*\\\\calc.exe\", \"*\\\\notepad.exe\", \"*\\\\rdpclip.exe\", \"*\\\\explorer.exe\", \"*\\\\wermgr.exe\", \"*\\\\ping.exe\", \"*\\\\OneDriveSetup.exe\", \"*\\\\dxdiag.exe\", \"*\\\\mobsync.exe\", \"*\\\\msra.exe\", \"*\\\\xwizard.exe\") | regex PipeName=\"^\\\\\\{[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{8}\" | stats min(_time) as firstTime max(_time) as lastTime count by Image EventType ProcessGuid ProcessId PipeName SecurityID EventCode Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_app_layer_protocol_qakbot_namedpipe_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, pipename, processguid and named pipe event type from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "references": ["https://strontic.github.io/xcyclopedia/library/wermgr.exe-0F652BF7ADA772981E8AAB0D108FCC92.html", "https://www.trellix.com/en-us/about/newsroom/stories/research/demystifying-qbot-malware.html", "https://www.elastic.co/security-labs/qbot-malware-analysis"], "tags": {"name": "Windows App Layer Protocol Qakbot NamedPipe", "analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Command And Control"], "message": "$Image$ is creating or connecting to a named pipe $PipeName$ in $Computer$", "mitre_attack_id": ["T1071"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "EventType", "ProcessGuid", "ProcessId", "PipeName", "Computer", "UserID", "SecurityID"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Dragonfly", "Magic Hound", "Rocke", "TeamTNT"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_app_layer_protocol_qakbot_namedpipe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_app_layer_protocol_qakbot_namedpipe.yml", "source": "endpoint"}, {"name": "Windows App Layer Protocol Wermgr Connect To NamedPipe", "id": "2f3a4092-548b-421c-9caa-84918e1787ef", "version": 1, "date": "2022-10-28", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a suspicious wermgr.exe process creating or connecting to a named pipe. Wermgr.exe is part of Windows OS Problem reporting application responsible for reporting problems, fault or error happen on the Windows OS. This file is being abused by several Threat actors and malware such as Trickbot and Qakbot to execute their malicious code. This anomaly detection can be a good pivot on possible wermgr.exe processes having injected malicious code that might be related to qakbot infection that communicates via named pipe.", "data_source": [], "search": "`sysmon` EventCode IN (17, 18) Image= \"*\\\\wermgr.exe\" EventType IN ( \"CreatePipe\", \"ConnectPipe\") | stats min(_time) as firstTime max(_time) as lastTime count by Image EventType ProcessGuid ProcessId PipeName SecurityID EventCode Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_app_layer_protocol_wermgr_connect_to_namedpipe_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, pipename, processguid and named pipe event type from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "references": ["https://strontic.github.io/xcyclopedia/library/wermgr.exe-0F652BF7ADA772981E8AAB0D108FCC92.html", "https://www.trellix.com/en-us/about/newsroom/stories/research/demystifying-qbot-malware.html"], "tags": {"name": "Windows App Layer Protocol Wermgr Connect To NamedPipe", "analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Command And Control"], "message": "wermgr.exe process is creating or connecting to a named pipe $PipeName$ in $Computer$", "mitre_attack_id": ["T1071"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "EventType", "ProcessGuid", "ProcessId", "PipeName", "Computer", "UserID", "SecurityID"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Dragonfly", "Magic Hound", "Rocke", "TeamTNT"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_wermgr2/sysmon_wermgr2.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_app_layer_protocol_wermgr_connect_to_namedpipe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_app_layer_protocol_wermgr_connect_to_namedpipe.yml", "source": "endpoint"}, {"name": "Windows Application Layer Protocol RMS Radmin Tool Namedpipe", "id": "b62a6040-49f4-47c8-b3f6-fc1adb952a33", "version": 1, "date": "2022-06-24", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of default or publicly known named pipes used by RMX remote admin tool. A named pipe is a named, one-way or duplex pipe for communication between the pipe server and one or more pipe clients. RMX Tool uses named pipes in many way as part of its communication for its server and client component. This tool was abuse by several adversaries and malware like Azorult to collect data to the targeted host. This TTP is a good indicator that this tool was install in production premise and need to check if the user has a valid reason why it need to install this legitimate application.", "data_source": [], "search": "`sysmon` EventCode IN (17, 18) EventType IN ( \"CreatePipe\", \"ConnectPipe\") PipeName IN (\"\\\\RManFUSServerNotify32\", \"\\\\RManFUSCallbackNotify32\", \"\\\\RMSPrint*\") | stats min(_time) as firstTime max(_time) as lastTime count by Image EventType ProcessId PipeName Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_application_layer_protocol_rms_radmin_tool_namedpipe_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "False positives may be present. Filter based on pipe name or process.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/", "https://attack.mitre.org/techniques/T1071/"], "tags": {"name": "Windows Application Layer Protocol RMS Radmin Tool Namedpipe", "analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Command And Control"], "message": "possible RMS admin tool named pipe was created in $dest$", "mitre_attack_id": ["T1071"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "EventType", "ProcessId", "PipeName", "Computer", "UserID"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Dragonfly", "Magic Hound", "Rocke", "TeamTNT"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_application_layer_protocol_rms_radmin_tool_namedpipe_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_application_layer_protocol_rms_radmin_tool_namedpipe.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Windows Autostart Execution LSASS Driver Registry Modification", "id": "57fb8656-141e-4d8a-9f51-62cff4ecb82a", "version": 1, "date": "2022-08-22", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the abuse of two undocumented registry keys that allow for a DLL to load into lsass.exe to potentially capture credentials. Upon successful modification of \\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt or \\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt, a DLL either remote or local will be set as the value and load up into lsass.exe. Based on POC code a text file may be written to disk with credentials.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path IN (\"*\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\DirectoryServiceExtPt\",\"*\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\LsaDbExtPt\") by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_autostart_execution_lsass_driver_registry_modification_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present on recent Windows Operating Systems. Filtering may be required based on process_name. In addition, look for non-standard, unsigned, module loads into LSASS. If query is too noisy, modify by adding Endpoint.processes process_name to query to identify the process making the modification.", "references": ["https://blog.xpnsec.com/exploring-mimikatz-part-1/", "https://github.com/oxfemale/LogonCredentialsSteal/tree/master/lsass_lib"], "tags": {"name": "Windows Autostart Execution LSASS Driver Registry Modification", "analytic_story": ["Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "The registry values for DirectoryServiceExtPt or LsaDbExtPt were modified on $dest$.", "mitre_attack_id": ["T1547.008"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.008", "mitre_attack_technique": "LSASS Driver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.008/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_autostart_execution_lsass_driver_registry_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Binary Proxy Execution Mavinject DLL Injection", "id": "ccf4b61b-1b26-4f2e-a089-f2009c569c57", "version": 1, "date": "2022-07-07", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "Adversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. Dynamic-link Library Injection), allowing for arbitrary code execution (ex. C:\\Windows\\system32\\mavinject.exe PID /INJECTRUNNING PATH_DLL). In addition to Dynamic-link Library Injection, Mavinject.exe can also be abused to perform import descriptor injection via its /HMODULE command-line parameter (ex. mavinject.exe PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would inject an import table entry consisting of the specified DLL into the module at the given base address. During triage, review file modifcations and parallel processes.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=mavinject.exe Processes.process IN (\"*injectrunning*\", \"*hmodule=0x*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_binary_proxy_execution_mavinject_dll_injection_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present, filter on DLL name or parent process.", "references": ["https://attack.mitre.org/techniques/T1218/013/", "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md#atomic-test-1---mavinject---inject-dll-into-running-process"], "tags": {"name": "Windows Binary Proxy Execution Mavinject DLL Injection", "analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting load a DLL.", "mitre_attack_id": ["T1218.013", "T1218"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.013", "mitre_attack_technique": "Mavinject", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.013/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_binary_proxy_execution_mavinject_dll_injection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Boot or Logon Autostart Execution In Startup Folder", "id": "99d157cb-923f-4a00-aee9-1f385412146f", "version": 1, "date": "2023-01-12", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic will identify suspicious files dropped or created in the Windows %startup% folder. This technique is a common way to gain persistence on a targeted host. Threat actor, adversaries and red teamer abuse this folder path to automatically execute their malicious sample upon boot or restart of the infected host. This TTP detection is a good indicator that a suspicious process wants to gain persistence on the targeted host. We suggest to verify the process name by using the process guid field, the file created and also the user and the computer name for further investigation.", "data_source": ["Sysmon Event ID 11"], "search": "|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path = \"*\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\" by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user Filesystem.file_path Filesystem.process_guid Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_boot_or_logon_autostart_execution_in_startup_folder_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "Administrators may allow creation of script or exe in this path.", "references": ["https://attack.mitre.org/techniques/T1204/002/", "https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia"], "tags": {"name": "Windows Boot or Logon Autostart Execution In Startup Folder", "analytic_story": ["Chaos Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "message": "a process dropped a file in %startup% folder in $dest$", "mitre_attack_id": ["T1547.001", "T1547"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.file_create_time", "Filesystem.process_id", "Filesystem.file_name", "Filesystem.user", "Filesystem.file_path", "Filesystem.process_guid", "Filesystem.dest"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/chaos_ransomware/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_boot_or_logon_autostart_execution_in_startup_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows BootLoader Inventory", "id": "4f7e3913-4db3-4ccd-afe4-31198982305d", "version": 1, "date": "2023-04-14", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "experimental", "description": "The following hunting query utilizes a PowerShell Scripted input that captures the bootloader paths for each Windows endpoint it is deployed to. The template inputs.conf is located in the references link. By default, it only captures the path, but may be modified to capture everything that BCDedit provides. It can be verbose, but may be worth it.", "data_source": [], "search": "`bootloader_inventory` | stats count min(_time) as firstTime max(_time) as lastTime values(_raw) by host | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_bootloader_inventory_filter`", "how_to_implement": "To implement this analytic, a new stanza will need to be added to a inputs.conf and deployed to all or some Windows endpoints. https://gist.github.com/MHaggis/26518cd2844b0e03de6126660bb45707 provides the stanza. If modifying the sourcetype, be sure to update the Macro for this analytic. Recommend running it daily, or weekly, depending on threat model.", "known_false_positives": "No false positives here, only bootloaders. Filter as needed or create a lookup as a baseline.", "references": ["https://gist.github.com/MHaggis/26518cd2844b0e03de6126660bb45707", "https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/"], "tags": {"name": "Windows BootLoader Inventory", "analytic_story": ["BlackLotus Campaign", "Windows BootKits"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "message": "A list of BootLoaders are present on $dest$", "mitre_attack_id": ["T1542.001", "T1542"], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "_raw"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "atomic_guid": [], "mitre_attack_enrichments": [{"mitre_attack_id": "T1542.001", "mitre_attack_technique": "System Firmware", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1542", "mitre_attack_technique": "Pre-OS Boot", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "bootloader_inventory", "definition": "sourcetype = PwSh:bootloader", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_bootloader_inventory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_bootloader_inventory.yml", "source": "endpoint"}, {"name": "Windows Cached Domain Credentials Reg Query", "id": "40ccb8e0-1785-466e-901e-6a8b75c04ecd", "version": 1, "date": "2022-11-30", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a process command line related to the discovery of cache domain credential logon count in the registry. This Technique was being abused by several post exploitation tool like Winpeas where it query CachedLogonsCount registry value in Winlogon registry. This value can be good information about the login caching setting on the Windows OS target host. A value of 0 means login caching is disable and values > 50 caches only 50 login attempts. By default all versions of Windows 10 save cached logins except Windows Server 2008.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = \"* query *\" AND Processes.process = \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon*\" AND Processes.process = \"*CACHEDLOGONSCOUNT*\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_cached_domain_credentials_reg_query_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used.", "known_false_positives": "unknown", "references": ["https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/", "https://learn.microsoft.com/de-de/troubleshoot/windows-server/user-profiles-and-logon/cached-domain-logon-information", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS"], "tags": {"name": "Windows Cached Domain Credentials Reg Query", "analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "a process with commandline $process$ tries to retrieve cache domain credential logon count in $dest$", "mitre_attack_id": ["T1003.005", "T1003"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id", "Processes.parent_process_guid", "Processes.process_guid"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.005", "mitre_attack_technique": "Cached Domain Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "Leafminer", "MuddyWater", "OilRig"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_cached_domain_credentials_reg_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_cached_domain_credentials_reg_query.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Change Default File Association For No File Ext", "id": "dbdf52ad-d6a1-4b68-975f-0a10939d8e38", "version": 1, "date": "2022-11-30", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is developed to detect suspicious process commandline to change or set the default file association of a file without file extension with notepad.exe. This technique was seen in some APT and ransomware Prestige where it set/modify the default process to run file association, like .txt to notepad.exe.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process=\"* add *\" AND Processes.process=\"* HKCR\\\\*\" AND Processes.process=\"*\\\\shell\\\\open\\\\command*\" AND Processes.process= *Notepad.exe* by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | rex field=process \"Notepad\\.exe (?.*$)\" | rex field=file_name_association \"\\.(?[^\\.]*$)\" | where isnull(extension) and isnotnull(file_name_association) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_change_default_file_association_for_no_file_ext_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "unknown", "references": ["https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"name": "Windows Change Default File Association For No File Ext", "analytic_story": ["Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "process with commandline $process$ set or change the file association of a file with no file extension in $dest$", "mitre_attack_id": ["T1546.001", "T1546"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/prestige_ransomware/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_change_default_file_association_for_no_file_ext_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_change_default_file_association_for_no_file_ext.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows ClipBoard Data via Get-ClipBoard", "id": "ab73289e-2246-4de0-a14b-67006c72a893", "version": 1, "date": "2022-11-30", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a powershell script command to retrieve clipboard data. This technique was seen in several post exploitation tools like WINPEAS to steal sensitive information that was saved in clipboard. Using the Get-Clipboard powershell commandlet, adversaries can be able collect data stored in clipboard that might be a copied user name, password or other sensitive information.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-Clipboard*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_clipboard_data_via_get_clipboard_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "It is possible there will be false positives, filter as needed.", "references": ["https://attack.mitre.org/techniques/T1115/", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"name": "Windows ClipBoard Data via Get-ClipBoard", "analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "powershell script $ScriptBlockText$ execute Get-Clipboard commandlet in $dest$", "mitre_attack_id": ["T1115"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1115", "mitre_attack_technique": "Clipboard Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT38", "APT39"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/powershell/windows-powershell-xml2.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_clipboard_data_via_get_clipboard_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows COM Hijacking InprocServer32 Modification", "id": "b7bd83c0-92b5-4fc7-b286-23eccfa2c561", "version": 1, "date": "2022-09-26", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of reg.exe performing an add to the InProcServer32, which may be related to COM hijacking. Adversaries can use the COM system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` Processes.process=*inprocserver32* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_com_hijacking_inprocserver32_modification_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present and some filtering may be required.", "references": ["https://attack.mitre.org/techniques/T1546/015/", "https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"], "tags": {"name": "Windows COM Hijacking InprocServer32 Modification", "analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to modify InProcServer32 within the registry.", "mitre_attack_id": ["T1546.015", "T1546"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["UPDATE"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.015/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_com_hijacking_inprocserver32_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Command and Scripting Interpreter Hunting Path Traversal", "id": "d0026380-b3c4-4da0-ac8e-02790063ff6b", "version": 1, "date": "2022-06-01", "author": "Teoderick Contreras, Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies path traversal command-line execution and should be used to tune and driver other more higher fidelity analytics. This technique was seen in malicious document that execute malicious code using msdt.exe and path traversal technique that serve as defense evasion. This Hunting query is a good pivot to look for possible suspicious process and command-line that runs execute path traversal technique to run malicious code. This may help you to find possible downloaded malware or other lolbin execution.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.process_hash Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval count_of_pattern1 = (mvcount(split(process,\"/..\"))-1) | eval count_of_pattern2 = (mvcount(split(process,\"\\..\"))-1) | eval count_of_pattern3 = (mvcount(split(process,\"\\\\..\"))-1) | eval count_of_pattern4 = (mvcount(split(process,\"//..\"))-1) | search count_of_pattern1 > 1 OR count_of_pattern2 > 1 OR count_of_pattern3 > 1 OR count_of_pattern4 > 1 | `windows_command_and_scripting_interpreter_hunting_path_traversal_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product", "known_false_positives": "false positive may vary depends on the score you want to check. The bigger number of path traversal string count the better.", "references": ["https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/"], "tags": {"name": "Windows Command and Scripting Interpreter Hunting Path Traversal", "analytic_story": ["Windows Defense Evasion Tactics", "Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Installation"], "message": "A parent process $parent_process_name$ has spawned a child $process_name$ with path traversal commandline $process$ in $dest$", "mitre_attack_id": ["T1059"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/path_traversal/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_command_and_scripting_interpreter_hunting_path_traversal_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Command and Scripting Interpreter Path Traversal Exec", "id": "58fcdeb1-728d-415d-b0d7-3ab18a275ec2", "version": 2, "date": "2022-06-01", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies path traversal command-line execution. This technique was seen in malicious document that execute malicious code using msdt.exe and path traversal technique that serve as defense evasion. This TTP is a good pivot to look for more suspicious process and command-line that runs before and after this execution. This may help you to find possible downloaded malware or other lolbin execution.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process=\"*\\/..\\/..\\/..\\/*\" OR Processes.process=\"*\\\\..\\\\..\\\\..\\\\*\" OR Processes.process=\"*\\/\\/..\\/\\/..\\/\\/..\\/\\/*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.process_hash | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_command_and_scripting_interpreter_path_traversal_exec_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product", "known_false_positives": "Not known at this moment.", "references": ["https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/"], "tags": {"name": "Windows Command and Scripting Interpreter Path Traversal Exec", "analytic_story": ["Windows Defense Evasion Tactics", "Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Installation"], "message": "A parent process $parent_process_name$ has spawned a child $process_name$ with path traversal commandline $process$ in $dest$", "mitre_attack_id": ["T1059"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/path_traversal/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_command_and_scripting_interpreter_path_traversal_exec_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Command Shell DCRat ForkBomb Payload", "id": "2bb1a362-7aa8-444a-92ed-1987e8da83e1", "version": 1, "date": "2022-07-28", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies DCRat \"forkbomb\" payload feature. This technique was seen in dark crystal RAT backdoor capabilities where it will execute several cmd child process executing \"notepad.exe & pause\". This analytic detects the multiple cmd.exe and child process notepad.exe execution using batch script in the targeted host within 30s timeframe. this TTP can be a good pivot to check DCRat infection.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.parent_process_id) as parent_process_id values(Processes.process_id) as process_id dc(Processes.parent_process_id) as parent_process_id_count dc(Processes.process_id) as process_id_count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name= \"cmd.exe\" (Processes.process_name = \"notepad.exe\" OR Processes.original_file_name= \"notepad.exe\") Processes.parent_process = \"*.bat*\" by Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.parent_process Processes.dest Processes.user _time span=30s | where parent_process_id_count>= 10 AND process_id_count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_command_shell_dcrat_forkbomb_payload_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "references": ["https://cert.gov.ua/article/405538", "https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat", "https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor"], "tags": {"name": "Windows Command Shell DCRat ForkBomb Payload", "analytic_story": ["DarkCrystal RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Installation"], "message": "Multiple cmd.exe processes with child process of notepad.exe executed on $dest$", "mitre_attack_id": ["T1059.003", "T1059"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_forkbomb/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_command_shell_dcrat_forkbomb_payload_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Command Shell Fetch Env Variables", "id": "048839e4-1eaa-43ff-8a22-86d17f6fcc13", "version": 1, "date": "2022-10-27", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a suspicious process command line fetching the environment variables with a non-shell parent process. This technique was seen in qakbot malware where it fetches the environment variable in the target or compromised host. This TTP detection is a good pivot of possible malicious behavior since the command line is executed by a common non-shell process like cmd.exe , powershell.exe and many more. This can also be a good sign that the parent process has a malicious code injected to it to execute this command.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*cmd /c set\" OR Processes.process = \"*cmd.exe /c set\" AND NOT (Processes.parent_process_name = \"cmd.exe\" OR Processes.parent_process_name = \"powershell*\" OR Processes.parent_process_name=\"pwsh.exe\" OR Processes.parent_process_name = \"explorer.exe\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_command_shell_fetch_env_variables_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "shell process that are not included in this search may cause False positive. Filter is needed.", "references": ["https://twitter.com/pr0xylife/status/1585612370441031680?s=46&t=Dc3CJi4AnM-8rNoacLbScg"], "tags": {"name": "Windows Command Shell Fetch Env Variables", "analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "non-shell parent process has a child process $process_name$ with a commandline $process$ to fetch env variables in $dest$", "mitre_attack_id": ["T1055"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_wermgr/sysmon_wermgr.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_command_shell_fetch_env_variables_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_command_shell_fetch_env_variables.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Computer Account Created by Computer Account", "id": "97a8dc5f-8a7c-4fed-9e3e-ec407fd0268a", "version": 1, "date": "2022-04-27", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifes a Computer Account creating a new Computer Account with specific a Service Principle Name - \"RestrictedKrbHost\". The RestrictedKrbHost service class allows client applications to use Kerberos authentication when they do not have the identity of the service but have the server name.", "data_source": ["Windows Security 4741"], "search": "`wineventlog_security` EventCode=4741 user_type=computer Subject_Account_Domain!=\"NT AUTHORITY\" Message=*RestrictedKrbHost* | stats count min(_time) as firstTime max(_time) as lastTime by dest, subject, action ,src_user, user, Account_Name, Subject_Account_Name,Subject_Account_Domain | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_computer_account_created_by_computer_account_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4741 EventCode enabled. The Windows TA is also required.", "known_false_positives": "It is possible third party applications may have a computer account that adds computer accounts, filtering may be required.", "references": ["https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/445e4499-7e49-4f2a-8d82-aaf2d1ee3c47", "https://github.com/Dec0ne/KrbRelayUp"], "tags": {"name": "Windows Computer Account Created by Computer Account", "analytic_story": ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "A Computer Account created a Computer Account on $dest$, possibly indicative of Kerberos relay attack.", "mitre_attack_id": ["T1558"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "subject", "action", "src_user", "user", "Account_Name", "Subject_Account_Name", "Subject_Account_Domain"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558/krbrelayup/krbrelayup.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_computer_account_created_by_computer_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_computer_account_created_by_computer_account.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Computer Account Requesting Kerberos Ticket", "id": "fb3b2bb3-75a4-4279-848a-165b42624770", "version": 1, "date": "2022-04-27", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a ComputerAccount requesting a Kerberos Ticket. typically, a user account requests a Kerberos ticket. This behavior was identified with KrbUpRelay, but additional Kerberos attacks have exhibited similar behavior.", "data_source": ["Windows Security 4768"], "search": "`wineventlog_security` EventCode=4768 Account_Name=\"*$\" src_ip!=\"::1\" | stats count min(_time) as firstTime max(_time) as lastTime by dest, subject, action, Supplied_Realm_Name, user, Account_Name, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_computer_account_requesting_kerberos_ticket_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4768 EventCode enabled. The Windows TA is also required.", "known_false_positives": "It is possible false positives will be present based on third party applications. Filtering may be needed.", "references": ["https://github.com/Dec0ne/KrbRelayUp"], "tags": {"name": "Windows Computer Account Requesting Kerberos Ticket", "analytic_story": ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "A Computer Account requested a Kerberos ticket on $dest$, possibly indicative of Kerberos relay attack.", "mitre_attack_id": ["T1558"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "subject", "action", "Supplied_Realm_Name", "user", "Account_Name", "src_ip"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558/krbrelayup/krbrelayup.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_computer_account_requesting_kerberos_ticket_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_computer_account_requesting_kerberos_ticket.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Computer Account With SPN", "id": "9a3e57e7-33f4-470e-b25d-165baa6e8357", "version": 1, "date": "2022-04-28", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies two SPNs, HOST and RestrictedKrbHost, added using the KrbRelayUp behavior. This particular behavior has been found in other Kerberos based attacks.", "data_source": ["Windows Security 4741"], "search": "`wineventlog_security` EventCode=4741 MSADChangedAttributes IN (\"*HOST/*\",\"*RestrictedKrbHost/*\") AND New_UAC_Value=0x80 | eval Effecting_Account=mvindex(Security_ID,1) | eval New_Computer_Account_Name=mvindex(Security_ID,0) | stats count min(_time) as firstTime max(_time) as lastTime values(EventCode),values(Account_Domain),values(Security_ID), values(Effecting_Account), values(New_Computer_Account_Name),values(SAM_Account_Name),values(DNS_Host_Name),values(MSADChangedAttributes) by dest Logon_ID subject | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_computer_account_with_spn_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4741 EventCode enabled. The Windows TA is also required.", "known_false_positives": "It is possible third party applications may add these SPNs to Computer Accounts, filtering may be needed.", "references": ["https://www.trustedsec.com/blog/an-attack-path-mapping-approach-to-cves-2021-42287-and-2021-42278", "https://github.com/Dec0ne/KrbRelayUp"], "tags": {"name": "Windows Computer Account With SPN", "analytic_story": ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "A Computer Account was created with SPNs related to Kerberos on $dest$, possibly indicative of Kerberos relay attack.", "mitre_attack_id": ["T1558"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "MSADChangedAttributes", "New_UAC_Value", "Security_ID", "Account_Domain", "SAM_Account_Name", "DNS_Host_Name", "Logon_Id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558/krbrelayup/krbrelayup.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog"}]}], "datamodel": ["Change"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_computer_account_with_spn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_computer_account_with_spn.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Create Local Account", "id": "3fb2e8e3-7bc0-4567-9722-c5ab9f8595eb", "version": 1, "date": "2022-10-05", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a new local user account added to a computer. Note that, this should be restricted to critical assets.", "data_source": [], "search": "| tstats `security_content_summariesonly` values(All_Changes.result_id) as result_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Change where All_Changes.result_id=4720 by All_Changes.user All_Changes.dest All_Changes.result All_Changes.action | `drop_dm_object_name(\"All_Changes\")` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_create_local_account_filter`", "how_to_implement": "This search requires you to have enabled your Group Management Audit Logs in your Local Windows Security Policy and be ingesting those logs. More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/", "known_false_positives": "It is possible that an administrator created the account. Verifying activity with an administrator is advised. This analytic is set to anomaly to allow for risk to be added. Filter and tune as needed. Restrict to critical infrastructure to reduce any volume.", "references": ["https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/"], "tags": {"name": "Windows Create Local Account", "analytic_story": ["Account Monitoring and Controls"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 20, "kill_chain_phases": ["Installation"], "message": "The following $user$ was added to $dest$ as a local account.", "mitre_attack_id": ["T1136.001", "T1136"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["All_Changes.user", "All_Changes.dest", "All_Changes.result", "All_Changes.action"], "risk_score": 18, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "Dragonfly", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/4720.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog", "update_timestamp": true}]}], "datamodel": ["Change"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_create_local_account_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_create_local_account.yml", "source": "endpoint"}, {"name": "Windows Credential Dumping LSASS Memory Createdump", "id": "b3b7ce35-fce5-4c73-85f4-700aeada81a9", "version": 1, "date": "2023-01-23", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of CreateDump.exe being used to perform a process dump. This particular binary is not native to Windows, but is found to be brought in my many different third party applications including PowerShell 7.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=createdump.exe OR Processes.original_file_name=\"FX_VER_INTERNALNAME_STR\" Processes.process=\"*-u *\" AND Processes.process=\"*-f *\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credential_dumping_lsass_memory_createdump_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present if an application is dumping processes, filter as needed. Recommend reviewing createdump.exe usage across the fleet to better understand all usage and by what.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md#atomic-test-11---dump-lsass-with-createdumpexe-from-net-v5"], "tags": {"name": "Windows Credential Dumping LSASS Memory Createdump", "analytic_story": ["Credential Dumping"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to dump a process.", "mitre_attack_id": ["T1003.001"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/createdump_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_credential_dumping_lsass_memory_createdump_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "id": "2e65afe0-9a75-4487-bd87-ada9a9f1b9af", "version": 1, "date": "2023-04-26", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic focuses on identifying non-chrome processes that attempt to access the Chrome extensions file. This file contains crucial settings and information related to the browser's extensions installed on the computer. Adversaries and malware authors have been known to exploit this file to extract sensitive information from the Chrome browser on targeted hosts. Detecting such anomalous behavior provides valuable insights for analyzing suspicious processes beyond the commonly observed chrome.exe and explorer.exe executables. By monitoring for access to the Chrome extensions file by non-chrome processes, we can enhance our ability to detect potential threats and protect sensitive information stored within the browser.", "data_source": ["Security Event ID 4663"], "search": "`wineventlog_security` EventCode=4663 object_file_path=\"*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Local Extension Settings\\\\*\" AND NOT (process_path IN (\"*:\\\\Windows\\\\explorer.exe\", \"*\\\\chrome.exe\")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_chrome_extension_access_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "Uninstall chrome browser extension application may access this file and folder path to removed chrome installation in the target host. Filter is needed.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"name": "Windows Credentials from Password Stores Chrome Extension Access", "analytic_story": ["RedLine Stealer", "Amadey"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "A non-chrome process $process_name$ accessing chrome browser extension folder files on $dest$", "mitre_attack_id": ["T1012"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "object_file_name", "object_file_path", "process_name", "process_path", "process_id", "EventCode", "dest"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/browser_ext_access/security-ext-raw.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_credentials_from_password_stores_chrome_extension_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "id": "3b1d09a8-a26f-473e-a510-6c6613573657", "version": 1, "date": "2023-04-26", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is designed to detect non-chrome processes accessing the Chrome user data file called \"local state.\" This file contains important settings and information related to the browser's operations on the computer. Threat actors, adversaries, and malware authors have been known to exploit this file in attempts to extract the encrypted master key used for decrypting passwords saved in the Chrome browser. Detecting access to the \"local state\" file by non-chrome processes serves as a valuable pivot for analyzing suspicious processes beyond the commonly observed chrome.exe and explorer.exe executables. By monitoring for this anomaly, we can improve our ability to identify potential threats and safeguard sensitive information stored within the browser.", "data_source": ["Security Event ID 4663"], "search": "`wineventlog_security` EventCode=4663 object_file_path=\"*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Local State\" NOT (process_name IN (\"*\\\\chrome.exe\",\"*:\\\\Windows\\\\explorer.exe\")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_chrome_localstate_access_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "Uninstall chrome application may access this file and folder path to removed chrome installation in target host. Filter is needed.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "analytic_story": ["RedLine Stealer", "Amadey"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "A non-chrome process $process_name$ accessing \"Chrome\\\\User Data\\\\Local State\" file on $dest$", "mitre_attack_id": ["T1012"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "object_file_name", "object_file_path", "process_name", "process_path", "process_id", "EventCode", "dest"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/chrome_local_state_simulate_access/redline-local-state-security-xml.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_credentials_from_password_stores_chrome_localstate_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "id": "0d32ba37-80fc-4429-809c-0ba15801aeaf", "version": 1, "date": "2023-04-27", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is designed to identify non-chrome processes accessing the Chrome user data file called \"login data.\" This SQLite database file contains important information related to the browser's operations on the computer. Threat actors, adversaries, and malware authors have been known to exploit this file in attempts to extract and decrypt passwords saved in the Chrome browser. Detecting access to the \"login data\" file by non-chrome processes serves as a valuable pivot for analyzing suspicious processes beyond the commonly observed chrome.exe and explorer.exe executables. By monitoring for this anomaly, we can enhance our ability to detect potential threats and protect sensitive information stored within the browser.", "data_source": ["Security Event ID 4663"], "search": "`wineventlog_security` EventCode=4663 object_file_path=\"*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Login Data\" AND NOT (process_path IN (\"*:\\\\Windows\\\\explorer.exe\", \"*:\\\\Windows\\\\System32\\\\dllhost.exe\", \"*\\\\chrome.exe\")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_chrome_login_data_access_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "Uninstall application may access this registry to remove the entry of the target application. filter is needed.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "analytic_story": ["RedLine Stealer", "Amadey"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "A non-chrome process $process_name$ accessing Chrome \"Login Data\" file on $dest$", "mitre_attack_id": ["T1012"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "object_file_name", "object_file_path", "process_name", "process_path", "process_id", "EventCode", "dest"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/chrome_login_data_simulate_access/redline-login-data-security-xml.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_credentials_from_password_stores_chrome_login_data_access_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Credentials from Password Stores Query", "id": "db02d6b4-5d5b-4c33-8d8f-f0577516a8c7", "version": 1, "date": "2022-11-30", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a process execution of Windows OS cmdkey.exe tool. This tool is being abused or used by several post exploitation tool such as winpeas that being used by ransomware prestige to list stored user names, passwords or credentials in the targeted Windows OS host. This information can be used by the attacker to gain privilege escalation and persistence in the targeted hosts for further attacks.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"cmdkey.exe\" OR Processes.original_file_name = \"cmdkey.exe\" AND Processes.process = \"*/list*\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_query_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used.", "known_false_positives": "network administrator can use this tool for auditing process.", "references": ["https://ss64.com/nt/cmdkey.html", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"name": "Windows Credentials from Password Stores Query", "analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "a process $process_name$ was executed in $dest$ to display stored username and credentials.", "mitre_attack_id": ["T1555"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id", "Processes.parent_process_guid", "Processes.process_guid"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_cmdkeylist/cmdkey-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_credentials_from_password_stores_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_credentials_from_password_stores_query.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Credentials in Registry Reg Query", "id": "a8b3124e-2278-4b73-ae9c-585117079fb2", "version": 1, "date": "2022-11-30", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a process command line related to the discovery of possible password or credentials in the registry. This technique is being abused by adversaries or post exploitation tools like winpeas to steal credentials in the registry in the targeted host. Registry can contain several sensitive information like username and credentials that can be used for privilege escalation, persistence or even in lateral movement. This Anomaly detection can be a good pivot to detect a suspicious process querying a registry related to password or private keys.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = \"* query *\" AND Processes.process IN (\"*\\\\Software\\\\ORL\\\\WinVNC3\\\\Password*\", \"*\\\\SOFTWARE\\\\RealVNC\\\\WinVNC4 /v password*\", \"*\\\\CurrentControlSet\\\\Services\\\\SNMP*\", \"*\\\\Software\\\\TightVNC\\\\Server*\", \"*\\\\Software\\\\SimonTatham\\\\PuTTY\\\\Sessions*\", \"*\\\\Software\\\\OpenSSH\\\\Agent\\\\Keys*\", \"*password*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_in_registry_reg_query_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used.", "known_false_positives": "unknown", "references": ["https://attack.mitre.org/techniques/T1552/002/", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"name": "Windows Credentials in Registry Reg Query", "analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "reg query commandline $process$ in $dest$", "mitre_attack_id": ["T1552.002", "T1552"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id", "Processes.parent_process_guid", "Processes.process_guid"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1552.002", "mitre_attack_technique": "Credentials in Registry", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT32"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_search_pwd/query-putty-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_credentials_in_registry_reg_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_credentials_in_registry_reg_query.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Curl Download to Suspicious Path", "id": "c32f091e-30db-11ec-8738-acde48001122", "version": 1, "date": "2021-10-19", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of Windows Curl.exe downloading a file to a suspicious location. \\\n-O or --output is used when a file is to be downloaded and placed in a specified location. \\\nDuring triage, review parallel processes for further behavior. In addition, identify if the download was successful. If a file was downloaded, capture and analyze.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_curl` Processes.process IN (\"*-O *\",\"*--output*\") Processes.process IN (\"*\\\\appdata\\\\*\",\"*\\\\programdata\\\\*\",\"*\\\\public\\\\*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_curl_download_to_suspicious_path_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "It is possible Administrators or super users will use Curl for legitimate purposes. Filter as needed.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://attack.mitre.org/techniques/T1105/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"], "tags": {"name": "Windows Curl Download to Suspicious Path", "analytic_story": ["IcedID", "Ingress Tool Transfer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Command And Control"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ to download a file to a suspicious directory.", "mitre_attack_id": ["T1105"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon_curl.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_curl", "definition": "(Processes.process_name=curl.exe OR Processes.original_file_name=Curl.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "windows_curl_download_to_suspicious_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_curl_download_to_suspicious_path.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Curl Upload to Remote Destination", "id": "42f8f1a2-4228-11ec-aade-acde48001122", "version": 1, "date": "2021-11-10", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of Windows Curl.exe uploading a file to a remote destination. \\\n`-T` or `--upload-file` is used when a file is to be uploaded to a remotge destination. \\\n`-d` or `--data` POST is the HTTP method that was invented to send data to a receiving web application, and it is, for example, how most common HTML forms on the web work. \\\nHTTP multipart formposts are done with `-F`, but this appears to not be compatible with the Windows version of Curl. Will update if identified adversary tradecraft. \\\nAdversaries may use one of the three methods based on the remote destination and what they are attempting to upload (zip vs txt). During triage, review parallel processes for further behavior. In addition, identify if the upload was successful in network logs. If a file was uploaded, isolate the endpoint and review.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_curl` Processes.process IN (\"*-T *\",\"*--upload-file *\", \"*-d *\", \"*--data *\", \"*-F *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_curl_upload_to_remote_destination_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be limited to source control applications and may be required to be filtered out.", "references": ["https://everything.curl.dev/usingcurl/uploads", "https://techcommunity.microsoft.com/t5/containers/tar-and-curl-come-to-windows/ba-p/382409", "https://twitter.com/d1r4c/status/1279042657508081664?s=20"], "tags": {"name": "Windows Curl Upload to Remote Destination", "analytic_story": ["Ingress Tool Transfer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Command And Control"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ uploading a file to a remote destination.", "mitre_attack_id": ["T1105"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon_curl_upload.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_curl", "definition": "(Processes.process_name=curl.exe OR Processes.original_file_name=Curl.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "windows_curl_upload_to_remote_destination_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_curl_upload_to_remote_destination.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Data Destruction Recursive Exec Files Deletion", "id": "3596a799-6320-4a2f-8772-a9e98ddb2960", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a suspicious process recursively deleting files in a compromised host. This behavior was seen in several destructive malware, wiper like caddy wiper, doublezero, and now swiftslicer that delete or overwrite files with random generated strings to make it unrecoverable. This analytic can also catch a possible recursive file write on multiple files using Sysmon Event 23. Sysmon treats the modified file as a deleted one as soon as it was overwritten. This analytic can be a good indicator that a possible destructive malware is running in a host machine or a big software application is being uninstalled.", "data_source": ["Sysmon Event ID 23"], "search": "`sysmon` EventCode=23 TargetFilename IN (\"*.exe\", \"*.sys\", \"*.dll\") | bin _time span=2m | stats values(TargetFilename) as deleted_files min(_time) as firstTime max(_time) as lastTime count by Computer user EventCode Image ProcessID | where count >=500 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_data_destruction_recursive_exec_files_deletion_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the deleted target file name, process name and process id from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "uninstall a big software application may trigger this detection. Filter is needed.", "references": ["https://www.welivesecurity.com/2023/01/27/swiftslicer-new-destructive-wiper-malware-ukraine/"], "tags": {"name": "Windows Data Destruction Recursive Exec Files Deletion", "analytic_story": ["Swift Slicer", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "message": "a big number of executable files being deleted in $Computer$", "mitre_attack_id": ["T1485"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Endpoint", "role": ["Victim"]}, {"name": "deleted_files", "type": "File Name", "role": ["Target"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["EventCode", "TargetFilename", "Computer", "user", "Image", "ProcessID", "_time"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/swift_slicer/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_data_destruction_recursive_exec_files_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Windows Defacement Modify Transcodedwallpaper File", "id": "e11c3d90-5bc7-42ad-94cd-ba75db10d897", "version": 1, "date": "2022-08-25", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a modification to the Transcodedwallpaper file in the wallpaper theme directory to change the wallpaper of the host machine. This technique was seen in adversaries attempting to deface or change the desktop wallpaper of the targeted host. During our testing, the common process that affects or changes the wallpaper if a user changes it via desktop personalized setting is explorer.exe.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_path !=\"*\\\\Windows\\\\Explorer.EXE\" by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid Processes.original_file_name | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid | join proc_guid, _time [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_path = \"*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Themes\\\\TranscodedWallpaper\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` |rename process_guid as proc_guid | fields file_name file_path process_name process_path process dest file_create_time _time proc_guid] | `windows_defacement_modify_transcodedwallpaper_file_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "3rd part software application can change the wallpaper. Filter is needed.", "references": ["https://forums.ivanti.com/s/article/Wallpaper-Windows-Settings-Desktop-Settings-and-the-transcodedwallpaper-jpg?language=en_US", "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_sifreli.a"], "tags": {"name": "Windows Defacement Modify Transcodedwallpaper File", "analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Actions on Objectives"], "message": "modification or creation of transcodedwallpaper file by $process_name$ in $dest$", "mitre_attack_id": ["T1491"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "file_create_time", "file_name", "file_path", "process_name", "process_path", "process"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/wallpaper_via_transcodedwallpaper/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_defacement_modify_transcodedwallpaper_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Default Group Policy Object Modified", "id": "fe6a6cc4-9e0d-4d66-bcf4-2c7f44860876", "version": 1, "date": "2023-03-28", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic leverages Event ID 5136 to identify the modification of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment. The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the modification of the default GPOs.", "data_source": [], "search": " `wineventlog_security` EventCode=5136 ObjectClass=groupPolicyContainer AttributeLDAPDisplayName=versionNumber (ObjectDN=\"CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM,DC=*\" OR ObjectDN=\"CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=POLICIES,CN=SYSTEM,DC=*\") | stats min(_time) as firstTime max(_time) as lastTime by ObjectDN SubjectUserSid AttributeValue Computer DSName | rename AttributeValue as versionNumber | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_default_group_policy_object_modified_filter`", "how_to_implement": "To successfully implement this search, the Advanced Security Audit policy setting `Audit Directory Service Changes` within `DS Access` needs to be enabled. Furthermore, the appropriate system access control lists (SACL) need to be created as the used events are not logged by default. A good guide to accomplish this can be found here https://jgspiers.com/audit-group-policy-changes/.", "known_false_positives": "The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed.", "references": ["https://attack.mitre.org/techniques/T1484/", "https://attack.mitre.org/techniques/T1484/001", "https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/", "https://adsecurity.org/?p=2716"], "tags": {"name": "Windows Default Group Policy Object Modified", "analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "A default group policy object was modified on $Computer$ by $SubjectUserSid$", "mitre_attack_id": ["T1484", "T1484.001"], "nist": ["DE.CM"], "observable": [{"name": "SubjectUserSid", "type": "User", "role": ["Attacker"]}, {"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["EventCode", "ObjectClass", "AttributeLDAPDisplayName", "ObjectDN", "Computer", "DSName", "AttributeValue", "SubjectUserSid"], "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1484.001", "mitre_attack_technique": "Group Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Indrik Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/default_domain_policy_modified/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_default_group_policy_object_modified_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_default_group_policy_object_modified.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Default Group Policy Object Modified with GPME", "id": "eaf688b3-bb8f-454d-b105-920a862cd8cb", "version": 1, "date": "2023-04-24", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic leverages the Endpoint datamodel to identify the potential edition of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment. The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the edition of the default GPOs.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=mmc.exe (Processes.process =*gpme.msc*) AND (Processes.process = \"*31B2F340-016D-11D2-945F-00C04FB984F9*\" OR Processes.process = \"*6AC1786C-016F-11D2-945F-00C04fB984F9*\" ) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_default_group_policy_object_modified_with_gpme_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed.", "references": ["https://attack.mitre.org/techniques/T1484/", "https://attack.mitre.org/techniques/T1484/001", "https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/", "https://adsecurity.org/?p=2716", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn265969(v=ws.11)"], "tags": {"name": "Windows Default Group Policy Object Modified with GPME", "analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "A default group policy object was opened with Group Policy Manage Editor on $dest$", "mitre_attack_id": ["T1484", "T1484.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1484.001", "mitre_attack_technique": "Group Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Indrik Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/default_domain_policy_modified/windows-security.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_default_group_policy_object_modified_with_gpme_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Defender Exclusion Registry Entry", "id": "13395a44-4dd9-11ec-9df7-acde48001122", "version": 3, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic will detect a suspicious process that modify a registry related to windows defender exclusion feature. This registry is abused by adversaries, malware author and red teams to bypassed Windows Defender Anti-Virus product by excluding folder path, file path, process, extensions and etc. from its real time or schedule scan to execute their malicious code. This is a good indicator for a defense evasion and to look further for events after this behavior.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_defender_exclusion_registry_entry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to use this windows features.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html", "https://app.any.run/tasks/cf1245de-06a7-4366-8209-8e3006f2bfe5/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"name": "Windows Defender Exclusion Registry Entry", "analytic_story": ["Remcos", "Windows Defense Evasion Tactics", "Azorult", "Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "exclusion registry $registry_path$ modified or added on $dest$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_defender_exclusion_registry_entry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_defender_exclusion_registry_entry.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Deleted Registry By A Non Critical Process File Path", "id": "15e70689-f55b-489e-8a80-6d0cd6d8aad2", "version": 2, "date": "2023-04-14", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to detect deletion of registry with suspicious process file path. This technique was seen in Double Zero wiper malware where it will delete all the subkey in HKLM, HKCU and HKU registry hive as part of its destructive payload to the targeted hosts. This anomaly detections can catch possible malware or advesaries deleting registry as part of defense evasion or even payload impact but can also catch for third party application updates or installation. In this scenario false positive filter is needed.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry WHERE Registry.action=deleted BY _time span=1h Registry.dest Registry.registry_path Registry.registry_value_name Registry.registry_key_name Registry.process_guid Registry.registry_value_data Registry.action | `drop_dm_object_name(Registry)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes WHERE NOT (Processes.process_path IN (\"*\\\\windows\\\\*\", \"*\\\\program files*\")) by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.user Processes.parent_process_name Processes.parent_process Processes.process_path Processes.process_guid | `drop_dm_object_name(Processes)`] | fields _time parent_process_name parent_process process_name process_path process process_guid registry_path registry_value_name registry_value_data registry_key_name action dest user | `windows_deleted_registry_by_a_non_critical_process_file_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "This detection can catch for third party application updates or installation. In this scenario false positive filter is needed.", "references": ["https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html"], "tags": {"name": "Windows Deleted Registry By A Non Critical Process File Path", "analytic_story": ["Data Destruction", "Double Zero Destructor"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "registry was deleted by a suspicious $process_name$ with proces path $process_path in $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.user", "Processes.dest", "Processes.process_id", "Processes.process_name", "Processes.process", "Processes.process_path", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_guid", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/doublezero_wiper/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_deleted_registry_by_a_non_critical_process_file_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Disable Change Password Through Registry", "id": "0df33e1a-9ef6-11ec-a1ad-acde48001122", "version": 3, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to detect a suspicious registry modification to disable change password feature of the windows host. This registry modification may disables the Change Password button on the Windows Security dialog box (which appears when you press Ctrl+Alt+Del). As a result, users cannot change their Windows password on demand. This technique was seen in some malware family like ransomware to prevent the user to change the password after ownning the network or a system during attack. This windows feature may implemented by administrator to prevent normal user to change the password of a critical host or server, In this type of scenario filter is needed to minimized false positive.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableChangePassword\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_change_password_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "This windows feature may implemented by administrator to prevent normal user to change the password of a critical host or server, In this type of scenario filter is needed to minimized false positive.", "references": ["https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_heartbleed.thdobah"], "tags": {"name": "Windows Disable Change Password Through Registry", "analytic_story": ["Ransomware", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Registry modification in \"DisableChangePassword\" on $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Change", "Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_disable_change_password_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_disable_change_password_through_registry.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Disable Lock Workstation Feature Through Registry", "id": "c82adbc6-9f00-11ec-a81f-acde48001122", "version": 3, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to detect a suspicious registry modification to disable Lock Computer windows features. This registry modification prevent the user from locking its screen or computer that are being abused by several malware for example ransomware. This technique was used by threat actor to make its payload more impactful to the compromised host.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableLockWorkstation\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_lock_workstation_feature_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "references": ["https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/", "https://heimdalsecurity.com/blog/fatalrat-targets-telegram/"], "tags": {"name": "Windows Disable Lock Workstation Feature Through Registry", "analytic_story": ["Ransomware", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Registry modification in \"DisableLockWorkstation\" on $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_disable_lock_workstation_feature_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Disable LogOff Button Through Registry", "id": "b2fb6830-9ed1-11ec-9fcb-acde48001122", "version": 3, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to detect a suspicious registry modification to disable logoff feature in windows host. This registry when enable will prevent users to log off of the system by using any method, including programs run from the command line, such as scripts. It also disables or removes all menu items and buttons that log the user off of the system. This technique was seen abused by ransomware malware to make the compromised host un-useful and hard to remove other registry modification made on the machine that needs restart to take effect. This windows feature may implement by administrator in some server where shutdown is critical. In that scenario filter of machine and users that can modify this registry is needed.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\*\" Registry.registry_value_name IN (\"NoLogOff\", \"StartMenuLogOff\") Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_logoff_button_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "This windows feature may implement by administrator in some server where shutdown is critical. In that scenario filter of machine and users that can modify this registry is needed.", "references": ["https://www.hybrid-analysis.com/sample/e2d4018fd3bd541c153af98ef7c25b2bf4a66bc3bfb89e437cde89fd08a9dd7b/5b1f4d947ca3e10f22714774", "https://malwiki.org/index.php?title=DigiPop.xp", "https://www.trendmicro.com/vinfo/be/threat-encyclopedia/search/js_noclose.e/2"], "tags": {"name": "Windows Disable LogOff Button Through Registry", "analytic_story": ["Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Registry modification in \"NoLogOff\" on $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_disable_logoff_button_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_disable_logoff_button_through_registry.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Disable Memory Crash Dump", "id": "59e54602-9680-11ec-a8a6-acde48001122", "version": 2, "date": "2023-04-27", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a process that is attempting to disable the ability on Windows to generate a memory crash dump. This was recently identified being utilized by HermeticWiper. To disable crash dumps, the value must be set to 0. This feature is typically modified to perform a memory crash dump when a computer stops unexpectedly because of a Stop error (also known as a blue screen, system crash, or bug check).", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry where (Registry.registry_path=\"*\\\\CurrentControlSet\\\\Control\\\\CrashControl\\\\CrashDumpEnabled\") AND Registry.registry_value_data=\"0x00000000\" by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_memory_crash_dump_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` and `Registry` node.", "known_false_positives": "unknown", "references": ["https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html", "https://docs.microsoft.com/en-us/troubleshoot/windows-server/performance/memory-dump-file-options"], "tags": {"name": "Windows Disable Memory Crash Dump", "analytic_story": ["Ransomware", "Data Destruction", "Windows Registry Abuse", "Hermetic Wiper"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "message": "A process $process_name$ was identified attempting to disable memory crash dumps on $dest$.", "mitre_attack_id": ["T1485"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/hermetic_wiper/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_disable_memory_crash_dump_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_disable_memory_crash_dump.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Disable Notification Center", "id": "1cd983c8-8fd6-11ec-a09d-acde48001122", "version": 3, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following search identifies a modification of registry to disable the windows notification center feature in a windows host machine. This registry modification removes notification and action center from the notification area on the task bar. This modification are seen in RAT malware to cover their tracks upon downloading other of its component or other payload.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_value_name= \"DisableNotificationCenter\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_notification_center_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "admin or user may choose to disable this windows features.", "references": ["https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html"], "tags": {"name": "Windows Disable Notification Center", "analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "The Windows notification center was disabled on $dest$ by $user$.", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/disable_notif_center/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_disable_notification_center_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_disable_notification_center.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Disable Shutdown Button Through Registry", "id": "55fb2958-9ecd-11ec-a06a-acde48001122", "version": 3, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to detect a suspicious registry modification to disable shutdown button on the logon user. This technique was seen in several malware especially in ransomware family like killdisk malware variant to make the compromised host un-useful and hard to remove other registry modification made on the machine that needs restart to take effect. This windows feature may implement by administrator in some server where shutdown is critical. In that scenario filter of machine and users that can modify this registry is needed.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\shutdownwithoutlogon\" Registry.registry_value_data = \"0x00000000\") OR (Registry.registry_path=\"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoClose\" Registry.registry_value_data = \"0x00000001\")) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_shutdown_button_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "This windows feature may implement by administrator in some server where shutdown is critical. In that scenario filter of machine and users that can modify this registry is needed.", "references": ["https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.msil.screenlocker.a/"], "tags": {"name": "Windows Disable Shutdown Button Through Registry", "analytic_story": ["Ransomware", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Registry modification in \"shutdownwithoutlogon\" on $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_disable_shutdown_button_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_disable_shutdown_button_through_registry.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Disable Windows Event Logging Disable HTTP Logging", "id": "23fb6787-255f-4d5b-9a66-9fd7504032b5", "version": 1, "date": "2022-12-21", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies AppCmd.exe being utilized to disable HTTP logging on IIS. Adversaries may perform this action to disable logging and delete the logs so remove any trace or events on disk.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where NOT (Processes.parent_process_name IN (\"msiexec.exe\", \"iissetup.exe\")) Processes.process_name=appcmd.exe Processes.process IN (\"*set config*\", \"*httplogging*\",\"*dontlog:true*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_windows_event_logging_disable_http_logging_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present only if scripts or Administrators are disabling logging. Filter as needed by parent process or other.", "references": ["https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union", "https://strontic.github.io/xcyclopedia/library/appcmd.exe-055B2B09409F980BF9B5A3969D01E5B2.html"], "tags": {"name": "Windows Disable Windows Event Logging Disable HTTP Logging", "analytic_story": ["IIS Components", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to disable IIS HTTP Logging.", "mitre_attack_id": ["T1562.002", "T1562", "T1505", "T1505.004"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.002", "mitre_attack_technique": "Disable Windows Event Logging", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound", "Threat Group-3390"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/disable_http_logging_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_disable_windows_event_logging_disable_http_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "id": "63a449ae-9f04-11ec-945e-acde48001122", "version": 4, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to detect a suspicious registry modification to disable windows features. These techniques are seen in several ransomware malware to impair the compromised host to make it hard for analyst to mitigate or response from the attack. Disabling these known features make the analysis and forensic response more hard. Disabling these feature is not so common but can still be implemented by the administrator for security purposes. In this scenario filters for users that are allowed doing this is needed.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\*\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\*\" Registry.registry_value_name IN (\"NoDesktop\", \"NoFind\", \"NoControlPanel\", \"NoFileMenu\", \"NoSetTaskbar\", \"NoTrayContextMenu\", \"TaskbarLockAll\", \"NoThemesTab\",\"NoPropertiesMyDocuments\",\"NoVisualStyleChoice\",\"NoColorChoice\",\"NoPropertiesMyDocuments\") Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_windows_group_policy_features_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "Disabling these features for legitimate purposes is not a common use case but can still be implemented by the administrators. Filter as needed.", "references": ["https://hybrid-analysis.com/sample/ef1c427394c205580576d18ba68d5911089c7da0386f19d1ca126929d3e671ab?environmentId=120&lang=en", "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis", "https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details"], "tags": {"name": "Windows Disable Windows Group Policy Features Through Registry", "analytic_story": ["Ransomware", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Registry modification to disable windows features on $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_disable_windows_group_policy_features_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows DisableAntiSpyware Registry", "id": "23150a40-9301-4195-b802-5bb4f43067fb", "version": 2, "date": "2023-04-25", "author": "Rod Soto, Jose Hernandez, Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The search looks for the Registry Key DisableAntiSpyware set to disable. This is consistent with Ryuk infections across a fleet of endpoints. This particular behavior is typically executed when an ransomware actor gains access to an endpoint and beings to perform execution. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_value_name=\"DisableAntiSpyware\" AND Registry.registry_value_data=\"0x00000001\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_disableantispyware_registry_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "references": ["https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/"], "tags": {"name": "Windows DisableAntiSpyware Registry", "analytic_story": ["Azorult", "Windows Registry Abuse", "CISA AA22-264A", "RedLine Stealer", "Windows Defense Evasion Tactics", "Ryuk Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Windows DisableAntiSpyware registry key set to 'disabled' on $dest$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_value_name", "Registry.dest", "Registry.user", "Registry.registry_path"], "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_disableantispyware_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_disableantispyware_registry.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows DiskCryptor Usage", "id": "d56fe0c8-4650-11ec-a8fa-acde48001122", "version": 1, "date": "2021-11-15", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies DiskCryptor process name of dcrypt.exe or internal name dcinst.exe. This utility has been utilized by adversaries to encrypt disks manually during an operation. In addition, during install, a dcrypt.sys driver is installed and requires a reboot in order to take effect. There are no command-line arguments used.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"dcrypt.exe\" OR Processes.original_file_name=dcinst.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_diskcryptor_usage_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "It is possible false positives may be present based on the internal name dcinst.exe, filter as needed. It may be worthy to alert on the service name.", "references": ["https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/", "https://github.com/DavidXanatos/DiskCryptor"], "tags": {"name": "Windows DiskCryptor Usage", "analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to encrypt disks.", "mitre_attack_id": ["T1486"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/dcrypt/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_diskcryptor_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_diskcryptor_usage.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Diskshadow Proxy Execution", "id": "58adae9e-8ea3-11ec-90f6-acde48001122", "version": 1, "date": "2022-02-15", "author": "Lou Stella, Splunk", "type": "TTP", "status": "production", "description": "DiskShadow.exe is a Microsoft Signed binary present on Windows Server. It has a scripting mode intended for complex scripted backup operations. This feature also allows for execution of arbitrary unsigned code. This analytic looks for the usage of the scripting mode flags in executions of DiskShadow. During triage, compare to known backup behavior in your environment and then review the scripts called by diskshadow.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_diskshadow` (Processes.process=*-s* OR Processes.process=*/s*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_diskshadow_proxy_execution_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on processes that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition,confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators using the DiskShadow tool in their infrastructure as a main backup tool with scripts will cause false positives that can be filtered with `windows_diskshadow_proxy_execution_filter`", "references": ["https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/"], "tags": {"name": "Windows Diskshadow Proxy Execution", "analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Possible Signed Binary Proxy Execution on $dest$", "mitre_attack_id": ["T1218"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Porcesses.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process_id", "Processes.parent_process_id", "Processes.original_file_name"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/diskshadow/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_diskshadow", "definition": "(Processes.process_name=diskshadow.exe OR Processes.original_file_name=diskshadow.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_diskshadow_proxy_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_diskshadow_proxy_execution.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows DISM Remove Defender", "id": "8567da9e-47f0-11ec-99a9-acde48001122", "version": 1, "date": "2021-11-17", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of the Windows Disk Image Utility, `dism.exe`, to remove Windows Defender. Adversaries may use `dism.exe` to disable Defender before completing their objective.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=dism.exe (Processes.process=\"*/online*\" AND Processes.process=\"*/disable-feature*\" AND Processes.process=\"*Windows-Defender*\" AND Processes.process=\"*/remove*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dism_remove_defender_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Some legitimate administrative tools leverage `dism.exe` to manipulate packages and features of the operating system. Filter as needed.", "references": ["https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/"], "tags": {"name": "Windows DISM Remove Defender", "analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to disable Windows Defender.", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "access", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/atomic_red_team/windows-sysmon_dism.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_dism_remove_defender_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_dism_remove_defender.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows DLL Search Order Hijacking Hunt", "id": "79c7d0fc-60c7-41be-a616-ccda752efe89", "version": 2, "date": "2022-12-31", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following hunting analytic is an experimental query built against a accidental feature using the latest Sysmon TA 3.0 (https://splunkbase.splunk.com/app/5709/) which maps the module load (ImageLoaded) to process_name. This analytic will deprecate once this is fixed. This hunting analytic identifies known libraries in Windows that may be used in a DLL search order hijack or DLL Sideloading setting. This may require recompiling the DLL, moving the DLL or moving the vulnerable process. The query looks for any running out of system32 or syswow64. Some libraries natively run out of other application paths and will need to be added to the exclusion as needed. The lookup is comprised of Microsoft native libraries identified within the Hijacklibs.net project.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name from datamodel=Endpoint.Processes where Processes.dest!=unknown Processes.user!=unknown NOT (Processes.process_path IN (\"*\\\\system32\\\\*\", \"*\\\\syswow64\\\\*\",\"*\\\\winsxs\\\\*\",\"*\\\\wbem\\\\*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process_path | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup hijacklibs library AS process_name OUTPUT islibrary | search islibrary = True | rename parent_process_name as \"Process Name\" process_name AS ImageLoaded process_path AS Module_Path | `windows_dll_search_order_hijacking_hunt_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. This may only with with Sysmon data and the Sysmon TA. Your mileage may vary.", "known_false_positives": "False positives will be present based on paths. Filter or add other paths to the exclusion as needed.", "references": ["https://hijacklibs.net"], "tags": {"name": "Windows DLL Search Order Hijacking Hunt", "analytic_story": ["Living Off The Land", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 10, "impact": 10, "kill_chain_phases": ["Exploitation", "Installation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to perform DLL search order hijacking.", "mitre_attack_id": ["T1574.001", "T1574"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process_path"], "risk_score": 1, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.001", "mitre_attack_technique": "DLL Search Order Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Aquatic Panda", "BackdoorDiplomacy", "Evilnum", "RTM", "Threat Group-3390", "Tonto Team", "Whitefly", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_dll_search_order_hijacking_hunt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "hijacklibs", "description": "A list of potentially abused libraries in Windows", "filename": "hijacklibs.csv", "default_match": "false", "match_type": "WILDCARD(library)", "min_matches": 1, "case_sensitive_match": "false"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_dll_search_order_hijacking_hunt.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows DLL Search Order Hijacking Hunt with Sysmon", "id": "79c7d1fc-64c7-91be-a616-ccda752efe81", "version": 2, "date": "2022-12-31", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following hunting analytic is an experimental query built against a accidental feature using the latest Sysmon TA 3.0 (https://splunkbase.splunk.com/app/5709/) which maps the module load (ImageLoaded) to process_name. This analytic will deprecate once this is fixed. This hunting analytic identifies known libraries in Windows that may be used in a DLL search order hijack or DLL Sideloading setting. This may require recompiling the DLL, moving the DLL or moving the vulnerable process. The query looks for any running out of system32 or syswow64. Some libraries natively run out of other application paths and will need to be added to the exclusion as needed. The lookup is comprised of Microsoft native libraries identified within the Hijacklibs.net project.", "data_source": ["Sysmon Event ID 7"], "search": "`sysmon` EventCode=7 NOT (process_path IN (\"*\\\\system32\\\\*\", \"*\\\\syswow64\\\\*\",\"*\\\\winsxs\\\\*\",\"*\\\\wbem\\\\*\")) | lookup hijacklibs library AS process_name OUTPUT islibrary | search islibrary = True | rename Computer as dest process_name AS ImageLoaded process_path AS Module_Path | stats values(parent_process_name) count by _time dest ImageLoaded Module_Path | `windows_dll_search_order_hijacking_hunt_with_sysmon_filter`", "how_to_implement": "The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products.", "known_false_positives": "False positives will be present based on paths. Filter or add other paths to the exclusion as needed.", "references": ["https://hijacklibs.net"], "tags": {"name": "Windows DLL Search Order Hijacking Hunt with Sysmon", "analytic_story": ["Living Off The Land", "Windows Defense Evasion Tactics", "Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 10, "impact": 10, "kill_chain_phases": ["Exploitation", "Installation"], "message": "An instance of $parent_process_name$ loading $process_name$ was identified on endpoint $dest$.", "mitre_attack_id": ["T1574.001", "T1574"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "ImageLoaded", "Module_Path"], "risk_score": 1, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.001", "mitre_attack_technique": "DLL Search Order Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Aquatic Panda", "BackdoorDiplomacy", "Evilnum", "RTM", "Threat Group-3390", "Tonto Team", "Whitefly", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_dll_search_order_hijacking_hunt_with_sysmon_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "hijacklibs", "description": "A list of potentially abused libraries in Windows", "filename": "hijacklibs.csv", "default_match": "false", "match_type": "WILDCARD(library)", "min_matches": 1, "case_sensitive_match": "false"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml", "source": "endpoint"}, {"name": "Windows DLL Search Order Hijacking with iscsicpl", "id": "f39ee679-3b1e-4f47-841c-5c3c580acda2", "version": 1, "date": "2022-07-29", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a recently disclosed search ordler DLL hijack in iscsicpl.exe. The malicious DLL must be in a new path and iscsicpl.exe, upon load, will execute the payload. The analytic is restricted to Windows shells. Two proof of concepts were identified and utilized to determine the behavior. The command-line is an option to go after, but most likely identifying a child process off iscsicpl.exe will be more effective. Monitoring for suspicious DLL loads is also an option.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=iscsicpl.exe `windows_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_dll_search_order_hijacking_with_iscsicpl_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present, filtering may be required. Remove the Windows Shells macro to determine if other utilities are using iscsicpl.exe.", "references": ["https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC", "https://github.com/422926799/csplugin/tree/master/bypassUAC"], "tags": {"name": "Windows DLL Search Order Hijacking with iscsicpl", "analytic_story": ["Windows Defense Evasion Tactics", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to elevate access.", "mitre_attack_id": ["T1574.001"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.001", "mitre_attack_technique": "DLL Search Order Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Aquatic Panda", "BackdoorDiplomacy", "Evilnum", "RTM", "Threat Group-3390", "Tonto Team", "Whitefly", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.001/iscsicpl/iscsicpl-windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_shells", "definition": "(Processes.process_name=cmd.exe OR Processes.process_name=powershell.exe OR Processes.process_name=pwsh.exe OR Processes.process_name=sh.exe OR Processes.process_name=bash.exe OR Processes.process_name=wscript.exe OR Processes.process_name=cscript.exe)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_dll_search_order_hijacking_with_iscsicpl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows DLL Side-Loading In Calc", "id": "af01f6db-26ac-440e-8d89-2793e303f137", "version": 1, "date": "2022-10-24", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies suspicious DLL modules loaded by calc.exe that are not in windows %systemroot%\\system32 or %systemroot%\\sysWoW64 folder. This technique is well used by Qakbot malware to execute its malicious DLL file via dll side loading technique in calc process execution. This TTP detection is a good indicator that a suspicious dll was loaded in a public or non-common installation folder of Windows Operating System that needs further investigation.", "data_source": ["Sysmon Event ID 7"], "search": "`sysmon` EventCode=7 Image = \"*\\calc.exe\" AND NOT (Image IN (\"*:\\\\windows\\\\system32\\\\*\", \"*:\\\\windows\\\\sysWow64\\\\*\")) AND NOT(ImageLoaded IN(\"*:\\\\windows\\\\system32\\\\*\", \"*:\\\\windows\\\\sysWow64\\\\*\", \"*:\\\\windows\\\\WinSXS\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded OriginalFileName Product process_name Computer EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dll_side_loading_in_calc_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on processes that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "references": ["https://www.bitdefender.com/blog/hotforsecurity/new-qakbot-malware-strain-replaces-windows-calculator-dll-to-infected-pcs/"], "tags": {"name": "Windows DLL Side-Loading In Calc", "analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "message": "a dll modules is loaded by calc.exe in $ImageLoaded$ that are not in common windows OS installation folder in $Computer$", "mitre_attack_id": ["T1574.002", "T1574"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "ImageLoaded", "OriginalFileName", "Product", "process_name", "Computer", "EventCode", "Signed", "ProcessId"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Earth Lusca", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot2/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_dll_side_loading_in_calc_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_dll_side_loading_in_calc.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Windows DLL Side-Loading Process Child Of Calc", "id": "295ca9ed-e97b-4520-90f7-dfb6469902e1", "version": 1, "date": "2022-10-20", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies the suspicious child process of calc.exe due to dll side loading technique to execute another executable. This technique was seen in qakbot malware that uses dll side loading technique to calc applications to load its malicious dll code. The malicious dll that abuses dll side loading technique will load the actual qakbot loader dll using regsvr32.exe application. This TTP is a good indicator of qakbot since the calc.exe will not load other child processes aside from win32calc.exe.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = \"calc.exe\") AND Processes.process_name != \"win32calc.exe\" by Processes.parent_process Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dll_side_loading_process_child_of_calc_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot"], "tags": {"name": "Windows DLL Side-Loading Process Child Of Calc", "analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "message": "calc.exe has a child process $process_name$ in $dest$", "mitre_attack_id": ["T1574.002", "T1574"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Earth Lusca", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_dll_side_loading_process_child_of_calc_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows DNS Gather Network Info", "id": "347e0892-e8f3-4512-afda-dc0e3fa996f3", "version": 1, "date": "2023-04-05", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a process command line used to enumerate DNS records. Adversaries, threat actors, or red teamers may employ this technique to gather information about a victim's DNS, which can be utilized during targeting. This method was also observed as part of a tool used by the Sandworm APT group in a geopolitical cyber warfare attack. By using the dnscmd.exe Windows application, an attacker can enumerate DNS records for specific domains within the targeted network, potentially aiding in further attacks. This anomaly detection can serve as a valuable starting point for identifying users and hostnames that may be compromised or targeted by adversaries seeking to collect data information.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"dnscmd.exe\" Processes.process = \"* /enumrecords *\" by Processes.parent_process Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dns_gather_network_info_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "network administrator can execute this command to enumerate DNS record. Filter or add other paths to the exclusion as needed.", "references": ["https://cert.gov.ua/article/3718487", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"], "tags": {"name": "Windows DNS Gather Network Info", "analytic_story": ["Sandworm Tools", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Reconnaissance"], "message": "A process commandline $process$ to enumerate dns record in $dest$", "mitre_attack_id": ["T1590.002"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1590.002", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1590.002/enum_dns_record/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_dns_gather_network_info_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_dns_gather_network_info.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows DnsAdmins New Member Added", "id": "27e600aa-77f8-4614-bc80-2662a67e2f48", "version": 1, "date": "2023-04-06", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic leverages Event ID 4732 to identify the addition of a new member to the DnsAdmins group within Active Directory. . Members of the DnsAdmin group can manage the DNS service which most of the times runs on the Domain Controller. By abusing legitimate DNS management functionality, a member of the DnsAdmins group can escalate privileges by executing malicious code on a Domain Controller as SYSTEM. Security teams should monitor the modification of the DnsAdmins group and validate the changes are legitimate.", "data_source": ["Windows_Security_4732.yml"], "search": " `wineventlog_security` EventCode=4732 TargetUserName=DnsAdmins | stats min(_time) as firstTime max(_time) as lastTime values(SubjectUserName) values(Computer) by MemberSid, TargetUserName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dnsadmins_new_member_added_filter`", "how_to_implement": "To successfully implement this search, Domain Controller events need to be ingested. The Advanced Security Audit policy setting `Audit Security Group Management` within `Account Management` needs to be enabled.", "known_false_positives": "New members can be added to the DnsAdmins group as part of legitimate administrative tasks. Filter as needed.", "references": ["https://attack.mitre.org/techniques/T1098/", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-dnsadmins-to-system-to-domain-compromise", "https://www.hackingarticles.in/windows-privilege-escalation-dnsadmins-to-domainadmin/", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732"], "tags": {"name": "Windows DnsAdmins New Member Added", "analytic_story": ["Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Installation"], "message": "A new member was added to the DnsAdmins group by $SubjectUserName$", "mitre_attack_id": ["T1098"], "nist": ["DE.CM"], "observable": [{"name": "SubjectUserName", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "TargetUserName", "SubjectUserName", "Computer", "MemberSid", "TargetUserName"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/dnsadmins_member_added/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_dnsadmins_new_member_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_dnsadmins_new_member_added.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows DotNet Binary in Non Standard Path", "id": "fddf3b56-7933-11ec-98a6-acde48001122", "version": 1, "date": "2023-04-14", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies native .net binaries within the Windows operating system that may be abused by adversaries by moving it to a new directory. The analytic identifies the .net binary by using a lookup and compares the process name and original file name (internal name). The analytic utilizes a lookup with the is_net_windows_file macro to identify the binary process name and original file name. if one or the other matches an alert will be generated. Adversaries abuse these binaries as they are native to windows and native DotNet. Note that not all SDK (post install of Windows) are captured in the lookup.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where NOT (Processes.process_path IN (\"*\\\\Windows\\\\ADWS\\\\*\",\"*\\\\Windows\\\\SysWOW64*\", \"*\\\\Windows\\\\system32*\", \"*\\\\Windows\\\\NetworkController\\\\*\", \"*\\\\Windows\\\\SystemApps\\\\*\", \"*\\\\WinSxS\\\\*\", \"*\\\\Windows\\\\Microsoft.NET\\\\*\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_path Processes.process_id Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `is_net_windows_file` | `windows_dotnet_binary_in_non_standard_path_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present and filtering may be required. Certain utilities will run from non-standard paths based on the third-party application in use.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml", "https://attack.mitre.org/techniques/T1036/003/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"], "tags": {"name": "Windows DotNet Binary in Non Standard Path", "analytic_story": ["Masquerading - Rename System Utilities", "Ransomware", "Unusual Processes", "Signed Binary Proxy Execution InstallUtil", "Data Destruction", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ from a non-standard path was identified on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1036", "T1036.003", "T1218", "T1218.004"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon_installutil_path.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "is_net_windows_file", "definition": "lookup update=true is_net_windows_file filename as process_name OUTPUT netFile | lookup update=true is_net_windows_file originalFileName as original_file_name OUTPUT netFile | search netFile=true", "description": "This macro limits the output to process names that are .net binaries on Windows Server 2016 and Windows 11."}, {"name": "windows_dotnet_binary_in_non_standard_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Driver Inventory", "id": "f87aa96b-369b-4a3e-9021-1bbacbfcb8fb", "version": 1, "date": "2023-02-03", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "experimental", "description": "The following hunting / inventory query assists defenders in identifying Drivers being loaded across the fleet. This query relies upon a PowerShell script input to be deployed to critical systems and beyond. If capturing all via the input, this will provide retrospection into drivers persisting. Note, that this is not perfect across a large fleet. Modify the query as you need to view the data differently.", "data_source": [], "search": "`driverinventory` | stats values(Path) min(_time) as firstTime max(_time) as lastTime count by host DriverType | rename host as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_driver_inventory_filter`", "how_to_implement": "To capture the drivers by host, utilize the referenced Gist to create the inputs, props and transforms. Otherwise, this hunt query will not work.", "known_false_positives": "Filter and modify the analytic as you'd like. Filter based on path. Remove the system32\\drivers and look for non-standard paths.", "references": ["https://gist.github.com/MHaggis/3e4dc85c69b3f7a4595a06c8a692f244"], "tags": {"name": "Windows Driver Inventory", "analytic_story": ["Windows Drivers"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 10, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Drivers have been identified on $dest$.", "mitre_attack_id": ["T1068"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Path", "host", "DriverType"], "risk_score": 5, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/driver_inventory.log", "source": "PwSh:DriverInventory", "sourcetype": "PwSh:DriverInventory", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "driverinventory", "definition": "sourcetype=PwSh:DriverInventory", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_driver_inventory_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_driver_inventory.yml", "source": "endpoint"}, {"name": "Windows Driver Load Non-Standard Path", "id": "9216ef3d-066a-4958-8f27-c84589465e62", "version": 2, "date": "2023-02-24", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic uses Windows EventCode 7045 to identify new Kernel Mode Drivers being loaded in Windows from a non-standard path. Note that, adversaries may move malicious or vulnerable drivers into these paths and load up. The idea is that this analytic provides visibility into drivers loading in non-standard file paths.", "data_source": ["Sysmon Event ID 7"], "search": "`wineventlog_system` EventCode=7045 ServiceType=\"kernel mode driver\" NOT (ImagePath IN (\"*\\\\Windows\\\\*\", \"*\\\\Program File*\", \"*\\\\systemroot\\\\*\",\"%SystemRoot%*\", \"system32\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_driver_load_non_standard_path_filter`", "how_to_implement": "To implement this analytic, the Windows EventCode 7045 will need to be logged. The Windows TA for Splunk is also recommended.", "known_false_positives": "False positives may be present based on legitimate third party applications needing to install drivers. Filter, or allow list known good drivers consistently being installed in these paths.", "references": ["https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/", "https://attack.mitre.org/techniques/T1014/", "https://www.fuzzysecurity.com/tutorials/28.html"], "tags": {"name": "Windows Driver Load Non-Standard Path", "analytic_story": ["Windows Drivers", "CISA AA22-320A", "AgentTesla"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "A kernel mode driver was loaded from a non-standard path on $ComputerName$.", "mitre_attack_id": ["T1014", "T1068"], "nist": ["DE.CM"], "observable": [{"name": "ComputerName", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Computer", "EventCode", "ImagePath", "ServiceName", "ServiceType"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1014", "mitre_attack_technique": "Rootkit", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT41", "Rocke", "TeamTNT", "Winnti Group"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/xml7045_windows-system.log", "source": "XmlWinEventLog:System", "sourcetype": "XmlWinEventLog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_driver_load_non_standard_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_driver_load_non_standard_path.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Windows Drivers Loaded by Signature", "id": "d2d4af6a-6c2b-4d79-80c5-fc2cf12a2f68", "version": 1, "date": "2022-03-30", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic assists with viewing all drivers being loaded by using Sysmon EventCode 6 (Driver Load). Sysmon provides some simple fields to assist with identifying suspicious drivers. Use this analytic to look at prevalence of driver (count), path of driver, signature status and hash. Review these fields with scrutiny until the ability to prove the driver is legitimate and has a purpose in the environment.", "data_source": ["Sysmon Event ID 6"], "search": "`sysmon` EventCode=6 | stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) count by Computer Signed Signature service_signature_verified service_signature_exists Hashes | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_drivers_loaded_by_signature_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have the latest version of the Sysmon TA. Most EDR products provide the ability to review driver loads, or module loads, and using a query as such help with hunting for malicious drivers.", "known_false_positives": "This analytic is meant to assist with identifying drivers loaded in the environment and not to be setup for notables off the bat.", "references": ["https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/", "https://attack.mitre.org/techniques/T1014/", "https://www.fuzzysecurity.com/tutorials/28.html"], "tags": {"name": "Windows Drivers Loaded by Signature", "analytic_story": ["Windows Drivers", "CISA AA22-320A", "AgentTesla"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "A driver has loaded on $Computer$.", "mitre_attack_id": ["T1014", "T1068"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ImageLoaded", "Computer", "Signed", "Signature", "service_signature_verified", "service_signature_exists", "Hashes"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1014", "mitre_attack_technique": "Rootkit", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT41", "Rocke", "TeamTNT", "Winnti Group"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1014/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_drivers_loaded_by_signature_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_drivers_loaded_by_signature.yml", "source": "endpoint"}, {"name": "Windows Enable Win32 ScheduledJob via Registry", "id": "12c80db8-ef62-4456-92df-b23e1b3219f6", "version": 1, "date": "2023-03-27", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic searches for a registry modification that enables the use of the at.exe or wmi Win32_ScheduledJob command to add scheduled tasks on a Windows endpoint. Specifically, it looks for the creation of a new DWORD value named \"EnableAt\" in the following registry path: \"HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\". If this value is set to 1, it enables the at.exe and wmi Win32_ScheduledJob commands to schedule tasks on the system. Detecting this registry modification is important because it may indicate that an attacker has enabled the ability to add scheduled tasks to the system, which can be used to execute malicious code at specific times or intervals.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\CurrentVersion\\\\Schedule\\\\Configuration*\" Registry.registry_value_name=EnableAt by Registry.dest, Registry.user, Registry.registry_value_name, Registry.registry_value_type | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_enable_win32_scheduledjob_via_registry_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "In some cases, an automated script or system may enable this setting continuously, leading to false positives. To avoid such situations, it is recommended to monitor the frequency and context of the registry modification and modify or filter the detection rules as needed. This can help to reduce the number of false positives and ensure that only genuine threats are identified. Additionally, it is important to investigate any detected instances of this modification and analyze them in the broader context of the system and network to determine if further action is necessary.", "references": ["https://securityonline.info/wmiexec-regout-get-outputdata-response-from-registry/", "https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob"], "tags": {"name": "Windows Enable Win32 ScheduledJob via Registry", "analytic_story": ["Active Directory Lateral Movement", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A process has modified the schedule task registry value - EnableAt - on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1053.005"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_path", "Registry.dest", "Registry.user", "Registry.registry_value_name", "Registry.registry_value_type"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/enableat_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_enable_win32_scheduledjob_via_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Event For Service Disabled", "id": "9c2620a8-94a1-11ec-b40c-acde48001122", "version": 2, "date": "2023-04-25", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "This analytic will identify suspicious system event of services that was modified from start to disabled. This technique is seen where the adversary attempts to disable security app services, other malware services to evade the defense systems on the compromised host", "data_source": ["Sysmon Event ID 7"], "search": "`wineventlog_system` EventCode=7040 Message = \"*service was changed from demand start to disabled.\" | stats count min(_time) as firstTime max(_time) as lastTime by ComputerName EventCode Message User Sid service service_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_event_for_service_disabled_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.", "known_false_positives": "Windows service update may cause this event. In that scenario, filtering is needed.", "references": ["https://blog.talosintelligence.com/2018/02/olympic-destroyer.html"], "tags": {"name": "Windows Event For Service Disabled", "analytic_story": ["Windows Defense Evasion Tactics", "RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "Service was disabled on $Computer$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.AE"], "observable": [{"name": "ComputerName", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ComputerName", "EventCode", "Message", "User", "Sid"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/olympic_destroyer/system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_event_for_service_disabled_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_event_for_service_disabled.yml", "source": "endpoint"}, {"name": "Windows Event Log Cleared", "id": "ad517544-aff9-4c96-bd99-d6eb43bfbb6a", "version": 6, "date": "2020-07-06", "author": "Rico Valdez, Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes Windows Security Event ID 1102 or System log event 104 to identify when a Windows event log is cleared. Note that this analytic will require tuning or restricted to specific endpoints based on criticality. During triage, based on time of day and user, determine if this was planned. If not planned, follow through with reviewing parallel alerts and other data sources to determine what else may have occurred.", "data_source": ["Sysmon Event ID 1"], "search": "(`wineventlog_security` EventCode=1102) OR (`wineventlog_system` EventCode=104) | stats count min(_time) as firstTime max(_time) as lastTime by dest Message EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_event_log_cleared_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows event logs from your hosts. In addition, the Splunk Windows TA is needed.", "known_false_positives": "It is possible that these logs may be legitimately cleared by Administrators. Filter as needed.", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1102", "https://www.ired.team/offensive-security/defense-evasion/disabling-windows-event-logs-by-suspending-eventlog-service-threads", "https://attack.mitre.org/techniques/T1070/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"], "tags": {"name": "Windows Event Log Cleared", "analytic_story": ["Windows Log Manipulation", "Ransomware", "Clop Ransomware", "CISA AA22-264A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Windows event logs cleared on $dest$ via EventCode $EventCode$", "mitre_attack_id": ["T1070", "T1070.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "dest"], "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.001/atomic_red_team/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.001/atomic_red_team/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_event_log_cleared_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_event_log_cleared.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Event Triggered Image File Execution Options Injection", "id": "f7abfab9-12ea-44e8-8745-475f9ca6e0a4", "version": 1, "date": "2022-09-08", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following hunting analytic identifies EventCode 3000 in Application channel indicating a process exit. This behavior is based on process names being added to the Image File Execution Options under HKLM \\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\ and \\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit. Once these are set for a process, an eventcode 3000 will generate. The example used is from Thinkst Canary where a CanaryToken is setup to monitor for a commonly abused living off the land binary (ex. Klist.exe) and generate an event when it occurs. This can be seen as settings traps to monitor for suspicious behavior. Monitor and tune this hunting analytic and setup traps across your organization and begin monitoring.", "data_source": ["Sysmon Event ID 3"], "search": "`wineventlog_application` EventCode=3000 | rename param1 AS \"Process\" param2 AS \"Exit_Code\" | stats count min(_time) as firstTime max(_time) as lastTime by Process Exit_Code dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_event_triggered_image_file_execution_options_injection_filter`", "how_to_implement": "This analytic requires capturing the Windows Event Log Application channel in XML.", "known_false_positives": "False positives may be present and tuning will be required before turning into a TTP or notable.", "references": ["https://blog.thinkst.com/2022/09/sensitive-command-token-so-much-offense.html", "https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/registry-entries-for-silent-process-exit"], "tags": {"name": "Windows Event Triggered Image File Execution Options Injection", "analytic_story": ["Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "message": "Windows eventcode 3000 triggered on $dest$ potentially indicating persistence or a monitoring of a process has occurred.", "mitre_attack_id": ["T1546.012"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Process", "Exit_Code", "dest", "EventCode"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["TEMP.Veles"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.012/atomic_red_team/windows-application.log", "source": "XmlWinEventLog:Application", "sourcetype": "XmlWinEventLog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_application", "definition": "eventtype=wineventlog_application OR source=\"XmlWinEventLog:Application\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_event_triggered_image_file_execution_options_injection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_event_triggered_image_file_execution_options_injection.yml", "source": "endpoint"}, {"name": "Windows Excessive Disabled Services Event", "id": "c3f85976-94a5-11ec-9a58-acde48001122", "version": 1, "date": "2022-02-23", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic will identify suspicious excessive number of system events of services that was modified from start to disabled. This technique is seen where the adversary attempts to disable security app services, other malware services oer serve as an destructive impact to complete the objective on the compromised system. One good example for this scenario is Olympic destroyer where it disable all active services in the compromised host as part of its destructive impact and defense evasion.", "data_source": ["Sysmon Event ID 7"], "search": "`wineventlog_system` EventCode=7040 Message = \"*service was changed from demand start to disabled.\" | stats count values(Message) as MessageList dc(Message) as MessageCount min(_time) as firstTime max(_time) as lastTime by ComputerName EventCode User Sid | where MessageCount >=10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_excessive_disabled_services_event_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.", "known_false_positives": "Unknown", "references": ["https://blog.talosintelligence.com/2018/02/olympic-destroyer.html"], "tags": {"name": "Windows Excessive Disabled Services Event", "analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "Service was disabled in $Computer$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "ComputerName", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ComputerName", "EventCode", "Message", "User", "Sid"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/olympic_destroyer/system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_excessive_disabled_services_event_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_excessive_disabled_services_event.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Windows Execute Arbitrary Commands with MSDT", "id": "e1d5145f-38fe-42b9-a5d5-457796715f97", "version": 3, "date": "2022-06-29", "author": "Michael Haag, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a recently disclosed arbitraty command execution using Windows msdt.exe - a Diagnostics Troubleshooting Wizard. The sample identified will use the ms-msdt:/ protocol handler to load msdt.exe to retrieve a remote payload. During triage, review file modifications for html. Identify parallel process execution that may be related, including an Office Product.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=msdt.exe Processes.process IN (\"*msdt*\",\"*ms-msdt:*\",\"*ms-msdt:/id*\",\"*ms-msdt:-id*\",\"*/id*\") AND (Processes.process=\"*IT_BrowseForFile=*\" OR Processes.process=\"*IT_RebrowseForFile=*\" OR Processes.process=\"*.xml*\") AND Processes.process=\"*PCWDiagnostic*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_execute_arbitrary_commands_with_msdt_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present, filter as needed. Added .xml to potentially capture any answer file usage. Remove as needed.", "references": ["https://isc.sans.edu/diary/rss/28694", "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", "https://twitter.com/nao_sec/status/1530196847679401984?s=20&t=ZiXYI4dQuA-0_dzQzSUb3A", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection", "https://strontic.github.io/xcyclopedia/library/msdt.exe-152D4C9F63EFB332CCB134C6953C0104.html"], "tags": {"name": "Windows Execute Arbitrary Commands with MSDT", "analytic_story": ["Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "A parent process $parent_process_name$ has spawned a child process $process_name$ on host $dest$ possibly indicative of indirect command execution.", "mitre_attack_id": ["T1218"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "cve": ["CVE-2022-30190"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/msdt.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_execute_arbitrary_commands_with_msdt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-30190", "cvss": 9.3, "summary": "Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Exfiltration Over C2 Via Invoke RestMethod", "id": "06ade821-f6fa-40d0-80af-15bc1d45b3ba", "version": 1, "date": "2023-04-05", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the potential exfiltration of data using PowerShell's Invoke-RestMethod. This technique was observed in the Winter-Vivern malware, which uploads desktop screenshots and files from compromised or targeted hosts. Detecting this TTP can serve as a valuable indicator that a process is attempting to upload files to an external or internal URI link. We recommend examining the process, the files it is trying to upload, and the URL link or C2 destination where the data is being uploaded.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Invoke-RestMethod *\" AND ScriptBlockText = \"* -Uri *\" AND ScriptBlockText = \"* -Method *\" AND ScriptBlockText = \"* Post *\" AND ScriptBlockText = \"* -InFile *\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_exfiltration_over_c2_via_invoke_restmethod_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited. Filter as needed.", "references": ["https://twitter.com/_CERT_UA/status/1620781684257091584", "https://cert.gov.ua/article/3761104"], "tags": {"name": "Windows Exfiltration Over C2 Via Invoke RestMethod", "analytic_story": ["Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "message": "A PowerShell script on $Computer$ is attempting to transfer files to a remote URL.", "mitre_attack_id": ["T1041"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Computer", "UserID", "EventCode"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1041", "mitre_attack_technique": "Exfiltration Over C2 Channel", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Chimera", "Confucius", "GALLIUM", "Gamaredon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "LuminousMoth", "MuddyWater", "Sandworm Team", "Stealth Falcon", "Wizard Spider", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/pwh_exfiltration/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_exfiltration_over_c2_via_invoke_restmethod_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_exfiltration_over_c2_via_invoke_restmethod.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Exfiltration Over C2 Via Powershell UploadString", "id": "59e8bf41-7472-412a-90d3-00f3afa452e9", "version": 1, "date": "2023-04-05", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies potential data exfiltration using the PowerShell net.webclient command. This technique was observed in the Winter-Vivern malware, which uploads desktop screenshots and files from compromised or targeted hosts. Detecting this TTP can serve as a valuable indicator that a process is attempting to upload files to an external or internal URI link. We recommend examining the process, the files it is trying to upload, and the URL link or C2 destination where the data is being uploaded.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Net.webclient*\" AND ScriptBlockText = \"*.UploadString*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_exfiltration_over_c2_via_powershell_uploadstring_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited. Filter as needed.", "references": ["https://twitter.com/_CERT_UA/status/1620781684257091584", "https://cert.gov.ua/article/3761104"], "tags": {"name": "Windows Exfiltration Over C2 Via Powershell UploadString", "analytic_story": ["Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "message": "A PowerShell script on $Computer$ is attempting to transfer files to a remote URL.", "mitre_attack_id": ["T1041"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Computer", "UserID", "EventCode"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1041", "mitre_attack_technique": "Exfiltration Over C2 Channel", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Chimera", "Confucius", "GALLIUM", "Gamaredon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "LuminousMoth", "MuddyWater", "Sandworm Team", "Stealth Falcon", "Wizard Spider", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/pwh_uploadstring/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_exfiltration_over_c2_via_powershell_uploadstring_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_exfiltration_over_c2_via_powershell_uploadstring.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Export Certificate", "id": "d8ddfa9b-b724-4df9-9dbe-f34cc0936714", "version": 2, "date": "2023-02-11", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies when a certificate is exported from the Windows Certificate Store. This analytic utilizes the Certificates Lifecycle log channel event ID 1007. EventID 1007 is focused on the Export of a certificate from the local certificate store. In addition, review the ProcessName field as it will help to determine automation/Admin or adversary extracting the certificate. Depending on the organization, the certificate may be used for authentication to the VPN or private resources.", "data_source": ["Sysmon Event ID 1"], "search": "`certificateservices_lifecycle` EventCode=1007 | xmlkv UserData_Xml | stats count min(_time) as firstTime max(_time) as lastTime by Computer, SubjectName, UserData_Xml | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_export_certificate_filter`", "how_to_implement": "To implement this analytic, you must collect Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational or Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational.", "known_false_positives": "False positives may be generated based on an automated process or service that exports certificates on the regular. Review is required before setting to alert. Monitor for abnormal processes performing an export.", "references": ["https://atomicredteam.io/defense-evasion/T1553.004/#atomic-test-4---install-root-ca-on-windows"], "tags": {"name": "Windows Export Certificate", "analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "An certificate was exported on $dest$ from the Windows Certificate Store.", "mitre_attack_id": ["T1552.004", "T1552", "T1649"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "SubjectName", "UserData_Xml"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1552.004", "mitre_attack_technique": "Private Keys", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/certificateservices-lifecycle.log", "source": "XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational", "sourcetype": "XmlWinEventLog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "certificateservices_lifecycle", "definition": "(source=XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational OR source=XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_export_certificate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_export_certificate.yml", "source": "endpoint"}, {"name": "Windows File Share Discovery With Powerview", "id": "a44c0be1-d7ab-41e4-92fd-aa9af4fe232c", "version": 1, "date": "2023-03-20", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of the Invoke-ShareFinder PowerShell commandlet part of PowerView. This module obtains the list of all active domain computers and lists the active shares on each computer. Network file shares in Active Directory environments may contain sensitive information like backups, scripts, credentials, etc. Adversaries who have obtained a foothold in an AD network may leverage PowerView to identify secrets and leverage them for Privilege Escalation or Lateral Movement.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (ScriptBlockText=Invoke-ShareFinder*) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_file_share_discovery_with_powerview_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.=", "known_false_positives": "Security teams may leverage PowerView proactively to identify and remediate sensitive file shares. Filter as needed.", "references": ["https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1", "https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/", "https://attack.mitre.org/techniques/T1135/"], "tags": {"name": "Windows File Share Discovery With Powerview", "analytic_story": ["Active Directory Privilege Escalation", "Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "Invoke-ShareFinder commandlet was executed on $Computer$", "mitre_attack_id": ["T1135"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ScriptBlockText", "Opcode", "Computer", "UserID"], "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/powerview_sharefinder/windows-powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_file_share_discovery_with_powerview_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_file_share_discovery_with_powerview.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows File Transfer Protocol In Non-Common Process Path", "id": "0f43758f-1fe9-470a-a9e4-780acc4d5407", "version": 1, "date": "2022-09-16", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a possible windows application having a FTP connection in a non common installation path in windows operating system.This network protocol is being used by adversaries, threat actors and malware like AgentTesla as a Command And Control communication to transfer its collected stolen information like the desktop screenshots, browser information and system information of a targeted or compromised host.", "data_source": ["Sysmon Event ID 3"], "search": "`sysmon` EventCode=3 NOT(Image IN(\"*\\\\program files*\", \"*\\\\windows\\\\system32\\\\*\",\"*\\\\windows\\\\SysWOW64\\\\*\")) (DestinationPortName=\"ftp\" OR DestinationPort=21) | stats count min(_time) as firstTime max(_time) as lastTime by Image DestinationPort DestinationPortName DestinationHostname DestinationIp SourcePort SourcePortName Protocol SourceHostname Computer user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_file_transfer_protocol_in_non_common_process_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and sysmon eventcode = 3 connection events from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "third party application may use this network protocol as part of its feature. Filter is needed.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla"], "tags": {"name": "Windows File Transfer Protocol In Non-Common Process Path", "analytic_story": ["AgentTesla"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Command And Control"], "message": "a process $Image$ is having a FTP connection to $DestinationHostname$ in $Computer$", "mitre_attack_id": ["T1071.003", "T1071"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "DestinationPort", "DestinationPortName", "DestinationHostname", "SourceHostname", "SourcePort", "SourcePortName", "Protocol", "DestinationIp", "Computer", "user"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1071.003", "mitre_attack_technique": "Mail Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT28", "APT32", "Kimsuky", "SilverTerrier", "Turla"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Dragonfly", "Magic Hound", "Rocke", "TeamTNT"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/agent_tesla/agent_tesla_ftp/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_file_transfer_protocol_in_non_common_process_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml", "source": "endpoint"}, {"name": "Windows File Without Extension In Critical Folder", "id": "0dbcac64-963c-11ec-bf04-acde48001122", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to look for suspicious file creation in the critical folder like \"System32\\Drivers\" folder without file extension. This artifacts was seen in latest hermeticwiper where it drops its driver component in Driver Directory both the compressed(without file extension) and the actual driver component (with .sys file extension). This TTP is really a good indication that a host might be compromised by this destructive malware that wipes the boot sector of the system.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\System32\\\\drivers\\\\*\", \"*\\\\syswow64\\\\drivers\\\\*\") by _time span=5m Filesystem.dest Filesystem.user Filesystem.file_name Filesystem.file_path Filesystem.process_guid Filesystem.file_create_time | `drop_dm_object_name(Filesystem)` | rex field=\"file_name\" \"\\.(?[^\\.]*$)\" | where isnull(extension) | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by _time span=5m Processes.process_name Processes.dest Processes.process_guid Processes.user | `drop_dm_object_name(Processes)`] | stats count min(_time) as firstTime max(_time) as lastTime by dest process_name process_guid file_name file_path file_create_time user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_file_without_extension_in_critical_folder_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "Unknown at this point", "references": ["https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html"], "tags": {"name": "Windows File Without Extension In Critical Folder", "analytic_story": ["Data Destruction", "Hermetic Wiper"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "message": "Driver file with out file extension drop in $file_path$ in $dest$", "mitre_attack_id": ["T1485"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.file_create_time", "Filesystem.process_id", "Filesystem.file_name", "Filesystem.user", "Filesystem.file_path", "Filesystem.dest", "Processes.process_name", "Processes.dest", "Processes.process_guid", "Processes.user"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/hermetic_wiper/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_file_without_extension_in_critical_folder_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_file_without_extension_in_critical_folder.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Files and Dirs Access Rights Modification Via Icacls", "id": "c76b796c-27e1-4520-91c4-4a58695c749e", "version": 1, "date": "2023-06-06", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic aims to identify potential adversaries who manipulate the security permissions of specific files or directories. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. By modifying the security permissions, adversaries seek to evade detection and impede access to their component files. Such actions indicate a deliberate effort to maintain control over compromised systems and hinder investigation or remediation efforts. Detecting these security permission changes can serve as a valuable indicator of an ongoing attack and enable timely response to mitigate the impact of the adversary's activities.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( \"icacls.exe\", \"cacls.exe\",\"xcacls.exe\") AND Processes.process IN (\"*:R*\", \"*:W*\", \"*:F*\", \"*:C*\",, \"*:N*\",\"*/P*\", \"*/E*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_files_and_dirs_access_rights_modification_via_icacls_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed icacls.exe may be used.", "known_false_positives": "Unknown. It is possible some administrative scripts use ICacls. Filter as needed.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey"], "tags": {"name": "Windows Files and Dirs Access Rights Modification Via Icacls", "analytic_story": ["Amadey"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Process name $process_name$ with access right modification argument executed by $user$ to change security permission of a specific file or directory on host $dest$", "mitre_attack_id": ["T1222.001", "T1222"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_guid", "Processes.dest", "Processes.user", "Processes.process_id", "Processes.process"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "atomic_guid": ["3309f53e-b22b-4eb6-8fd2-a6cf58b355a9"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1222.001", "mitre_attack_technique": "Windows File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/amadey/access_permission/amadey_sysmon2.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_files_and_dirs_access_rights_modification_via_icacls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Findstr GPP Discovery", "id": "1631ac2d-f2a9-42fa-8a59-d6e210d472f5", "version": 1, "date": "2023-03-16", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of the findstr command employed to search for unsecured credentials Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts. These group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public). While Microsoft released a patch that impedes Administrators to create unsecure credentials, existing Group Policy Preferences files with passwords are not removed from SYSVOL.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=findstr.exe AND Processes.process=*sysvol* AND Processes.process=*cpassword*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_findstr_gpp_discovery_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators may leverage findstr to find passwords in GPO to validate exposure. Filter as needed.", "references": ["https://attack.mitre.org/techniques/T1552/006/", "https://pentestlab.blog/2017/03/20/group-policy-preferences/", "https://adsecurity.org/?p=2288", "https://www.hackingarticles.in/credential-dumping-group-policy-preferences-gpp/", "https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30"], "tags": {"name": "Windows Findstr GPP Discovery", "analytic_story": ["Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Findstr was executed to discover GPP credentials on $dest$", "mitre_attack_id": ["T1552", "T1552.006"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.user", "Processes.dest", "Processes.process_name", "Processes.process", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process_id", "Processes.parent_process_id", "Processes.original_file_name"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1552.006", "mitre_attack_technique": "Group Policy Preferences", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.006/findstr_gpp_discovery/windows-security.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_findstr_gpp_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_findstr_gpp_discovery.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Gather Victim Host Information Camera", "id": "e4df4676-ea41-4397-b160-3ee0140dc332", "version": 1, "date": "2022-07-28", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic detects a powershell script that enumerate camera mounted to the targeted host. This technique was seen in DCRat malware, where it runs a powershell command to look for camera information that will be pass on to its C2 server. This anomaly detection can be a good pivot to check who and why this enumeration is needed and what parent process execute this powershell script command.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText= \"* Win32_PnPEntity *\" ScriptBlockText= \"*SELECT*\" ScriptBlockText= \"*WHERE*\" ScriptBlockText = \"*PNPClass*\" ScriptBlockText IN (\"*Image*\", \"*Camera*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_gather_victim_host_information_camera_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Administrators may execute this powershell command to get hardware information related to camera.", "references": ["https://cert.gov.ua/article/405538", "https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat", "https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor"], "tags": {"name": "Windows Gather Victim Host Information Camera", "analytic_story": ["DarkCrystal RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Reconnaissance"], "message": "powershell script $ScriptBlockText$ to enumerate camera in $Computer$", "mitre_attack_id": ["T1592.001", "T1592"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Computer", "EventCode"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1592.001", "mitre_attack_technique": "Hardware", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_enum_camera/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_gather_victim_host_information_camera_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_gather_victim_host_information_camera.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Gather Victim Identity SAM Info", "id": "a18e85d7-8b98-4399-820c-d46a1ca3516f", "version": 1, "date": "2022-08-24", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies a process that loads the samlib.dll module. This module is being abused by adversaries, threat actors and red teamers to access information of SAM objects or access credentials information in DC. This hunting query can be a good indicator that a process is capable of accessing the SAM object.", "data_source": ["Sysmon Event ID 7"], "search": "`sysmon` EventCode=7 (ImageLoaded = \"*\\\\samlib.dll\" AND OriginalFileName = \"samlib.dll\") OR (ImageLoaded = \"*\\\\samcli.dll\" AND OriginalFileName = \"SAMCLI.DLL\") AND NOT (Image IN(\"C:\\\\Windows\\\\*\", \"C:\\\\Program File*\", \"%systemroot%\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name Computer EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_gather_victim_identity_sam_info_filter`", "how_to_implement": "The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products.", "known_false_positives": "this module can be loaded by a third party application. Filter is needed.", "references": ["https://redcanary.com/blog/active-breach-evading-defenses/", "https://strontic.github.io/xcyclopedia/library/samlib.dll-0BDF6351009F6EBA5BA7E886F23263B1.html"], "tags": {"name": "Windows Gather Victim Identity SAM Info", "analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Reconnaissance"], "message": "An instance of $Computer$ that loads $ImageLoaded$ that are related to accessing to SAM object information.", "mitre_attack_id": ["T1589.001", "T1589"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "ImageLoaded", "Computer", "EventCode", "Signed", "ProcessId"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1589.001", "mitre_attack_technique": "Credentials", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["APT28", "Chimera", "LAPSUS$", "Leviathan", "Magic Hound"]}, {"mitre_attack_id": "T1589", "mitre_attack_technique": "Gather Victim Identity Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["APT32", "HEXANE", "LAPSUS$", "Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/loading_samlib/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_gather_victim_identity_sam_info_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_gather_victim_identity_sam_info.yml", "source": "endpoint"}, {"name": "Windows Gather Victim Network Info Through Ip Check Web Services", "id": "70f7c952-0758-46d6-9148-d8969c4481d1", "version": 1, "date": "2022-06-21", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies process that attempts to connect to a known IP web services. This technique is commonly used by trickbot and other malware to perform reconnaissance against the infected machine and look for its IP address.", "data_source": ["Sysmon Event ID 22"], "search": "`sysmon` EventCode=22 QueryName IN (\"*wtfismyip.com\", \"*checkip.amazonaws.com\", \"*ipecho.net\", \"*ipinfo.io\", \"*api.ipify.org\", \"*icanhazip.com\", \"*ip.anysrc.com\",\"*api.ip.sb\", \"ident.me\", \"www.myexternalip.com\", \"*zen.spamhaus.org\", \"*cbl.abuseat.org\", \"*b.barracudacentral.org\", \"*dnsbl-1.uceprotect.net\", \"*spam.dnsbl.sorbs.net\", \"*iplogger.org*\", \"*ip-api.com*\") | stats min(_time) as firstTime max(_time) as lastTime count by Image ProcessId QueryName QueryStatus QueryResults Computer EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_gather_victim_network_info_through_ip_check_web_services_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, dns query name process path , and query ststus from your endpoints like EventCode 22. If you are using Sysmon, you must have at least version 12 of the Sysmon TA.", "known_false_positives": "Filter internet browser application to minimize the false positive of this detection.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"name": "Windows Gather Victim Network Info Through Ip Check Web Services", "analytic_story": ["Azorult", "DarkCrystal RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Reconnaissance"], "message": "process connecting IP location web services on $Computer$", "mitre_attack_id": ["T1590.005", "T1590"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "ProcessId", "QueryName", "QueryStatus", "QueryResults", "Computer", "EventCode"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1590.005", "mitre_attack_technique": "IP Addresses", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["Andariel", "HAFNIUM", "Magic Hound"]}, {"mitre_attack_id": "T1590", "mitre_attack_technique": "Gather Victim Network Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["HAFNIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_gather_victim_network_info_through_ip_check_web_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_gather_victim_network_info_through_ip_check_web_services.yml", "source": "endpoint"}, {"name": "Windows Get-AdComputer Unconstrained Delegation Discovery", "id": "c8640777-469f-4638-ab44-c34a3233ffac", "version": 1, "date": "2022-03-28", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the Get-ADComputer commandlet used with specific parameters to discover Windows endpoints with Kerberos Unconstrained Delegation. Red Teams and adversaries alike may leverage use this technique for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": " `powershell` EventCode=4104 (Message = \"*Get-ADComputer*\" AND Message = \"*TrustedForDelegation*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_get_adcomputer_unconstrained_delegation_discovery_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may leverage PowerView for system management or troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://adsecurity.org/?p=1667", "https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unconstrained-kerberos", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation", "https://www.cyberark.com/resources/threat-research-blog/weakness-within-kerberos-delegation"], "tags": {"name": "Windows Get-AdComputer Unconstrained Delegation Discovery", "analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Suspicious PowerShell Get-ADComputer was identified on endpoint $ComputerName$", "mitre_attack_id": ["T1018"], "nist": ["DE.CM"], "observable": [{"name": "ComputerName", "type": "Hostname", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Message", "ComputerName", "User"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/unconstrained2/windows-powershell.log", "source": "WinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_get_adcomputer_unconstrained_delegation_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_get_adcomputer_unconstrained_delegation_discovery.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Group Policy Object Created", "id": "23add2a8-ea22-4fd4-8bc0-8c0b822373a1", "version": 1, "date": "2023-03-27", "author": "Mauricio Velazco", "type": "TTP", "status": "production", "description": "The following analytic leverages Event IDs 5136 and 51137 to identify the creation of a new Group Policy Object. With GPOs, system administrators can manage and configure applications, software operations, and user settings throughout an entire organization. GPOs can be abused and leveraged by adversaries to escalate privileges or deploy malware across an Active Directory network. As an example, the Lockbit ransomware malware will create new group policies on the domain controller that are then pushed out to every device on the network. Security teams should monitor the creation of new Group Policy Objects.", "data_source": [], "search": " `wineventlog_security` EventCode=5137 OR (EventCode=5136 AttributeValue!=\"New Group Policy Object\" AND (AttributeLDAPDisplayName=displayName OR AttributeLDAPDisplayName=gPCFileSysPath) ) ObjectClass=groupPolicyContainer | stats values(AttributeValue) as details values(SubjectUserSid) as User values(ObjectDN) as ObjectDN by ObjectGUID Computer | eval GPO_Name = mvindex(details, 0) | eval GPO_Path = mvindex(details, 1) | fields - details | `windows_group_policy_object_created_filter`", "how_to_implement": "To successfully implement this search, the Advanced Security Audit policy setting `Audit Directory Service Changes` within `DS Access` needs to be enabled. Furthermore, the appropriate system access control lists (SACL) need to be created as the used events are not logged by default. A good guide to accomplish this can be found here https://jgspiers.com/audit-group-policy-changes/.", "known_false_positives": "Group Policy Objects are created as part of regular administrative operations, filter as needed.", "references": ["https://attack.mitre.org/techniques/T1484/", "https://attack.mitre.org/techniques/T1484/001", "https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/", "https://adsecurity.org/?p=2716", "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/", "https://www.varonis.com/blog/group-policy-objects"], "tags": {"name": "Windows Group Policy Object Created", "analytic_story": ["Active Directory Privilege Escalation", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "A new group policy objected was created by $User$", "mitre_attack_id": ["T1484", "T1484.001", "T1078.002"], "nist": ["DE.CM"], "observable": [{"name": "User", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "AttributeValue", "AttributeLDAPDisplayName", "ObjectClass", "SubjectUserSid", "ObjectDN", "ObjectGUID", "Computer"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1484.001", "mitre_attack_technique": "Group Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "Chimera", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_created/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_group_policy_object_created_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_group_policy_object_created.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Hidden Schedule Task Settings", "id": "0b730470-5fe8-4b13-93a7-fe0ad014d0cc", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic detects creation of hidden scheculed tasks such that it this task is not visible on the UI. Such behavior is indicative of certain malware, such as Industroyer2, or attacks leveraging living-off-the-land binaries (LOLBINs) to download additional payloads to a compromised machine. This analytic relies on the Windows Security EventCode 4698, indicating the creation of a scheduled task. The search focuses on identifying instances where the 'Hidden' setting is enabled, signaling potential nefarious activity. To implement this search, you need to ingest logs with task scheduling details from your endpoints. As false positives are currently unknown, it is advised to tune and filter based on the known use of task scheduling in your environment. This analytic provides crucial visibility into stealthy, potentially harmful scheduled tasks on Windows systems.", "data_source": ["Windows Security 4698"], "search": "`wineventlog_security` EventCode=4698 | xmlkv Message | search Hidden = true | stats count min(_time) as firstTime max(_time) as lastTime by Task_Name, Command, Author, Hidden, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_hidden_schedule_task_settings_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the task schedule (Exa. Security Log EventCode 4698) endpoints. Tune and filter known instances of Task schedule used in your environment.", "known_false_positives": "unknown", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://cert.gov.ua/article/39518"], "tags": {"name": "Windows Hidden Schedule Task Settings", "analytic_story": ["CISA AA22-257A", "Active Directory Discovery", "Industroyer2", "Data Destruction", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A schedule task with hidden setting enable in host $dest$", "mitre_attack_id": ["T1053"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "Task_Name", "Command", "Author", "Enabled", "Hidden", "Arguments"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053/hidden_schedule_task/security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_hidden_schedule_task_settings_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_hidden_schedule_task_settings.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Hide Notification Features Through Registry", "id": "cafa4bce-9f06-11ec-a7b2-acde48001122", "version": 3, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to detect a suspicious registry modification to hide common windows notification feature from compromised host. This technique was seen in some ransomware family to add more impact to its payload that are visually seen by user aside from the encrypted files and ransomware notes. Even this a good anomaly detection, administrator may implement this changes for auditing or security reason. In this scenario filter is needed.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\*\" Registry.registry_value_name IN (\"HideClock\", \"HideSCAHealth\", \"HideSCANetwork\", \"HideSCAPower\", \"HideSCAVolume\") Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_hide_notification_features_through_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "references": ["https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Ransom.Win32.ONALOCKER.A/"], "tags": {"name": "Windows Hide Notification Features Through Registry", "analytic_story": ["Ransomware", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Registry modification to hide windows notification on $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_hide_notification_features_through_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_hide_notification_features_through_registry.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows High File Deletion Frequency", "id": "45b125c4-866f-11eb-a95a-acde48001122", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This search looks for high frequency of file deletion relative to process name and process id. These events usually happen when the ransomware tries to encrypt the files with the ransomware file extensions and sysmon treat the original files to be deleted as soon it was replace as encrypted data.", "data_source": ["Sysmon Event ID 23"], "search": "`sysmon` EventCode=23 TargetFilename IN (\"*.cmd\", \"*.ini\",\"*.gif\", \"*.jpg\", \"*.jpeg\", \"*.db\", \"*.ps1\", \"*.doc*\", \"*.xls*\", \"*.ppt*\", \"*.bmp\",\"*.zip\", \"*.rar\", \"*.7z\", \"*.chm\", \"*.png\", \"*.log\", \"*.vbs\", \"*.js\", \"*.vhd\", \"*.bak\", \"*.wbcat\", \"*.bkf\" , \"*.backup*\", \"*.dsk\", \"*.win\") | stats values(TargetFilename) as deleted_files min(_time) as firstTime max(_time) as lastTime count by Computer user EventCode Image ProcessID |where count >=100 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_high_file_deletion_frequency_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the deleted target file name, process name and process id from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "user may delete bunch of pictures or files in a folder.", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"name": "Windows High File Deletion Frequency", "analytic_story": ["Clop Ransomware", "DarkCrystal RAT", "Swift Slicer", "Data Destruction", "WhisperGate", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "message": "High frequency file deletion activity detected on host $Computer$", "mitre_attack_id": ["T1485"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Endpoint", "role": ["Victim"]}, {"name": "deleted_files", "type": "File Name", "role": ["Target"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["EventCode", "TargetFilename", "Computer", "user", "Image", "ProcessID", "_time"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_high_file_deletion_frequency_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_high_file_deletion_frequency.yml", "source": "endpoint"}, {"name": "Windows Hijack Execution Flow Version Dll Side Load", "id": "8351340b-ac0e-41ec-8b07-dd01bf32d6ea", "version": 1, "date": "2022-08-24", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to detect a process loading version.dll that is not in %windir%\\\\system32 or %windir%\\\\syswow64 dir path. This event is seen in ransomware and APT malware that executes malicious version.dll placed in the same folder of onedrive application that will execute that module. This technique is known to be DLL side loading. This technique was used to execute an agent of Brute Ratel C4 red teaming tools to serve as remote admin tool to collect and compromise target host.", "data_source": ["Sysmon Event ID 7"], "search": "`sysmon` EventCode=7 ImageLoaded = \"*\\\\version.dll\" AND (Signed = \"false\" OR NOT(ImageLoaded IN(\"*\\\\windows\\\\system32*\", \"*\\\\windows\\\\syswow64\\\\*\"))) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name Computer EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_hijack_execution_flow_version_dll_side_load_filter`", "how_to_implement": "The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products.", "known_false_positives": "unknown", "references": ["https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/"], "tags": {"name": "Windows Hijack Execution Flow Version Dll Side Load", "analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "message": "a process $Image$ loading $ImageLoaded$ as a side load dll in $Computer$", "mitre_attack_id": ["T1574.001", "T1574"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "ImageLoaded", "process_name", "Computer", "EventCode", "Signed", "ProcessId"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.001", "mitre_attack_technique": "DLL Search Order Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Aquatic Panda", "BackdoorDiplomacy", "Evilnum", "RTM", "Threat Group-3390", "Tonto Team", "Whitefly", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_hijack_execution_flow_version_dll_side_load_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml", "source": "endpoint"}, {"name": "Windows Hunting System Account Targeting Lsass", "id": "1c6abb08-73d1-11ec-9ca0-acde48001122", "version": 1, "date": "2022-01-12", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following hunting analytic identifies all processes requesting access into Lsass.exe. his behavior may be related to credential dumping or applications requiring access to credentials. Triaging this event will require understanding the GrantedAccess from the SourceImage. In addition, whether the account is privileged or not. Review the process requesting permissions and review parallel processes.", "data_source": ["Sysmon Event ID 1"], "search": "`sysmon` EventCode=10 TargetImage=*lsass.exe | stats count min(_time) as firstTime max(_time) as lastTime by Computer, TargetImage, GrantedAccess, SourceImage, SourceProcessId, SourceUser, TargetUser | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_hunting_system_account_targeting_lsass_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Enabling EventCode 10 TargetProcess lsass.exe is required.", "known_false_positives": "False positives will occur based on GrantedAccess and SourceUser, filter based on source image as needed. Utilize this hunting analytic to tune out false positives in TTP or anomaly analytics.", "references": ["https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service", "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1", "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights?redirectedfrom=MSDN"], "tags": {"name": "Windows Hunting System Account Targeting Lsass", "analytic_story": ["Credential Dumping"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "A process, $SourceImage$, has requested access to LSASS on $dest$. Review for further details.", "mitre_attack_id": ["T1003.001", "T1003"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Computer", "TargetImage", "GrantedAccess", "SourceImage", "SourceProcessId", "SourceUser", "TargetUser"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon_creddump.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_hunting_system_account_targeting_lsass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_hunting_system_account_targeting_lsass.yml", "source": "endpoint"}, {"name": "Windows Identify Protocol Handlers", "id": "bd5c311e-a6ea-48ae-a289-19a3398e3648", "version": 2, "date": "2022-09-13", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following hunting analytic will identify any protocol handlers utilized on the command-line. A protocol handler is an application that knows how to handle particular types of links: for example, a mail client is a protocol handler for \"mailto:\" links. When the user clicks a \"mailto:\" link, the browser opens the application selected as the handler for the \"mailto:\" protocol (or offers them a choice of handlers, depending on their settings). To identify protocol handlers we can use NirSoft https://www.nirsoft.net/utils/url_protocol_view.html URLProtocolView or query the registry using PowerShell.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.process_name Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup windows_protocol_handlers handler AS process OUTPUT handler ishandler | where ishandler=\"TRUE\" | `windows_identify_protocol_handlers_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives will be found. https and http is a URL Protocol handler that will trigger this analytic. Tune based on process or command-line.", "references": ["https://gist.github.com/MHaggis/a0d3edb57d36e0916c94c0a464b2722e", "https://www.oreilly.com/library/view/learning-java/1565927184/apas02.html", "https://blogs.windows.com/msedgedev/2022/01/20/getting-started-url-protocol-handlers-microsoft-edge/", "https://github.com/Mr-Un1k0d3r/PoisonHandler", "https://www.mdsec.co.uk/2021/03/phishing-users-to-take-a-test/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md#atomic-test-5---protocolhandlerexe-downloaded-a-suspicious-file", "https://techcommunity.microsoft.com/t5/windows-it-pro-blog/disabling-the-msix-ms-appinstaller-protocol-handler/ba-p/3119479", "https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug", "https://parsiya.net/blog/2021-03-17-attack-surface-analysis-part-2-custom-protocol-handlers/"], "tags": {"name": "Windows Identify Protocol Handlers", "analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 20, "impact": 30, "kill_chain_phases": ["Installation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ utilizing a protocol handler.", "mitre_attack_id": ["T1059"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 6, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/protocol_handlers/protocolhandlers.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_identify_protocol_handlers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "windows_protocol_handlers", "description": "A list of Windows Protocol Handlers", "filename": "windows_protocol_handlers.csv", "default_match": "false", "match_type": "WILDCARD(handler)", "min_matches": 1, "case_sensitive_match": "false"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_identify_protocol_handlers.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows IIS Components Add New Module", "id": "38fe731c-1f13-43d4-b878-a5bbe44807e3", "version": 1, "date": "2022-12-19", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies the process AppCmd.exe installing a new module into IIS. AppCmd is a utility to manage IIS web sites and App Pools. An adversary may run this command to install a webshell or backdoor. This has been found to be used for credit card scraping, persistence, and further post-exploitation. An administrator may run this to install new modules for a web site or during IIS updates.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where NOT (Processes.parent_process_name IN (\"msiexec.exe\", \"iissetup.exe\")) Processes.process_name=appcmd.exe Processes.process IN (\"*install *\", \"*module *\") AND Processes.process=\"*image*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iis_components_add_new_module_filter`", "how_to_implement": "Tune the analytic for your environment by filtering by known good modules or processes. Enable as TTP once the volume is low enough. To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present until properly tuned. Filter as needed.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union", "https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1505.004", "https://strontic.github.io/xcyclopedia/library/appcmd.exe-055B2B09409F980BF9B5A3969D01E5B2.html"], "tags": {"name": "Windows IIS Components Add New Module", "analytic_story": ["IIS Components"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to install a new IIS module.", "mitre_attack_id": ["T1505", "T1505.004"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/appcmd_install-windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_iis_components_add_new_module_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_iis_components_add_new_module.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows IIS Components Get-WebGlobalModule Module Query", "id": "20db5f70-34b4-4e83-8926-fa26119de173", "version": 1, "date": "2022-12-20", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic requires the use of PowerShell inputs to run Get-WebGlobalModule to list out all the IIS Modules installed. The output is a list of Module names and the Image path of the DLL.", "data_source": [], "search": "`iis_get_webglobalmodule` | stats count min(_time) as firstTime max(_time) as lastTime by host name image | rename host as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iis_components_get_webglobalmodule_module_query_filter`", "how_to_implement": "You must ingest the PwSh cmdlet Get-WebGlobalModule in order to utilize this analytic. Follow https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040", "known_false_positives": "This analytic is meant to assist with hunting modules across a fleet of IIS servers. Filter and modify as needed.", "references": ["https://docs.splunk.com/Documentation/Splunk/9.0.2/Data/MonitorWindowsdatawithPowerShellscripts", "https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040", "https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1505.004"], "tags": {"name": "Windows IIS Components Get-WebGlobalModule Module Query", "analytic_story": ["IIS Components"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 10, "impact": 10, "kill_chain_phases": ["Installation"], "message": "IIS Modules have been listed on $dest$.", "mitre_attack_id": ["T1505.004", "T1505"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "host", "name", "image"], "risk_score": 1, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/pwsh_installediismodules.log", "source": "powershell://AppCmdModules", "sourcetype": "Pwsh:InstalledIISModules", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "iis_get_webglobalmodule", "definition": "sourcetype=\"Pwsh:InstalledIISModules\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_iis_components_get_webglobalmodule_module_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_iis_components_get_webglobalmodule_module_query.yml", "source": "endpoint"}, {"name": "Windows IIS Components Module Failed to Load", "id": "40c2ba5b-dd6a-496b-9e6e-c9524d0be167", "version": 1, "date": "2022-12-20", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic utilizes EventCode 2282 which generates when a Module DLL could not be loaded due to a configuration problem. This typically occurs when a IIS module is installed but is failing to load. This typically results in thousands of events until the issue is resolved. Review the module that is failing and determine if it is legitimate or not.", "data_source": ["Sysmon Event ID 22"], "search": "`wineventlog_application` EventCode=2282 | stats count min(_time) as firstTime max(_time) as lastTime by EventCode dest Name ModuleDll | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iis_components_module_failed_to_load_filter`", "how_to_implement": "IIS must be installed and Application event logs must be collected in order to utilize this analytic.", "known_false_positives": "False positives will be present until all module failures are resolved or reviewed.", "references": ["https://social.technet.microsoft.com/wiki/contents/articles/21757.event-id-2282-iis-worker-process-availability.aspx", "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union", "https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1505.004", "https://strontic.github.io/xcyclopedia/library/appcmd.exe-055B2B09409F980BF9B5A3969D01E5B2.html"], "tags": {"name": "Windows IIS Components Module Failed to Load", "analytic_story": ["IIS Components"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "A new IIS Module has been loaded and should be reviewed on $dest$.", "mitre_attack_id": ["T1505", "T1505.004"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "OpCode", "EventCode", "ComputerName", "Message"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/2282_windows-application.log", "source": "XmlWinEventLog:Application", "sourcetype": "XmlWinEventLog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_application", "definition": "eventtype=wineventlog_application OR source=\"XmlWinEventLog:Application\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_iis_components_module_failed_to_load_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_iis_components_module_failed_to_load.yml", "source": "endpoint"}, {"name": "Windows IIS Components New Module Added", "id": "55f22929-cfd3-4388-ba5c-4d01fac7ee7e", "version": 1, "date": "2022-12-19", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic uses the Windows Event log - Microsoft-IIS-Configuration/Operational - which must be enabled and logged on Windows IIS servers before it can be Splunked. The following analytic identifies newly installed IIS modules. Per Microsoft, IIS modules are not commonly added to a production IIS server, so alerting on this event ID should be enabled.IIS modules can be installed at a global level or at a site level. In detecting malicious IIS modules, it is important to check both the global and site level for unauthorized modules. Regular monitoring of these locations for such modules and comparing against a known good list can help detect and identify malicious IIS modules.", "data_source": [], "search": "`iis_operational_logs` EventCode=29 | stats count min(_time) as firstTime max(_time) as lastTime by OpCode EventCode ComputerName Message | rename ComputerName AS dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iis_components_new_module_added_filter`", "how_to_implement": "You must enabled the IIS Configuration Operational log before ingesting in Splunk. Setup and inputs may be found here https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040.", "known_false_positives": "False positives may be present when updates or an administrator adds a new module to IIS. Monitor and filter as needed.", "references": ["https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040", "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union", "https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1505.004", "https://strontic.github.io/xcyclopedia/library/appcmd.exe-055B2B09409F980BF9B5A3969D01E5B2.html"], "tags": {"name": "Windows IIS Components New Module Added", "analytic_story": ["IIS Components"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Installation"], "message": "A new IIS Module has been loaded and should be reviewed on $dest$.", "mitre_attack_id": ["T1505", "T1505.004"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "OpCode", "EventCode", "ComputerName", "Message"], "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/IIS-Configuration-Operational.log", "source": "IIS:Configuration:Operational", "sourcetype": "IIS:Configuration:Operational", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "iis_operational_logs", "definition": "sourcetype=\"IIS:Configuration:Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_iis_components_new_module_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_iis_components_new_module_added.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Windows Impair Defense Add Xml Applocker Rules", "id": "467ed9d9-8035-470e-ad5e-ae5189283033", "version": 1, "date": "2022-06-24", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic is to identify a process that imports applocker xml policy using PowerShell commandlet. This technique was seen in Azorult malware where it drop an xml Applocker policy that will deny several AV products and further executed the PowerShell Applocker commandlet.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` AND Processes.process=\"*Import-Module Applocker*\" AND Processes.process=\"*Set-AppLockerPolicy *\" AND Processes.process=\"* -XMLPolicy *\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_add_xml_applocker_rules_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators may execute this command that may cause some false positive.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"name": "Windows Impair Defense Add Xml Applocker Rules", "analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Applocker importing xml policy command was executed in $dest$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "windows_impair_defense_add_xml_applocker_rules_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_impair_defense_add_xml_applocker_rules.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Impair Defense Delete Win Defender Context Menu", "id": "395ed5fe-ad13-4366-9405-a228427bdd91", "version": 1, "date": "2022-06-07", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The search looks for the deletion of Windows Defender context menu within the registry. This is consistent behavior with RAT malware across a fleet of endpoints. This particular behavior is executed when an adversary gains access to an endpoint and begins to perform execution. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\shellex\\\\ContextMenuHandlers\\\\EPP\" Registry.action = deleted by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_delete_win_defender_context_menu_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "references": ["https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/", "https://app.any.run/tasks/45f5d114-91ea-486c-ab01-41c4093d2861/"], "tags": {"name": "Windows Impair Defense Delete Win Defender Context Menu", "analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Windows Defender context menu registry key deleted on $dest$.", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_value_name", "Registry.dest", "Registry.user", "Registry.registry_path", "Registry.action"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_delete_win_defender_context_menu_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_impair_defense_delete_win_defender_context_menu.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Impair Defense Delete Win Defender Profile Registry", "id": "65d4b105-ec52-48ec-ac46-289d0fbf7d96", "version": 1, "date": "2022-06-07", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The search looks for the deletion of Windows Defender main profile within the registry. This was used by RAT malware across a fleet of endpoints. This particular behavior is typically executed when an adversary gains access to an endpoint and beings to perform execution. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\Policies\\\\Microsoft\\\\Windows Defender\" Registry.action = deleted by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_delete_win_defender_profile_registry_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "references": ["https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/", "https://app.any.run/tasks/45f5d114-91ea-486c-ab01-41c4093d2861/"], "tags": {"name": "Windows Impair Defense Delete Win Defender Profile Registry", "analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "Windows Defender Logger registry key set to 'disabled' on $dest$.", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_value_name", "Registry.dest", "Registry.user", "Registry.registry_path", "Registry.action"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_delete_win_defender_profile_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Impair Defense Deny Security Software With Applocker", "id": "e0b6ca60-9e29-4450-b51a-bba0abae2313", "version": 1, "date": "2022-06-24", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a modification in the Windows registry by the Applocker utility that contains details or registry data values related to denying the execution of several security products. This technique was seen in Azorult malware where it drops an xml Applocker policy that will deny several AV products and then loaded by using PowerShell Applocker commandlet.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Group Policy Objects\\\\*\" AND Registry.registry_path= \"*}Machine\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\SrpV2*\") OR Registry.registry_path=\"*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\SrpV2*\" AND Registry.registry_value_data = \"*Action\\=\\\"Deny\\\"*\" AND Registry.registry_value_data IN(\"*O=SYMANTEC*\",\"*O=MCAFEE*\",\"*O=KASPERSKY*\",\"*O=BLEEPING COMPUTER*\", \"*O=PANDA SECURITY*\",\"*O=SYSTWEAK SOFTWARE*\", \"*O=TREND MICRO*\", \"*O=AVAST*\", \"*O=GRIDINSOFT*\", \"*O=MICROSOFT*\", \"*O=NANO SECURITY*\", \"*O=SUPERANTISPYWARE.COM*\", \"*O=DOCTOR WEB*\", \"*O=MALWAREBYTES*\", \"*O=ESET*\", \"*O=AVIRA*\", \"*O=WEBROOT*\") by Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.registry_key_name Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_deny_security_software_with_applocker_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "False positives may be present based on organization use of Applocker. Filter as needed.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/", "https://www.microsoftpressstore.com/articles/article.aspx?p=2228450&seqNum=11"], "tags": {"name": "Windows Impair Defense Deny Security Software With Applocker", "analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "Applocker registry modification to deny the action of several AV products on $dest$.", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_impair_defense_deny_security_software_with_applocker_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Impair Defenses Disable HVCI", "id": "b061dfcc-f0aa-42cc-a6d4-a87f172acb79", "version": 1, "date": "2023-04-13", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic refers to a detection mechanism designed to identify when the Hypervisor-protected Code Integrity (HVCI) feature is disabled within the Windows registry. HVCI is a security feature in Windows 10 and Windows Server 2016 that helps protect the kernel and system processes from being tampered with by malicious code. HVCI relies on hardware-assisted virtualization and Microsoft's Hyper-V hypervisor to ensure that only kernel-mode code that has been signed by Microsoft or the system's hardware manufacturer can be executed. This prevents attackers from exploiting vulnerabilities to run unsigned code, like kernel-mode rootkits or other malicious software, at the kernel level. Disabling HVCI may expose the system to security risks and could be an indicator of a potential compromise or unauthorized activity. The analytic aims to detect and report events or configurations that lead to the disabling of HVCI.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\CurrentControlSet\\\\Control\\\\DeviceGuard\\\\Scenarios\\\\HypervisorEnforcedCodeIntegrity\\\\Enabled\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.user Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defenses_disable_hvci_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives will be limited to administrative scripts disabling HVCI. Filter as needed.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/"], "tags": {"name": "Windows Impair Defenses Disable HVCI", "analytic_story": ["BlackLotus Campaign", "Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "HVCI has been disabled on $dest$.", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Registry.registry_path", "Registry.registry_value_data", "Registry.registry_value_name", "Registry.process_guid", "Registry.action", "Registry.user", "Registry.dest"], "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "atomic_guid": ["70bd71e6-eba4-4e00-92f7-617911dbe020"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/atomic_red_team/hvci_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_impair_defenses_disable_hvci_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_impair_defenses_disable_hvci.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Impair Defenses Disable Win Defender Auto Logging", "id": "76406a0f-f5e0-4167-8e1f-337fdc0f1b0c", "version": 1, "date": "2022-06-07", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The search looks for the Registry Key DefenderApiLogger or DefenderAuditLogger set to disable. This is consistent with RAT malware across a fleet of endpoints. This particular behavior is typically executed when an adversary gains access to an endpoint and beings to perform execution. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where (Registry.registry_path = \"*WMI\\\\Autologger\\\\DefenderApiLogger\\\\Start\" OR Registry.registry_path = \"*WMI\\\\Autologger\\\\DefenderAuditLogger\\\\Start\") Registry.registry_value_data =\"0x00000000\" by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defenses_disable_win_defender_auto_logging_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.", "known_false_positives": "It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.", "references": ["https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/", "https://app.any.run/tasks/45f5d114-91ea-486c-ab01-41c4093d2861/"], "tags": {"name": "Windows Impair Defenses Disable Win Defender Auto Logging", "analytic_story": ["Windows Defense Evasion Tactics", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Windows Defender Logger registry key set to 'disabled' on $dest$.", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_value_name", "Registry.dest", "Registry.user", "Registry.registry_path", "Registry.action"], "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable_defender_logging/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_impair_defenses_disable_win_defender_auto_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Indirect Command Execution Via forfiles", "id": "1fdf31c9-ff4d-4c48-b799-0e8666e08787", "version": 1, "date": "2022-04-05", "author": "Eric McGinnis, Splunk", "type": "TTP", "status": "production", "description": "The following analytic detects programs that have been started by forfiles.exe. According to Microsoft, the 'The forfiles command lets you run a command on or pass arguments to multiple files'. While this tool can be used to start legitimate programs, usually within the context of a batch script, it has been observed being used to evade protections on command line execution.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process=\"*forfiles* /c *\" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_indirect_command_execution_via_forfiles_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the full process path in the process field of CIM's Process data model. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where forfiles.exe may be used.", "known_false_positives": "Some legacy applications may be run using pcalua.exe. Similarly, forfiles.exe may be used in legitimate batch scripts. Filter these results as needed.", "references": ["https://twitter.com/KyleHanslovan/status/912659279806640128", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/forfiles"], "tags": {"name": "Windows Indirect Command Execution Via forfiles", "analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "The Program Compatability Assistant (pcalua.exe) launched the process $process_name$", "mitre_attack_id": ["T1202"], "nist": ["DE.CM"], "observable": [{"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id", "Processes.process_path"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1202", "mitre_attack_technique": "Indirect Command Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1202/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_indirect_command_execution_via_forfiles_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_indirect_command_execution_via_forfiles.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Indirect Command Execution Via pcalua", "id": "3428ac18-a410-4823-816c-ce697d26f7a8", "version": 1, "date": "2022-04-05", "author": "Eric McGinnis, Splunk", "type": "TTP", "status": "production", "description": "The following analytic detects programs that have been started by pcalua.exe. pcalua.exe is the Microsoft Windows Program Compatability Assistant. While this tool can be used to start legitimate programs, it has been observed being used to evade protections on command line execution.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process=\"*pcalua* -a*\" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_indirect_command_execution_via_pcalua_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the full process path in the process field of CIM's Process data model. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where pcalua.exe may be used.", "known_false_positives": "Some legacy applications may be run using pcalua.exe. Filter these results as needed.", "references": ["https://twitter.com/KyleHanslovan/status/912659279806640128", "https://lolbas-project.github.io/lolbas/Binaries/Pcalua/"], "tags": {"name": "Windows Indirect Command Execution Via pcalua", "analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "The Program Compatability Assistant (pcalua.exe) launched the process $process_name$", "mitre_attack_id": ["T1202"], "nist": ["DE.CM"], "observable": [{"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id", "Processes.process_path"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1202", "mitre_attack_technique": "Indirect Command Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1202/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_indirect_command_execution_via_pcalua_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_indirect_command_execution_via_pcalua.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Indirect Command Execution Via Series Of Forfiles", "id": "bfdaabe7-3db8-48c5-80c1-220f9b8f22be", "version": 1, "date": "2022-11-30", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is developed to detect suspicious excessive usage of forfiles.exe process. This event was seen in post exploitation tool WINPEAS that was used by Ransomware Prestige. Forfiles command lets you run a command on or pass arguments to multiple files. This Windows OS built-in tool being abused to list all files in specific directory or drive.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_guid) as process_guid values(Processes.process_name) as process_name count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"forfiles.exe\" OR Processes.original_file_name = \"forfiles.exe\" by Processes.parent_process_name Processes.parent_process Processes.dest Processes.user _time span=1m | where count >=20 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_indirect_command_execution_via_series_of_forfiles_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "unknown", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/forfiles", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"name": "Windows Indirect Command Execution Via Series Of Forfiles", "analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "excessive forfiles process execution in $dest$", "mitre_attack_id": ["T1202"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1202", "mitre_attack_technique": "Indirect Command Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_indirect_command_execution_via_series_of_forfiles_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Information Discovery Fsutil", "id": "2181f261-93e6-4166-a5a9-47deac58feff", "version": 1, "date": "2022-11-30", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies a process execution of Windows OS built-in tool FSUTIL to discover file system information. This tool is being abused or used by several adversaries or threat actor to query/list all drives, drive type, volume information or volume statistics by using the FSINFO parameter of this tool. This technique was seen in WINPEAS post exploitation tool that is being used by ransomware prestige to gain privilege and persistence to the targeted host.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"fsutil.exe\" OR Processes.original_file_name = \"fsutil.exe\" AND Processes.process = \"*fsinfo*\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_information_discovery_fsutil_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used.", "known_false_positives": "unknown", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"name": "Windows Information Discovery Fsutil", "analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "process $process_name$ with commandline $process$ is executed in $dest$", "mitre_attack_id": ["T1082"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id", "Processes.parent_process_guid", "Processes.process_guid"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TeamTNT", "Tropic Trooper", "Turla", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_fsutil/fsutil-fsinfo-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_information_discovery_fsutil_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_information_discovery_fsutil.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Ingress Tool Transfer Using Explorer", "id": "76753bab-f116-4ea3-8fb9-89b638be58a9", "version": 2, "date": "2022-08-30", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies the Windows Explorer process with a URL within the command-line. Explorer.exe is known Windows process that handles start menu, taskbar, desktop and file manager. Many adversaries abuse this process, like DCRat malware, where it attempts to open the URL with the default browser application on the target host by putting the URL as a parameter on explorer.exe process. This anomaly detection might be a good pivot to check which user and how this process was executed, what is the parent process and what is the URL link. This technique is not commonly used to open an URL.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = explorer.exe OR Processes.original_file_name = explorer.exe) AND NOT (Processes.parent_process_name IN(\"userinit.exe\", \"svchost.exe\")) Processes.process IN (\"* http://*\", \"* https://*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_ingress_tool_transfer_using_explorer_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present based on legitimate applications or third party utilities. Filter out any additional parent process names.", "references": ["https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor"], "tags": {"name": "Windows Ingress Tool Transfer Using Explorer", "analytic_story": ["DarkCrystal RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command And Control"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a remote payload.", "mitre_attack_id": ["T1105"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_explorer_url/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_ingress_tool_transfer_using_explorer_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Input Capture Using Credential UI Dll", "id": "406c21d6-6c75-4e9f-9ca9-48049a1dd90e", "version": 1, "date": "2022-08-24", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies a process that loads the credui.dll module. This legitimate module is typically abused by adversaries, threat actors and red teamers to create a credential UI prompt dialog box to lure users for possible credential theft or can be used to dump the credentials of a targeted host. This hunting query is a good pivot to check why the process loaded this dll and if it is a legitimate file. This hunting query may hit false positive for a third party application that uses a credential login UI for user login.", "data_source": ["Sysmon Event ID 7"], "search": "`sysmon` EventCode=7 (ImageLoaded = \"*\\\\credui.dll\" AND OriginalFileName = \"credui.dll\") OR (ImageLoaded = \"*\\\\wincredui.dll\" AND OriginalFileName = \"wincredui.dll\") AND NOT(Image IN(\"*\\\\windows\\\\explorer.exe\", \"*\\\\windows\\\\system32\\\\*\", \"*\\\\windows\\\\sysWow64\\\\*\", \"*:\\\\program files*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded OriginalFileName Computer EventCode Signed ProcessId ProcessGuid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_input_capture_using_credential_ui_dll_filter`", "how_to_implement": "The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products.", "known_false_positives": "this module can be loaded by a third party application. Filter is needed.", "references": ["https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password"], "tags": {"name": "Windows Input Capture Using Credential UI Dll", "analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "a process $Image$ loaded $ImageLoaded$ in $Computer$", "mitre_attack_id": ["T1056.002", "T1056"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "ImageLoaded", "process_name", "Computer", "EventCode", "Signed", "ProcessId"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1056.002", "mitre_attack_technique": "GUI Input Capture", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["FIN4"]}, {"mitre_attack_id": "T1056", "mitre_attack_technique": "Input Capture", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["APT39"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_input_capture_using_credential_ui_dll_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_input_capture_using_credential_ui_dll.yml", "source": "endpoint"}, {"name": "Windows InstallUtil Credential Theft", "id": "ccfeddec-43ec-11ec-b494-acde48001122", "version": 3, "date": "2022-08-25", "author": "Michael Haag, Mauricio Velazo, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the Windows InstallUtil.exe binary loading `vaultcli.dll` and Samlib.dll`. This technique may be used to execute code to bypassing application control and capture credentials by utilizing a tool like MimiKatz. \\\nWhen `InstallUtil.exe` is used in a malicous manner, the path to an executable on the filesystem is typically specified. Take note of the parent process. In a suspicious instance, this will be spawned from a non-standard process like `Cmd.exe`, `PowerShell.exe` or `Explorer.exe`. \\\nIf used by a developer, typically this will be found with multiple command-line switches/arguments and spawn from Visual Studio. \\\nDuring triage review resulting network connections, file modifications, and parallel processes. Capture any artifacts and review further.", "data_source": ["Sysmon Event ID 7"], "search": "`sysmon` EventCode=7 parent_process_name=installutil.exe ImageLoaded IN (\"*\\\\samlib.dll\", \"*\\\\vaultcli.dll\") | stats count min(_time) as firstTime max(_time) as lastTime by Computer, parent_process_name, ImageLoaded, OriginalFileName, ProcessId | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_credential_theft_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and module loads from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Typically this will not trigger as by it's very nature InstallUtil does not need credentials. Filter as needed.", "references": ["https://gist.github.com/xorrior/bbac3919ca2aef8d924bdf3b16cce3d0"], "tags": {"name": "Windows InstallUtil Credential Theft", "analytic_story": ["Signed Binary Proxy Execution InstallUtil"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ loading samlib.dll and vaultcli.dll to potentially capture credentials in memory.", "mitre_attack_id": ["T1218.004", "T1218"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_installutil_credential_theft_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_installutil_credential_theft.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Windows InstallUtil in Non Standard Path", "id": "dcf74b22-7933-11ec-857c-acde48001122", "version": 1, "date": "2023-04-14", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the Windows binary InstallUtil.exe running from a non-standard location. The analytic utilizes a macro for InstallUtil and identifies both the process_name and original_file_name.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where `process_installutil` NOT (Processes.process_path IN (\"*\\\\Windows\\\\ADWS\\\\*\",\"*\\\\Windows\\\\SysWOW64*\", \"*\\\\Windows\\\\system32*\", \"*\\\\Windows\\\\NetworkController\\\\*\", \"*\\\\Windows\\\\SystemApps\\\\*\", \"*\\\\WinSxS\\\\*\", \"*\\\\Windows\\\\Microsoft.NET\\\\*\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.process_hash | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_in_non_standard_path_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present and filtering may be required. Certain utilities will run from non-standard paths based on the third-party application in use.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml", "https://attack.mitre.org/techniques/T1036/003/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"], "tags": {"name": "Windows InstallUtil in Non Standard Path", "analytic_story": ["Masquerading - Rename System Utilities", "Ransomware", "Unusual Processes", "Signed Binary Proxy Execution InstallUtil", "Living Off The Land", "Data Destruction", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ from a non-standard path was identified on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1036", "T1036.003", "T1218", "T1218.004"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon_installutil_path.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_installutil", "definition": "(Processes.process_name=installutil.exe OR Processes.original_file_name=InstallUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "windows_installutil_in_non_standard_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_installutil_in_non_standard_path.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows InstallUtil Remote Network Connection", "id": "4fbf9270-43da-11ec-9486-acde48001122", "version": 2, "date": "2022-03-16", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the Windows InstallUtil.exe binary making a remote network connection. This technique may be used to download and execute code while bypassing application control. \\\nWhen `InstallUtil.exe` is used in a malicous manner, the path to an executable on the filesystem is typically specified. Take note of the parent process. In a suspicious instance, this will be spawned from a non-standard process like `Cmd.exe`, `PowerShell.exe` or `Explorer.exe`. \\\nIf used by a developer, typically this will be found with multiple command-line switches/arguments and spawn from Visual Studio. \\\nDuring triage review resulting network connections, file modifications, and parallel processes. Capture any artifacts and review further.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_installutil` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time dest parent_process_name process_name process_path process process_id dest_port C2 | `windows_installutil_remote_network_connection_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Ports` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Limited false positives should be present as InstallUtil is not typically used to download remote files. Filter as needed based on Developers requirements.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"], "tags": {"name": "Windows InstallUtil Remote Network Connection", "analytic_story": ["Signed Binary Proxy Execution InstallUtil", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ generating a remote download.", "mitre_attack_id": ["T1218.004", "T1218"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id", "Ports.process_guid", "Ports.dest", "Ports.dest_port"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint", "Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_installutil", "definition": "(Processes.process_name=installutil.exe OR Processes.original_file_name=InstallUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "windows_installutil_remote_network_connection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_installutil_remote_network_connection.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows InstallUtil Uninstall Option", "id": "cfa7b9ac-43f0-11ec-9b48-acde48001122", "version": 1, "date": "2021-11-12", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the Windows InstallUtil.exe binary. This will execute code while bypassing application control using the `/u` (uninstall) switch. \\\nInstallUtil uses the functions install and uninstall within the System.Configuration.Install namespace to process .net assembly. Install function requires admin privileges, however, uninstall function can be run as an unprivileged user.\\\nWhen `InstallUtil.exe` is used in a malicous manner, the path to an executable on the filesystem is typically specified. Take note of the parent process. In a suspicious instance, this will be spawned from a non-standard process like `Cmd.exe`, `PowerShell.exe` or `Explorer.exe`. \\\nIf used by a developer, typically this will be found with multiple command-line switches/arguments and spawn from Visual Studio. \\\nDuring triage review resulting network connections, file modifications, and parallel processes. Capture any artifacts and review further.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_installutil` Processes.process IN (\"*/u*\", \"*uninstall*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_uninstall_option_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Limited false positives should be present. Filter as needed by parent process or application.", "references": ["https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12", "https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/md/Installutil.exe.md", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"], "tags": {"name": "Windows InstallUtil Uninstall Option", "analytic_story": ["Signed Binary Proxy Execution InstallUtil", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ performing an uninstall.", "mitre_attack_id": ["T1218.004", "T1218"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_installutil", "definition": "(Processes.process_name=installutil.exe OR Processes.original_file_name=InstallUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "windows_installutil_uninstall_option_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_installutil_uninstall_option.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows InstallUtil Uninstall Option with Network", "id": "1a52c836-43ef-11ec-a36c-acde48001122", "version": 2, "date": "2022-03-16", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the Windows InstallUtil.exe binary making a remote network connection. This technique may be used to download and execute code while bypassing application control using the `/u` (uninstall) switch. \\\nInstallUtil uses the functions install and uninstall within the System.Configuration.Install namespace to process .net assembly. Install function requires admin privileges, however, uninstall function can be run as an unprivileged user.\\\nWhen `InstallUtil.exe` is used in a malicous manner, the path to an executable on the filesystem is typically specified. Take note of the parent process. In a suspicious instance, this will be spawned from a non-standard process like `Cmd.exe`, `PowerShell.exe` or `Explorer.exe`. \\\nIf used by a developer, typically this will be found with multiple command-line switches/arguments and spawn from Visual Studio. \\\nDuring triage review resulting network connections, file modifications, and parallel processes. Capture any artifacts and review further.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_installutil` Processes.process IN (\"*/u*\", \"*uninstall*\") by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time dest parent_process_name process_name process_path process process_id dest_port C2 | `windows_installutil_uninstall_option_with_network_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Ports` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Limited false positives should be present as InstallUtil is not typically used to download remote files. Filter as needed based on Developers requirements.", "references": ["https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12", "https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/md/Installutil.exe.md", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"], "tags": {"name": "Windows InstallUtil Uninstall Option with Network", "analytic_story": ["Signed Binary Proxy Execution InstallUtil", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ performing an uninstall.", "mitre_attack_id": ["T1218.004", "T1218"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id", "Ports.process_guid", "Ports.dest", "Ports.dest_port"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint", "Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_installutil", "definition": "(Processes.process_name=installutil.exe OR Processes.original_file_name=InstallUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "windows_installutil_uninstall_option_with_network_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_installutil_uninstall_option_with_network.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows InstallUtil URL in Command Line", "id": "28e06670-43df-11ec-a569-acde48001122", "version": 1, "date": "2021-11-12", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the Windows InstallUtil.exe binary passing a HTTP request on the command-line. This technique may be used to download and execute code while bypassing application control. \\\nWhen `InstallUtil.exe` is used in a malicous manner, the path to an executable on the filesystem is typically specified. Take note of the parent process. In a suspicious instance, this will be spawned from a non-standard process like `Cmd.exe`, `PowerShell.exe` or `Explorer.exe`. \\\nIf used by a developer, typically this will be found with multiple command-line switches/arguments and spawn from Visual Studio. \\\nDuring triage review resulting network connections, file modifications, and parallel processes. Capture any artifacts and review further.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_installutil` Processes.process IN (\"*http://*\",\"*https://*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_url_in_command_line_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Limited false positives should be present as InstallUtil is not typically used to download remote files. Filter as needed based on Developers requirements.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md", "https://gist.github.com/DanielRTeixeira/0fd06ec8f041f34a32bf5623c6dd479d"], "tags": {"name": "Windows InstallUtil URL in Command Line", "analytic_story": ["Signed Binary Proxy Execution InstallUtil", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ passing a URL on the command-line.", "mitre_attack_id": ["T1218.004", "T1218"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_installutil", "definition": "(Processes.process_name=installutil.exe OR Processes.original_file_name=InstallUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "windows_installutil_url_in_command_line_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_installutil_url_in_command_line.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows ISO LNK File Creation", "id": "d7c2c09b-9569-4a9e-a8b6-6a39a99c1d32", "version": 2, "date": "2022-09-19", "author": "Michael Haag, Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies the use of a delivered ISO file that has been mounted and the afformention lnk or file opened within it. When the ISO file is opened, the files are saved in the %USER%\\AppData\\Local\\Temp\\\\ path. The analytic identifies .iso.lnk written to the path. The name of the ISO file is prepended.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\Microsoft\\\\Windows\\\\Recent\\\\*\") Filesystem.file_name IN (\"*.iso.lnk\", \"*.img.lnk\", \"*.vhd.lnk\", \"*vhdx.lnk\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_iso_lnk_file_creation_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be high depending on the environment and consistent use of ISOs mounting. Restrict to servers, or filter out based on commonly used ISO names. Filter as needed.", "references": ["https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://github.com/MHaggis/notes/blob/master/utilities/ISOBuilder.ps1", "https://isc.sans.edu/diary/Recent+AZORult+activity/25120", "https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html"], "tags": {"name": "Windows ISO LNK File Creation", "analytic_story": ["Spearphishing Attachments", "Brute Ratel C4", "AgentTesla", "Qakbot", "IcedID", "Azorult", "Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Delivery", "Installation"], "message": "An ISO file was mounted on $dest$ and should be reviewed and filtered as needed.", "mitre_attack_id": ["T1566.001", "T1566", "T1204.001", "T1204"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Filesystem.file_create_time", "Filesystem.process_id", "Filesystem.file_name", "Filesystem.file_path", "Filesystem.dest"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.001/atomic_red_team/iso_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_iso_lnk_file_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_iso_lnk_file_creation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Java Spawning Shells", "id": "28c81306-5c47-11ec-bfea-acde48001122", "version": 2, "date": "2023-01-23", "author": "Michael Haag, Splunk", "type": "TTP", "status": "experimental", "description": "The following analytic identifies the process name of java.exe and w3wp.exe spawning a Windows shell. This is potentially indicative of exploitation of the Java application and may be related to current event CVE-2021-44228 (Log4Shell). The shells included in the macro are \"cmd.exe\", \"powershell.exe\". Upon triage, review parallel processes and command-line arguments to determine legitimacy.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=java.exe OR Processes.parent_process_name=w3wp.exe `windows_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_java_spawning_shells_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. Restrict the analytic to publicly facing endpoints to reduce false positives. Add any additional identified web application process name to the query. Add any further Windows process names to the macro (ex. LOLBins) to further expand this query.", "known_false_positives": "Filtering may be required on internal developer build systems or classify assets as web facing and restrict the analytic based on that.", "references": ["https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading-using-the-log4j2-vulnerability-now/", "https://gist.github.com/olafhartong/916ebc673ba066537740164f7e7e1d72", "https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/", "https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py", "https://blog.viettelcybersecurity.com/saml-show-stopper/", "https://www.horizon3.ai/manageengine-cve-2022-47966-iocs/"], "tags": {"name": "Windows Java Spawning Shells", "analytic_story": ["Log4Shell CVE-2021-44228"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Delivery", "Installation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ spawning a Windows shell, potentially indicative of exploitation.", "mitre_attack_id": ["T1190", "T1133"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2021-44228", "CVE-2022-47966"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_shells", "definition": "(Processes.process_name=cmd.exe OR Processes.process_name=powershell.exe OR Processes.process_name=pwsh.exe OR Processes.process_name=sh.exe OR Processes.process_name=bash.exe OR Processes.process_name=wscript.exe OR Processes.process_name=cscript.exe)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_java_spawning_shells_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-44228", "cvss": 9.3, "summary": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects."}, {"id": "CVE-2022-47966", "cvss": null, "summary": "Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_java_spawning_shells.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Kerberos Local Successful Logon", "id": "8309c3a8-4d34-48ae-ad66-631658214653", "version": 1, "date": "2022-04-27", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a local successful authentication event on a Windows endpoint using the Kerberos package. The target user security identified will be set to the built-in local Administrator account, along with the remote address as localhost - 127.0.0.1. This may be indicative of a kerberos relay attack. Upon triage, review for recently ran binaries on disk. In addition, look for new computer accounts added to Active Directory and other anomolous AD events.", "data_source": ["Windows Security 4624"], "search": "`wineventlog_security` EventCode=4624 Logon_Type=3 Authentication_Package=Kerberos action=success src_ip=127.0.0.1 | stats count min(_time) as firstTime max(_time) as lastTime by dest, subject, action, Security_ID, user, Account_Name, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_kerberos_local_successful_logon_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4624 EventCode enabled. The Windows TA is also required.", "known_false_positives": "False positives are possible, filtering may be required to restrict to workstations vs domain controllers. Filter as needed.", "references": ["https://github.com/Dec0ne/KrbRelayUp"], "tags": {"name": "Windows Kerberos Local Successful Logon", "analytic_story": ["Active Directory Kerberos Attacks", "Local Privilege Escalation With KrbRelayUp"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "A successful localhost Kerberos authentication event occurred on $dest$, possibly indicative of Kerberos relay attack.", "mitre_attack_id": ["T1558"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "subject", "action", "Security_ID", "user", "Account_Name", "src_ip"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558/krbrelayup/krbrelayup.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog"}]}], "datamodel": ["Authentication"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_kerberos_local_successful_logon_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_kerberos_local_successful_logon.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows KrbRelayUp Service Creation", "id": "e40ef542-8241-4419-9af4-6324582ea60a", "version": 1, "date": "2022-05-02", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the default service name created by KrbRelayUp. Defenders should be aware that attackers could change the hardcoded service name of the KrbRelayUp tool and bypass this detection.", "data_source": ["Sysmon Event ID 7"], "search": "`wineventlog_system` EventCode=7045 Service_Name IN (\"KrbSCM\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Service_File_Name Service_Name Service_Start_Type Service_Type | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_krbrelayup_service_creation_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows System Event Logs with 7045 EventCode enabled. The Windows TA is also required.", "known_false_positives": "False positives should be limited as this is specific to KrbRelayUp based attack. Filter as needed.", "references": ["https://github.com/Dec0ne/KrbRelayUp"], "tags": {"name": "Windows KrbRelayUp Service Creation", "analytic_story": ["Local Privilege Escalation With KrbRelayUp"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A service was created on $dest$, related to KrbRelayUp.", "mitre_attack_id": ["T1543.003"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Service_File_Name", "Service_Name", "Service_Start_Type", "Service_Type"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/krbrelayup/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_krbrelayup_service_creation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_krbrelayup_service_creation.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Windows Large Number of Computer Service Tickets Requested", "id": "386ad394-c9a7-4b4f-b66f-586252de20f0", "version": 1, "date": "2023-03-20", "author": "Mauricio Velazco, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic leverages Event ID 4769, `A Kerberos service ticket was requested`, to identify more than 30 computer service ticket requests from one source. When a domain joined endpoint connects to other remote endpoint, it will first request a Kerberos Service Ticket with the computer name as the Service Name. A user requesting a large number of computer service tickets for different endpoints could represent malicious behavior like lateral movement, malware staging, reconnaissance, etc.\\\nActive Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold as needed.", "data_source": ["Windows Security 4769"], "search": " `wineventlog_security` EventCode=4769 ServiceName=\"*$\" TargetUserName!=\"*$\" | bucket span=5m _time | stats dc(ServiceName) AS unique_targets values(ServiceName) as host_targets by _time, IpAddress, TargetUserName | where unique_targets > 30 | `windows_large_number_of_computer_service_tickets_requested_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "An single endpoint requesting a large number of kerberos service tickets is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems.", "references": ["https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/", "https://attack.mitre.org/techniques/T1135/", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769"], "tags": {"name": "Windows Large Number of Computer Service Tickets Requested", "analytic_story": ["Active Directory Privilege Escalation", "Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "A large number of kerberos computer service tickets were requested by $IpAddress$ within 5 minutes.", "mitre_attack_id": ["T1135", "T1078"], "nist": ["DE.AE"], "observable": [{"name": "IpAddress", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ServiceName", "TargetUserName", "IpAddress"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/large_number_computer_service_tickets/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_large_number_of_computer_service_tickets_requested_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_large_number_of_computer_service_tickets_requested.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Lateral Tool Transfer RemCom", "id": "e373a840-5bdc-47ef-b2fd-9cc7aaf387f0", "version": 1, "date": "2023-03-20", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies the use of RemCom.exe - The open source psexec. This utility provides the ability to move laterally and run scripts or commands remotely.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=remcom.exe OR Processes.original_file_name=RemCom.exe) Processes.process=\"*\\\\*\" Processes.process IN (\"*/user:*\", \"*/pwd:*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_lateral_tool_transfer_remcom_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present based on Administrative use. Filter as needed.", "references": ["https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "https://github.com/kavika13/RemCom"], "tags": {"name": "Windows Lateral Tool Transfer RemCom", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to move laterally.", "mitre_attack_id": ["T1570"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1570", "mitre_attack_technique": "Lateral Tool Transfer", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT32", "Aoqin Dragon", "Chimera", "FIN10", "GALLIUM", "Magic Hound", "Sandworm Team", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1570/remcom/remcom_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_lateral_tool_transfer_remcom_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_lateral_tool_transfer_remcom.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Ldifde Directory Object Behavior", "id": "35cd29ca-f08c-4489-8815-f715c45460d3", "version": 1, "date": "2023-05-25", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of Ldifde.exe, which provides the ability to create, modify, or delete LDAP directory objects. Natively, the binary is only installed on a domain controller. However, adversaries or administrators may install the Windows Remote Server Admin Tools for ldifde.exe. Ldifde.exe is a Microsoft Windows command-line utility used to import or export LDAP directory entries. LDAP stands for Lightweight Directory Access Protocol, which is a protocol used for accessing and managing directory information services over an IP network. LDIF, on the other hand, stands for LDAP Data Interchange Format, a standard plain-text data interchange format for representing LDAP directory entries. -i This is a flag used with Ldifde.exe to denote import mode. In import mode, Ldifde.exe takes an LDIF file and imports its contents into the LDAP directory. The data in the LDIF file might include new objects to be created, or modifications or deletions to existing objects. -f This flag is used to specify the filename of the LDIF file that Ldifde.exe will import from (in the case of the -i flag) or export to (without the -i flag). For example, if you wanted to import data from a file called data.ldif, you would use the command ldifde -i -f data.ldif. Keep in mind that while the use of Ldifde.exe is legitimate in many contexts, it can also be used maliciously. For instance, an attacker who has gained access to a domain controller could potentially use Ldifde.exe to export sensitive data or make unauthorized changes to the directory. Therefore, it's important to monitor for unusual or unauthorized use of this tool.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ldifde.exe Processes.process IN (\"*-i *\", \"*-f *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_ldifde_directory_object_behavior_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Ldifde/", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF", "https://twitter.com/0gtweet/status/1564968845726580736?s=20", "https://strontic.github.io/xcyclopedia/library/ldifde.exe-45D28FB47E9B6ACC5DCA9FDA3E790210.html"], "tags": {"name": "Windows Ldifde Directory Object Behavior", "analytic_story": ["Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Command And Control", "Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ utilizing ldifde on a domain controller.", "mitre_attack_id": ["T1105", "T1069.002"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "atomic_guid": ["22cf8cb9-adb1-4e8c-80ca-7c723dfc8784"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/ldifde_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_ldifde_directory_object_behavior_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_ldifde_directory_object_behavior.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Linked Policies In ADSI Discovery", "id": "510ea428-4731-4d2f-8829-a28293e427aa", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain organizational unit for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*[adsisearcher]*\" ScriptBlockText = \"*objectcategory=organizationalunit*\" ScriptBlockText = \"*findAll()*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_linked_policies_in_adsi_discovery_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81"], "tags": {"name": "Windows Linked Policies In ADSI Discovery", "analytic_story": ["Data Destruction", "Active Directory Discovery", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "powershell process having commandline $Message$ for user enumeration", "mitre_attack_id": ["T1087.002", "T1087"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ScriptBlockText", "Computer", "user_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/adsi_discovery/windows-powershell-xml2.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_linked_policies_in_adsi_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_linked_policies_in_adsi_discovery.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Local Administrator Credential Stuffing", "id": "09555511-aca6-484a-b6ab-72cd03d73c34", "version": 1, "date": "2023-03-22", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic leverages events 4625 and 4624 to identify an endpoint using the builtin local Administrator account to authenticate to a large numbers of endpoints. Specifically, the logic will trigger when an endpoints attempts to authenticate to more than 30 target computers within a 5 minute timespan. This behavior could represent an adversary who has obtained access to local credentials and is trying to validate if these credentials work on other hosts to escalate their privileges. As environments differ across organizations, security teams should customize the thresholds of this detection as needed.", "data_source": ["Windows Security 4624"], "search": " `wineventlog_security` EventCode=4625 OR EventCode=4624 Logon_Type=3 TargetUserName=Administrator | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as host_targets by _time, IpAddress, TargetUserName, EventCode | where unique_targets > 30 | `windows_local_administrator_credential_stuffing_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "Vulnerability scanners or system administration tools may also trigger this detection. Filter as needed.", "references": ["https://attack.mitre.org/techniques/T1110/004/", "https://attack.mitre.org/techniques/T1110/", "https://www.blackhillsinfosec.com/wide-spread-local-admin-testing/", "https://www.pentestpartners.com/security-blog/admin-password-re-use-dont-do-it/", "https://www.praetorian.com/blog/microsofts-local-administrator-password-solution-laps/", "https://wiki.porchetta.industries/smb-protocol/password-spraying"], "tags": {"name": "Windows Local Administrator Credential Stuffing", "analytic_story": ["Active Directory Privilege Escalation", "Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Local Administrator credential stuffing attack coming from $IpAddress$", "mitre_attack_id": ["T1110", "T1110.004"], "nist": ["DE.CM"], "observable": [{"name": "host_targets", "type": "Endpoint", "role": ["Victim"]}, {"name": "IpAddress", "type": "Endpoint", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Logon_Type", "TargetUserName", "Computer", "IpAddress"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.004/local_administrator_cred_stuffing/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_local_administrator_credential_stuffing_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_local_administrator_credential_stuffing.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Mail Protocol In Non-Common Process Path", "id": "ac3311f5-661d-4e99-bd1f-3ec665b05441", "version": 1, "date": "2022-09-16", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a possible windows application having a SMTP connection in a non common installation path in windows operating system.This network protocol is being used by adversaries, threat actors and malware like AgentTesla as a Command And Control communication to transfer its collected stolen information like the desktop screenshots, browser information and system information of a targeted or compromised host.", "data_source": ["Sysmon Event ID 3"], "search": "`sysmon` EventCode=3 NOT(Image IN(\"*\\\\program files*\", \"*\\\\thunderbird.exe\",\"*\\\\outlook.exe\")) (DestinationPortName=\"smtp\" OR DestinationPort=25 OR DestinationPort=587) | stats count min(_time) as firstTime max(_time) as lastTime by Image DestinationPort DestinationPortName DestinationHostname SourceHostname SourcePort SourcePortName Protocol DestinationIp Computer user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mail_protocol_in_non_common_process_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and sysmon eventcode = 3 connection events from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "third party application may use this network protocol as part of its feature. Filter is needed.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla"], "tags": {"name": "Windows Mail Protocol In Non-Common Process Path", "analytic_story": ["AgentTesla"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Command And Control"], "message": "a process $Image$ is having a SMTP connection to $DestinationHostname$ in $Computer$", "mitre_attack_id": ["T1071.003", "T1071"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "DestinationPort", "DestinationPortName", "DestinationHostname", "SourceHostname", "SourcePort", "SourcePortName", "Protocol", "DestinationIp", "Computer", "user"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1071.003", "mitre_attack_technique": "Mail Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT28", "APT32", "Kimsuky", "SilverTerrier", "Turla"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Dragonfly", "Magic Hound", "Rocke", "TeamTNT"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/agent_tesla/agent_tesla_smtp/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_mail_protocol_in_non_common_process_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml", "source": "endpoint"}, {"name": "Windows Masquerading Explorer As Child Process", "id": "61490da9-52a1-4855-a0c5-28233c88c481", "version": 1, "date": "2022-10-20", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a suspicious parent process of explorer.exe. Explorer is usually executed by userinit.exe that will exit after execution that causes the main explorer.exe no parent process. Some malware like qakbot spawn another explorer.exe to inject its code. This TTP detection is a good indicator that a process spawning explorer.exe might inject code or masquerading its parent child process to evade detections.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN(\"cmd.exe\", \"powershell.exe\", \"regsvr32.exe\") AND Processes.process_name = \"explorer.exe\" by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `windows_masquerading_explorer_as_child_process_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot"], "tags": {"name": "Windows Masquerading Explorer As Child Process", "analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "message": "explorer.exe hash a suspicious parent process $parent_process_name$ in $dest$", "mitre_attack_id": ["T1574.002", "T1574"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Earth Lusca", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_masquerading_explorer_as_child_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_masquerading_explorer_as_child_process.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Mimikatz Binary Execution", "id": "a9e0d6d3-9676-4e26-994d-4e0406bb4467", "version": 1, "date": "2022-11-16", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "As simple as it sounds, this analytic identifies when the native mimikatz.exe binary executes on Windows. It does look for the original file name as well, just in case the binary is renamed. Adversaries sometimes bring in the default binary and run it directly. Benjamin Delpy originally created Mimikatz as a proof of concept to show Microsoft that its authentication protocols were vulnerable to an attack. Instead, he inadvertently created one of the most widely used and downloaded threat actor tools of the past 20 years. Mimikatz is an open-source application that allows users to view and save authentication credentials such as Kerberos tickets.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=mimikatz.exe OR Processes.original_file_name=mimikatz.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mimikatz_binary_execution_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited as this is directly looking for Mimikatz, the credential dumping utility.", "references": ["https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", "https://www.varonis.com/blog/what-is-mimikatz", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"], "tags": {"name": "Windows Mimikatz Binary Execution", "analytic_story": ["Credential Dumping", "CISA AA22-320A", "Sandworm Tools", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting dump credentials.", "mitre_attack_id": ["T1003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/mimikatzwindows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_mimikatz_binary_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_mimikatz_binary_execution.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Mimikatz Crypto Export File Extensions", "id": "3a9a6806-16a8-4cda-8d73-b49d10a05b16", "version": 1, "date": "2023-02-07", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies hardcoded extensions related to the Crypo module within Mimikatz. Moving certificates or downloading them is not malicious, however with Mimikatz having hardcoded names it helps to identify potential usage of certificates being exported.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*.keyx.rsa.pvk\",\"*sign.rsa.pvk\",\"*sign.dsa.pvk\",\"*dsa.ec.p8k\",\"*dh.ec.p8k\", \"*.pfx\", \"*.der\") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Filesystem)` | `windows_mimikatz_crypto_export_file_extensions_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present and may need to be reviewed before this can be turned into a TTP. In addition, remove .pfx (standalone) if it's too much volume.", "references": ["https://github.com/gentilkiwi/mimikatz/blob/master/mimikatz/modules/kuhl_m_crypto.c#L628-L645"], "tags": {"name": "Windows Mimikatz Crypto Export File Extensions", "analytic_story": ["Windows Certificate Services", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "kill_chain_phases": ["Exploitation"], "message": "Certificate file extensions realted to Mimikatz were identified on disk on $dest$.", "mitre_attack_id": ["T1649"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.dest", "Filesystem.file_create_time", "Filesystem.file_name", "Filesystem.file_path"], "risk_score": 28, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/certwrite_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_mimikatz_crypto_export_file_extensions_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_mimikatz_crypto_export_file_extensions.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Registry Auto Minor Updates", "id": "be498b9f-d804-4bbf-9fc0-d5448466b313", "version": 1, "date": "2023-04-21", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will \"Treat minor updates like other updates\".", "data_source": ["Sysmon EventID 12", "Sysmon EventID 13", "Sysmon EventID 14"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\\\\AutoInstallMinorUpdates\" AND Registry.registry_value_data=\"0x00000000\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_auto_minor_updates_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"name": "Windows Modify Registry Auto Minor Updates", "analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "A registry modification in Windows auto update configuration on $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action", "Registry.registry_value_data"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint", "Updates"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_auto_minor_updates_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_registry_auto_minor_updates.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Registry Auto Update Notif", "id": "4d1409df-40c7-4b11-aec4-bd0e709dfc12", "version": 1, "date": "2023-04-21", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a suspicious registry modification of Windows auto update notification. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will switch the automatic windows update to \"Notify before download\".", "data_source": ["Sysmon EventID 12", "Sysmon EventID 13", "Sysmon EventID 14"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\\\\AUOptions\" AND Registry.registry_value_data=\"0x00000002\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_auto_update_notif_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"name": "Windows Modify Registry Auto Update Notif", "analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "A registry modification in Windows auto update notification on $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action", "Registry.registry_value_data"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "atomic_guid": ["12e03af7-79f9-4f95-af48-d3f12f28a260"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_auto_update_notif_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_registry_auto_update_notif.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Registry Default Icon Setting", "id": "a7a7afdb-3c58-45b6-9bff-63e5acfd9d40", "version": 1, "date": "2023-01-16", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is developed to detect suspicious registry modification to change the default icon association of windows to ransomware . This technique was seen in Lockbit ransomware where it modified the default icon association of the compromised Windows OS host with its dropped ransomware icon file as part of its defacement payload. This registry is not commonly modified by a normal user so having this anomaly detection may help to catch possible lockbit ransomware infection or other malware.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path =\"*\\\\defaultIcon\\\\(Default)*\" Registry.registry_path = \"*HKCR\\\\*\" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.action Registry.dest Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_modify_registry_default_icon_setting_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "unknown", "references": ["https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html", "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/"], "tags": {"name": "Windows Modify Registry Default Icon Setting", "analytic_story": ["LockBit Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "a registry $Registry.registry_path$ was modified or created to modify defaulticon settings of the $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.user", "Registry.registry_path", "Registry.registry_key_name", "Registry.registry_value_name", "Registry.action"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/lockbit_ransomware/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_default_icon_setting_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_registry_default_icon_setting.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Registry Disable Toast Notifications", "id": "ed4eeacb-8d5a-488e-bc97-1ce6ded63b84", "version": 1, "date": "2022-06-22", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic is to identify a modification in the Windows registry to disable toast notifications. This Windows Operating System feature is responsible for alerting or notifying user if application or OS need some updates. Adversaries and malwares like Azorult abuse this technique to disable important update notification in compromised host. This anomaly detection is a good pivot to look for further events related to defense evasion and execution.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\PushNotifications\\\\ToastEnabled*\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_toast_notifications_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "references": ["https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"name": "Windows Modify Registry Disable Toast Notifications", "analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "the registry for DisallowRun settings was modified to enable in $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disable_toast_notifications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Registry Disable Win Defender Raw Write Notif", "id": "0e5e25c3-32f4-46f7-ba4a-5b95c3b90f5b", "version": 1, "date": "2022-06-23", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a modification in the Windows registry to disable Windows Defender raw write notification feature. This policy controls whether raw volume write notifications are sent to behavior monitoring or not. This registry was recently identified in Azorult malware to bypass Windows Defender detections or behavior monitoring in terms of volume write.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\Real-Time Protection\\\\DisableRawWriteNotification*\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_win_defender_raw_write_notif_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive. Filter as needed.", "references": ["https://admx.help/?Category=SystemCenterEndpointProtection&Policy=Microsoft.Policies.Antimalware::real-time_protection_disablerawwritenotification", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"name": "Windows Modify Registry Disable Win Defender Raw Write Notif", "analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "The registry for raw write notification settings was modified to disable in $dest$.", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disable_win_defender_raw_write_notif_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Registry Disable WinDefender Notifications", "id": "8e207707-ad40-4eb3-b865-3a52aec91f26", "version": 1, "date": "2023-04-21", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a suspicious registry modification to disable Windows Defender notification. This technique was being abused by several adversaries, malware authors and also red-teamers to evade detection on the targeted machine. RedLine Stealer is one of the malware we've seen that uses this technique to bypass Windows defender detection.", "data_source": ["Sysmon EventID 12", "Sysmon EventID 13", "Sysmon EventID 14"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\Notifications\\\\DisableNotifications\" AND Registry.registry_value_data=\"0x00000001\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_disable_windefender_notifications_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"name": "Windows Modify Registry Disable WinDefender Notifications", "analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "A registry modification to disable Windows Defender notification on $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action", "Registry.registry_value_data"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "atomic_guid": ["12e03af7-79f9-4f95-af48-d3f12f28a260"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disable_windefender_notifications_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Registry Disable Windows Security Center Notif", "id": "27ed3e79-6d86-44dd-b9ab-524451c97a7b", "version": 1, "date": "2022-06-22", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic is to identify a modification in the Windows registry to disable windows center notifications. This Windows Operating System feature is responsible for alerting or notifying user if application or OS need some updates. Adversaries and malwares like Azorult abuse this technique to disable important update notification in compromised host. This anomaly detection is a good pivot to look for further events related to defense evasion and execution.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows\\\\CurrentVersion\\\\ImmersiveShell\\\\UseActionCenterExperience*\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_windows_security_center_notif_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "references": ["https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"name": "Windows Modify Registry Disable Windows Security Center Notif", "analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "the registry for security center notification settings was modified to disable mode in $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disable_windows_security_center_notif_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Registry Disabling WER Settings", "id": "21cbcaf1-b51f-496d-a0c1-858ff3070452", "version": 1, "date": "2022-06-22", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a modification in the Windows registry to disable Windows error reporting settings. This Windows feature allows the user to report bugs, errors, failure or problems encountered in specific application or processes. Adversaries use this technique to hide any error or failure that some of its malicious components trigger.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\disable*\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disabling_wer_settings_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive, however is not common. Filter as needed.", "references": ["https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"name": "Windows Modify Registry Disabling WER Settings", "analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "the registry for WER settings was modified to be disabled on $dest$.", "mitre_attack_id": ["T1112"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disabling_wer_settings_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_registry_disabling_wer_settings.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Registry DisAllow Windows App", "id": "4bc788d3-c83a-48c5-a4e2-e0c6dba57889", "version": 1, "date": "2022-06-22", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies modification in the Windows registry to prevent user running specific computer programs that could aid them in manually removing malware or detecting it using security products. This technique was recently identified in Azorult malware where it uses this registry value to prevent several AV products to execute on the compromised host machine.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\DisallowRun*\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disallow_windows_app_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive. Filter as needed.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"name": "Windows Modify Registry DisAllow Windows App", "analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "The registry for DisallowRun settings was modified to enable in $dest$.", "mitre_attack_id": ["T1112"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_disallow_windows_app_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_registry_disallow_windows_app.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Registry Do Not Connect To Win Update", "id": "e09c598e-8dd0-4e73-b740-4b96b689199e", "version": 1, "date": "2023-04-21", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will disable Windos update functionality, and may cause connection to public services such as the Windows Store to stop working. This policy applies only when this PC is configured to connect to an intranet update service using the \"Specify intranet Microsoft update service location\" policy.", "data_source": ["Sysmon EventID 12", "Sysmon EventID 13", "Sysmon EventID 14"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\DoNotConnectToWindowsUpdateInternetLocations\" AND Registry.registry_value_data=\"0x00000001\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_do_not_connect_to_win_update_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499", "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsUpdate::DoNotConnectToWindowsUpdateInternetLocations"], "tags": {"name": "Windows Modify Registry Do Not Connect To Win Update", "analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "a registry modification in Windows auto update configuration in $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action", "Registry.registry_value_data"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "atomic_guid": ["12e03af7-79f9-4f95-af48-d3f12f28a260"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_do_not_connect_to_win_update_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Registry No Auto Reboot With Logon User", "id": "6a12fa9f-580d-4627-8c7f-313e359bdc6a", "version": 1, "date": "2023-04-21", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will allow \"Logged-on user gets to choose whether or not to restart his or her compute\".", "data_source": ["Sysmon EventID 12", "Sysmon EventID 13", "Sysmon EventID 14"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\\\\NoAutoRebootWithLoggedOnUsers\" AND Registry.registry_value_data=\"0x00000001\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_no_auto_reboot_with_logon_user_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"name": "Windows Modify Registry No Auto Reboot With Logon User", "analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "A registry modification in Windows auto update configuration on $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action", "Registry.registry_value_data"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "atomic_guid": ["12e03af7-79f9-4f95-af48-d3f12f28a260"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_no_auto_reboot_with_logon_user_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Registry No Auto Update", "id": "fbd4f333-17bb-4eab-89cb-860fa2e0600e", "version": 1, "date": "2023-04-21", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will \"Disable Automatic Updates\".", "data_source": ["Sysmon EventID 12", "Sysmon EventID 13", "Sysmon EventID 14"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\\\\NoAutoUpdate\" AND Registry.registry_value_data=\"0x00000001\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_no_auto_update_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"name": "Windows Modify Registry No Auto Update", "analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "A registry modification in Windows auto update configuration on $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action", "Registry.registry_value_data"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "atomic_guid": ["12e03af7-79f9-4f95-af48-d3f12f28a260"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_no_auto_update_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_registry_no_auto_update.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Registry Qakbot Binary Data Registry", "id": "2e768497-04e0-4188-b800-70dd2be0e30d", "version": 1, "date": "2022-11-10", "author": "Teoderick Contreras, Bhavin Patel, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a suspicious registry entry created by Qakbot malware as part of its malicious execution. This \"Binary Data\" Registry was created by newly spawn explorer.exe where its malicious code is injected to it. The registry consist of 8 random registry value name with encrypted binary data on its registry value data. This anomaly detections can be a good pivot for possible Qakbot malware infection or other malware that uses registry to save or store there config or malicious code on the registry data stream.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count dc(registry_value_name) as registry_value_name_count FROM datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Microsoft\\\\*\" AND Registry.registry_value_data = \"Binary Data\" by _time span=1m Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.process_id Registry.registry_key_name | `drop_dm_object_name(Registry)` | rename process_guid as proc_guid | eval registry_key_name_len = len(registry_key_name) | eval registry_value_name_len = len(registry_value_name) | regex registry_value_name=\"^[0-9a-fA-F]{8}\" | where registry_key_name_len < 80 AND registry_value_name_len == 8 | join proc_guid, _time [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name IN (\"explorer.exe\", \"wermgr.exe\",\"dxdiag.exe\", \"OneDriveSetup.exe\", \"mobsync.exe\", \"msra.exe\", \"xwizard.exe\") by _time span=1m Processes.process_id Processes.process_name Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid Processes.process_path | `drop_dm_object_name(Processes)` | rename process_guid as proc_guid | fields _time dest user parent_process_name parent_process process_name process_path process proc_guid registry_path registry_value_name registry_value_data process_id registry_key_name registry_value_name_count] | stats min(_time) as firstTime max(_time) as lastTime values(registry_value_name) as registry_value_name dc(registry_value_name) as registry_value_name_count by process_path registry_key_name registry_value_data proc_guid registry_key_name_len registry_value_name_len | where registry_value_name_count >= 5 | `windows_modify_registry_qakbot_binary_data_registry_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "unknown", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/decrypting-qakbots-encrypted-registry-keys/"], "tags": {"name": "Windows Modify Registry Qakbot Binary Data Registry", "analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "registry with binary data $registry_path$ created by $process_name$ in $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "user", "parent_process_name", "parent_process", "process_name", "process_path", "process", "proc_guid", "registry_path", "registry_value_name", "registry_value_data", "process_id", "registry_key_name", "registry_key_name_len", "registry_value_name_len"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot2/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_qakbot_binary_data_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Registry Reg Restore", "id": "d0072bd2-6d73-4c1b-bc77-ded6d2da3a4e", "version": 1, "date": "2022-12-12", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies a process execution of reg.exe with \"restore\" parameter. This reg.exe parameter is commonly used to restore registry backup data in a targeted host. This approach or technique was also seen in post-exploitation tool like winpeas where it uses \"reg save\" and \"reg restore\" to check the registry modification restriction in targeted host after gaining access to it.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = \"* restore *\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_reg_restore_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used.", "known_false_positives": "network administrator can use this command tool to backup registry before updates or modifying critical registries.", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/quser", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"name": "Windows Modify Registry Reg Restore", "analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "execution of process $process_name$ in $dest$", "mitre_attack_id": ["T1012"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id", "Processes.parent_process_guid", "Processes.process_guid"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_reg_restore_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_registry_reg_restore.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Registry Regedit Silent Reg Import", "id": "824dd598-71be-4203-bc3b-024f4cda340e", "version": 1, "date": "2022-06-24", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies modification of Windows registry using regedit.exe application with silent mode parameter. regedit.exe windows application is commonly used as GUI app to check or modify registry. This application is also has undocumented command-line parameter and one of those are silent mode parameter that performs action without stopping for confirmation with dialog box. Importing registry from .reg files need to monitor in a production environment since it can be used adversaries to import RMS registry in compromised host.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"regedit.exe\" OR Processes.original_file_name=\"regedit.exe\") AND Processes.process=\"* /s *\" AND Processes.process=\"*.reg*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_regedit_silent_reg_import_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators may execute this command that may cause some false positive. Filter as needed.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/", "https://www.techtarget.com/searchwindowsserver/tip/Command-line-options-for-Regeditexe"], "tags": {"name": "Windows Modify Registry Regedit Silent Reg Import", "analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "The regedit app was executed with silet mode parameter to import .reg file on $dest$.", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_regedit_silent_reg_import_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Registry Suppress Win Defender Notif", "id": "e3b42daf-fff4-429d-bec8-2a199468cea9", "version": 1, "date": "2022-06-22", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic is to identify a modification in the Windows registry to suppress windows defender notification. This technique was abuse by adversaries and threat actor to bypassed windows defender on the targeted host. Azorult malware is one of the malware use this technique that also disable toast notification and other windows features as part of its malicious behavior.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\UX Configuration\\\\Notification_Suppress*\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_suppress_win_defender_notif_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "references": ["https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"name": "Windows Modify Registry Suppress Win Defender Notif", "analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "the registry for suppresing windows fdefender notification settings was modified to disabled in $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_suppress_win_defender_notif_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Registry Tamper Protection", "id": "12094335-88fc-4c3a-b55f-e62dd8c93c23", "version": 1, "date": "2023-04-21", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a suspicious registry modification to tamper Windows Defender protection. This technique was being abused by several adversaries, malware authors and also red-teamers to evade detection on the targeted machine. RedLine Stealer is one of the malware we've seen that uses this technique to bypass Windows defender detection.", "data_source": ["Sysmon EventID 12", "Sysmon EventID 13", "Sysmon EventID 14"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection\" AND Registry.registry_value_data=\"0x00000000\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_tamper_protection_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"name": "Windows Modify Registry Tamper Protection", "analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "A registry modification to tamper Windows Defender protection on $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action", "Registry.registry_value_data"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "atomic_guid": ["12e03af7-79f9-4f95-af48-d3f12f28a260"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_tamper_protection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_registry_tamper_protection.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Registry UpdateServiceUrlAlternate", "id": "ca4e94fb-7969-4d63-8630-3625809a1f70", "version": 1, "date": "2023-04-21", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that specifies an intranet server to host updates from Microsoft Update.", "data_source": ["Sysmon EventID 12", "Sysmon EventID 13", "Sysmon EventID 14"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\UpdateServiceUrlAlternate\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_updateserviceurlalternate_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"name": "Windows Modify Registry UpdateServiceUrlAlternate", "analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "A registry modification in Windows auto update configuration on $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action", "Registry.registry_value_data"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_updateserviceurlalternate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Registry USeWuServer", "id": "c427bafb-0b2c-4b18-ad85-c03c6fed9e75", "version": 1, "date": "2023-04-21", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will use \"The WUServer value unless this key is set\".", "data_source": ["Sysmon EventID 12", "Sysmon EventID 13", "Sysmon EventID 14"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\\\\UseWUServer\" AND Registry.registry_value_data=\"0x00000001\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_usewuserver_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"name": "Windows Modify Registry USeWuServer", "analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "a registry modification in Windows auto update configuration in $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action", "Registry.registry_value_data"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_usewuserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_registry_usewuserver.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Registry WuServer", "id": "a02ad386-e26d-44ce-aa97-6a46cee31439", "version": 1, "date": "2023-04-21", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification related to the WSUS server used by Automatic Updates and (by default) API callers. This policy is paired with WUStatusServer; both must be set to the same value in order for them to be valid.", "data_source": ["Sysmon EventID 12", "Sysmon EventID 13", "Sysmon EventID 14"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\WUServer\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_wuserver_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators may enable or disable this feature that may cause some false positive.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"name": "Windows Modify Registry WuServer", "analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "A registry modification in Windows auto update configuration on $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action", "Registry.registry_value_data"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_wuserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_registry_wuserver.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Registry wuStatusServer", "id": "073e69d0-68b2-4142-aa90-a7ee6f590676", "version": 1, "date": "2023-04-21", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification related to the server to which reporting information will be sent for client computers that use the WSUS server configured by the WUServer key. This policy is paired with WUServer; both must be set to the same value in order for them to be valid.", "data_source": ["Sysmon EventID 12", "Sysmon EventID 13", "Sysmon EventID 14"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\WUStatusServer\" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_wustatusserver_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "references": ["https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499"], "tags": {"name": "Windows Modify Registry wuStatusServer", "analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "a registry modification in Windows auto update configuration in $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action", "Registry.registry_value_data"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_registry_wustatusserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_registry_wustatusserver.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "id": "b7548c2e-9a10-11ec-99e3-acde48001122", "version": 3, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to look for suspicious registry modification related to file compression color and information tips. This IOC was seen in hermetic wiper where it has a thread that will create this registry entry to change the color of compressed or encrypted files in NTFS file system as well as the pop up information tips. This is a good indicator that a process tries to modified one of the registry GlobalFolderOptions related to file compression attribution in terms of color in NTFS file system.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced*\" AND Registry.registry_value_name IN(\"ShowCompColor\", \"ShowInfoTip\")) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_show_compress_color_and_info_tip_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "references": ["https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html"], "tags": {"name": "Windows Modify Show Compress Color And Info Tip Registry", "analytic_story": ["Data Destruction", "Windows Defense Evasion Tactics", "Windows Registry Abuse", "Hermetic Wiper"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Registry modification in \"ShowCompColor\" and \"ShowInfoTips\" on $dest$", "mitre_attack_id": ["T1112"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/hermetic_wiper/globalfolderoptions_reg/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_modify_show_compress_color_and_info_tip_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows MOF Event Triggered Execution via WMI", "id": "e59b5a73-32bf-4467-a585-452c36ae10c1", "version": 1, "date": "2022-07-15", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following anaytic identifies MOFComp.exe loading a MOF file. The Managed Object Format (MOF) compiler parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. Typically, MOFComp.exe does not reach out to the public internet or load a MOF file from User Profile paths. A filter and consumer is typically registered in WMI. Review parallel processes and query WMI subscriptions to gather artifacts. The default path of mofcomp.exe is C:\\Windows\\System32\\wbem.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name IN (\"cmd.exe\", \"powershell.exe\") Processes.process_name=mofcomp.exe) OR (Processes.process_name=mofcomp.exe Processes.process IN (\"*\\\\AppData\\\\Local\\\\*\",\"*\\\\Users\\\\Public\\\\*\", \"*\\\\WINDOWS\\\\Temp\\\\*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mof_event_triggered_execution_via_wmi_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present from automation based applications (SCCM), filtering may be required. In addition, break the query out based on volume of usage. Filter process names or f", "references": ["https://attack.mitre.org/techniques/T1546/003/", "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp", "https://pentestlab.blog/2020/01/21/persistence-wmi-event-subscription/", "https://www.sakshamdixit.com/wmi-events/"], "tags": {"name": "Windows MOF Event Triggered Execution via WMI", "analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ loading a MOF file.", "mitre_attack_id": ["T1546.003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.003", "mitre_attack_technique": "Windows Management Instrumentation Event Subscription", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT33", "Blue Mockingbird", "FIN8", "Leviathan", "Metador", "Mustang Panda", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.003/atomic_red_team/mofcomp.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_mof_event_triggered_execution_via_wmi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows MOVEit Transfer Writing ASPX", "id": "c0ed2aca-5666-45b3-813f-ddfac3f3eda0", "version": 1, "date": "2023-06-01", "author": "Michael Haag, Splunk", "type": "TTP", "status": "experimental", "description": "This analytic detects the creation of new ASPX files in the MOVEit Transfer application's \"wwwroot\" directory. This activity is indicative of the recent critical vulnerability found in MOVEit Transfer, where threat actors have been observed exploiting a zero-day vulnerability to install a malicious ASPX file (e.g., \"human2.aspx\") in the wwwroot directory. The injected file could then be used to exfiltrate sensitive data, including user credentials and file metadata. The vulnerability affects the MOVEit Transfer managed file transfer software developed by Progress, a subsidiary of US-based Progress Software Corporation. This analytic requires endpoint data reflecting process and filesystem activity. The identified process must be responsible for the creation of new ASPX or ASHX files in the specified directory.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=System by _time span=1h Processes.process_id Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\MOVEitTransfer\\\\wwwroot\\\\*\") Filesystem.file_name IN(\"*.aspx\", \"*.ashx\", \"*.asp*\") OR Filesystem.file_name IN (\"human2.aspx\",\"_human2.aspx\") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process] | dedup file_create_time | table dest file_create_time, file_name, file_path, process_name | `windows_moveit_transfer_writing_aspx_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node.", "known_false_positives": "The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product.", "references": ["https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023", "https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/", "https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/", "https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/", "https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft"], "tags": {"name": "Windows MOVEit Transfer Writing ASPX", "analytic_story": ["MOVEit Transfer Critical Vulnerability"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Delivery", "Installation"], "message": "The MOVEit application on $dest$ has written a new ASPX file to disk.", "mitre_attack_id": ["T1190", "T1133"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.file_path", "Filesystem.process_id", "Filesystem.file_name", "Filesystem.file_hash", "Filesystem.user", "Filesystem.file_create_time", "Processes.process_id", "Processes.process_name", "Processes.dest"], "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "atomic_guid": [], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.003/moveit_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_moveit_transfer_writing_aspx_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_moveit_transfer_writing_aspx.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows MSExchange Management Mailbox Cmdlet Usage", "id": "396de86f-25e7-4b0e-be09-a330be35249d", "version": 1, "date": "2022-11-21", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic uses the Exchange Management logs, that are enabled by default, to identify suspicious Cmdlet usage related to ProxyShell and ProxyNotShell abuse.", "data_source": ["Sysmon Event ID 1"], "search": "`msexchange_management` EventCode=1 Message IN (\"*New-MailboxExportRequest*\", \"*New-ManagementRoleAssignment*\", \"*New-MailboxSearch*\", \"*Get-Recipient*\", \"*Search-Mailbox*\") | stats count min(_time) as firstTime max(_time) as lastTime by host Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename host AS dest | `windows_msexchange_management_mailbox_cmdlet_usage_filter`", "how_to_implement": "The following analytic requires collecting the Exchange Management logs via a input. An example inputs is here https://gist.github.com/MHaggis/f66f1d608ea046efb9157020cd34c178. We used multiline as the XML format of the logs will require props/transforms. Multiline gives us everything we need in Message for now. Update the macro with your correct sourcetype.", "known_false_positives": "False positives may be present when an Administrator utilizes the cmdlets in the query. Filter or monitor as needed.", "references": ["https://gist.github.com/MHaggis/f66f1d608ea046efb9157020cd34c178"], "tags": {"name": "Windows MSExchange Management Mailbox Cmdlet Usage", "analytic_story": ["ProxyShell", "ProxyNotShell"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 40, "kill_chain_phases": ["Installation"], "message": "Cmdlets related to ProxyShell and ProxyNotShell have been identified on $dest$.", "mitre_attack_id": ["T1059", "T1059.001"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Message", "dest"], "risk_score": 32, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/exchange/msexchangemanagement.log", "source": "WinEventLog:MSExchange Management", "sourcetype": "MSExchange:management", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "msexchange_management", "definition": "sourcetype=MSExchange:management", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_msexchange_management_mailbox_cmdlet_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_msexchange_management_mailbox_cmdlet_usage.yml", "source": "endpoint"}, {"name": "Windows Mshta Execution In Registry", "id": "e13ceade-b673-4d34-adc4-4d9c01729753", "version": 1, "date": "2022-10-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the usage of mshta.exe Windows binary in registry to execute malicious script. This technique was seen in kovter malware where it create several registry entry which is a encoded javascript and will be executed by another registry containing mshta and javascript activexobject to execute the encoded script using wscript.shell. This TTP is a good indication of kovter malware or other adversaries or threat actors leveraging fileless detection that survive system reboot.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_value_data = \"*mshta*\" OR Registry.registry_value_data IN (\"*javascript:*\", \"*vbscript:*\",\"*WScript.Shell*\") by Registry.registry_key_name Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mshta_execution_in_registry_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "unknown", "references": ["https://redcanary.com/threat-detection-report/techniques/mshta/", "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/fileless-threats?view=o365-worldwide"], "tags": {"name": "Windows Mshta Execution In Registry", "analytic_story": ["Suspicious Windows Registry Activities", "Windows Persistence Techniques"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "a registry $registry_path$ contains mshta $registry_value_data$ in $dest$", "mitre_attack_id": ["T1218.005"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.dest", "Registry.registry_value_data", "Registry.action"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA551"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/mshta_in_registry/sysmon3.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_mshta_execution_in_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_mshta_execution_in_registry.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows MSIExec DLLRegisterServer", "id": "fdb59aef-d88f-4909-8369-ec2afbd2c398", "version": 1, "date": "2022-06-14", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the usage of msiexec.exe using the /y switch parameter, which grants the ability for msiexec to load DLLRegisterServer. Upon triage, review parent process and capture any artifacts for further review.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_msiexec` Processes.process IN (\"*/y*\", \"*-y*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_dllregisterserver_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "This analytic will need to be tuned for your environment based on legitimate usage of msiexec.exe. Filter as needed.", "references": ["https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"], "tags": {"name": "Windows MSIExec DLLRegisterServer", "analytic_story": ["Windows System Binary Proxy Execution MSIExec"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to register a file.", "mitre_attack_id": ["T1218.007"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.007", "mitre_attack_technique": "Msiexec", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Machete", "Molerats", "Rancor", "TA505", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_msiexec", "definition": "(Processes.process_name=msiexec.exe OR Processes.original_file_name=msiexec.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_msiexec_dllregisterserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_msiexec_dllregisterserver.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows MSIExec Remote Download", "id": "6aa49ff2-3c92-4586-83e0-d83eb693dfda", "version": 1, "date": "2022-06-16", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies msiexec.exe with http in the command-line. This procedure will utilize msiexec.exe to download a remote file and load it. During triage, review parallel processes and capture any artifacts on disk for review.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_msiexec` Processes.process IN (\"*http://*\", \"*https://*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_remote_download_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present, filter by destination or parent process as needed.", "references": ["https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"], "tags": {"name": "Windows MSIExec Remote Download", "analytic_story": ["Windows System Binary Proxy Execution MSIExec"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a remote file.", "mitre_attack_id": ["T1218.007"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.007", "mitre_attack_technique": "Msiexec", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Machete", "Molerats", "Rancor", "TA505", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_msiexec", "definition": "(Processes.process_name=msiexec.exe OR Processes.original_file_name=msiexec.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_msiexec_remote_download_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_msiexec_remote_download.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows MSIExec Spawn Discovery Command", "id": "e9d05aa2-32f0-411b-930c-5b8ca5c4fcee", "version": 1, "date": "2022-06-13", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies MSIExec spawning multiple discovery commands, including spawning Cmd.exe or PowerShell.exe. Typically, child processes are not common from MSIExec other than MSIExec spawning itself.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=msiexec.exe Processes.process_name IN (\"powershell.exe\",\"cmd.exe\", \"nltest.exe\",\"ipconfig.exe\",\"systeminfo.exe\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_spawn_discovery_command_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives will be present with MSIExec spawning Cmd or PowerShell. Filtering will be needed. In addition, add other known discovery processes to enhance query.", "references": ["https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"], "tags": {"name": "Windows MSIExec Spawn Discovery Command", "analytic_story": ["Windows System Binary Proxy Execution MSIExec"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ running different discovery commands.", "mitre_attack_id": ["T1218.007"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.007", "mitre_attack_technique": "Msiexec", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Machete", "Molerats", "Rancor", "TA505", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_msiexec_spawn_discovery_command_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_msiexec_spawn_discovery_command.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows MSIExec Unregister DLLRegisterServer", "id": "a27db3c5-1a9a-46df-a577-765d3f1a3c24", "version": 1, "date": "2022-06-14", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the usage of msiexec.exe using the /z switch parameter, which grants the ability for msiexec to unload DLLRegisterServer. Upon triage, review parent process and capture any artifacts for further review.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_msiexec` Processes.process IN (\"*/z*\", \"*-z*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_unregister_dllregisterserver_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "This analytic will need to be tuned for your environment based on legitimate usage of msiexec.exe. Filter as needed.", "references": ["https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"], "tags": {"name": "Windows MSIExec Unregister DLLRegisterServer", "analytic_story": ["Windows System Binary Proxy Execution MSIExec"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to unregister a file.", "mitre_attack_id": ["T1218.007"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.007", "mitre_attack_technique": "Msiexec", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Machete", "Molerats", "Rancor", "TA505", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_msiexec", "definition": "(Processes.process_name=msiexec.exe OR Processes.original_file_name=msiexec.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_msiexec_unregister_dllregisterserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows MSIExec With Network Connections", "id": "827409a1-5393-4d8d-8da4-bbb297c262a7", "version": 1, "date": "2022-06-16", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies MSIExec with any network connection over port 443 or 80. Typically, MSIExec does not perform network communication to the internet.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_msiexec` by _time Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port IN (\"80\",\"443\") by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port All_Traffic.dest_ip | `drop_dm_object_name(All_Traffic)` ] | table _time dest parent_process_name process_name process_path process process_id dest_port dest_ip | `windows_msiexec_with_network_connections_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. Add parent process as a filter, filter known good processes. This may be voluminous due to the join on process_id. All_Traffic does not have process_guid, yet.", "known_false_positives": "False positives will be present and filtering is required.", "references": ["https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"], "tags": {"name": "Windows MSIExec With Network Connections", "analytic_story": ["Windows System Binary Proxy Execution MSIExec"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "An instance of $process_name$ was identified on endpoint $dest$ contacting a remote destination.", "mitre_attack_id": ["T1218.007"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_id", "Processes.process_name", "Processes.dest", "Processes.process_path", "Processes.process", "Processes.parent_process_name", "All_Traffic.process_id", "All_Traffic.dest", "All_Traffic.dest_port", "All_Traffic.dest_ip"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.007", "mitre_attack_technique": "Msiexec", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Machete", "Molerats", "Rancor", "TA505", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint", "Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_msiexec", "definition": "(Processes.process_name=msiexec.exe OR Processes.original_file_name=msiexec.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_msiexec_with_network_connections_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_msiexec_with_network_connections.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Multi hop Proxy TOR Website Query", "id": "4c2d198b-da58-48d7-ba27-9368732d0054", "version": 1, "date": "2022-09-16", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a dns query to a known TOR proxy website. This technique was seen in several adversaries, threat actors and malware like AgentTesla to To disguise the source of its malicious traffic. adversaries may chain together multiple proxies. This Anomaly detection might be a good pivot for a process trying to download or use TOR proxies in a compromised host machine.", "data_source": ["Sysmon Event ID 22"], "search": "`sysmon` EventCode=22 QueryName IN (\"*.torproject.org\", \"www.theonionrouter.com\") | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus ProcessId Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_multi_hop_proxy_tor_website_query_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name and sysmon eventcode = 22 dns query events from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "third party application may use this proxies if allowed in production environment. Filter is needed.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla"], "tags": {"name": "Windows Multi hop Proxy TOR Website Query", "analytic_story": ["AgentTesla"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command And Control"], "message": "a process $Image$ is having a dns query in a tor domain $QueryName$ in $Computer$", "mitre_attack_id": ["T1071.003", "T1071"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "QueryName", "QueryStatus", "ProcessId", "Computer"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1071.003", "mitre_attack_technique": "Mail Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT28", "APT32", "Kimsuky", "SilverTerrier", "Turla"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Dragonfly", "Magic Hound", "Rocke", "TeamTNT"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/agent_tesla/agent_tesla_tor_dns_query/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multi_hop_proxy_tor_website_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_multi_hop_proxy_tor_website_query.yml", "source": "endpoint"}, {"name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "id": "98f22d82-9d62-11eb-9fcf-acde48001122", "version": 2, "date": "2021-04-14", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies one source endpoint failing to authenticate with 30 unique disabled domain users using the Kerberos protocol within 5 minutes. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using Kerberos to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. As attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries may execute a password spraying attack against disabled users. Event 4768 is generated every time the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT). Failure code `0x12` stands for `clients credentials have been revoked` (account disabled, expired or locked out).\\\nThis logic can be used for real time security monitoring as well as threat hunting exercises. This detection will only trigger on domain controllers, not on member servers or workstations.\\\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts.", "data_source": ["Windows Security 4768"], "search": "`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x12 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, IpAddress | where unique_accounts > 30 | `windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple disabled domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems missconfigured systems.", "references": ["https://attack.mitre.org/techniques/T1110/003/"], "tags": {"name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "analytic_story": ["Active Directory Password Spraying", "Active Directory Kerberos Attacks", "Volt Typhoon", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Potential Kerberos based password spraying attack from $IpAddress$", "mitre_attack_id": ["T1110.003", "T1110"], "nist": ["DE.CM"], "observable": [{"name": "IpAddress", "role": ["Attacker"], "type": "Endpoint"}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Status", "TargetUserName", "IpAddress"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_disabled_users_kerberos_xml/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Multiple Invalid Users Fail To Authenticate Using Kerberos", "id": "001266a6-9d5b-11eb-829b-acde48001122", "version": 2, "date": "2021-04-14", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies one source endpoint failing to authenticate with 30 unique invalid domain users using the Kerberos protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using Kerberos to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. As attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries may execute a password spraying attack using an invalid list of users. Event 4768 is generated every time the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT). Failure code 0x6 stands for `client not found in Kerberos database` (the attempted user is not a valid domain user).\\\nThis logic can be used for real time security monitoring as well as threat hunting exercises. This detection will only trigger on domain controllers, not on member servers or workstations.\\\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts.", "data_source": ["Windows Security 4768"], "search": "`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x6 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, IpAddress | where unique_accounts > 30 | `windows_multiple_invalid_users_fail_to_authenticate_using_kerberos_filter` ", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems and missconfigured systems.", "references": ["https://attack.mitre.org/techniques/T1110/003/"], "tags": {"name": "Windows Multiple Invalid Users Fail To Authenticate Using Kerberos", "analytic_story": ["Active Directory Password Spraying", "Active Directory Kerberos Attacks", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Potential Kerberos based password spraying attack from $IpAddress$", "mitre_attack_id": ["T1110.003", "T1110"], "nist": ["DE.CM"], "observable": [{"name": "IpAddress", "role": ["Attacker"], "type": "Endpoint"}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Status", "TargetUserName", "IpAddress"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multiple_invalid_users_fail_to_authenticate_using_kerberos_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_multiple_invalid_users_fail_to_authenticate_using_kerberos.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Multiple Invalid Users Failed To Authenticate Using NTLM", "id": "57ad5a64-9df7-11eb-a290-acde48001122", "version": 2, "date": "2021-04-15", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies one source endpoint failing to authenticate with 30 unique invalid users using the NTLM protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using NTLM to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. As attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries may execute a password spraying attack using an invalid list of users. Event 4776 is generated on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. Error code 0xC0000064 stands for `The username you typed does not exist` (the attempted user is a legitimate domain user).\\\nThis logic can be used for real time security monitoring as well as threat hunting exercises. This detection will only trigger on domain controllers, not on member servers or workstations.\\\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source workstation name and attempted user accounts.", "data_source": ["Windows Security 4776"], "search": " `wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xc0000064 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, Workstation | where unique_accounts > 30 | `windows_multiple_invalid_users_failed_to_authenticate_using_ntlm_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation' within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776"], "tags": {"name": "Windows Multiple Invalid Users Failed To Authenticate Using NTLM", "analytic_story": ["Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Potential NTLM based password spraying attack from $Workstation$", "mitre_attack_id": ["T1110.003", "T1110"], "nist": ["DE.CM"], "observable": [{"name": "Workstation", "role": ["Attacker"], "type": "Endpoint"}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "TargetUserName", "Workstation", "Status"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm_xml/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multiple_invalid_users_failed_to_authenticate_using_ntlm_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_multiple_invalid_users_failed_to_authenticate_using_ntlm.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials", "id": "e61918fa-9ca4-11eb-836c-acde48001122", "version": 2, "date": "2021-04-13", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a source user failing to authenticate with 30 unique users using explicit credentials on a host. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. Event 4648 is generated when a process attempts an account logon by explicitly specifying that accounts credentials. This event generates on domain controllers, member servers, and workstations.\\\nThis logic can be used for real time security monitoring as well as threat hunting exercises. This detection will trigger on the potenfially malicious host, perhaps controlled via a trojan or operated by an insider threat, from where a password spraying attack is being executed.\\\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source account, attempted user accounts and the endpoint were the behavior was identified.", "data_source": ["Windows Security 4648"], "search": " `wineventlog_security` EventCode=4648 Caller_User_Name!=*$ Target_User_Name!=*$ | bucket span=5m _time | stats dc(Target_User_Name) AS unique_accounts values(Target_User_Name) as tried_account by _time, Computer, Caller_User_Name | where unique_accounts > 30 | `windows_multiple_users_fail_to_authenticate_wth_explicitcredentials_filter` ", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "A source user failing attempting to authenticate multiple users on a host is not a common behavior for regular systems. Some applications, however, may exhibit this behavior in which case sets of users hosts can be added to an allow list. Possible false positive scenarios include systems where several users connect to like Mail servers, identity providers, remote desktop services, Citrix, etc.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4648", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events"], "tags": {"name": "Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials", "analytic_story": ["Active Directory Password Spraying", "Insider Threat", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Potential password spraying attack from $Computer$", "mitre_attack_id": ["T1110.003", "T1110"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "role": ["Victim"], "type": "Endpoint"}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Target_User_Name", "Caller_User_Name", "Computer"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray_xml/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multiple_users_fail_to_authenticate_wth_explicitcredentials_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_multiple_users_fail_to_authenticate_wth_explicitcredentials.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Multiple Users Failed To Authenticate From Host Using NTLM", "id": "7ed272a4-9c77-11eb-af22-acde48001122", "version": 2, "date": "2021-04-13", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies one source endpoint failing to authenticate with 30 unique valid users using the NTLM protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using NTLM to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. Event 4776 is generated on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. Error code 0xC000006A means: misspelled or bad password (the attempted user is a legitimate domain user).\\\nThis logic can be used for real time security monitoring as well as threat hunting exercises. This detection will only trigger on domain controllers, not on member servers or workstations.\\\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source workstation name and attempted user accounts.", "data_source": ["Windows Security 4776"], "search": " `wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xC000006A | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, Workstation | where unique_accounts > 30 | `windows_multiple_users_failed_to_authenticate_from_host_using_ntlm_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776"], "tags": {"name": "Windows Multiple Users Failed To Authenticate From Host Using NTLM", "analytic_story": ["Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Potential NTLM based password spraying attack from $Workstation$", "mitre_attack_id": ["T1110.003", "T1110"], "nist": ["DE.CM"], "observable": [{"name": "Workstation", "role": ["Attacker"], "type": "Endpoint"}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Status", "TargetUserName", "Workstation"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm_xml/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multiple_users_failed_to_authenticate_from_host_using_ntlm_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_host_using_ntlm.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Multiple Users Failed To Authenticate From Process", "id": "9015385a-9c84-11eb-bef2-acde48001122", "version": 2, "date": "2021-04-13", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a source process name failing to authenticate with 30 uniquer users. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. Event 4625 generates on domain controllers, member servers, and workstations when an account fails to logon. Logon Type 2 describes an iteractive logon attempt.\\\nThis logic can be used for real time security monitoring as well as threat hunting exercises. This detection will trigger on the potenfially malicious host, perhaps controlled via a trojan or operated by an insider threat, from where a password spraying attack is being executed. This could be a domain controller as well as a member server or workstation.\\\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source process name, source account and attempted user accounts.", "data_source": ["Windows Security 4625"], "search": " `wineventlog_security` EventCode=4625 Logon_Type=2 ProcessName!=\"-\" | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, ProcessName, SubjectUserName, Computer | where unique_accounts > 30 | `windows_multiple_users_failed_to_authenticate_from_process_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers aas well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "A process failing to authenticate with multiple users is not a common behavior for legitimate user sessions. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events"], "tags": {"name": "Windows Multiple Users Failed To Authenticate From Process", "analytic_story": ["Active Directory Password Spraying", "Insider Threat", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Potential password spraying attack from $Computer$", "mitre_attack_id": ["T1110.003", "T1110"], "nist": ["DE.CM"], "observable": [{"name": "ComputerName", "role": ["Victim"], "type": "Endpoint"}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Logon_Type", "ProcessName", "SubjectUserName", "TargetUserName", "Computer"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process_xml/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multiple_users_failed_to_authenticate_from_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_process.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Multiple Users Failed To Authenticate Using Kerberos", "id": "3a91a212-98a9-11eb-b86a-acde48001122", "version": 2, "date": "2021-04-08", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies one source endpoint failing to authenticate with 30 unique users using the Kerberos protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using Kerberos to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. Event 4771 is generated when the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). Failure code 0x18 stands for `wrong password provided` (the attempted user is a legitimate domain user).\\\nThis logic can be used for real time security monitoring as well as threat hunting exercises. This detection will only trigger on domain controllers, not on member servers or workstations.\\\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts.", "data_source": ["Windows Security 4771"], "search": "`wineventlog_security` EventCode=4771 TargetUserName!=\"*$\" Status=0x18 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, IpAddress | where unique_accounts > 30 | `windows_multiple_users_failed_to_authenticate_using_kerberos_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, missconfigured systems and multi-user systems like Citrix farms.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319109(v=ws.11)", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771"], "tags": {"name": "Windows Multiple Users Failed To Authenticate Using Kerberos", "analytic_story": ["Active Directory Password Spraying", "Active Directory Kerberos Attacks", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Potential Kerberos based password spraying attack from $IpAddress$", "mitre_attack_id": ["T1110.003", "T1110"], "nist": ["DE.CM"], "observable": [{"name": "IpAddress", "role": ["Attacker"], "type": "Endpoint"}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Status", "TargetUserName", "IpAddress"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos_xml/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multiple_users_failed_to_authenticate_using_kerberos_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_multiple_users_failed_to_authenticate_using_kerberos.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Multiple Users Remotely Failed To Authenticate From Host", "id": "80f9d53e-9ca1-11eb-b0d6-acde48001122", "version": 2, "date": "2021-04-13", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a source host failing to authenticate against a remote host with 30 unique users. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. Event 4625 documents each and every failed attempt to logon to the local computer. This event generates on domain controllers, member servers, and workstations. Logon Type 3 describes an remote authentication attempt.\\\nThis logic can be used for real time security monitoring as well as threat hunting exercises. This detection will trigger on the host that is the target of the password spraying attack. This could be a domain controller as well as a member server or workstation.\\\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source process name, source account and attempted user accounts.", "data_source": ["Windows Security 4625"], "search": " `wineventlog_security` EventCode=4625 Logon_Type=3 IpAddress!=\"-\" | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, IpAddress, Computer | where unique_accounts > 30 | `windows_multiple_users_remotely_failed_to_authenticate_from_host_filter` ", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple valid users against a remote host is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, remote administration tools, missconfigyred systems, etc.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events"], "tags": {"name": "Windows Multiple Users Remotely Failed To Authenticate From Host", "analytic_story": ["Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Potential password spraying attack on $ComputerName$", "mitre_attack_id": ["T1110.003", "T1110"], "nist": ["DE.CM"], "observable": [{"name": "ComputerName", "role": ["Victim"], "type": "Endpoint"}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Logon_Type", "TargetUserName", "Computer", "IpAddress"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_remote_spray_xml/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_multiple_users_remotely_failed_to_authenticate_from_host_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_multiple_users_remotely_failed_to_authenticate_from_host.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Ngrok Reverse Proxy Usage", "id": "e2549f2c-0aef-408a-b0c1-e0f270623436", "version": 2, "date": "2023-01-12", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies the use of ngrok.exe being utilized on the Windows operating system. Unfortunately, there is no original file name for Ngrok, so it may be worth an additional hunt to identify any command-line arguments. The sign of someone using Ngrok is not malicious, however, more recently it has become an adversary tool.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ngrok.exe Processes.process IN (\"*start*\", \"*--config*\",\"*http*\",\"*authtoken*\", \"*http*\", \"*tcp*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_ngrok_reverse_proxy_usage_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives will be present based on organizations that allow the use of Ngrok. Filter or monitor as needed.", "references": ["https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf"], "tags": {"name": "Windows Ngrok Reverse Proxy Usage", "analytic_story": ["Reverse Network Proxy", "CISA AA22-320A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 50, "kill_chain_phases": ["Command And Control"], "message": "A reverse proxy was identified spawning from $parent_process_name$ - $process_name$ on endpoint $dest$ by user $user$.", "mitre_attack_id": ["T1572", "T1090", "T1102"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 50, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1572", "mitre_attack_technique": "Protocol Tunneling", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Chimera", "Cobalt Group", "FIN6", "Fox Kitten", "Leviathan", "Magic Hound", "OilRig"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "POLONIUM", "Sandworm Team", "Turla", "Windigo"]}, {"mitre_attack_id": "T1102", "mitre_attack_technique": "Web Service", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT32", "EXOTIC LILY", "Ember Bear", "FIN6", "FIN8", "Fox Kitten", "Gamaredon Group", "Inception", "LazyScripter", "Mustang Panda", "Rocke", "TeamTNT", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/ngrok/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_ngrok_reverse_proxy_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows NirSoft AdvancedRun", "id": "bb4f3090-7ae4-11ec-897f-acde48001122", "version": 1, "date": "2023-04-14", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of AdvancedRun.exe. AdvancedRun.exe has similar capabilities as other remote programs like psexec. AdvancedRun may also ingest a configuration file with all settings defined and perform its activity. The analytic is written in a way to identify a renamed binary and also the common command-line arguments.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=advancedrun.exe OR Processes.original_file_name=advancedrun.exe) Processes.process IN (\"*EXEFilename*\",\"*/cfg*\",\"*RunAs*\", \"*WindowState*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_nirsoft_advancedrun_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited as it is specific to AdvancedRun. Filter as needed based on legitimate usage.", "references": ["http://www.nirsoft.net/utils/advanced_run.html", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"name": "Windows NirSoft AdvancedRun", "analytic_story": ["Ransomware", "Unusual Processes", "Data Destruction", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 60, "kill_chain_phases": ["Weaponization"], "message": "An instance of advancedrun.exe, $process_name$, was spawned by $parent_process_name$ on $dest$ by $user$.", "mitre_attack_id": ["T1588.002"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1588.002", "mitre_attack_technique": "Tool", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT19", "APT28", "APT29", "APT32", "APT33", "APT38", "APT39", "APT41", "Aoqin Dragon", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Carbanak", "Chimera", "Cleaver", "Cobalt Group", "CopyKittens", "DarkHydrus", "DarkVishnya", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN5", "FIN6", "Ferocious Kitten", "GALLIUM", "Gorgon Group", "HEXANE", "Inception", "IndigoZebra", "Ke3chang", "Kimsuky", "LAPSUS$", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "Metador", "Moses Staff", "MuddyWater", "POLONIUM", "Patchwork", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "TA505", "TEMP.Veles", "Threat Group-3390", "Thrip", "Turla", "WIRTE", "Whitefly", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1588.002/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_nirsoft_advancedrun_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_nirsoft_advancedrun.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows NirSoft Utilities", "id": "5b2f4596-7d4c-11ec-88a7-acde48001122", "version": 1, "date": "2023-04-14", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following hunting analytic assists with identifying the proces execution of commonly used utilities from NirSoft. Potentially not adversary behavior, but worth identifying to know if the software is present and being used.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_path Processes.process_id Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `is_nirsoft_software` | `windows_nirsoft_utilities_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present. Filtering may be required before setting to alert.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/TA18-201A", "http://www.nirsoft.net/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"name": "Windows NirSoft Utilities", "analytic_story": ["Data Destruction", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Weaponization"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ related to NiRSoft software usage.", "mitre_attack_id": ["T1588.002"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1588.002", "mitre_attack_technique": "Tool", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT19", "APT28", "APT29", "APT32", "APT33", "APT38", "APT39", "APT41", "Aoqin Dragon", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Carbanak", "Chimera", "Cleaver", "Cobalt Group", "CopyKittens", "DarkHydrus", "DarkVishnya", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN5", "FIN6", "Ferocious Kitten", "GALLIUM", "Gorgon Group", "HEXANE", "Inception", "IndigoZebra", "Ke3chang", "Kimsuky", "LAPSUS$", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "Metador", "Moses Staff", "MuddyWater", "POLONIUM", "Patchwork", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "TA505", "TEMP.Veles", "Threat Group-3390", "Thrip", "Turla", "WIRTE", "Whitefly", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1588.002/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "is_nirsoft_software", "definition": "lookup update=true is_nirsoft_software filename as process_name OUTPUT nirsoftFile | search nirsoftFile=true", "description": "This macro is related to potentially identifiable software related to NirSoft. Remove or filter as needed based."}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_nirsoft_utilities_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_nirsoft_utilities.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Non-System Account Targeting Lsass", "id": "b1ce9a72-73cf-11ec-981b-acde48001122", "version": 2, "date": "2022-07-30", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies non SYSTEM accounts requesting access to lsass.exe. This behavior may be related to credential dumping or applications requiring access to credentials. Triaging this event will require understanding the GrantedAccess from the SourceImage. In addition, whether the account is privileged or not. Review the process requesting permissions and review parallel processes.", "data_source": ["Sysmon Event ID 1"], "search": "`sysmon` EventCode=10 TargetImage=*lsass.exe NOT (SourceUser=\"NT AUTHORITY\\\\*\") | stats count min(_time) as firstTime max(_time) as lastTime by Computer, TargetImage, GrantedAccess, SourceImage, SourceProcessId, SourceUser, TargetUser | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_non_system_account_targeting_lsass_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Enabling EventCode 10 TargetProcess lsass.exe is required.", "known_false_positives": "False positives will occur based on legitimate application requests, filter based on source image as needed.", "references": ["https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service", "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1", "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights?redirectedfrom=MSDN"], "tags": {"name": "Windows Non-System Account Targeting Lsass", "analytic_story": ["Credential Dumping"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "A process, $SourceImage$, has loaded $ImageLoaded$ that are typically related to credential dumping on $dest$. Review for further details.", "mitre_attack_id": ["T1003.001", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "ImageLoaded", "type": "Process", "role": ["Other"]}, {"name": "SourceImage", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Computer", "TargetImage", "GrantedAccess", "SourceImage", "SourceProcessId", "SourceUser", "TargetUser"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon_creddump.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_non_system_account_targeting_lsass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_non_system_account_targeting_lsass.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Windows Odbcconf Hunting", "id": "0562ad4b-fdaa-4882-b12f-7b8e0034cd72", "version": 1, "date": "2022-06-30", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies Odbcconf.exe running in the environment to assist with identifying tuning higher fidelity analytics related to Odbcconf.exe.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=odbcconf.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_odbcconf_hunting_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives will be present as this is meant to assist with filtering and tuning.", "references": ["https://strontic.github.io/xcyclopedia/library/odbcconf.exe-07FBA12552331355C103999806627314.html", "https://twitter.com/redcanary/status/1541838407894171650?s=20&t=kp3WBPtfnyA3xW7D7wx0uw"], "tags": {"name": "Windows Odbcconf Hunting", "analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 20, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to circumvent controls.", "mitre_attack_id": ["T1218.008"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 6, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.008", "mitre_attack_technique": "Odbcconf", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.008/atomic_red_team/windows-sysmon-odbc-regsvr.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_odbcconf_hunting_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_odbcconf_hunting.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Odbcconf Load DLL", "id": "141e7fca-a9f0-40fd-a539-9aac8be41f1b", "version": 1, "date": "2022-06-28", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies odbcconf.exe, Windows Open Database Connectivity utility, utilizing the action function of regsvr to load a DLL. An example will look like - odbcconf.exe /A { REGSVR T1218-2.dll }. During triage, review parent process, parallel procesess and file modifications.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=odbcconf.exe Processes.process IN (\"*/a *\", \"*-a*\") Processes.process=\"*regsvr*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_odbcconf_load_dll_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present and filtering may need to occur based on legitimate application usage. Filter as needed.", "references": ["https://strontic.github.io/xcyclopedia/library/odbcconf.exe-07FBA12552331355C103999806627314.html", "https://twitter.com/redcanary/status/1541838407894171650?s=20&t=kp3WBPtfnyA3xW7D7wx0uw"], "tags": {"name": "Windows Odbcconf Load DLL", "analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to circumvent controls.", "mitre_attack_id": ["T1218.008"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.008", "mitre_attack_technique": "Odbcconf", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.008/atomic_red_team/windows-sysmon-odbc-regsvr.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_odbcconf_load_dll_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_odbcconf_load_dll.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Odbcconf Load Response File", "id": "1acafff9-1347-4b40-abae-f35aa4ba85c1", "version": 1, "date": "2022-06-30", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the odbcconf.exe, Windows Open Database Connectivity utility, loading up a resource file. The file extension is arbitrary and may be named anything. The resource file itself may have different commands supported by Odbcconf to load up a DLL (REGSVR) on disk or additional commands. During triage, review file modifications and parallel processes.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=odbcconf.exe Processes.process IN (\"*-f *\",\"*/f *\") Processes.process=\"*.rsp*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_odbcconf_load_response_file_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present and filtering may need to occur based on legitimate application usage. Filter as needed.", "references": ["https://strontic.github.io/xcyclopedia/library/odbcconf.exe-07FBA12552331355C103999806627314.html", "https://twitter.com/redcanary/status/1541838407894171650?s=20&t=kp3WBPtfnyA3xW7D7wx0uw"], "tags": {"name": "Windows Odbcconf Load Response File", "analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to circumvent controls.", "mitre_attack_id": ["T1218.008"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process Name", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.008", "mitre_attack_technique": "Odbcconf", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.008/atomic_red_team/windows-sysmon-odbc-rsp.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_odbcconf_load_response_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_odbcconf_load_response_file.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Office Product Spawning MSDT", "id": "127eba64-c981-40bf-8589-1830638864a7", "version": 3, "date": "2023-02-15", "author": "Michael Haag, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a Microsoft Office product spawning the Windows msdt.exe process. MSDT is a Diagnostics Troubleshooting Wizard native to Windows. This behavior is related to a recently identified sample utilizing protocol handlers to evade preventative controls, including if macros are disabled in the document. During triage, review file modifications for html. In addition, parallel processes including PowerShell and CertUtil.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"winword.exe\",\"excel.exe\",\"powerpnt.exe\",\"outlook.exe\",\"mspub.exe\",\"visio.exe\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\") Processes.process_name=msdt.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_office_product_spawning_msdt_filter`", "how_to_implement": "how To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited, however filter as needed.", "references": ["https://isc.sans.edu/diary/rss/28694", "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", "https://twitter.com/nao_sec/status/1530196847679401984?s=20&t=ZiXYI4dQuA-0_dzQzSUb3A", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection", "https://strontic.github.io/xcyclopedia/library/msdt.exe-152D4C9F63EFB332CCB134C6953C0104.html", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/"], "tags": {"name": "Windows Office Product Spawning MSDT", "analytic_story": ["Spearphishing Attachments", "Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Delivery"], "message": "Office parent process $parent_process_name$ has spawned a child process $process_name$ on host $dest$.", "mitre_attack_id": ["T1566", "T1566.001"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "cve": ["CVE-2022-30190"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/msdt.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_office_product_spawning_msdt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-30190", "cvss": 9.3, "summary": "Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_office_product_spawning_msdt.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows PaperCut NG Spawn Shell", "id": "a602d9a2-aaea-45f8-bf0f-d851168d61ca", "version": 1, "date": "2023-05-15", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic is designed to detect instances where the PaperCut NG application (pc-app.exe) spawns a Windows shell, specifically cmd.exe or PowerShell. This behavior may indicate potential malicious activity, such as an attacker attempting to gain unauthorized access or execute harmful commands on the affected system.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=pc-app.exe `process_cmd` OR `process_powershell` OR Processes.process_name=java.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_papercut_ng_spawn_shell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present, but most likely not. Filter as needed.", "references": ["https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-and-fbi-release-joint-advisory-response-active-exploitation-papercut-vulnerability", "https://www.papercut.com/kb/Main/PO-1216-and-PO-1219"], "tags": {"name": "Windows PaperCut NG Spawn Shell", "analytic_story": ["PaperCut MF NG Vulnerability"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Installation", "Delivery"], "message": "The PaperCut NG application has spawned a shell $process_name$ on endpoint $dest$ by $user$.", "mitre_attack_id": ["T1059", "T1190", "T1133"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "atomic_guid": [], "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/papercut/papercutng-app-spawn_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "windows_papercut_ng_spawn_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_papercut_ng_spawn_shell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Password Managers Discovery", "id": "a3b3bc96-1c4f-4eba-8218-027cac739a48", "version": 1, "date": "2022-11-30", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies a process command line that retrieves information related to password manager software. This technique was seen in several post exploitation tools like winpeas that are being used by Ransomware Prestige to gather this type of information. Password Managers applications are designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk. Due to this password manager software designed adversaries may find or look for keywords related to the Password Manager databases that can be stolen or extracted for further attacks.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*dir *\" OR Processes.process = \"*findstr*\" AND Processes.process IN ( \"*.kdbx*\", \"*credential*\", \"*key3.db*\",\"*pass*\", \"*cred*\", \"*key4.db*\", \"*accessTokens*\", \"*access_tokens*\", \"*.htpasswd*\", \"*Ntds.dit*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_password_managers_discovery_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used.", "known_false_positives": "unknown", "references": ["https://attack.mitre.org/techniques/T1555/005/", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"name": "Windows Password Managers Discovery", "analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "a process with commandline $process$ that can retrieve information related to password manager databases in $dest$", "mitre_attack_id": ["T1555.005"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id", "Processes.parent_process_guid", "Processes.process_guid"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1555.005", "mitre_attack_technique": "Password Managers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Fox Kitten", "Threat Group-3390"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_search_pwd_db/dir-db-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_password_managers_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_password_managers_discovery.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Phishing PDF File Executes URL Link", "id": "2fa9dec8-9d8e-46d3-96c1-202c06f0e6e1", "version": 1, "date": "2023-01-18", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is developed to detect suspicious pdf viewer processes that have a browser application child processes. This event was seen in a pdf spear phishing attachment containing a malicious URL link to download the actual payload. When a user clicks the malicious link the pdf viewer application will execute a process of the host default browser to connect to the malicious site. This anomaly detection can be a good indicator that a possible pdf file has a link executed by a user. The pdf viewer and browser list in this detection is still in progress, add the common browser and pdf viewer you use in opening pdf in your network.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"AcroRd32.exe\", \"FoxitPDFReader.exe\") Processes.process_name IN (\"firefox.exe\", \"chrome.exe\", \"iexplore.exe\") by Processes.user Processes.parent_process_name Processes.process_name Processes.parent_process Processes.process Processes.process_id Processes.dest |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_phishing_pdf_file_executes_url_link_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives in PDF file opened PDF Viewer having legitimate URL link, however filter as needed.", "references": ["https://twitter.com/pr0xylife/status/1615382907446767616?s=20"], "tags": {"name": "Windows Phishing PDF File Executes URL Link", "analytic_story": ["Spearphishing Attachments"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Delivery"], "message": "a pdf file opened in pdf viewer process $parent_process_name$ has a child process of a browser $process_name$ in $dest$", "mitre_attack_id": ["T1566.001", "T1566"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/phishing_pdf_uri/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_phishing_pdf_file_executes_url_link_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Phishing Recent ISO Exec Registry", "id": "cb38ee66-8ae5-47de-bd66-231c7bbc0b2c", "version": 2, "date": "2022-09-19", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following hunting analytic identifies registry artifacts when an ISO container is opened, clicked or mounted on the Windows operating system. As Microsoft makes changes to macro based document execution, adversaries have begun to utilize container based initial access based phishing campaigns to evade preventative controls. Once the ISO is clicked or mounted it will create a registry artifact related to this event as a recent application executed or opened.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_key_name= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RecentDocs\\\\.iso\" OR Registry.registry_key_name= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RecentDocs\\\\.img\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_phishing_recent_iso_exec_registry_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be high depending on the environment and consistent use of ISOs. Restrict to servers, or filter out based on commonly used ISO names. Filter as needed.", "references": ["https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/", "https://isc.sans.edu/diary/Recent+AZORult+activity/25120", "https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html"], "tags": {"name": "Windows Phishing Recent ISO Exec Registry", "analytic_story": ["Brute Ratel C4", "AgentTesla", "Qakbot", "IcedID", "Azorult", "Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "An ISO file was mounted on $dest$ and should be reviewed and filtered as needed.", "mitre_attack_id": ["T1566.001", "T1566"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.user", "Registry.registry_path", "Registry.registry_value_data", "Registry.action", "Registry.dest"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_phishing_recent_iso_exec_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Possible Credential Dumping", "id": "e4723b92-7266-11ec-af45-acde48001122", "version": 3, "date": "2022-08-24", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic is an enhanced version of two previous analytics that identifies common GrantedAccess permission requests and CallTrace DLLs in order to detect credential dumping. \\\nGrantedAccess is the requested permissions by the SourceImage into the TargetImage. \\\nCallTrace Stack trace of where open process is called. Included is the DLL and the relative virtual address of the functions in the call stack right before the open process call. \\\ndbgcore.dll or dbghelp.dll are two core Windows debug DLLs that have minidump functions which provide a way for applications to produce crashdump files that contain a useful subset of the entire process context. \\\nThe idea behind using ntdll.dll is to blend in by using native api of ntdll.dll. For example in sekurlsa module there are many ntdll exported api, like RtlCopyMemory, used to execute this module which is related to lsass dumping.", "data_source": ["Sysmon Event ID 1"], "search": "`sysmon` EventCode=10 TargetImage=*\\\\lsass.exe GrantedAccess IN (\"0x01000\", \"0x1010\", \"0x1038\", \"0x40\", \"0x1400\", \"0x1fffff\", \"0x1410\", \"0x143a\", \"0x1438\", \"0x1000\") CallTrace IN (\"*dbgcore.dll*\", \"*dbghelp.dll*\", \"*ntdll.dll*\", \"*kernelbase.dll*\", \"*kernel32.dll*\") NOT SourceUser IN (\"NT AUTHORITY\\\\SYSTEM\", \"NT AUTHORITY\\\\NETWORK SERVICE\")| stats count min(_time) as firstTime max(_time) as lastTime by, Computer, SourceImage, GrantedAccess, TargetImage, SourceProcessId, SourceUser, TargetUser | rename Computer as dest | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `windows_possible_credential_dumping_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Enabling EventCode 10 TargetProcess lsass.exe is required.", "known_false_positives": "False positives will occur based on GrantedAccess 0x1010 and 0x1400, filter based on source image as needed or remove them. Concern is Cobalt Strike usage of Mimikatz will generate 0x1010 initially, but later be caught.", "references": ["https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service", "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1", "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights?redirectedfrom=MSDN", "https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1003.001_DumpLSASS/DumpLSASS.ps1"], "tags": {"name": "Windows Possible Credential Dumping", "analytic_story": ["Credential Dumping", "Detect Zerologon Attack", "DarkSide Ransomware", "CISA AA22-257A", "CISA AA22-264A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "A process, $SourceImage$, has loaded $ImageLoaded$ that are typically related to credential dumping on $dest$. Review for further details.", "mitre_attack_id": ["T1003.001", "T1003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "ImageLoaded", "type": "Process", "role": ["Other"]}, {"name": "SourceImage", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Computer", "TargetImage", "GrantedAccess", "SourceImage", "SourceProcessId", "SourceUser", "TargetUser"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon_creddump.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_possible_credential_dumping_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_possible_credential_dumping.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Windows PowerShell Add Module to Global Assembly Cache", "id": "3fc16961-97e5-4a5b-a079-e4ab0d9763eb", "version": 1, "date": "2023-01-18", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following PowerShell Script Block analytic identifies the native ability to add a DLL to the Windows Global Assembly Cache. Each computer where the Common Language Runtime is installed has a machine-wide code cache called the Global Assembly Cache. The Global Assembly Cache stores assemblies specifically designated to be shared by several applications on the computer. By adding a DLL to the GAC, this allows an adversary to call it via any other means across the operating systems. This is native and built into Windows. Per the Microsoft blog, the more high fidelity method may be to look for W3WP.exe spawning PowerShell that includes the same CommandLine as identified in this analytic.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText IN(\"*system.enterpriseservices.internal.publish*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_add_module_to_global_assembly_cache_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives may be present based on developers or third party utilities adding items to the GAC.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/"], "tags": {"name": "Windows PowerShell Add Module to Global Assembly Cache", "analytic_story": ["IIS Components"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation"], "message": "PowerShell was used to install a module to the Global Assembly Cache on $Computer$.", "mitre_attack_id": ["T1505", "T1505.004"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Computer", "EventCode"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/pwsh_publish_powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_powershell_add_module_to_global_assembly_cache_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_powershell_add_module_to_global_assembly_cache.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Powershell Cryptography Namespace", "id": "f8b482f4-6d62-49fa-a905-dfa15698317b", "version": 1, "date": "2023-01-26", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is processing cryptography namespace library. This technique was seen in several powershell malware, loader, downloader and stager that will decrypt or decode the next malicious stager or the actual payload. This Anomaly detection can be a good indicator that a powershell process to decrypt code. We recommend to further check the parent_process_name, the file or data it tries to decrypt, network connection and user who execute the script.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*System.Security.Cryptography*\" AND NOT(ScriptBlockText IN (\"*SHA*\", \"*MD5*\", \"*DeriveBytes*\")) | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_cryptography_namespace_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives should be limited. Filter as needed.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"name": "Windows Powershell Cryptography Namespace", "analytic_story": ["AsyncRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "A suspicious powershell script contains cryptography command in $ScriptBlockText$ with EventCode $EventCode$ in host $Computer$", "mitre_attack_id": ["T1059.001", "T1059"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCodes"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/asyncrat_crypto_pwh_namespace/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_powershell_cryptography_namespace_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_powershell_cryptography_namespace.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows PowerShell Disable HTTP Logging", "id": "27958de0-2857-43ca-9d4c-b255cf59dcab", "version": 1, "date": "2022-12-21", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analtyic identifies the use of get-WebConfigurationProperty and Set-ItemProperty attempting to disable HTTP logging on windows via PowerShell. Adversaries may perform this action to disable HTTP logging to cover tracks and delete logs on disk.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText IN(\"*get-WebConfigurationProperty*\",\"*Set-ItemProperty*\") AND ScriptBlockText IN (\"*httpLogging*\",\"*Logfile.enabled*\") AND ScriptBlockText IN (\"*dontLog*\", \"*false*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_disable_http_logging_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "It is possible administrators or scripts may run these commands, filtering may be required.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union"], "tags": {"name": "Windows PowerShell Disable HTTP Logging", "analytic_story": ["IIS Components", "Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "message": "A PowerShell Cmdlet related to disable or modifying a IIS HTTP logging has occurred on $Computer$.", "mitre_attack_id": ["T1562", "T1562.002", "T1505", "T1505.004"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Computer", "EventCode"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1562.002", "mitre_attack_technique": "Disable Windows Event Logging", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound", "Threat Group-3390"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/4104_disable_http_logging_windows-powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_powershell_disable_http_logging_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_powershell_disable_http_logging.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows PowerShell Export Certificate", "id": "5e38ded4-c964-41f4-8cb6-4a1a53c6929f", "version": 1, "date": "2023-02-01", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies the PowerShell Cmdlet export-certificate utilizing Script Block Logging. This particular behavior is related to an adversary attempting to steal certificates local to the Windows endpoint within the Certificate Store.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*export-certificate*\") | rename Computer as dest | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_export_certificate_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "It is possible administrators or scripts may run these commands, filtering may be required.", "references": ["https://dev.to/iamthecarisma/managing-windows-pfx-certificates-through-powershell-3pj", "https://learn.microsoft.com/en-us/powershell/module/pki/export-certificate?view=windowsserver2022-ps"], "tags": {"name": "Windows PowerShell Export Certificate", "analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "A PowerShell Cmdlet related to exporting a Certificate was ran on $dest$, attempting to export a certificate.", "mitre_attack_id": ["T1552.004", "T1552", "T1649"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "dest", "EventCode"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1552.004", "mitre_attack_technique": "Private Keys", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_powershell_export_certificate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_powershell_export_certificate.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows PowerShell Export PfxCertificate", "id": "ed06725f-6da6-439f-9dcc-ab30e891297c", "version": 1, "date": "2023-02-01", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies the PowerShell Cmdlet export-pfxcertificate utilizing Script Block Logging. This particular behavior is related to an adversary attempting to steal certificates local to the Windows endpoint within the Certificate Store.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*export-pfxcertificate*\") | rename Computer as dest | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_export_pfxcertificate_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "It is possible administrators or scripts may run these commands, filtering may be required.", "references": ["https://dev.to/iamthecarisma/managing-windows-pfx-certificates-through-powershell-3pj", "https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps"], "tags": {"name": "Windows PowerShell Export PfxCertificate", "analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "A PowerShell Cmdlet related to exporting a PFX Certificate was ran on $dest$, attempting to export a certificate.", "mitre_attack_id": ["T1552.004", "T1552", "T1649"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "dest", "EventCode"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1552.004", "mitre_attack_technique": "Private Keys", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4104_export_pfxcertificate.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_powershell_export_pfxcertificate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_powershell_export_pfxcertificate.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows PowerShell Get CIMInstance Remote Computer", "id": "d8c972eb-ed84-431a-8869-ca4bd83257d1", "version": 1, "date": "2023-03-27", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic identifies the use of Get-CimInstance cmdlet with the -ComputerName parameter, which indicates that the cmdlet is being used to retrieve information from a remote computer. This can be useful for detecting instances of remote access, such as when an attacker uses PowerShell to connect to a remote system and gather information. By monitoring for this cmdlet with the -ComputerName parameter, security analysts can identify potential malicious activity on remote systems and take appropriate action to mitigate any threats.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText=\"*get-ciminstance*\" AND ScriptBlockText=\"*computername*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_get_ciminstance_remote_computer_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "This is meant to be a low risk RBA anomaly analytic or to be used for hunting. Enable this with a low risk score and let it generate risk in the risk index.", "references": ["https://learn.microsoft.com/en-us/powershell/module/cimcmdlets/get-ciminstance?view=powershell-7.3"], "tags": {"name": "Windows PowerShell Get CIMInstance Remote Computer", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Installation"], "message": "A PowerShell Cmdlet Get-CIMInstnace was ran on $Computer$, attempting to connect to a remote host.", "mitre_attack_id": ["T1059.001"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Computer", "EventCode"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/get_ciminstance_windows-powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_powershell_get_ciminstance_remote_computer_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_powershell_get_ciminstance_remote_computer.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows PowerShell IIS Components WebGlobalModule Usage", "id": "33fc9f6f-0ce7-4696-924e-a69ec61a3d57", "version": 1, "date": "2022-12-21", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies the usage of PowerShell Cmdlets - New-WebGlobalModule, Enable-WebGlobalModule and Set-WebGlobalModule being utilized to create (new), enable (start) or modify a current IIS Module. These commands are equivalent to AppCmd.exe parameters. Adversaries may utilize these cmdlets as they are lesser known and perform the same activity as AppCmd.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText IN(\"*New-WebGlobalModule*\",\"*Enable-WebGlobalModule*\",\"*Set-WebGlobalModule*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_iis_components_webglobalmodule_usage_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "It is possible administrators or scripts may run these commands, filtering may be required.", "references": ["https://learn.microsoft.com/en-us/powershell/module/webadministration/new-webglobalmodule?view=windowsserver2022-ps", "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union", "https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1505.004"], "tags": {"name": "Windows PowerShell IIS Components WebGlobalModule Usage", "analytic_story": ["IIS Components"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation"], "message": "A PowerShell Cmdlet related to enabling, creating or modifying a IIS module has occurred on $Computer$.", "mitre_attack_id": ["T1505", "T1505.004"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Computer", "EventCode"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/4104_windows-powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_powershell_iis_components_webglobalmodule_usage_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_powershell_iis_components_webglobalmodule_usage.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Powershell Import Applocker Policy", "id": "102af98d-0ca3-4aa4-98d6-7ab2b98b955a", "version": 1, "date": "2022-06-30", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic is to identify the imports of Windows PowerShell Applocker commandlets. This technique was seen in Azorult malware where it drops an xml Applocker policy that will deny several AV product and then loaded using PowerShell Applocker commandlet.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText=\"*Import-Module Applocker*\" ScriptBlockText=\"*Set-AppLockerPolicy *\" ScriptBlockText=\"* -XMLPolicy *\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_import_applocker_policy_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "administrators may execute this command that may cause some false positive.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"name": "Windows Powershell Import Applocker Policy", "analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A PowerShell script contains Import Applocker Policy command $ScriptBlockText$ with EventCode $EventCode$ in host $Computer$", "mitre_attack_id": ["T1059.001", "T1059", "T1562.001", "T1562"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Computer", "EventCode"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/import_applocker_policy/windows-powershell-xml2.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_powershell_import_applocker_policy_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_powershell_import_applocker_policy.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows PowerShell ScheduleTask", "id": "ddf82fcb-e9ee-40e3-8712-a50b5bf323fc", "version": 1, "date": "2023-06-12", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic detects potential malicious activities related to PowerShell's task scheduling cmdlets. It looks for anomalies in PowerShell logs, specifically EventCode 4104, associated with script block logging. The analytic flags unusual or suspicious use patterns of key task-related cmdlets such as 'New-ScheduledTask', 'Set-ScheduledTask', and others, which are often used by attackers for persistence and remote execution of malicious code. If a true positive is found, it suggests an possible attacker is attempting to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, PowerShell Script Block Logging needs to be enabled on some or all endpoints. Analysts should be aware of benign administrative tasks that can trigger alerts and tune the analytic accordingly to reduce false positives. Upon triage, review the PowerShell logs for any unusual or unexpected cmdlet usage, IP addresses, user accounts, or timestamps. If these factors align with known malicious behavior patterns, immediate mitigation steps, such as isolation of the affected systems, user account changes, and relevant threat hunting activities, should be initiated. This proactive analysis significantly enhances an organization's capacity to swiftly respond to, and potentially prevent, the execution of advanced persistent threats in their network.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*New-ScheduledTask*\", \"*New-ScheduledTaskAction*\", \"*New-ScheduledTaskSettingsSet*\", \"*New-ScheduledTaskTrigger*\", \"*Register-ClusteredScheduledTask*\", \"*Register-ScheduledTask*\", \"*Set-ClusteredScheduledTask*\", \"*Set-ScheduledTask*\", \"*Start-ScheduledTask*\", \"*Enable-ScheduledTask*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_scheduletask_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Benign administrative tasks can also trigger alerts, necessitating a firm understanding of the typical system behavior and precise tuning of the analytic to reduce false positives.", "references": ["https://learn.microsoft.com/en-us/powershell/module/scheduledtasks/?view=windowsserver2022-ps", "https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/"], "tags": {"name": "Windows PowerShell ScheduleTask", "analytic_story": ["Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "message": "The PowerShell cmdlets related to task creation, modification and start occurred on $Computer$ by $user_id$.", "mitre_attack_id": ["T1053.005", "T1059.001", "T1059"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "user_id", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Computer", "EventCode"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "atomic_guid": ["af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/atomic_red_team/pwsh_scheduledtask.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_powershell_scheduletask_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_powershell_scheduletask.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows PowerShell WMI Win32 ScheduledJob", "id": "47c69803-2c09-408b-b40a-063c064cbb16", "version": 1, "date": "2023-03-27", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic detects the use of the PowerShell script block logging mechanism to detect the use of the Win32_ScheduledJob WMI class. This class allows the creation and management of scheduled tasks on Windows systems. However, due to security concerns, the class has been disabled by default in Windows systems, and its use must be explicitly enabled by modifying the registry. As a result, the detection of the use of this class may indicate malicious activity, especially if the class was enabled on the system by the attacker. Therefore, it is recommended to monitor the use of Win32_ScheduledJob through PowerShell script block logging and to investigate any suspicious activity.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText=\"*win32_scheduledjob*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_wmi_win32_scheduledjob_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "False positives may be present based on legacy applications or utilities. Win32_ScheduledJob uses the Remote Procedure Call (RPC) protocol to create scheduled tasks on remote computers. It uses the DCOM (Distributed Component Object Model) infrastructure to establish a connection with the remote computer and invoke the necessary methods. The RPC service needs to be running on both the local and remote computers for the communication to take place.", "references": ["https://securityonline.info/wmiexec-regout-get-outputdata-response-from-registry/", "https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob"], "tags": {"name": "Windows PowerShell WMI Win32 ScheduledJob", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Installation"], "message": "PowerShell attempting to create a task via WMI - Win32_ScheduledJob, was ran on $dest$.", "mitre_attack_id": ["T1059.001", "T1059"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "dest", "EventCode"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/win32_scheduledjob_windows-powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_powershell_wmi_win32_scheduledjob_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_powershell_wmi_win32_scheduledjob.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows PowerSploit GPP Discovery", "id": "0130a0df-83a1-4647-9011-841e950ff302", "version": 1, "date": "2023-03-16", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of the Get-GPPPassword PowerShell commandlet employed to search for unsecured credentials Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts. These group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public). While Microsoft released a patch that impedes Administrators to create unsecure credentials, existing Group Policy Preferences files with passwords are not removed from SYSVOL.", "data_source": ["Powershell 4104"], "search": " `powershell` EventCode=4104 (ScriptBlockText=Get-GPPPassword OR ScriptBlockText=Get-CachedGPPPassword) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powersploit_gpp_discovery_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Unknown", "references": ["https://attack.mitre.org/techniques/T1552/006/", "https://pentestlab.blog/2017/03/20/group-policy-preferences/", "https://adsecurity.org/?p=2288", "https://www.hackingarticles.in/credential-dumping-group-policy-preferences-gpp/", "https://adsecurity.org/?p=2288", "https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30"], "tags": {"name": "Windows PowerSploit GPP Discovery", "analytic_story": ["Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Commandlets leveraged to discover GPP credentials were executed on $Computer$", "mitre_attack_id": ["T1552", "T1552.006"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "UserID", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ScriptBlockText", "Opcode", "Computer", "UserID"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1552.006", "mitre_attack_technique": "Group Policy Preferences", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.006/powershell_gpp_discovery/win-powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_powersploit_gpp_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_powersploit_gpp_discovery.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows PowerView AD Access Control List Enumeration", "id": "39405650-c364-4e1e-a740-32a63ef042a6", "version": 1, "date": "2023-04-20", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic leverages Event ID 4104 to identify the execution of the PowerView powershell commandlets `Get-ObjectAcl` or `Get-DomainObjectAcl`. This commandlets are used to enumerate Access Control List permissions given to Active Directory objects. In an active directory environment, an object is an entity that represents an available resource within the organizations network, such as domain controllers, users, groups, computers, shares, etc. Maintaining Active Directory permissions is complicated and hard to manage, especially in complex and large environments with multiple domains. Weak permissions may allow adversaries and red teamers to escalate their privileges in Active Directory. PowerView is a common tool leveraged by attackers to identify and exploit configuration weaknesses.", "data_source": ["Powershell 4104"], "search": " `powershell` EventCode=4104 (ScriptBlockText=*get-objectacl* OR ScriptBlockText=*Get-DomainObjectAcl* ) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_ad_access_control_list_enumeration_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.=", "known_false_positives": "Administrators may leverage PowerView for legitimate purposes, filter as needed.", "references": ["https://attack.mitre.org/techniques/T1078/002/", "https://medium.com/r3d-buck3t/enumerating-access-controls-in-active-directory-c06e2efa8b89", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces", "https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainObjectAcl/"], "tags": {"name": "Windows PowerView AD Access Control List Enumeration", "analytic_story": ["Active Directory Discovery", "Active Directory Privilege Escalation"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "PowerView AD acccess control list enumeration detected on $Computer$", "mitre_attack_id": ["T1078.002", "T1069"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ScriptBlockText", "Opcode", "UserID"], "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "Chimera", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "Wizard Spider"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/powerview_acl_enumeration/windows-powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_powerview_ad_access_control_list_enumeration_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_powerview_ad_access_control_list_enumeration.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows PowerView Constrained Delegation Discovery", "id": "86dc8176-6e6c-42d6-9684-5444c6557ab3", "version": 1, "date": "2022-03-31", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify commandlets used by the PowerView hacking tool leveraged to discover Windows endpoints with Kerberos Constrained Delegation. Red Teams and adversaries alike may leverage use this technique for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (Message = \"*Get-DomainComputer*\" OR Message = \"*Get-NetComputer*\") AND (Message = \"*-TrustedToAuth*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_constrained_delegation_discovery_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may leverage PowerView for system management or troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://adsecurity.org/?p=1667", "https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unconstrained-kerberos", "https://www.guidepointsecurity.com/blog/delegating-like-a-boss-abusing-kerberos-delegation-in-active-directory/", "https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/constrained-delegation", "https://www.cyberark.com/resources/threat-research-blog/weakness-within-kerberos-delegation"], "tags": {"name": "Windows PowerView Constrained Delegation Discovery", "analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Suspicious PowerShell Get-DomainComputer was identified on endpoint $ComputerName$", "mitre_attack_id": ["T1018"], "nist": ["DE.CM"], "observable": [{"name": "ComputerName", "type": "Hostname", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Message", "ComputerName", "User"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/constrained/windows-powershell.log", "source": "WinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_powerview_constrained_delegation_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_powerview_constrained_delegation_discovery.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows PowerView Kerberos Service Ticket Request", "id": "970455a1-4ac2-47e1-a9a5-9e75443ddcb9", "version": 1, "date": "2022-06-22", "author": "Gowthamaraj Rajendran, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainSPNTicket` commandlets with specific parameters. This commandlet is a part of PowerView, a PowerShell tool used to perform enumeration and discovery on Windows Active Directory networks. As the name suggests, this commandlet is used to request the kerberos ticket for a specified service principal name (SPN). Once the ticket is received, it may be cracked using password cracking tools like hashcat to extract the password of the SPN account. Red Teams and adversaries alike may leverage PowerView and these commandlets to identify accounts that can be attacked with the Kerberoasting technique.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText=*Get-DomainSPNTicket* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_kerberos_service_ticket_request_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "False positive may include Administrators using PowerView for troubleshooting and management.", "references": ["https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainSPNTicket/", "https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/kerberoast", "https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting", "https://attack.mitre.org/techniques/T1558/003"], "tags": {"name": "Windows PowerView Kerberos Service Ticket Request", "analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "PowerView commandlets used for requesting SPN service ticket executed on $Computer$", "mitre_attack_id": ["T1558", "T1558.003"], "nist": ["DE.CM"], "observable": [{"name": "Client_Address", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Computer", "ScriptBlockText"], "risk_score": 27, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/powerview/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_powerview_kerberos_service_ticket_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_powerview_kerberos_service_ticket_request.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows PowerView SPN Discovery", "id": "a7093c28-796c-4ebb-9997-e2c18b870837", "version": 1, "date": "2022-06-22", "author": "Gowthamaraj Rajendran, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` or `Get-NetUSer` commandlets with specific parameters. These commandlets are part of PowerView, a PowerShell tool used to perform enumeration and discovery on Windows Active Directory networks. As the names suggest, these commandlets are used to identify domain users in a network and combining them with the `-SPN` parameter allows adversaries to discover domain accounts associated with a Service Principal Name (SPN). Red Teams and adversaries alike may leverage PowerView and these commandlets to identify accounts that can be attacked with the Kerberoasting technique.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (ScriptBlockText =*Get-NetUser* OR ScriptBlockText=*Get-DomainUser*) ScriptBlockText= *-SPN* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_powerview_spn_discovery_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "False positive may include Administrators using PowerView for troubleshooting and management.", "references": ["https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/kerberoast", "https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting", "https://attack.mitre.org/techniques/T1558/003"], "tags": {"name": "Windows PowerView SPN Discovery", "analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "PowerView commandlets used for SPN discovery executed on $Computer$", "mitre_attack_id": ["T1558", "T1558.003"], "nist": ["DE.CM"], "observable": [{"name": "Client_Address", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Computer", "ScriptBlockText"], "risk_score": 27, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/powerview-2/windows-powershell.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_powerview_spn_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_powerview_spn_discovery.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows PowerView Unconstrained Delegation Discovery", "id": "fbf9e47f-e531-4fea-942d-5c95af7ed4d6", "version": 1, "date": "2022-03-28", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify commandlets used by the PowerView hacking tool leveraged to discover Windows endpoints with Kerberos Unconstrained Delegation. Red Teams and adversaries alike may leverage use this technique for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 (Message = \"*Get-DomainComputer*\" OR Message = \"*Get-NetComputer*\") AND (Message = \"*-Unconstrained*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_unconstrained_delegation_discovery_filter`", "how_to_implement": "The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may leverage PowerView for system management or troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1018/", "https://adsecurity.org/?p=1667", "https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unconstrained-kerberos", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation", "https://www.cyberark.com/resources/threat-research-blog/weakness-within-kerberos-delegation"], "tags": {"name": "Windows PowerView Unconstrained Delegation Discovery", "analytic_story": ["Active Directory Kerberos Attacks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Suspicious PowerShell Get-DomainComputer was identified on endpoint $ComputerName$", "mitre_attack_id": ["T1018"], "nist": ["DE.CM"], "observable": [{"name": "ComputerName", "type": "Hostname", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Message", "ComputerName", "User"], "risk_score": 35, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/unconstrained/windows-powershell.log", "source": "WinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_powerview_unconstrained_delegation_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_powerview_unconstrained_delegation_discovery.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Private Keys Discovery", "id": "5c1c2877-06c0-40ee-a1a2-db71f1372b5b", "version": 1, "date": "2022-11-30", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a process command line that retrieves information related to private keys files. This technique was seen in several post exploitation tools like winpeas that are being used by Ransomware Prestige to search for private key certificates on the compromised host for insecurely stored credentials. This files can be used by adversaries to gain privileges, persistence or remote service authentication to collect more sensitive information. Some private keys required password for operation, so in this case adversaries may need to have that passphrase either via keylogging or brute force attack.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*dir *\" OR Processes.process = \"*findstr*\" AND Processes.process IN ( \"*.rdg*\", \"*.gpg*\", \"*.pgp*\", \"*.p12*\", \"*.der*\", \"*.csr*\", \"*.cer*\", \"*.ovpn*\", \"*.key*\", \"*.ppk*\", \"*.p12*\", \"*.pem*\", \"*.pfx*\", \"*.p7b*\", \"*.asc*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_private_keys_discovery_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used.", "known_false_positives": "unknown", "references": ["https://attack.mitre.org/techniques/T1552/004/", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"name": "Windows Private Keys Discovery", "analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "a process with commandline $process$ that can retrieve information related to private keys in $dest$", "mitre_attack_id": ["T1552.004", "T1552"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id", "Processes.parent_process_guid", "Processes.process_guid"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1552.004", "mitre_attack_technique": "Private Keys", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_search_private_key/dir-private-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_private_keys_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_private_keys_discovery.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Process Injection into Notepad", "id": "b8340d0f-ba48-4391-bea7-9e793c5aae36", "version": 1, "date": "2023-02-22", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic utilizes Sysmon to identify process injection into Notepad.exe, based on GrantedAccess requests - 0x40 and 0x1fffff. This particular behavior is attributed to the defaults of the SliverC2 framework by BishopFox. By default, the analytic filters out any SourceImage paths of System32, Syswow64 and program files. Add more as needed, or remove and monitor what is consistently injecting into notepad.exe. This particular behavior will occur from a source image that is the initial payload dropped.", "data_source": ["Sysmon Event ID 10"], "search": "`sysmon` EventCode=10 TargetImage IN (*\\\\notepad.exe) NOT (SourceImage IN (\"*\\\\system32\\\\*\",\"*\\\\syswow64\\\\*\",\"*\\\\Program Files\\\\*\")) GrantedAccess IN (\"0x40\",\"0x1fffff\") | stats count min(_time) as firstTime max(_time) as lastTime by dest SourceImage TargetImage GrantedAccess CallTrace | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_into_notepad_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "False positives may be present based on SourceImage paths. If removing the paths is important, realize svchost and many native binaries inject into notepad consistently. Restrict or tune as needed.", "references": ["https://dominicbreuker.com/post/learning_sliver_c2_08_implant_basics/", "https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors"], "tags": {"name": "Windows Process Injection into Notepad", "analytic_story": ["BishopFox Sliver Adversary Emulation Framework"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 40, "kill_chain_phases": ["Exploitation"], "message": "An instance of $SourceImage$ injecting into $TargetImage$ was identified on endpoint $dest$.", "mitre_attack_id": ["T1055", "T1055.002"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Parent Process"]}, {"name": "TargetImage", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "SourceImage", "TargetImage", "GrantedAccess", "CallTrace"], "risk_score": 32, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1055.002", "mitre_attack_technique": "Portable Executable Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Gorgon Group", "Rocke"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/sliver/T1055_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_process_injection_into_notepad_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_process_injection_into_notepad.yml", "source": "endpoint"}, {"name": "Windows Process Injection Of Wermgr to Known Browser", "id": "aec755a5-3a2c-4be0-ab34-6540e68644e9", "version": 1, "date": "2022-10-28", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies the suspicious Remote Thread execution of wermgr.exe process to \"firefox.exe\", \"chrome.exe\" and other known browsers. This technique was seen in Qakbot malware that executes its malicious code by injecting its code in legitimate Windows Operating System processes such as wermgr.exe to steal information in the compromised host. This TTP detection can be a good pivot to detect wermgr.exe process injected with qakbot code that tries to remote thread code execution in known browsers like firefox and edge which is not a common behavior of this wermgr.exe application.", "data_source": ["Sysmon Event ID 8"], "search": "`sysmon` EventCode=8 SourceImage = \"*\\\\wermgr.exe\" TargetImage IN (\"*\\\\firefox.exe\", \"*\\\\chrome.exe\", \"*\\\\iexplore.exe\",\"*\\\\microsoftedgecp.exe\") | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage SourceProcessGuid SourceProcessId StartAddress StartFunction TargetProcessGuid TargetProcessId EventCode Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_of_wermgr_to_known_browser_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the SourceImage, TargetImage, and EventCode executions from your endpoints related to create remote thread or injecting codes. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "references": ["https://news.sophos.com/en-us/2022/03/10/qakbot-decoded/", "https://www.trellix.com/en-us/about/newsroom/stories/research/demystifying-qbot-malware.html"], "tags": {"name": "Windows Process Injection Of Wermgr to Known Browser", "analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "wermgr.exe process $SourceImage$ create a remote thread to a browser process $TargetImage$ in host $Computer$", "mitre_attack_id": ["T1055.001", "T1055"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "SourceImage", "TargetImage", "SourceProcessGuid", "SourceProcessId", "StartAddress", "StartFunction", "TargetProcessGuid", "TargetProcessId", "EventCode", "Computer"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055.001", "mitre_attack_technique": "Dynamic-link Library Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["BackdoorDiplomacy", "Lazarus Group", "Leviathan", "Putter Panda", "TA505", "Tropic Trooper", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/remote_thread/sysmon_wermgr_remote.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_process_injection_of_wermgr_to_known_browser_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_process_injection_of_wermgr_to_known_browser.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Windows Process Injection Remote Thread", "id": "8a618ade-ca8f-4d04-b972-2d526ba59924", "version": 1, "date": "2023-06-15", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a suspicious remote thread execution in some process being abused by threat actor and malware like qakbot. Qakbot is one of the malware using this technique to load its malicious dll module or malicious code in the targeted host. This TTP can be a good pivot to verify what is the behavior of the targeted Image process after this detection trigger. look for network connection, child process execution, file access and many more that helps to verify the indication of malware infection.", "data_source": ["Sysmon Event ID 8"], "search": "`sysmon` EventCode=8 TargetImage IN (\"*\\\\Taskmgr.exe\", \"*\\\\calc.exe\", \"*\\\\notepad.exe\", \"*\\\\rdpclip.exe\", \"*\\\\explorer.exe\", \"*\\\\wermgr.exe\", \"*\\\\ping.exe\", \"*\\\\OneDriveSetup.exe\", \"*\\\\dxdiag.exe\", \"*\\\\mobsync.exe\", \"*\\\\msra.exe\", \"*\\\\xwizard.exe\",\"*\\\\cmd.exe\", \"*\\\\powershell.exe\") | stats count min(_time) as firstTime max(_time) as lastTime by TargetImage TargetProcessId SourceProcessId EventCode StartAddress SourceImage Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_remote_thread_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records process activity from your hosts like remote thread EventCode=8 of sysmon. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "references": ["https://twitter.com/pr0xylife/status/1585612370441031680?s=46&t=Dc3CJi4AnM-8rNoacLbScg", "https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/"], "tags": {"name": "Windows Process Injection Remote Thread", "analytic_story": ["Qakbot", "Graceful Wipe Out Attack"], "asset_type": "80", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "process $SourceImage$ create a remote thread to process $TargetImage$ on host $Computer$", "mitre_attack_id": ["T1055", "T1055.002"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Attacker"]}, {"name": "TargetImage", "type": "Process", "role": ["Target"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "SourceImage", "TargetImage", "TargetProcessId", "SourceProcessId", "StartAddress", "EventCode", "Computer", "signature", "TargetProcessGuid", "SourceProcessGuid", "StartAddress"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1055.002", "mitre_attack_technique": "Portable Executable Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Gorgon Group", "Rocke"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_wermgr2/sysmon_wermgr2.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_process_injection_remote_thread_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_process_injection_remote_thread.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Windows Process Injection Wermgr Child Process", "id": "360ae6b0-38b5-4328-9e2b-bc9436cddb17", "version": 1, "date": "2022-10-27", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a suspicious wermgr.exe parent process having a child process not related to error, fault or windows werfault event. This technique was seen in Qakbot malware where it inject its malicious code in wermgr to evade detections and hide from the analyst to execute its recon and its malicious behavior. This Anomaly detection can be a good pivot to start investigating a possible qakbot infection in the network. The Wermgr.exe process is not known to have other child processes aside from itself or werfault.exe", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = \"wermgr.exe\" AND NOT (Processes.process_name IN (\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_wermgr_child_process_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "references": ["https://twitter.com/pr0xylife/status/1585612370441031680?s=46&t=Dc3CJi4AnM-8rNoacLbScg"], "tags": {"name": "Windows Process Injection Wermgr Child Process", "analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "wermgr parent process has a child process $process_name$ in $dest$", "mitre_attack_id": ["T1055"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_wermgr/sysmon_wermgr.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_process_injection_wermgr_child_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_process_injection_wermgr_child_process.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Process Injection With Public Source Path", "id": "492f09cf-5d60-4d87-99dd-0bc325532dda", "version": 1, "date": "2022-08-24", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies a process in a non-standard file path on Windows attempting to create a remote thread into a process. This Windows API,CreateRemoteThread, is commonly used by adversaries for process injection to evade detections or gain privilege escalation.", "data_source": ["Sysmon Event ID 8"], "search": "`sysmon` EventCode=8 TargetImage = \"*.exe\" AND NOT(SourceImage IN(\"C:\\\\Windows\\\\*\", \"C:\\\\Program File*\", \"%systemroot%\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage signature TargetProcessGuid SourceProcessGuid TargetProcessId SourceProcessId StartAddress EventCode Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_with_public_source_path_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Some security products or third party applications may utilize CreateRemoteThread, filter as needed before enabling as a notable.", "references": ["https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/"], "tags": {"name": "Windows Process Injection With Public Source Path", "analytic_story": ["Brute Ratel C4"], "asset_type": "80", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "process $SourceImage$ create a remote thread to process $TargetImage$ on host $Computer$", "mitre_attack_id": ["T1055", "T1055.002"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "SourceImage", "type": "Process", "role": ["Attacker"]}, {"name": "TargetImage", "type": "Process", "role": ["Target"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "SourceImage", "TargetImage", "TargetProcessId", "SourceProcessId", "StartAddress", "EventCode", "Computer", "signature", "TargetProcessGuid", "SourceProcessGuid", "StartAddress"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1055.002", "mitre_attack_technique": "Portable Executable Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Gorgon Group", "Rocke"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/create_remote_thread/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_process_injection_with_public_source_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_process_injection_with_public_source_path.yml", "source": "endpoint"}, {"name": "Windows Process With NamedPipe CommandLine", "id": "e64399d4-94a8-11ec-a9da-acde48001122", "version": 1, "date": "2022-02-23", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to look for process commandline that contains named pipe. This technique was seen in some adversaries, threat actor and malware like olympic destroyer to communicate to its other child processes after process injection that serve as defense evasion and privilege escalation. On the other hand this analytic may catch some normal process that using this technique for example browser application. In that scenario we include common process path we've seen during testing that cause false positive which is the program files. False positive may still be arise if the normal application is in other folder path.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \"*\\\\\\\\.\\\\pipe\\\\*\" NOT (Processes.process_path IN (\"*\\\\program files*\")) by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_path Processes.process_guid Processes.parent_process_id Processes.dest Processes.user Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_with_namedpipe_commandline_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Normal browser application may use this technique. Please update the filter macros to remove false positives.", "references": ["https://blog.talosintelligence.com/2018/02/olympic-destroyer.html"], "tags": {"name": "Windows Process With NamedPipe CommandLine", "analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Process with named pipe in $process$ on $dest$", "mitre_attack_id": ["T1055"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id", "Processes.process_guid"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/olympic_destroyer/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_process_with_namedpipe_commandline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_process_with_namedpipe_commandline.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Processes Killed By Industroyer2 Malware", "id": "d8bea5ca-9d4a-4249-8b56-64a619109835", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic is to look for known processes killed by industroyer2 malware. This technique was seen in the industroyer2 malware attack that tries to kill several processes of windows host machines related to the energy facility network. This anomaly might be a good indicator to check which process kill these processes or why the process was killed.", "data_source": ["Sysmon Event ID 5"], "search": "`sysmon` EventCode=5 process_name IN (\"PServiceControl.exe\", \"PService_PPD.exe\") | stats min(_time) as firstTime max(_time) as lastTime count by process_name process process_path process_guid process_id EventCode dest user_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_processes_killed_by_industroyer2_malware_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required.", "known_false_positives": "False positives are possible if legitimate applications are allowed to terminate this process during testing or updates. Filter as needed based on paths that are used legitimately.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/"], "tags": {"name": "Windows Processes Killed By Industroyer2 Malware", "analytic_story": ["Data Destruction", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Actions on Objectives"], "message": "process was terminated $process_name$ in $dest$", "mitre_attack_id": ["T1489"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id", "Processes.process_guid"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/industroyer2/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_processes_killed_by_industroyer2_malware_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_processes_killed_by_industroyer2_malware.yml", "source": "endpoint"}, {"name": "Windows Protocol Tunneling with Plink", "id": "8aac5e1e-0fab-4437-af0b-c6e60af23eed", "version": 1, "date": "2022-09-15", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of Plink being utilized to proxy egress or laterally in an organization. The analytic is limited to specific Plink options on the command-line, including -R -L and -D which will have the remote and local IP address or port and -l for a username. Modify the options as seen fit for your organization.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=plink.exe OR Processes.original_file_name=Plink Processes.process IN (\"*-R *\", \"*-L *\", \"*-D *\", \"*-l *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_protocol_tunneling_with_plink_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present if the organization allows for SSH tunneling outbound or internally. Filter as needed.", "references": ["https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html", "https://attack.mitre.org/techniques/T1572/", "https://documentation.help/PuTTY/using-cmdline-portfwd.html#S3.8.3.5"], "tags": {"name": "Windows Protocol Tunneling with Plink", "analytic_story": ["CISA AA22-257A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Command And Control", "Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to tunnel to a remote destination.", "mitre_attack_id": ["T1572", "T1021.004"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1572", "mitre_attack_technique": "Protocol Tunneling", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Chimera", "Cobalt Group", "FIN6", "Fox Kitten", "Leviathan", "Magic Hound", "OilRig"]}, {"mitre_attack_id": "T1021.004", "mitre_attack_technique": "SSH", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT39", "BlackTech", "FIN7", "Fox Kitten", "GCMAN", "Lazarus Group", "Leviathan", "OilRig", "Rocke", "TEMP.Veles", "TeamTNT", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/plink/plink-windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_protocol_tunneling_with_plink_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_protocol_tunneling_with_plink.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Proxy Via Netsh", "id": "c137bfe8-6036-4cff-b77b-4e327dd0a1cf", "version": 1, "date": "2023-05-25", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This search looks for processes launching netsh.exe for connection proxy. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process = \"* portproxy *\" Processes.process = \"* v4tov4 *\" by Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.user Processes.dest |`drop_dm_object_name(\"Processes\")` |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `windows_proxy_via_netsh_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Some VPN applications are known to launch netsh.exe. Outside of these instances, it is unusual for an executable to launch netsh.exe and run commands.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"name": "Windows Proxy Via Netsh", "analytic_story": ["Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Command And Control"], "message": "A process $process_name$ has launched netsh with command-line $process$ on $dest$.", "mitre_attack_id": ["T1090.001", "T1090"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.user", "Processes.dest"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "atomic_guid": ["b8223ea9-4be2-44a6-b50a-9657a3d4e72a"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1090.001", "mitre_attack_technique": "Internal Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT39", "Higaisa", "Lazarus Group", "Strider", "Turla"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "POLONIUM", "Sandworm Team", "Turla", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1090.001/netsh_portproxy/volt_sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_netsh", "definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "windows_proxy_via_netsh_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_proxy_via_netsh.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Proxy Via Registry", "id": "0270455b-1385-4579-9ac5-e77046c508ae", "version": 1, "date": "2023-05-25", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This search looks for processes launching netsh.exe for connection proxy. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line.", "data_source": ["Sysmon EventID 12", "Sysmon EventID 13", "Sysmon EventID 14"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path =\"*\\\\System\\\\CurrentControlSet\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp*\" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.action Registry.dest Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_proxy_via_registry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "references": ["https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"name": "Windows Proxy Via Registry", "analytic_story": ["Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Command And Control"], "message": "A registry modification for port proxy in$dest$", "mitre_attack_id": ["T1090.001", "T1090"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action", "Registry.registry_value_data"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "atomic_guid": ["b8223ea9-4be2-44a6-b50a-9657a3d4e72a"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1090.001", "mitre_attack_technique": "Internal Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT39", "Higaisa", "Lazarus Group", "Strider", "Turla"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "POLONIUM", "Sandworm Team", "Turla", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1090.001/netsh_portproxy/volt_sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_proxy_via_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_proxy_via_registry.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Query Registry Browser List Application", "id": "45ebd21c-f4bf-4ced-bd49-d25b6526cebb", "version": 1, "date": "2023-04-25", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a suspicious process accessing default internet browsers registry entry. This registry is used by Windows to store information about default internet browsers installed on a system. Malware, adversaries or red-teamers can abuse this registry key to collect data about the installed internet browsers and their associated settings. This information can be used to steal sensitive data such as login credentials, browsing history, and saved passwords. We observed noise that needs to be filter out so we add several known path of Windows Application to make this detection more stable.", "data_source": ["Security Event ID 4663"], "search": "`wineventlog_security` EventCode=4663 object_file_path IN (\"*\\\\SOFTWARE\\\\Clients\\\\StartMenuInternet\\\\*\", \"*\\\\SOFTWARE\\\\Clients\\\\StartMenuInternet\\\\*\") AND NOT (process_path IN (\"*:\\\\Windows\\\\System32\\\\*\", \"*:\\\\Windows\\\\SysWow64\\\\*\", \"*:\\\\Program Files*\", \"*:\\\\Windows\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_query_registry_browser_list_application_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "uninstall application may access this registry to remove the entry of the target application. filter is needed.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"name": "Windows Query Registry Browser List Application", "analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "A suspicious process accessing installed default browser registry on $dest$", "mitre_attack_id": ["T1012"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "object_file_name", "object_file_path", "process_name", "process_path", "process_id", "EventCode", "dest"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/browser_list/ar3_4663_redline_reg.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_query_registry_browser_list_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_query_registry_browser_list_application.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Query Registry Reg Save", "id": "cbee60c1-b776-456f-83c2-faa56bdbe6c6", "version": 1, "date": "2022-12-12", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies a process execution of reg.exe with \"save\" parameter. This reg.exe parameter is commonly being abused by threat actors, adversaries and red-teamers to dump credentials or to check the registry modification capabilities of certain users or administrators in targeted hosts. This approach was seen in post-exploitation tool like winpeas where it uses \"reg save\" and \"reg restore\" to check registry modification restriction in targeted host after gaining access to it.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = \"* save *\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_query_registry_reg_save_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used.", "known_false_positives": "network administrator can use this command tool to backup registry before updates or modifying critical registries.", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/quser", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"name": "Windows Query Registry Reg Save", "analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "execution of process $process_name$ in $dest$", "mitre_attack_id": ["T1012"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id", "Processes.parent_process_guid", "Processes.process_guid"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_query_registry_reg_save_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_query_registry_reg_save.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Query Registry UnInstall Program List", "id": "535fd4fc-7151-4062-9d7e-e896bea77bf6", "version": 1, "date": "2023-04-25", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a suspicious query on uninstall application list in Windows OS registry. This registry is commonly used by legitimate software to store information about installed applications on a Windows system, such as their name, version, publisher, and installation path. However, malware, adversaries or even red-teamers can abuse this registry key to retrieve information stored in the \"Uninstall\" key to gather data about installed applications in the target host. This Anomaly detection can be a good pivot to detect a possible suspicious process accessing this registry which is not commonly accessed by a normal user.", "data_source": ["Security Event ID 4663"], "search": "`wineventlog_security` EventCode=4663 object_file_path=\"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\*\" | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_query_registry_uninstall_program_list_filter`", "how_to_implement": "To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable \"Audit Object Access\" in Group Policy. Then check the two boxes listed for both \"Success\" and \"Failure.\"", "known_false_positives": "Uninstall application may access this registry to remove the entry of the target application. Filter is needed.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"name": "Windows Query Registry UnInstall Program List", "analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "A suspicious process $process_name$ accessing uninstall registry on $dest$", "mitre_attack_id": ["T1012"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "object_file_name", "object_file_path", "process_name", "process_path", "process_id", "EventCode", "dest"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/recon_registry/recon-reg-redline-security-xml.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_query_registry_uninstall_program_list_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_query_registry_uninstall_program_list.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Raccine Scheduled Task Deletion", "id": "c9f010da-57ab-11ec-82bd-acde48001122", "version": 1, "date": "2021-12-07", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the Raccine Rules Updater scheduled task being deleted. Adversaries may attempt to remove this task in order to prevent the update of Raccine. Raccine is a \"ransomware vaccine\" created by security researcher Florian Roth, designed to intercept and prevent precursors and active ransomware behavior.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe Processes.process=\"*delete*\" AND Processes.process=\"*Raccine*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raccine_scheduled_task_deletion_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited, however filter as needed.", "references": ["https://redcanary.com/blog/blackbyte-ransomware/", "https://github.com/Neo23x0/Raccine"], "tags": {"name": "Windows Raccine Scheduled Task Deletion", "analytic_story": ["Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user user$ attempting to disable Raccines scheduled task.", "mitre_attack_id": ["T1562.001"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/atomic_red_team/windows-sysmon_raccine.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_raccine_scheduled_task_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_raccine_scheduled_task_deletion.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Rapid Authentication On Multiple Hosts", "id": "62606c77-d53d-4182-9371-b02cdbbbcef7", "version": 1, "date": "2023-03-23", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic leverages Event ID 4624 to identify a source computer authenticating to a large number of remote endpoints within an Active Directory network. Specifically, the logic will trigger when a source endpoint authenticates to 30 or more target computers within a 5 minute timespan. This behavior could represent an adversary who is moving laterally across the environment or enumerating network shares in the search for sensitive files. As environments differ across organizations, security teams should customize the thresholds of this detection as needed.", "data_source": ["Windows Security 4624"], "search": " `wineventlog_security` EventCode=4624 LogonType=3 TargetUserName!=\"ANONYMOUS LOGON\" TargetUserName!=\"*$\" | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as host_targets by _time, IpAddress, TargetUserName | where unique_targets > 30 | `windows_rapid_authentication_on_multiple_hosts_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "Vulnerability scanners or system administration tools may also trigger this detection. Filter as needed.", "references": ["https://attack.mitre.org/techniques/T1135/", "https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624"], "tags": {"name": "Windows Rapid Authentication On Multiple Hosts", "analytic_story": ["Active Directory Privilege Escalation", "Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "The source computer with ip address $IpAddress$ authenticated to a large number of remote endpoints within 5 minutes.", "mitre_attack_id": ["T1003.002"], "nist": ["DE.CM"], "observable": [{"name": "host_targets", "type": "Endpoint", "role": ["Victim"]}, {"name": "IpAddress", "type": "Endpoint", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Logon_Type", "TargetUserName", "Computer", "IpAddress"], "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/rapid_authentication_multiple_hosts/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_rapid_authentication_on_multiple_hosts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_rapid_authentication_on_multiple_hosts.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Rasautou DLL Execution", "id": "6f42b8be-8e96-11ec-ad5a-acde48001122", "version": 1, "date": "2022-02-15", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the Windows Windows Remote Auto Dialer, rasautou.exe executing an arbitrary DLL. This technique is used to execute arbitrary shellcode or DLLs via the rasautou.exe LOLBin capability. During triage, review parent and child process behavior including file and image loads.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rasautou.exe Processes.process=\"* -d *\"AND Processes.process=\"* -p *\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_rasautou_dll_execution_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives will be limited to applications that require Rasautou.exe to load a DLL from disk. Filter as needed.", "references": ["https://github.com/mandiant/DueDLLigence", "https://github.com/MHaggis/notes/blob/master/utilities/Invoke-SPLDLLigence.ps1", "https://gist.github.com/NickTyrer/c6043e4b302d5424f701f15baf136513", "https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode"], "tags": {"name": "Windows Rasautou DLL Execution", "analytic_story": ["Windows Defense Evasion Tactics"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ attempting to load a DLL in a suspicious manner.", "mitre_attack_id": ["T1055.001", "T1218", "T1055"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055.001", "mitre_attack_technique": "Dynamic-link Library Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["BackdoorDiplomacy", "Lazarus Group", "Leviathan", "Putter Panda", "TA505", "Tropic Trooper", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055.001/rasautou/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_rasautou_dll_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_rasautou_dll_execution.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Raw Access To Disk Volume Partition", "id": "a85aa37e-9647-11ec-90c5-acde48001122", "version": 1, "date": "2023-06-13", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to look for suspicious raw access read to device disk partition of the host machine. This technique was seen in several attacks by adversaries or threat actor to wipe, encrypt or overwrite the boot sector of each partition as part of their impact payload for example the \"hermeticwiper\" malware. This detection is a good indicator that there is a process try to read or write on boot sector.", "data_source": ["Sysmon Event ID 9"], "search": "`sysmon` EventCode=9 Device = \\\\Device\\\\HarddiskVolume* NOT (Image IN(\"*\\\\Windows\\\\System32\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image Device ProcessGuid ProcessId EventDescription EventCode Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raw_access_to_disk_volume_partition_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the raw access read event (like sysmon eventcode 9), process name and process guid from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "This event is really notable but we found minimal number of normal application from system32 folder like svchost.exe accessing it too. In this case we used 'system32' and 'syswow64' path as a filter for this detection.", "references": ["https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html"], "tags": {"name": "Windows Raw Access To Disk Volume Partition", "analytic_story": ["CISA AA22-264A", "Graceful Wipe Out Attack", "Data Destruction", "Hermetic Wiper", "Caddy Wiper"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "message": "Process accessing disk partition $device$ in $dest$", "mitre_attack_id": ["T1561.002", "T1561"], "nist": ["DE.AE"], "observable": [{"name": "ComputerName", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Computer", "Image", "Device", "ProcessGuid", "ProcessId", "EventDescription", "EventCode"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/hermetic_wiper/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_raw_access_to_disk_volume_partition_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml", "source": "endpoint"}, {"name": "Windows Raw Access To Master Boot Record Drive", "id": "7b83f666-900c-11ec-a2d9-acde48001122", "version": 1, "date": "2023-06-13", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to look for suspicious raw access read to drive where the master boot record is placed. This technique was seen in several attacks by adversaries or threat actor to wipe, encrypt or overwrite the master boot record code as part of their impact payload. This detection is a good indicator that there is a process try to read or write on MBR sector.", "data_source": ["Sysmon Event ID 9"], "search": "`sysmon` EventCode=9 Device = \\\\Device\\\\Harddisk0\\\\DR0 NOT (Image IN(\"*\\\\Windows\\\\System32\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer Image Device ProcessGuid ProcessId EventDescription EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raw_access_to_master_boot_record_drive_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the raw access read event (like sysmon eventcode 9), process name and process guid from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "This event is really notable but we found minimal number of normal application from system32 folder like svchost.exe accessing it too. In this case we used 'system32' and 'syswow64' path as a filter for this detection.", "references": ["https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html", "https://www.crowdstrike.com/blog/technical-analysis-of-whispergate-malware/", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"name": "Windows Raw Access To Master Boot Record Drive", "analytic_story": ["CISA AA22-264A", "WhisperGate", "Graceful Wipe Out Attack", "Data Destruction", "Hermetic Wiper", "Caddy Wiper"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "message": "process accessing MBR $device$ in $dest$", "mitre_attack_id": ["T1561.002", "T1561"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Computer", "Image", "Device", "ProcessGuid", "ProcessId", "EventDescription", "EventCode"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1561.002/mbr_raw_access/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_raw_access_to_master_boot_record_drive_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Windows RDP Connection Successful", "id": "ceaed840-56b3-4a70-b8e1-d762b1c5c08c", "version": 1, "date": "2023-04-17", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies successful remote desktop connections. Utilize this analytic to hunt for successful attempts. In addition, the query may be modified for EventCode=1148 to potentially identify failed attempts. In testing, 1148 would not generate based on a failed logon attempt. Note this analytic requires enabling and a stanza in a inputs.conf.", "data_source": [], "search": "`remoteconnectionmanager` EventCode=1149 | stats count min(_time) as firstTime max(_time) as lastTime by ComputerName, Source_Network_Address, User, Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename ComputerName as dest | `windows_rdp_connection_successful_filter`", "how_to_implement": "The following analyic requires the WIndows TerminalServices RemoteConnectionManager Operational log to be enabled and ingested into Splunk. For the inputs, review https://gist.github.com/MHaggis/138c6bf563bacbda4a2524f089773706.", "known_false_positives": "False positives will be present, filter as needed or restrict to critical assets on the perimeter.", "references": ["https://gist.github.com/MHaggis/138c6bf563bacbda4a2524f089773706", "https://doublepulsar.com/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6"], "tags": {"name": "Windows RDP Connection Successful", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "A successful RDP connection on $dest$ occurred.", "mitre_attack_id": ["T1563.002"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "Source_Network_Address", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["EventCode", "ComputerName", "Source_Network_Address", "User", "Message"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "atomic_guid": [], "mitre_attack_enrichments": [{"mitre_attack_id": "T1563.002", "mitre_attack_technique": "RDP Hijacking", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Axiom"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1563.002/rdphijack/remoteconnectionmanager.log", "source": "WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational", "sourcetype": "wineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "remoteconnectionmanager", "definition": "source=\"WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_rdp_connection_successful_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_rdp_connection_successful.yml", "source": "endpoint"}, {"name": "Windows Registry BootExecute Modification", "id": "eabbac3a-45aa-4659-920f-6b8cff383fb8", "version": 1, "date": "2023-05-03", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "This analytic monitors the BootExecute registry key for any modifications from its default value, which could indicate potential malicious activity. The BootExecute registry key, located at HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager, manages the list of applications and services that are executed during system boot. By default, the BootExecute value is set to \"autocheck autochk *\". Attackers might attempt to modify this value to achieve persistence, load malicious code, or tamper with the system's boot process.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path=\"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\BootExecute\" BY _time span=1h Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid, Registry.action | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_registry_bootexecute_modification_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Windows Registry that include the name of the path and key responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present and will need to be filtered.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/"], "tags": {"name": "Windows Registry BootExecute Modification", "analytic_story": ["Windows BootKits"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation", "Installation"], "message": "The Registry BootExecute value was modified on $dest$ and should be reviewed immediately.", "mitre_attack_id": ["T1542", "T1547.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_path", "Registry.registry_key_name", "Registry.registry_value_name", "Registry.registry_value_data", "Registry.process_guid", "Registry.action"], "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "atomic_guid": [], "mitre_attack_enrichments": [{"mitre_attack_id": "T1542", "mitre_attack_technique": "Pre-OS Boot", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.001/atomic_red_team/bootexecute-windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_registry_bootexecute_modification_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_registry_bootexecute_modification.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Registry Certificate Added", "id": "5ee98b2f-8b9e-457a-8bdc-dd41aaba9e87", "version": 2, "date": "2023-04-27", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies installation of a root CA certificate by monitoring the registry. The base paths may be found [here](https://gist.github.com/mattifestation/75d6117707bcf8c26845b3cbb6ad2b6b/raw/ae65ef15c706140ffc2e165615204e20f2903028/RootCAInstallationDetection.xml). In short, there are specific certificate registry paths that will be written to (SetValue) when a new certificate is added. The high-fidelity events to pay attention to are SetValue events where the TargetObject property ends with \"\\Blob\" as this indicates the direct installation or modification of a root certificate binary blob. The other high fidelity reference will be which process is making the registry modifications. There are very few processes that modify these day to day, therefore monitoring for all to start (hunting) provides a great beginning.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_path IN (\"*\\\\certificates\\\\*\") AND Registry.registry_value_name=\"Blob\" by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.process_guid Registry.registry_key_name Registry.registry_value_data | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_registry_certificate_added_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives will be limited to a legitimate business applicating consistently adding new root certificates to the endpoint. Filter by user, process, or thumbprint.", "references": ["https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", "https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1553.004"], "tags": {"name": "Windows Registry Certificate Added", "analytic_story": ["Windows Drivers", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "A root certificate was added on $dest$.", "mitre_attack_id": ["T1553.004", "T1553"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_path", "Registry.registry_key_name", "Registry.registry_value_name", "Registry.dest"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1553.004", "mitre_attack_technique": "Install Root Certificate", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1553", "mitre_attack_technique": "Subvert Trust Controls", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Axiom"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1587.002/atomic_red_team/certblob_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_registry_certificate_added_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_registry_certificate_added.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Registry Delete Task SD", "id": "ffeb7893-ff06-446f-815b-33ca73224e92", "version": 1, "date": "2022-04-13", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a process attempting to delete a scheduled task SD (Security Descriptor) from within the registry path of that task. This may occur from a non-standard process running and may not come from reg.exe. This particular behavior will remove the actual Task Name from the Task Scheduler GUI and from the command-line query - schtasks.exe /query. In addition, in order to perform this action, the user context will need to be SYSTEM.\\ Identifying the deletion of a scheduled task's Security Descriptor from the registry is significant for a SOC as it may indicate malicious activity attempting to remove evidence of a scheduled task, potentially for defense evasion purposes. If a true positive is detected, it suggests an attacker with privileged access attempting to remove traces of their activities, which can have a significant impact on the security and functionality of affected systems. Immediate investigation and response are required to mitigate further risks and preserve the integrity of the environment.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_path IN (\"*\\\\Schedule\\\\TaskCache\\\\Tree\\\\*\") Registry.user=\"SYSTEM\" Registry.registry_value_name=\"SD\" (Registry.action=Deleted OR Registry.action=modified) by _time Registry.dest Registry.process_guid Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_key_name Registry.registry_value_data Registry.status Registry.action | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_registry_delete_task_sd_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited as the activity is not common to delete ONLY the SD from the registry. Filter as needed. Update the analytic Modified or Deleted values based on product that is in the datamodel.", "references": ["https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/", "https://gist.github.com/MHaggis/5f7fd6745915166fc6da863d685e2728", "https://gist.github.com/MHaggis/b246e2fae6213e762a6e694cabaf0c17"], "tags": {"name": "Windows Registry Delete Task SD", "analytic_story": ["Windows Registry Abuse", "Windows Persistence Techniques", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A scheduled task security descriptor was deleted from the registry on $dest$.", "mitre_attack_id": ["T1053.005", "T1562"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_path", "Registry.registry_key_name", "Registry.registry_value_name", "Registry.dest", "Processes.process_id", "Processes.process_name", "Processes.process", "Processes.dest", "Processes.process_guid"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/taskschedule/sd_delete_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_registry_delete_task_sd_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_registry_delete_task_sd.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Registry Modification for Safe Mode Persistence", "id": "c6149154-c9d8-11eb-9da7-acde48001122", "version": 4, "date": "2023-04-27", "author": "Teoderick Contreras, Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a modification or registry add to the safeboot registry as an autostart mechanism. This technique is utilized by adversaries to persist a driver or service into Safe Mode. Two keys are monitored in this analytic, Minimal and Network. adding values to Minimal will load into Safe Mode and by adding into Network it will provide the service or drive the ability to perform network connections in Safe Mode.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_path IN (\"*SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\*\",\"*SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\*\") by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.process_guid Registry.registry_key_name Registry.registry_value_data | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_registry_modification_for_safe_mode_persistence_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.", "known_false_positives": "updated windows application needed in safe boot may used this registry", "references": ["https://malware.news/t/threat-analysis-unit-tau-threat-intelligence-notification-snatch-ransomware/36365", "https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md", "https://blog.didierstevens.com/2007/03/26/playing-with-safe-mode/"], "tags": {"name": "Windows Registry Modification for Safe Mode Persistence", "analytic_story": ["Ransomware", "Windows Registry Abuse", "Windows Drivers"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Installation", "Exploitation"], "message": "Safeboot registry $registry_path$ was added or modified with a new value $registry_value_name$ on $dest$", "mitre_attack_id": ["T1547.001", "T1547"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_path", "Registry.registry_key_name", "Registry.registry_value_name", "Registry.dest"], "risk_score": 42, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data1/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_registry_modification_for_safe_mode_persistence_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Regsvr32 Renamed Binary", "id": "7349a9e9-3cf6-4171-bb0c-75607a8dcd1a", "version": 1, "date": "2022-10-27", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following hunting analytic identifies renamed instances of regsv32.exe executing. regsv32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64. During investigation, validate if it is the legitimate regsv32.exe executing and what dll module content it is loading. This query relies on the original filename or internal name from the PE meta data. Expand the query as needed by looking for specific command line arguments outlined in other analytics.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name != regsvr32.exe AND Processes.original_file_name=regsvr32.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_regsvr32_renamed_binary_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "references": ["https://twitter.com/pr0xylife/status/1585612370441031680?s=46&t=Dc3CJi4AnM-8rNoacLbScg"], "tags": {"name": "Windows Regsvr32 Renamed Binary", "analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "regsvr32 was renamed as $process_name$ in $dest$", "mitre_attack_id": ["T1218.010", "T1218"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_3/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_regsvr32_renamed_binary_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_regsvr32_renamed_binary.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Remote Access Software BRC4 Loaded Dll", "id": "73cf5dcb-cf36-4167-8bbe-384fe5384d05", "version": 1, "date": "2022-08-24", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following anomaly detection identifies the behavior related to 4 native Windows DLLs being loaded by a non-standard process. Identified by MDSec during their research into Brute Ratel, MDSec identified a high signal analytic by calling out these 4 DLLs being loaded into a process. LogonCLI.dll is the Net Logon Client DLL and is related to users and other domain services to get authenticated. Credui.dll is Credential Manager User Interface. Credential managers receive notifications when authentication information changes. For example, credential managers are notified when a user logs on or an account password changes. Samcli.dll is the Security Accounts Manager Client DLL. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. Dbghelp.dll is Windows Image Helper. Windows Image Helper is commonly seen in credential dumping due to native functions. All of these modules are important to monitor and track and combined may lead to credentail access or dumping.", "data_source": ["Sysmon Event ID 7"], "search": "`sysmon` EventCode=7 |bin _time span=30s | eval BRC4_AnomalyLoadedDll=case(OriginalFileName==\"credui.dll\", 1, OriginalFileName==\"DBGHELP.DLL\", 1, OriginalFileName==\"SAMCLI.DLL\", 1, OriginalFileName==\"winhttp.dll\", 1, 1=1, 0) | eval BRC4_LoadedDllPath=case(match(ImageLoaded, \"credui.dll\"), 1, match(ImageLoaded, \"dbghelp.dll\"), 1, match(ImageLoaded, \"samcli.dll\"), 1, match(ImageLoaded, \"winhttp.dll\"), 1, 1=1, 0) | stats count min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) as ImageLoaded values(OriginalFileName) as OriginalFileName dc(ImageLoaded) as ImageLoadedCount by Image BRC4_LoadedDllPath BRC4_AnomalyLoadedDll Computer EventCode Signed | where ImageLoadedCount == 4 AND (BRC4_LoadedDllPath == 1 OR BRC4_AnomalyLoadedDll == 1) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_access_software_brc4_loaded_dll_filter`", "how_to_implement": "The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products.", "known_false_positives": "This module can be loaded by a third party application. Filter is needed.", "references": ["https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/", "https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/", "https://strontic.github.io/xcyclopedia/library/logoncli.dll-138871DBE68D0696D3D7FA91BC2873B1.html", "https://strontic.github.io/xcyclopedia/library/credui.dll-A5BD797BBC2DD55231B9DE99837E5461.html", "https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-manager", "https://strontic.github.io/xcyclopedia/library/samcli.dll-522D6D616EF142CDE965BD3A450A9E4C.html", "https://strontic.github.io/xcyclopedia/library/dbghelp.dll-15A55EAB307EF8C190FE6135C0A86F7C.html"], "tags": {"name": "Windows Remote Access Software BRC4 Loaded Dll", "analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Command And Control", "Exploitation"], "message": "a process $Image$ loaded several modules $ImageLoaded$ that might related to credential access on $Computer$.", "mitre_attack_id": ["T1219", "T1003"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "ImageLoaded", "process_name", "Computer", "EventCode", "Signed", "ProcessId"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "TeamTNT", "Thrip"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_remote_access_software_brc4_loaded_dll_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml", "source": "endpoint"}, {"name": "Windows Remote Access Software Hunt", "id": "8bd22c9f-05a2-4db1-b131-29271f28cb0a", "version": 1, "date": "2022-08-22", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following hunting analytic is meant to help organizations understand what remote access software is being used in the environment. When reviewing this hunt, confirm the software identified is authorized to be utilized. Based on fidelity, create a new analytic for specific utilities banned within the organization. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes where Processes.dest!=unknown Processes.user!=unknown by Processes.dest Processes.user Processes.process_name Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup remote_access_software remote_utility AS process_name OUTPUT isutility | search isutility = True | `windows_remote_access_software_hunt_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives will be found. Filter as needed and create higher fidelity analytics based off banned remote access software.", "references": ["https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/"], "tags": {"name": "Windows Remote Access Software Hunt", "analytic_story": ["Insider Threat", "Command And Control", "Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 10, "impact": 10, "kill_chain_phases": ["Command And Control"], "message": "The following Remote Access Software $process_name$ was identified on $dest$.", "mitre_attack_id": ["T1219"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 1, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "TeamTNT", "Thrip"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_remote_access_software_hunt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "remote_access_software", "description": "A list of Remote Access Software", "filename": "remote_access_software.csv", "default_match": "false", "match_type": "WILDCARD(remote_software)", "min_matches": 1, "case_sensitive_match": "false"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_remote_access_software_hunt.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Remote Access Software RMS Registry", "id": "e5b7b5a9-e471-4be8-8c5d-4083983ba329", "version": 1, "date": "2022-06-22", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic is to identify a modification or creation of Windows registry related to the Remote Manipulator System (RMS) Remote Admin tool. RMS is a legitimate tool developed by russian organization TektonIT and has been observed being abused by adversaries to gain remote access to the targeted host. Azorult malware utilized RMS to gain remote access.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\SYSTEM\\\\Remote Manipulator System*\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_access_software_rms_registry_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/", "https://malpedia.caad.fkie.fraunhofer.de/details/win.rms"], "tags": {"name": "Windows Remote Access Software RMS Registry", "analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Command And Control"], "message": "the registry related to RMS tool is created in $dest$", "mitre_attack_id": ["T1219"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "TeamTNT", "Thrip"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_remote_access_software_rms_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_remote_access_software_rms_registry.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Remote Assistance Spawning Process", "id": "ced50492-8849-11ec-9f68-acde48001122", "version": 1, "date": "2022-02-07", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the use of Microsoft Remote Assistance, msra.exe, spawning PowerShell.exe or cmd.exe as a child process. Msra.exe by default has no command-line arguments and typically spawns itself. It will generate a network connection to the remote system that is connected. This behavior is indicative of another process injected into msra.exe. Review the parent process or cross process events to identify source.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=msra.exe `windows_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_assistance_spawning_process_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited, filter as needed. Add additional shells as needed.", "references": ["https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", "https://app.any.run/tasks/ca1616de-89a1-4afc-a3e4-09d428df2420/"], "tags": {"name": "Windows Remote Assistance Spawning Process", "analytic_story": ["Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$, generating behavior not common with msra.exe.", "mitre_attack_id": ["T1055"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/msra/msra-windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_shells", "definition": "(Processes.process_name=cmd.exe OR Processes.process_name=powershell.exe OR Processes.process_name=pwsh.exe OR Processes.process_name=sh.exe OR Processes.process_name=bash.exe OR Processes.process_name=wscript.exe OR Processes.process_name=cscript.exe)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_remote_assistance_spawning_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_remote_assistance_spawning_process.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Remote Create Service", "id": "0dc44d03-8c00-482d-ba7c-796ba7ab18c9", "version": 1, "date": "2023-03-20", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic identifies an endpoint that remotely connects to another endpoint to create a new service using sc.exe. On the remote endpoint, the new service will be created and this action will trigger the creation of EventCode 7045 along with all the resulting service information.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sc.exe Processes.process IN (\"*create*\") Processes.process=\"*\\\\\\\\*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_create_service_filter`", "how_to_implement": "To implement this search, it is necessary to ingest information on processes that include the name of the process responsible for the changes from your endpoints into the Endpoint data model within the Processes node. Additionally, it is recommended to confirm that the latest version of CIM App (4.20 or higher) and the latest TA for the endpoint product are installed.", "known_false_positives": "Note that false positives may occur, and filtering may be necessary, especially when it comes to remote service creation by administrators or software management utilities.", "references": ["https://attack.mitre.org/techniques/T1543/003/"], "tags": {"name": "Windows Remote Create Service", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to create a remote service.", "mitre_attack_id": ["T1543", "T1543.003"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/atomic_red_team/remote_service_create_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_remote_create_service_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_remote_create_service.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Remote Service Rdpwinst Tool Execution", "id": "c8127f87-c7c9-4036-89ed-8fe4b30e678c", "version": 1, "date": "2022-06-24", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies RDPWInst.exe tool, which is a RDP wrapper library tool designed to enable remote desktop host support and concurrent RDP session on reduced functionality system. Unfortunately, this open project was abused by adversaries to enable RDP connection to the targeted host for remote access and potentially be for lateral movement.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"RDPWInst.exe\" OR Processes.original_file_name=\"RDPWInst.exe\") AND Processes.process IN (\"* -i*\", \"* -s*\", \"* -o*\", \"* -w*\", \"* -r*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_service_rdpwinst_tool_execution_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "This tool was designed for home usage and not commonly seen in production environment. Filter as needed.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"name": "Windows Remote Service Rdpwinst Tool Execution", "analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "Rdpwinst.exe executed on $dest$.", "mitre_attack_id": ["T1021.001", "T1021"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_remote_service_rdpwinst_tool_execution_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Remote Services Allow Rdp In Firewall", "id": "9170cb54-ea15-41e1-9dfc-9f3363ce9b02", "version": 1, "date": "2022-06-21", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic is to identify a modification in the Windows firewall to enable remote desktop protocol on a targeted machine. This technique was seen in several adversaries, malware or red teamer to remotely access the compromised or targeted host by allowing this protocol in firewall. Even this protocol might be allowed in some production environment, This TTP behavior is a good pivot to check who and why the user want to enable this feature through firewall which is also common traits of attack to start lateral movement.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as cmdline values(Processes.parent_process_name) as parent_process values(Processes.process_name) count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = \"netsh.exe\" OR Processes.original_file_name= \"netsh.exe\") AND Processes.process = \"*firewall*\" AND Processes.process = \"*add*\" AND Processes.process = \"*protocol=TCP*\" AND Processes.process = \"*localport=3389*\" AND Processes.process = \"*action=allow*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_services_allow_rdp_in_firewall_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"name": "Windows Remote Services Allow Rdp In Firewall", "analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "new firewall rules was added to allow rdp connection to $dest$", "mitre_attack_id": ["T1021.001", "T1021"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_id", "Processes.parent_process_id", "Processes.dest", "Processes.user"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_remote_services_allow_rdp_in_firewall_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Remote Services Allow Remote Assistance", "id": "9bce3a97-bc97-4e89-a1aa-ead151c82fbb", "version": 1, "date": "2022-06-21", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic is to identify a modification in the Windows registry to enable remote desktop assistance on a targeted machine. This technique was seen in several adversaries, malware or red teamer like azorult to remotely access the compromised or targeted host by enabling this protocol in registry. Even this protocol might be allowed in some production environment, This Anomaly behavior is a good pivot to check who and why the user want to enable this feature through registry which is un-common. And as per stated in microsoft documentation the default value of this registry is false that makes this a good indicator of suspicious behavior.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Control\\\\Terminal Server\\\\fAllowToGetHelp*\" Registry.registry_value_data=\"0x00000001\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_services_allow_remote_assistance_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "references": ["https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"name": "Windows Remote Services Allow Remote Assistance", "analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "the registry for rdp protocol was modified to enable in $dest$", "mitre_attack_id": ["T1021.001", "T1021"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_remote_services_allow_remote_assistance_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_remote_services_allow_remote_assistance.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Remote Services Rdp Enable", "id": "8fbd2e88-4ea5-40b9-9217-fd0855e08cc0", "version": 1, "date": "2022-06-21", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic is to identify a modification in the Windows registry to enable remote desktop protocol on a targeted machine. This technique was seen in several adversaries, malware or red teamer to remotely access the compromised or targeted host by enabling this protocol in registry. Even this protocol might be allowed in some production environment, This TTP behavior is a good pivot to check who and why the user want to enable this feature through registry which is un-common.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections*\" Registry.registry_value_data=\"0x00000000\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_services_rdp_enable_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "administrators may enable or disable this feature that may cause some false positive.", "references": ["https://www.hybrid-analysis.com/sample/9d6611c2779316f1ef4b4a6edcfdfb5e770fe32b31ec2200df268c3bd236ed75?environmentId=100"], "tags": {"name": "Windows Remote Services Rdp Enable", "analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "the registry for rdp protocol was modified to enable in $dest$", "mitre_attack_id": ["T1021.001", "T1021"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Registry.action"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_remote_services_rdp_enable_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_remote_services_rdp_enable.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Replication Through Removable Media", "id": "60df805d-4605-41c8-bbba-57baa6a4eb97", "version": 1, "date": "2023-01-17", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is developed to detect suspicious executable or script files created or dropped in the root drive of a targeted host. This technique is commonly used by threat actors, adversaries or even red teamers to replicate or spread in possible removable drives. Back then, WORM malware was popular for this technique where it would drop a copy of itself in the root drive to be able to spread or to have a lateral movement in other network machines. Nowadays, Ransomware like CHAOS ransomware also use this technique to spread its malicious code in possible removable drives. This TTP detection can be a good indicator that a process might create a persistence technique or lateral movement of a targeted machine. We suggest checking the process name that creates this event, the file created, user type, and the reason why that executable or scripts are dropped in the root drive.", "data_source": ["Sysmon Event ID 11"], "search": "|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name = *.exe OR Filesystem.file_name = *.dll OR Filesystem.file_name = *.sys OR Filesystem.file_name = *.com OR Filesystem.file_name = *.vbs OR Filesystem.file_name = *.vbe OR Filesystem.file_name = *.js OR Filesystem.file_name= *.bat OR Filesystem.file_name = *.cmd OR Filesystem.file_name = *.pif) by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.user | `drop_dm_object_name(Filesystem)` | eval dropped_file_path = split(file_path, \"\\\\\") | eval dropped_file_path_split_count = mvcount(dropped_file_path) | eval root_drive = mvindex(dropped_file_path,0) | where LIKE(root_drive, \"%:\") AND dropped_file_path_split_count = 2 AND root_drive!= \"C:\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_replication_through_removable_media_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "Administrators may allow creation of script or exe in the paths specified. Filter as needed.", "references": ["https://attack.mitre.org/techniques/T1204/002/", "https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia"], "tags": {"name": "Windows Replication Through Removable Media", "analytic_story": ["Chaos Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Delivery", "Exploitation"], "message": "executable or script $file_path$ was drop in root drive $root_drive$ in $dest$", "mitre_attack_id": ["T1091"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_id", "type": "Process", "role": ["Attacker"]}, {"name": "file_name", "type": "File Name", "role": ["Other", "Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.file_path", "Filesystem.file_create_time", "Filesystem.process_id", "Filesystem.file_name", "Filesystem.user"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1091", "mitre_attack_technique": "Replication Through Removable Media", "mitre_attack_tactics": ["Initial Access", "Lateral Movement"], "mitre_attack_groups": ["APT28", "Aoqin Dragon", "Darkhotel", "FIN7", "LuminousMoth", "Mustang Panda", "Tropic Trooper"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/chaos_ransomware/spread_in_root_drives/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_replication_through_removable_media_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_replication_through_removable_media.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Root Domain linked policies Discovery", "id": "80ffaede-1f12-49d5-a86e-b4b599b68b3c", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate root domain linked policies for situational awareness and Active Directory Discovery.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*[adsisearcher]*\" ScriptBlockText = \"*.SearchRooT*\" ScriptBlockText = \"*.gplink*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_root_domain_linked_policies_discovery_filter`", "how_to_implement": "The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", "https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81"], "tags": {"name": "Windows Root Domain linked policies Discovery", "analytic_story": ["Data Destruction", "Active Directory Discovery", "Industroyer2"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "powershell process having commandline $Message$ for user enumeration", "mitre_attack_id": ["T1087.002", "T1087"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "ScriptBlockText", "Computer", "user_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/adsi_discovery/windows-powershell-xml1.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_root_domain_linked_policies_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_root_domain_linked_policies_discovery.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Rundll32 WebDAV Request", "id": "320099b7-7eb1-4153-a2b4-decb53267de2", "version": 1, "date": "2023-03-15", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies rundll32.exe with the commandline arguments loading davclnt.dll function - davsetcookie - to be used to access a remote WebDav instance. This particular behavior was recently showcased in CVE-2023-23397.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe Processes.process IN (\"*\\\\windows\\\\system32\\\\davclnt.dll,*davsetcookie*\",\"*\\\\windows\\\\syswow64\\\\davclnt.dll,*davsetcookie*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_rundll32_webdav_request_filter`", "how_to_implement": "In addition to getting the correct data, adding a join with network connection will assist with making this higher fidelity. We removed the parent_process_name=svchost.exe to look more broad, this will need to be tuned. To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives will be present based on legitimate software, filtering may need to occur.", "references": ["https://strontic.github.io/xcyclopedia/library/davclnt.dll-0EA3050E7CC710526E330C413C165DA0.html", "https://twitter.com/ACEResponder/status/1636116096506818562?s=20", "https://twitter.com/domchell/status/1635999068282408962?s=20", "https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/", "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/"], "tags": {"name": "Windows Rundll32 WebDAV Request", "analytic_story": ["CVE-2023-23397 Outlook Elevation of Privilege"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to contact a remote WebDav server.", "mitre_attack_id": ["T1048.003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2023-23397"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_rundll32_webdav_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2023-23397", "cvss": null, "summary": "Microsoft Outlook Elevation of Privilege Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_rundll32_webdav_request.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Rundll32 WebDav With Network Connection", "id": "f03355e0-28b5-4e9b-815a-6adffc63b38c", "version": 1, "date": "2023-03-16", "author": "Michael Haag, Splunk", "type": "TTP", "status": "experimental", "description": "The following analytic identifies rundll32.exe with the commandline arguments loading davclnt.dll function - davsetcookie - to be used to access a remote WebDav instance. The analytic attempts to use join from Processes and All_Traffic to identify the network connection. This particular behavior was recently showcased in CVE-2023-23397.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name=svchost.exe `process_rundll32` Processes.process IN (\"*\\\\windows\\\\system32\\\\davclnt.dll,*davsetcookie*\", \"*\\\\windows\\\\syswow64\\\\davclnt.dll,*davsetcookie*\") by host _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename dest as src | join host process_id [ | tstats `security_content_summariesonly` count latest(All_Traffic.dest) as dest latest(All_Traffic.dest_ip) as dest_ip latest(All_Traffic.dest_port) as dest_port FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port!=0 NOT (All_Traffic.dest_ip IN (10.0.0.0/12, 172.16.0.0/12, 192.168.0.0/16)) by host All_Traffic.process_id | `drop_dm_object_name(All_Traffic)`] | `windows_rundll32_webdav_with_network_connection_filter`", "how_to_implement": "We removed the parent_process_name=svchost.exe to look more broad, this will need to be tuned. To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and the All_Traffic Datamodel. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives will be present based on legitimate software, filtering may need to occur.", "references": ["https://strontic.github.io/xcyclopedia/library/davclnt.dll-0EA3050E7CC710526E330C413C165DA0.html", "https://twitter.com/ACEResponder/status/1636116096506818562?s=20", "https://twitter.com/domchell/status/1635999068282408962?s=20", "https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/", "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/"], "tags": {"name": "Windows Rundll32 WebDav With Network Connection", "analytic_story": ["CVE-2023-23397 Outlook Elevation of Privilege"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "kill_chain_phases": ["Actions on Objectives"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to contact a remote WebDav server.", "mitre_attack_id": ["T1048.003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id", "All_Traffic.dest_port", "All_Traffic.dest_ip", "All_Traffic.dest"], "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2023-23397"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/cve-2023-23397/webdav_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint", "Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "windows_rundll32_webdav_with_network_connection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2023-23397", "cvss": null, "summary": "Microsoft Outlook Elevation of Privilege Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Scheduled Task Created Via XML", "id": "7e03b682-3965-4598-8e91-a60a40a3f7e4", "version": 1, "date": "2023-04-05", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic detects the creation of suspicious scheduled tasks in Windows, specifically tasks created using schtasks.exe with the -create flag and an XML parameter in the command-line. This technique is commonly employed by threat actors, adversaries, and red teamers to establish persistence or achieve privilege escalation on targeted hosts. Notably, malware like Trickbot and Winter-Vivern have been observed using XML files to create scheduled tasks. Monitoring and investigating this activity is crucial to mitigate potential security risks. It is important to be aware that scripts or administrators may trigger this analytic, leading to potential false positives. To minimize false positives, adjust the filter based on the parent process or application.\\\nWhen a true positive is detected, it suggests an attacker's attempt to gain persistence or execute additional malicious payloads, potentially resulting in data theft, ransomware, or other damaging outcomes. During triage, review the source of the scheduled task, the command to be executed, and capture any relevant on-disk artifacts. Analyze concurrent processes to identify the source of the attack. This analytic enables analysts to detect and respond to potential threats early, mitigating the associated risks effectively.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe Processes.process=*create* Processes.process=\"* /xml *\" by Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.process_id Processes.parent_process_guid Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_scheduled_task_created_via_xml_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "It is possible scripts or administrators may trigger this analytic. Filter as needed based on parent process, application.", "references": ["https://twitter.com/_CERT_UA/status/1620781684257091584", "https://cert.gov.ua/article/3761104"], "tags": {"name": "Windows Scheduled Task Created Via XML", "analytic_story": ["Winter Vivern", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A scheduled task process, $process_name$, with 'create' or 'delete' commands present in the command line.", "mitre_attack_id": ["T1053.005", "T1053"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process_id", "Processes.process", "Processes.dest", "Processes.user", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/scheduledtask/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_scheduled_task_created_via_xml_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_scheduled_task_created_via_xml.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Scheduled Task with Highest Privileges", "id": "2f15e1a4-0fc2-49dd-919e-cbbe60699218", "version": 1, "date": "2023-01-26", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic detects the creation of a new task with the highest execution privilege via Schtasks.exe. This tactic is often observed in AsyncRAT attacks, where the scheduled task is used for persistence and privilege escalation. AsyncRAT sets up a scheduled task with parameters '/rl' and 'highest', triggering this technique. It's a strong indicator of potential malware or adversaries seeking to establish persistence and escalate privileges through scheduled tasks. This is crucial for a Security Operations Center (SOC) as it can prevent unauthorized system access and potential data breaches.\\\nThe analytic works by monitoring logs for process name, parent process, and command-line executions. In the presence of the '*/rl ' and ' highest *' commands in a schtasks.exe process, an alert is triggered.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"schtasks.exe\" Processes.process = \"*/rl *\" Processes.process = \"* highest *\" by Processes.process_name Processes.parent_process_name Processes.parent_process Processes.process Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_scheduled_task_with_highest_privileges_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used.", "known_false_positives": "False positives may arise from legitimate applications that create tasks to run as SYSTEM. Therefore, it's recommended to adjust filters based on parent process or modify the query to include world writable paths for restriction.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"name": "Windows Scheduled Task with Highest Privileges", "analytic_story": ["AsyncRAT", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "a $process_name$ creating a schedule task $process$ with highest run level privilege in $dest$", "mitre_attack_id": ["T1053", "T1053.005"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/asyncrat_highest_priv_schtasks/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_scheduled_task_with_highest_privileges_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Schtasks Create Run As System", "id": "41a0e58e-884c-11ec-9976-acde48001122", "version": 1, "date": "2022-02-07", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the creation of a new task to start and run as an elevated user - SYSTEM using Schtasks.exe. This behavior is commonly used by adversaries to spawn a process in an elevated state. If a true positive is found, it suggests an attacker is attempting to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. Upon triage, review the scheduled task's source and the command to be executed. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_schtasks` Processes.process=\"*/create *\" AND Processes.process=\"*/ru *\" AND Processes.process=\"*system*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_schtasks_create_run_as_system_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives will be limited to legitimate applications creating a task to run as SYSTEM. Filter as needed based on parent process, or modify the query to have world writeable paths to restrict it.", "references": ["https://pentestlab.blog/2019/11/04/persistence-scheduled-tasks/", "https://www.ired.team/offensive-security/persistence/t1053-schtask", "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/"], "tags": {"name": "Windows Schtasks Create Run As System", "analytic_story": ["Windows Persistence Techniques", "Qakbot", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "An $process_name$ was created on endpoint $dest$ attempting to spawn as SYSTEM.", "mitre_attack_id": ["T1053.005", "T1053"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/schtask_system/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_schtasks", "definition": "(Processes.process_name=schtasks.exe OR Processes.original_file_name=schtasks.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_schtasks_create_run_as_system_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_schtasks_create_run_as_system.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Screen Capture Via Powershell", "id": "5e0b1936-8f99-4399-8ee2-9edc5b32e170", "version": 1, "date": "2023-04-05", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a potential PowerShell script that captures screen images on compromised or targeted hosts. This technique was observed in the Winter-Vivern malware, which attempts to capture desktop screens using a PowerShell script and send the images to its C2 server as part of its exfiltration strategy. This TTP serves as a useful indicator that a PowerShell process may be gathering desktop screenshots from a host system, potentially signaling malicious activity.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText = \"*[Drawing.Graphics]::FromImage(*\" AND ScriptBlockText = \"*New-Object Drawing.Bitmap*\" AND ScriptBlockText = \"*.CopyFromScreen*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_screen_capture_via_powershell_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "unknown", "references": ["https://twitter.com/_CERT_UA/status/1620781684257091584", "https://cert.gov.ua/article/3761104"], "tags": {"name": "Windows Screen Capture Via Powershell", "analytic_story": ["Winter Vivern"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "A PowerShell script was identified possibly performing screen captures on $Computer$.", "mitre_attack_id": ["T1113"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Computer", "UserID", "EventCode"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1113", "mitre_attack_technique": "Screen Capture", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT39", "BRONZE BUTLER", "Dark Caracal", "Dragonfly", "FIN7", "GOLD SOUTHFIELD", "Gamaredon Group", "Group5", "Magic Hound", "MuddyWater", "OilRig", "Silence"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/pwh_exfiltration/windows-powershell-xml.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_screen_capture_via_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_screen_capture_via_powershell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Security Account Manager Stopped", "id": "69c12d59-d951-431e-ab77-ec426b8d65e6", "version": 1, "date": "2020-11-06", "author": "Rod Soto, Jose Hernandez, Splunk", "type": "TTP", "status": "production", "description": "The search looks for a Windows Security Account Manager (SAM) was stopped via command-line. This is consistent with Ryuk infections across a fleet of endpoints.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE (\"Processes.process_name\"=\"net*.exe\" \"Processes.process\"=\"*stop \\\"samss\\\"*\") BY \"Processes.dest\", \"Processes.user\", \"Processes.process\" | `drop_dm_object_name(Processes)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_security_account_manager_stopped_filter`", "how_to_implement": "You must be ingesting data that records the process-system activity from your hosts to populate the Endpoint Processes data-model object. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.", "known_false_positives": "SAM is a critical windows service, stopping it would cause major issues on an endpoint this makes false positive rare. AlthoughNo false positives have been identified.", "references": [], "tags": {"name": "Windows Security Account Manager Stopped", "analytic_story": ["Ryuk Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "message": "The Windows Security Account Manager (SAM) was stopped via cli by $user$ on $dest$ by this command: $processs$", "mitre_attack_id": ["T1489"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process", "type": "Process", "role": ["Target"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.dest", "Processes.user"], "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ryuk/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_security_account_manager_stopped_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_security_account_manager_stopped.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Security Support Provider Reg Query", "id": "31302468-93c9-4eca-9ae3-2d41f53a4e2b", "version": 1, "date": "2022-11-30", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a process command line related to the discovery of possible Security Support Providers in the registry. This technique is being abused by adversaries or post exploitation tools like winpeas to gather LSA protection and configuration in the registry in the targeted host. This registry entry can contain several information related to LSA that validates users for local and remote sign-ins and enforces local security policies. Understanding LSA protection may give a good information in accessing LSA content in memory which is commonly attack by adversaries and tool like mimikatz to scrape password hashes or clear plain text passwords.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = \"* query *\" AND Processes.process = \"*\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\LSA*\" Processes.process IN (\"*RunAsPPL*\" , \"*LsaCfgFlags*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_security_support_provider_reg_query_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used.", "known_false_positives": "unknown", "references": ["https://blog.netwrix.com/2022/01/11/understanding-lsa-protection/", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"name": "Windows Security Support Provider Reg Query", "analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware", "Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Installation", "Exploitation"], "message": "process with reg query command line $process$ in $dest$", "mitre_attack_id": ["T1547.005", "T1547"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id", "Processes.parent_process_guid", "Processes.process_guid"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.005", "mitre_attack_technique": "Security Support Provider", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_security_support_provider_reg_query_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_security_support_provider_reg_query.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Server Software Component GACUtil Install to GAC", "id": "7c025ef0-9e65-4c57-be39-1c13dbb1613e", "version": 1, "date": "2023-01-17", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the Windows SDK utility - GACUtil.exe, being utilized to add a DLL into the Global Assembly Cache (GAC). Each computer where the Common Language Runtime is installed has a machine-wide code cache called the Global Assembly Cache. The Global Assembly Cache stores assemblies specifically designated to be shared by several applications on the computer. By adding a DLL to the GAC, this allows an adversary to call it via any other means across the operating systems. As outlined by Microsoft in their blog, it is not common to see this spawning from W3WP.exe, however, in a non-development environment it may not be common at all. Note that in order to utilize GACutil.exe, The Windows SDK must be installed, this is not a native binary.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=gacutil.exe Processes.process IN (\"*-i *\",\"*/i *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_server_software_component_gacutil_install_to_gac_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present if gacutil.exe is utilized day to day by developers. Filter as needed.", "references": ["https://strontic.github.io/xcyclopedia/library/gacutil.exe-F2FE4DF74BD214EDDC1A658043828089.html", "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", "https://learn.microsoft.com/en-us/dotnet/framework/app-domains/gac"], "tags": {"name": "Windows Server Software Component GACUtil Install to GAC", "analytic_story": ["IIS Components"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to add a module to the global assembly cache.", "mitre_attack_id": ["T1505", "T1505.004"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/gacutil_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_server_software_component_gacutil_install_to_gac_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Service Create Kernel Mode Driver", "id": "0b4e3b06-1b2b-4885-b752-cf06d12a90cb", "version": 1, "date": "2022-05-05", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifes a new kernel driver being added to Windows using sc.exe. Adding a Kernel driver is not common day to day and should be investigated to further understand the source.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sc.exe Processes.process=\"*kernel*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_create_kernel_mode_driver_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present based on common applications adding new drivers, however, filter as needed.", "references": ["https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/"], "tags": {"name": "Windows Service Create Kernel Mode Driver", "analytic_story": ["Windows Drivers", "CISA AA22-320A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Installation", "Exploitation"], "message": "Service control, $process_name$, loaded a new kernel mode driver on $dest$ by $user$.", "mitre_attack_id": ["T1543.003", "T1543", "T1068"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 48, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/sc_kernel.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_service_create_kernel_mode_driver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_service_create_kernel_mode_driver.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Service Create RemComSvc", "id": "0be4b5d6-c449-4084-b945-2392b519c33b", "version": 1, "date": "2023-03-20", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies RemComSvc installed on an endpoint. This typically occurs when someone is moving laterally with RemCom.exe.", "data_source": ["Windows System 7045"], "search": "`wineventlog_system` EventCode=7045 ServiceName=\"RemCom Service\" | stats count min(_time) as firstTime max(_time) as lastTime by dest ImagePath ServiceName ServiceType | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_create_remcomsvc_filter`", "how_to_implement": "To implement this analytic, the Windows EventCode 7045 will need to be logged. The Windows TA for Splunk is also recommended.", "known_false_positives": "False positives may be present, filter as needed based on administrative activity.", "references": ["https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "https://github.com/kavika13/RemCom"], "tags": {"name": "Windows Service Create RemComSvc", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 40, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A new service was created related to RemCom on $dest$.", "mitre_attack_id": ["T1543.003", "T1543"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "EventCode", "ImagePath", "ServiceName", "ServiceType"], "risk_score": 32, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/atomic_red_team/remcom_windows-system.log", "source": "XmlWinEventLog:System", "sourcetype": "XmlWinEventLog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_service_create_remcomsvc_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_service_create_remcomsvc.yml", "source": "endpoint"}, {"name": "Windows Service Create SliverC2", "id": "89dad3ee-57ec-43dc-9044-131c4edd663f", "version": 1, "date": "2023-03-03", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "When an adversary utilizes SliverC2 to laterally move with the Psexec module, it will create a service with the name and description of \"Sliver\" and \"Sliver Implant\". Note that these may be easily changed and are specific to only SliverC2. We have also created the same regex as Microsoft has outlined to attempt to capture the suspicious service path (regex101 reference).", "data_source": ["Windows System 7045"], "search": "`wineventlog_system` EventCode=7045 ServiceName=\"sliver\" | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_create_sliverc2_filter`", "how_to_implement": "To implement this analytic, the Windows EventCode 7045 will need to be logged from the System Event log. The Windows TA for Splunk is also recommended.", "known_false_positives": "False positives should be limited, but if another service out there is named Sliver, filtering may be needed.", "references": ["https://github.com/BishopFox/sliver/blob/71f94928bf36c1557ea5fbeffa161b71116f56b2/client/command/exec/psexec.go#LL61C5-L61C16", "https://www.microsoft.com/en-us/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/", "https://regex101.com/r/DWkkXm/1"], "tags": {"name": "Windows Service Create SliverC2", "analytic_story": ["BishopFox Sliver Adversary Emulation Framework"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Installation"], "message": "A user mode service was created on $ComputerName$ related to SliverC2.", "mitre_attack_id": ["T1569", "T1569.002"], "nist": ["DE.CM"], "observable": [{"name": "ComputerName", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["EventCode", "Computer", "ServiceName", "ImagePath", "ServiceType"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/sliver/sliver_windows-system.log", "source": "XmlWinEventLog:System", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_service_create_sliverc2_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_service_create_sliverc2.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Windows Service Create with Tscon", "id": "c13b3d74-6b63-4db5-a841-4206f0370077", "version": 1, "date": "2023-03-29", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic detects potential RDP Hijacking attempts by monitoring a series of actions taken by an attacker to gain unauthorized access to a remote system. The attacker first runs the quser command to query the remote host for disconnected user sessions. Upon identifying a disconnected session, they use the sc.exe command to create a new Windows service with a binary path that launches tscon.exe. By specifying the disconnected session ID and a destination ID, the attacker can transfer the disconnected session to a new RDP session, effectively hijacking the user's session. This analytic allows security teams to detect and respond to RDP Hijacking attempts, mitigating potential risks and impacts on targeted systems.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sc.exe Processes.process=\"*/dest:rdp-tcp*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_create_with_tscon_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may arise in the RDP Hijacking analytic when legitimate administrators access remote sessions for maintenance or troubleshooting purposes. These activities might resemble an attacker''s attempt to hijack a disconnected session, leading to false alarms. To mitigate the risk of false positives and improve the overall security posture, organizations can implement Group Policy to automatically disconnect RDP sessions when they are complete. By enforcing this policy, administrators ensure that disconnected sessions are promptly terminated, reducing the window of opportunity for an attacker to hijack a session. Additionally, organizations can also implement access control mechanisms and monitor the behavior of privileged accounts to further enhance security and reduce the chances of false positives in RDP Hijacking detection.", "references": ["https://doublepulsar.com/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"], "tags": {"name": "Windows Service Create with Tscon", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to hijack a RDP session.", "mitre_attack_id": ["T1563.002", "T1563", "T1543.003"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1563.002", "mitre_attack_technique": "RDP Hijacking", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Axiom"]}, {"mitre_attack_id": "T1563", "mitre_attack_technique": "Remote Service Session Hijacking", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1563.002/rdphijack/tscon_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_service_create_with_tscon_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_service_create_with_tscon.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Service Created with Suspicious Service Path", "id": "429141be-8311-11eb-adb6-acde48001122", "version": 3, "date": "2022-11-14", "author": "Teoderick Contreras, Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytics uses Windows Event Id 7045, `New Service Was Installed`, to identify the creation of a Windows Service where the service binary path path is located in a non-common Service folder in Windows. Red Teams and adversaries alike may create malicious Services for lateral movement or remote code execution as well as persistence and execution. The Clop ransomware has also been seen in the wild abusing Windows services.", "data_source": ["Sysmon Event ID 7"], "search": " `wineventlog_system` EventCode=7045 Service_File_Name = \"*.exe\" NOT (Service_File_Name IN (\"*:\\\\Windows\\\\*\", \"*:\\\\Program File*\", \"*:\\\\Programdata\\\\*\", \"*%systemroot%\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Service_File_Name Service_Name Service_Start_Type Service_Type dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_created_with_suspicious_service_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.", "known_false_positives": "Legitimate applications may install services with uncommon services paths.", "references": ["https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft", "https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html"], "tags": {"name": "Windows Service Created with Suspicious Service Path", "analytic_story": ["Clop Ransomware", "Active Directory Lateral Movement", "Brute Ratel C4", "Qakbot", "Snake Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation"], "message": "A service $Service_File_Name$ was created from a non-standard path using $Service_Name$", "mitre_attack_id": ["T1569", "T1569.002"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "Service_File_Name", "type": "Other", "role": ["Other"]}, {"name": "Service_Name", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["EventCode", "Service_File_Name", "Service_Type", "_time", "Service_Name", "Service_Start_Type", "dest"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_service_created_with_suspicious_service_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_service_created_with_suspicious_service_path.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Windows Service Created Within Public Path", "id": "3abb2eda-4bb8-11ec-9ae4-3e22fbd008af", "version": 1, "date": "2021-11-22", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytc uses Windows Event Id 7045, `New Service Was Installed`, to identify the creation of a Windows Service where the service binary path is located in public paths. This behavior could represent the installation of a malicious service. Red Teams and adversaries alike may create malicious Services for lateral movement or remote code execution", "data_source": ["Sysmon Event ID 7"], "search": "`wineventlog_system` EventCode=7045 Service_File_Name = \"*\\.exe\" NOT (Service_File_Name IN (\"C:\\\\Windows\\\\*\", \"C:\\\\Program File*\", \"C:\\\\Programdata\\\\*\", \"%systemroot%\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by ComputerName EventCode Service_File_Name Service_Name Service_Start_Type Service_Type | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_created_within_public_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.", "known_false_positives": "Legitimate applications may install services with uncommon services paths.", "references": ["https://docs.microsoft.com/en-us/windows/win32/services/service-control-manager", "https://pentestlab.blog/2020/07/21/lateral-movement-services/"], "tags": {"name": "Windows Service Created Within Public Path", "analytic_story": ["Active Directory Lateral Movement", "Snake Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A Windows Service $Service_File_Name$ with a public path was created on $ComputerName", "mitre_attack_id": ["T1543", "T1543.003"], "nist": ["DE.CM"], "observable": [{"name": "Service_File_Name", "type": "Other", "role": ["Other"]}, {"name": "ComputerName", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["EventCode", "Service_File_Name", "Service_Type", "_time", "Service_Name", "Service_Start_Type"], "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement_suspicious_path/windows-system.log", "source": "WinEventLog:System", "sourcetype": "WinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_service_created_within_public_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_service_created_within_public_path.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Windows Service Creation on Remote Endpoint", "id": "e0eea4fa-4274-11ec-882b-3e22fbd008af", "version": 1, "date": "2021-11-10", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `sc.exe` with command-line arguments utilized to create a Windows Service on a remote endpoint. Red Teams and adversaries alike may abuse the Service Control Manager for lateral movement and remote code execution.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=sc.exe OR Processes.original_file_name=sc.exe) (Processes.process=*\\\\\\\\* AND Processes.process=*create* AND Processes.process=*binpath*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_service_creation_on_remote_endpoint_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints.", "known_false_positives": "Administrators may create Windows Services on remote systems, but this activity is usually limited to a small set of hosts or users.", "references": ["https://docs.microsoft.com/en-us/windows/win32/services/service-control-manager", "https://docs.microsoft.com/en-us/windows/win32/services/controlling-a-service-using-sc", "https://attack.mitre.org/techniques/T1543/003/"], "tags": {"name": "Windows Service Creation on Remote Endpoint", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A Windows Service was created on a remote endpoint from $dest", "mitre_attack_id": ["T1543", "T1543.003"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_service_creation_on_remote_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_service_creation_on_remote_endpoint.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Service Creation Using Registry Entry", "id": "25212358-948e-11ec-ad47-acde48001122", "version": 3, "date": "2023-04-27", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic is to look for suspicious modification or creation of registry to have service entry. This technique is abused by adversaries or threat actor to persist, gain privileges in the machine or even lateral movement. This technique can be executed using reg.exe application or using windows API like for example the CrashOveride malware. This detection is a good indicator that a process is trying to create a service entry using registry ImagePath.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\SYSTEM\\\\CurrentControlSet\\\\Services*\" Registry.registry_value_name = ImagePath) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_creation_using_registry_entry_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "Third party tools may used this technique to create services but not so common.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1574.011/T1574.011.md"], "tags": {"name": "Windows Service Creation Using Registry Entry", "analytic_story": ["Active Directory Lateral Movement", "Suspicious Windows Registry Activities", "Windows Persistence Techniques", "Windows Registry Abuse", "Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation", "Installation"], "message": "A Windows Service was created on a endpoint from $dest$", "mitre_attack_id": ["T1574.011"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.011/change_registry_path_service/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_service_creation_using_registry_entry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_service_creation_using_registry_entry.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Service Deletion In Registry", "id": "daed6823-b51c-4843-a6ad-169708f1323e", "version": 1, "date": "2022-08-24", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a service being deleted from the Windows Registry under CurrentControlSet\\Services. Adversaries may delete a service as part of defense evasion.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\SYSTEM\\\\CurrentControlSet\\\\Services*\" AND (Registry.action = deleted OR (Registry.registry_value_name = DeleteFlag AND Registry.registry_value_data = 0x00000001 AND Registry.action=modified)) by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_value_name Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_deletion_in_registry_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.", "known_false_positives": "This event can be seen when administrator delete a service or uninstall/reinstall a software that creates service entry, but it is still recommended to check this alert with high priority.", "references": ["https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/"], "tags": {"name": "Windows Service Deletion In Registry", "analytic_story": ["Brute Ratel C4"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 60, "kill_chain_phases": ["Actions on Objectives"], "message": "A service was deleted on $dest$ within the Windows registry.", "mitre_attack_id": ["T1489"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.registry_key_name", "Registry.registry_path", "Registry.user", "Registry.dest", "Registry.registry_value_name", "Processes.process_id", "Processes.process_name", "Processes.process", "Processes.dest", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_guid"], "risk_score": 18, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/service_deletion/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_service_deletion_in_registry_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_service_deletion_in_registry.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Service Initiation on Remote Endpoint", "id": "3f519894-4276-11ec-ab02-3e22fbd008af", "version": 1, "date": "2021-11-10", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the execution of `sc.exe` with command-line arguments utilized to start a Windows Service on a remote endpoint. Red Teams and adversaries alike may abuse the Service Control Manager for lateral movement and remote code execution.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=sc.exe OR Processes.original_file_name=sc.exe) (Processes.process=*\\\\\\\\* AND Processes.process=*start*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_service_initiation_on_remote_endpoint_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints.", "known_false_positives": "Administrators may start Windows Services on remote systems, but this activity is usually limited to a small set of hosts or users.", "references": ["https://docs.microsoft.com/en-us/windows/win32/services/controlling-a-service-using-sc", "https://attack.mitre.org/techniques/T1543/003/"], "tags": {"name": "Windows Service Initiation on Remote Endpoint", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A Windows Service was started on a remote endpoint from $dest", "mitre_attack_id": ["T1543", "T1543.003"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_service_initiation_on_remote_endpoint_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Service Stop By Deletion", "id": "196ff536-58d9-4d1b-9686-b176b04e430b", "version": 1, "date": "2023-06-13", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies Windows Service Control, `sc.exe`, attempting to delete a service. This is typically identified in parallel with other instances of service enumeration of attempts to stop a service and then delete it. Adversaries utilize this technique to terminate security services or other related services to continue there objective and evade detections.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = sc.exe OR Processes.original_file_name = sc.exe) Processes.process=\"* delete *\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_stop_by_deletion_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "It is possible administrative scripts may start/stop/delete services. Filter as needed.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/", "https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"], "tags": {"name": "Windows Service Stop By Deletion", "analytic_story": ["Azorult", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ attempting to delete a service.", "mitre_attack_id": ["T1489"], "nist": ["DE.CM"], "observable": [{"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.process_name", "Processes.process", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_id", "Processes.parent_process_id", "Processes.dest", "Processes.user"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_service_stop_by_deletion_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_service_stop_by_deletion.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Service Stop Via Net and SC Application", "id": "827af04b-0d08-479b-9b84-b7d4644e4b80", "version": 1, "date": "2023-06-13", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic identifies suspicious attempts to stop services on a system using either `net.exe` or `sc.exe`. This technique is used by adversaries to terminate security services or other related services to continue their objective and evade detections. This technique is also commonly used by ransomware threat actors to successfully encrypt databases or files being processed or used by Windows OS Services.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name = \"sc.exe\" OR Processes.original_file_name= \"sc.exe\" AND Processes.process=\"*stop*\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_stop_via_net__and_sc_application_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Windows OS or software may stop and restart services due to some critical update.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"name": "Windows Service Stop Via Net and SC Application", "analytic_story": ["Prestige Ransomware", "Graceful Wipe Out Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "message": "$process$ was executed on $dest$ attempting to stop service.", "mitre_attack_id": ["T1489"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/prestige_ransomware/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_service_stop_via_net__and_sc_application_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Service Stop Win Updates", "id": "0dc25c24-6fcf-456f-b08b-dd55a183e4de", "version": 1, "date": "2023-04-21", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a windows update service being disabled in Windows OS. This technique is being abused by adversaries or threat actors to add defense mechanisms to their malware implant in the targeted host. Disabling windows update will put the compromised host vulnerable in some zero day exploit or even some update features against threats. RedLine Stealer kills this service as part of its defense evasion mechanism.", "data_source": ["System Event ID 7040"], "search": "`wineventlog_system` EventCode=7040 (service_name IN (\"Update Orchestrator Service for Windows Update\", \"WaaSMedicSvc\", \"Windows Update\") OR param1 IN (\"UsoSvc\", \"WaaSMedicSvc\", \"wuauserv\")) AND (param3=disabled OR start_mode = disabled) | stats count min(_time) as firstTime max(_time) as lastTime by Computer Error_Code service_name start_mode param1 param2 param3 param4 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_stop_win_updates_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints (like Windows system.log Event ID 7040)", "known_false_positives": "Network administrator may disable this services as part of its audit process within the network. Filter is needed.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer"], "tags": {"name": "Windows Service Stop Win Updates", "analytic_story": ["RedLine Stealer"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "message": "Windows update services $service_name$ was being disabled on $dest$", "mitre_attack_id": ["T1489"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Computer", "EventCode", "Error_Code", "service_name", "start_mode", "param1", "param2", "param3", "param4"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/win_update_services_stop/system.log", "source": "XmlWinEventLog:System", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_service_stop_win_updates_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_service_stop_win_updates.yml", "source": "endpoint"}, {"name": "Windows Snake Malware File Modification Crmlog", "id": "27187e0e-c221-471d-a7bd-04f698985ff6", "version": 1, "date": "2023-05-10", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identfies a .crmlog written to windows\\registration. Per the report, typically, this file has been found within the %windows%\\Registration directory with the format of ..crmlog and is decrypted by Snake's kernel driver.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path=\"*\\\\windows\\\\registration\\\\*\" AND Filesystem.file_name=\"*.crmlog\" by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_snake_malware_file_modification_crmlog_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present as the file pattern does match legitimate files on disk. It is possible other native tools write the same file name scheme.", "references": ["https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"], "tags": {"name": "Windows Snake Malware File Modification Crmlog", "analytic_story": ["Snake Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "A file related to Snake Malware has been identified on $dest$.", "mitre_attack_id": ["T1027"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.file_create_time", "Filesystem.process_id", "Filesystem.file_name", "Filesystem.file_path", "Filesystem.dest"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "atomic_guid": ["7e47ee60-9dd1-4269-9c4f-97953b183268"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/snakemalware/snake_crmlog-windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_snake_malware_file_modification_crmlog_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_snake_malware_file_modification_crmlog.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Snake Malware Kernel Driver Comadmin", "id": "628d9c7c-3242-43b5-9620-7234c080a726", "version": 1, "date": "2023-05-11", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the comadmin.dat file written to disk, which is related to Snake Malware. From the report, Snakes installer drops the kernel driver and a custom DLL which is used to load the driver into a single AES encrypted file on disk. Typically, this file is named comadmin.dat and is stored in the %windows%\\system32\\Com directory.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path=\"*\\\\windows\\\\system32\\\\com\\\\*\" AND Filesystem.file_name=\"comadmin.dat\" by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_snake_malware_kernel_driver_comadmin_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"], "tags": {"name": "Windows Snake Malware Kernel Driver Comadmin", "analytic_story": ["Snake Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A kernel driver comadmin.dat related to Snake Malware was written to disk on $dest$.", "mitre_attack_id": ["T1547.006"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.file_create_time", "Filesystem.process_id", "Filesystem.file_name", "Filesystem.file_path", "Filesystem.dest"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "atomic_guid": ["e5cb5564-cc7b-4050-86e8-f2d9eec1941f"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/snakemalware/comadmin_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_snake_malware_kernel_driver_comadmin_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_snake_malware_kernel_driver_comadmin.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Snake Malware Registry Modification wav OpenWithProgIds", "id": "13cf8b79-805d-443c-bf52-f55bd7610dfd", "version": 1, "date": "2023-05-10", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The follow analytic identifies the registry being modified at .wav\\\\OpenWithProgIds\\, which is related to the Snake Malware campaign. Upon execution, Snake's WerFault.exe will attempt to decrypt an encrypted blob within the Windows registry that is typically found at HKLM:\\SOFTWARE\\Classes\\.wav\\OpenWithProgIds. The encrypted data includes the AES key, IV, and path that is used to find and decrypt the file containing Snake's kernel driver and kernel driver loader.", "data_source": ["Sysmon Event ID 13"], "search": "| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\.wav\\\\OpenWithProgIds\\\\*\" by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_snake_malware_registry_modification_wav_openwithprogids_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present and will require tuning based on program Ids in large organizations.", "references": ["https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"], "tags": {"name": "Windows Snake Malware Registry Modification wav OpenWithProgIds", "analytic_story": ["Snake Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "A registry modification related to Snake Malware has been identified on $dest$.", "mitre_attack_id": ["T1112"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Registry.dest", "Registry.user", "Registry.registry_path", "Registry.registry_key_name", "Registry.registry_value_name"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "atomic_guid": ["8318ad20-0488-4a64-98f4-72525a012f6b"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/snakemalware/snake_malware_regblob-windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_snake_malware_registry_modification_wav_openwithprogids_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Snake Malware Service Create", "id": "64eb091f-8cab-4b41-9b09-8fb4942377df", "version": 1, "date": "2023-05-11", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a new service WerFaultSvc being created with a binary path located in the windows winsxs path. Per the report, the Snake version primarily discussed in this advisory registers a service to maintain persistence on a system. Typically this service is named WerFaultSvc which we assess was used to blend in with the legitimate Windows service WerSvc. On boot, this service will execute Snakes WerFault.exe, which Snake developers chose to hide among the numerous valid Windows WerFault.exe files in the windows WinSxS directory. Executing WerFault.exe will start the process of decrypting Snakes components and loading them into memory.", "data_source": ["Windows System 7045"], "search": "`wineventlog_system` EventCode=7045 ImagePath=\"*\\\\windows\\\\winSxS\\\\*\" ImagePath=\"*\\Werfault.exe\" | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_snake_malware_service_create_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows System logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.", "known_false_positives": "False positives should be limited as this is a strict primary indicator used by Snake Malware.", "references": ["https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"], "tags": {"name": "Windows Snake Malware Service Create", "analytic_story": ["Snake Malware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A service, WerFaultSvc, was created on $dest$ and is related to Snake Malware.", "mitre_attack_id": ["T1547.006", "T1569.002"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["EventCode", "Service_File_Name", "Service_Type", "_time", "Service_Name", "Service_Start_Type", "Service_Account", "user"], "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "atomic_guid": ["b8db787e-dbea-493c-96cb-9272296ddc49"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/snakemalware/snake-service-windows-system.log", "source": "XmlWinEventLog:System", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_snake_malware_service_create_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_snake_malware_service_create.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Windows Spearphishing Attachment Connect To None MS Office Domain", "id": "1cb40e15-cffa-45cc-abbd-e35884a49766", "version": 2, "date": "2023-02-15", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "this detection was designed to identifies suspicious office documents that connect to a website aside from Microsoft Office Domain. This technique was seen in several malicious documents that abuses .rels xml properties of MS office to connect or download malicious files. This hunting query can be a good pivot or guide to check what URL link it tries to connect, what domain, where the documents came from and how the connection happens.", "data_source": ["Sysmon Event ID 22"], "search": "`sysmon` EventCode=22 Image IN (\"*\\\\winword.exe\",\"*\\\\excel.exe\",\"*\\\\powerpnt.exe\",\"*\\\\mspub.exe\",\"*\\\\visio.exe\",\"*\\\\wordpad.exe\",\"*\\\\wordview.exe\",\"*\\\\onenote.exe\", \"*\\\\onenotem.exe\",\"*\\\\onenoteviewer.exe\",\"*\\\\onenoteim.exe\", \"*\\\\msaccess.exe\") AND NOT(QueryName IN (\"*.office.com\", \"*.office.net\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryResults QueryStatus Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_spearphishing_attachment_connect_to_none_ms_office_domain_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Windows Office document may contain legitimate url link other than MS office Domain. filter is needed", "references": ["https://www.netskope.com/blog/asyncrat-using-fully-undetected-downloader", "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"name": "Windows Spearphishing Attachment Connect To None MS Office Domain", "analytic_story": ["Spearphishing Attachments", "AsyncRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Delivery"], "message": "a office document process $Image$ connect to an URL link $QueryName$ in $Computer$", "mitre_attack_id": ["T1566.001", "T1566"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Image", "QueryName", "QueryResults", "QueryStatus", "Computer"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/office_doc_abuses_rels/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_spearphishing_attachment_connect_to_none_ms_office_domain_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml", "source": "endpoint"}, {"name": "Windows Spearphishing Attachment Onenote Spawn Mshta", "id": "35aeb0e7-7de5-444a-ac45-24d6788796ec", "version": 1, "date": "2023-01-24", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following detection identifies the latest behavior utilized by different malware families (including TA551, AsyncRat, Redline and DCRAT). This detection identifies onenote Office Product spawning `mshta.exe`. In malicious instances, the command-line of `mshta.exe` will contain the `hta` file locally, or a URL to the remote destination. In addition, Threat Research has released a detections identifying suspicious use of `mshta.exe`. In this instance, we narrow our detection down to the Office suite as a parent process. During triage, review all file modifications. Capture and analyze any artifacts on disk. The Office Product, or `mshta.exe` will have reached out to a remote destination, capture and block the IPs or domain. Review additional parallel processes for further activity.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"onenote.exe\", \"onenotem.exe\") `process_mshta` by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_spearphishing_attachment_onenote_spawn_mshta_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "No false positives known. Filter as needed.", "references": ["https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/", "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"], "tags": {"name": "Windows Spearphishing Attachment Onenote Spawn Mshta", "analytic_story": ["Spearphishing Attachments", "AsyncRAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Delivery"], "message": "office parent process $parent_process_name$ will execute a suspicious child process $process_name$ with process id $process_id$ in host $dest$", "mitre_attack_id": ["T1566.001", "T1566"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 81, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/onenote_spear_phishing/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_mshta", "definition": "(Processes.process_name=mshta.exe OR Processes.original_file_name=MSHTA.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "windows_spearphishing_attachment_onenote_spawn_mshta_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Special Privileged Logon On Multiple Hosts", "id": "4c461f5a-c2cc-4e86-b132-c262fc9edca7", "version": 1, "date": "2023-03-27", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic leverages Event ID 4672 to identify a source user authenticating with special privileges across a large number remote endpoints. Specifically, the logic will trigger when a source user obtains special privileges across 30 or more target computers within a 5 minute timespan. Special privileges are assigned to a new logon session when sensitive privileges like SeDebugPrivilege and SeImpersonatePrivilege are assigned. This behavior could represent an adversary who is moving laterally and executing remote code across the network. It can also be triggered by other behavior like an adversary enumerating network shares. As environments differ across organizations, security teams should customize the thresholds of this detection as needed.", "data_source": [], "search": " `wineventlog_security` EventCode=4672 AND NOT(Caller_User_Name IN (\"DWM-1\",\"DWM-2\",\"DWM-3\",\"LOCAL SERVICE\",\"NETWORK SERVICE\",\"SYSTEM\",\"*$\")) | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as host_targets values(PrivilegeList) as privileges by _time, Caller_User_Name | where unique_targets > 30 | `windows_special_privileged_logon_on_multiple_hosts_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting special logon events. The Advanced Security Audit policy setting `Audit Special Logon` within `Logon/Logoff` need to be enabled.", "known_false_positives": "Vulnerability scanners or system administration tools may also trigger this detection. Filter as needed.", "references": ["https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319113(v=ws.11)", "https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/", "https://attack.mitre.org/tactics/TA0008/"], "tags": {"name": "Windows Special Privileged Logon On Multiple Hosts", "analytic_story": ["Active Directory Privilege Escalation", "Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "A source user $Caller_User_Name$ obtained special privileges on a large number of endpoints within 5 minutes.", "mitre_attack_id": ["T1087", "T1021.002", "T1135"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}, {"name": "Caller_User_Name", "type": "User", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Caller_User_Name", "Computer", "PrivilegeList"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/special_logon_on_mulitple_hosts/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_special_privileged_logon_on_multiple_hosts_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_special_privileged_logon_on_multiple_hosts.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Steal Authentication Certificates Certificate Issued", "id": "9b1a5385-0c31-4c39-9753-dc26b8ce64c2", "version": 1, "date": "2023-02-06", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies when a new certificate is issued against the Certificate Services - AD CS. By its very nature this is not malicious, but should be tracked and correlated with other events related to certificates being issued. When the CA issues the certificate, it creates EID 4887 'Certificate Services approved a certificate request and issued a certificate\". The event supplies the requester user context, the DNS hostname of the machine they requested the certificate from, and the time they requested the certificate. The attributes fields in these event commonly has values for CDC, RMD, and CCM which correspond to Client DC, Request Machine DNS name, and Cert Client Machine, respectively.", "data_source": [], "search": "`wineventlog_security` EventCode=4887 | stats count min(_time) as firstTime max(_time) as lastTime by dest, name, Requester, action, Attributes, Subject | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_steal_authentication_certificates_certificate_issued_filter`", "how_to_implement": "To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference.", "known_false_positives": "False positives will be generated based on normal certificates issued. Leave enabled to generate Risk, as this is meant to be an anomaly analytic.", "references": ["https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf"], "tags": {"name": "Windows Steal Authentication Certificates Certificate Issued", "analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 10, "kill_chain_phases": ["Exploitation"], "message": "A certificate was issued to $dest$.", "mitre_attack_id": ["T1649"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "name", "Requester", "action", "Attributes"], "risk_score": 8, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4887_windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_steal_authentication_certificates_certificate_issued_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_steal_authentication_certificates_certificate_issued.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Steal Authentication Certificates Certificate Request", "id": "747d7800-2eaa-422d-b994-04d8bb9e06d0", "version": 1, "date": "2023-02-06", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies when a new certificate is requested against the Certificate Services - AD CS. By its very nature this is not malicious, but should be tracked and correlated with other events related to certificate requests. When an account requests a certificate, the CA generates event ID (EID) 4886 \"Certificate Services received a certificate request\".", "data_source": [], "search": "`wineventlog_security` EventCode=4886 | stats count min(_time) as firstTime max(_time) as lastTime by dest, name, Requester, action, Attributes | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_certificate_request_filter`", "how_to_implement": "To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference.", "known_false_positives": "False positives will be generated based on normal certificate requests. Leave enabled to generate Risk, as this is meant to be an anomaly analytic.", "references": ["https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf"], "tags": {"name": "Windows Steal Authentication Certificates Certificate Request", "analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 10, "kill_chain_phases": ["Exploitation"], "message": "A certificate was requested by $dest$.", "mitre_attack_id": ["T1649"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "name", "Requester", "action", "Attributes"], "risk_score": 8, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4886_windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_steal_authentication_certificates_certificate_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_steal_authentication_certificates_certificate_request.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Steal Authentication Certificates CertUtil Backup", "id": "bac85b56-0b65-4ce5-aad5-d94880df0967", "version": 1, "date": "2023-02-06", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic is focused on CertUtil.exe performing a backup of the Certificate Store. Typically, administrators may perform this task to migrate or perform backups of the store, however it may be found uncommon in most organizations.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` Processes.process IN (\"*-backupdb *\", \"*-backup *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_certutil_backup_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives will be generated based on normal certificate store backups. Leave enabled to generate Risk, as this is meant to be an anomaly analytic. If CS backups are not normal, enable as TTP.", "references": ["https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf"], "tags": {"name": "Windows Steal Authentication Certificates CertUtil Backup", "analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to backup the Certificate Store.", "mitre_attack_id": ["T1649"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/backupdb_certutil_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_certutil", "definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "windows_steal_authentication_certificates_certutil_backup_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Steal Authentication Certificates CryptoAPI", "id": "905d5692-6d7c-432f-bc7e-a6b4f464d40e", "version": 1, "date": "2023-02-08", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic utilizes a Windows Event Log - CAPI2 - or CryptoAPI 2, to identify suspicious certificate extraction. Typically, this event log is meant for diagnosing PKI issues, however is a great source to identify certificate exports. Note that this event log is noisy as it captures common PKI requests from many different processes. EventID 70 is generated anytime a certificate is exported. The description for EventID 70 is \"Acquire Certificate Private Key\". STRT tested this analytic using Mimikatz binary and the implementation of Mimikatz in Cobalt Strike.", "data_source": ["Sysmon Event ID 7"], "search": "`capi2_operational` EventCode=70 | xmlkv UserData_Xml | stats count min(_time) as firstTime max(_time) as lastTime by Computer, UserData_Xml | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_cryptoapi_filter`", "how_to_implement": "To implement this analytic, one will need to enable the Microsoft-Windows-CAPI2/Operational log within the Windows Event Log. Note this is a debug log for many purposes, and the analytic only focuses in on EventID 70. Review the following gist for additional enabling information.", "known_false_positives": "False positives may be present in some instances of legitimate applications requiring to export certificates. Filter as needed.", "references": ["https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc749296(v=ws.10)"], "tags": {"name": "Windows Steal Authentication Certificates CryptoAPI", "analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Certificates were exported via the CryptoAPI 2 on $dest$.", "mitre_attack_id": ["T1649"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Computer", "UserData_Xml"], "risk_score": 24, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/capi2-operational.log", "source": "XmlWinEventLog:Microsoft-Windows-CAPI2/Operational", "sourcetype": "XmlWinEventLog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "capi2_operational", "definition": "(source=XmlWinEventLog:Microsoft-Windows-CAPI2/Operational)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_steal_authentication_certificates_cryptoapi_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_steal_authentication_certificates_cryptoapi.yml", "source": "endpoint"}, {"name": "Windows Steal Authentication Certificates CS Backup", "id": "a2f4cc7f-6503-4078-b206-f83a29f408a7", "version": 1, "date": "2023-02-06", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies when the Active Directory Certificate Services store is backed up utilizing Event ID 4876. This event triggers whenever the backup occurs in the UI of CertSrv.msc or via CertUtil.exe -BackupDB occurs.", "data_source": [], "search": "`wineventlog_security` EventCode=4876| stats count min(_time) as firstTime max(_time) as lastTime by dest, name, action, Caller_Domain ,Caller_User_Name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_cs_backup_filter`", "how_to_implement": "To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 128 of first reference.", "known_false_positives": "False positives will be generated based on normal certificate store backups. Leave enabled to generate Risk, as this is meant to be an anomaly analytic. If CS backups are not normal, enable as TTP.", "references": ["https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf"], "tags": {"name": "Windows Steal Authentication Certificates CS Backup", "analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "The Active Directory Certiciate Services was backed up on $dest$.", "mitre_attack_id": ["T1649"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "name", "action", "Caller_Domain", "Caller_User_Name"], "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4876_windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_steal_authentication_certificates_cs_backup_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_steal_authentication_certificates_cs_backup.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Steal Authentication Certificates Export Certificate", "id": "e39dc429-c2a5-4f1f-9c3c-6b211af6b332", "version": 1, "date": "2023-02-01", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies the use of export-certificate, the PowerShell cmdlet, being utilized on the command-line in an attempt to export the certifcate from the local Windows Certificate Store.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*export-certificate*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_export_certificate_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Filtering may be requried based on automated utilities and third party applications that may export certificates.", "references": ["https://dev.to/iamthecarisma/managing-windows-pfx-certificates-through-powershell-3pj", "https://learn.microsoft.com/en-us/powershell/module/pki/export-certificate?view=windowsserver2022-ps"], "tags": {"name": "Windows Steal Authentication Certificates Export Certificate", "analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to export a certificate from the local Windows Certificate Store.", "mitre_attack_id": ["T1649"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/export_certificate_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_steal_authentication_certificates_export_certificate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Steal Authentication Certificates Export PfxCertificate", "id": "391329f3-c14b-4b8d-8b37-ac5012637360", "version": 1, "date": "2023-02-01", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies the use of export-pfxcertificate, the PowerShell cmdlet, being utilized on the command-line in an attempt to export the certifcate from the local Windows Certificate Store.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\"*export-pfxcertificate*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates_export_pfxcertificate_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Filtering may be requried based on automated utilities and third party applications that may export certificates.", "references": ["https://dev.to/iamthecarisma/managing-windows-pfx-certificates-through-powershell-3pj", "https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps"], "tags": {"name": "Windows Steal Authentication Certificates Export PfxCertificate", "analytic_story": ["Windows Certificate Services"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to export a certificate from the local Windows Certificate Store.", "mitre_attack_id": ["T1649"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/export_pfxcertificate_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_steal_authentication_certificates_export_pfxcertificate_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Steal or Forge Kerberos Tickets Klist", "id": "09d88404-1e29-46cb-806c-1eedbc85ad5d", "version": 1, "date": "2022-11-30", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies a process execution of Windows OS klist.exe tool. This tool is being abused or used by several post exploitation tool such as winpeas that being used by ransomware prestige to display or gather list of currently cached kerberos ticket. This cahced data can be used for lateral movement or even privilege escalation on the targeted host. This hunting query can be a good pivot in possible kerberos attack or pass the hash technique.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"klist.exe\" OR Processes.original_file_name = \"klist.exe\" Processes.parent_process_name IN (\"cmd.exe\", \"powershell*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_or_forge_kerberos_tickets_klist_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used.", "known_false_positives": "unknown", "references": ["https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"name": "Windows Steal or Forge Kerberos Tickets Klist", "analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "process klist.exe executed in $dest$", "mitre_attack_id": ["T1558"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id", "Processes.parent_process_guid", "Processes.process_guid"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_steal_or_forge_kerberos_tickets_klist_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_steal_or_forge_kerberos_tickets_klist.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows System Binary Proxy Execution Compiled HTML File Decompile", "id": "2acf0e19-4149-451c-a3f3-39cd3c77e37d", "version": 1, "date": "2022-08-31", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the decompile parameter with the HTML Help application, HH.exe. This is a uncommon command to see ran and behavior. Most recently this was seen in a APT41 campaign where a CHM file was delivered and a script inside used a technique for running an arbitrary command in a CHM file via an ActiveX object. This unpacks an HTML help file to a specified path for launching the next stage.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_hh` Processes.process=*-decompile* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_binary_proxy_execution_compiled_html_file_decompile_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited, filter as needed.", "references": ["https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://redcanary.com/blog/introducing-atomictestharnesses/", "https://attack.mitre.org/techniques/T1218/001/", "https://docs.microsoft.com/en-us/windows/win32/api/htmlhelp/nf-htmlhelp-htmlhelpa"], "tags": {"name": "Windows System Binary Proxy Execution Compiled HTML File Decompile", "analytic_story": ["Suspicious Compiled HTML Activity", "Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "$process_name$ has been identified using decompile against a CHM on $dest$ under user $user$.", "mitre_attack_id": ["T1218.001", "T1218"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.001", "mitre_attack_technique": "Compiled HTML File", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "APT41", "Dark Caracal", "OilRig", "Silence"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/hh_decom_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_hh", "definition": "(Processes.process_name=hh.exe OR Processes.original_file_name=HH.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "windows_system_binary_proxy_execution_compiled_html_file_decompile_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows System Discovery Using ldap Nslookup", "id": "2418780f-7c3e-4c45-b8b4-996ea850cd49", "version": 1, "date": "2022-10-21", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies the execution of nslookup.exe tool to get domain information. Nslookup.exe is a command-line tool that can display information to diagnose domain name systems. This Nslookup feature is being abused by Qakbot malware to gather domain information such as SRV service location records, server name and many more.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = \"nslookup.exe\" OR Processes.original_file_name = \"nslookup.exe\") AND Processes.process = \"*_ldap._tcp.dc._msdcs*\" by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `windows_system_discovery_using_ldap_nslookup_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "dministrator may execute this commandline tool for auditing purposes. Filter as needed.", "references": ["https://securelist.com/qakbot-technical-analysis/103931/", "https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/verify-srv-dns-records-have-been-created"], "tags": {"name": "Windows System Discovery Using ldap Nslookup", "analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "System nslookup domain discovery on $dest$", "mitre_attack_id": ["T1033"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Windshift", "Wizard Spider", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/qakbot_discovery_cmdline/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_system_discovery_using_ldap_nslookup_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows System Discovery Using Qwinsta", "id": "2e765c1b-144a-49f0-93d0-1df4287cca04", "version": 1, "date": "2022-10-21", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies the execution of qwinsta.exe executable in Windows Operating System. This Windows executable file can display information about sessions on a remote desktop session host server. The information includes servername, sessionname, username and many more. This tool is being abused of Qakbot malware to gather information to the targeted or compromised host that will be send back to its Command And Control server.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"qwinsta.exe\" OR Processes.original_file_name = \"qwinsta.exe\" by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `windows_system_discovery_using_qwinsta_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrator may execute this commandline tool for auditing purposes. Filter as needed.", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/qwinsta", "https://securelist.com/qakbot-technical-analysis/103931/"], "tags": {"name": "Windows System Discovery Using Qwinsta", "analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "System qwinsta domain discovery on $dest$", "mitre_attack_id": ["T1033"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Windshift", "Wizard Spider", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/qakbot_discovery_cmdline/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_system_discovery_using_qwinsta_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_system_discovery_using_qwinsta.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows System File on Disk", "id": "993ce99d-9cdd-42c7-a2cf-733d5954e5a6", "version": 2, "date": "2022-05-16", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following hunting analytic will assist with identifying new .sys files introduced in the environment. This query is meant to identify sys file creates on disk. There will be noise, but reducing common process names or applications should help to limit any volume. The idea is to identify new sys files written to disk and identify them before they're added as a new kernel mode driver.", "data_source": ["Sysmon Event ID 11"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name=\"*.sys*\" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.file_hash | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_system_file_on_disk_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on files from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. In addition, filtering may occur by adding NOT (Filesystem.file_path IN (\"*\\\\Windows\\\\*\", \"*\\\\Program File*\", \"*\\\\systemroot\\\\*\",\"%SystemRoot%*\", \"system32\\*\")). This will level out the noise generated to potentally lead to generating notables.", "known_false_positives": "False positives will be present. Filter as needed.", "references": ["https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/"], "tags": {"name": "Windows System File on Disk", "analytic_story": ["Windows Drivers", "CISA AA22-264A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 20, "kill_chain_phases": ["Exploitation"], "message": "A new driver is present on $dest$.", "mitre_attack_id": ["T1068"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 10, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/sysmon_sys_filemod.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_system_file_on_disk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_system_file_on_disk.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows System LogOff Commandline", "id": "74a8133f-93e7-4b71-9bd3-13a66124fd57", "version": 1, "date": "2022-07-27", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies Windows commandline to logoff a windows host machine. This technique was seen in several APT, RAT like dcrat and other commodity malware to shutdown the machine to add more impact, interrupt access, aid destruction of the system like wiping disk or inhibit system recovery. This TTP is a good pivot to check why application trigger this commandline which is not so common way to logoff a machine.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = shutdown.exe OR Processes.original_file_name = shutdown.exe) Processes.process=\"*shutdown*\" Processes.process=\"* /l*\" Processes.process=\"* /t*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_logoff_commandline_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrator may execute this commandline to trigger shutdown, logoff or restart the host machine.", "references": ["https://attack.mitre.org/techniques/T1529/", "https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor"], "tags": {"name": "Windows System LogOff Commandline", "analytic_story": ["DarkCrystal RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "message": "Process name $process_name$ is seen to execute logoff commandline on $dest$", "mitre_attack_id": ["T1529"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/reboot_logoff_commandline/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_system_logoff_commandline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_system_logoff_commandline.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows System Network Config Discovery Display DNS", "id": "e24f0a0e-41a9-419f-9999-eacab15efc36", "version": 1, "date": "2022-11-30", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies a process command line that retrieves dns reply information using Windows OS built-in tool IPConfig. This technique is being abused by threat actors, adversaries and post exploitation tools like WINPEAS to retrieve DNS information for the targeted host. This IPConfig parameter (/displaydns) can show dns server resource record, record name, record type, time to live data length and dns reply. This hunting detection can be a good pivot to check which process is executing this command line in specific host system that may lead to malware or adversaries gathering network information.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"ipconfig.exe\" OR Processes.original_file_name = \"ipconfig.exe\" AND Processes.process = \"*/displaydns*\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_network_config_discovery_display_dns_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used.", "known_false_positives": "unknown", "references": ["https://superuser.com/questions/230308/explain-output-of-ipconfig-displaydns", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"name": "Windows System Network Config Discovery Display DNS", "analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "process $process_name$ with commandline $process$ is executed in $dest$", "mitre_attack_id": ["T1016"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id", "Processes.parent_process_guid", "Processes.process_guid"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_system_network_config_discovery_display_dns_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_system_network_config_discovery_display_dns.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows System Network Connections Discovery Netsh", "id": "abfb7cc5-c275-4a97-9029-62cd8d4ffeca", "version": 1, "date": "2022-11-30", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies a process execution of Windows OS built-in tool netsh.exe to show state, configuration and profile of host firewall. This tool is being used or abused by several adversaries or even post exploitation tool to bypass firewall rules or to discover firewall settings. This hunting detection can help to detect a possible suspicious usage of netsh.exe to retrieve firewall settings or even firewall wlan profile. We recommend checking which parent process and process name execute this command. Also check the process file path for verification that may lead to further TTP's threat behavior.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh`AND Processes.process = \"* show *\" Processes.process IN (\"*state*\", \"*config*\", \"*wlan*\", \"*profile*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_network_connections_discovery_netsh_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used.", "known_false_positives": "network administrator can use this tool for auditing process.", "references": ["https://attack.mitre.org/techniques/T1049/", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"name": "Windows System Network Connections Discovery Netsh", "analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "netsh process with command line $process$ in $dest$", "mitre_attack_id": ["T1049"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id", "Processes.parent_process_guid", "Processes.process_guid"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_netsh", "definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "windows_system_network_connections_discovery_netsh_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_system_network_connections_discovery_netsh.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows System Reboot CommandLine", "id": "97fc2b60-c8eb-4711-93f7-d26fade3686f", "version": 1, "date": "2022-07-27", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies Windows commandline to reboot a windows host machine. This technique was seen in several APT, RAT like dcrat and other commodity malware to shutdown the machine to add more impact, interrupt access, aid destruction of the system like wiping disk or inhibit system recovery. This TTP is a good pivot to check why application trigger this commandline which is not so common way to reboot a machine. Compare to shutdown and logoff shutdown.exe feature, reboot seen in some automation script like ansible to reboot the machine.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = shutdown.exe OR Processes.original_file_name = shutdown.exe) Processes.process=\"*shutdown*\" Processes.process=\"* /r*\" Processes.process=\"* /t*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_reboot_commandline_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrator may execute this commandline to trigger shutdown or restart the host machine.", "references": ["https://attack.mitre.org/techniques/T1529/", "https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor"], "tags": {"name": "Windows System Reboot CommandLine", "analytic_story": ["DarkCrystal RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Actions on Objectives"], "message": "Process $process_name$ that executed reboot via commandline on $dest$", "mitre_attack_id": ["T1529"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/reboot_logoff_commandline/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_system_reboot_commandline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_system_reboot_commandline.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows System Script Proxy Execution Syncappvpublishingserver", "id": "8dd73f89-682d-444c-8b41-8e679966ad3c", "version": 1, "date": "2022-09-26", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the abuse of Syncappvpublishingserver.vbs, which is a native script on Windows that may be utilized to download remote files or perform privilege escalation.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (\"wscript.exe\",\"cscript.exe\") Processes.process=\"*syncappvpublishingserver.vbs*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_script_proxy_execution_syncappvpublishingserver_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives may be present if the vbscript syncappvpublishingserver is used for legitimate purposes. Filter as needed. Adding a n; to the command-line arguments may help reduce any noise.", "references": ["https://lolbas-project.github.io/lolbas/Scripts/Syncappvpublishingserver/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md#atomic-test-1---syncappvpublishingserver-signed-script-powershell-command-execution"], "tags": {"name": "Windows System Script Proxy Execution Syncappvpublishingserver", "analytic_story": ["Living Off The Land"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download files or evade critical controls.", "mitre_attack_id": ["T1216", "T1218"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1216", "mitre_attack_technique": "System Script Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1216/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_system_script_proxy_execution_syncappvpublishingserver_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows System Shutdown CommandLine", "id": "4fee57b8-d825-4bf3-9ea8-bf405cdb614c", "version": 2, "date": "2023-06-20", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This detection rule is designed to identify the execution of the Windows shutdown command via command line interface. The shutdown command can be utilized by system administrators to properly halt, power off, or reboot a computer. However, in a security context, attackers who have gained unauthorized access to a system may also use this command in an effort to erase tracks, or to cause disruption and denial of service. In some instances, they might execute the shutdown command after installing a backdoor, to force the system to restart, ensuring that changes take effect or evading detection by security tools. Monitoring for the use of the Windows shutdown command, especially in conjunction with other unusual or unauthorized activities, can be an important part of identifying malicious behavior within a network. It is advised that security professionals analyze the context in which the shutdown command is being executed to differentiate between legitimate administrative functions and potentially malicious activity.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = shutdown.exe OR Processes.original_file_name = shutdown.exe) Processes.process=\"*shutdown*\" AND Processes.process IN(\"* /s*\", \"* -s*\", \"* /r*\", \"* -r*\") AND Processes.process=\"* /t*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_shutdown_commandline_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrator may execute this commandline to trigger shutdown or restart the host machine.", "references": ["https://attack.mitre.org/techniques/T1529/", "https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor"], "tags": {"name": "Windows System Shutdown CommandLine", "analytic_story": ["DarkCrystal RAT", "Sandworm Tools"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "message": "Process $process_name$ seen to execute shutdown via commandline on $dest$", "mitre_attack_id": ["T1529"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/shutdown_commandline/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_system_shutdown_commandline_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_system_shutdown_commandline.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows System Time Discovery W32tm Delay", "id": "b2cc69e7-11ba-42dc-a269-59c069a48870", "version": 1, "date": "2022-07-28", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies DCRat delay time tactics using w32tm. This technique was seen in DCRAT malware where it uses stripchart function of w32tm.exe application to delay the execution of its payload like c2 communication , beaconing and execution. This anomaly detection may help the analyst to check other possible event like the process who execute this command that may lead to DCRat attack.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = w32tm.exe Processes.process= \"* /stripchart *\" Processes.process= \"* /computer:localhost *\" Processes.process= \"* /period:*\" Processes.process= \"* /dataonly *\" Processes.process= \"* /samples:*\" by Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_time_discovery_w32tm_delay_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "unknown", "references": ["https://cert.gov.ua/article/405538", "https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat", "https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor"], "tags": {"name": "Windows System Time Discovery W32tm Delay", "analytic_story": ["DarkCrystal RAT"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "Process name w32tm.exe is using suspcicious command line arguments $process$ on host $dest$.", "mitre_attack_id": ["T1124"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 36, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1124", "mitre_attack_technique": "System Time Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Darkhotel", "Higaisa", "Lazarus Group", "Sidewinder", "The White Company", "Turla", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_delay_execution/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_system_time_discovery_w32tm_delay_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows System User Discovery Via Quser", "id": "0c3f3e09-e47a-410e-856f-a02a5c5fafb0", "version": 1, "date": "2022-11-30", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic identifies a process execution of Windows OS quser.exe tool. This tool is being abused or used by several post exploitation tool such as winpeas that being used by ransomware prestige to display or gather information about user sessions on a Remote Desktop Session Host server. This command can find out if a specific user is logged on to a specific Remote Desktop Session Host server. This tool can retrieve some RDP information that can be use by attacker for further attack like Name of the user , Name of the session on the Remote Desktop Session Host server, Session ID, State of the session (active or disconnected), Idle time (the number of minutes since the last keystroke or mouse movement at the session) and Date and time the user logged on.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"quser.exe\" OR Processes.original_file_name = \"quser.exe\" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_user_discovery_via_quser_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used.", "known_false_positives": "network administrator can use this command tool to audit RDP access of user in specific network or host.", "references": ["https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/quser", "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"name": "Windows System User Discovery Via Quser", "analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "execution of process $process_name$ in $dest$", "mitre_attack_id": ["T1033"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id", "Processes.parent_process_guid", "Processes.process_guid"], "risk_score": 9, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Windshift", "Wizard Spider", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_system_user_discovery_via_quser_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_system_user_discovery_via_quser.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Terminating Lsass Process", "id": "7ab3c319-a4e7-4211-9e8c-40a049d0dba6", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "This analytic is to detect a suspicious process terminating Lsass process. Lsass process is known to be a critical process that is responsible for enforcing security policy system. This process was commonly targetted by threat actor or red teamer to gain privilege escalation or persistence in the targeted machine because it handles credentials of the logon users. In this analytic we tried to detect a suspicious process having a granted access PROCESS_TERMINATE to lsass process to modify or delete protected registrys. This technique was seen in doublezero malware that tries to wipe files and registry in compromised hosts. This anomaly detection can be a good pivot of incident response for possible credential dumping or evading security policy in a host or network environment.", "data_source": ["Sysmon Event ID 1"], "search": "`sysmon` EventCode=10 TargetImage=*lsass.exe GrantedAccess = 0x1 | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage, TargetImage, TargetProcessId, SourceProcessId, GrantedAccess CallTrace, Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_terminating_lsass_process_filter`", "how_to_implement": "This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10 for lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "unknown", "references": ["https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html"], "tags": {"name": "Windows Terminating Lsass Process", "analytic_story": ["Data Destruction", "Double Zero Destructor"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "a process $SourceImage$ terminates Lsass process in $dest$", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "TargetImage", "type": "Process", "role": ["Target"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "TargetImage", "CallTrace", "Computer", "TargetProcessId", "SourceImage", "SourceProcessId", "GrantedAccess"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/doublezero_wiper/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_terminating_lsass_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_terminating_lsass_process.yml", "source": "endpoint"}, {"name": "Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos", "id": "f65aa026-b811-42ab-b4b9-d9088137648f", "version": 1, "date": "2022-09-22", "author": "Mauricio Velazco, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies one source endpoint failing to authenticate with multiple disabled domain users using the Kerberos protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using Kerberos to obtain initial access or elevate privileges. As attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries may execute a password spraying attack against disabled users. Event 4768 is generated every time the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT). Failure code `0x12` stands for `clients credentials have been revoked` (account disabled, expired or locked out).\\\nThe detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises.\\\nThis detection will only trigger on domain controllers, not on member servers or workstations.\\\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts.", "data_source": ["Windows Security 4768"], "search": "`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x12 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, IpAddress | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_disabled_users_failed_auth_using_kerberos_filter` ", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple disabled domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems missconfigured systems.", "references": ["https://attack.mitre.org/techniques/T1110/003/"], "tags": {"name": "Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos", "analytic_story": ["Active Directory Password Spraying", "Active Directory Kerberos Attacks", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Potential Kerberos based password spraying attack from $IpAddress$", "mitre_attack_id": ["T1110.003", "T1110"], "nist": ["DE.AE"], "observable": [{"name": "IpAddress", "role": ["Attacker"], "type": "Endpoint"}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Status", "TargetUserName", "IpAddress"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_disabled_users_kerberos_xml/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unusual_count_of_disabled_users_failed_auth_using_kerberos_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_unusual_count_of_disabled_users_failed_to_auth_using_kerberos.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos", "id": "f122cb2e-d773-4f11-8399-62a3572d8dd7", "version": 1, "date": "2022-09-22", "author": "Mauricio Velazco, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies one source endpoint failing to authenticate with multiple invalid domain users using the Kerberos protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using Kerberos to obtain initial access or elevate privileges. As attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries may execute a password spraying attack using an invalid list of users. Event 4768 is generated every time the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT). Failure code 0x6 stands for `client not found in Kerberos database` (the attempted user is not a valid domain user).\\\nThe detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises.\\\nThis detection will only trigger on domain controllers, not on member servers or workstations.\\\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts.", "data_source": ["Windows Security 4768"], "search": "`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x6 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, IpAddress | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos_filter` ", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems and missconfigured systems.", "references": ["https://attack.mitre.org/techniques/T1110/003/"], "tags": {"name": "Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos", "analytic_story": ["Active Directory Password Spraying", "Active Directory Kerberos Attacks", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Potential Kerberos based password spraying attack from $IpAddress$", "mitre_attack_id": ["T1110.003", "T1110"], "nist": ["DE.AE"], "observable": [{"name": "IpAddress", "role": ["Attacker"], "type": "Endpoint"}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Status", "TargetUserName", "IpAddress"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM", "id": "15603165-147d-4a6e-9778-bd0ff39e668f", "version": 1, "date": "2022-09-22", "author": "Mauricio Velazco, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies one source endpoint failing to authenticate with multiple invalid users using the NTLM protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using NTLM to obtain initial access or elevate privileges. As attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries may execute a password spraying attack using an invalid list of users. Event 4776 is generated on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. Error code 0xC0000064 stands for `The username you typed does not exist` (the attempted user is a legitimate domain user).\\\nThe detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises.\\\nThis detection will only trigger on domain controllers, not on member servers or workstations.\\\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source workstation name and attempted user accounts.", "data_source": ["Windows Security 4776"], "search": " `wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xc0000064 | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, Workstation | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by Workstation | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation' within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776"], "tags": {"name": "Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM", "analytic_story": ["Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Potential NTLM based password spraying attack from $Source_Workstation$", "mitre_attack_id": ["T1110.003", "T1110"], "nist": ["DE.AE"], "observable": [{"name": "Workstation", "role": ["Attacker"], "type": "Endpoint"}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "TargetUserName", "Workstation", "Status"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm_xml/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials", "id": "14f414cf-3080-4b9b-aaf6-55a4ce947b93", "version": 1, "date": "2022-09-22", "author": "Mauricio Velazco, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a source user failing to authenticate with multiple users using explicit credentials on a host. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Event 4648 is generated when a process attempts an account logon by explicitly specifying that accounts credentials. This event generates on domain controllers, member servers, and workstations.\\\nThe detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises.\\\nThis detection will trigger on the potenfially malicious host, perhaps controlled via a trojan or operated by an insider threat, from where a password spraying attack is being executed.\\\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source account, attempted user accounts and the endpoint were the behavior was identified.", "data_source": ["Windows Security 4648"], "search": " `wineventlog_security` EventCode=4648 Caller_User_Name!=*$ Target_User_Name!=*$ | bucket span=5m _time | stats dc(Target_User_Name) AS unique_accounts values(Target_User_Name) as tried_account by _time, Computer, Caller_User_Name | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by Computer | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials_filter` ", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "A source user failing attempting to authenticate multiple users on a host is not a common behavior for regular systems. Some applications, however, may exhibit this behavior in which case sets of users hosts can be added to an allow list. Possible false positive scenarios include systems where several users connect to like Mail servers, identity providers, remote desktop services, Citrix, etc.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4648", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events"], "tags": {"name": "Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials", "analytic_story": ["Active Directory Password Spraying", "Insider Threat", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Potential password spraying attack from $Computer$", "mitre_attack_id": ["T1110.003", "T1110"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "role": ["Attacker"], "type": "Endpoint"}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Target_User_Name", "Caller_User_Name", "Computer"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray_xml/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Unusual Count Of Users Failed To Auth Using Kerberos", "id": "bc9cb715-08ba-40c3-9758-6e2b26e455cb", "version": 1, "date": "2022-09-22", "author": "Mauricio Velazco, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies one source endpoint failing to authenticate with multiple valid users using the Kerberos protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using Kerberos to obtain initial access or elevate privileges. Event 4771 is generated when the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). Failure code 0x18 stands for `wrong password provided` (the attempted user is a legitimate domain user).\\\nThe detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises.\\\nThis detection will only trigger on domain controllers, not on member servers or workstations.\\\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts.", "data_source": ["Windows Security 4771"], "search": "`wineventlog_security` EventCode=4771 TargetUserName!=\"*$\" Status=0x18 | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, IpAddress | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_failed_to_auth_using_kerberos_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, missconfigured systems and multi-user systems like Citrix farms.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319109(v=ws.11)", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771"], "tags": {"name": "Windows Unusual Count Of Users Failed To Auth Using Kerberos", "analytic_story": ["Active Directory Password Spraying", "Active Directory Kerberos Attacks", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Potential Kerberos based password spraying attack from $IpAddress$", "mitre_attack_id": ["T1110.003", "T1110"], "nist": ["DE.AE"], "observable": [{"name": "IpAddress", "role": ["Attacker"], "type": "Endpoint"}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Status", "TargetUserName", "IpAddress"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos_xml/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unusual_count_of_users_failed_to_auth_using_kerberos_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_unusual_count_of_users_failed_to_auth_using_kerberos.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Unusual Count Of Users Failed To Authenticate From Process", "id": "25bdb6cb-2e49-4d34-a93c-d6c567c122fe", "version": 1, "date": "2022-09-22", "author": "Mauricio Velazco, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a source process name failing to authenticate with multiple users. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Event 4625 generates on domain controllers, member servers, and workstations when an account fails to logon. Logon Type 2 describes an iteractive logon attempt.\\\nThe detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises.\\\nThis detection will trigger on the potenfially malicious host, perhaps controlled via a trojan or operated by an insider threat, from where a password spraying attack is being executed. This could be a domain controller as well as a member server or workstation.\\\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source process name, source account and attempted user accounts.", "data_source": ["Windows Security 4625"], "search": " `wineventlog_security` EventCode=4625 Logon_Type=2 ProcessName!=\"-\" | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, ProcessName, SubjectUserName, Computer | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by ProcessName, SubjectUserName, Computer | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_failed_to_authenticate_from_process_filter` ", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers aas well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "A process failing to authenticate with multiple users is not a common behavior for legitimate user sessions. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events"], "tags": {"name": "Windows Unusual Count Of Users Failed To Authenticate From Process", "analytic_story": ["Active Directory Password Spraying", "Insider Threat", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Potential password spraying attack from $Computer$", "mitre_attack_id": ["T1110.003", "T1110"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "role": ["Attacker"], "type": "Endpoint"}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Logon_Type", "ProcessName", "SubjectUserName", "TargetUserName", "Computer"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process_xml/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unusual_count_of_users_failed_to_authenticate_from_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_from_process.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Unusual Count Of Users Failed To Authenticate Using NTLM", "id": "6f6c8fd7-6a6b-4af9-a0e9-57cfc47a58b4", "version": 1, "date": "2022-09-22", "author": "Mauricio Velazco, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies one source endpoint failing to authenticate with multiple valid users using the NTLM protocol. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using NTLM to obtain initial access or elevate privileges. Event 4776 is generated on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. Error code 0xC000006A means: misspelled or bad password (the attempted user is a legitimate domain user).\\\nThe detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises.\\\nThis detection will only trigger on domain controllers, not on member servers or workstations.\\\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source workstation name and attempted user accounts.", "data_source": ["Windows Security 4776"], "search": " `wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xC000006A | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, Workstation | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by Workstation | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_failed_to_authenticate_using_ntlm_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation` within `Account Logon` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776"], "tags": {"name": "Windows Unusual Count Of Users Failed To Authenticate Using NTLM", "analytic_story": ["Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Potential NTLM based password spraying attack from $Workstation$", "mitre_attack_id": ["T1110.003", "T1110"], "nist": ["DE.AE"], "observable": [{"name": "Workstation", "role": ["Attacker"], "type": "Endpoint"}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Status", "TargetUserName", "Workstation"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm_xml/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unusual_count_of_users_failed_to_authenticate_using_ntlm_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_using_ntlm.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows Unusual Count Of Users Remotely Failed To Auth From Host", "id": "cf06a0ee-ffa9-4ed3-be77-0670ed9bab52", "version": 1, "date": "2022-09-22", "author": "Mauricio Velazco, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a source host failing to authenticate against a remote host with multiple users. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Event 4625 documents each and every failed attempt to logon to the local computer. This event generates on domain controllers, member servers, and workstations. Logon Type 3 describes an remote authentication attempt.\\\nThe detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises.\\\nThis detection will trigger on the host that is the target of the password spraying attack. This could be a domain controller as well as a member server or workstation.\\\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source process name, source account and attempted user accounts.", "data_source": ["Windows Security 4625"], "search": " `wineventlog_security` EventCode=4625 Logon_Type=3 IpAddress!=\"-\" | bucket span=2m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, IpAddress, Computer | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by IpAddress, Computer | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | search isOutlier=1 | `windows_unusual_count_of_users_remotely_failed_to_auth_from_host_filter` ", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.", "known_false_positives": "A host failing to authenticate with multiple valid users against a remote host is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners, remote administration tools, missconfigyred systems, etc.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events"], "tags": {"name": "Windows Unusual Count Of Users Remotely Failed To Auth From Host", "analytic_story": ["Active Directory Password Spraying", "Volt Typhoon"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Potential password spraying attack on $Computer$", "mitre_attack_id": ["T1110.003", "T1110"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "role": ["Attacker"], "type": "Endpoint"}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Logon_Type", "TargetUserName", "Computer", "IpAddress"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_remote_spray_xml/windows-security.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}], "datamodel": [], "macros": [{"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_unusual_count_of_users_remotely_failed_to_auth_from_host_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_unusual_count_of_users_remotely_failed_to_auth_from_host.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "Windows User Execution Malicious URL Shortcut File", "id": "5c7ee6ad-baf4-44fb-b2f0-0cfeddf82dbc", "version": 1, "date": "2023-01-12", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic will identify suspicious creation of URL shortcut link files. This technique was seen in CHAOS ransomware where it will drop this .url link file in %startup% folder that contains the path of its malicious dropped file to execute upon the reboot of the targeted host. The creation of this file can be created by a normal application or software but it is a good practice to verify this type of file specially the resource it tries to execute which is commonly a website.", "data_source": ["Sysmon Event ID 11"], "search": "|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where NOT(Filesystem.file_path IN (\"*\\\\Program Files*\")) Filesystem.file_name = *.url by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user Filesystem.file_path Filesystem.process_guid Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_user_execution_malicious_url_shortcut_file_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.", "known_false_positives": "Administrators may allow creation of script or exe in this path.", "references": ["https://attack.mitre.org/techniques/T1204/002/", "https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia"], "tags": {"name": "Windows User Execution Malicious URL Shortcut File", "analytic_story": ["Chaos Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation"], "message": "a process created URL shortcut file in $file_path$ of $dest$", "mitre_attack_id": ["T1204.002", "T1204"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Filesystem.file_create_time", "Filesystem.process_id", "Filesystem.file_name", "Filesystem.user", "Filesystem.file_path", "Filesystem.process_guid", "Filesystem.dest"], "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/chaos_ransomware/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_user_execution_malicious_url_shortcut_file_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Valid Account With Never Expires Password", "id": "73a931db-1830-48b3-8296-cd9cfa09c3c8", "version": 1, "date": "2022-06-23", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies net.exe updating user account policies for password requirement with non-expiring password. This technique was seen in several adversaries and malware like Azorult to maintain the foothold (persistence), gaining privilege escalation, defense evasion and possible for lateral movement for specific users or created user account on the targeted host. This TTP detections is a good pivot to see further what other events that users executes on the machines.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process=\"* accounts *\" AND Processes.process=\"* /maxpwage:unlimited\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_valid_account_with_never_expires_password_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "This behavior is not commonly seen in production environment and not advisable, filter as needed.", "references": ["https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/", "https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/net-commands-on-operating-systems"], "tags": {"name": "Windows Valid Account With Never Expires Password", "analytic_story": ["Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Actions on Objectives"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ attempting to make non-expiring password on host user accounts.", "mitre_attack_id": ["T1489"], "nist": ["DE.CM"], "observable": [{"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 100, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "windows_valid_account_with_never_expires_password_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_valid_account_with_never_expires_password.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows Vulnerable 3CX Software", "id": "f2cc1584-46ee-485b-b905-977c067f36de", "version": 1, "date": "2023-03-30", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic leverages Sysmon, a powerful system monitoring and logging tool, to pinpoint instances of the 3CXDesktopApp.exe with a FileVersion of 18.12.x.Recently, 3CX has discovered a vulnerability specifically in versions 18.12.407 and 18.12.416 of the desktop app.", "data_source": ["Sysmon Event Code 1"], "search": "`sysmon` (process_name=3CXDesktopApp.exe OR OriginalFileName=3CXDesktopApp.exe) FileVersion=18.12.* | rename Computer as dest | stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name,process_name, OriginalFileName, CommandLine | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_vulnerable_3cx_software_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "False positives may be present based on file version, modify the analytic to only look for version between 18.12.407 and 18.12.416 as needed.", "references": ["https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/", "https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp", "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/", "https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898", "https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/"], "tags": {"name": "Windows Vulnerable 3CX Software", "analytic_story": ["3CX Supply Chain Attack"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Delivery"], "message": "A known vulnerable instance of 3CX Software $process_name$ ran on $dest$, related to a supply chain attack.", "mitre_attack_id": ["T1195.002"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "OriginalFileName", "process_name", "EventID", "CommandLine", "Computer", "parent_process_name"], "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "cve": ["CVE-2023-29059"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1195.002", "mitre_attack_technique": "Compromise Software Supply Chain", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT41", "Cobalt Group", "Dragonfly", "GOLD SOUTHFIELD", "Sandworm Team", "Threat Group-3390"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.002/3CX/3cx_windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_vulnerable_3cx_software_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2023-29059", "cvss": null, "summary": "3CX DesktopApp through 18.12.416 has embedded malicious code, as exploited in the wild in March 2023. This affects versions 18.12.407 and 18.12.416 of the 3CX DesktopApp Electron Windows application shipped in Update 7, and versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 of the 3CX DesktopApp Electron macOS application."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_vulnerable_3cx_software.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Windows Vulnerable Driver Loaded", "id": "a2b1f1ef-221f-4187-b2a4-d4b08ec745f4", "version": 1, "date": "2022-12-12", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "experimental", "description": "The following analytic utilizes a known list of vulnerable Windows drivers to help defenders find potential persistence or privelege escalation via a vulnerable driver. This analytic uses Sysmon EventCode 6, driver loading. A known gap with this lookup is that it does not use the hash or known signer of the vulnerable driver therefore it is up to the defender to identify version and signing info and confirm it is a vulnerable driver.", "data_source": ["Sysmon Event ID 6"], "search": "`sysmon` EventCode=6 | lookup loldrivers driver_name AS ImageLoaded OUTPUT is_driver driver_description | search is_driver = TRUE | stats min(_time) as firstTime max(_time) as lastTime count by dest ImageLoaded driver_description | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_vulnerable_driver_loaded_filter`", "how_to_implement": "Sysmon collects driver loads via EventID 6, however you may modify the query to utilize this lookup to identify potentially persistent drivers that are known to be vulnerable.", "known_false_positives": "False positives will be present. Drill down into the driver further by version number and cross reference by signer. Review the reference material in the lookup. In addition, modify the query to look within specific paths, which will remove a lot of \"normal\" drivers.", "references": ["https://github.com/SigmaHQ/sigma/blob/master/rules/windows/driver_load/driver_load_vuln_drivers_names.yml", "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", "https://github.com/jbaines-r7/dellicious", "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md", "https://github.com/namazso/physmem_drivers", "https://github.com/stong/CVE-2020-15368", "https://github.com/CaledoniaProject/drivers-binaries", "https://github.com/Chigusa0w0/AsusDriversPrivEscala", "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/", "https://eclypsium.com/2019/11/12/mother-of-all-drivers/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969"], "tags": {"name": "Windows Vulnerable Driver Loaded", "analytic_story": ["Windows Drivers"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "message": "An process has loaded a possible vulnerable driver on $dest$. Review and escalate as needed.", "mitre_attack_id": ["T1543.003"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "ImageLoaded"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1014/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_vulnerable_driver_loaded_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [{"name": "loldrivers", "description": "A list of known vulnerable drivers", "filename": "loldrivers.csv", "default_match": "false", "match_type": "WILDCARD(driver_name)", "min_matches": 1, "case_sensitive_match": "false"}], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_vulnerable_driver_loaded.yml", "source": "endpoint"}, {"name": "Windows WinLogon with Public Network Connection", "id": "65615b3a-62ea-4d65-bb9f-6f07c17df4ea", "version": 1, "date": "2023-05-03", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "experimental", "description": "The following analytic is designed to detect anomalous behavior associated with the BlackLotus Campaign, a sophisticated bootkit attack reported by ESET and further investigated in a blog by Microsoft, which provided hunting queries for security analysts. The primary focus of this analytic is to identify instances of Winlogon.exe, a critical Windows process, connecting to public IP space, which is indicative of potential malicious activity.\\ The BlackLotus Campaign is a bootkit-based attack that compromises system integrity by infecting the Master Boot Record (MBR) and Volume Boot Record (VBR). This malware variant can bypass traditional security measures, load before the operating system, and maintain persistence on the target system.\\\nWinlogon.exe is a critical Windows process responsible for managing user logon and logoff processes. Under normal circumstances, Winlogon.exe should not be connecting to public IP addresses. However, if it does, it may indicate that the process has been compromised as part of the BlackLotus Campaign or another malicious operation.\\\nThis analytic monitors network connections made by Winlogon.exe and triggers an alert if it detects connections to public IP space. By identifying such anomalous behavior, security analysts can investigate further and respond swiftly to potential threats.", "data_source": ["Sysmon Event ID 1", "Sysmon Event ID 3"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (winlogon.exe) Processes.process!=unknown by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 NOT (All_Traffic.dest IN (127.0.0.1,10.0.0.0/12,172.16.0.0/12, 192.168.0.0/16, 0:0:0:0:0:0:0:1)) by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as publicIp ] | table dest parent_process_name process_name process_path process process_id dest_port publicIp | `windows_winlogon_with_public_network_connection_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and Network_Traffic datamodel under All Traffic. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives will be present and filtering will be required. Legitimate IPs will be present and need to be filtered.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/"], "tags": {"name": "Windows WinLogon with Public Network Connection", "analytic_story": ["BlackLotus Campaign"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "message": "Winlogon.exe has generated a network connection to a remote destination on endpoint $dest$.", "mitre_attack_id": ["T1542.003"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["dest", "parent_process_name", "process_name", "process_path", "process", "process_id", "dest_port", "publicIp"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "atomic_guid": [], "mitre_attack_enrichments": [{"mitre_attack_id": "T1542.003", "mitre_attack_technique": "Bootkit", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT28", "APT41", "Lazarus Group"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1542.003/bootkits/network-winlogon-windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint", "Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_winlogon_with_public_network_connection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_winlogon_with_public_network_connection.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows WMI Impersonate Token", "id": "cf192860-2d94-40db-9a51-c04a2e8a8f8b", "version": 1, "date": "2022-10-24", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies a possible wmi token impersonation activities in a process or command. This technique was seen in Qakbot malware where it will execute a vbscript code contains wmi impersonation object to gain privilege escalation or as defense evasion. This Anomaly detection looks for wmiprvse.exe SourceImage having a duplicate handle or full granted access in a target process.", "data_source": ["Sysmon Event ID 1"], "search": "`sysmon` EventCode=10 SourceImage = \"*\\\\wmiprvse.exe\" GrantedAccess IN (\"0x1478\", \"0x1fffff\") | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId GrantedAccess CallTrace Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_wmi_impersonate_token_filter`", "how_to_implement": "This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.", "known_false_positives": "administrator may execute impersonate wmi object script for auditing. Filter is needed.", "references": ["https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/process-access.md", "https://www.joesandbox.com/analysis/278341/0/html"], "tags": {"name": "Windows WMI Impersonate Token", "analytic_story": ["Qakbot"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "wmiprvse.exe process having a duplicate or full Granted Access $GrantedAccess$ to $TargetImage$ process in $dest$", "mitre_attack_id": ["T1047"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "SourceImage", "TargetImage", "SourceProcessGUID", "TargetProcessGUID", "SourceProcessId", "TargetProcessId", "GrantedAccess", "CallTrace", "Computer"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/wmi_impersonate/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_wmi_impersonate_token_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_wmi_impersonate_token.yml", "source": "endpoint"}, {"name": "Windows WMI Process And Service List", "id": "ef3c5ef2-3f6d-4087-aa75-49bf746dc907", "version": 1, "date": "2022-11-30", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies suspicious process command line, where WMI is performing an event query looking for running processes or running services. This technique is commonly found where the adversary will identify services and system information on the compromised machine. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process IN (\"*process list*\", \"*service list*\") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_wmi_process_and_service_list_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used.", "known_false_positives": "netowrk administrator or IT may execute this command for auditing processes and services.", "references": ["https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"name": "Windows WMI Process And Service List", "analytic_story": ["Windows Post-Exploitation", "Prestige Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 20, "impact": 20, "kill_chain_phases": ["Installation"], "message": "wmi command $process$ to list processes and services in $dest$", "mitre_attack_id": ["T1047"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id", "Processes.parent_process_guid", "Processes.process_guid"], "risk_score": 4, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "windows_wmi_process_and_service_list_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_wmi_process_and_service_list.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Windows WMI Process Call Create", "id": "0661c2de-93de-11ec-9833-acde48001122", "version": 1, "date": "2022-02-22", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "This analytic is to look for wmi commandlines to execute or create process. This technique was used by adversaries or threat actor to execute their malicious payload in local or remote host. This hunting query is a good pivot to start to look further which process trigger the wmi or what process it execute locally or remotely.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process = \"* process *\" Processes.process = \"* call *\" Processes.process = \"* create *\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_path Processes.process_guid Processes.parent_process_id Processes.dest Processes.user Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_wmi_process_call_create_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Administrators may execute this command for testing or auditing.", "references": ["https://github.com/NVISOsecurity/sigma-public/blob/master/rules/windows/process_creation/win_susp_wmi_execution.yml", "https://github.com/redcanaryco/atomic-red-team/blob/2b804d25418004a5f1ba50e9dc637946ab8733c7/atomics/T1047/T1047.md", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/", "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"], "tags": {"name": "Windows WMI Process Call Create", "analytic_story": ["Suspicious WMI Use", "Qakbot", "Volt Typhoon", "IcedID"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "process with $process$ commandline executed in $dest$", "mitre_attack_id": ["T1047"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id", "Processes.process_guid"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "windows_wmi_process_call_create_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/windows_wmi_process_call_create.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "id": "203ef0ea-9bd8-11eb-8201-acde48001122", "version": 2, "date": "2023-04-05", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following query utilizes Windows Security EventCode 4698, indicating 'a scheduled task was created', to identify potentially suspicious tasks. These tasks may be registered on Windows through either schtasks.exe or TaskService, and are set up to execute a command with a native Windows shell such as PowerShell, Cmd, Wscript, or Cscript.\\\nThe search will return the initial and final times the task was registered, along with details like the 'Command' set to be executed, 'Task Name', 'Author', whether it's 'Enabled', and if it is 'Hidden'.\\\nSchtasks.exe is typically found in C:\\Windows\\system32 and C:\\Windows\\syswow64. The DLL 'taskschd.dll' is loaded when either schtasks.exe or TaskService is launched. If this DLL is found loaded by another process, it's possible that a scheduled task is being registered within the context of that process in memory.\\\nDuring triage, it's essential to identify the source of the scheduled task. Was it registered via schtasks.exe or TaskService? Review the job that was created and the command set to be executed. It's also recommended to capture and review any artifacts on disk, and identify any parallel processes within the same timeframe to locate the source.", "data_source": ["Windows Security 4698"], "search": "`wineventlog_security` EventCode=4698 | xmlkv Message | search Command IN (\"*powershell.exe*\", \"*wscript.exe*\", \"*cscript.exe*\", \"*cmd.exe*\", \"*sh.exe*\", \"*ksh.exe*\", \"*zsh.exe*\", \"*bash.exe*\", \"*scrcons.exe*\", \"*pwsh.exe*\") | stats count min(_time) as firstTime max(_time) as lastTime by dest, Task_Name, Command, Author, Enabled, Hidden | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winevent_scheduled_task_created_to_spawn_shell_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required.", "known_false_positives": "False positives are possible if legitimate applications are allowed to register tasks that call a shell to be spawned. Filter as needed based on command-line or processes that are used legitimately.", "references": ["https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4698", "https://redcanary.com/threat-detection-report/techniques/scheduled-task-job/", "https://docs.microsoft.com/en-us/windows/win32/taskschd/time-trigger-example--scripting-?redirectedfrom=MSDN"], "tags": {"name": "WinEvent Scheduled Task Created to Spawn Shell", "analytic_story": ["Ransomware", "Windows Persistence Techniques", "Winter Vivern", "Ryuk Ransomware", "CISA AA22-257A", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A windows scheduled task was created (task name=$Task_Name$) on $dest$ by the following command: $Command$", "mitre_attack_id": ["T1053.005", "T1053"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "Command", "type": "Unknown", "role": ["Target"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "Task_Name", "Description", "Command"], "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/atomic_red_team/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "winevent_scheduled_task_created_to_spawn_shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "WinEvent Scheduled Task Created Within Public Path", "id": "5d9c6eee-988c-11eb-8253-acde48001122", "version": 1, "date": "2023-04-05", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes Windows Security EventCode 4698, which indicates the creation of a scheduled task on a Windows system. The purpose of this query is to identify suspicious tasks that have been registered using either schtasks.exe or TaskService and involve executing a command from a user-writable file path.\\\nWhen this analytic is triggered, it provides information such as the first and last registration time of the task, the command to be executed, the task name, author, and whether it is set as hidden or not. It is worth noting that schtasks.exe is commonly located in C:\\Windows\\system32 and C:\\Windows\\syswow64, and it loads the taskschd.dll DLL when launched. If this DLL is loaded by another process, it suggests that a scheduled task may be registered within that process's context in memory.\\\nDuring the triage process, it is essential to identify the source of the scheduled task creation, whether it was initiated through schtasks.exe or TaskService. The analyst should review the task that was created, including the command to be executed. Additionally, any artifacts on disk related to the task should be captured and analyzed. It is also recommended to identify any parallel processes that occurred within the same timeframe to determine the source of the task creation.\\\nBy conducting this triage process, security analysts can gain insights into potentially malicious or suspicious scheduled tasks, helping them identify the source and assess the impact of the task. This analytic is valuable for a Security Operations Center (SOC) as it can detect unauthorized or suspicious activity that could indicate an attacker's attempt to establish persistence or execute unauthorized commands on the system.\\", "data_source": ["Windows Security 4698"], "search": "`wineventlog_security` EventCode=4698 | xmlkv Message | search Command IN (\"*\\\\users\\\\public\\\\*\", \"*\\\\programdata\\\\*\", \"*\\\\temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\appdata\\\\*\", \"*\\\\perflogs\\\\*\") | stats count min(_time) as firstTime max(_time) as lastTime by dest, Task_Name, Command, Author, Enabled, Hidden | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winevent_scheduled_task_created_within_public_path_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required.", "known_false_positives": "False positives are possible if legitimate applications are allowed to register tasks in public paths. Filter as needed based on paths that are used legitimately.", "references": ["https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4698", "https://redcanary.com/threat-detection-report/techniques/scheduled-task-job/", "https://docs.microsoft.com/en-us/windows/win32/taskschd/time-trigger-example--scripting-?redirectedfrom=MSDN", "https://app.any.run/tasks/e26f1b2e-befa-483b-91d2-e18636e2faf3/"], "tags": {"name": "WinEvent Scheduled Task Created Within Public Path", "analytic_story": ["Ransomware", "Windows Persistence Techniques", "Winter Vivern", "Prestige Ransomware", "AsyncRAT", "Ryuk Ransomware", "IcedID", "CISA AA22-257A", "Industroyer2", "Active Directory Lateral Movement", "Data Destruction", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A windows scheduled task was created (task name=$Task_Name$) on $dest$ by the following command: $Command$", "mitre_attack_id": ["T1053.005", "T1053"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "Command", "type": "Unknown", "role": ["Target"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "dest", "Task_Name", "Description", "Command"], "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/taskschedule/windows-security.log", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "winevent_scheduled_task_created_within_public_path_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Microsoft Windows"]}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "id": "b3632472-310b-11ec-9aab-acde48001122", "version": 1, "date": "2023-04-05", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following hunting analytic aims to identify suspicious tasks that have been registered and executed in Windows using EventID 200 (action run) and 201 (action completed) from the Windows Task Scheduler logs. This analytic helps detect evasive techniques used to register tasks on Windows systems. It is recommended to filter the results based on the ActionName field by specifying specific paths that are not commonly used in your environment.\\\nAfter implementing this analytic, it is important to review parallel events related to the scheduled tasks. EventID 106 will be generated when a new task is created, but it does not necessarily mean that the task has been executed. Analysts should capture any files on disk associated with the task and perform further analysis.\\\nTo implement this analytic, Task Scheduler logs must be collected. This can be done by adding a stanza for [WinEventLog://Microsoft-Windows-TaskScheduler/Operational] in the inputs.conf file and setting renderXml=false. It is worth noting that not translating the logs into XML may require specific extraction of items from the Message field.\\\nFalse positives are expected with this analytic, so it is important to filter the results based on the paths or specific keywords of interest in the ActionName field to reduce noise.\\\nIdentifying and analyzing scheduled tasks that have been executed is crucial for a Security Operations Center (SOC) as it helps detect potentially malicious or unauthorized activities on Windows systems. By capturing and investigating the associated events, analysts can uncover signs of persistence mechanisms, unauthorized code execution, or suspicious behaviors. The impact of a true positive could range from unauthorized access to data exfiltration or the execution of malicious payloads.", "data_source": [], "search": "`wineventlog_task_scheduler` EventCode IN (\"200\",\"201\") | rename ComputerName as dest | stats count min(_time) as firstTime max(_time) as lastTime by Message dest EventCode category | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winevent_windows_task_scheduler_event_action_started_filter`", "how_to_implement": "Task Scheduler logs are required to be collected. Enable logging with inputs.conf by adding a stanza for [WinEventLog://Microsoft-Windows-TaskScheduler/Operational] and renderXml=false. Note, not translating it in XML may require a proper extraction of specific items in the Message.", "known_false_positives": "False positives will be present. Filter based on ActionName paths or specify keywords of interest.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"name": "WinEvent Windows Task Scheduler Event Action Started", "analytic_story": ["Qakbot", "Windows Persistence Techniques", "Winter Vivern", "Prestige Ransomware", "DarkCrystal RAT", "AsyncRAT", "Winter Vivern", "IcedID", "CISA AA22-257A", "Industroyer2", "Sandworm Tools", "Data Destruction", "Amadey", "Scheduled Tasks"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A Scheduled Task was scheduled and ran on $dest$.", "mitre_attack_id": ["T1053.005"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "TaskName", "ActionName", "EventID", "dest", "ProcessID"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/windows_taskschedule/windows-taskschedule.log", "source": "WinEventLog:Microsoft-Windows-TaskScheduler/Operational", "sourcetype": "wineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wineventlog_task_scheduler", "definition": "source=\"WinEventLog:Microsoft-Windows-TaskScheduler/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "winevent_windows_task_scheduler_event_action_started_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml", "source": "endpoint"}, {"name": "Winhlp32 Spawning a Process", "id": "d17dae9e-2618-11ec-b9f5-acde48001122", "version": 1, "date": "2021-10-05", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies winhlp32.exe, found natively in `c:\\windows\\`, spawning a child process that loads a file out of appdata, programdata, or temp. Winhlp32.exe has a rocky past in that multiple vulnerabilities were found and added to MetaSploit. WinHlp32.exe is required to display 32-bit Help files that have the \".hlp\" file name extension. This particular instance is related to a Remcos sample where dynwrapx.dll is added to the registry under inprocserver32, and later module loaded by winhlp32.exe to spawn wscript.exe and load a vbs or file from disk. During triage, review parallel processes to identify further suspicious behavior. Review module loads for unsuspecting unsigned modules. Capture any file modifications and analyze.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=winhlp32.exe Processes.process IN (\"*\\\\appdata\\\\*\",\"*\\\\programdata\\\\*\", \"*\\\\temp\\\\*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winhlp32_spawning_a_process_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited as winhlp32.exe is typically not used with the latest flavors of Windows OS. However, filter as needed.", "references": ["https://www.exploit-db.com/exploits/16541", "https://tria.ge/210929-ap75vsddan", "https://www.virustotal.com/gui/file/cb77b93150cb0f7fe65ce8a7e2a5781e727419451355a7736db84109fa215a89"], "tags": {"name": "Winhlp32 Spawning a Process", "analytic_story": ["Remcos"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$, and is not typical activity for this process.", "mitre_attack_id": ["T1055"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "winhlp32_spawning_a_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/winhlp32_spawning_a_process.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "WinRM Spawning a Process", "id": "a081836a-ba4d-11eb-8593-acde48001122", "version": 1, "date": "2021-05-21", "author": "Drew Church, Michael Haag, Splunk", "type": "TTP", "status": "experimental", "description": "The following analytic identifies suspicious processes spawning from WinRM (wsmprovhost.exe). This analytic is related to potential exploitation of CVE-2021-31166. which is a kernel-mode device driver http.sys vulnerability. Current proof of concept code will blue-screen the operating system. However, http.sys used by many different Windows processes, including WinRM. In this case, identifying suspicious process create (child processes) from `wsmprovhost.exe` is what this analytic is identifying.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=wsmprovhost.exe Processes.process_name IN (\"cmd.exe\",\"sh.exe\",\"bash.exe\",\"powershell.exe\",\"pwsh.exe\",\"schtasks.exe\",\"certutil.exe\",\"whoami.exe\",\"bitsadmin.exe\",\"scp.exe\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winrm_spawning_a_process_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "Unknown. Add new processes or filter as needed. It is possible system management software may spawn processes from `wsmprovhost.exe`.", "references": ["https://github.com/SigmaHQ/sigma/blob/9b7fb0c0f3af2e53ed483e29e0d0f88ccf1c08ca/rules/windows/process_access/win_susp_shell_spawn_from_winrm.yml", "https://www.zerodayinitiative.com/blog/2021/5/17/cve-2021-31166-a-wormable-code-execution-bug-in-httpsys", "https://github.com/0vercl0k/CVE-2021-31166/blob/main/cve-2021-31166.py"], "tags": {"name": "WinRM Spawning a Process", "analytic_story": ["Unusual Processes"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "tbd", "mitre_attack_id": ["T1190"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2021-31166"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}]}, "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "winrm_spawning_a_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-31166", "cvss": 7.5, "summary": "HTTP Protocol Stack Remote Code Execution Vulnerability"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/winrm_spawning_a_process.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Winword Spawning Cmd", "id": "6fcbaedc-a37b-11eb-956b-acde48001122", "version": 2, "date": "2021-04-22", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following detection identifies Microsoft Word spawning `cmd.exe`. Typically, this is not common behavior and not default with winword.exe. Winword.exe will generally be found in the following path `C:\\Program Files\\Microsoft Office\\root\\Office16` (version will vary). Cmd.exe spawning from winword.exe is common for a spearphishing attachment and is actively used. Albeit, the command-line will indicate what is being executed. During triage, review parallel processes and identify any files that may have been written. It is possible that COM is utilized to trampoline the child process to `explorer.exe` or `wmiprvse.exe`.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=winword.exe `process_cmd` by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winword_spawning_cmd_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited, but if any are present, filter as needed.", "references": ["https://app.any.run/tasks/73af0064-a785-4c0a-ab0d-cde593fe16ef/"], "tags": {"name": "Winword Spawning Cmd", "analytic_story": ["Spearphishing Attachments", "DarkCrystal RAT", "CVE-2023-21716 Word RTF Heap Corruption"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Delivery"], "message": "$parent_process_name$ on $dest$ by $user$ launched command: $process_name$ which is very common in spearphishing attacks.", "mitre_attack_id": ["T1566", "T1566.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Target"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "winword_spawning_cmd_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/winword_spawning_cmd.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Winword Spawning PowerShell", "id": "b2c950b8-9be2-11eb-8658-acde48001122", "version": 2, "date": "2021-04-12", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following detection identifies Microsoft Word spawning PowerShell. Typically, this is not common behavior and not default with winword.exe. Winword.exe will generally be found in the following path `C:\\Program Files\\Microsoft Office\\root\\Office16` (version will vary). PowerShell spawning from winword.exe is common for a spearphishing attachment and is actively used. Albeit, the command executed will most likely be encoded and captured via another detection. During triage, review parallel processes and identify any files that may have been written.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=\"winword.exe\" `process_powershell` by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `winword_spawning_powershell_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives should be limited, but if any are present, filter as needed.", "references": ["https://redcanary.com/threat-detection-report/techniques/powershell/", "https://attack.mitre.org/techniques/T1566/001/", "https://app.any.run/tasks/b79fa381-f35c-4b3e-8d02-507e7ee7342f/", "https://app.any.run/tasks/181ac90b-0898-4631-8701-b778a30610ad/"], "tags": {"name": "Winword Spawning PowerShell", "analytic_story": ["Spearphishing Attachments", "DarkCrystal RAT", "CVE-2023-21716 Word RTF Heap Corruption"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Delivery"], "message": "$parent_process_name$ on $dest$ by $user$ launched the following powershell process: $process_name$ which is very common in spearphishing attacks", "mitre_attack_id": ["T1566", "T1566.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Target"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "winword_spawning_powershell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/winword_spawning_powershell.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Winword Spawning Windows Script Host", "id": "637e1b5c-9be1-11eb-9c32-acde48001122", "version": 1, "date": "2021-04-12", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following detection identifies Microsoft Winword.exe spawning Windows Script Host - `cscript.exe` or `wscript.exe`. Typically, this is not common behavior and not default with Winword.exe. Winword.exe will generally be found in the following path `C:\\Program Files\\Microsoft Office\\root\\Office16` (version will vary). `cscript.exe` or `wscript.exe` default location is `c:\\windows\\system32\\` or c:windows\\syswow64\\`. `cscript.exe` or `wscript.exe` spawning from Winword.exe is common for a spearphishing attachment and is actively used. Albeit, the command-line executed will most likely be obfuscated and captured via another detection. During triage, review parallel processes and identify any files that may have been written. Review the reputation of the remote destination and block accordingly.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=\"winword.exe\" Processes.process_name IN (\"cscript.exe\", \"wscript.exe\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winword_spawning_windows_script_host_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.", "known_false_positives": "There will be limited false positives and it will be different for every environment. Tune by child process or command-line as needed.", "references": ["https://attack.mitre.org/techniques/T1566/001/"], "tags": {"name": "Winword Spawning Windows Script Host", "analytic_story": ["Spearphishing Attachments", "CVE-2023-21716 Word RTF Heap Corruption"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Delivery"], "message": "User $user$ on $dest$ spawned Windows Script Host from Winword.exe", "mitre_attack_id": ["T1566", "T1566.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Target"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "process_name", "process_id", "parent_process_name", "dest", "user", "parent_process_id"], "risk_score": 70, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_wsh.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "winword_spawning_windows_script_host_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/winword_spawning_windows_script_host.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "WMI Permanent Event Subscription", "id": "71bfdb13-f200-4c6c-b2c9-a2e07adf437d", "version": 1, "date": "2018-10-23", "author": "Rico Valdez, Splunk", "type": "TTP", "status": "experimental", "description": "The following analytic seeks to detect the creation of Windows Management Instrumentation (WMI) permanent event subscriptions, a technique often used by adversaries for persistence. Such a subscription allows for the execution of specified scripts or binaries in response to defined system events, potentially enabling malicious activities to persist unnoticed. The analytic uses Sysmon Event ID 5 data, specifically focusing on instances where consumers of these events are not the expected \"NTEventLogEventConsumer.\" Although WMI event subscriptions can be used legitimately by administrators, unusual or unexpected subscription creation should be treated as suspicious. Analysts need to be cognizant of the potential for false positives in legitimate administrative activities and should understand WMI activity within the context of the monitored environment.", "data_source": ["Sysmon Event ID 5"], "search": "`wmi` EventCode=5861 Binding | rex field=Message \"Consumer =\\s+(?[^;|^$]+)\" | search consumer!=\"NTEventLogEventConsumer=\\\"SCM Event Log Consumer\\\"\" | stats count min(_time) as firstTime max(_time) as lastTime by ComputerName, consumer, Message | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | rename ComputerName as dest | `wmi_permanent_event_subscription_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting the Windows WMI activity logs. This can be done by adding a stanza to inputs.conf on the system generating logs with a title of [WinEventLog://Microsoft-Windows-WMI-Activity/Operational].", "known_false_positives": "Although unlikely, administrators may use event subscriptions for legitimate purposes.", "references": [], "tags": {"name": "WMI Permanent Event Subscription", "analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "tbd", "mitre_attack_id": ["T1047"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Message", "consumer", "ComputerName"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wmi", "definition": "sourcetype=\"wineventlog:microsoft-windows-wmi-activity/operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wmi_permanent_event_subscription_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/wmi_permanent_event_subscription.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "WMI Permanent Event Subscription - Sysmon", "id": "ad05aae6-3b2a-4f73-af97-57bd26cee3b9", "version": 3, "date": "2020-12-08", "author": "Rico Valdez, Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "This analytic looks for the creation of WMI permanent event subscriptions. The following analytic identifies the use of WMI Event Subscription to establish persistence or perform privilege escalation. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges. This analytic is restricted by commonly added process execution and a path. If the volume is low enough, remove the values and flag on any new subscriptions.\\\nAll event subscriptions have three components \\\n1. Filter - WQL Query for the events we want. EventID = 19 \\\n1. Consumer - An action to take upon triggering the filter. EventID = 20 \\\n1. Binding - Registers a filter to a consumer. EventID = 21 \\\nMonitor for the creation of new WMI EventFilter, EventConsumer, and FilterToConsumerBinding. It may be pertinent to review all 3 to identify the flow of execution. In addition, EventCode 4104 may assist with any other PowerShell script usage that registered the subscription.", "data_source": ["Sysmon Event ID 21"], "search": "`sysmon` EventCode=21 | rename host as dest | table _time, dest, user, Operation, EventType, Query, Consumer, Filter | `wmi_permanent_event_subscription___sysmon_filter`", "how_to_implement": "To successfully implement this search, you must be collecting Sysmon data using Sysmon version 6.1 or greater and have Sysmon configured to generate alerts for WMI activity (eventID= 19, 20, 21). In addition, you must have at least version 6.0.4 of the Sysmon TA installed to properly parse the fields.", "known_false_positives": "Although unlikely, administrators may use event subscriptions for legitimate purposes.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md", "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", "https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/WMI-events.md", "https://in.security/2019/04/03/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/"], "tags": {"name": "WMI Permanent Event Subscription - Sysmon", "analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 30, "kill_chain_phases": ["Installation", "Exploitation"], "message": "User $user$ on $host$ executed the following suspicious WMI query: $Query$. Filter: $filter$. Consumer: $Consumer$. EventCode: $EventCode$", "mitre_attack_id": ["T1546.003", "T1546"], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "host", "user", "Operation", "EventType", "Query", "Consumer", "Filter"], "risk_score": 30, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.003", "mitre_attack_technique": "Windows Management Instrumentation Event Subscription", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT33", "Blue Mockingbird", "FIN8", "Leviathan", "Metador", "Mustang Panda", "Turla"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.003/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wmi_permanent_event_subscription___sysmon_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/wmi_permanent_event_subscription___sysmon.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "WMI Recon Running Process Or Services", "id": "b5cd5526-cce7-11eb-b3bd-acde48001122", "version": 2, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies suspicious PowerShell script execution via EventCode 4104, where WMI is performing an event query looking for running processes or running services. This technique is commonly found in malware and APT events where the adversary will map all running security applications or services on the compromised machine. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.", "data_source": ["Powershell 4104"], "search": "`powershell` EventCode=4104 ScriptBlockText= \"*SELECT*\" AND (ScriptBlockText=\"*Win32_Process*\" OR ScriptBlockText=\"*Win32_Service*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wmi_recon_running_process_or_services_filter`", "how_to_implement": "To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.", "known_false_positives": "Network administrator may used this command for checking purposes", "references": ["https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/", "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", "https://github.com/trustedsec/SysmonCommunityGuide/blob/master/chapters/WMI-events.md", "https://in.security/2019/04/03/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/"], "tags": {"name": "WMI Recon Running Process Or Services", "analytic_story": ["Malicious PowerShell", "Hermetic Wiper", "Data Destruction"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 20, "kill_chain_phases": ["Reconnaissance"], "message": "Suspicious powerShell script execution by $user$ on $Computer$ via EventCode 4104, where WMI is performing an event query looking for running processes or running services", "mitre_attack_id": ["T1592"], "nist": ["DE.AE"], "observable": [{"name": "Computer", "type": "Endpoint", "role": ["Victim"]}, {"name": "User", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode"], "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/win32process.log", "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wmi_recon_running_process_or_services_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/wmi_recon_running_process_or_services.yml", "source": "endpoint", "providing_technologies": ["Microsoft Windows"]}, {"name": "WMI Temporary Event Subscription", "id": "38cbd42c-1098-41bb-99cf-9d6d2b296d83", "version": 1, "date": "2018-10-23", "author": "Rico Valdez, Splunk", "type": "TTP", "status": "experimental", "description": "This search looks for the creation of WMI temporary event subscriptions.", "data_source": ["Sysmon Event ID 5"], "search": "`wmi` EventCode=5860 Temporary | rex field=Message \"NotificationQuery =\\s+(?[^;|^$]+)\" | search query!=\"SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'wsmprovhost.exe'\" AND query!=\"SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'\" | stats count min(_time) as firstTime max(_time) as lastTime by ComputerName, query | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `wmi_temporary_event_subscription_filter`", "how_to_implement": "To successfully implement this search, you must be ingesting the Windows WMI activity logs. This can be done by adding a stanza to inputs.conf on the system generating logs with a title of [WinEventLog://Microsoft-Windows-WMI-Activity/Operational].", "known_false_positives": "Some software may create WMI temporary event subscriptions for various purposes. The included search contains an exception for two of these that occur by default on Windows 10 systems. You may need to modify the search to create exceptions for other legitimate events.", "references": [], "tags": {"name": "WMI Temporary Event Subscription", "analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "tbd", "mitre_attack_id": ["T1047"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "EventCode", "Message", "query"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "wmi", "definition": "sourcetype=\"wineventlog:microsoft-windows-wmi-activity/operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wmi_temporary_event_subscription_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/wmi_temporary_event_subscription.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "Wmic Group Discovery", "id": "83317b08-155b-11ec-8e00-acde48001122", "version": 1, "date": "2021-09-14", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following hunting analytic identifies the use of `wmic.exe` enumerating local groups on the endpoint. \\\nTypically, by itself, is not malicious but may raise suspicion based on time of day, endpoint and username. \\\nDuring triage, review parallel processes and identify any further suspicious behavior.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wmic.exe (Processes.process=\"*group get name*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `wmic_group_discovery_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Administrators or power users may use this command for troubleshooting.", "references": ["https://attack.mitre.org/techniques/T1069/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"], "tags": {"name": "Wmic Group Discovery", "analytic_story": ["Active Directory Discovery"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "message": "Local group discovery on $dest$ by $user$.", "mitre_attack_id": ["T1069", "T1069.001"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "admin@338"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "wmic_group_discovery_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/wmic_group_discovery.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Wmic NonInteractive App Uninstallation", "id": "bff0e7a0-317f-11ec-ab4e-acde48001122", "version": 2, "date": "2022-07-19", "author": "Teoderick Contreras, Splunk", "type": "Hunting", "status": "production", "description": "This analytic indentifies WMIC command-line attempting to uninstall application non-interactively. This technique was seen in IcedID to uninstall AV products on the compromised host to evade detection. This Hunting query maybe a good indicator that some process tries to uninstall application using wmic which is not a common behavior. This approach may seen in some script or third part appication to uninstall their application but it is a good thing to check what it uninstall and why.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wmic.exe Processes.process=\"* product *\" Processes.process=\"*where name*\" Processes.process=\"*call uninstall*\" Processes.process=\"*/nointeractive*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wmic_noninteractive_app_uninstallation_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "Third party application may use this approach to uninstall applications.", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"], "tags": {"name": "Wmic NonInteractive App Uninstallation", "analytic_story": ["IcedID", "Azorult"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "Wmic $process_name$ with command-line $process$ on $dest$ attempting to uninstall software.", "mitre_attack_id": ["T1562.001", "T1562"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}, {"name": "process_name", "type": "Process", "role": ["Target"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon2.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "wmic_noninteractive_app_uninstallation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/wmic_noninteractive_app_uninstallation.yml", "source": "endpoint", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "WMIC XSL Execution via URL", "id": "787e9dd0-4328-11ec-a029-acde48001122", "version": 1, "date": "2021-11-11", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies `wmic.exe` loading a remote XSL (eXtensible Stylesheet Language) script. This originally was identified by Casey Smith, dubbed Squiblytwo, as an application control bypass. Many adversaries will utilize this technique to invoke JScript or VBScript within an XSL file. This technique can also execute local/remote scripts and, similar to its Regsvr32 \"Squiblydoo\" counterpart, leverages a trusted, built-in Windows tool. Adversaries may abuse any alias in Windows Management Instrumentation provided they utilize the /FORMAT switch. Upon identifying a suspicious execution, review for confirmed network connnection and script download.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process IN (\"*http://*\", \"*https://*\") Processes.process=\"*/format:*\" by Processes.parent_process_name Processes.original_file_name Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wmic_xsl_execution_via_url_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.", "known_false_positives": "False positives are limited as legitimate applications typically do not download files or xsl using WMIC. Filter as needed.", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md", "https://web.archive.org/web/20190814201250/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md#atomic-test-4---wmic-bypass-using-remote-xsl-file"], "tags": {"name": "WMIC XSL Execution via URL", "analytic_story": ["Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ utilizing wmic to download a remote XSL script.", "mitre_attack_id": ["T1220"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1220", "mitre_attack_technique": "XSL Script Processing", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "Higaisa"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1220/atomic_red_team/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "wmic_xsl_execution_via_url_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/wmic_xsl_execution_via_url.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Wmiprsve LOLBAS Execution Process Spawn", "id": "95a455f0-4c04-11ec-b8ac-3e22fbd008af", "version": 1, "date": "2021-11-22", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies `wmiprsve.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing Windows Management Instrumentation (WMI), the executed command is spawned as a child process of `wmiprvse.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of wmiprvse.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wmiprvse.exe) (Processes.process_name IN (\"Regsvcs.exe\", \"Ftp.exe\", \"OfflineScannerShell.exe\", \"Rasautou.exe\", \"Schtasks.exe\", \"Xwizard.exe\", \"Dllhost.exe\", \"Pnputil.exe\", \"Atbroker.exe\", \"Pcwrun.exe\", \"Ttdinject.exe\",\"Mshta.exe\", \"Bitsadmin.exe\", \"Certoc.exe\", \"Ieexec.exe\", \"Microsoft.Workflow.Compiler.exe\", \"Runscripthelper.exe\", \"Forfiles.exe\", \"Msbuild.exe\", \"Register-cimprovider.exe\", \"Tttracer.exe\", \"Ie4uinit.exe\", \"Bash.exe\", \"Hh.exe\", \"SettingSyncHost.exe\", \"Cmstp.exe\", \"Mmc.exe\", \"Stordiag.exe\", \"Scriptrunner.exe\", \"Odbcconf.exe\", \"Extexport.exe\", \"Msdt.exe\", \"WorkFolders.exe\", \"Diskshadow.exe\", \"Mavinject.exe\", \"Regasm.exe\", \"Gpscript.exe\", \"Rundll32.exe\", \"Regsvr32.exe\", \"Msiexec.exe\", \"Wuauclt.exe\", \"Presentationhost.exe\", \"Wmic.exe\", \"Runonce.exe\", \"Syncappvpublishingserver.exe\", \"Verclsid.exe\", \"Infdefaultinstall.exe\", \"Explorer.exe\", \"Installutil.exe\", \"Netsh.exe\", \"Wab.exe\", \"Dnscmd.exe\", \"At.exe\", \"Pcalua.exe\", \"Msconfig.exe\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wmiprsve_lolbas_execution_process_spawn_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints.", "known_false_positives": "Legitimate applications may trigger this behavior, filter as needed.", "references": ["https://attack.mitre.org/techniques/T1047/", "https://www.ired.team/offensive-security/lateral-movement/t1047-wmi-for-lateral-movement", "https://lolbas-project.github.io/"], "tags": {"name": "Wmiprsve LOLBAS Execution Process Spawn", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Installation"], "message": "Wmiprsve.exe spawned a LOLBAS process on $dest$.", "mitre_attack_id": ["T1047"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/lateral_movement_lolbas/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "wmiprsve_lolbas_execution_process_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/wmiprsve_lolbas_execution_process_spawn.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Wscript Or Cscript Suspicious Child Process", "id": "1f35e1da-267b-11ec-90a9-acde48001122", "version": 1, "date": "2023-04-14", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies a suspicious spawned process by WScript or CScript process. This technique was a common technique used by adversaries and malware to execute different LOLBIN, other scripts like PowerShell or spawn a suspended process to inject its code as a defense evasion. This TTP may detect some normal script that using several application tool that are in the list of the child process it detects but a good pivot and indicator that a script is may execute suspicious code.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"cscript.exe\", \"wscript.exe\") Processes.process_name IN (\"regsvr32.exe\", \"rundll32.exe\",\"winhlp32.exe\",\"certutil.exe\",\"msbuild.exe\",\"cmd.exe\",\"powershell*\",\"wmic.exe\",\"mshta.exe\") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wscript_or_cscript_suspicious_child_process_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "Administrators may create vbs or js script that use several tool as part of its execution. Filter as needed.", "references": ["https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"], "tags": {"name": "Wscript Or Cscript Suspicious Child Process", "analytic_story": ["Remcos", "FIN7", "Unusual Processes", "Data Destruction", "WhisperGate"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation", "Installation"], "message": "wscript or cscript parent process spawned $process_name$ in $dest$", "mitre_attack_id": ["T1055", "T1543", "T1134.004", "T1134"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}, {"name": "user", "type": "User", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134.004", "mitre_attack_technique": "Parent PID Spoofing", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.005/vbs_wscript/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "wscript_or_cscript_suspicious_child_process_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Wsmprovhost LOLBAS Execution Process Spawn", "id": "2eed004c-4c0d-11ec-93e8-3e22fbd008af", "version": 1, "date": "2021-11-22", "author": "Mauricio Velazco, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies `Wsmprovhost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Windows Remote Management (WinRm) protocol, the executed command is spawned as a child processs of `Wsmprovhost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of Wsmprovhost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wsmprovhost.exe) (Processes.process_name IN (\"Regsvcs.exe\", \"Ftp.exe\", \"OfflineScannerShell.exe\", \"Rasautou.exe\", \"Schtasks.exe\", \"Xwizard.exe\", \"Dllhost.exe\", \"Pnputil.exe\", \"Atbroker.exe\", \"Pcwrun.exe\", \"Ttdinject.exe\",\"Mshta.exe\", \"Bitsadmin.exe\", \"Certoc.exe\", \"Ieexec.exe\", \"Microsoft.Workflow.Compiler.exe\", \"Runscripthelper.exe\", \"Forfiles.exe\", \"Msbuild.exe\", \"Register-cimprovider.exe\", \"Tttracer.exe\", \"Ie4uinit.exe\", \"Bash.exe\", \"Hh.exe\", \"SettingSyncHost.exe\", \"Cmstp.exe\", \"Mmc.exe\", \"Stordiag.exe\", \"Scriptrunner.exe\", \"Odbcconf.exe\", \"Extexport.exe\", \"Msdt.exe\", \"WorkFolders.exe\", \"Diskshadow.exe\", \"Mavinject.exe\", \"Regasm.exe\", \"Gpscript.exe\", \"Rundll32.exe\", \"Regsvr32.exe\", \"Msiexec.exe\", \"Wuauclt.exe\", \"Presentationhost.exe\", \"Wmic.exe\", \"Runonce.exe\", \"Syncappvpublishingserver.exe\", \"Verclsid.exe\", \"Infdefaultinstall.exe\", \"Explorer.exe\", \"Installutil.exe\", \"Netsh.exe\", \"Wab.exe\", \"Dnscmd.exe\", \"At.exe\", \"Pcalua.exe\", \"Msconfig.exe\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `wsmprovhost_lolbas_execution_process_spawn_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints.", "known_false_positives": "Legitimate applications may trigger this behavior, filter as needed.", "references": ["https://attack.mitre.org/techniques/T1021/006/", "https://lolbas-project.github.io/", "https://pentestlab.blog/2018/05/15/lateral-movement-winrm/"], "tags": {"name": "Wsmprovhost LOLBAS Execution Process Spawn", "analytic_story": ["Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Exploitation"], "message": "Wsmprovhost.exe spawned a LOLBAS process on $dest$.", "mitre_attack_id": ["T1021", "T1021.006"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_path", "Processes.process_path", "Processes.parent_process_id"], "risk_score": 54, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "Threat Group-3390", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_lolbas/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "wsmprovhost_lolbas_execution_process_spawn_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "WSReset UAC Bypass", "id": "8b5901bc-da63-11eb-be43-acde48001122", "version": 3, "date": "2022-11-14", "author": "Steven Dick, Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious modification of registry related to UAC bypass. This technique is to modify the registry in this detection, create a registry value with the path of the payload and run WSreset.exe to bypass User account Control.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= \"*\\\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\\\Shell\\\\open\\\\command*\" AND (Registry.registry_value_name = \"(Default)\" OR Registry.registry_value_name = \"DelegateExecute\") by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wsreset_uac_bypass_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709", "known_false_positives": "unknown", "references": ["https://github.com/hfiref0x/UACME", "https://blog.morphisec.com/trickbot-uses-a-new-windows-10-uac-bypass"], "tags": {"name": "WSReset UAC Bypass", "analytic_story": ["Windows Defense Evasion Tactics", "Living Off The Land", "Windows Registry Abuse"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "Suspicious modification of registry $registry_path$ with possible payload path $registry_value_name$ in $dest$", "mitre_attack_id": ["T1548.002", "T1548"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.user", "Processes.dest", "Processes.process_id", "Processes.process_name", "Processes.process", "Processes.process_path", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_guid", "Registry.dest", "Registry.registry_value_name", "Registry.registry_key_name", "Registry.registry_path", "Registry.registry_value_data", "Registry.process_guid"], "risk_score": 63, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/uac_bypass/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "wsreset_uac_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/wsreset_uac_bypass.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "XMRIG Driver Loaded", "id": "90080fa6-a8df-11eb-91e4-acde48001122", "version": 1, "date": "2021-04-29", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This analytic identifies XMRIG coinminer driver installation on the system. The XMRIG driver name by default is `WinRing0x64.sys`. This cpu miner is an open source project that is commonly abused by adversaries to infect and mine bitcoin.", "data_source": ["Sysmon Event ID 6"], "search": "`sysmon` EventCode=6 Signature=\"Noriyuki MIYAZAKI\" OR ImageLoaded= \"*\\\\WinRing0x64.sys\" | stats min(_time) as firstTime max(_time) as lastTime count by Computer ImageLoaded Hashes IMPHASH Signature Signed | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `xmrig_driver_loaded_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the driver loaded and Signature from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "False positives should be limited.", "references": ["https://www.trendmicro.com/vinfo/hk/threat-encyclopedia/malware/trojan.ps1.powtran.a/"], "tags": {"name": "XMRIG Driver Loaded", "analytic_story": ["XMRig", "CISA AA22-320A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "message": "A driver $ImageLoaded$ related to xmrig crytominer loaded in host $Computer$", "mitre_attack_id": ["T1543.003", "T1543"], "nist": ["DE.CM"], "observable": [{"name": "Computer", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Computer", "ImageLoaded", "Hashes", "IMPHASH", "Signature", "Signed"], "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "xmrig_driver_loaded_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/xmrig_driver_loaded.yml", "source": "endpoint", "nes_fields": "user,dest"}, {"name": "XSL Script Execution With WMIC", "id": "004e32e2-146d-11ec-a83f-acde48001122", "version": 1, "date": "2021-09-13", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect a suspicious wmic.exe process or renamed wmic process to execute malicious xsl file. This technique was seen in FIN7 to execute its malicous jscript using the .xsl as the loader with the help of wmic.exe process. This TTP is really a good indicator for you to hunt further for FIN7 or other attacker that known to used this technique.", "data_source": ["Sysmon Event ID 1"], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process = \"*os get*\" Processes.process=\"*/format:*\" Processes.process = \"*.xsl*\" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `xsl_script_execution_with_wmic_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.", "known_false_positives": "unknown", "references": ["https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation", "https://attack.mitre.org/groups/G0046/", "https://web.archive.org/web/20190814201250/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md#atomic-test-3---wmic-bypass-using-local-xsl-file"], "tags": {"name": "XSL Script Execution With WMIC", "analytic_story": ["FIN7", "Suspicious WMI Use"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ utilizing wmic to load a XSL script.", "mitre_attack_id": ["T1220"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "parent_process_name", "type": "Process", "role": ["Parent Process"]}, {"name": "process_name", "type": "Process", "role": ["Child Process"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process_id", "Processes.process", "Processes.dest", "Processes.user"], "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1220", "mitre_attack_technique": "XSL Script Processing", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "Higaisa"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_macro_js_1/sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Endpoint"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "xsl_script_execution_with_wmic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/endpoint/xsl_script_execution_with_wmic.yml", "source": "endpoint", "nes_fields": "user,dest", "providing_technologies": ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"]}, {"name": "Detect ARP Poisoning", "id": "b44bebd6-bd39-467b-9321-73971bcd7aac", "version": 1, "date": "2020-08-11", "author": "Mikael Bjerkeland, Splunk", "type": "TTP", "status": "experimental", "description": "By enabling Dynamic ARP Inspection as a Layer 2 Security measure on the organization's network devices, we will be able to detect ARP Poisoning attacks in the Infrastructure.", "data_source": [], "search": "`cisco_networks` facility=\"PM\" mnemonic=\"ERR_DISABLE\" disable_cause=\"arp-inspection\" | eval src_interface=src_int_prefix_long+src_int_suffix | stats min(_time) AS firstTime max(_time) AS lastTime count BY host src_interface | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| `detect_arp_poisoning_filter`", "how_to_implement": "This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with DHCP Snooping (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01101.html) and Dynamic ARP Inspection (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-2_2_e/security/configuration_guide/b_sec_1522e_2960x_cg/b_sec_1522e_2960x_cg_chapter_01111.html) and log with a severity level of minimum \"5 - notification\". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices.", "known_false_positives": "This search might be prone to high false positives if DHCP Snooping or ARP inspection has been incorrectly configured, or if a device normally sends many ARP packets (unlikely).", "references": [], "tags": {"name": "Detect ARP Poisoning", "analytic_story": ["Router and Infrastructure Security"], "asset_type": "Infrastructure", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery", "Actions on Objectives", "Exploitation"], "message": "tbd", "mitre_attack_id": ["T1200", "T1498", "T1557", "T1557.002"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "facility", "mnemonic", "disable_cause", "src_int_prefix_long", "src_int_suffix", "host", "src_interface"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1200", "mitre_attack_technique": "Hardware Additions", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["DarkVishnya"]}, {"mitre_attack_id": "T1498", "mitre_attack_technique": "Network Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1557", "mitre_attack_technique": "Adversary-in-the-Middle", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1557.002", "mitre_attack_technique": "ARP Cache Poisoning", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["Cleaver", "LuminousMoth"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cisco_networks", "definition": "eventtype=cisco_ios", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_arp_poisoning_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/detect_arp_poisoning.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Detect DGA domains using pretrained model in DSDL", "id": "92e24f32-9b9a-4060-bba2-2a0eb31f3493", "version": 1, "date": "2023-01-18", "author": "Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk", "type": "Anomaly", "status": "experimental", "description": "The following analytic uses a pre trained deep learning model to detect Domain Generation Algorithm (DGA) generated domains. The model is trained independently and is then made available for download. One of the prominent indicators of a domain being DGA generated is if the domain name consists of unusual character sequences or concatenated dictionary words. Adversaries often use clever techniques to obfuscate machine generated domain names as human generated. Predicting DGA generated domain names requires analysis and building a model based on carefully chosen features. The deep learning model we have developed uses the domain name to analyze patterns of character sequences along with carefully chosen custom features to predict if a domain is DGA generated. The model takes a domain name consisting of second-level and top-level domain names as input and outputs a dga_score. Higher the dga_score, the more likely the input domain is a DGA domain. The threshold for flagging a domain as DGA is set at 0.5.", "data_source": [], "search": "| tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name(DNS)` | rename query AS domain | fields IPs, src, domain, firstTime, lastTime | apply pretrained_dga_model_dsdl | rename pred_dga_proba AS dga_score | where dga_score>0.5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table src, domain, IPs, firstTime, lastTime, dga_score | `detect_dga_domains_using_pretrained_model_in_dsdl_filter`", "how_to_implement": "Steps to deploy DGA detection model into Splunk App DSDL.\\ This detection depends on the Splunk app for Data Science and Deep Learning which can be found here - https://splunkbase.splunk.com/app/4607/ and the Network Resolution datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. The detection uses a pre-trained deep learning model that needs to be deployed in DSDL app. Follow the steps for deployment here - https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU.\\ * Download the artifacts .tar.gz file from the link `https://seal.splunkresearch.com/pretrained_dga_model_dsdl.tar.gz`\\\n* Download the pretrained_dga_model_dsdl.ipynb Jupyter notebook from `https://github.com/splunk/security_content/notebooks`\\\n* Login to the Jupyter Lab for pretrained_dga_model_dsdl container. This container should be listed on Containers page for DSDL app.\\\n* Below steps need to be followed inside Jupyter lab \\\n* Upload the pretrained_dga_model_dsdl.tar.gz file into `app/model/data` path using the upload option in the jupyter notebook.\\\n* Untar the artifact `pretrained_dga_model_dsdl.tar.gz` using `tar -xf app/model/data/pretrained_dga_model_dsdl.tar.gz -C app/model/data`\\\n* Upload `pretrained_dga_model_dsdl.pynb` into Jupyter lab notebooks folder using the upload option in Jupyter lab\\\n* Save the notebook using the save option in jupyter notebook.\\\n* Upload `pretrained_dga_model_dsdl.json` into `notebooks/data` folder.", "known_false_positives": "False positives may be present if domain name is similar to dga generated domains.", "references": ["https://attack.mitre.org/techniques/T1568/002/", "https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/", "https://en.wikipedia.org/wiki/Domain_generation_algorithm"], "tags": {"name": "Detect DGA domains using pretrained model in DSDL", "analytic_story": ["Data Exfiltration", "DNS Hijacking", "Suspicious DNS Traffic", "Dynamic DNS", "Command And Control"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Command And Control"], "message": "A potential connection to a DGA domain $domain$ was detected from host $src$, kindly review.", "mitre_attack_id": ["T1568.002"], "nist": ["DE.AE"], "observable": [{"name": "domain", "type": "URL String", "role": ["Attacker"]}, {"name": "src", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["IPs", "src", "domain", "firstTime", "lastTime"], "risk_score": 63, "security_domain": "Network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1568.002", "mitre_attack_technique": "Domain Generation Algorithms", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "TA551"]}]}, "datamodel": ["Network_Resolution"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_dga_domains_using_pretrained_model_in_dsdl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/detect_dga_domains_using_pretrained_model_in_dsdl.yml", "source": "network"}, {"name": "Detect DNS Data Exfiltration using pretrained model in DSDL", "id": "92f65c3a-168c-11ed-71eb-0242ac120012", "version": 1, "date": "2023-04-27", "author": "Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk", "type": "Anomaly", "status": "experimental", "description": "The following analytic uses a pre trained deep learning model to detect DNS data exfiltration. The model is trained on the data we collected and is inferred on live data. This detection detects low throughput DNS Tunneling (data exfiltration) using features computed from past events between the same src and domain. The search uses macros from URL ToolBox app to generate features used by the model. The model is a deep learning model that accepts DNS request as input along with a few custom features to generate a pred_is_exfiltration_proba score. The higher the pred_is_exfiltration_proba, the more likely the DNS request is data exfiltration. The threshold for flagging a request as DNS exfiltration is set at 0.5.", "data_source": [], "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Resolution by DNS.src _time DNS.query | `drop_dm_object_name(\"DNS\")` | sort - _time,src, query | streamstats count as rank by src query | where rank < 10 | table src,query,rank,_time | apply detect_dns_data_exfiltration_using_pretrained_model_in_dsdl | table src,_time,query,rank,pred_is_dns_data_exfiltration_proba,pred_is_dns_data_exfiltration | where rank == 1 | rename pred_is_dns_data_exfiltration_proba as is_exfiltration_score | rename pred_is_dns_data_exfiltration as is_exfiltration | where is_exfiltration_score > 0.5 | `security_content_ctime(_time)` | table src, _time,query,is_exfiltration_score,is_exfiltration | `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl_filter`", "how_to_implement": "Steps to deploy detect DNS data exfiltration model into Splunk App DSDL. This detection depends on the Splunk app for Data Science and Deep Learning which can be found here - https://splunkbase.splunk.com/app/4607/ and the Network Resolution datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. The detection uses a pre-trained deep learning model that needs to be deployed in DSDL app. Follow the steps for deployment here - `https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU`.\\\n* Download the `artifacts .tar.gz` file from the link - https://seal.splunkresearch.com/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz Download the `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.ipynb` Jupyter notebook from https://github.com/splunk/security_content/notebooks\\\n* Login to the Jupyter Lab assigned for detect_dns_data_exfiltration_using_pretrained_model_in_dsdl container. This container should be listed on Containers page for DSDL app.\\\n* Below steps need to be followed inside Jupyter lab \\\n* Upload the detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz file into `app/model/data` path using the upload option in the jupyter notebook.\\\n* Untar the artifact detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.tar.gz using `tar -xf app/model/data/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz -C app/model/data`\\\n* Upload detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.pynb into Jupyter lab notebooks folder using the upload option in Jupyter lab \\\n* Save the notebook using the save option in jupyter notebook. \\\n* Upload `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.json` into `notebooks/data` folder.", "known_false_positives": "False positives may be present if DNS data exfiltration request look very similar to benign DNS requests.", "references": ["https://attack.mitre.org/techniques/T1048/003/", "https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/", "https://en.wikipedia.org/wiki/Data_exfiltration"], "tags": {"name": "Detect DNS Data Exfiltration using pretrained model in DSDL", "analytic_story": ["DNS Hijacking", "Suspicious DNS Traffic", "Command and Control"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "message": "A DNS data exfiltration request was sent by this host $src$ , kindly review.", "mitre_attack_id": ["T1048.003"], "nist": ["DE.AE"], "observable": [{"name": "query", "type": "Other", "role": ["Attacker"]}, {"name": "src", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "DNS.message_type", "DNS.record_type", "DNS.src", "DNS.dest", "DNS.answer"], "risk_score": 45, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}]}, "datamodel": ["Network_Resolution"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_dns_data_exfiltration_using_pretrained_model_in_dsdl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml", "source": "network"}, {"name": "Detect hosts connecting to dynamic domain providers", "id": "a1e761ac-1344-4dbd-88b2-3f34c912d359", "version": 3, "date": "2021-01-14", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "production", "description": "Malicious actors often abuse legitimate Dynamic DNS services to host malicious payloads or interactive Command And Control nodes. Attackers will automate domain resolution changes by routing dynamic domains to countless IP addresses to circumvent firewall blocks, block lists as well as frustrate a network defenders analytic and investigative processes. This search will look for DNS queries made from within your infrastructure to suspicious dynamic domains.", "data_source": [], "search": "| tstats `security_content_summariesonly` count values(DNS.answer) as answer min(_time) as firstTime from datamodel=Network_Resolution by DNS.query host | `drop_dm_object_name(\"DNS\")` | `security_content_ctime(firstTime)` | `dynamic_dns_providers` | `detect_hosts_connecting_to_dynamic_domain_providers_filter`", "how_to_implement": "First, you'll need to ingest data from your DNS operations. This can be done by ingesting logs from your server or data, collected passively by Splunk Stream or a similar solution. Specifically, data that contains the domain that is being queried and the IP of the host originating the request must be populating the `Network_Resolution` data model. This search also leverages a lookup file, `dynamic_dns_providers_default.csv`, which contains a non-exhaustive list of Dynamic DNS providers. Please consider updating the local lookup periodically by adding new domains to the list of `dynamic_dns_providers_local.csv`.\\\nThis search produces fields (query, answer, isDynDNS) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable event. To see the additional metadata, add the following fields, if not already present, to Incident Review. Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\\\n1. **Label:** DNS Query, **Field:** query\\\n1. \\\n1. **Label:** DNS Answer, **Field:** answer\\\n1. \\\n1. **Label:** IsDynamicDNS, **Field:** isDynDNS\\\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "Some users and applications may leverage Dynamic DNS to reach out to some domains on the Internet since dynamic DNS by itself is not malicious, however this activity must be verified.", "references": [], "tags": {"name": "Detect hosts connecting to dynamic domain providers", "analytic_story": ["Data Protection", "Prohibited Traffic Allowed or Protocol Mismatch", "DNS Hijacking", "Suspicious DNS Traffic", "Dynamic DNS", "Command And Control"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Delivery"], "message": "A dns query $query$ from your infra connecting to suspicious domain in host $host$", "mitre_attack_id": ["T1189"], "nist": ["DE.CM"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "DNS.answer", "DNS.query", "host"], "risk_score": 56, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/dyn_dns_site/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Network_Resolution"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "dynamic_dns_providers", "definition": "lookup update=true dynamic_dns_providers_default dynamic_dns_domains as query OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local dynamic_dns_domains as query OUTPUTNEW isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_default, isDynDNS_local)|fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True", "description": "This macro limits the output of the query field to dynamic dns domains. It looks up the domains in a file provided by Splunk and one intended to be updated by the end user."}, {"name": "detect_hosts_connecting_to_dynamic_domain_providers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/detect_hosts_connecting_to_dynamic_domain_providers.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Detect IPv6 Network Infrastructure Threats", "id": "c3be767e-7959-44c5-8976-0e9c12a91ad2", "version": 1, "date": "2020-10-28", "author": "Mikael Bjerkeland, Splunk", "type": "TTP", "status": "experimental", "description": "By enabling IPv6 First Hop Security as a Layer 2 Security measure on the organization's network devices, we will be able to detect various attacks such as packet forging in the Infrastructure.", "data_source": [], "search": "`cisco_networks` facility=\"SISF\" mnemonic IN (\"IP_THEFT\",\"MAC_THEFT\",\"MAC_AND_IP_THEFT\",\"PAK_DROP\") | eval src_interface=src_int_prefix_long+src_int_suffix | eval dest_interface=dest_int_prefix_long+dest_int_suffix | stats min(_time) AS firstTime max(_time) AS lastTime values(src_mac) AS src_mac values(src_vlan) AS src_vlan values(mnemonic) AS mnemonic values(vendor_explanation) AS vendor_explanation values(src_ip) AS src_ip values(dest_ip) AS dest_ip values(dest_interface) AS dest_interface values(action) AS action count BY host src_interface | table host src_interface dest_interface src_mac src_ip dest_ip src_vlan mnemonic vendor_explanation action count | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `detect_ipv6_network_infrastructure_threats_filter`", "how_to_implement": "This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with one or more First Hop Security measures such as RA Guard, DHCP Guard and/or device tracking. See References for more information. The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices.", "known_false_positives": "None currently known", "references": ["https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2019/pdf/BRKSEC-3200.pdf", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ip6-ra-guard.html", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ip6-snooping.html", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ip6-dad-proxy.html", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ip6-nd-mcast-supp.html", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ip6-dhcpv6-guard.html", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ip6-src-guard.html", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-12/ip6f-xe-16-12-book/ipv6-dest-guard.html"], "tags": {"name": "Detect IPv6 Network Infrastructure Threats", "analytic_story": ["Router and Infrastructure Security"], "asset_type": "Infrastructure", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery", "Actions on Objectives", "Exploitation"], "message": "tbd", "mitre_attack_id": ["T1200", "T1498", "T1557", "T1557.002"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "facility", "mnemonic", "src_int_prefix_long", "src_int_suffix", "dest_int_prefix_long", "dest_int_suffix", "src_mac", "src_vlan", "vendor_explanation", "action"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1200", "mitre_attack_technique": "Hardware Additions", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["DarkVishnya"]}, {"mitre_attack_id": "T1498", "mitre_attack_technique": "Network Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1557", "mitre_attack_technique": "Adversary-in-the-Middle", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1557.002", "mitre_attack_technique": "ARP Cache Poisoning", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["Cleaver", "LuminousMoth"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cisco_networks", "definition": "eventtype=cisco_ios", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_ipv6_network_infrastructure_threats_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/detect_ipv6_network_infrastructure_threats.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Detect Large Outbound ICMP Packets", "id": "e9c102de-4d43-42a7-b1c8-8062ea297419", "version": 2, "date": "2018-06-01", "author": "Rico Valdez, Splunk", "type": "TTP", "status": "experimental", "description": "This search looks for outbound ICMP packets with a packet size larger than 1,000 bytes. Various threat actors have been known to use ICMP as a command and control channel for their attack infrastructure. Large ICMP packets from an endpoint to a remote host may be indicative of this activity.", "data_source": [], "search": "| tstats `security_content_summariesonly` count earliest(_time) as firstTime latest(_time) as lastTime values(All_Traffic.action) values(All_Traffic.bytes) from datamodel=Network_Traffic where All_Traffic.action !=blocked All_Traffic.dest_category !=internal (All_Traffic.protocol=icmp OR All_Traffic.transport=icmp) All_Traffic.bytes > 1000 by All_Traffic.src_ip All_Traffic.dest_ip | `drop_dm_object_name(\"All_Traffic\")` | search ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `detect_large_outbound_icmp_packets_filter`", "how_to_implement": "In order to run this search effectively, we highly recommend that you leverage the Assets and Identity framework. It is important that you have a good understanding of how your network segments are designed and that you are able to distinguish internal from external address space. Add a category named `internal` to the CIDRs that host the company's assets in the `assets_by_cidr.csv` lookup file, which is located in `$SPLUNK_HOME/etc/apps/SA-IdentityManagement/lookups/`. More information on updating this lookup can be found here: https://docs.splunk.com/Documentation/ES/5.0.0/Admin/Addassetandidentitydata. This search also requires you to be ingesting your network traffic and populating the Network_Traffic data model", "known_false_positives": "ICMP packets are used in a variety of ways to help troubleshoot networking issues and ensure the proper flow of traffic. As such, it is possible that a large ICMP packet could be perfectly legitimate. If large ICMP packets are associated with Command And Control traffic, there will typically be a large number of these packets observed over time. If the search is providing a large number of false positives, you can modify the macro `detect_large_outbound_icmp_packets_filter` to adjust the byte threshold or add specific IP addresses to an allow list.", "references": [], "tags": {"name": "Detect Large Outbound ICMP Packets", "analytic_story": ["Command And Control"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command And Control"], "message": "tbd", "mitre_attack_id": ["T1095"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Traffic.action", "All_Traffic.bytes", "All_Traffic.dest_category", "All_Traffic.protocol", "All_Traffic.transport", "All_Traffic.src_ip", "All_Traffic.dest_ip"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1095", "mitre_attack_technique": "Non-Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT3", "BITTER", "BackdoorDiplomacy", "FIN6", "HAFNIUM", "Metador", "PLATINUM"]}]}, "datamodel": ["Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_large_outbound_icmp_packets_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/detect_large_outbound_icmp_packets.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Detect Outbound LDAP Traffic", "id": "5e06e262-d7cd-4216-b2f8-27b437e18458", "version": 1, "date": "2021-12-13", "author": "Bhavin Patel, Johan Bjerke, Splunk", "type": "Hunting", "status": "production", "description": "Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", "data_source": [], "search": "| tstats earliest(_time) as earliest_time latest(_time) as latest_time values(All_Traffic.dest_ip) as dest_ip from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port = 389 OR All_Traffic.dest_port = 636 AND NOT (All_Traffic.dest_ip = 10.0.0.0/8 OR All_Traffic.dest_ip=192.168.0.0/16 OR All_Traffic.dest_ip = 172.16.0.0/12) by All_Traffic.src_ip All_Traffic.dest_ip |`drop_dm_object_name(\"All_Traffic\")` | where src_ip != dest_ip | `security_content_ctime(latest_time)` | `security_content_ctime(earliest_time)` |`detect_outbound_ldap_traffic_filter`", "how_to_implement": "You must be ingesting Zeek DNS and Zeek Conn data into Splunk. Zeek data should also be getting ingested in JSON format and should be mapped to the Network Traffic datamodels that are in use for this search.", "known_false_positives": "Unknown at this moment. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. Please check those servers to verify if the activity is legitimate.", "references": ["https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/"], "tags": {"name": "Detect Outbound LDAP Traffic", "analytic_story": ["Log4Shell CVE-2021-44228"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Delivery", "Installation"], "message": "An outbound LDAP connection from $src_ip$ in your infrastructure connecting to dest ip $dest_ip$", "mitre_attack_id": ["T1190", "T1059"], "nist": ["DE.AE"], "observable": [{"name": "src_ip", "type": "IP Address", "role": ["Victim"]}, {"name": "dest_ip", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Traffic.dest_ip", "All_Traffic.dest_port", "All_Traffic.src_ip"], "risk_score": 56, "security_domain": "network", "risk_severity": "medium", "cve": ["CVE-2021-44228"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/outbound_ldap/bro_conn.json", "source": "/opt/malware/conn.log", "sourcetype": "bro:conn:json"}]}], "datamodel": ["Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "detect_outbound_ldap_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-44228", "cvss": 9.3, "summary": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/detect_outbound_ldap_traffic.yml", "source": "network"}, {"name": "Detect Outbound SMB Traffic", "id": "1bed7774-304a-4e8f-9d72-d80e45ff492b", "version": 3, "date": "2020-07-21", "author": "Bhavin Patel, Stuart Hopkins from Splunk", "type": "TTP", "status": "experimental", "description": "This search looks for outbound SMB connections made by hosts within your network to the Internet. SMB traffic is used for Windows file-sharing activity. One of the techniques often used by attackers involves retrieving the credential hash using an SMB request made to a compromised server controlled by the threat actor.", "data_source": [], "search": "| tstats `security_content_summariesonly` earliest(_time) as start_time latest(_time) as end_time values(All_Traffic.action) as action values(All_Traffic.app) as app values(All_Traffic.dest_ip) as dest_ip values(All_Traffic.dest_port) as dest_port values(sourcetype) as sourcetype count from datamodel=Network_Traffic where ((All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=\"smb\") AND NOT (All_Traffic.action=\"blocked\" OR All_Traffic.dest_category=\"internal\" OR All_Traffic.dest_ip=10.0.0.0/8 OR All_Traffic.dest_ip=172.16.0.0/12 OR All_Traffic.dest_ip=192.168.0.0/16 OR All_Traffic.dest_ip=100.64.0.0/10)) by All_Traffic.src_ip | `drop_dm_object_name(\"All_Traffic\")` | `security_content_ctime(start_time)` | `security_content_ctime(end_time)` | `detect_outbound_smb_traffic_filter`", "how_to_implement": "In order to run this search effectively, we highly recommend that you leverage the Assets and Identity framework. It is important that you have good understanding of how your network segments are designed, and be able to distinguish internal from external address space. Add a category named `internal` to the CIDRs that host the companys assets in `assets_by_cidr.csv` lookup file, which is located in `$SPLUNK_HOME/etc/apps/SA-IdentityManagement/lookups/`. More information on updating this lookup can be found here: https://docs.splunk.com/Documentation/ES/5.0.0/Admin/Addassetandidentitydata. This search also requires you to be ingesting your network traffic and populating the Network_Traffic data model", "known_false_positives": "It is likely that the outbound Server Message Block (SMB) traffic is legitimate, if the company's internal networks are not well-defined in the Assets and Identity Framework. Categorize the internal CIDR blocks as `internal` in the lookup file to avoid creating notable events for traffic destined to those CIDR blocks. Any other network connection that is going out to the Internet should be investigated and blocked. Best practices suggest preventing external communications of all SMB versions and related protocols at the network boundary.", "references": [], "tags": {"name": "Detect Outbound SMB Traffic", "analytic_story": ["Hidden Cobra Malware", "DHS Report TA18-074A", "NOBELIUM Group"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command And Control"], "message": "tbd", "mitre_attack_id": ["T1071.002", "T1071"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Traffic.action", "All_Traffic.app", "All_Traffic.dest_ip", "All_Traffic.dest_port", "sourcetype", "All_Traffic.dest_category", "All_Traffic.src_ip"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1071.002", "mitre_attack_technique": "File Transfer Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Kimsuky", "SilverTerrier"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Dragonfly", "Magic Hound", "Rocke", "TeamTNT"]}]}, "datamodel": ["Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_outbound_smb_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/detect_outbound_smb_traffic.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Detect Port Security Violation", "id": "2de3d5b8-a4fa-45c5-8540-6d071c194d24", "version": 1, "date": "2020-10-28", "author": "Mikael Bjerkeland, Splunk", "type": "TTP", "status": "experimental", "description": "By enabling Port Security on a Cisco switch you can restrict input to an interface by limiting and identifying MAC addresses of the workstations that are allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port. If a port is configured as a secure port and the maximum number of secure MAC addresses is reached, when the MAC address of a workstation attempting to access the port is different from any of the identified secure MAC addresses, a security violation occurs.", "data_source": [], "search": "`cisco_networks` (facility=\"PM\" mnemonic=\"ERR_DISABLE\" disable_cause=\"psecure-violation\") OR (facility=\"PORT_SECURITY\" mnemonic=\"PSECURE_VIOLATION\" OR mnemonic=\"PSECURE_VIOLATION_VLAN\") | eval src_interface=src_int_prefix_long+src_int_suffix | stats min(_time) AS firstTime max(_time) AS lastTime values(disable_cause) AS disable_cause values(src_mac) AS src_mac values(src_vlan) AS src_vlan values(action) AS action count by host src_interface | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_port_security_violation_filter`", "how_to_implement": "This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with Port Security and Error Disable for this to work (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.html) and log with a severity level of minimum \"5 - notification\". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices.", "known_false_positives": "This search might be prone to high false positives if you have malfunctioning devices connected to your ethernet ports or if end users periodically connect physical devices to the network.", "references": [], "tags": {"name": "Detect Port Security Violation", "analytic_story": ["Router and Infrastructure Security"], "asset_type": "Infrastructure", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery", "Actions on Objectives", "Exploitation"], "message": "tbd", "mitre_attack_id": ["T1200", "T1498", "T1557", "T1557.002"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "facility", "mnemonic", "disable_cause", "src_int_prefix_long", "src_int_suffix", "src_mac", "src_vlan", "action", "host", "src_interface"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1200", "mitre_attack_technique": "Hardware Additions", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["DarkVishnya"]}, {"mitre_attack_id": "T1498", "mitre_attack_technique": "Network Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1557", "mitre_attack_technique": "Adversary-in-the-Middle", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1557.002", "mitre_attack_technique": "ARP Cache Poisoning", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["Cleaver", "LuminousMoth"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cisco_networks", "definition": "eventtype=cisco_ios", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_port_security_violation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/detect_port_security_violation.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Detect Rogue DHCP Server", "id": "6e1ada88-7a0d-4ac1-92c6-03d354686079", "version": 1, "date": "2020-08-11", "author": "Mikael Bjerkeland, Splunk", "type": "TTP", "status": "experimental", "description": "By enabling DHCP Snooping as a Layer 2 Security measure on the organization's network devices, we will be able to detect unauthorized DHCP servers handing out DHCP leases to devices on the network (Man in the Middle attack).", "data_source": [], "search": "`cisco_networks` facility=\"DHCP_SNOOPING\" mnemonic=\"DHCP_SNOOPING_UNTRUSTED_PORT\" | stats min(_time) AS firstTime max(_time) AS lastTime count values(message_type) AS message_type values(src_mac) AS src_mac BY host | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| `detect_rogue_dhcp_server_filter`", "how_to_implement": "This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with DHCP Snooping enabled (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01101.html) and log with a severity level of minimum \"5 - notification\". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices.", "known_false_positives": "This search might be prone to high false positives if DHCP Snooping has been incorrectly configured or in the unlikely event that the DHCP server has been moved to another network interface.", "references": [], "tags": {"name": "Detect Rogue DHCP Server", "analytic_story": ["Router and Infrastructure Security"], "asset_type": "Infrastructure", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery", "Actions on Objectives", "Exploitation"], "message": "tbd", "mitre_attack_id": ["T1200", "T1498", "T1557"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "facility", "mnemonic", "message_type", "src_mac", "host"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1200", "mitre_attack_technique": "Hardware Additions", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["DarkVishnya"]}, {"mitre_attack_id": "T1498", "mitre_attack_technique": "Network Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1557", "mitre_attack_technique": "Adversary-in-the-Middle", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["Kimsuky"]}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cisco_networks", "definition": "eventtype=cisco_ios", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_rogue_dhcp_server_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/detect_rogue_dhcp_server.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Detect SNICat SNI Exfiltration", "id": "82d06410-134c-11eb-adc1-0242ac120002", "version": 1, "date": "2020-10-21", "author": "Shannon Davis, Splunk", "type": "TTP", "status": "experimental", "description": "This search looks for commands that the SNICat tool uses in the TLS SNI field.", "data_source": [], "search": "`zeek_ssl` | rex field=server_name \"(?(LIST|LS|SIZE|LD|CB|CD|EX|ALIVE|EXIT|WHERE|finito)-[A-Za-z0-9]{16}\\.)\" | stats count by src_ip dest_ip server_name snicat | where count>0 | table src_ip dest_ip server_name snicat | `detect_snicat_sni_exfiltration_filter`", "how_to_implement": "You must be ingesting Zeek SSL data into Splunk. Zeek data should also be getting ingested in JSON format. We are detecting when any of the predefined SNICat commands are found within the server_name (SNI) field. These commands are LIST, LS, SIZE, LD, CB, EX, ALIVE, EXIT, WHERE, and finito. You can go further once this has been detected, and run other searches to decode the SNI data to prove or disprove if any data exfiltration has taken place.", "known_false_positives": "Unknown", "references": ["https://www.mnemonic.io/resources/blog/introducing-snicat/", "https://github.com/mnemonic-no/SNIcat", "https://attack.mitre.org/techniques/T1041/"], "tags": {"name": "Detect SNICat SNI Exfiltration", "analytic_story": ["Data Exfiltration"], "asset_type": "Network", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "message": "tbd", "mitre_attack_id": ["T1041"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "server_name", "src_ip", "dest_ip"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1041", "mitre_attack_technique": "Exfiltration Over C2 Channel", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Chimera", "Confucius", "GALLIUM", "Gamaredon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "LuminousMoth", "MuddyWater", "Sandworm Team", "Stealth Falcon", "Wizard Spider", "ZIRCONIUM"]}]}, "datamodel": [], "macros": [{"name": "zeek_ssl", "definition": "index=zeek sourcetype=\"zeek:ssl:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_snicat_sni_exfiltration_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/detect_snicat_sni_exfiltration.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Detect Software Download To Network Device", "id": "cc590c66-f65f-48f2-986a-4797244762f8", "version": 1, "date": "2020-10-28", "author": "Mikael Bjerkeland, Splunk", "type": "TTP", "status": "experimental", "description": "Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where (All_Traffic.transport=udp AND All_Traffic.dest_port=69) OR (All_Traffic.transport=tcp AND All_Traffic.dest_port=21) OR (All_Traffic.transport=tcp AND All_Traffic.dest_port=22) AND All_Traffic.dest_category!=common_software_repo_destination AND All_Traffic.src_category=network OR All_Traffic.src_category=router OR All_Traffic.src_category=switch by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(\"All_Traffic\")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_software_download_to_network_device_filter`", "how_to_implement": "This search looks for Network Traffic events to TFTP, FTP or SSH/SCP ports from network devices. Make sure to tag any network devices as network, router or switch in order for this detection to work. If the TFTP traffic doesn't traverse a firewall nor packet inspection, these events will not be logged. This is typically an issue if the TFTP server is on the same subnet as the network device. There is also a chance of the network device loading software using a DHCP assigned IP address (netboot) which is not in the Asset inventory.", "known_false_positives": "This search will also report any legitimate attempts of software downloads to network devices as well as outbound SSH sessions from network devices.", "references": [], "tags": {"name": "Detect Software Download To Network Device", "analytic_story": ["Router and Infrastructure Security"], "asset_type": "Infrastructure", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Installation"], "message": "tbd", "mitre_attack_id": ["T1542.005", "T1542"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Traffic.transport", "All_Traffic.dest_port", "All_Traffic.dest_category", "All_Traffic.src_category", "All_Traffic.src", "All_Traffic.dest"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1542.005", "mitre_attack_technique": "TFTP Boot", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1542", "mitre_attack_technique": "Pre-OS Boot", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}]}, "datamodel": ["Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_software_download_to_network_device_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/detect_software_download_to_network_device.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Detect suspicious DNS TXT records using pretrained model in DSDL", "id": "92f65c3a-968c-11ed-a1eb-0242ac120002", "version": 1, "date": "2023-01-15", "author": "Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk", "type": "Anomaly", "status": "experimental", "description": "The following analytic uses a pre trained deep learning model to detect suspicious DNS TXT records. The model is trained independently and is then made available for download. The DNS TXT records are categorized into commonly identified types like email, verification, http using regular expressions https://www.tide-project.nl/blog/wtmc2020/. The TXT records that do not match regular expressions for well known types are labeled as 1 for \"unknown/suspicious\" and otherwise 0 for \"not suspicious\". The deep learning model we have developed uses DNS TXT responses to analyze patterns of character sequences to predict if a DNS TXT is suspicious or not. The higher the pred_is_unknown_proba, the more likely the DNS TXT record is suspicious. The threshold for flagging a domain as suspicious is set at 0.5.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.message_type=response AND DNS.record_type=TXT by DNS.src DNS.dest DNS.answer DNS.record_type | `drop_dm_object_name(\"DNS\")` | rename answer as text | fields firstTime, lastTime, message_type,record_type,src,dest, text | apply detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl | rename predicted_is_unknown as is_suspicious_score | where is_suspicious_score > 0.5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table src,dest,text,record_type, firstTime, lastTime,is_suspicious_score | `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl_filter`", "how_to_implement": "Steps to deploy detect suspicious DNS TXT records model into Splunk App DSDL. This detection depends on the Splunk app for Data Science and Deep Learning which can be found here - `https://splunkbase.splunk.com/app/4607/` and the Network Resolution datamodel which can be found here - `https://splunkbase.splunk.com/app/1621/`. The detection uses a pre-trained deep learning model that needs to be deployed in DSDL app. Follow the steps for deployment here - `https://github.com/splunk/security_content/wiki/How-to-deploy-pre-trained-Deep-Learning-models-for-ESCU`.\\\n* Download the `artifacts .tar.gz` file from the link - `https://seal.splunkresearch.com/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz`.\\\n* Download the `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.ipynb` Jupyter notebook from `https://github.com/splunk/security_content/notebooks`.\\\n* Login to the Jupyter Lab assigned for `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl` container. This container should be listed on Containers page for DSDL app.\\\n* Below steps need to be followed inside Jupyter lab.\\\n* Upload the `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz` file into `app/model/data` path using the upload option in the jupyter notebook.\\\n* Untar the artifact `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz` using `tar -xf app/model/data/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.tar.gz -C app/model/data`.\\\n* Upload detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.ipynb` into Jupyter lab notebooks folder using the upload option in Jupyter lab.\\\n* Save the notebook using the save option in Jupyter notebook.\\\n* Upload `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.json` into `notebooks/data` folder.", "known_false_positives": "False positives may be present if DNS TXT record contents are similar to benign DNS TXT record contents.", "references": ["https://attack.mitre.org/techniques/T1071/004/", "https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/", "https://en.wikipedia.org/wiki/TXT_record"], "tags": {"name": "Detect suspicious DNS TXT records using pretrained model in DSDL", "analytic_story": ["DNS Hijacking", "Suspicious DNS Traffic", "Command and Control"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 90, "impact": 50, "kill_chain_phases": ["Command And Control"], "message": "A suspicious DNS TXT response was detected on host $src$ , kindly review.", "mitre_attack_id": ["T1568.002"], "nist": ["DE.AE"], "observable": [{"name": "answer", "type": "Other", "role": ["Attacker"]}, {"name": "src", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "DNS.message_type", "DNS.record_type", "DNS.src", "DNS.dest", "DNS.answer"], "risk_score": 45, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1568.002", "mitre_attack_technique": "Domain Generation Algorithms", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "TA551"]}]}, "datamodel": ["Network_Resolution"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml", "source": "network"}, {"name": "Detect Traffic Mirroring", "id": "42b3b753-5925-49c5-9742-36fa40a73990", "version": 1, "date": "2020-10-28", "author": "Mikael Bjerkeland, Splunk", "type": "TTP", "status": "experimental", "description": "Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised network infrastructure. Traffic mirroring is a native feature for some network devices and used for network analysis and may be configured to duplicate traffic and forward to one or more destinations for analysis by a network analyzer or other monitoring device.", "data_source": [], "search": "`cisco_networks` (facility=\"MIRROR\" mnemonic=\"ETH_SPAN_SESSION_UP\") OR (facility=\"SPAN\" mnemonic=\"SESSION_UP\") OR (facility=\"SPAN\" mnemonic=\"PKTCAP_START\") OR (mnemonic=\"CFGLOG_LOGGEDCMD\" command=\"monitor session*\") | stats min(_time) AS firstTime max(_time) AS lastTime count BY host facility mnemonic | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `detect_traffic_mirroring_filter`", "how_to_implement": "This search uses a standard SPL query on logs from Cisco Network devices. The network devices must log with a severity level of minimum \"5 - notification\". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices and that the devices have been configured according to the documentation of the Cisco Networks Add-on. Also note that an attacker may disable logging from the device prior to enabling traffic mirroring.", "known_false_positives": "This search will return false positives for any legitimate traffic captures by network administrators.", "references": [], "tags": {"name": "Detect Traffic Mirroring", "analytic_story": ["Router and Infrastructure Security"], "asset_type": "Infrastructure", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery", "Actions on Objectives"], "message": "tbd", "mitre_attack_id": ["T1200", "T1020", "T1498", "T1020.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "facility", "mnemonic", "host"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1200", "mitre_attack_technique": "Hardware Additions", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["DarkVishnya"]}, {"mitre_attack_id": "T1020", "mitre_attack_technique": "Automated Exfiltration", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Gamaredon Group", "Ke3chang", "Sidewinder", "Tropic Trooper"]}, {"mitre_attack_id": "T1498", "mitre_attack_technique": "Network Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1020.001", "mitre_attack_technique": "Traffic Duplication", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}]}, "datamodel": [], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "cisco_networks", "definition": "eventtype=cisco_ios", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_traffic_mirroring_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/detect_traffic_mirroring.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Detect Unauthorized Assets by MAC address", "id": "dcfd6b40-42f9-469d-a433-2e53f7489ff4", "version": 2, "date": "2017-09-13", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "experimental", "description": "By populating the organization's assets within the assets_by_str.csv, we will be able to detect unauthorized devices that are trying to connect with the organization's network by inspecting DHCP request packets, which are issued by devices when they attempt to obtain an IP address from the DHCP server. The MAC address associated with the source of the DHCP request is checked against the list of known devices, and reports on those that are not found.", "data_source": [], "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Sessions where nodename=All_Sessions.DHCP All_Sessions.tag=dhcp by All_Sessions.dest_ip All_Sessions.dest_mac | dedup All_Sessions.dest_mac| `drop_dm_object_name(\"Network_Sessions\")`|`drop_dm_object_name(\"All_Sessions\")` | search NOT [| inputlookup asset_lookup_by_str |rename mac as dest_mac | fields + dest_mac] | `detect_unauthorized_assets_by_mac_address_filter`", "how_to_implement": "This search uses the Network_Sessions data model shipped with Enterprise Security. It leverages the Assets and Identity framework to populate the assets_by_str.csv file located in SA-IdentityManagement, which will contain a list of known authorized organizational assets including their MAC addresses. Ensure that all inventoried systems have their MAC address populated.", "known_false_positives": "This search might be prone to high false positives. Please consider this when conducting analysis or investigations. Authorized devices may be detected as unauthorized. If this is the case, verify the MAC address of the system responsible for the false positive and add it to the Assets and Identity framework with the proper information.", "references": [], "tags": {"name": "Detect Unauthorized Assets by MAC address", "analytic_story": ["Asset Tracking"], "asset_type": "Infrastructure", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Sessions.signature", "All_Sessions.src_ip", "All_Sessions.dest_mac"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": ["Network_Sessions"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_unauthorized_assets_by_mac_address_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/detect_unauthorized_assets_by_mac_address.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Detect Windows DNS SIGRed via Splunk Stream", "id": "babd8d10-d073-11ea-87d0-0242ac130003", "version": 1, "date": "2020-07-28", "author": "Shannon Davis, Splunk", "type": "TTP", "status": "experimental", "description": "The following analytic is an experimental search designed to identify SIGRed exploitation attempts. SIGRed is a severe, wormable, remote code execution vulnerability in Windows DNS servers, identified as CVE-2020-1350. This analytic specifically looks for DNS SIG and KEY records, and TCP payloads larger than 65KB - potential indicators of the SIGRed exploit. It requires ingestion of both Splunk Stream DNS and TCP data. The search does rely on macro definitions for 'stream:dns' and 'stream:tcp', which should be replaced with appropriate configurations tailored to your Splunk environment.", "data_source": [], "search": "`stream_dns` | spath \"query_type{}\" | search \"query_type{}\" IN (SIG,KEY) | spath protocol_stack | search protocol_stack=\"ip:tcp:dns\" | append [search `stream_tcp` bytes_out>65000] | `detect_windows_dns_sigred_via_splunk_stream_filter` | stats count by flow_id | where count>1 | fields - count", "how_to_implement": "You must be ingesting Splunk Stream DNS and Splunk Stream TCP. We are detecting SIG and KEY records via stream:dns and TCP payload over 65KB in size via stream:tcp. Replace the macro definitions ('stream:dns' and 'stream:tcp') with configurations for your Splunk environment.", "known_false_positives": "unknown", "references": [], "tags": {"name": "Detect Windows DNS SIGRed via Splunk Stream", "analytic_story": ["Windows DNS SIGRed CVE-2020-1350"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "tbd", "mitre_attack_id": ["T1203"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "cve": ["CVE-2020-1350"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1203", "mitre_attack_technique": "Exploitation for Client Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT12", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT41", "Andariel", "Aoqin Dragon", "Axiom", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "Higaisa", "Inception", "Lazarus Group", "Leviathan", "MuddyWater", "Mustang Panda", "Patchwork", "Sandworm Team", "Sidewinder", "TA459", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "admin@338"]}]}, "datamodel": [], "macros": [{"name": "stream_dns", "definition": "sourcetype=stream:dns", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "stream_tcp", "definition": "sourcetype=stream:tcp", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_windows_dns_sigred_via_splunk_stream_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2020-1350", "cvss": 10.0, "summary": "A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests, aka 'Windows DNS Server Remote Code Execution Vulnerability'."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/detect_windows_dns_sigred_via_splunk_stream.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Detect Windows DNS SIGRed via Zeek", "id": "c5c622e4-d073-11ea-87d0-0242ac130003", "version": 1, "date": "2020-07-28", "author": "Shannon Davis, Splunk", "type": "TTP", "status": "experimental", "description": "This search detects SIGRed via Zeek DNS and Zeek Conn data.", "data_source": [], "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where DNS.query_type IN (SIG,KEY) by DNS.flow_id | rename DNS.flow_id as flow_id | append [| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.bytes_in>65000 by All_Traffic.flow_id | rename All_Traffic.flow_id as flow_id] | `detect_windows_dns_sigred_via_zeek_filter` | stats count by flow_id | where count>1 | fields - count ", "how_to_implement": "You must be ingesting Zeek DNS and Zeek Conn data into Splunk. Zeek data should also be getting ingested in JSON format. We are detecting SIG and KEY records via bro:dns:json and TCP payload over 65KB in size via bro:conn:json. The Network Resolution and Network Traffic datamodels are in use for this search.", "known_false_positives": "unknown", "references": [], "tags": {"name": "Detect Windows DNS SIGRed via Zeek", "analytic_story": ["Windows DNS SIGRed CVE-2020-1350"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "message": "tbd", "mitre_attack_id": ["T1203"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "DNS.query_type", "DNS.flow_id", "All_Traffic.bytes_in", "All_Traffic.flow_id"], "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "cve": ["CVE-2020-1350"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1203", "mitre_attack_technique": "Exploitation for Client Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT12", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT41", "Andariel", "Aoqin Dragon", "Axiom", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "Higaisa", "Inception", "Lazarus Group", "Leviathan", "MuddyWater", "Mustang Panda", "Patchwork", "Sandworm Team", "Sidewinder", "TA459", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "admin@338"]}]}, "datamodel": ["Network_Resolution", "Network_Traffic"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_windows_dns_sigred_via_zeek_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2020-1350", "cvss": 10.0, "summary": "A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests, aka 'Windows DNS Server Remote Code Execution Vulnerability'."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/detect_windows_dns_sigred_via_zeek.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Detect Zerologon via Zeek", "id": "bf7a06ec-f703-11ea-adc1-0242ac120002", "version": 1, "date": "2020-09-15", "author": "Shannon Davis, Splunk", "type": "TTP", "status": "experimental", "description": "This search detects attempts to run exploits for the Zerologon CVE-2020-1472 vulnerability via Zeek RPC", "data_source": [], "search": "`zeek_rpc` operation IN (NetrServerPasswordSet2,NetrServerReqChallenge,NetrServerAuthenticate3) | bin span=5m _time | stats values(operation) dc(operation) as opscount count(eval(operation==\"NetrServerReqChallenge\")) as challenge count(eval(operation==\"NetrServerAuthenticate3\")) as authcount count(eval(operation==\"NetrServerPasswordSet2\")) as passcount count as totalcount by _time,src_ip,dest_ip | search opscount=3 authcount>4 passcount>0 | search `detect_zerologon_via_zeek_filter`", "how_to_implement": "You must be ingesting Zeek DCE-RPC data into Splunk. Zeek data should also be getting ingested in JSON format. We are detecting when all three RPC operations (NetrServerReqChallenge, NetrServerAuthenticate3, NetrServerPasswordSet2) are splunk_security_essentials_app via bro:rpc:json. These three operations are then correlated on the Zeek UID field.", "known_false_positives": "unknown", "references": ["https://www.secura.com/blog/zero-logon", "https://github.com/SecuraBV/CVE-2020-1472", "https://msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472"], "tags": {"name": "Detect Zerologon via Zeek", "analytic_story": ["Detect Zerologon Attack"], "asset_type": "Network", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "tbd", "mitre_attack_id": ["T1190"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "operation"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "cve": ["CVE-2020-1472"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}]}, "datamodel": [], "macros": [{"name": "zeek_rpc", "definition": "index=zeek sourcetype=\"zeek:rpc:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_zerologon_via_zeek_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2020-1472", "cvss": 9.3, "summary": "An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon Elevation of Privilege Vulnerability'."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/detect_zerologon_via_zeek.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "DNS Query Length Outliers - MLTK", "id": "85fbcfe8-9718-4911-adf6-7000d077a3a9", "version": 2, "date": "2020-01-22", "author": "Rico Valdez, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search allows you to identify DNS requests that are unusually large for the record type being requested in your environment.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as start_time max(_time) as end_time values(DNS.src) as src values(DNS.dest) as dest from datamodel=Network_Resolution by DNS.query DNS.record_type | search DNS.record_type=* | `drop_dm_object_name(DNS)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval query_length = len(query) | apply dns_query_pdfmodel threshold=0.01 | rename \"IsOutlier(query_length)\" as isOutlier | search isOutlier > 0 | sort -query_length | table start_time end_time query record_type count src dest query_length | `dns_query_length_outliers___mltk_filter` ", "how_to_implement": "To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model. In addition, the Machine Learning Toolkit (MLTK) version 4.2 or greater must be installed on your search heads, along with any required dependencies. Finally, the support search \"Baseline of DNS Query Length - MLTK\" must be executed before this detection search, because it builds a machine-learning (ML) model over the historical data used by this search. It is important that this search is run in the same app context as the associated support search, so that the model created by the support search is available for use. You should periodically re-run the support search to rebuild the model with the latest data available in your environment.\\\nThis search produces fields (`query`,`query_length`,`count`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\\\n1. **Label:** DNS Query, **Field:** query\\\n1. \\\n1. **Label:** DNS Query Length, **Field:** query_length\\\n1. \\\n1. **Label:** Number of events, **Field:** count\\\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "If you are seeing more results than desired, you may consider reducing the value for threshold in the search. You should also periodically re-run the support search to re-build the ML model on the latest data.", "references": [], "tags": {"name": "DNS Query Length Outliers - MLTK", "analytic_story": ["Hidden Cobra Malware", "Suspicious DNS Traffic", "Command And Control"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command And Control"], "message": "tbd", "mitre_attack_id": ["T1071.004", "T1071"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "DNS.src", "DNS.dest", "DNS.query", "DNS.record_type"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Dragonfly", "Magic Hound", "Rocke", "TeamTNT"]}]}, "datamodel": ["Network_Resolution"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "dns_query_length_outliers___mltk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/dns_query_length_outliers___mltk.yml", "source": "network"}, {"name": "DNS Query Length With High Standard Deviation", "id": "1a67f15a-f4ff-4170-84e9-08cf6f75d6f5", "version": 4, "date": "2021-10-06", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "production", "description": "This search allows you to identify DNS requests and compute the standard deviation on the length of the names being resolved, then filter on two times the standard deviation to show you those queries that are unusually large for your environment.", "data_source": [], "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where NOT DNS.message_type IN(\"Pointer\",\"PTR\") by DNS.query host| `drop_dm_object_name(\"DNS\")` | eval tlds=split(query,\".\") | eval tld=mvindex(tlds,-1) | eval tld_len=len(tld) | search tld_len<=24 | eval query_length = len(query) | table host query query_length record_type count | eventstats stdev(query_length) AS stdev avg(query_length) AS avg p50(query_length) AS p50| where query_length>(avg+stdev*2) | eval z_score=(query_length-avg)/stdev | `dns_query_length_with_high_standard_deviation_filter`", "how_to_implement": "To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model.", "known_false_positives": "It's possible there can be long domain names that are legitimate.", "references": [], "tags": {"name": "DNS Query Length With High Standard Deviation", "analytic_story": ["Hidden Cobra Malware", "Suspicious DNS Traffic", "Command And Control"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "message": "A dns query $query$ with 2 time standard deviation of name len of the dns query in host $host$", "mitre_attack_id": ["T1048.003", "T1048"], "nist": ["DE.AE"], "observable": [{"name": "host", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "DNS.query"], "risk_score": 56, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/long_dns_queries/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog"}]}], "datamodel": ["Network_Resolution"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "dns_query_length_with_high_standard_deviation_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/dns_query_length_with_high_standard_deviation.yml", "source": "network"}, {"name": "Excessive DNS Failures", "id": "104658f4-afdc-499e-9719-17243f9826f1", "version": 3, "date": "2022-12-21", "author": "bowesmana, Bhavin Patel, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search identifies DNS query failures by counting the number of DNS responses that do not indicate success, and trigger on more than 50 occurrences.", "data_source": [], "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where nodename=DNS \"DNS.reply_code\"!=\"No Error\" \"DNS.reply_code\"!=\"NoError\" DNS.reply_code!=\"unknown\" NOT \"DNS.query\"=\"*.arpa\" \"DNS.query\"=\"*.*\" by \"DNS.src\" \"DNS.query\" \"DNS.reply_code\" | `drop_dm_object_name(\"DNS\")` | lookup cim_corporate_web_domain_lookup domain as query OUTPUT domain | where isnull(domain) | lookup update=true alexa_lookup_by_str domain as query OUTPUT rank | where isnull(rank) | eventstats max(count) as mc by src reply_code | eval mode_query=if(count=mc, query, null()) | stats sum(count) as count values(mode_query) as query values(mc) as max_query_count by src reply_code | where count>50 | `get_asset(src)` | `excessive_dns_failures_filter` ", "how_to_implement": "To successfully implement this search you must ensure that DNS data is populating the Network_Resolution data model.", "known_false_positives": "It is possible legitimate traffic can trigger this rule. Please investigate as appropriate. The threshold for generating an event can also be customized to better suit your environment.", "references": [], "tags": {"name": "Excessive DNS Failures", "analytic_story": ["Suspicious DNS Traffic", "Command And Control"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command And Control"], "message": "Excessive DNS failures detected on $src$", "mitre_attack_id": ["T1071.004", "T1071"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "DNS.query", "DNS.reply_code", "DNS.src"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Dragonfly", "Magic Hound", "Rocke", "TeamTNT"]}]}, "datamodel": ["Network_Resolution"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "excessive_dns_failures_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/excessive_dns_failures.yml", "source": "network"}, {"name": "F5 BIG-IP iControl REST Vulnerability CVE-2022-1388", "id": "bb1c2c30-107a-4e56-a4b9-1f7022867bfe", "version": 1, "date": "2022-05-10", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a recent unauthenticated remote code execution vulnerablity against the F5 BIG-IP iControl REST API. The analytic identifies the URI path found in the POCs and the HTTP Method of POST. In addition, the request header will have the commands that may be executed in fields utilcmdargs and the auth field of X-F5-Auth-Token, which may have a random base64 encoded value.", "data_source": [], "search": "| tstats count from datamodel=Web where Web.url=\"*/mgmt/tm/util/bash*\" Web.http_method=\"POST\" by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good.", "known_false_positives": "False positives may be present if the activity is blocked or was not successful. Filter known vulnerablity scanners. Filter as needed.", "references": ["https://github.com/dk4trin/templates-nuclei/blob/main/CVE-2022-1388.yaml", "https://www.randori.com/blog/vulnerability-analysis-cve-2022-1388/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388", "https://twitter.com/da_667/status/1523770267327250438?s=20&t=-JnB_aNWuJFsmcOmxGUWLQ", "https://github.com/horizon3ai/CVE-2022-1388/blob/main/CVE-2022-1388.py"], "tags": {"name": "F5 BIG-IP iControl REST Vulnerability CVE-2022-1388", "analytic_story": ["F5 BIG-IP Vulnerability CVE-2022-1388"], "asset_type": "Web Server", "cis20": ["CIS 13"], "confidence": 70, "impact": 100, "kill_chain_phases": ["Delivery", "Installation"], "message": "An attempt to exploit CVE-2022-1388 against an F5 appliance $dest$ has occurred.", "mitre_attack_id": ["T1190", "T1133"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Web.http_method", "Web.url", "Web.url_length", "Web.src", "Web.dest", "Web.http_user_agent"], "risk_score": 70, "security_domain": "network", "risk_severity": "medium", "cve": ["CVE-2022-1388"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/f5/f5.log", "source": "pan:threat", "sourcetype": "pan:threat", "update_timestamp": true}]}], "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-1388", "cvss": 7.5, "summary": "On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated"}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Hosts receiving high volume of network traffic from email server", "id": "7f5fb3e1-4209-4914-90db-0ec21b556368", "version": 2, "date": "2020-07-21", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search looks for an increase of data transfers from your email server to your clients. This could be indicative of a malicious actor collecting data using your email server.", "data_source": [], "search": "| tstats `security_content_summariesonly` sum(All_Traffic.bytes_in) as bytes_in from datamodel=Network_Traffic where All_Traffic.dest_category=email_server by All_Traffic.src_ip _time span=1d | `drop_dm_object_name(\"All_Traffic\")` | eventstats avg(bytes_in) as avg_bytes_in stdev(bytes_in) as stdev_bytes_in | eventstats count as num_data_samples avg(eval(if(_time < relative_time(now(), \"@d\"), bytes_in, null))) as per_source_avg_bytes_in stdev(eval(if(_time < relative_time(now(), \"@d\"), bytes_in, null))) as per_source_stdev_bytes_in by src_ip | eval minimum_data_samples = 4, deviation_threshold = 3 | where num_data_samples >= minimum_data_samples AND bytes_in > (avg_bytes_in + (deviation_threshold * stdev_bytes_in)) AND bytes_in > (per_source_avg_bytes_in + (deviation_threshold * per_source_stdev_bytes_in)) AND _time >= relative_time(now(), \"@d\") | eval num_standard_deviations_away_from_server_average = round(abs(bytes_in - avg_bytes_in) / stdev_bytes_in, 2), num_standard_deviations_away_from_client_average = round(abs(bytes_in - per_source_avg_bytes_in) / per_source_stdev_bytes_in, 2) | table src_ip, _time, bytes_in, avg_bytes_in, per_source_avg_bytes_in, num_standard_deviations_away_from_server_average, num_standard_deviations_away_from_client_average | `hosts_receiving_high_volume_of_network_traffic_from_email_server_filter`", "how_to_implement": "This search requires you to be ingesting your network traffic and populating the Network_Traffic data model. Your email servers must be categorized as \"email_server\" for the search to work, as well. You may need to adjust the deviation_threshold and minimum_data_samples values based on the network traffic in your environment. The \"deviation_threshold\" field is a multiplying factor to control how much variation you're willing to tolerate. The \"minimum_data_samples\" field is the minimum number of connections of data samples required for the statistic to be valid.", "known_false_positives": "The false-positive rate will vary based on how you set the deviation_threshold and data_samples values. Our recommendation is to adjust these values based on your network traffic to and from your email servers.", "references": [], "tags": {"name": "Hosts receiving high volume of network traffic from email server", "analytic_story": ["Collection and Staging"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1114.002", "T1114"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Traffic.bytes_in", "All_Traffic.dest_category", "All_Traffic.src_ip"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}, {"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}]}, "datamodel": ["Network_Traffic"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "hosts_receiving_high_volume_of_network_traffic_from_email_server_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/hosts_receiving_high_volume_of_network_traffic_from_email_server.yml", "source": "network"}, {"name": "Large Volume of DNS ANY Queries", "id": "8fa891f7-a533-4b3c-af85-5aa2e7c1f1eb", "version": 1, "date": "2017-09-20", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "experimental", "description": "The search is used to identify attempts to use your DNS Infrastructure for DDoS purposes via a DNS amplification attack leveraging ANY queries.", "data_source": [], "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where nodename=DNS \"DNS.message_type\"=\"QUERY\" \"DNS.record_type\"=\"ANY\" by \"DNS.dest\" | `drop_dm_object_name(\"DNS\")` | where count>200 | `large_volume_of_dns_any_queries_filter`", "how_to_implement": "To successfully implement this search you must ensure that DNS data is populating the Network_Resolution data model.", "known_false_positives": "Legitimate ANY requests may trigger this search, however it is unusual to see a large volume of them under typical circumstances. You may modify the threshold in the search to better suit your environment.", "references": [], "tags": {"name": "Large Volume of DNS ANY Queries", "analytic_story": ["DNS Amplification Attacks"], "asset_type": "DNS Servers", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "message": "tbd", "mitre_attack_id": ["T1498", "T1498.002"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "DNS.message_type", "DNS.record_type", "DNS.dest"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1498", "mitre_attack_technique": "Network Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1498.002", "mitre_attack_technique": "Reflection Amplification", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}]}, "datamodel": ["Network_Resolution"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "large_volume_of_dns_any_queries_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/large_volume_of_dns_any_queries.yml", "source": "network"}, {"name": "Multiple Archive Files Http Post Traffic", "id": "4477f3ea-a28f-11eb-b762-acde48001122", "version": 1, "date": "2021-04-21", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is designed to detect high frequency of archive files data exfiltration through HTTP POST method protocol. This are one of the common techniques used by APT or trojan spy after doing the data collection like screenshot, recording, sensitive data to the infected machines. The attacker may execute archiving command to the collected data, save it a temp folder with a hidden attribute then send it to its C2 through HTTP POST. Sometimes adversaries will rename the archive files or encode/encrypt to cover their tracks. This detection can detect a renamed archive files transfer to HTTP POST since it checks the request body header. Unfortunately this detection cannot support archive that was encrypted or encoded before doing the exfiltration.", "data_source": [], "search": "`stream_http` http_method=POST |eval archive_hdr1=substr(form_data,1,2) | eval archive_hdr2 = substr(form_data,1,4) |stats values(form_data) as http_request_body min(_time) as firstTime max(_time) as lastTime count by http_method http_user_agent uri_path url bytes_in bytes_out archive_hdr1 archive_hdr2 |where count >20 AND (archive_hdr1 = \"7z\" OR archive_hdr1 = \"PK\" OR archive_hdr2=\"Rar!\") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `multiple_archive_files_http_post_traffic_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the stream HTTP logs or network logs that catch network traffic. Make sure that the http-request-body, payload, or request field is enabled in stream http configuration.", "known_false_positives": "Normal archive transfer via HTTP protocol may trip this detection.", "references": ["https://attack.mitre.org/techniques/T1560/001/", "https://www.mandiant.com/resources/apt39-iranian-cyber-espionage-group-focused-on-personal-information", "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/"], "tags": {"name": "Multiple Archive Files Http Post Traffic", "analytic_story": ["Data Exfiltration", "Command And Control"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "message": "A http post $http_method$ sending packet with possible archive bytes header 4form_data$ in uri path $uri_path$", "mitre_attack_id": ["T1048.003", "T1048"], "nist": ["DE.CM"], "observable": [{"name": "uri_path", "type": "URL String", "role": ["Attacker"]}, {"name": "form_data", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "http_method", "http_user_agent", "uri_path", "url", "bytes_in", "bytes_out", "archive_hdr1", "archive_hdr2", "form_data"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/archive_http_post/stream_http_events.log", "source": "stream", "sourcetype": "stream:http"}]}], "datamodel": [], "macros": [{"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "multiple_archive_files_http_post_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/multiple_archive_files_http_post_traffic.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Ngrok Reverse Proxy on Network", "id": "5790a766-53b8-40d3-a696-3547b978fcf0", "version": 1, "date": "2022-11-16", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies the 4 most common Ngrok used domains based on DNS queries under the Network Resolution datamodel. It's possible these domains may be ran against the Web datamodel or ran with a direct query across network/proxy traffic. The sign of someone using Ngrok is not malicious, however, more recenctly it has become an adversary tool.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.query IN (\"*.ngrok.com\",\"*.ngrok.io\", \"ngrok.*.tunnel.com\", \"korgn.*.lennut.com\") by DNS.src DNS.query DNS.answer | `drop_dm_object_name(\"DNS\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ngrok_reverse_proxy_on_network_filter`", "how_to_implement": "The Network Resolution Datamodel will need to have data mapped to it regarding DNS queries. Modify query as needed to use another source.", "known_false_positives": "False positives will be present based on organizations that allow the use of Ngrok. Filter or monitor as needed.", "references": ["https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf"], "tags": {"name": "Ngrok Reverse Proxy on Network", "analytic_story": ["Reverse Network Proxy", "CISA AA22-320A"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 100, "impact": 50, "kill_chain_phases": ["Command And Control"], "message": "An endpoint, $src$, is beaconing out to the reverse proxy service of Ngrok.", "mitre_attack_id": ["T1572", "T1090", "T1102"], "nist": ["DE.AE"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["DNS.src", "DNS.query", "DNS.answer"], "risk_score": 50, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1572", "mitre_attack_technique": "Protocol Tunneling", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Chimera", "Cobalt Group", "FIN6", "Fox Kitten", "Leviathan", "Magic Hound", "OilRig"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "POLONIUM", "Sandworm Team", "Turla", "Windigo"]}, {"mitre_attack_id": "T1102", "mitre_attack_technique": "Web Service", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT32", "EXOTIC LILY", "Ember Bear", "FIN6", "FIN8", "Fox Kitten", "Gamaredon Group", "Inception", "LazyScripter", "Mustang Panda", "Rocke", "TeamTNT", "Turla"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/ngrok/windows-sysmon.log", "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sourcetype": "xmlwineventlog", "update_timestamp": true}]}], "datamodel": ["Network_Resolution"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "ngrok_reverse_proxy_on_network_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/ngrok_reverse_proxy_on_network.yml", "source": "network"}, {"name": "Plain HTTP POST Exfiltrated Data", "id": "e2b36208-a364-11eb-8909-acde48001122", "version": 1, "date": "2021-04-22", "author": "Teoderick Contreras, Splunk", "type": "TTP", "status": "production", "description": "This search is to detect potential plain HTTP POST method data exfiltration. This network traffic is commonly used by trickbot, trojanspy, keylogger or APT adversary where arguments or commands are sent in plain text to the remote C2 server using HTTP POST method as part of data exfiltration.", "data_source": [], "search": "`stream_http` http_method=POST form_data IN (\"*wermgr.exe*\",\"*svchost.exe*\", \"*name=\\\"proclist\\\"*\",\"*ipconfig*\", \"*name=\\\"sysinfo\\\"*\", \"*net view*\") |stats values(form_data) as http_request_body min(_time) as firstTime max(_time) as lastTime count by http_method http_user_agent uri_path url bytes_in bytes_out | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `plain_http_post_exfiltrated_data_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the stream HTTP logs or network logs that catch network traffic. Make sure that the http-request-body, payload, or request field is enabled.", "known_false_positives": "unknown", "references": ["https://blog.talosintelligence.com/2020/03/trickbot-primer.html"], "tags": {"name": "Plain HTTP POST Exfiltrated Data", "analytic_story": ["Data Exfiltration", "Command And Control"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "message": "A http post $http_method$ sending packet with plain text of information $form_data$ in uri path $uri_path$", "mitre_attack_id": ["T1048.003", "T1048"], "nist": ["DE.CM"], "observable": [{"name": "uri_path", "type": "URL String", "role": ["Attacker"]}, {"name": "form_data", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "http_method", "http_user_agent", "uri_path", "url", "bytes_in", "bytes_out"], "risk_score": 63, "security_domain": "network", "risk_severity": "medium", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/plain_exfil_data/stream_http_events.log", "source": "stream", "sourcetype": "stream:http"}]}], "datamodel": [], "macros": [{"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "plain_http_post_exfiltrated_data_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/plain_http_post_exfiltrated_data.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Prohibited Network Traffic Allowed", "id": "ce5a0962-849f-4720-a678-753fe6674479", "version": 2, "date": "2020-07-21", "author": "Rico Valdez, Splunk", "type": "TTP", "status": "experimental", "description": "This search looks for network traffic defined by port and transport layer protocol in the Enterprise Security lookup table \"lookup_interesting_ports\", that is marked as prohibited, and has an associated 'allow' action in the Network_Traffic data model. This could be indicative of a misconfigured network device.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.action = allowed by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action | lookup update=true interesting_ports_lookup dest_port as All_Traffic.dest_port OUTPUT app is_prohibited note transport | search is_prohibited=true | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Traffic\")` | `prohibited_network_traffic_allowed_filter`", "how_to_implement": "In order to properly run this search, Splunk needs to ingest data from firewalls or other network control devices that mediate the traffic allowed into an environment. This is necessary so that the search can identify an 'action' taken on the traffic of interest. The search requires the Network_Traffic data model be populated.", "known_false_positives": "None identified", "references": [], "tags": {"name": "Prohibited Network Traffic Allowed", "analytic_story": ["Prohibited Traffic Allowed or Protocol Mismatch", "Ransomware", "Command And Control"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "message": "tbd", "mitre_attack_id": ["T1048"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Traffic.action", "All_Traffic.src_ip", "All_Traffic.dest_ip", "All_Traffic.dest_port"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}]}, "datamodel": ["Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "prohibited_network_traffic_allowed_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/prohibited_network_traffic_allowed.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Protocol or Port Mismatch", "id": "54dc1265-2f74-4b6d-b30d-49eb506a31b3", "version": 2, "date": "2020-07-21", "author": "Rico Valdez, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search looks for network traffic on common ports where a higher layer protocol does not match the port that is being used. For example, this search should identify cases where protocols other than HTTP are running on TCP port 80. This can be used by attackers to circumvent firewall restrictions, or as an attempt to hide malicious communications over ports and protocols that are typically allowed and not well inspected.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where (All_Traffic.app=dns NOT All_Traffic.dest_port=53) OR ((All_Traffic.app=web-browsing OR All_Traffic.app=http) NOT (All_Traffic.dest_port=80 OR All_Traffic.dest_port=8080 OR All_Traffic.dest_port=8000)) OR (All_Traffic.app=ssl NOT (All_Traffic.dest_port=443 OR All_Traffic.dest_port=8443)) OR (All_Traffic.app=smtp NOT All_Traffic.dest_port=25) by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.app, All_Traffic.dest_port |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Traffic\")` | `protocol_or_port_mismatch_filter`", "how_to_implement": "Running this search properly requires a technology that can inspect network traffic and identify common protocols. Technologies such as Bro and Palo Alto Networks firewalls are two examples that will identify protocols via inspection, and not just assume a specific protocol based on the transport protocol and ports.", "known_false_positives": "None identified", "references": [], "tags": {"name": "Protocol or Port Mismatch", "analytic_story": ["Prohibited Traffic Allowed or Protocol Mismatch", "Command And Control"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "message": "tbd", "mitre_attack_id": ["T1048.003", "T1048"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Traffic.app", "All_Traffic.dest_port", "All_Traffic.src_ip", "All_Traffic.dest_ip"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}]}, "datamodel": ["Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "protocol_or_port_mismatch_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/protocol_or_port_mismatch.yml", "source": "network"}, {"name": "Protocols passing authentication in cleartext", "id": "6923cd64-17a0-453c-b945-81ac2d8c6db9", "version": 3, "date": "2021-08-19", "author": "Rico Valdez, Splunk", "type": "TTP", "status": "experimental", "description": "The following analytic identifies cleartext protocols at risk of leaking sensitive information. Currently, this consists of legacy protocols such as telnet (port 23), POP3 (port 110), IMAP (port 143), and non-anonymous FTP (port 21) sessions. While some of these protocols may be used over SSL, they typically are found on different assigned ports in those instances.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.action!=blocked AND All_Traffic.transport=\"tcp\" AND (All_Traffic.dest_port=\"23\" OR All_Traffic.dest_port=\"143\" OR All_Traffic.dest_port=\"110\" OR (All_Traffic.dest_port=\"21\" AND All_Traffic.user != \"anonymous\")) by All_Traffic.user All_Traffic.src All_Traffic.dest All_Traffic.dest_port | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Traffic\")` | `protocols_passing_authentication_in_cleartext_filter`", "how_to_implement": "This search requires you to be ingesting your network traffic, and populating the Network_Traffic data model. For more accurate result it's better to limit destination to organization private and public IP range, like All_Traffic.dest IN(192.168.0.0/16,172.16.0.0/12,10.0.0.0/8, x.x.x.x/22)", "known_false_positives": "Some networks may use kerberized FTP or telnet servers, however, this is rare.", "references": ["https://www.rackaid.com/blog/secure-your-email-and-file-transfers/", "https://www.infosecmatter.com/capture-passwords-using-wireshark/"], "tags": {"name": "Protocols passing authentication in cleartext", "analytic_story": ["Use of Cleartext Protocols"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Traffic.transport", "All_Traffic.dest_port", "All_Traffic.user", "All_Traffic.src", "All_Traffic.dest", "All_Traffic.action"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": ["Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "protocols_passing_authentication_in_cleartext_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/protocols_passing_authentication_in_cleartext.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Remote Desktop Network Bruteforce", "id": "a98727cc-286b-4ff2-b898-41df64695923", "version": 2, "date": "2020-07-21", "author": "Jose Hernandez, Splunk", "type": "TTP", "status": "experimental", "description": "This search looks for RDP application network traffic and filters any source/destination pair generating more than twice the standard deviation of the average traffic.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=rdp by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | eventstats stdev(count) AS stdev avg(count) AS avg p50(count) AS p50 | where count>(avg + stdev*2) | rename All_Traffic.src AS src All_Traffic.dest AS dest | table firstTime lastTime src dest count avg p50 stdev | `remote_desktop_network_bruteforce_filter`", "how_to_implement": "You must ensure that your network traffic data is populating the Network_Traffic data model.", "known_false_positives": "RDP gateways may have unusually high amounts of traffic from all other hosts' RDP applications in the network.", "references": [], "tags": {"name": "Remote Desktop Network Bruteforce", "analytic_story": ["SamSam Ransomware", "Ryuk Ransomware"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "$dest$ may be the target of an RDP Bruteforce", "mitre_attack_id": ["T1021.001", "T1021"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Traffic.app", "All_Traffic.src", "All_Traffic.dest", "All_Traffic.dest_port"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}]}, "datamodel": ["Network_Traffic"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "remote_desktop_network_bruteforce_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/remote_desktop_network_bruteforce.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Remote Desktop Network Traffic", "id": "272b8407-842d-4b3d-bead-a704584003d3", "version": 3, "date": "2020-07-07", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search looks for network traffic on TCP/3389, the default port used by remote desktop. While remote desktop traffic is not uncommon on a network, it is usually associated with known hosts. This search will ignore common RDP sources and common RDP destinations so you can focus on the uncommon uses of remote desktop on your network.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.dest_port=3389 AND All_Traffic.dest_category!=common_rdp_destination AND All_Traffic.src_category!=common_rdp_source AND all_Traffic.action=\"allowed\" by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(\"All_Traffic\")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_desktop_network_traffic_filter` ", "how_to_implement": "To successfully implement this search you need to identify systems that commonly originate remote desktop traffic and that commonly receive remote desktop traffic. You can use the included support search \"Identify Systems Creating Remote Desktop Traffic\" to identify systems that originate the traffic and the search \"Identify Systems Receiving Remote Desktop Traffic\" to identify systems that receive a lot of remote desktop traffic. After identifying these systems, you will need to add the \"common_rdp_source\" or \"common_rdp_destination\" category to that system depending on the usage, using the Enterprise Security Assets and Identities framework. This can be done by adding an entry in the assets.csv file located in SA-IdentityManagement/lookups.", "known_false_positives": "Remote Desktop may be used legitimately by users on the network.", "references": [], "tags": {"name": "Remote Desktop Network Traffic", "analytic_story": ["SamSam Ransomware", "Ryuk Ransomware", "Hidden Cobra Malware", "Active Directory Lateral Movement"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1021.001", "T1021"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Traffic.dest_port", "All_Traffic.dest_category", "All_Traffic.src_category", "All_Traffic.src", "All_Traffic.dest", "All_Traffic.dest_port"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}]}, "datamodel": ["Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "remote_desktop_network_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/remote_desktop_network_traffic.yml", "source": "network"}, {"name": "SMB Traffic Spike", "id": "7f5fb3e1-4209-4914-90db-0ec21b936378", "version": 3, "date": "2020-07-22", "author": "David Dorsey, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search looks for spikes in the number of Server Message Block (SMB) traffic connections.", "data_source": [], "search": "| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=1h, All_Traffic.src | `drop_dm_object_name(\"All_Traffic\")` | eventstats max(_time) as maxtime | stats count as num_data_samples max(eval(if(_time >= relative_time(maxtime, \"-70m@m\"), count, null))) as count avg(eval(if(_time upperBound AND num_data_samples >=50, 1, 0) | where isOutlier=1 | table src count | `smb_traffic_spike_filter` ", "how_to_implement": "This search requires you to be ingesting your network traffic logs and populating the `Network_Traffic` data model.", "known_false_positives": "A file server may experience high-demand loads that could cause this analytic to trigger.", "references": [], "tags": {"name": "SMB Traffic Spike", "analytic_story": ["Emotet Malware DHS Report TA18-201A ", "Hidden Cobra Malware", "Ransomware", "DHS Report TA18-074A"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1021.002", "T1021"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Traffic.dest_port", "All_Traffic.app", "All_Traffic.src"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}]}, "datamodel": ["Network_Traffic"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "smb_traffic_spike_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/smb_traffic_spike.yml", "source": "network"}, {"name": "SMB Traffic Spike - MLTK", "id": "d25773ba-9ad8-48d1-858e-07ad0bbeb828", "version": 3, "date": "2020-07-22", "author": "Rico Valdez, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search uses the Machine Learning Toolkit (MLTK) to identify spikes in the number of Server Message Block (SMB) connections.", "data_source": [], "search": "| tstats `security_content_summariesonly` count values(All_Traffic.dest_ip) as dest values(All_Traffic.dest_port) as port from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=1h, All_Traffic.src | eval HourOfDay=strftime(_time, \"%H\") | eval DayOfWeek=strftime(_time, \"%A\") | `drop_dm_object_name(All_Traffic)` | apply smb_pdfmodel threshold=0.001 | rename \"IsOutlier(count)\" as isOutlier | search isOutlier > 0 | sort -count | table _time src dest port count | `smb_traffic_spike___mltk_filter` ", "how_to_implement": "To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model. In addition, the Machine Learning Toolkit (MLTK) version 4.2 or greater must be installed on your search heads, along with any required dependencies. Finally, the support search \"Baseline of SMB Traffic - MLTK\" must be executed before this detection search, because it builds a machine-learning (ML) model over the historical data used by this search. It is important that this search is run in the same app context as the associated support search, so that the model created by the support search is available for use. You should periodically re-run the support search to rebuild the model with the latest data available in your environment.\\\nThis search produces a field (Number of events,count) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. This field contributes additional context to the notable. To see the additional metadata, add the following field, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry): \\\n1. **Label:** Number of events, **Field:** count\\\nDetailed documentation on how to create a new field within Incident Review is found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`", "known_false_positives": "If you are seeing more results than desired, you may consider reducing the value of the threshold in the search. You should also periodically re-run the support search to re-build the ML model on the latest data. Please update the `smb_traffic_spike_mltk_filter` macro to filter out false positive results", "references": [], "tags": {"name": "SMB Traffic Spike - MLTK", "analytic_story": ["Emotet Malware DHS Report TA18-201A ", "Hidden Cobra Malware", "Ransomware", "DHS Report TA18-074A"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "message": "tbd", "mitre_attack_id": ["T1021.002", "T1021"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Traffic.dest_ip", "All_Traffic.dest_port", "All_Traffic.app", "All_Traffic.src"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}]}, "datamodel": ["Network_Traffic"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "smb_traffic_spike___mltk_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/smb_traffic_spike___mltk.yml", "source": "network"}, {"name": "Splunk Identified SSL TLS Certificates", "id": "620fbb89-86fd-4e2e-925f-738374277586", "version": 1, "date": "2022-05-25", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following analytic uses tags of SSL, TLS and certificate to identify the usage of the Splunk default certificates being utilized in the environment. Recommended guidance is to utilize valid TLS certificates which documentation may be found in Splunk Docs - https://docs.splunk.com/Documentation/Splunk/8.2.6/Security/AboutsecuringyourSplunkconfigurationwithSSL.", "data_source": [], "search": "tag IN (ssl, tls, certificate) ssl_issuer_common_name=*splunk* | stats values(src) AS \"Host(s) with Default Cert\" count by ssl_issuer ssl_subject_common_name ssl_subject_organization ssl_subject host sourcetype | `splunk_identified_ssl_tls_certificates_filter`", "how_to_implement": "Ingestion of SSL/TLS data is needed and to be tagged properly as ssl, tls or certificate. This data may come from a proxy, zeek, or Splunk Streams. Splunk SOAR customers can find a SOAR workbook that walks an analyst through the process of running these hunting searches in the references list of this detection. In order to use this workbook, a user will need to run a curl command to post the file to their SOAR instance such as \"curl -u username:password https://soar.instance.name/rest/rest/workbook_template -d @splunk_psa_0622.json\". A user should then create an empty container or case, attach the workbook, and begin working through the tasks.", "known_false_positives": "False positives will not be present as it is meant to assist with identifying default certificates being utilized.", "references": ["https://docs.splunk.com/Documentation/Splunk/8.2.6/Security/AboutsecuringyourSplunkconfigurationwithSSL", "https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json"], "tags": {"name": "Splunk Identified SSL TLS Certificates", "analytic_story": ["Splunk Vulnerabilities"], "asset_type": "Proxy", "cis20": ["CIS 13"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Exploitation"], "message": "The following $dest$ is using the self signed Splunk certificate.", "mitre_attack_id": ["T1040"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["ssl_issuer", "ssl_subject_common_name", "ssl_subject_organization", "ssl_subject", "host", "sourcetype"], "risk_score": 42, "security_domain": "network", "risk_severity": "low", "cve": ["CVE-2022-32151", "CVE-2022-32152"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1040", "mitre_attack_technique": "Network Sniffing", "mitre_attack_tactics": ["Credential Access", "Discovery"], "mitre_attack_groups": ["APT28", "APT33", "DarkVishnya", "Kimsuky", "Sandworm Team"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1040/ssltls/ssl_splunk.log", "source": "stream:tcp", "sourcetype": "stream:tcp", "update_timestamp": true}]}], "datamodel": [], "macros": [{"name": "splunk_identified_ssl_tls_certificates_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-32151", "cvss": 6.4, "summary": "The httplib and urllib Python libraries that Splunk shipped with Splunk Enterprise did not validate certificates using the certificate authority (CA) certificate stores by default in Splunk Enterprise versions before 9.0 and Splunk Cloud Platform versions before 8.2.2203. Python 3 client libraries now verify server certificates by default and use the appropriate CA certificate stores for each library. Apps and add-ons that include their own HTTP libraries are not affected. For Splunk Enterprise, update to Splunk Enterprise version 9.0 and Configure TLS host name validation for Splunk-to-Splunk communications (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation) to enable the remediation."}, {"id": "CVE-2022-32152", "cvss": 6.5, "summary": "Splunk Enterprise peers in Splunk Enterprise versions before 9.0 and Splunk Cloud Platform versions before 8.2.2203 did not validate the TLS certificates during Splunk-to-Splunk communications by default. Splunk peer communications configured properly with valid certificates were not vulnerable. However, an attacker with administrator credentials could add a peer without a valid certificate and connections from misconfigured nodes without valid certificates did not fail by default. For Splunk Enterprise, update to Splunk Enterprise version 9.0 and Configure TLS host name validation for Splunk-to-Splunk communications (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation) to enable the remediation."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/splunk_identified_ssl_tls_certificates.yml", "source": "network"}, {"name": "SSL Certificates with Punycode", "id": "696694df-5706-495a-81f2-79501fa11b90", "version": 1, "date": "2022-11-01", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "experimental", "description": "The following analytic utilizes the Certificates Datamodel to look for punycode domains, starting with xn--, found in the SSL issuer email domain. The presence of punycode here does not equate to evil, therefore we need to decode the punycode to determine what it translates to. Remove the CyberChef recipe as needed and decode manually. Note that this is not the exact location of the malicious punycode to trip CVE-2022-3602, but a method to at least identify fuzzing occurring on these email paths. What does evil look like? it will start with", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Certificates.All_Certificates by All_Certificates.SSL.ssl_issuer_email_domain All_Certificates.SSL.ssl_issuer All_Certificates.SSL.ssl_subject_email All_Certificates.SSL.dest All_Certificates.SSL.src All_Certificates.SSL.sourcetype All_Certificates.SSL.ssl_subject_email_domain | `drop_dm_object_name(\"All_Certificates.SSL\")` | eval punycode=if(like(ssl_issuer_email_domain,\"%xn--%\"),1,0) | where punycode=1 | cyberchef infield=\"ssl_issuer_email_domain\" outfield=\"convertedPuny\" jsonrecipe=\"[{\"op\":\"From Punycode\",\"args\":[true]}]\" | table ssl_issuer_email_domain convertedPuny ssl_issuer ssl_subject_email dest src sourcetype ssl_subject_email_domain | `ssl_certificates_with_punycode_filter`", "how_to_implement": "Ensure data is properly being ingested into the Certificates datamodel. If decoding the of interest, the CyberChef app is needed https://splunkbase.splunk.com/app/5348. If decoding is not needed, remove the cyberchef lines.", "known_false_positives": "False positives may be present if the organization works with international businesses. Filter as needed.", "references": ["https://www.splunk.com/en_us/blog/security/nothing-puny-about-cve-2022-3602.html", "https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/", "https://community.emergingthreats.net/t/out-of-band-ruleset-update-summary-2022-11-01/117", "https://github.com/corelight/CVE-2022-3602/tree/master/scripts"], "tags": {"name": "SSL Certificates with Punycode", "analytic_story": ["OpenSSL CVE-2022-3602"], "asset_type": "Network", "cis20": ["CIS 13"], "confidence": 30, "impact": 50, "kill_chain_phases": ["Command And Control"], "message": "A x509 certificate has been identified to have punycode in the SSL issuer email domain on $dest$.", "mitre_attack_id": ["T1573"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["All_Certificates.SSL.ssl_issuer_email_domain", "All_Certificates.SSL.ssl_issuer", "All_Certificates.SSL.ssl_subject_email", "All_Certificates.SSL.dest", "All_Certificates.SSL.src", "All_Certificates.SSL.sourcetype", "All_Certificates.SSL.ssl_subject_email_domain"], "risk_score": 15, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1573", "mitre_attack_technique": "Encrypted Channel", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT29", "BITTER", "Magic Hound", "Tropic Trooper"]}]}, "datamodel": [], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "ssl_certificates_with_punycode_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/ssl_certificates_with_punycode.yml", "source": "network"}, {"name": "TOR Traffic", "id": "ea688274-9c06-4473-b951-e4cb7a5d7a45", "version": 2, "date": "2020-07-22", "author": "David Dorsey, Splunk", "type": "TTP", "status": "experimental", "description": "This search looks for network traffic identified as The Onion Router (TOR), a benign anonymity network which can be abused for a variety of nefarious purposes.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=tor AND All_Traffic.action=allowed by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Traffic\")` | `tor_traffic_filter`", "how_to_implement": "In order to properly run this search, Splunk needs to ingest data from firewalls or other network control devices that mediate the traffic allowed into an environment. This is necessary so that the search can identify an 'action' taken on the traffic of interest. The search requires the Network_Traffic data model be populated.", "known_false_positives": "None at this time", "references": [], "tags": {"name": "TOR Traffic", "analytic_story": ["Prohibited Traffic Allowed or Protocol Mismatch", "Ransomware", "NOBELIUM Group", "Command And Control"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Command And Control"], "message": "tbd", "mitre_attack_id": ["T1071", "T1071.001"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "All_Traffic.app", "All_Traffic.action", "All_Traffic.src_ip", "All_Traffic.dest_ip", "All_Traffic.dest_port"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Dragonfly", "Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1071.001", "mitre_attack_technique": "Web Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Confucius", "Dark Caracal", "FIN4", "FIN8", "Gamaredon Group", "HAFNIUM", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "OilRig", "Orangeworm", "Rancor", "Rocke", "Sandworm Team", "Sidewinder", "SilverTerrier", "Stealth Falcon", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "WIRTE", "Windshift", "Wizard Spider"]}]}, "datamodel": ["Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "tor_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/tor_traffic.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Unusually Long Content-Type Length", "id": "57a0a2bf-353f-40c1-84dc-29293f3c35b7", "version": 1, "date": "2017-10-13", "author": "Bhavin Patel, Splunk", "type": "Anomaly", "status": "experimental", "description": "This search looks for unusually long strings in the Content-Type http header that the client sends the server.", "data_source": [], "search": "`stream_http` | eval cs_content_type_length = len(cs_content_type) | where cs_content_type_length > 100 | table endtime src_ip dest_ip cs_content_type_length cs_content_type url | `unusually_long_content_type_length_filter`", "how_to_implement": "This particular search leverages data extracted from Stream:HTTP. You must configure the http stream using the Splunk Stream App on your Splunk Stream deployment server to extract the cs_content_type field.", "known_false_positives": "Very few legitimate Content-Type fields will have a length greater than 100 characters.", "references": [], "tags": {"name": "Unusually Long Content-Type Length", "analytic_story": ["Apache Struts Vulnerability"], "asset_type": "Web Server", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "cs_content_type", "endtime", "src_ip", "dest_ip", "url"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": [], "macros": [{"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "unusually_long_content_type_length_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/unusually_long_content_type_length.yml", "source": "network"}, {"name": "Windows AD Replication Service Traffic", "id": "c6e24183-a5f4-4b2a-ad01-2eb456d09b67", "version": 1, "date": "2022-11-26", "author": "Steven Dick", "type": "TTP", "status": "experimental", "description": "This search looks for evidence of Active Directory replication traffic [MS-DRSR] from unexpected sources. This traffic is often seen exclusively between Domain Controllers for AD database replication. Any detections from non-domain controller source to a domain controller may indicate the usage of DCSync or DCShadow credential dumping techniques.", "data_source": [], "search": "| tstats `security_content_summariesonly` count values(All_Traffic.transport) as transport values(All_Traffic.user) as user values(All_Traffic.src_category) as src_category values(All_Traffic.dest_category) as dest_category min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app IN (\"ms-dc-replication\",\"*drsr*\",\"ad drs\") by All_Traffic.src All_Traffic.dest All_Traffic.app | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\"All_Traffic\")` | `windows_ad_replication_service_traffic_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting application aware firewall or proxy logs into the Network Datamodel. Categorize all known domain controller Assets servers with an appropriate category for filtering.", "known_false_positives": "New domain controllers or certian scripts run by administrators.", "references": ["https://adsecurity.org/?p=1729", "https://attack.mitre.org/techniques/T1003/006/", "https://attack.mitre.org/techniques/T1207/"], "tags": {"name": "Windows AD Replication Service Traffic", "analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "endpoint", "cis20": ["CIS 13"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "Active Directory Replication Traffic from Unknown Source - $src$", "mitre_attack_id": ["T1003", "T1003.006", "T1207"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "IP Address", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["All_Traffic.src", "All_Traffic.dest", "All_Traffic.app"], "risk_score": 100, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1003.006", "mitre_attack_technique": "DCSync", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Earth Lusca", "LAPSUS$"]}, {"mitre_attack_id": "T1207", "mitre_attack_technique": "Rogue Domain Controller", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "datamodel": ["Network_Traffic"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_ad_replication_service_traffic_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/windows_ad_replication_service_traffic.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Windows AD Rogue Domain Controller Network Activity", "id": "c4aeeeef-da7f-4338-b3ba-553cbcbe2138", "version": 1, "date": "2022-09-08", "author": "Dean Luxton", "type": "TTP", "status": "experimental", "description": "This detection is looking at zeek wiredata for specific replication RPC calls being performed from a device which is not a domain controller. If you would like to capture these RPC calls using Splunk Stream, please vote for my idea here https://ideas.splunk.com/ideas/APPSID-I-619 ;)", "data_source": [], "search": "`zeek_rpc` DrsReplicaAdd OR DRSGetNCChanges | where NOT (dest_category=\"Domain Controller\") OR NOT (src_category=\"Domain Controller\") | fillnull value=\"Unknown\" src_category, dest_category | table _time endpoint operation src src_category dest dest_category | `windows_ad_rogue_domain_controller_network_activity_filter`", "how_to_implement": "Run zeek on domain controllers to capture the DCE RPC calls, ensure the domain controller categories are defined in Assets and Identities.", "known_false_positives": "None.", "references": ["https://adsecurity.org/?p=1729"], "tags": {"name": "Windows AD Rogue Domain Controller Network Activity", "analytic_story": ["Sneaky Active Directory Persistence Tricks"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Exploitation"], "message": "Rogue DC Activity Detected from $src_category$ device $src$ to $dest$ ($dest_category$)", "mitre_attack_id": ["T1207"], "nist": ["DE.CM"], "observable": [{"name": "src", "type": "IP Address", "role": ["Attacker"]}, {"name": "dest", "type": "IP Address", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "src", "dest"], "risk_score": 100, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1207", "mitre_attack_technique": "Rogue Domain Controller", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}]}, "datamodel": ["Change"], "macros": [{"name": "zeek_rpc", "definition": "index=zeek sourcetype=\"zeek:rpc:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "windows_ad_rogue_domain_controller_network_activity_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/windows_ad_rogue_domain_controller_network_activity.yml", "source": "network", "nes_fields": "user,dest"}, {"name": "Zeek x509 Certificate with Punycode", "id": "029d6fe4-a5fe-43af-827e-c78c50e81d81", "version": 1, "date": "2022-11-03", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "experimental", "description": "The following analytic utilizes the Zeek x509 log. Modify the zeek_x509 macro with your index and sourcetype as needed. You will need to ensure the full x509 is logged as the potentially malicious punycode is nested under subject alternative names. In this particular analytic, it will identify punycode within the subject alternative name email and other fields. Note, that OtherFields is meant to be BOOL (true,false), therefore we may never see xn-- in that field. Upon identifying punycode, manually copy and paste, or add CyberChef recipe to query, and decode the punycode manually.", "data_source": [], "search": "`zeek_x509` | rex field=san.email{} \"\\@(?xn--.*)\" | rex field=san.other_fields{} \"\\@(?xn--.*)\" | stats values(domain_detected) by basic_constraints.ca source host | `zeek_x509_certificate_with_punycode_filter`", "how_to_implement": "The following analytic requires x509 certificate data to be logged entirely. In particular, for CVE-2022-3602, the punycode will be within the leaf certificate. The analytic may be modified to look for all xn--, or utilize a network IDS/monitoring tool like Zeek or Suricata to drill down into cert captured. Note for Suricata, the certificate is base64 encoded and will need to be decoded to capture the punycode (punycode will need to be decoded after).", "known_false_positives": "False positives may be present if the organization works with international businesses. Filter as needed.", "references": ["https://community.emergingthreats.net/t/out-of-band-ruleset-update-summary-2022-11-01/117", "https://github.com/corelight/CVE-2022-3602/tree/master/scripts", "https://docs.zeek.org/en/master/logs/x509.html", "https://www.splunk.com/en_us/blog/security/nothing-puny-about-cve-2022-3602.html", "https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/", "https://docs.zeek.org/en/master/scripts/base/init-bare.zeek.html#type-X509::SubjectAlternativeName"], "tags": {"name": "Zeek x509 Certificate with Punycode", "analytic_story": ["OpenSSL CVE-2022-3602"], "asset_type": "Network", "cis20": ["CIS 13"], "confidence": 30, "impact": 50, "kill_chain_phases": ["Command And Control"], "message": "A x509 certificate has been identified to have punycode in the subject alternative name on $dest$.", "mitre_attack_id": ["T1573"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["domain_detected", "basic_constraints.ca", "source", "host"], "risk_score": 15, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1573", "mitre_attack_technique": "Encrypted Channel", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT29", "BITTER", "Magic Hound", "Tropic Trooper"]}]}, "datamodel": [], "macros": [{"name": "zeek_x509", "definition": "sourcetype=\"zeek:x509:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "zeek_x509_certificate_with_punycode_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/network/zeek_x509_certificate_with_punycode.yml", "source": "network"}, {"name": "Confluence Unauthenticated Remote Code Execution CVE-2022-26134", "id": "fcf4bd3f-a79f-4b7a-83bf-2692d60b859c", "version": 1, "date": "2022-06-03", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic assists with identifying CVE-2022-26134 based exploitation utilizing the Web datamodel to cover network and CIM compliant web logs. The parameters were captured from live scanning and the POC provided by Rapid7. This analytic is written against multiple proof of concept codes released and seen in the wild (scanning). During triage, review any endpoint based logs for further activity including writing a jsp file to disk and commands/processes spawning running as root from the Confluence process.", "data_source": [], "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*${*\", \"*%2F%7B*\") (Web.url=\"*org.apache.commons.io.IOUtils*\" Web.url=\"*java.lang.Runtime@getRuntime().exec*\") OR (Web.url=\"*java.lang.Runtime%40getRuntime%28%29.exec*\") OR (Web.url=\"*getEngineByName*\" AND Web.url=\"*nashorn*\" AND Web.url=\"*ProcessBuilder*\") by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `confluence_unauthenticated_remote_code_execution_cve_2022_26134_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache or Splunk for Nginx. In addition, network based logs or event data like PAN Threat.", "known_false_positives": "Tune based on assets if possible, or restrict to known Confluence servers. Remove the ${ for a more broad query. To identify more exec, remove everything up to the last parameter (Runtime().exec) for a broad query.", "references": ["https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html", "https://www.splunk.com/en_us/blog/security/atlassian-confluence-vulnerability-cve-2022-26134.html", "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", "https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/"], "tags": {"name": "Confluence Unauthenticated Remote Code Execution CVE-2022-26134", "analytic_story": ["Atlassian Confluence Server and Data Center CVE-2022-26134"], "asset_type": "Web Server", "cis20": ["CIS 13"], "confidence": 100, "impact": 100, "kill_chain_phases": ["Installation", "Delivery"], "message": "A URL was requested related to CVE-2022-26134, a unauthenticated remote code execution vulnerability, on $dest$ by $src$.", "mitre_attack_id": ["T1505", "T1190", "T1133"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "IP Address", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Web.http_method", "Web.url", "Web.url_length", "Web.src", "Web.dest", "Web.http_user_agent"], "risk_score": 100, "security_domain": "network", "risk_severity": "high", "cve": ["CVE-2022-26134"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/java/confluence.log", "source": "pan:threat", "sourcetype": "pan:threat", "update_timestamp": true}]}], "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "confluence_unauthenticated_remote_code_execution_cve_2022_26134_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-26134", "cvss": 7.5, "summary": "In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml", "source": "web", "nes_fields": "user,dest"}, {"name": "Detect attackers scanning for vulnerable JBoss servers", "id": "104658f4-afdc-499e-9719-17243f982681", "version": 1, "date": "2017-09-23", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "experimental", "description": "This search looks for specific GET or HEAD requests to web servers that are indicative of reconnaissance attempts to identify vulnerable JBoss servers. JexBoss is described as the exploit tool of choice for this malicious activity.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.http_method=\"GET\" OR Web.http_method=\"HEAD\") AND (Web.url=\"*/web-console/ServerInfo.jsp*\" OR Web.url=\"*web-console*\" OR Web.url=\"*jmx-console*\" OR Web.url = \"*invoker*\") by Web.http_method, Web.url, Web.src, Web.dest | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_attackers_scanning_for_vulnerable_jboss_servers_filter`", "how_to_implement": "You must be ingesting data from the web server or network traffic that contains web specific information, and populating the Web data model.", "known_false_positives": "It's possible for legitimate HTTP requests to be made to URLs containing the suspicious paths.", "references": [], "tags": {"name": "Detect attackers scanning for vulnerable JBoss servers", "analytic_story": ["JBoss Vulnerability", "SamSam Ransomware"], "asset_type": "Web Server", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "message": "tbd", "mitre_attack_id": ["T1082", "T1133"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Web.http_method", "Web.url", "Web.src", "Web.dest"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TeamTNT", "Tropic Trooper", "Turla", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_attackers_scanning_for_vulnerable_jboss_servers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/detect_attackers_scanning_for_vulnerable_jboss_servers.yml", "source": "web", "nes_fields": "user,dest"}, {"name": "Detect F5 TMUI RCE CVE-2020-5902", "id": "810e4dbc-d46e-11ea-87d0-0242ac130003", "version": 1, "date": "2020-08-02", "author": "Shannon Davis, Splunk", "type": "TTP", "status": "experimental", "description": "This search detects remote code exploit attempts on F5 BIG-IP, BIG-IQ, and Traffix SDC devices", "data_source": [], "search": "`f5_bigip_rogue` | regex _raw=\"(hsqldb;|.*\\\\.\\\\.;.*)\" | search `detect_f5_tmui_rce_cve_2020_5902_filter`", "how_to_implement": "To consistently detect exploit attempts on F5 devices using the vulnerabilities contained within CVE-2020-5902 it is recommended to ingest logs via syslog. As many BIG-IP devices will have SSL enabled on their management interfaces, detections via wire data may not pick anything up unless you are decrypting SSL traffic in order to inspect it. I am using a regex string from a Cloudflare mitigation technique to try and always catch the offending string (..;), along with the other exploit of using (hsqldb;).", "known_false_positives": "unknown", "references": ["https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/", "https://support.f5.com/csp/article/K52145254"], "tags": {"name": "Detect F5 TMUI RCE CVE-2020-5902", "analytic_story": ["F5 TMUI RCE CVE-2020-5902"], "asset_type": "Network", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "tbd", "mitre_attack_id": ["T1190"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "cve": ["CVE-2020-5902"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}]}, "datamodel": [], "macros": [{"name": "f5_bigip_rogue", "definition": "index=netops sourcetype=\"f5:bigip:rogue\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "detect_f5_tmui_rce_cve_2020_5902_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2020-5902", "cvss": 10.0, "summary": "In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/detect_f5_tmui_rce_cve_2020_5902.yml", "source": "web", "nes_fields": "user,dest"}, {"name": "Detect malicious requests to exploit JBoss servers", "id": "c8bff7a4-11ea-4416-a27d-c5bca472913d", "version": 1, "date": "2017-09-23", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "experimental", "description": "This search is used to detect malicious HTTP requests crafted to exploit jmx-console in JBoss servers. The malicious requests have a long URL length, as the payload is embedded in the URL.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.http_method=\"GET\" OR Web.http_method=\"HEAD\") by Web.http_method, Web.url,Web.url_length Web.src, Web.dest | search Web.url=\"*jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin*import*\" AND Web.url_length > 200 | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table src, dest_ip, http_method, url, firstTime, lastTime | `detect_malicious_requests_to_exploit_jboss_servers_filter`", "how_to_implement": "You must ingest data from the web server or capture network data that contains web specific information with solutions such as Bro or Splunk Stream, and populating the Web data model", "known_false_positives": "No known false positives for this detection.", "references": [], "tags": {"name": "Detect malicious requests to exploit JBoss servers", "analytic_story": ["JBoss Vulnerability", "SamSam Ransomware"], "asset_type": "Web Server", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Web.http_method", "Web.url", "Web.url_length", "Web.src", "Web.dest"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "detect_malicious_requests_to_exploit_jboss_servers_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/detect_malicious_requests_to_exploit_jboss_servers.yml", "source": "web", "nes_fields": "user,dest"}, {"name": "Exploit Public Facing Application via Apache Commons Text", "id": "19a481e0-c97c-4d14-b1db-75a708eb592e", "version": 2, "date": "2023-01-23", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies activity related to Text4Shell, or the critical vulnerability CVE-2022-42889 in Apache Commons Text Library. Apache Commons Text versions 1.5 through 1.9 are affected, but it has been patched in version 1.10. The analytic may need to be tuned for your environment before enabling as a TTP, or direct Notable. Apache Commons Text is a Java library described as a library focused on algorithms working on strings. We can see it as a general-purpose text manipulation toolkit. This vulnerability affects the StringSubstitutor interpolator class, which is included in the Commons Text library. A default interpolator allows for string lookups that can lead to Remote Code Execution. This is due to a logic flaw that makes the script, dns, and url lookup keys interpolated by default, as opposed to what it should be, according to the documentation of the StringLookupFactory class. Those keys allow an attacker to execute arbitrary code via lookups.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.http_method IN (POST, GET) by Web.src Web.status Web.uri_path Web.dest Web.http_method Web.uri_query Web.http_user_agent | `drop_dm_object_name(\"Web\")` | eval utf=if(like(lower(uri_query),\"%:utf-8:http%\"),2,0) | eval lookup = if(like(lower(uri_query), \"%url%\") OR like(lower(uri_query), \"%dns%\") OR like(lower(uri_query), \"%script%\"),2,0) | eval other_lookups = if(like(lower(uri_query), \"%env%\") OR like(lower(uri_query), \"%file%\") OR like(lower(uri_query), \"%getRuntime%\") OR like(lower(uri_query), \"%java%\") OR like(lower(uri_query), \"%localhost%\") OR like(lower(uri_query), \"%properties%\") OR like(lower(uri_query), \"%resource%\") OR like(lower(uri_query), \"%sys%\") OR like(lower(uri_query), \"%xml%\") OR like(lower(uri_query), \"%base%\"),1,0) | addtotals fieldname=Score utf lookup other_lookups | fields Score, src, dest, status, uri_query, uri_path, http_method, http_user_agent firstTime lastTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where Score >= 4 | `exploit_public_facing_application_via_apache_commons_text_filter`", "how_to_implement": "To implement, one must be collecting network traffic that is normalized in CIM and able to be queried via the Web datamodel. Or, take the chunks out needed and tie to a specific network source type to hunt in. Tune as needed, or remove the other_lookups statement.", "known_false_positives": "False positives are present when the values are set to 1 for utf and lookup. It's possible to raise this to TTP (direct notable) if removal of other_lookups occur and Score is raised to 2 (down from 4).", "references": ["https://sysdig.com/blog/cve-2022-42889-text4shell/", "https://nvd.nist.gov/vuln/detail/CVE-2022-42889", "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om", "https://www.rapid7.com/blog/post/2022/10/17/cve-2022-42889-keep-calm-and-stop-saying-4shell/", "https://github.com/kljunowsky/CVE-2022-42889-text4shell", "https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035"], "tags": {"name": "Exploit Public Facing Application via Apache Commons Text", "analytic_story": ["Text4Shell CVE-2022-42889"], "asset_type": "Web Server", "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation", "Delivery"], "message": "A URL was requested related to Text4Shell on $dest$ by $src$.", "mitre_attack_id": ["T1505.003", "T1505", "T1190", "T1133"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "IP Address", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Web.http_method", "Web.src", "Web.dest", "Web.http_user_agent", "Web.status", "Web.uri_query", "Web.uri_path"], "risk_score": 49, "security_domain": "network", "risk_severity": "low", "cve": ["CVE-2022-42889"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/text4shell/text4shell.log", "source": "bro:http:json", "sourcetype": "bro:http:json", "update_timestamp": true}]}], "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "exploit_public_facing_application_via_apache_commons_text_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-42889", "cvss": null, "summary": "Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is \"${prefix:name}\", where \"prefix\" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - \"script\" - execute expressions using the JVM script execution engine (javax.script) - \"dns\" - resolve dns records - \"url\" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/exploit_public_facing_application_via_apache_commons_text.yml", "source": "web"}, {"name": "Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952", "id": "2038f5c6-5aba-4221-8ae2-ca76e2ca8b97", "version": 1, "date": "2023-02-21", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies a recent CVE-2022-39952 released publicly where the URI configWizard/keyUpload.jsp recieves a POST with the payload.zip, from there the POC script will schedule a cron to run the payload and contact the remote C2.", "data_source": [], "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*configWizard/keyUpload.jsp*\") by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `exploit_public_facing_fortinet_fortinac_cve_2022_39952_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "False positives may be present. Modify the query as needed to POST, or add additional filtering (based on log source).", "references": ["https://github.com/horizon3ai/CVE-2022-39952", "https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/", "https://viz.greynoise.io/tag/fortinac-rce-attempt?days=30"], "tags": {"name": "Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952", "analytic_story": ["Fortinet FortiNAC CVE-2022-39952"], "asset_type": "Network", "cis20": ["CIS 13"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Delivery", "Installation"], "message": "Potential CVE-2022-39952 against a Fortinet NAC may be occurring against $dest$.", "mitre_attack_id": ["T1190", "T1133"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Web.http_user_agent", "Web.http_method", "Web.url", "Web.url_length", "Web.src", "Web.dest", "sourcetype"], "risk_score": 64, "security_domain": "network", "risk_severity": "medium", "cve": ["CVE-2022-39952"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/fortigate/web_fortinetnac.log", "source": "pan:threat", "sourcetype": "pan:threat", "update_timestamp": true}]}], "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "exploit_public_facing_fortinet_fortinac_cve_2022_39952_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-39952", "cvss": null, "summary": "A external control of file name or path in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, 8.3.7 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP request."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/exploit_public_facing_fortinet_fortinac_cve_2022_39952.yml", "source": "web", "nes_fields": "user,dest"}, {"name": "Fortinet Appliance Auth bypass", "id": "a83122f2-fa09-4868-a230-544dbc54bc1c", "version": 1, "date": "2022-10-14", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "CVE-2022-40684 is a Fortinet appliance auth bypass that is actively being exploited and a POC is released publicy. The POC adds a SSH key to the appliance. Note that the exploit can be used with any HTTP method (GET, POST, PUT, DELETE, etc). The REST API request failing is not an indication that an attacker was unsuccessful. Horizon3 was able to modify the admin SSH keys though a REST API request that reportedly failed. The collection /api/v2/ endpoints can be used to configure the system and modify the administrator user. Any logs found that meet the above conditions and also have a URL containing /api/v2/ should be cause for concern. Further investigation of any matching log entries can reveal any damage an attack has done. Additionally, an attacker may perform the following actions to further compromise a system Modify the admin SSH key to enable the attacker to login to the compromised system. \\\nAdd new local users. \\\nUpdate networking configurations to reroute traffic. \\\nDownload the system configuration. \\\nInitiate packet captures to capture other sensitive system information. Reference Horizon3.ai", "data_source": [], "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/api/v2/cmdb/system/admin*\") Web.http_method IN (\"GET\", \"PUT\") by Web.http_user_agent, Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `fortinet_appliance_auth_bypass_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache. Splunk for Nginx, or Splunk for Palo Alto.", "known_false_positives": "GET requests will be noisy and need to be filtered out or removed from the query based on volume. Restrict analytic to known publically facing Fortigates, or run analytic as a Hunt until properly tuned. It is also possible the user agent may be filtered on Report Runner or Node.js only for the exploit, however, it is unknown at this if other user agents may be used.", "references": ["https://www.wordfence.com/blog/2022/10/threat-advisory-cve-2022-40684-fortinet-appliance-auth-bypass/", "https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/", "https://github.com/horizon3ai/CVE-2022-40684", "https://www.horizon3.ai/fortinet-iocs-cve-2022-40684/", "https://attackerkb.com/topics/QWOxGIKkGx/cve-2022-40684/rapid7-analysis", "https://github.com/rapid7/metasploit-framework/pull/17143"], "tags": {"name": "Fortinet Appliance Auth bypass", "analytic_story": ["CVE-2022-40684 Fortinet Appliance Auth bypass"], "asset_type": "Network", "cis20": ["CIS 13"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Delivery", "Installation"], "message": "Potential CVE-2022-40684 against a Fortinet appliance may be occurring against $dest$.", "mitre_attack_id": ["T1190", "T1133"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Web.http_user_agent", "Web.http_method", "Web.url", "Web.url_length", "Web.src", "Web.dest", "sourcetype"], "risk_score": 81, "security_domain": "network", "risk_severity": "high", "cve": ["CVE-2022-40684"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/fortigate/fortinetcve202240684.log", "source": "pan:threat", "sourcetype": "pan:threat", "update_timestamp": true}]}], "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "fortinet_appliance_auth_bypass_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-40684", "cvss": null, "summary": "An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated atttacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/fortinet_appliance_auth_bypass.yml", "source": "web", "nes_fields": "user,dest"}, {"name": "Hunting for Log4Shell", "id": "158b68fa-5d1a-11ec-aac8-acde48001122", "version": 1, "date": "2021-12-14", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following hunting query assists with quickly assessing CVE-2021-44228, or Log4Shell, activity mapped to the Web Datamodel. This is a combination query attempting to identify, score and dashboard. Because the Log4Shell vulnerability requires the string to be in the logs, this will work to identify the activity anywhere in the HTTP headers using _raw. Modify the first line to use the same pattern matching against other log sources. Scoring is based on a simple rubric of 0-5. 5 being the best match, and less than 5 meant to identify additional patterns that will equate to a higher total score. \\\nThe first jndi match identifies the standard pattern of `{jndi:` \\\njndi_fastmatch is meant to identify any jndi in the logs. The score is set low and is meant to be the \"base\" score used later. \\\njndi_proto is a protocol match that identifies `jndi` and one of `ldap, ldaps, rmi, dns, nis, iiop, corba, nds, http, https.` \\\nall_match is a very well written regex by https://gist.github.com/Schvenn that identifies nearly all patterns of this attack behavior. \\\nenv works to identify environment variables in the header, meant to capture `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `env`. \\\nuri_detect is string match looking for the common uri paths currently being scanned/abused in the wild. \\\nkeywords matches on enumerated values that, like `$ctx:loginId`, that may be found in the header used by the adversary. \\\nlookup matching is meant to catch some basic obfuscation that has been identified using upper, lower and date. \\\nScoring will then occur based on any findings. The base score is meant to be 2 , created by jndi_fastmatch. Everything else is meant to increase that score. \\\nFinally, a simple table is created to show the scoring and the _raw field. Sort based on score or columns of interest.", "data_source": [], "search": "| from datamodel Web.Web | eval jndi=if(match(_raw, \"(\\{|%7B)[jJnNdDiI]{4}:\"),4,0) | eval jndi_fastmatch=if(match(_raw, \"[jJnNdDiI]{4}\"),2,0) | eval jndi_proto=if(match(_raw,\"(?i)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http|https):\"),5,0) | eval all_match = if(match(_raw, \"(?i)(%(25){0,}20|\\s)*(%(25){0,}24|\\$)(%(25){0,}20|\\s)*(%(25){0,}7B|{)(%(25){0,}20|\\s)*(%(25){0,}(6A|4A)|J)(%(25){0,}(6E|4E)|N)(%(25){0,}(64|44)|D)(%(25){0,}(69|49)|I)(%(25){0,}20|\\s)*(%(25){0,}3A|:)[\\w\\%]+(%(25){1,}3A|:)(%(25){1,}2F|\\/)[^\\n]+\"),5,0) | eval env_var = if(match(_raw, \"env:\") OR match(_raw, \"env:AWS_ACCESS_KEY_ID\") OR match(_raw, \"env:AWS_SECRET_ACCESS_KEY\"),5,0) | eval uridetect = if(match(_raw, \"(?i)Basic\\/Command\\/Base64|Basic\\/ReverseShell|Basic\\/TomcatMemshell|Basic\\/JBossMemshell|Basic\\/WebsphereMemshell|Basic\\/SpringMemshell|Basic\\/Command|Deserialization\\/CommonsCollectionsK|Deserialization\\/CommonsBeanutils|Deserialization\\/Jre8u20\\/TomcatMemshell|Deserialization\\/CVE_2020_2555\\/WeblogicMemshell|TomcatBypass|GroovyBypass|WebsphereBypass\"),4,0) | eval keywords = if(match(_raw,\"(?i)\\$\\{ctx\\:loginId\\}|\\$\\{map\\:type\\}|\\$\\{filename\\}|\\$\\{date\\:MM-dd-yyyy\\}|\\$\\{docker\\:containerId\\}|\\$\\{docker\\:containerName\\}|\\$\\{docker\\:imageName\\}|\\$\\{env\\:USER\\}|\\$\\{event\\:Marker\\}|\\$\\{mdc\\:UserId\\}|\\$\\{java\\:runtime\\}|\\$\\{java\\:vm\\}|\\$\\{java\\:os\\}|\\$\\{jndi\\:logging/context-name\\}|\\$\\{hostName\\}|\\$\\{docker\\:containerId\\}|\\$\\{k8s\\:accountName\\}|\\$\\{k8s\\:clusterName\\}|\\$\\{k8s\\:containerId\\}|\\$\\{k8s\\:containerName\\}|\\$\\{k8s\\:host\\}|\\$\\{k8s\\:labels.app\\}|\\$\\{k8s\\:labels.podTemplateHash\\}|\\$\\{k8s\\:masterUrl\\}|\\$\\{k8s\\:namespaceId\\}|\\$\\{k8s\\:namespaceName\\}|\\$\\{k8s\\:podId\\}|\\$\\{k8s\\:podIp\\}|\\$\\{k8s\\:podName\\}|\\$\\{k8s\\:imageId\\}|\\$\\{k8s\\:imageName\\}|\\$\\{log4j\\:configLocation\\}|\\$\\{log4j\\:configParentLocation\\}|\\$\\{spring\\:spring.application.name\\}|\\$\\{main\\:myString\\}|\\$\\{main\\:0\\}|\\$\\{main\\:1\\}|\\$\\{main\\:2\\}|\\$\\{main\\:3\\}|\\$\\{main\\:4\\}|\\$\\{main\\:bar\\}|\\$\\{name\\}|\\$\\{marker\\}|\\$\\{marker\\:name\\}|\\$\\{spring\\:profiles.active[0]|\\$\\{sys\\:logPath\\}|\\$\\{web\\:rootDir\\}|\\$\\{sys\\:user.name\\}\"),4,0) | eval obf = if(match(_raw, \"(\\$|%24)[^ /]*({|%7b)[^ /]*(j|%6a)[^ /]*(n|%6e)[^ /]*(d|%64)[^ /]*(i|%69)[^ /]*(:|%3a)[^ /]*(:|%3a)[^ /]*(/|%2f)\"),5,0) | eval lookups = if(match(_raw, \"(?i)({|%7b)(main|sys|k8s|spring|lower|upper|env|date|sd)\"),4,0) | addtotals fieldname=Score, jndi, jndi_proto, env_var, uridetect, all_match, jndi_fastmatch, keywords, obf, lookups | where Score > 2 | stats values(Score) by jndi, jndi_proto, env_var, uridetect, all_match, jndi_fastmatch, keywords, lookups, obf, _raw | `hunting_for_log4shell_filter`", "how_to_implement": "Out of the box, the Web datamodel is required to be pre-filled. However, tested was performed against raw httpd access logs. Change the first line to any dataset to pass the regex's against.", "known_false_positives": "It is highly possible you will find false positives, however, the base score is set to 2 for _any_ jndi found in raw logs. tune and change as needed, include any filtering.", "references": ["https://gist.github.com/olafhartong/916ebc673ba066537740164f7e7e1d72", "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b#gistcomment-3994449", "https://regex101.com/r/OSrm0q/1/", "https://github.com/Neo23x0/signature-base/blob/master/yara/expl_log4j_cve_2021_44228.yar", "https://news.sophos.com/en-us/2021/12/12/log4shell-hell-anatomy-of-an-exploit-outbreak/", "https://gist.github.com/MHaggis/1899b8554f38c8692a9fb0ceba60b44c", "https://twitter.com/sasi2103/status/1469764719850442760?s=20"], "tags": {"name": "Hunting for Log4Shell", "analytic_story": ["Log4Shell CVE-2021-44228", "CISA AA22-320A"], "asset_type": "Web Server", "cis20": ["CIS 13"], "confidence": 50, "impact": 80, "kill_chain_phases": ["Delivery", "Installation"], "message": "Hunting for Log4Shell exploitation has occurred.", "mitre_attack_id": ["T1190", "T1133"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "http_method", "type": "Other", "role": ["Other"]}, {"name": "src", "type": "Other", "role": ["Other"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "_raw"], "risk_score": 40, "security_domain": "network", "risk_severity": "low", "cve": ["CVE-2021-44228"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/java/log4shell-nginx.log", "source": "/var/log/nginx/access.log", "sourcetype": "nginx:plus:kv"}]}], "datamodel": ["Web"], "macros": [{"name": "hunting_for_log4shell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-44228", "cvss": 9.3, "summary": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/hunting_for_log4shell.yml", "source": "web"}, {"name": "Log4Shell JNDI Payload Injection Attempt", "id": "c184f12e-5c90-11ec-bf1f-497c9a704a72", "version": 1, "date": "2021-12-13", "author": "Jose Hernandez", "type": "Anomaly", "status": "production", "description": "CVE-2021-44228 Log4Shell payloads can be injected via various methods, but on of the most common vectors injection is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them are specially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various part of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. If you see results for this detection, it means that there was a attempt at a injection, which could be a reconnaissance activity or a valid expliotation attempt, but this does not exactly mean that the host was indeed successfully exploited.", "data_source": [], "search": "| from datamodel Web.Web | regex _raw=\"[jJnNdDiI]{4}(\\:|\\%3A|\\/|\\%2F)\\w+(\\:\\/\\/|\\%3A\\%2F\\%2F)(\\$\\{.*?\\}(\\.)?)?\" | fillnull | stats count by action, category, dest, dest_port, http_content_type, http_method, http_referrer, http_user_agent, site, src, url, url_domain, user | `log4shell_jndi_payload_injection_attempt_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache or Splunk for Nginx.", "known_false_positives": "If there is a vulnerablility scannner looking for log4shells this will trigger, otherwise likely to have low false positives.", "references": ["https://www.lunasec.io/docs/blog/log4j-zero-day/"], "tags": {"name": "Log4Shell JNDI Payload Injection Attempt", "analytic_story": ["Log4Shell CVE-2021-44228", "CISA AA22-257A", "CISA AA22-320A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 50, "kill_chain_phases": ["Delivery", "Installation"], "message": "CVE-2021-44228 Log4Shell triggered for host $dest$", "mitre_attack_id": ["T1190", "T1133"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["action", "category", "dest", "dest_port", "http_content_type", "http_method", "http_referrer", "http_user_agent", "site", "src", "url", "url_domain", "user"], "risk_score": 15, "security_domain": "threat", "risk_severity": "low", "cve": ["CVE-2021-44228"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/log4j_proxy_logs/log4j_proxy_logs.log", "source": "nginx", "sourcetype": "nginx:plus:kv"}]}], "datamodel": ["Web"], "macros": [{"name": "log4shell_jndi_payload_injection_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-44228", "cvss": 9.3, "summary": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/log4shell_jndi_payload_injection_attempt.yml", "source": "web"}, {"name": "Log4Shell JNDI Payload Injection with Outbound Connection", "id": "69afee44-5c91-11ec-bf1f-497c9a704a72", "version": 1, "date": "2021-12-13", "author": "Jose Hernandez", "type": "Anomaly", "status": "production", "description": "CVE-2021-44228 Log4Shell payloads can be injected via various methods, but on of the most common vectors injection is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them are specially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various part of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we match the invocation function with a network connection to a malicious ip address.", "data_source": [], "search": "| from datamodel Web.Web | rex field=_raw max_match=0 \"[jJnNdDiI]{4}(\\:|\\%3A|\\/|\\%2F)(?\\w+)(\\:\\/\\/|\\%3A\\%2F\\%2F)(\\$\\{.*?\\}(\\.)?)?(?[a-zA-Z0-9\\.\\-\\_\\$]+)\" | join affected_host type=inner [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic.All_Traffic by All_Traffic.dest | `drop_dm_object_name(All_Traffic)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename dest AS affected_host] | fillnull | stats count by action, category, dest, dest_port, http_content_type, http_method, http_referrer, http_user_agent, site, src, url, url_domain, user | `log4shell_jndi_payload_injection_with_outbound_connection_filter`", "how_to_implement": "This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache or Splunk for Nginx.", "known_false_positives": "If there is a vulnerablility scannner looking for log4shells this will trigger, otherwise likely to have low false positives.", "references": ["https://www.lunasec.io/docs/blog/log4j-zero-day/"], "tags": {"name": "Log4Shell JNDI Payload Injection with Outbound Connection", "analytic_story": ["Log4Shell CVE-2021-44228", "CISA AA22-320A"], "asset_type": "Endpoint", "cis20": ["CIS 10"], "confidence": 30, "impact": 50, "kill_chain_phases": ["Delivery", "Installation"], "message": "CVE-2021-44228 Log4Shell triggered for host $dest$", "mitre_attack_id": ["T1190", "T1133"], "nist": ["DE.AE"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["action", "category", "dest", "dest_port", "http_content_type", "http_method", "http_referrer", "http_user_agent", "site", "src", "url", "url_domain", "user"], "risk_score": 15, "security_domain": "threat", "risk_severity": "low", "cve": ["CVE-2021-44228"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/log4j_proxy_logs/log4j_proxy_logs.log", "source": "nginx", "sourcetype": "nginx:plus:kv"}, {"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/log4j_network_logs/log4j_network_logs.log", "source": "stream:Splunk_IP", "sourcetype": "stream:ip"}]}], "datamodel": ["Network_Traffic", "Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "log4shell_jndi_payload_injection_with_outbound_connection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-44228", "cvss": 9.3, "summary": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml", "source": "web"}, {"name": "Monitor Web Traffic For Brand Abuse", "id": "134da869-e264-4a8f-8d7e-fcd0ec88f301", "version": 1, "date": "2017-09-23", "author": "David Dorsey, Splunk", "type": "TTP", "status": "experimental", "description": "This search looks for Web requests to faux domains similar to the one that you want to have monitored for abuse.", "data_source": [], "search": "| tstats `security_content_summariesonly` values(Web.url) as urls min(_time) as firstTime from datamodel=Web by Web.src | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `brand_abuse_web` | `monitor_web_traffic_for_brand_abuse_filter`", "how_to_implement": "You need to ingest data from your web traffic. This can be accomplished by indexing data from a web proxy, or using a network traffic analysis tool, such as Bro or Splunk Stream. You also need to have run the search \"ESCU - DNSTwist Domain Names\", which creates the permutations of the domain that will be checked for.", "known_false_positives": "None at this time", "references": [], "tags": {"name": "Monitor Web Traffic For Brand Abuse", "analytic_story": ["Brand Monitoring"], "asset_type": "Endpoint", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": [], "message": "tbd", "nist": ["DE.CM"], "observable": [{"name": "src", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Web.url", "Web.src"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": []}, "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "brand_abuse_web", "definition": "lookup update=true brandMonitoring_lookup domain as urls OUTPUT domain_abuse | search domain_abuse=true", "description": "This macro limits the output to only domains that are in the brand monitoring lookup file"}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "monitor_web_traffic_for_brand_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/monitor_web_traffic_for_brand_abuse.yml", "source": "web", "nes_fields": "user,dest"}, {"name": "PaperCut NG Remote Web Access Attempt", "id": "9fcb214a-dc42-4ce7-a650-f1d2cab16a6a", "version": 1, "date": "2023-05-15", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic is designed to detect potential exploitation attempts on publicly accessible PaperCut NG servers. It identifies connections from public IP addresses to the server and specifically monitors for URI paths commonly found in proof-of-concept (POC) scripts for exploiting PaperCut NG vulnerabilities. These URI paths have been observed in both Metasploit modules and standalone scripts used for attacking PaperCut NG servers. When a public IP address is detected accessing one or more of these suspicious URI paths, an alert may be generated to notify the security team of the potential threat. The team can then investigate the source IP address, the targeted PaperCut NG server, and any other relevant information to determine the nature of the activity and take appropriate actions to mitigate the risk.", "data_source": [], "search": "| tstats count from datamodel=Web where Web.url IN (\"/app?service=page/SetupCompleted\", \"/app\", \"/app?service=page/PrinterList\", \"/app?service=direct/1/PrinterList/selectPrinter&sp=*\", \"/app?service=direct/1/PrinterDetails/printerOptionsTab.tab\") NOT (src IN (\"10.*.*.*\",\"172.16.*.*\", \"192.168.*.*\", \"169.254.*.*\", \"127.*.*.*\", \"fc00::*\", \"fd00::*\", \"fe80::*\")) by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest Web.dest_port sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `papercut_ng_remote_web_access_attempt_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel.", "known_false_positives": "False positives may be present, filter as needed.", "references": ["https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-and-fbi-release-joint-advisory-response-active-exploitation-papercut-vulnerability", "https://www.papercut.com/kb/Main/PO-1216-and-PO-1219", "https://www.horizon3.ai/papercut-cve-2023-27350-deep-dive-and-indicators-of-compromise/", "https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-bug-in-papercut-servers/", "https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software"], "tags": {"name": "PaperCut NG Remote Web Access Attempt", "analytic_story": ["PaperCut MF NG Vulnerability"], "asset_type": "Web Server", "cis20": ["CIS 13"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Delivery", "Installation"], "message": "URIs specific to PaperCut NG have been access by a public IP against $dest$.", "mitre_attack_id": ["T1190", "T1133"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Web.http_user_agent", "Web.http_method", "Web.url", "Web.url_length", "Web.src", "Web.dest", "sourcetype"], "risk_score": 63, "security_domain": "network", "risk_severity": "medium", "atomic_guid": [], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/papercut/papercutng-suricata.log", "source": "suricata", "sourcetype": "suricata"}]}], "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "papercut_ng_remote_web_access_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/papercut_ng_remote_web_access_attempt.yml", "source": "web", "nes_fields": "user,dest"}, {"name": "ProxyShell ProxyNotShell Behavior Detected", "id": "c32fab32-6aaf-492d-bfaf-acbed8e50cdf", "version": 1, "date": "2022-10-03", "author": "Michael Haag, Splunk", "type": "Correlation", "status": "production", "description": "The following correlation will identify activity related to Windows Exchange being actively exploited by adversaries related to ProxyShell or ProxyNotShell. In addition, the analytic correlates post-exploitation Cobalt Strike analytic story. Common post-exploitation behavior has been seen in the wild includes adversaries running nltest, Cobalt Strike, Mimikatz and adding a new user. The correlation specifically looks for 5 distinct analyticstories to trigger. Modify or tune as needed for your organization. 5 analytics is an arbitrary number but was chosen to reduce the amount of noise but also require the 2 analytic stories or a ProxyShell and CobaltStrike to fire. Adversaries will exploit the vulnerable Exchange server, abuse SSRF, drop a web shell, utilize the PowerShell Exchange modules and begin post-exploitation.", "data_source": [], "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.analyticstories) as analyticstories values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count dc(All_Risk.analyticstories) as dc_analyticstories from datamodel=Risk.All_Risk where All_Risk.analyticstories IN (\"ProxyNotShell\",\"ProxyShell\") OR (All_Risk.analyticstories IN (\"ProxyNotShell\",\"ProxyShell\") AND All_Risk.analyticstories=\"Cobalt Strike\") All_Risk.risk_object_type=\"system\" by _time span=1h All_Risk.risk_object All_Risk.risk_object_type | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| where source_count >=5 | `proxyshell_proxynotshell_behavior_detected_filter`", "how_to_implement": "To implement this correlation, you will need to enable ProxyShell, ProxyNotShell and Cobalt Strike analytic stories (the anaytics themselves) and ensure proper data is being collected for Web and Endpoint datamodels. Run the correlation rule seperately to validate it is not triggering too much or generating incorrectly. Validate by running ProxyShell POC code and Cobalt Strike behavior.", "known_false_positives": "False positives will be limited, however tune or modify the query as needed.", "references": ["https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html", "https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/"], "tags": {"name": "ProxyShell ProxyNotShell Behavior Detected", "analytic_story": ["ProxyShell", "ProxyNotShell"], "asset_type": "Web Server", "cis20": ["CIS 13"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Delivery", "Installation"], "message": "ProxyShell or ProxyNotShell activity has been identified on $risk_object$.", "mitre_attack_id": ["T1190", "T1133"], "nist": ["DE.AE"], "observable": [{"name": "risk_object", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["All_Risk.analyticstories", "All_Risk.risk_object_type", "All_Risk.risk_object", "All_Risk.annotations.mitre_attack.mitre_tactic", "source"], "risk_score": 81, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/proxyshell/proxyshell-risk.log", "source": "proxyshell", "sourcetype": "stash", "update_timestamp": true}]}], "datamodel": ["Risk"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "proxyshell_proxynotshell_behavior_detected_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/proxyshell_proxynotshell_behavior_detected.yml", "source": "web", "nes_fields": "user,dest"}, {"name": "Spring4Shell Payload URL Request", "id": "9d44d649-7d67-4559-95c1-8022ff49420b", "version": 1, "date": "2022-07-12", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic is static indicators related to CVE-2022-22963, Spring4Shell. The 3 indicators provide an amount of fidelity that source IP is attemping to exploit a web shell on the destination. The filename and cmd are arbitrary in this exploitation. Java will write a JSP to disk and a process will spawn from Java based on the cmd passed. This is indicative of typical web shell activity.", "data_source": [], "search": "| tstats count from datamodel=Web where Web.http_method IN (\"GET\") Web.url IN (\"*tomcatwar.jsp*\",\"*poc.jsp*\",\"*shell.jsp*\") by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spring4shell_payload_url_request_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel.", "known_false_positives": "The jsp file names are static names used in current proof of concept code. =", "references": ["https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/", "https://github.com/TheGejr/SpringShell", "https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability"], "tags": {"name": "Spring4Shell Payload URL Request", "analytic_story": ["Spring4Shell CVE-2022-22965"], "asset_type": "Web Server", "cis20": ["CIS 13"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Installation", "Delivery"], "message": "A URL was requested related to Spring4Shell POC code on $dest$ by $src$.", "mitre_attack_id": ["T1505.003", "T1505", "T1190", "T1133"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "IP Address", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Web.http_method", "Web.url", "Web.url_length", "Web.src", "Web.dest", "Web.http_user_agent"], "risk_score": 36, "security_domain": "network", "risk_severity": "low", "cve": ["CVE-2022-22965"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/spring4shell_nginx.log", "source": "/var/log/nginx/access.log", "sourcetype": "nginx:plus:kv"}]}], "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "spring4shell_payload_url_request_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-22965", "cvss": 7.5, "summary": "A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/spring4shell_payload_url_request.yml", "source": "web", "nes_fields": "user,dest"}, {"name": "SQL Injection with Long URLs", "id": "e0aad4cf-0790-423b-8328-7564d0d938f9", "version": 3, "date": "2022-03-28", "author": "Bhavin Patel, Splunk", "type": "TTP", "status": "experimental", "description": "This search looks for long URLs that have several SQL commands visible within them.", "data_source": [], "search": "| tstats `security_content_summariesonly` count from datamodel=Web where Web.dest_category=web_server AND (Web.url_length > 1024 OR Web.http_user_agent_length > 200) by Web.src Web.dest Web.url Web.url_length Web.http_user_agent | `drop_dm_object_name(\"Web\")` | eval url=lower(url) | eval num_sql_cmds=mvcount(split(url, \"alter%20table\")) + mvcount(split(url, \"between\")) + mvcount(split(url, \"create%20table\")) + mvcount(split(url, \"create%20database\")) + mvcount(split(url, \"create%20index\")) + mvcount(split(url, \"create%20view\")) + mvcount(split(url, \"delete\")) + mvcount(split(url, \"drop%20database\")) + mvcount(split(url, \"drop%20index\")) + mvcount(split(url, \"drop%20table\")) + mvcount(split(url, \"exists\")) + mvcount(split(url, \"exec\")) + mvcount(split(url, \"group%20by\")) + mvcount(split(url, \"having\")) + mvcount(split(url, \"insert%20into\")) + mvcount(split(url, \"inner%20join\")) + mvcount(split(url, \"left%20join\")) + mvcount(split(url, \"right%20join\")) + mvcount(split(url, \"full%20join\")) + mvcount(split(url, \"select\")) + mvcount(split(url, \"distinct\")) + mvcount(split(url, \"select%20top\")) + mvcount(split(url, \"union\")) + mvcount(split(url, \"xp_cmdshell\")) - 24 | where num_sql_cmds > 3 | `sql_injection_with_long_urls_filter`", "how_to_implement": "To successfully implement this search, you need to be monitoring network communications to your web servers or ingesting your HTTP logs and populating the Web data model. You must also identify your web servers in the Enterprise Security assets table.", "known_false_positives": "It's possible that legitimate traffic will have long URLs or long user agent strings and that common SQL commands may be found within the URL. Please investigate as appropriate.", "references": [], "tags": {"name": "SQL Injection with Long URLs", "analytic_story": ["SQL Injection"], "asset_type": "Database Server", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Delivery"], "message": "SQL injection attempt with url $url$ detected on $dest$", "mitre_attack_id": ["T1190"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Endpoint", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Web.dest_category", "Web.url_length", "Web.http_user_agent_length", "Web.src", "Web.dest", "Web.url", "Web.http_user_agent"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}]}, "datamodel": ["Web"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "sql_injection_with_long_urls_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/sql_injection_with_long_urls.yml", "source": "web", "nes_fields": "user,dest"}, {"name": "Supernova Webshell", "id": "2ec08a09-9ff1-4dac-b59f-1efd57972ec1", "version": 1, "date": "2021-01-06", "author": "John Stoner, Splunk", "type": "TTP", "status": "experimental", "description": "This search aims to detect the Supernova webshell used in the SUNBURST attack.", "data_source": [], "search": "| tstats `security_content_summariesonly` count from datamodel=Web.Web where web.url=*logoimagehandler.ashx*codes* OR Web.url=*logoimagehandler.ashx*clazz* OR Web.url=*logoimagehandler.ashx*method* OR Web.url=*logoimagehandler.ashx*args* by Web.src Web.dest Web.url Web.vendor_product Web.user Web.http_user_agent _time span=1s | `supernova_webshell_filter`", "how_to_implement": "To successfully implement this search, you need to be monitoring web traffic to your Solarwinds Orion. The logs should be ingested into splunk and populating/mapped to the Web data model.", "known_false_positives": "There might be false positives associted with this detection since items like args as a web argument is pretty generic.", "references": ["https://www.splunk.com/en_us/blog/security/detecting-supernova-malware-solarwinds-continued.html", "https://www.guidepointsecurity.com/blog/supernova-solarwinds-net-webshell-analysis/"], "tags": {"name": "Supernova Webshell", "analytic_story": ["NOBELIUM Group"], "asset_type": "Web Server", "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Delivery"], "message": "tbd", "mitre_attack_id": ["T1505.003", "T1133"], "nist": ["DE.CM"], "observable": [{"name": "user", "type": "User", "role": ["Victim"]}, {"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Web.url", "Web.src", "Web.dest", "Web.vendor_product", "Web.user", "Web.http_user_agent"], "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "datamodel": ["Web"], "macros": [{"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "supernova_webshell_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/supernova_webshell.yml", "source": "web", "nes_fields": "user,dest"}, {"name": "VMWare Aria Operations Exploit Attempt", "id": "d5d865e4-03e6-43da-98f4-28a4f42d4df7", "version": 1, "date": "2023-06-21", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic is designed to detect potential exploitation attempts against VMWare vRealize Network Insight that align with the characteristics of CVE-2023-20887. This specific vulnerability is a critical security flaw that, if exploited, could allow an attacker to execute arbitrary code on the affected system.\\\nThe analytic operates by monitoring web traffic, specifically HTTP POST requests, directed towards a specific URL endpoint (\"/saas./resttosaasservlet\"). This endpoint is known to be vulnerable and is a common target for attackers exploiting this vulnerability.\\\nThe behavior this analytic detects is the sending of HTTP POST requests to the vulnerable endpoint. This is a significant indicator of an attempted exploit as it is the primary method used to trigger the vulnerability. The analytic detects this behavior by analyzing web traffic data and identifying HTTP POST requests directed at the vulnerable endpoint.\\\nIdentifying this behavior is crucial for a Security Operations Center (SOC) as it can indicate an active attempt to exploit a known vulnerability within the network. If the identified behavior is a true positive, it suggests an attacker is attempting to exploit the CVE-2023-20887 vulnerability in VMWare vRealize Network Insight. The impact of such an attack could be severe, potentially allowing the attacker to execute arbitrary code on the affected system, leading to unauthorized access, data theft, or further propagation within the network.", "data_source": [], "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/saas./resttosaasservlet*\") Web.http_method=POST Web.status IN (\"unknown\", \"200\") by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `vmware_aria_operations_exploit_attempt_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. Restrict to specific dest assets to reduce false positives.", "known_false_positives": "False positives will be present based on gateways in use, modify the status field as needed.", "references": ["https://nvd.nist.gov/vuln/detail/CVE-2023-20887", "https://viz.greynoise.io/tag/vmware-aria-operations-for-networks-rce-attempt?days=30", "https://github.com/sinsinology/CVE-2023-20887", "https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/"], "tags": {"name": "VMWare Aria Operations Exploit Attempt", "analytic_story": ["VMware Aria Operations vRealize CVE-2023-20887"], "asset_type": "Web Server", "cis20": ["CIS 13"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Delivery", "Installation", "Exploitation"], "message": "An exploitation attempt has occurred against $dest$ from $src$ related to CVE-2023-20887", "mitre_attack_id": ["T1133", "T1190", "T1210", "T1068"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Web.http_method", "Web.url", "Web.url_length", "Web.src", "Web.dest", "Web.http_user_agent"], "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "atomic_guid": [], "mitre_attack_enrichments": [{"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1210", "mitre_attack_technique": "Exploitation of Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "Dragonfly", "Earth Lusca", "FIN7", "Fox Kitten", "MuddyWater", "Threat Group-3390", "Tonto Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/vmware/vmware_aria.log", "source": "pan:threat", "sourcetype": "pan:threat"}]}], "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "vmware_aria_operations_exploit_attempt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/vmware_aria_operations_exploit_attempt.yml", "source": "web", "nes_fields": "user,dest"}, {"name": "VMware Server Side Template Injection Hunt", "id": "5796b570-ad12-44df-b1b5-b7e6ae3aabb0", "version": 1, "date": "2022-05-19", "author": "Michael Haag, Splunk", "type": "Hunting", "status": "production", "description": "The following hunting analytic identifies the server side template injection related to CVE-2022-22954, however is a variation found within the same endpoint of the URL scheme.", "data_source": [], "search": "| tstats count from datamodel=Web where Web.http_method IN (\"GET\") Web.url=\"*deviceudid=*\" AND Web.url IN (\"*java.lang.ProcessBuilder*\",\"*freemarker.template.utility.ObjectConstructor*\") by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `vmware_server_side_template_injection_hunt_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good.", "known_false_positives": "False positives may be present if the activity is blocked or was not successful. Filter known vulnerablity scanners. Filter as needed.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa22-138b", "https://github.com/wvu/metasploit-framework/blob/master/modules/exploits/linux/http/vmware_workspace_one_access_cve_2022_22954.rb", "https://github.com/sherlocksecurity/VMware-CVE-2022-22954", "https://www.vmware.com/security/advisories/VMSA-2022-0011.html", "https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis", "https://twitter.com/wvuuuuuuuuuuuuu/status/1519476924757778433"], "tags": {"name": "VMware Server Side Template Injection Hunt", "analytic_story": ["VMware Server Side Injection and Privilege Escalation"], "asset_type": "Web Server", "cis20": ["CIS 13"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Delivery", "Installation"], "message": "An attempt to exploit a VMware Server Side Injection CVE-2022-22954 on $dest$ has occurred.", "mitre_attack_id": ["T1190", "T1133"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Web.http_method", "Web.url", "Web.url_length", "Web.src", "Web.dest", "Web.http_user_agent"], "risk_score": 35, "security_domain": "network", "risk_severity": "low", "cve": ["CVE-2022-22954"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/vmware/vmware_scanning_pan_threat.log", "source": "pan:threat", "sourcetype": "pan:threat", "update_timestamp": true}]}], "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "vmware_server_side_template_injection_hunt_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-22954", "cvss": 10.0, "summary": "VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/vmware_server_side_template_injection_hunt.yml", "source": "web"}, {"name": "VMware Workspace ONE Freemarker Server-side Template Injection", "id": "9e5726fe-8fde-460e-bd74-cddcf6c86113", "version": 1, "date": "2022-05-19", "author": "Michael Haag, Splunk", "type": "Anomaly", "status": "production", "description": "The following analytic identifies the server side template injection related to CVE-2022-22954. Based on the scanning activity across the internet and proof of concept code available the template injection occurs at catalog-portal/ui/oauth/verify?error=&deviceudid=. Upon triage, review parallel processes and VMware logs. Following the deviceudid= may be a command to be executed. Capture any file creates and review modified files on disk.", "data_source": [], "search": "| tstats count from datamodel=Web where Web.http_method IN (\"GET\") Web.url=\"*/catalog-portal/ui/oauth/verify?error=&deviceudid=*\" AND Web.url=\"*freemarker.template.utility.Execute*\" by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `vmware_workspace_one_freemarker_server_side_template_injection_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good.", "known_false_positives": "False positives may be present if the activity is blocked or was not successful. Filter known vulnerablity scanners. Filter as needed.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa22-138b", "https://github.com/wvu/metasploit-framework/blob/master/modules/exploits/linux/http/vmware_workspace_one_access_cve_2022_22954.rb", "https://github.com/sherlocksecurity/VMware-CVE-2022-22954", "https://www.vmware.com/security/advisories/VMSA-2022-0011.html", "https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis"], "tags": {"name": "VMware Workspace ONE Freemarker Server-side Template Injection", "analytic_story": ["VMware Server Side Injection and Privilege Escalation"], "asset_type": "Web Server", "cis20": ["CIS 13"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Delivery", "Installation"], "message": "An attempt to exploit a VMware Server Side Injection CVE-2022-22954 on $dest$ has occurred.", "mitre_attack_id": ["T1190", "T1133"], "nist": ["DE.AE"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["Web.http_method", "Web.url", "Web.url_length", "Web.src", "Web.dest", "Web.http_user_agent"], "risk_score": 49, "security_domain": "network", "risk_severity": "low", "cve": ["CVE-2022-22954"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/vmware/vmware_scanning_pan_threat.log", "source": "pan:threat", "sourcetype": "pan:threat", "update_timestamp": true}]}], "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "vmware_workspace_one_freemarker_server_side_template_injection_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-22954", "cvss": 10.0, "summary": "VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml", "source": "web"}, {"name": "Web JSP Request via URL", "id": "2850c734-2d44-4431-8139-1a56f6f54c01", "version": 1, "date": "2022-04-05", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the common URL requests used by a recent CVE - CVE-2022-22965, or Spring4Shell, to access a webshell on the remote webserver. The filename and cmd are arbitrary in this exploitation. Java will write a JSP to disk and a process will spawn from Java based on the cmd passed. This is indicative of typical web shell activity.", "data_source": [], "search": "| tstats count from datamodel=Web where Web.http_method IN (\"GET\") Web.url IN (\"*.jsp?cmd=*\",\"*j&cmd=*\") by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_jsp_request_via_url_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel.", "known_false_positives": "False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to servers.", "references": ["https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/", "https://github.com/TheGejr/SpringShell", "https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability"], "tags": {"name": "Web JSP Request via URL", "analytic_story": ["Spring4Shell CVE-2022-22965"], "asset_type": "Web Server", "cis20": ["CIS 13"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Installation", "Delivery"], "message": "A suspicious URL has been requested against $dest$ by $src$, related to web shell activity.", "mitre_attack_id": ["T1505.003", "T1505", "T1190", "T1133"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Web.http_method", "Web.url", "Web.url_length", "Web.src", "Web.dest", "Web.http_user_agent"], "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "cve": ["CVE-2022-22965"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/spring4shell_nginx.log", "source": "/var/log/nginx/access.log", "sourcetype": "nginx:plus:kv"}]}], "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "web_jsp_request_via_url_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-22965", "cvss": 7.5, "summary": "A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/web_jsp_request_via_url.yml", "source": "web", "nes_fields": "user,dest"}, {"name": "Web Spring4Shell HTTP Request Class Module", "id": "fcdfd69d-0ca3-4476-920e-9b633cb4593e", "version": 1, "date": "2022-04-06", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies the payload related to Spring4Shell, CVE-2022-22965. This analytic uses Splunk Stream HTTP to view the http request body, form data. STRT reviewed all the current proof of concept code and determined the commonality with the payloads being passed used the same fields \"class.module.classLoader.resources.context.parent.pipeline.first\".", "data_source": [], "search": "`stream_http` http_method IN (\"POST\") | stats values(form_data) as http_request_body min(_time) as firstTime max(_time) as lastTime count by http_method http_user_agent uri_path url bytes_in bytes_out | search http_request_body IN (\"*class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=_*\", \"*class.module.classLoader.resources.context.parent.pipeline.first.pattern*\",\"*suffix=.jsp*\") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_spring4shell_http_request_class_module_filter`", "how_to_implement": "To successfully implement this search, you need to be ingesting logs with the stream HTTP logs or network logs that catch network traffic. Make sure that the http-request-body, payload, or request field is enabled.", "known_false_positives": "False positives may occur and filtering may be required. Restrict analytic to asset type.", "references": ["https://github.com/DDuarte/springshell-rce-poc/blob/master/poc.py"], "tags": {"name": "Web Spring4Shell HTTP Request Class Module", "analytic_story": ["Spring4Shell CVE-2022-22965"], "asset_type": "Web Server", "cis20": ["CIS 13"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Delivery", "Installation"], "message": "A http body request related to Spring4Shell has been sent to $dest$ by $src$.", "mitre_attack_id": ["T1190", "T1133"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "http_request_body", "http_method", "http_user_agent", "uri_path", "url", "bytes_in", "bytes_out"], "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "cve": ["CVE-2022-22965"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/http_request_body_streams.log", "source": "stream:http", "sourcetype": "stream:http"}]}], "datamodel": [], "macros": [{"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "web_spring4shell_http_request_class_module_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-22965", "cvss": 7.5, "summary": "A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/web_spring4shell_http_request_class_module.yml", "source": "web", "nes_fields": "user,dest"}, {"name": "Web Spring Cloud Function FunctionRouter", "id": "89dddbad-369a-4f8a-ace2-2439218735bc", "version": 1, "date": "2022-04-05", "author": "Michael Haag, Splunk", "type": "TTP", "status": "production", "description": "The following analytic identifies activity related to the web application Spring Cloud Function that was recently idenfied as vulnerable. This is CVE-2022-22963. Multiple proof of concept code was released. The URI that is hit includes `functionrouter`. The specifics of the exploit include a status of 500. In this query we did not include it, but for filtering you can add Web.status=500. The exploit data itself (based on all the POCs) is located in the form_data field. This field will include all class.modules being called.", "data_source": [], "search": "| tstats count from datamodel=Web where Web.http_method IN (\"POST\") Web.url=\"*/functionRouter*\" by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest Web.status sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_spring_cloud_function_functionrouter_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel.", "known_false_positives": "False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to servers.", "references": ["https://github.com/rapid7/metasploit-framework/pull/16395", "https://github.com/hktalent/spring-spel-0day-poc"], "tags": {"name": "Web Spring Cloud Function FunctionRouter", "analytic_story": ["Spring4Shell CVE-2022-22965"], "asset_type": "Web Server", "cis20": ["CIS 13"], "confidence": 60, "impact": 70, "kill_chain_phases": ["Delivery", "Installation"], "message": "A suspicious URL has been requested against $dest$ by $src$, related to a vulnerability in Spring Cloud.", "mitre_attack_id": ["T1190", "T1133"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}, {"name": "src", "type": "IP Address", "role": ["Attacker"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Web.http_method", "Web.url", "Web.url_length", "Web.src", "Web.dest", "Web.http_user_agent"], "risk_score": 42, "security_domain": "network", "risk_severity": "low", "cve": ["CVE-2022-22963"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/all_functionrouter_http_streams.log", "source": "stream:http", "sourcetype": "stream:http"}]}], "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "web_spring_cloud_function_functionrouter_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2022-22963", "cvss": 7.5, "summary": "In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/web_spring_cloud_function_functionrouter.yml", "source": "web", "nes_fields": "user,dest"}, {"name": "Windows Exchange Autodiscover SSRF Abuse", "id": "d436f9e7-0ee7-4a47-864b-6dea2c4e2752", "version": 1, "date": "2022-10-03", "author": "Michael Haag, Nathaniel Stearns, Splunk", "type": "TTP", "status": "production", "description": "The following analytic utilizes the Web datamodel and identifies the ProxyShell or ProxyNotShell abuse. This vulnerability is a Server Side Request Forgery (SSRF) vulnerability, which is a web vulnerability that allows an adversary to exploit vulnerable functionality to access server side or local network services by affectively traversing the external firewall using vulnerable web functionality. This analytic looks for the URI path and query of autodiscover, powershell and mapi along with a POST occurring. It will tally a simple score and show the output of the events that match. This analytic may be added to by simply creating a new eval statement and modifying the hardcode digit for Score.", "data_source": [], "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.status=200 OR Web.status=302 OR Web.status=401) AND Web.http_method=POST by Web.src Web.status Web.uri_path Web.dest Web.http_method Web.uri_query | `drop_dm_object_name(\"Web\")` | eval is_autodiscover=if(like(lower(uri_path),\"%autodiscover%\"),1,0) | eval powershell = if(match(lower(uri_query),\"powershell\"), \"1\",0) | eval mapi=if(like(uri_query,\"%/mapi/%\"),1,0) | addtotals fieldname=Score is_autodiscover, powershell, mapi | fields Score, src,dest, status, uri_query,uri_path,http_method | where Score >= 2 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_exchange_autodiscover_ssrf_abuse_filter`", "how_to_implement": "To successfully implement this search you need to be ingesting information on Web traffic, Exchange OR IIS logs, mapped to `Web` datamodel in the `Web` node. In addition, confirm the latest CIM App 4.20 or higher is installed.", "known_false_positives": "False positives are limited.", "references": ["https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html", "https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/", "https://twitter.com/GossiTheDog/status/1575762721353916417?s=20&t=67gq9xCWuyPm1VEm8ydfyA", "https://twitter.com/cglyer/status/1575793769814728705?s=20&t=67gq9xCWuyPm1VEm8ydfyA", "https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html", "https://research.splunk.com/stories/proxyshell/", "https://docs.splunk.com/Documentation/AddOns/released/MSIIS", "https://highon.coffee/blog/ssrf-cheat-sheet/", "https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/"], "tags": {"name": "Windows Exchange Autodiscover SSRF Abuse", "analytic_story": ["ProxyShell", "ProxyNotShell"], "asset_type": "Web server", "cis20": ["CIS 13"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Delivery", "Installation"], "message": "Activity related to ProxyShell or ProxyNotShell has been identified on $dest$. Review events and take action accordingly.", "mitre_attack_id": ["T1190", "T1133"], "nist": ["DE.CM"], "observable": [{"name": "dest", "type": "Hostname", "role": ["Victim"]}], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "required_fields": ["_time", "Web.src", "Web.status", "Web.uri_path", "Web.dest", "Web.http_method", "Web.uri_query"], "risk_score": 72, "security_domain": "network", "risk_severity": "medium", "cve": ["CVE-2021-34523", "CVE-2021-34473", "CVE-2021-31207", "CVE-2022-41040", "CVE-2022-41082"], "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}]}, "tests": [{"name": "True Positive Test", "attack_data": [{"data": "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/proxyshell/proxyshell.log", "source": "ms:iis:splunk", "sourcetype": "ms:iis:splunk", "update_timestamp": true}]}], "datamodel": ["Web"], "macros": [{"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "windows_exchange_autodiscover_ssrf_abuse_filter", "definition": "search *", "description": "Update this macro to limit the output results to filter out false positives."}], "lookups": [], "cve_enrichment": [{"id": "CVE-2021-34523", "cvss": 7.5, "summary": "Microsoft Exchange Server Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-33768, CVE-2021-34470."}, {"id": "CVE-2021-34473", "cvss": 10.0, "summary": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31196, CVE-2021-31206."}, {"id": "CVE-2021-31207", "cvss": 6.5, "summary": "Microsoft Exchange Server Security Feature Bypass Vulnerability"}, {"id": "CVE-2022-41040", "cvss": null, "summary": "Microsoft Exchange Server Elevation of Privilege Vulnerability."}, {"id": "CVE-2022-41082", "cvss": null, "summary": "Microsoft Exchange Server Remote Code Execution Vulnerability."}], "splunk_app_enrichment": [], "file_path": "/home/runner/work/security_content/security_content/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml", "source": "web", "nes_fields": "user,dest"}]} \ No newline at end of file diff --git a/dist/api/macros.json b/dist/api/macros.json index 323b455f18..7dd35af707 100644 --- a/dist/api/macros.json +++ b/dist/api/macros.json @@ -1 +1 @@ -{"macros": [{"name": "admon", "definition": "source=ActiveDirectory", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "amazon_security_lake", "definition": "sourcetype=aws:asl", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "audit_searches", "definition": "index=_audit sourcetype=audittrail action=search", "description": "Macro to enable easy searching of audittrail logs for searches"}, {"name": "audittrail", "definition": "index=_audit sourcetype=audittrail", "description": "Macro to enable easy searching of audittrail logs"}, {"name": "aws_cloudwatchlogs_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_config", "definition": "sourcetype=aws:config", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_description", "definition": "sourcetype=\"aws:description\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_ecr_users", "definition": "userName IN (user)", "description": "specify the user allowed to push Images to AWS ECR."}, {"name": "aws_s3_accesslogs", "definition": "sourcetype=aws:s3:accesslogs", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_securityhub_finding", "definition": "sourcetype=\"aws:securityhub:finding\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "aws_securityhub_firehose", "definition": "sourcetype=\"aws:securityhub:firehose\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azure_audit", "definition": "sourcetype=mscs:azure:audit", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "azuread", "definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "bootloader_inventory", "definition": "sourcetype = PwSh:bootloader", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "brand_abuse_dns", "definition": "lookup update=true brandMonitoring_lookup domain as query OUTPUT domain_abuse | search domain_abuse=true", "description": "This macro limits the output to only domains that are in the brand monitoring lookup file"}, {"name": "brand_abuse_email", "definition": "lookup update=true brandMonitoring_lookup domain as src_user OUTPUT domain_abuse | search domain_abuse=true", "description": "This macro limits the output to only domains that are in the brand monitoring lookup file"}, {"name": "brand_abuse_web", "definition": "lookup update=true brandMonitoring_lookup domain as urls OUTPUT domain_abuse | search domain_abuse=true", "description": "This macro limits the output to only domains that are in the brand monitoring lookup file"}, {"name": "capi2_operational", "definition": "(source=XmlWinEventLog:Microsoft-Windows-CAPI2/Operational)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "certificateservices_lifecycle", "definition": "(source=XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational OR source=XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "circleci", "definition": "sourcetype=circleci", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "cisco_networks", "definition": "eventtype=cisco_ios", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "cloud_api_calls_from_previously_unseen_user_roles_activity_window", "definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new commands from user roles"}, {"name": "cloudtrail", "definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "cloudwatch_eks", "definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for AWS cloudwatch eks logs. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "cloudwatch_vpc", "definition": "sourcetype=aws:cloudwatchlogs:vpcflow", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for AWS cloudwatch vpc logs. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "cloudwatchlogs_vpcflow", "definition": "sourcetype=aws:cloudwatchlogs:vpcflow", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "driverinventory", "definition": "sourcetype=PwSh:DriverInventory", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "dynamic_dns_providers", "definition": "lookup update=true dynamic_dns_providers_default dynamic_dns_domains as query OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local dynamic_dns_domains as query OUTPUTNEW isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_default, isDynDNS_local)|fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True", "description": "This macro limits the output of the query field to dynamic dns domains. It looks up the domains in a file provided by Splunk and one intended to be updated by the end user."}, {"name": "dynamic_dns_web_traffic", "definition": "lookup update=true dynamic_dns_providers_default dynamic_dns_domains as url OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local dynamic_dns_domains as url OUTPUTNEW isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_default, isDynDNS_local)|fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True", "description": "This is a description"}, {"name": "ec2_modification_api_calls", "definition": "(eventName=AssociateAddress OR eventName=AssociateIamInstanceProfile OR eventName=AttachClassicLinkVpc OR eventName=AttachNetworkInterface OR eventName=AttachVolume OR eventName=BundleInstance OR eventName=DetachClassicLinkVpc OR eventName=DetachVolume OR eventName=ModifyInstanceAttribute OR eventName=ModifyInstancePlacement OR eventName=MonitorInstances OR eventName=RebootInstances OR eventName=ResetInstanceAttribute OR eventName=StartInstances OR eventName=StopInstances OR eventName=TerminateInstances OR eventName=UnmonitorInstances)", "description": "This is a list of AWS event names that have to do with modifying Amazon EC2 instances"}, {"name": "evilginx_phishlets_0365", "definition": "(query=login* AND query=www*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Office 365"}, {"name": "evilginx_phishlets_amazon", "definition": "(query=fls-na* AND query = www* AND query=images*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Amazon"}, {"name": "evilginx_phishlets_aws", "definition": "(query=www* AND query=aws* AND query=console.aws* AND query=signin.aws* AND api-northeast-1.console.aws* AND query=fls-na* AND query=images-na*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as an AWS console"}, {"name": "evilginx_phishlets_facebook", "definition": "(query=www* AND query = m* AND query=static*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as FaceBook"}, {"name": "evilginx_phishlets_github", "definition": "(query=api* AND query = github*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as GitHub"}, {"name": "evilginx_phishlets_google", "definition": "(query=accounts* AND query=ssl* AND query=www*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Google"}, {"name": "evilginx_phishlets_outlook", "definition": "(query=outlook* AND query=login* AND query=account*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Outlook"}, {"name": "exchange", "definition": "sourcetype=\"MSWindows:IIS\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "f5_bigip_rogue", "definition": "index=netops sourcetype=\"f5:bigip:rogue\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "filter_rare_process_allow_list", "definition": "lookup update=true lookup_rare_process_allow_list_default process as process OUTPUTNEW allow_list | where allow_list=\"false\" | lookup update=true lookup_rare_process_allow_list_local process as process OUTPUT allow_list | where allow_list=\"false\"", "description": "This macro is intended to allow_list processes that have been definied as rare"}, {"name": "github", "definition": "sourcetype=aws:firehose:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "github_known_users", "definition": "user IN (user_names_here)", "description": "specify the user allowed to create PRs in Github projects."}, {"name": "google_gcp_pubnet_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Google GCP. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "google_gcp_pubsub_message", "definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gsuite_calendar", "definition": "sourcetype=gsuite:calendar:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gsuite_drive", "definition": "sourcetype=gsuite:drive:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gsuite_gmail", "definition": "sourcetype=gsuite:gmail:bigquery", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gws_login_mfa_methods", "definition": "event.parameters{}.multiValue{} IN (\"backup_code\", \"google_authenticator\", \"google_prompt\", \"idv_any_phone\", \"idv_preregistered_phone\", \"internal_two_factor\", \"knowledge_employee_id\", \"knowledge_preregistered_email\", \"login_location\", \"knowledge_preregistered_phone\", \"offline_otp\", \"security_key\", \"security_key_otp\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gws_reports_admin", "definition": "sourcetype=gws:reports:admin", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "gws_reports_login", "definition": "sourcetype=gws:reports:login", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "iis_get_webglobalmodule", "definition": "sourcetype=\"Pwsh:InstalledIISModules\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "iis_operational_logs", "definition": "sourcetype=\"IIS:Configuration:Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "is_net_windows_file", "definition": "lookup update=true is_net_windows_file filename as process_name OUTPUT netFile | lookup update=true is_net_windows_file originalFileName as original_file_name OUTPUT netFile | search netFile=true", "description": "This macro limits the output to process names that are .net binaries on Windows Server 2016 and Windows 11."}, {"name": "is_nirsoft_software", "definition": "lookup update=true is_nirsoft_software filename as process_name OUTPUT nirsoftFile | search nirsoftFile=true", "description": "This macro is related to potentially identifiable software related to NirSoft. Remove or filter as needed based."}, {"name": "is_windows_system_file", "definition": "lookup update=true is_windows_system_file filename as process_name OUTPUT systemFile | search systemFile=true", "description": "This macro limits the output to process names that are in the Windows System directory"}, {"name": "kube_objects_events", "definition": "sourcetype=kube:objects:events", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_azure", "definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "kubernetes_container_controller", "definition": "sourcetype=kube:container:controller", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "linux_hosts", "definition": "index=*", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "linux_shells", "definition": "(Processes.process_name IN (\"sh\", \"ksh\", \"zsh\", \"bash\", \"dash\", \"rbash\", \"fish\", \"csh\", \"tcsh\", \"ion\", \"eshell\"))", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "msexchange_management", "definition": "sourcetype=MSExchange:management", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "netbackup", "definition": "sourcetype=\"netbackup_logs\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "network_acl_events", "definition": "(eventName = CreateNetworkAcl OR eventName = CreateNetworkAclEntry OR eventName = DeleteNetworkAcl OR eventName = DeleteNetworkAclEntry OR eventName = ReplaceNetworkAclEntry OR eventName = ReplaceNetworkAclAssociation)", "description": "This is a list of AWS event names that are associated with Network ACLs"}, {"name": "notable", "definition": "index=notable", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "o365_management_activity", "definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "okta", "definition": "eventtype=okta_log", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "osquery", "definition": "sourcetype=osquery:results", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "osquery_process", "definition": "eventtype=\"osquery-process\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "papercutng", "definition": "sourcetype=\"papercutng\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "path_traversal_spl_injection", "definition": "index=_internal sourcetype=splunkd_ui_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "potential_password_in_username_false_positive_reduction", "definition": "search *", "description": "Add customer specific known false positives to the map command used in detection - Potential password in username"}, {"name": "potentially_malicious_code_on_cmdline_tokenize_score", "definition": "eval orig_process=process, process=replace(lower(process), \"`\", \"\") | makemv tokenizer=\"([\\w\\d\\-]+)\" process | eval unusual_cmdline_feature_for=if(match(process, \"^for$\"), mvcount(mvfilter(match(process, \"^for$\"))), 0), unusual_cmdline_feature_netsh=if(match(process, \"^netsh$\"), mvcount(mvfilter(match(process, \"^netsh$\"))), 0), unusual_cmdline_feature_readbytes=if(match(process, \"^readbytes$\"), mvcount(mvfilter(match(process, \"^readbytes$\"))), 0), unusual_cmdline_feature_set=if(match(process, \"^set$\"), mvcount(mvfilter(match(process, \"^set$\"))), 0), unusual_cmdline_feature_unrestricted=if(match(process, \"^unrestricted$\"), mvcount(mvfilter(match(process, \"^unrestricted$\"))), 0), unusual_cmdline_feature_winstations=if(match(process, \"^winstations$\"), mvcount(mvfilter(match(process, \"^winstations$\"))), 0), unusual_cmdline_feature_-value=if(match(process, \"^-value$\"), mvcount(mvfilter(match(process, \"^-value$\"))), 0), unusual_cmdline_feature_compression=if(match(process, \"^compression$\"), mvcount(mvfilter(match(process, \"^compression$\"))), 0), unusual_cmdline_feature_server=if(match(process, \"^server$\"), mvcount(mvfilter(match(process, \"^server$\"))), 0), unusual_cmdline_feature_set-mppreference=if(match(process, \"^set-mppreference$\"), mvcount(mvfilter(match(process, \"^set-mppreference$\"))), 0), unusual_cmdline_feature_terminal=if(match(process, \"^terminal$\"), mvcount(mvfilter(match(process, \"^terminal$\"))), 0), unusual_cmdline_feature_-name=if(match(process, \"^-name$\"), mvcount(mvfilter(match(process, \"^-name$\"))), 0), unusual_cmdline_feature_catch=if(match(process, \"^catch$\"), mvcount(mvfilter(match(process, \"^catch$\"))), 0), unusual_cmdline_feature_get-wmiobject=if(match(process, \"^get-wmiobject$\"), mvcount(mvfilter(match(process, \"^get-wmiobject$\"))), 0), unusual_cmdline_feature_hklm=if(match(process, \"^hklm$\"), mvcount(mvfilter(match(process, \"^hklm$\"))), 0), unusual_cmdline_feature_streamreader=if(match(process, \"^streamreader$\"), mvcount(mvfilter(match(process, \"^streamreader$\"))), 0), unusual_cmdline_feature_system32=if(match(process, \"^system32$\"), mvcount(mvfilter(match(process, \"^system32$\"))), 0), unusual_cmdline_feature_username=if(match(process, \"^username$\"), mvcount(mvfilter(match(process, \"^username$\"))), 0), unusual_cmdline_feature_webrequest=if(match(process, \"^webrequest$\"), mvcount(mvfilter(match(process, \"^webrequest$\"))), 0), unusual_cmdline_feature_count=if(match(process, \"^count$\"), mvcount(mvfilter(match(process, \"^count$\"))), 0), unusual_cmdline_feature_webclient=if(match(process, \"^webclient$\"), mvcount(mvfilter(match(process, \"^webclient$\"))), 0), unusual_cmdline_feature_writeallbytes=if(match(process, \"^writeallbytes$\"), mvcount(mvfilter(match(process, \"^writeallbytes$\"))), 0), unusual_cmdline_feature_convert=if(match(process, \"^convert$\"), mvcount(mvfilter(match(process, \"^convert$\"))), 0), unusual_cmdline_feature_create=if(match(process, \"^create$\"), mvcount(mvfilter(match(process, \"^create$\"))), 0), unusual_cmdline_feature_function=if(match(process, \"^function$\"), mvcount(mvfilter(match(process, \"^function$\"))), 0), unusual_cmdline_feature_net=if(match(process, \"^net$\"), mvcount(mvfilter(match(process, \"^net$\"))), 0), unusual_cmdline_feature_com=if(match(process, \"^com$\"), mvcount(mvfilter(match(process, \"^com$\"))), 0), unusual_cmdline_feature_http=if(match(process, \"^http$\"), mvcount(mvfilter(match(process, \"^http$\"))), 0), unusual_cmdline_feature_io=if(match(process, \"^io$\"), mvcount(mvfilter(match(process, \"^io$\"))), 0), unusual_cmdline_feature_system=if(match(process, \"^system$\"), mvcount(mvfilter(match(process, \"^system$\"))), 0), unusual_cmdline_feature_new-object=if(match(process, \"^new-object$\"), mvcount(mvfilter(match(process, \"^new-object$\"))), 0), unusual_cmdline_feature_if=if(match(process, \"^if$\"), mvcount(mvfilter(match(process, \"^if$\"))), 0), unusual_cmdline_feature_threading=if(match(process, \"^threading$\"), mvcount(mvfilter(match(process, \"^threading$\"))), 0), unusual_cmdline_feature_mutex=if(match(process, \"^mutex$\"), mvcount(mvfilter(match(process, \"^mutex$\"))), 0), unusual_cmdline_feature_cryptography=if(match(process, \"^cryptography$\"), mvcount(mvfilter(match(process, \"^cryptography$\"))), 0), unusual_cmdline_feature_computehash=if(match(process, \"^computehash$\"), mvcount(mvfilter(match(process, \"^computehash$\"))), 0)", "description": "Performs the tokenization and application of the malicious commandline classifier"}, {"name": "powershell", "definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "previously_seen_cloud_api_calls_per_user_role_forget_window", "definition": "\"-90d@d\"", "description": "Use this macro to determine how long to keep track of cloud api calls per user role"}, {"name": "previously_seen_cloud_compute_creations_by_user_search_window_begin_offset", "definition": "\"-70m@m\"", "description": "Use this macro to determine how far into the past the window should be to determine if the user is new or not"}, {"name": "previously_seen_cloud_compute_image_search_window_begin_offset", "definition": "\"-70m@m\"", "description": "Use this macro to determine how far into the past the window should be to determine if the image is new or not"}, {"name": "previously_seen_cloud_compute_images_forget_window", "definition": "\"-90d@d\"", "description": "Use this macro to determine how long to keep track of cloud instance images"}, {"name": "previously_seen_cloud_compute_instance_type_forget_window", "definition": "\"-90d@d\"", "description": "Use this macro to determine how long to keep track of cloud instance types"}, {"name": "previously_seen_cloud_compute_instance_types_search_window_begin_offset", "definition": "\"-70m@m\"", "description": "Use this macro to determine how far into the past the window should be to determine if the instance type is new or not"}, {"name": "previously_seen_cloud_instance_modifications_by_user_search_window_begin_offset", "definition": "\"-70m@m\"", "description": "Use this macro to determine how far into the past the window should be to determine if the user is new or not"}, {"name": "previously_seen_cloud_provisioning_activity_forget_window", "definition": "\"-90d@d\"", "description": "Use this macro to determine how long to keep track of cloud provisioning locations"}, {"name": "previously_seen_cloud_region_forget_window", "definition": "\"-90d@d\"", "description": "Use this macro to determine how long to keep track of cloud regions"}, {"name": "previously_seen_cloud_regions_search_window_begin_offset", "definition": "\"-70m@m\"", "description": "Use this macro to determine how far into the past the window should be to determine if the region is new or not"}, {"name": "previously_seen_windows_services_forget_window", "definition": "\"-90d@d\"", "description": "Use this macro to determine how long to keep track of Windows services"}, {"name": "previously_seen_windows_services_window", "definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new Windows services"}, {"name": "previously_seen_zoom_child_processes_forget_window", "definition": "\"-90d@d\"", "description": "Use this macro to determine how long to keep track of zoom child processes"}, {"name": "previously_seen_zoom_child_processes_window", "definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new zoom child processes"}, {"name": "previously_unseen_cloud_provisioning_activity_window", "definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new provisioning activities"}, {"name": "printservice", "definition": "source=\"wineventlog:microsoft-windows-printservice/operational\" OR source=\"WinEventLog:Microsoft-Windows-PrintService/Admin\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "process_bitsadmin", "definition": "(Processes.process_name=bitsadmin.exe OR Processes.original_file_name=bitsadmin.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_certutil", "definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_cmd", "definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_copy", "definition": "(Processes.process_name=copy.exe OR Processes.original_file_name=copy.exe OR Processes.process_name=xcopy.exe OR Processes.original_file_name=xcopy.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_csc", "definition": "(Processes.process_name=csc.exe OR Processes.original_file_name=csc.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_curl", "definition": "(Processes.process_name=curl.exe OR Processes.original_file_name=Curl.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_diskshadow", "definition": "(Processes.process_name=diskshadow.exe OR Processes.original_file_name=diskshadow.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_dllhost", "definition": "(Processes.process_name=dllhost.exe OR Processes.original_file_name=dllhost.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_dsquery", "definition": "(Processes.process_name=dsquery.exe OR Processes.original_file_name=dsquery.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_dxdiag", "definition": "(Processes.process_name=dxdiag.exe OR Processes.original_file_name=dxdiag.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_esentutl", "definition": "(Processes.process_name=esentutl.exe OR Processes.original_file_name=esentutl.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_fodhelper", "definition": "(Processes.process_name=fodhelper.exe OR Processes.original_file_name=FodHelper.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_gpupdate", "definition": "(Processes.process_name=gpupdate.exe OR Processes.original_file_name=GPUpdate.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_hh", "definition": "(Processes.process_name=hh.exe OR Processes.original_file_name=HH.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_installutil", "definition": "(Processes.process_name=installutil.exe OR Processes.original_file_name=InstallUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_microsoftworkflowcompiler", "definition": "(Processes.process_name=microsoft.workflow.compiler.exe OR Processes.original_file_name=Microsoft.Workflow.Compiler.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_msbuild", "definition": "(Processes.process_name=msbuild.exe OR Processes.original_file_name=MSBuild.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_mshta", "definition": "(Processes.process_name=mshta.exe OR Processes.original_file_name=MSHTA.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_msiexec", "definition": "(Processes.process_name=msiexec.exe OR Processes.original_file_name=msiexec.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_net", "definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_netsh", "definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_nltest", "definition": "(Processes.process_name=nltest.exe OR Processes.original_file_name=nltestrk.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_ntdsutil", "definition": "(Processes.process_name=ntdsutil.exe OR Processes.original_file_name=ntdsutil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_ping", "definition": "(Processes.process_name=ping.exe OR Processes.original_file_name=ping.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_powershell", "definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_procdump", "definition": "(Processes.process_name=procdump.exe OR Processes.process_name=procdump64.exe OR Processes.original_file_name=procdump)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_psexec", "definition": "(Processes.process_name=psexec.exe OR Processes.process_name=psexec64.exe OR Processes.original_file_name=psexec.c)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_rclone", "definition": "(Processes.original_file_name=rclone.exe OR Processes.process_name=rclone.exe)", "description": "Matches the process with its original file name."}, {"name": "process_reg", "definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_regasm", "definition": "(Processes.process_name=regasm.exe OR Processes.original_file_name=RegAsm.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_regsvcs", "definition": "(Processes.process_name=regsvcs.exe OR Processes.original_file_name=RegSvcs.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_regsvr32", "definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_route", "definition": "(Processes.process_name=route.exe OR Processes.original_file_name=route.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_runas", "definition": "(Processes.process_name=runas.exe OR Processes.original_file_name=runas.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_rundll32", "definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_schtasks", "definition": "(Processes.process_name=schtasks.exe OR Processes.original_file_name=schtasks.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_sdelete", "definition": "(Processes.process_name=sdelete.exe OR Processes.original_file_name=sdelete.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_setspn", "definition": "(Processes.process_name=setspn.exe OR Processes.original_file_name=setspn.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_verclsid", "definition": "(Processes.process_name=verclsid.exe OR Processes.original_file_name=verclsid.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_vssadmin", "definition": "(Processes.process_name=vssadmin.exe OR Processes.original_file_name=VSSADMIN.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_wbadmin", "definition": "(Processes.process_name=wbadmin.exe OR Processes.original_file_name=WBADMIN.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_wermgr", "definition": "(Processes.process_name=wermgr.exe OR Processes.original_file_name=wermgr.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "process_wmic", "definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/"}, {"name": "prohibited_apps_launching_cmd", "definition": "| inputlookup prohibited_apps_launching_cmd | rename prohibited_applications as parent_process_name | eval parent_process_name=\"*\" . parent_process_name | table parent_process_name", "description": "This macro outputs a list of process that should not be the parent process of cmd.exe"}, {"name": "prohibited_softwares", "definition": "lookup prohibited_softwares app as process_name OUTPUT is_prohibited | search is_prohibited=True", "description": "This macro limits the output to process_names that have been marked as prohibited"}, {"name": "ransomware_extensions", "definition": "lookup update=true ransomware_extensions_lookup Extensions AS file_extension OUTPUT Name | search Name !=False", "description": "This macro limits the output to files that have extensions associated with ransomware"}, {"name": "ransomware_notes", "definition": "lookup ransomware_notes_lookup ransomware_notes as file_name OUTPUT status as \"Known Ransomware Notes\" | search \"Known Ransomware Notes\"=True", "description": "This macro limits the output to files that have been identified as a ransomware note"}, {"name": "remoteconnectionmanager", "definition": "source=\"WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "remove_valid_domains", "definition": "eval domain=trim(domain,\"*\") | search NOT[| inputlookup domains] NOT[ |inputlookup cim_corporate_email_domain_lookup] NOT[inputlookup cim_corporate_web_domain_lookup] | eval domain=\"*\"+domain+\"*\"", "description": "This macro removes valid domains from the output"}, {"name": "risk_index", "definition": "index=risk", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "s3_accesslogs", "definition": "sourcetype=aws:s3:accesslogs", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for AWS cloudwatch vpc logs. Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "security_content_ctime", "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "arguments": ["field"]}, {"name": "security_content_summariesonly", "definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only"}, {"name": "security_group_api_calls", "definition": "(eventName=AuthorizeSecurityGroupIngress OR eventName=CreateSecurityGroup OR eventName=DeleteSecurityGroup OR eventName=DescribeClusterSecurityGroups OR eventName=DescribeDBSecurityGroups OR eventName=DescribeSecurityGroupReferences OR eventName=DescribeSecurityGroups OR eventName=DescribeStaleSecurityGroups OR eventName=RevokeSecurityGroupIngress OR eventName=UpdateSecurityGroupRuleDescriptionsIngress)", "description": "This macro is a list of AWS event names associated with security groups"}, {"name": "splunk_crash_log", "definition": "(index=_internal AND sourcetype=splunkd_crash_log)", "description": "Searches through the Splunk Crash Log for low-level errors and crashes"}, {"name": "splunk_python", "definition": "index=_internal sourcetype=splunk_python", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunkd", "definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunkd_failed_auths", "definition": "index=_audit \"action=login attempt\" \"info=failed\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunkd_ui", "definition": "index=_internal sourcetype=splunkd_ui_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunkd_web", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunkd_webx", "definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "splunkda", "definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "stream_dns", "definition": "sourcetype=stream:dns", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "stream_http", "definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "stream_tcp", "definition": "sourcetype=stream:tcp", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "suspicious_email_attachments", "definition": "lookup update=true is_suspicious_file_extension_lookup file_name OUTPUT suspicious | search suspicious=true", "description": "This macro limits the output to email attachments that have suspicious extensions"}, {"name": "suspicious_writes", "definition": "lookup suspicious_writes_lookup file as file_name OUTPUT note as \"Reference\" | search \"Reference\" != False", "description": "This macro limites the output to file names that have been marked as suspicious"}, {"name": "sysmon", "definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "system_network_configuration_discovery_tools", "definition": "(process_name= \"arp.exe\" OR process_name= \"at.exe\" OR process_name= \"attrib.exe\" OR process_name= \"cscript.exe\" OR process_name= \"dsquery.exe\" OR process_name= \"hostname.exe\" OR process_name= \"ipconfig.exe\" OR process_name= \"mimikatz.exe\" OR process_name= \"nbstat.exe\" OR process_name= \"net.exe\" OR process_name= \"netsh.exe\" OR process_name= \"nslookup.exe\" OR process_name= \"ping.exe\" OR process_name= \"quser.exe\" OR process_name= \"qwinsta.exe\" OR process_name= \"reg.exe\" OR process_name= \"runas.exe\" OR process_name= \"sc.exe\" OR process_name= \"schtasks.exe\" OR process_name= \"ssh.exe\" OR process_name= \"systeminfo.exe\" OR process_name= \"taskkill.exe\" OR process_name= \"telnet.exe\" OR process_name= \"tracert.exe\" OR process_name=\"wscript.exe\" OR process_name= \"xcopy.exe\")", "description": "This macro is a list of process that can be used to discover the network configuration"}, {"name": "uncommon_processes", "definition": "lookup update=true lookup_uncommon_processes_default process_name as process_name outputnew uncommon_default,category_default,analytic_story_default,kill_chain_phase_default,mitre_attack_default | lookup update=true lookup_uncommon_processes_local process_name as process_name outputnew uncommon_local,category_local,analytic_story_local,kill_chain_phase_local,mitre_attack_local | eval uncommon = coalesce(uncommon_default, uncommon_local), analytic_story = coalesce(analytic_story_default, analytic_story_local), category=coalesce(category_default, category_local), kill_chain_phase=coalesce(kill_chain_phase_default, kill_chain_phase_local), mitre_attack=coalesce(mitre_attack_default, mitre_attack_local) | fields - analytic_story_default, analytic_story_local, category_default, category_local, kill_chain_phase_default, kill_chain_phase_local, mitre_attack_default, mitre_attack_local, uncommon_default, uncommon_local | search uncommon=true", "description": "This macro limits the output to processes that have been marked as uncommon"}, {"name": "windows_shells", "definition": "(Processes.process_name=cmd.exe OR Processes.process_name=powershell.exe OR Processes.process_name=pwsh.exe OR Processes.process_name=sh.exe OR Processes.process_name=bash.exe OR Processes.process_name=wscript.exe OR Processes.process_name=cscript.exe)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wineventlog_application", "definition": "eventtype=wineventlog_application OR source=\"XmlWinEventLog:Application\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wineventlog_security", "definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wineventlog_system", "definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wineventlog_task_scheduler", "definition": "source=\"WinEventLog:Microsoft-Windows-TaskScheduler/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "wmi", "definition": "sourcetype=\"wineventlog:microsoft-windows-wmi-activity/operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "zeek_rpc", "definition": "index=zeek sourcetype=\"zeek:rpc:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "zeek_ssl", "definition": "index=zeek sourcetype=\"zeek:ssl:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}, {"name": "zeek_x509", "definition": "sourcetype=\"zeek:x509:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent."}]} \ No newline at end of file +{"macros": [{"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detection_of_tools_built_by_nirsoft_filter"}, {"definition": "user IN (user_names_here)", "description": "specify the user allowed to create PRs in Github projects.", "name": "github_known_users"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "credential_dumping_via_copy_command_from_shadow_copy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_ssh_authorized_keys_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_user_execution_malicious_url_shortcut_file_filter"}, {"definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "wineventlog_system"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_foresttrust_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_dga_domains_using_pretrained_model_in_dsdl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cmd_echo_pipe___escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_activity_related_to_pass_the_hash_attacks_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_failed_sso_attempts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_docker_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_rasautou_dll_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "create_remote_thread_into_lsass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_moveit_transfer_writing_aspx_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "correlation_by_repository_and_risk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_compute_instance_created_in_previously_unused_region_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_aws_detect_suspicious_kubectl_calls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spoolsv_suspicious_loaded_modules_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_concurrent_sessions_from_different_ips_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "conti_common_exec_parameter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defenses_disable_hvci_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "hiding_files_and_directories_with_attrib_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_disable_bucket_versioning_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_csvtool_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "3cx_supply_chain_attack_network_indicators_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rogue_dhcp_server_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gdrive_suspicious_file_sharing_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_data_destruction_recursive_exec_files_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_start_or_stop_service_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_processes_killed_by_industroyer2_malware_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_usb_device_insertion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_obfuscated_files_or_information_base64_decode_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_valid_account_with_never_expires_password_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "uac_bypass_mmc_load_unsigned_dll_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_ruby_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "msbuild_suspicious_spawned_by_script_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_multiple_failed_mfa_requests_for_user_filter"}, {"definition": "(index=_internal AND sourcetype=splunkd_crash_log)", "description": "Searches through the Splunk Crash Log for low-level errors and crashes", "name": "splunk_crash_log"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_empire_with_powershell_script_block_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "smb_traffic_spike___mltk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "add_or_set_windows_defender_exclusion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_file_without_extension_in_critical_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rubeus_kerberos_ticket_exports_through_winlogon_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "executable_file_written_in_administrative_smb_share_filter"}, {"definition": "(Processes.process_name=copy.exe OR Processes.original_file_name=copy.exe OR Processes.process_name=xcopy.exe OR Processes.original_file_name=xcopy.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_copy"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_event_triggered_image_file_execution_options_injection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_plistbuddy_usage_via_osquery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "jscript_execution_using_cscript_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_busybox_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_tamper_protection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "uninstall_app_using_msiexec_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_csrf_in_the_ssg_kvstore_client_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "scheduled_task_deleted_or_created_via_cmd_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "high_number_of_login_failures_from_a_single_source_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_registry_modification_for_safe_mode_persistence_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_suspicious_user_email_forwarding_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_computer_account_requesting_kerberos_ticket_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "scheduled_task_initiation_on_remote_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_defense_evasion_impair_security_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ms_exchange_mailbox_replication_service_writing_active_server_pages_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_snicat_sni_exfiltration_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_aws_instances_terminated_by_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "attempted_credential_dump_from_registry_via_reg_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dll_search_order_hijacking_with_iscsicpl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_ec2_snapshot_shared_externally_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "certutil_download_with_verifyctl_and_split_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_service_restarted_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_local_administrator_credential_stuffing_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_defense_evasion_impair_security_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getdomaingroup_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_defender_antivirus_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disable_toast_notifications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_clipboard_data_copy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "adsisearcher_account_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wget_download_and_bash_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_memory_crash_dump_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_using_memory_as_backing_store_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_regsvcs_with_network_connection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates_export_certificate_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_microsoft_workflow_compiler_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_deletion_of_cron_jobs_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_automation_runbook_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "add_defaultuser_and_password_in_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_regsvr32_application_control_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_phishing_detection_with_fastpass_origin_check_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_event_log_service_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wbemprox_com_object_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_wmiobject_group_discovery_with_script_block_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "recon_avproduct_through_pwh_or_wmi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_compute_instance_created_by_previously_unseen_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmic_xsl_execution_via_url_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "fodhelper_uac_bypass_filter"}, {"definition": "sourcetype=aws:asl", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "amazon_security_lake"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_ds_user_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_wevtutil_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_gcp_detect_sensitive_object_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "java_class_file_download_by_java_user_agent_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabled_kerberos_pre_authentication_discovery_with_get_aduser_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "open_redirect_in_splunk_web_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_users_failed_to_authenticate_using_kerberos_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_snake_malware_service_create_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credential_dumping_lsass_memory_createdump_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_enterprise_information_disclosure_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_identify_protocol_handlers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disable_windows_security_center_notif_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_exfiltration_over_c2_via_powershell_uploadstring_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "password_policy_discovery_with_net_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gsuite_outbound_email_with_attachment_to_external_domain_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_external_guest_user_invited_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_query_registry_uninstall_program_list_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_linked_policies_in_adsi_discovery_filter"}, {"definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkd_webx"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_disable_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_api_activity_from_users_without_mfa_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_domainuser_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_azurehound_file_modifications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_account_locked_out_filter"}, {"definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_rundll32"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_c89_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_injection_remote_thread_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_port_security_violation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_group_discovery_with_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_curl_network_connection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_number_of_cloud_instances_destroyed_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_odbcconf_load_dll_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_suspicious_activity_reported_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_credential_access_failed_login_filter"}, {"definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_regsvr32"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "high_frequency_copy_of_files_in_network_share_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_rundll32_plugininit_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "local_account_discovery_with_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powerview_spn_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_identified_ssl_tls_certificates_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_number_of_cloud_instances_launched_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_detect_sts_get_session_token_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_dns_data_exfiltration_using_pretrained_model_in_dsdl_filter"}, {"definition": "sourcetype=gsuite:drive:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "gsuite_drive"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_users_remotely_failed_to_authenticate_from_host_filter"}, {"definition": "(eventName=AssociateAddress OR eventName=AssociateIamInstanceProfile OR eventName=AttachClassicLinkVpc OR eventName=AttachNetworkInterface OR eventName=AttachVolume OR eventName=BundleInstance OR eventName=DetachClassicLinkVpc OR eventName=DetachVolume OR eventName=ModifyInstanceAttribute OR eventName=ModifyInstancePlacement OR eventName=MonitorInstances OR eventName=RebootInstances OR eventName=ResetInstanceAttribute OR eventName=StartInstances OR eventName=StopInstances OR eventName=TerminateInstances OR eventName=UnmonitorInstances)", "description": "This is a list of AWS event names that have to do with modifying Amazon EC2 instances", "name": "ec2_modification_api_calls"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "mshtml_module_load_in_office_product_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_detect_suspicious_kubectl_calls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "drop_icedid_license_dat_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "elevated_group_discovery_with_powerview_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "protocol_or_port_mismatch_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getdomaincomputer_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_mysql_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates_certificate_issued_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_installutil_remote_network_connection_filter"}, {"definition": "lookup update=true is_windows_system_file filename as process_name OUTPUT systemFile | search systemFile=true", "description": "This macro limits the output to process names that are in the Windows System directory", "name": "is_windows_system_file"}, {"definition": "source=\"WinEventLog:Microsoft-Windows-TaskScheduler/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "wineventlog_task_scheduler"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_system_discovery_with_adsisearcher_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_network_access_control_list_deleted_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_stop_win_updates_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_wmi_win32_scheduledjob_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_email_attachment_extensions_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_protocol_impersonation_weak_encryption_simplerequest_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_threatinsight_login_failure_with_high_unknown_users_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_baron_samedit_cve_2021_3156_via_osquery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_iam_delete_policy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "schedule_task_with_http_command_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disabling_wer_settings_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_addefaultdomainpasswordpolicy_with_powershell_filter"}, {"arguments": ["field"], "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "name": "security_content_ctime"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_dsrm_account_changes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_user_logins_from_multiple_cities_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getadcomputer_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_plistbuddy_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_create_kernel_mode_driver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "sam_database_file_access_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_injection_with_public_source_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_doas_tool_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credentials_from_password_stores_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_installutil_credential_theft_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_add_xml_applocker_rules_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_reg_restore_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_detect_permanent_key_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "scheduled_tasks_used_in_badrabbit_ransomware_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_mshta_execution_in_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_s3_access_from_a_new_ip_filter"}, {"definition": "(Processes.process_name=sdelete.exe OR Processes.original_file_name=sdelete.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_sdelete"}, {"definition": "sourcetype=\"wineventlog:microsoft-windows-wmi-activity/operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "wmi"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_net_user_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "email_attachments_with_lots_of_spaces_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_spearphishing_attachment_onenote_spawn_mshta_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmi_permanent_event_subscription___sysmon_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_detect_sts_assume_role_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ec2_instance_started_with_previously_unseen_instance_type_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_application_administrator_role_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dnsadmins_new_member_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "single_letter_process_on_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gsuite_email_with_known_abuse_web_service_link_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "common_ransomware_notes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_xss_in_monitoring_console_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_computer_changed_with_anonymous_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "account_discovery_with_net_app_filter"}, {"definition": "lookup suspicious_writes_lookup file as file_name OUTPUT note as \"Reference\" | search \"Reference\" != False", "description": "This macro limites the output to file names that have been marked as suspicious", "name": "suspicious_writes"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powerview_kerberos_service_ticket_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_event_log_cleared_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_fraud___password_sharing_across_accounts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_servers_executing_suspicious_processes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getdomaincontroller_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_notification_center_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_nirsoft_utilities_filter"}, {"definition": "(query=login* AND query=www*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Office 365", "name": "evilginx_phishlets_0365"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_control_rundll_hunt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_replication_service_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_web_traffic_to_dynamic_domain_providers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_deletion_of_ssl_certificate_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_access_token_winlogon_duplicate_handle_in_uncommon_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "recursive_delete_of_directory_in_batch_cmd_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_regedit_silent_reg_import_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_iam_delete_policy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_new_device_enrolled_on_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_services_allow_rdp_in_firewall_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "overwriting_accessibility_binaries_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gsuite_email_suspicious_attachment_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "malicious_powershell_process___execution_policy_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defenses_disable_win_defender_auto_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_emacs_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_service_file_created_in_systemd_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_script_proxy_execution_syncappvpublishingserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_show_compress_color_and_info_tip_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wbadmin_delete_system_backups_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_aws_detect_most_active_service_accounts_by_pod_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_application_spawn_rundll32_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_lock_workstation_feature_through_registry_filter"}, {"definition": "source=ActiveDirectory", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "admon"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_detect_users_with_kms_keys_performing_encryption_s3_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_spike_in_security_group_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_list_all_nonstandard_admin_accounts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_php_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disable_windefender_notifications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "no_windows_updates_in_a_time_frame_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_dcom_and_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ingress_tool_transfer_using_explorer_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unknown_process_using_the_kerberos_protocol_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_kubernetes_cluster_scan_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_stop_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_regsvr32_renamed_binary_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_service_stop_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_remove_windows_defender_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_fileless_process_injection_via_getprocaddress_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_event_for_service_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "clop_ransomware_known_service_name_filter"}, {"definition": "lookup update=true dynamic_dns_providers_default dynamic_dns_domains as query OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local dynamic_dns_domains as query OUTPUTNEW isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_default, isDynDNS_local)|fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True", "description": "This macro limits the output of the query field to dynamic dns domains. It looks up the domains in a file provided by Splunk and one intended to be updated by the end user.", "name": "dynamic_dns_providers"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "short_lived_windows_accounts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_msbuild_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_user_enumeration_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "delete_shadowcopy_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "elevated_group_discovery_with_net_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_iam_assume_role_policy_brute_force_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_mfa_exhaustion_hunt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_folderoptions_windows_feature_filter"}, {"definition": "search *", "description": "Add customer specific known false positives to the map command used in detection - Potential password in username", "name": "potential_password_in_username_false_positive_reduction"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_multiple_failed_mfa_requests_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_aws_console_login_by_new_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "child_processes_of_spoolsv_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_winlogon_with_public_network_connection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "network_connection_discovery_with_netstat_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_runbook_webhook_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rundll32_inline_hta_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_logoff_button_through_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "hosts_receiving_high_volume_of_network_traffic_from_email_server_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_computer_account_with_spn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_kworker_process_in_writable_process_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_sqlite3_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "firewall_allowed_program_enable_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_large_outbound_icmp_packets_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "malicious_powershell_executed_as_a_service_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_execute_com_object_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_scheduled_task_with_highest_privileges_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_exfiltration_via_batch_service_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_rundll32_webdav_with_network_connection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_wmi_impersonate_token_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_disable_http_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winword_spawning_cmd_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "non_firefox_process_access_firefox_profile_dir_filter"}, {"definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "o365_management_activity"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_regsvcs_spawning_a_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_registry_tool_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "schedule_task_with_rundll32_command_trigger_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "certutil_download_with_urlcache_and_split_arguments_filter"}, {"definition": "sourcetype=gsuite:calendar:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "gsuite_calendar"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_eks_kubernetes_cluster_sensitive_object_access_filter"}, {"definition": "(Processes.process_name=msiexec.exe OR Processes.original_file_name=msiexec.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_msiexec"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_protocol_impersonation_weak_encryption_selfsigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_adminsdholder_acl_modified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_registry_delete_task_sd_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_updateloginprofile_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "monitor_email_for_brand_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_query_registry_reg_save_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ngrok_reverse_proxy_on_network_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "network_connection_discovery_with_arp_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ssl_certificates_with_punycode_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_rogue_domain_controller_network_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "attempt_to_add_certificate_to_untrusted_store_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_files_and_dirs_access_rights_modification_via_icacls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "shim_database_installation_with_suspicious_parameters_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winword_spawning_windows_script_host_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_successful_single_factor_authentication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_new_federated_domain_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_4104_hunting_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_multiple_failed_mfa_requests_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "access_lsass_memory_for_dump_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "papercut_ng_remote_web_access_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "zeek_x509_certificate_with_punycode_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "download_files_using_telegram_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_ami_atttribute_modification_for_exfiltration_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_detect_sensitive_object_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_indicator_removal_clear_cache_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wermgr_process_create_executable_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_spike_in_network_acl_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_spike_in_s3_bucket_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spoolsv_suspicious_process_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_updateserviceurlalternate_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_aduserresultantpasswordpolicy_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_aduser_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_at_allow_config_file_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_aws_api_activities_from_unapproved_accounts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_start_bitstransfer_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_replication_request_initiated_from_unsanctioned_location_filter"}, {"definition": "lookup update=true is_net_windows_file filename as process_name OUTPUT netFile | lookup update=true is_net_windows_file originalFileName as original_file_name OUTPUT netFile | search netFile=true", "description": "This macro limits the output to process names that are .net binaries on Windows Server 2016 and Windows 11.", "name": "is_net_windows_file"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "change_to_safe_mode_with_network_config_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_wustatusserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_vulnerable_3cx_software_filter"}, {"definition": "(Processes.process_name=psexec.exe OR Processes.process_name=psexec64.exe OR Processes.original_file_name=psexec.c)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_psexec"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_successful_authentication_from_different_ips_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_proxy_socks_curl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_short_lived_domain_controller_spn_attribute_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_deletion_in_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_command_and_scripting_interpreter_risky_spl_mltk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_driver_load_non_standard_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msexchange_management_mailbox_cmdlet_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "supernova_webshell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_zerologon_via_zeek_filter"}, {"definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "powershell"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dns_gather_network_info_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "first_time_seen_command_line_argument_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_remote_user_account_control_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spike_in_file_writes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_rundll32_no_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_bypass_mfa_via_trusted_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_disabled_users_failed_auth_using_kerberos_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_screen_capture_via_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "notepad_with_no_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_sharphound_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_writes_to_system_volume_information_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_aws_instances_launched_by_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_windows_app_hotkeys_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_excessive_authentication_failures_alert_filter"}, {"definition": "sourcetype=\"netbackup_logs\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "netbackup"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_copy_on_system32_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_file_share_discovery_with_powerview_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_new_custom_domain_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_ipv6_network_infrastructure_threats_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winhlp32_spawning_a_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_gcp_detect_service_accounts_forbidden_failure_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_node_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_provisioning_activity_from_previously_unseen_ip_address_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "resize_shadowstorage_volume_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getdomaincontroller_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_renamed_7_zip_filter"}, {"definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkd"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_cronjob_modification_with_editor_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_create_sliverc2_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_input_capture_using_credential_ui_dll_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_indirect_command_execution_via_pcalua_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "allow_inbound_traffic_in_firewall_rule_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_stdout_redirection_to_dev_null_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_lateral_tool_transfer_remcom_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell___connect_to_internet_with_hidden_window_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_winrm_and_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_get_ciminstance_remote_computer_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_f5_tmui_rce_cve_2020_5902_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_account_manipulation_of_ssh_config_and_keys_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_hosts_file_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "possible_browser_pass_view_parameter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getdomaincomputer_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_detect_attach_to_role_policy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "revil_common_exec_parameter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "macos_lolbin_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_malicious_requests_to_exploit_jboss_servers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_code_injection_via_custom_dashboard_leading_to_rce_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_renamed_rclone_filter"}, {"definition": "sourcetype=\"zeek:x509:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "zeek_x509"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winevent_scheduled_task_created_within_public_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "schtasks_scheduling_job_on_remote_system_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_attempt_to_disable_services_filter"}, {"definition": "(query=outlook* AND query=login* AND query=account*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Outlook", "name": "evilginx_phishlets_outlook"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_wmi_command_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_cloud_provisioning_from_previously_unseen_ip_address_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_logs_using_wevtutil_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dll_search_order_hijacking_hunt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "vmware_workspace_one_freemarker_server_side_template_injection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "possible_lateral_movement_powershell_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "enable_wdigest_uselogoncredential_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "etw_registry_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_spawning_mshta_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_command_and_scripting_interpreter_delete_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_ds_group_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_apache_benchmark_binary_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "serviceprincipalnames_discovery_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_etw_through_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wermgr_process_connecting_to_ip_check_web_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "interactive_session_on_remote_endpoint_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dns_query_length_with_high_standard_deviation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "enable_rdp_in_other_port_number_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_system_discovery_with_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_suspicious_processnames_using_pretrained_model_in_dsdl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_endpoint_denial_of_service_dos_zip_bomb_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_usage_of_net_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "github_commit_in_develop_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_shimcache_flush_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_high_number_of_failed_authentications_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_dnsquery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "living_off_the_land_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remcos_client_registry_install_entry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disableantispyware_registry_filter"}, {"definition": "sourcetype=\"papercutng\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "papercutng"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_hidden_schedule_task_settings_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_credential_access_rds_password_reset_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_successful_console_authentication_from_multiple_ips_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_system_network_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "processes_tapping_keyboard_events_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multi_hop_proxy_tor_website_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_users_failed_to_authenticate_from_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unusual_number_of_computer_service_tickets_requested_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_new_mfa_method_registered_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_show_hidden_files_filter"}, {"definition": "(eventName=AuthorizeSecurityGroupIngress OR eventName=CreateSecurityGroup OR eventName=DeleteSecurityGroup OR eventName=DescribeClusterSecurityGroups OR eventName=DescribeDBSecurityGroups OR eventName=DescribeSecurityGroupReferences OR eventName=DescribeSecurityGroups OR eventName=DescribeStaleSecurityGroups OR eventName=RevokeSecurityGroupIngress OR eventName=UpdateSecurityGroupRuleDescriptionsIngress)", "description": "This macro is a list of AWS event names associated with security groups", "name": "security_group_api_calls"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_cmd_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "log4shell_jndi_payload_injection_with_outbound_connection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_usage_of_cacls_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_long_dns_txt_record_response_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dns_record_changed_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_disable_mfa_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_jsp_request_via_url_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "certutil_with_decode_argument_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "revil_registry_entry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_domain_controller_audit_policy_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_mshta_renamed_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_attackers_scanning_for_vulnerable_jboss_servers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "create_local_admin_accounts_using_net_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "monitor_dns_for_brand_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_api_calls_from_previously_unseen_user_roles_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_iam_successful_group_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_exchange_web_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powerview_constrained_delegation_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "sdclt_uac_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_password_managers_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "system_information_discovery_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_iis_components_new_module_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "user_discovery_with_env_vars_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ec2_instance_started_with_previously_unseen_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_account_discovery_with_net_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wermgr_process_spawned_cmd_or_powershell_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_indicator_removal_service_file_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "lolbas_with_network_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_nirsoft_advancedrun_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_unix_shell_enable_all_sysrq_functions_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "svchost_lolbas_execution_process_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dll_side_loading_process_child_of_calc_filter"}, {"definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_certutil"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_amsi_through_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_invalid_users_fail_to_authenticate_using_kerberos_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "mmc_lolbas_execution_process_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_setuid_using_chmod_utility_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_new_mfa_method_registered_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_spawning_control_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dump_lsass_via_comsvcs_dll_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_privileged_role_assigned_to_service_principal_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_disable_security_monitoring_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_no_auto_reboot_with_logon_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winevent_windows_task_scheduler_event_action_started_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_ecr_container_scanning_findings_low_informational_unknown_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_create_policy_version_to_allow_all_resources_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_windows_event_logging_disable_http_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_command_and_scripting_interpreter_path_traversal_exec_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabled_kerberos_pre_authentication_discovery_with_powerview_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "smb_traffic_spike_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_multiple_users_failing_to_authenticate_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_provisioning_activity_from_previously_unseen_country_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_create_with_tscon_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_detect_role_creation_filter"}, {"definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "stream_http"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_domaintrust_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_registry_certificate_added_filter"}, {"definition": "(Processes.process_name=csc.exe OR Processes.original_file_name=csc.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_csc"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getnettcpconnection_with_powershell_filter"}, {"definition": "(Processes.process_name=curl.exe OR Processes.original_file_name=Curl.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_curl"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_cloud_provisioning_from_previously_unseen_city_filter"}, {"definition": "index=_audit \"action=login attempt\" \"info=failed\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkd_failed_auths"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_change_file_owner_to_root_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_users_failed_to_authenticate_from_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_mail_protocol_in_non_common_process_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "creation_of_lsass_dump_with_taskmgr_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_scheduletask_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "exchange_powershell_abuse_via_ssrf_filter"}, {"definition": "index=_internal sourcetype=splunkd_ui_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "path_traversal_spl_injection"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "circle_ci_disable_security_job_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_excessive_sso_logon_errors_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "email_servers_sending_high_volume_traffic_to_hosts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_fraud___anomalous_user_clickspeed_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_clipboard_data_via_get_clipboard_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_protocol_impersonation_weak_encryption_configuration_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_schtasks_create_run_as_system_filter"}, {"definition": "(Processes.process_name=bitsadmin.exe OR Processes.original_file_name=bitsadmin.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_bitsadmin"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_initiation_on_remote_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winrm_spawning_a_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_file_created_in_kernel_driver_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_system_reboot_via_system_request_key_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rtlo_in_file_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_common_process_for_elevation_control_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_create_remote_thread_to_a_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spectre_and_meltdown_vulnerable_systems_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_new_federated_domain_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_user_enabled_and_password_reset_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kerberos_tgt_request_using_rc4_encryption_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_indirect_command_execution_via_forfiles_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "amazon_eks_kubernetes_cluster_scan_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_detect_accounts_with_high_risk_roles_by_project_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_doas_conf_file_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "impacket_lateral_movement_commandline_parameters_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "registry_keys_used_for_persistence_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "enumerate_users_local_group_using_telegram_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_digital_certificates_infrastructure_version_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_windows_defender_exclusion_commands_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmic_noninteractive_app_uninstallation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_defender_spynet_reporting_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_user_discovery_via_quser_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spring4shell_payload_url_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "exploit_public_facing_fortinet_fortinac_cve_2022_39952_filter"}, {"definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new zoom child processes", "name": "previously_seen_zoom_child_processes_window"}, {"definition": "index=zeek sourcetype=\"zeek:ssl:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "zeek_ssl"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_aws_instances_terminated_by_user___mltk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_usage_of_nslookup_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_windows_dns_sigred_via_zeek_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_windows_group_policy_features_through_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dump_lsass_via_procdump_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_file_creation_in_init_boot_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_masquerading_explorer_as_child_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "process_writing_dynamicwrapperx_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_binary_proxy_execution_compiled_html_file_decompile_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_user_immutableid_attribute_updated_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_network_access_control_list_created_with_all_open_ports_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "uac_bypass_with_colorui_com_object_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_octave_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_dd_file_overwrite_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_insert_kernel_module_using_insmod_utility_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_document_spawned_child_process_to_download_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_invoke_wmiexec_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmi_temporary_event_subscription_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "prohibited_software_on_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_sid_history_attribute_modified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dsquery_domain_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "processes_launching_netsh_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_autostart_execution_lsass_driver_registry_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "malicious_powershell_process___encoded_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unload_sysmon_filter_driver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_gnu_awk_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_windows_dns_sigred_via_splunk_stream_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_persistent_xss_via_url_validation_bypass_w_dashboard_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_ngrok_reverse_proxy_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "icacls_grant_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "log4shell_cve_2021_44228_exploitation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_schedule_task_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_gcp_detect_suspicious_kubectl_calls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "secretdumps_offline_ntds_dumping_tool_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_java_classes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "macos___re_opened_applications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_injection_into_notepad_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dns_query_length_outliers___mltk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_export_pfxcertificate_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_connhost_exe_started_forcefully_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_new_open_s3_buckets_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_iso_lnk_file_creation_filter"}, {"definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_reg"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_command_shell_dcrat_forkbomb_payload_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "time_provider_persistence_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wsmprovhost_lolbas_execution_process_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "any_powershell_downloadstring_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_default_group_policy_object_modified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "execute_javascript_with_jscript_com_clsid_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "high_process_termination_frequency_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_image_creation_in_appdata_folder_filter"}, {"definition": "lookup update=true is_nirsoft_software filename as process_name OUTPUT nirsoftFile | search nirsoftFile=true", "description": "This macro is related to potentially identifiable software related to NirSoft. Remove or filter as needed based.", "name": "is_nirsoft_software"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dns_query_requests_resolved_by_unauthorized_dns_servers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "silentcleanup_uac_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_baron_samedit_cve_2021_3156_segfault_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_discovery_using_qwinsta_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_authentication_failed_during_mfa_challenge_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_install_kernel_module_using_modprobe_utility_filter"}, {"definition": "(Processes.process_name=setspn.exe OR Processes.original_file_name=setspn.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_setspn"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_sudoers_tmp_file_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_iis_components_webglobalmodule_usage_filter"}, {"definition": "(Processes.process_name=msbuild.exe OR Processes.original_file_name=MSBuild.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_msbuild"}, {"definition": "(Processes.process_name=dxdiag.exe OR Processes.original_file_name=dxdiag.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_dxdiag"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gsuite_email_suspicious_subject_with_attachment_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_regasm_with_network_connection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getdomaingroup_with_powershell_filter"}, {"definition": "(source=XmlWinEventLog:Microsoft-Windows-CAPI2/Operational)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "capi2_operational"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_gather_victim_identity_sam_info_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_mof_event_triggered_execution_via_wmi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_binary_proxy_execution_mavinject_dll_injection_filter"}, {"definition": "sourcetype=gws:reports:admin", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "gws_reports_admin"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rtlo_in_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_spike_in_aws_security_hub_alerts_for_ec2_instance_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_access_token_manipulation_winlogon_duplicate_token_handle_filter"}, {"definition": "lookup update=true lookup_uncommon_processes_default process_name as process_name outputnew uncommon_default,category_default,analytic_story_default,kill_chain_phase_default,mitre_attack_default | lookup update=true lookup_uncommon_processes_local process_name as process_name outputnew uncommon_local,category_local,analytic_story_local,kill_chain_phase_local,mitre_attack_local | eval uncommon = coalesce(uncommon_default, uncommon_local), analytic_story = coalesce(analytic_story_default, analytic_story_local), category=coalesce(category_default, category_local), kill_chain_phase=coalesce(kill_chain_phase_default, kill_chain_phase_local), mitre_attack=coalesce(mitre_attack_default, mitre_attack_local) | fields - analytic_story_default, analytic_story_local, category_default, category_local, kill_chain_phase_default, kill_chain_phase_local, mitre_attack_default, mitre_attack_local, uncommon_default, uncommon_local | search uncommon=true", "description": "This macro limits the output to processes that have been marked as uncommon", "name": "uncommon_processes"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "allow_inbound_traffic_by_firewall_rule_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_digital_certificates_lack_of_encryption_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_high_number_of_failed_authentications_for_user_filter"}, {"definition": "lookup update=true brandMonitoring_lookup domain as query OUTPUT domain_abuse | search domain_abuse=true", "description": "This macro limits the output to only domains that are in the brand monitoring lookup file", "name": "brand_abuse_dns"}, {"definition": "sourcetype=MSExchange:management", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "msexchange_management"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "net_profiler_uac_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "allow_file_and_printing_sharing_in_firewall_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_rdp_connection_successful_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_multiple_users_failing_to_authenticate_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_systemrestore_in_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_curl_upload_to_remote_destination_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_spawn_cmd_process_filter"}, {"definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "aws_cloudwatchlogs_eks"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excel_spawning_windows_script_host_filter"}, {"definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "cloudtrail"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_rbac_bypass_on_indexing_preview_rest_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_terminating_lsass_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_command_and_scripting_interpreter_risky_commands_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_privileged_authentication_administrator_role_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "system_info_gathering_using_dxdiag_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_privileged_account_sid_history_addition_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_get_localgroup_discovery_with_script_block_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_dsrm_password_reset_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "extended_period_without_successful_netbackup_backups_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_edit_cron_table_parameter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_saml_access_by_provider_user_and_principal_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "randomly_generated_windows_service_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_spring_cloud_function_functionrouter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "msmpeng_application_dll_side_loading_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_service_started_or_enabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_gpupdate_no_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_creating_thread_mutex_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_number_of_taskhost_processes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_number_of_cloud_security_group_api_calls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_shutdown_button_through_registry_filter"}, {"definition": "lookup update=true ransomware_extensions_lookup Extensions AS file_extension OUTPUT Name | search Name !=False", "description": "This macro limits the output to files that have extensions associated with ransomware", "name": "ransomware_extensions"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_auto_minor_updates_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_traffic_mirroring_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "log4shell_jndi_payload_injection_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_with_namedpipe_commandline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "protocols_passing_authentication_in_cleartext_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getnettcpconnection_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_group_discovery_with_adsisearcher_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_export_certificate_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_gem_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_defense_evasion_delete_cloudwatch_log_group_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_append_cronjob_entry_on_existing_cronjob_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cmdline_tool_not_executed_in_cmd_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "osquery_pack___coldroot_detection_filter"}, {"definition": "userName IN (user)", "description": "specify the user allowed to push Images to AWS ECR.", "name": "aws_ecr_users"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "process_creating_lnk_file_in_suspicious_location_filter"}, {"definition": "eventtype=\"osquery-process\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "osquery_process"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_add_user_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_spike_in_blocked_outbound_traffic_from_your_aws_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_network_connections_discovery_netsh_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_service_rdpwinst_tool_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_add_module_to_global_assembly_cache_filter"}, {"definition": "index=risk", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "risk_index"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_wmi_process_and_service_list_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "attempt_to_stop_security_service_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_path_traversal_in_splunk_app_for_lookup_file_edit_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_aws_console_login_by_user_from_new_city_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_outbound_smb_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_ecr_container_scanning_findings_medium_filter"}, {"definition": "(Processes.original_file_name=rclone.exe OR Processes.process_name=rclone.exe)", "description": "Matches the process with its original file name.", "name": "process_rclone"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_aduserresultantpasswordpolicy_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "reg_exe_manipulating_windows_services_registry_keys_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rubeus_command_line_parameters_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "sunburst_correlation_dll_and_network_event_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_application_spawn_regsvr32_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_added_service_principal_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_prohibited_applications_spawning_cmd_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_system_discovery_with_dsquery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "creation_of_shadow_copy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "hunting_3cxdesktopapp_software_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "clients_connecting_to_multiple_dns_servers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_fraud___account_harvesting_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "execution_of_file_with_multiple_extensions_filter"}, {"definition": "sourcetype=osquery:results", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "osquery"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_sharphound_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_password_policy_changes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_security_logs_using_minint_registry_filter"}, {"definition": "index=_internal sourcetype=splunk_python", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunk_python"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_replication_request_initiated_by_user_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_ssh_key_file_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_mimikatz_crypto_export_file_extensions_filter"}, {"definition": "(query=fls-na* AND query = www* AND query=images*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Amazon", "name": "evilginx_phishlets_amazon"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_credential_dumping_through_lsass_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_computer_account_created_by_computer_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_scheduled_task_created_via_xml_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_security_account_manager_stopped_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "slui_runas_elevated_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_rundll32_rename_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powerview_unconstrained_delegation_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_delete_win_defender_profile_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_driver_loaded_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_msbuild_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_authentication_failed_during_mfa_challenge_filter"}, {"definition": "sourcetype=circleci", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "circleci"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_wmi_and_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_compute_instance_created_with_previously_unseen_image_filter"}, {"definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_wmic"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_rundll32_startw_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_access_software_brc4_loaded_dll_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_ecr_container_upload_outside_business_hours_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unusually_long_command_line_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winword_spawning_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_service_principal_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_psexec_with_accepteula_flag_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_writes_to_windows_recycle_bin_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "schtasks_used_for_forcing_a_reboot_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "usn_journal_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_puppet_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_ingress_tool_transfer_hunting_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "system_user_discovery_with_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "vmware_aria_operations_exploit_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_persistence_and_privilege_escalation_risk_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_cloud_provisioning_from_previously_unseen_country_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_wuserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cobalt_strike_named_pipes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ec2_instance_started_with_previously_unseen_ami_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_spawning_bitsadmin_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rclone_command_line_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_defender_blockatfirstseen_feature_filter"}, {"definition": "(Processes.process_name=schtasks.exe OR Processes.original_file_name=schtasks.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_schtasks"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_scan_fingerprint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dump_lsass_via_procdump_rename_filter"}, {"definition": "sourcetype=kube:objects:events", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "kube_objects_events"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_privileged_role_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_odbcconf_load_response_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_file_transfer_protocol_in_non_common_process_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "macos_plutil_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_usage_of_sc_service_utility_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_apt_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_cryptography_namespace_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_exfiltration_via_datasync_task_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_special_privileged_logon_on_multiple_hosts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_console_login_failed_during_mfa_challenge_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_detect_sensitive_role_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_compute_instance_created_with_previously_unseen_instance_type_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter"}, {"definition": "(Processes.process_name=ping.exe OR Processes.original_file_name=ping.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_ping"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_unusual_number_of_failed_authentications_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_decode_base64_to_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_distinct_processes_from_windows_temp_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_discovery_using_ldap_nslookup_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_xss_in_save_table_dialog_header_in_search_page_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_cross_account_activity_from_previously_unseen_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_short_lived_server_object_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_apt_get_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msiexec_with_network_connections_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_aws_console_login_by_user_from_new_country_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_domain_enumeration_filter"}, {"definition": "(Processes.process_name=microsoft.workflow.compiler.exe OR Processes.original_file_name=Microsoft.Workflow.Compiler.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_microsoftworkflowcompiler"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_nginx_ingress_lfi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter"}, {"definition": "(query=www* AND query = m* AND query=static*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as FaceBook", "name": "evilginx_phishlets_facebook"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "chcp_command_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_cached_domain_credentials_reg_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spoolsv_writing_a_dll_filter"}, {"definition": "index=_audit sourcetype=audittrail action=search", "description": "Macro to enable easy searching of audittrail logs for searches", "name": "audit_searches"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_get_localgroup_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "fortinet_appliance_auth_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_proxy_via_registry_filter"}, {"definition": "(Processes.process_name=nltest.exe OR Processes.original_file_name=nltestrk.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_nltest"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "hide_user_account_from_sign_in_screen_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_lockworkstation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_new_api_token_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_large_number_of_computer_service_tickets_requested_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_enable_smb1protocol_feature_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wsreset_uac_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_suspicious_admin_email_forwarding_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_installutil_in_non_standard_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_excessive_security_scanning_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_html_help_spawn_child_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_gcp_detect_sensitive_role_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_file_on_disk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "curl_download_and_bash_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_spike_in_aws_security_hub_alerts_for_user_filter"}, {"definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "wineventlog_security"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_created_with_suspicious_service_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmiprsve_lolbas_execution_process_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_scheduled_task_from_public_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_exfiltration_over_c2_via_invoke_restmethod_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_risk_threshold_exceeded_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "known_services_killed_by_ransomware_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "loading_of_dynwrapx_module_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_kernel_module_enumeration_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_com_hijacking_inprocserver32_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_risky_spl_using_pretrained_ml_model_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_suspicious_use_of_a_session_cookie_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_time_discovery_w32tm_delay_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates_cryptoapi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_dcom_and_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_unusual_number_of_failed_authentications_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_detect_gcploit_framework_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_outlook_exe_writing_a_zip_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_defense_evasion_delete_cloudwatch_log_group_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_unusual_number_of_failed_authentications_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_controller_discovery_with_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "path_traversal_spl_injection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "mshta_spawning_rundll32_or_regsvr32_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dllhost_with_no_command_line_arguments_with_network_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_number_of_service_control_start_as_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_hijack_execution_flow_version_dll_side_load_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmi_recon_running_process_or_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_services_allow_remote_assistance_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_file_creation_in_profile_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_multi_factor_authentication_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kerberos_user_enumeration_filter"}, {"definition": "sourcetype=\"aws:securityhub:finding\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "aws_securityhub_finding"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_defense_evasion_delete_cloudtrail_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_createloginprofile_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_renamed_psexec_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_successful_single_factor_authentication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_private_keys_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_command_shell_fetch_env_variables_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_defender_mpengine_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_system_discovery_with_net_filter"}, {"definition": "(Processes.process_name=mshta.exe OR Processes.original_file_name=MSHTA.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_mshta"}, {"definition": "source=\"wineventlog:microsoft-windows-printservice/operational\" OR source=\"WinEventLog:Microsoft-Windows-PrintService/Admin\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "printservice"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_account_discovery_drilldown_dashboard_disclosure_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_document_executing_macro_code_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "net_localgroup_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_processing_stream_of_data_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_domainpolicy_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_installutil_url_in_command_line_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_exchange_autodiscover_ssrf_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "petitpotam_suspicious_kerberos_tgt_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_papercut_ng_spawn_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_unnecessary_file_extensions_allowed_by_lookup_table_uploads_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unsigned_image_loaded_by_lsass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_hosts_connecting_to_dynamic_domain_providers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_spearphishing_attachment_connect_to_none_ms_office_domain_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "steal_or_forge_authentication_certificates_behavior_identified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credentials_from_password_stores_chrome_localstate_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_cross_domain_sid_history_addition_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_concurrent_sessions_from_different_ips_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_wmi_and_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "searchprotocolhost_with_no_command_line_with_network_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unloading_amsi_via_reflection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_group_discovery_with_net_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_app_layer_protocol_qakbot_namedpipe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_creation_on_remote_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_exfiltration_via_anomalous_getobject_api_activity_filter"}, {"definition": "sourcetype=aws:s3:accesslogs", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "aws_s3_accesslogs"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_task_manager_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_file_write_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_access_token_manipulation_sedebugprivilege_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_low_privilege_user_can_view_hashed_splunk_password_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "trickbot_named_pipe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_preload_hijack_library_calls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_new_user_aws_console_login_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_renamed_winrar_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_software_download_to_network_device_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "uncommon_processes_on_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_mshta_child_process_filter"}, {"definition": "sourcetype=gsuite:gmail:bigquery", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "gsuite_gmail"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unusually_long_command_line___mltk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "active_setup_registry_autostart_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "malicious_inprocserver32_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ldifde_directory_object_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_protocol_tunneling_with_plink_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dll_search_order_hijacking_hunt_with_sysmon_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "active_directory_lateral_movement_identified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_high_frequency_of_file_deletion_in_boot_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "allow_network_discovery_in_firewall_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_users_remotely_failed_to_auth_from_host_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_adfind_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "anomalous_usage_of_7zip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_assistance_spawning_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_network_config_discovery_display_dns_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "github_commit_changes_in_master_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_curl_upload_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wscript_or_cscript_suspicious_child_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_ecr_container_upload_unknown_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_new_api_calls_from_user_roles_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "confluence_unauthenticated_remote_code_execution_cve_2022_26134_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "exploit_public_facing_application_via_apache_commons_text_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cmlua_or_cmstplua_uac_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_kubernetes_cluster_pod_scan_detection_filter"}, {"definition": "eventtype=okta_log", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "okta"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_deny_security_software_with_applocker_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_dos_via_malformed_s2s_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_pim_role_assignment_activated_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_stop_via_net__and_sc_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ec2_instance_started_in_previously_unseen_region_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_mshta_inline_hta_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_uac_remote_restriction_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "correlation_by_user_and_risk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "credential_dumping_via_symlink_to_shadow_copy_filter"}, {"definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_netsh"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_global_administrator_role_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_spawning_rundll32_with_no_dll_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_phishing_pdf_file_executes_url_link_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_installutil_uninstall_option_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "nltest_domain_trust_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_addefaultdomainpasswordpolicy_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_defense_evasion_putbucketlifecycle_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kerberos_pre_authentication_flag_disabled_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getlocaluser_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_usewuserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_outbound_ldap_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_app_layer_protocol_wermgr_connect_to_namedpipe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_data_destruction_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_new_open_s3_buckets_over_aws_cli_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_html_help_renamed_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_detect_service_accounts_forbidden_failure_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_indirect_command_execution_via_series_of_forfiles_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "potentially_malicious_code_on_commandline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "process_execution_via_wmi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_arp_poisoning_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_desktop_network_bruteforce_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_shred_overwrite_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_group_discovery_with_dsquery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_possible_credential_dumping_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_load_module_in_meterpreter_filter"}, {"definition": "source=\"WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "remoteconnectionmanager"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "system_processes_run_from_unexpected_locations_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_domain_controller_promotion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_new_mfa_method_registered_for_user_filter"}, {"definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "sysmon"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "bcdedit_failure_recovery_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_root_domain_linked_policies_discovery_filter"}, {"definition": "eventtype=wineventlog_application OR source=\"XmlWinEventLog:Application\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "wineventlog_application"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_deleted_registry_by_a_non_critical_process_file_path_filter"}, {"definition": "(source=XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational OR source=XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "certificateservices_lifecycle"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_use_of_cmd_exe_to_launch_script_interpreters_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_path_interception_by_creation_of_program_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powersploit_gpp_discovery_filter"}, {"definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_powershell"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_export_certificate_filter"}, {"definition": "sourcetype=\"MSWindows:IIS\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "exchange"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ms_scripting_process_loading_wmi_module_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_default_group_policy_object_modified_with_gpme_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "local_account_discovery_with_net_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "plain_http_post_exfiltrated_data_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_detect_rbac_authorization_by_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "icacls_deny_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_defender_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "prevent_automatic_repair_mode_using_bcdedit_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "create_remote_thread_in_shell_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_multiple_users_failing_to_authenticate_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_append_command_to_profile_config_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rundll32_application_control_bypass___syssetup_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_sudo_or_su_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "shim_database_file_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_logoff_commandline_filter"}, {"definition": "(Processes.process_name=verclsid.exe OR Processes.original_file_name=verclsid.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_verclsid"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_excessive_account_lockouts_from_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_users_failed_to_auth_using_kerberos_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "runas_execution_in_commandline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_diskshadow_proxy_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_windows_behavior_monitoring_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_mshta_url_in_command_line_filter"}, {"definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkd_web"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_gather_victim_network_info_through_ip_check_web_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_active_service_accounts_by_pod_namespace_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_network_access_control_list_deleted_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "creation_of_shadow_copy_with_wmic_and_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_reboot_commandline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_spawning_windows_script_host_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_wav_file_in_appdata_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_account_discovery_with_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_controller_discovery_with_nltest_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_service_principal_new_client_credentials_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "network_connection_discovery_with_net_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_windows_local_security_authority_defences_via_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "non_chrome_process_accessing_chrome_default_dir_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "icedid_exfiltrated_archived_file_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "java_writing_jsp_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_provisioning_activity_from_previously_unseen_region_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "process_deleting_its_process_file_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_firewall_with_netsh_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_dos_via_dump_spl_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_diskcryptor_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_data_exfiltration_from_analytics_workspace_using_sid_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_credential_access_getpassworddata_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_edit_user_privilege_escalation_filter"}, {"definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new provisioning activities", "name": "previously_unseen_cloud_provisioning_activity_window"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_at_application_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "monitor_web_traffic_for_brand_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "xmrig_driver_loaded_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_s3_exfiltration_behavior_identified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_microsoft_workflow_compiler_rename_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_enable_win32_scheduledjob_via_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_user_account_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "registry_keys_for_creating_shim_databases_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_auto_update_notif_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_mimikatz_via_powershell_and_eventcode_4703_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_threatinsight_threat_detected_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ngrok_reverse_proxy_usage_filter"}, {"definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkda"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_automation_account_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_domain_replication_acl_addition_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_qakbot_binary_data_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_iam_failure_group_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_mshta_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_risky_command_abuse_disclosed_february_2023_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "bits_job_persistence_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getlocaluser_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_two_or_more_rejected_okta_pushes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_created_within_public_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_controlpanel_filter"}, {"definition": "(Processes.process_name=cmd.exe OR Processes.process_name=powershell.exe OR Processes.process_name=pwsh.exe OR Processes.process_name=sh.exe OR Processes.process_name=bash.exe OR Processes.process_name=wscript.exe OR Processes.process_name=cscript.exe)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "windows_shells"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_access_software_rms_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_searchprotocolhost_no_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_suspicious_rights_delegation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_or_forge_kerberos_tickets_klist_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "mailsniper_invoke_functions_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_curl_download_to_suspicious_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_xss_via_view_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_create_service_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmi_permanent_event_subscription_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "github_pull_request_from_unknown_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "hunting_for_log4shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rundll32_application_control_bypass___advpack_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dns_exfiltration_using_nslookup_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_create_local_account_filter"}, {"definition": "sourcetype=aws:cloudwatchlogs:vpcflow", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "cloudwatchlogs_vpcflow"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "schcache_change_by_app_connect_and_create_adsi_object_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_group_policy_object_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_administrative_shares_accessed_on_multiple_hosts_filter"}, {"definition": "sourcetype = PwSh:bootloader", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "bootloader_inventory"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "first_time_seen_running_windows_service_filter"}, {"definition": "(Processes.process_name=installutil.exe OR Processes.original_file_name=InstallUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_installutil"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_findstr_gpp_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_aws_detect_sensitive_role_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_rpm_privilege_escalation_filter"}, {"definition": "index=zeek sourcetype=\"zeek:rpc:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "zeek_rpc"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_desktop_network_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "vmware_server_side_template_injection_hunt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "user_discovery_with_env_vars_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_append_command_to_at_allow_config_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_users_failed_to_authenticate_using_ntlm_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_nginx_ingress_rfi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_control_rundll_world_writable_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "randomly_generated_scheduled_task_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rundll32_application_control_bypass___setupapi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_gather_victim_host_information_camera_filter"}, {"definition": "lookup update=true brandMonitoring_lookup domain as urls OUTPUT domain_abuse | search domain_abuse=true", "description": "This macro limits the output to only domains that are in the brand monitoring lookup file", "name": "brand_abuse_web"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_cloud_provisioning_from_previously_unseen_region_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_multiple_failed_requests_to_access_applications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_access_or_modification_of_sshd_config_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_new_open_gcp_storage_buckets_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_iptables_firewall_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "mimikatz_passtheticket_commandline_parameters_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_deletion_of_init_daemon_script_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_foresttrust_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kerberoasting_spn_request_with_rc4_encryption_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "outbound_network_connection_from_java_using_default_ports_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_multi_factor_authentication_disabled_filter"}, {"definition": "(Processes.process_name=route.exe OR Processes.original_file_name=route.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_route"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winevent_scheduled_task_created_to_spawn_shell_filter"}, {"definition": "(Processes.process_name=runas.exe OR Processes.original_file_name=runas.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_runas"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_krbrelayup_service_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "auto_admin_logon_registry_entry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_desktop_process_running_on_system_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_azurehound_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "bitsadmin_download_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_multi_factor_authentication_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "reg_exe_used_to_hide_files_directories_via_registry_keys_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "regsvr32_silent_and_install_param_dll_loading_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "verclsid_clsid_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credentials_in_registry_reg_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unsuccessful_netbackup_backups_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "sqlite_module_in_temp_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_deleting_critical_directory_using_rm_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_phishing_recent_iso_exec_registry_filter"}, {"definition": "(Processes.process_name=diskshadow.exe OR Processes.original_file_name=diskshadow.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_diskshadow"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "clop_common_exec_parameter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_get_adcomputer_unconstrained_delegation_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_gcp_storage_access_from_a_new_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_office_product_spawning_msdt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "services_lolbas_execution_process_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_cpulimit_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_defense_evasion_update_cloudtrail_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ec2_instance_modified_with_previously_unseen_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_aduser_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "monitor_registry_keys_for_print_monitors_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_nopasswd_entry_in_sudoers_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates_certutil_backup_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_processes_used_for_system_network_configuration_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gsuite_suspicious_calendar_invite_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_no_auto_update_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_msbuild_rename_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_iis_components_get_webglobalmodule_module_query_filter"}, {"definition": "lookup ransomware_notes_lookup ransomware_notes as file_name OUTPUT status as \"Known Ransomware Notes\" | search \"Known Ransomware Notes\"=True", "description": "This macro limits the output to files that have been identified as a ransomware note", "name": "ransomware_notes"}, {"definition": "index=netops sourcetype=\"f5:bigip:rogue\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "f5_bigip_rogue"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_process_with_discord_dns_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spoolsv_spawning_rundll32_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_find_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "nishang_powershelltcponeline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "github_dependabot_alert_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_spawning_certutil_filter"}, {"definition": "sourcetype=aws:firehose:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "github"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_windows_smartscreen_protection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_regsvr32_register_suspicious_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_ds_user_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_instance_modified_by_previously_unseen_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_detect_high_risk_permissions_by_resource_and_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "modification_of_wallpaper_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_detect_oauth_token_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "fsutil_zeroing_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_process_file_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powerview_ad_access_control_list_enumeration_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disallow_windows_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_delete_win_defender_context_menu_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_new_login_attempts_to_routers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_gdb_privilege_escalation_filter"}, {"definition": "sourcetype=kube:container:controller", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data. Replace the macro definition with configurations for your Splunk Environmnent.", "name": "kubernetes_container_controller"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_injection_wermgr_child_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ntdsutil_export_ntds_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_active_directory_high_risk_sign_in_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "potential_password_in_username_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "esentutl_sam_copy_filter"}, {"definition": "(process_name= \"arp.exe\" OR process_name= \"at.exe\" OR process_name= \"attrib.exe\" OR process_name= \"cscript.exe\" OR process_name= \"dsquery.exe\" OR process_name= \"hostname.exe\" OR process_name= \"ipconfig.exe\" OR process_name= \"mimikatz.exe\" OR process_name= \"nbstat.exe\" OR process_name= \"net.exe\" OR process_name= \"netsh.exe\" OR process_name= \"nslookup.exe\" OR process_name= \"ping.exe\" OR process_name= \"quser.exe\" OR process_name= \"qwinsta.exe\" OR process_name= \"reg.exe\" OR process_name= \"runas.exe\" OR process_name= \"sc.exe\" OR process_name= \"schtasks.exe\" OR process_name= \"ssh.exe\" OR process_name= \"systeminfo.exe\" OR process_name= \"taskkill.exe\" OR process_name= \"telnet.exe\" OR process_name= \"tracert.exe\" OR process_name=\"wscript.exe\" OR process_name= \"xcopy.exe\")", "description": "This macro is a list of process that can be used to discover the network configuration", "name": "system_network_configuration_discovery_tools"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_adding_crontab_using_list_parameter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_rapid_authentication_on_multiple_hosts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_ds_group_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "elevated_group_discovery_with_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_mimikatz_using_loaded_images_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "short_lived_scheduled_task_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_wmi_event_subscription_persistence_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_awk_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_pim_role_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_defender_exclusion_registry_entry_filter"}, {"definition": "sourcetype=\"IIS:Configuration:Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "iis_operational_logs"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_defense_evasion_stop_logging_cloudtrail_filter"}, {"definition": "(query=api* AND query = github*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as GitHub", "name": "evilginx_phishlets_github"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "sdelete_application_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_admon_default_group_policy_object_modified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_fileless_script_contains_base64_encoded_content_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "control_loading_from_world_writable_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "sc_exe_manipulating_windows_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_account_discovery_with_dsquery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "impacket_lateral_movement_smbexec_commandline_parameters_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_change_password_through_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_import_applocker_policy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_bootloader_inventory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_webshell_exploit_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_aws_detect_service_accounts_forbidden_failure_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_file_deletion_in_windefender_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "w3wp_spawning_shell_filter"}, {"definition": "(eventName = CreateNetworkAcl OR eventName = CreateNetworkAclEntry OR eventName = DeleteNetworkAcl OR eventName = DeleteNetworkAclEntry OR eventName = ReplaceNetworkAclEntry OR eventName = ReplaceNetworkAclAssociation)", "description": "This is a list of AWS event names that are associated with Network ACLs", "name": "network_acl_events"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_provisioning_activity_from_previously_unseen_city_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_successful_single_factor_authentication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_high_number_of_failed_authentications_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_suppress_win_defender_notif_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ransomware_notes_bulk_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_with_no_command_line_arguments_with_network_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_norun_windows_app_filter"}, {"definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new Windows services", "name": "previously_seen_windows_services_window"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_add_app_role_assignment_grant_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_security_support_provider_reg_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_stop_by_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "print_spooler_adding_a_printer_driver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "schtasks_run_task_on_demand_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_baron_samedit_cve_2021_3156_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_reg_exe_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unusual_number_of_kerberos_service_tickets_requested_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates_cs_backup_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getadgroup_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "persistent_xss_in_rapiddiag_through_user_interface_views_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_http_response_splitting_via_rest_spl_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_high_file_deletion_frequency_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_email___uba_anomaly_filter"}, {"definition": "sourcetype=mscs:azure:eventhub", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "azuread"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_regasm_with_no_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_composer_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_registry_bootexecute_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_excessive_user_account_lockouts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "certutil_exe_certificate_extraction_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_writing_cab_or_inf_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remcos_rat_file_creation_in_remcos_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_reflected_xss_in_the_templates_lists_radio_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_registry_key_modifications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_proxy_via_netsh_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_query_registry_browser_list_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_dllhost_no_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_threatinsight_suspected_passwordspray_attack_filter"}, {"definition": "sourcetype=PwSh:DriverInventory", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "driverinventory"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_exfiltration_via_ec2_snapshot_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_invoke_cimmethod_cimsession_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_com_hijacking_inprocserver32_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "impacket_lateral_movement_wmiexec_commandline_parameters_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "multiple_archive_files_http_post_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_creation_using_registry_entry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getadcomputer_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "papercut_ng_suspicious_behavior_debug_log_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_account_lockout_events_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spoolsv_writing_a_dll___sysmon_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "slui_spawning_a_process_filter"}, {"definition": "eventtype=cisco_ios", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "cisco_networks"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_changes_to_file_associations_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_exfiltration_via_bucket_replication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_default_icon_setting_filter"}, {"definition": "index=*", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "linux_hosts"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_winrm_and_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "tor_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_process_injection_forwarder_bundle_downloads_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_computer_account_name_change_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_document_creating_schedule_task_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_information_discovery_fsutil_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_copy_of_shadowcopy_with_script_block_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credentials_from_password_stores_chrome_login_data_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_defense_evasion_delete_cloudtrail_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_ticket_granting_ticket_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "any_powershell_downloadfile_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "common_ransomware_extensions_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_raw_access_to_disk_volume_partition_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_users_fail_to_authenticate_wth_explicitcredentials_filter"}, {"definition": "sourcetype=\"Pwsh:InstalledIISModules\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "iis_get_webglobalmodule"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_mimikatz_with_powershell_script_block_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_openvpn_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "csc_net_on_the_fly_compilation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "amazon_eks_kubernetes_pod_scan_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_loading_dotnet_into_memory_via_reflection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_driver_inventory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_ingress_tool_transfer_with_curl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_process_creating_exe_dll_files_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "screensaver_event_trigger_execution_filter"}, {"definition": "sourcetype=gws:reports:login", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "gws_reports_login"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "github_actions_disable_security_workflow_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getcurrent_user_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_multi_factor_authentication_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_services_rdp_enable_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gsuite_suspicious_shared_file_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_do_not_connect_to_win_update_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_command_and_scripting_interpreter_hunting_path_traversal_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_execute_arbitrary_commands_with_msdt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_c99_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_new_local_admin_account_filter"}, {"definition": "sourcetype=stream:tcp", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "stream_tcp"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_regsvcs_with_no_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disable_win_defender_raw_write_notif_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "prohibited_network_traffic_allowed_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_setuid_using_setcap_utility_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_shutdown_commandline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "logon_script_event_trigger_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dotnet_binary_in_non_standard_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_ds_computer_with_powershell_script_block_filter"}, {"definition": "(Processes.process_name=gpupdate.exe OR Processes.original_file_name=GPUpdate.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_gpupdate"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_raw_access_to_master_boot_record_drive_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "large_volume_of_dns_any_queries_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "create_or_delete_windows_shares_using_net_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "vbscript_execution_using_wscript_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_usage_of_taskkill_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "recon_using_wmi_class_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_spawning_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_iis_components_module_failed_to_load_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msiexec_unregister_dllregisterserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_create_remcomsvc_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_stored_xss_via_data_model_objectname_field_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_aws_instances_launched_by_user___mltk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detection_of_dns_tunnels_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_hunting_system_account_targeting_lsass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unusually_long_content_type_length_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_icedid_rundll32_cmdline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_deletion_of_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_enable_powershell_remoting_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_improperly_formatted_parameter_crashes_splunkd_filter"}, {"definition": "(query=accounts* AND query=ssl* AND query=www*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Google", "name": "evilginx_phishlets_google"}, {"definition": "lookup update=true dynamic_dns_providers_default dynamic_dns_domains as url OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local dynamic_dns_domains as url OUTPUTNEW isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_default, isDynDNS_local)|fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True", "description": "This is a description", "name": "dynamic_dns_web_traffic"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dism_remove_defender_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_mismatch_between_source_and_response_for_verify_push_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "processes_created_by_netsh_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_java_spawning_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "change_default_file_association_filter"}, {"definition": "(Processes.process_name=esentutl.exe OR Processes.original_file_name=esentutl.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_esentutl"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "circle_ci_disable_security_step_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_createremotethread_in_browser_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_process_dns_query_known_abuse_web_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_rundll32_dllregisterserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credentials_from_password_stores_chrome_extension_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "services_escalate_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gsuite_drive_share_in_external_email_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excel_spawning_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unusual_number_of_remote_endpoint_authentication_events_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates_export_pfxcertificate_filter"}, {"definition": "sourcetype=mscs:azure:audit", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "azure_audit"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_saml_update_identity_provider_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_short_lived_domain_account_serviceprincipalname_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_server_software_component_gacutil_install_to_gac_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "network_share_discovery_via_dir_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_spring4shell_http_request_class_module_filter"}, {"definition": "event.parameters{}.multiValue{} IN (\"backup_code\", \"google_authenticator\", \"google_prompt\", \"idv_any_phone\", \"idv_preregistered_phone\", \"internal_two_factor\", \"knowledge_employee_id\", \"knowledge_preregistered_email\", \"login_location\", \"knowledge_preregistered_phone\", \"offline_otp\", \"security_key\", \"security_key_otp\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "gws_login_mfa_methods"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_linux_discovery_commands_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_aws_console_login_by_user_from_new_region_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll_loading_dll_by_ordinal_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "exchange_powershell_module_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "active_directory_privilege_escalation_identified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_sqlite3_lsquarantine_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_access_to_credential_files_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_html_help_using_infotech_storage_handlers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_kerberos_local_successful_logon_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "extraction_of_registry_hives_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "modify_acl_permission_to_files_or_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ms_scripting_process_loading_ldap_module_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_installutil_uninstall_option_with_network_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "execution_of_file_with_spaces_before_extension_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_sharphound_file_modifications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_invalid_users_failed_to_authenticate_using_ntlm_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_iis_components_add_new_module_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_users_failed_to_authenticate_from_host_using_ntlm_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_defender_submit_samples_consent_feature_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ryuk_wake_on_lan_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_java_spawning_shells_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "samsam_test_file_write_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_scanner_image_pulling_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "sql_injection_with_long_urls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msiexec_dllregisterserver_filter"}, {"definition": "(query=www* AND query=aws* AND query=console.aws* AND query=signin.aws* AND api-northeast-1.console.aws* AND query=fls-na* AND query=images-na*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as an AWS console", "name": "evilginx_phishlets_aws"}, {"definition": "lookup update=true lookup_rare_process_allow_list_default process as process OUTPUTNEW allow_list | where allow_list=\"false\" | lookup update=true lookup_rare_process_allow_list_local process as process OUTPUT allow_list | where allow_list=\"false\"", "description": "This macro is intended to allow_list processes that have been definied as rare", "name": "filter_rare_process_allow_list"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ping_sleep_batch_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "print_spooler_failed_to_load_a_plug_in_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_dns_failures_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cmd_carry_out_string_command_parameter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_regasm_spawning_a_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_add_files_in_known_crontab_directories_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "executables_or_script_creation_in_suspicious_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_snake_malware_registry_modification_wav_openwithprogids_filter"}, {"definition": "sourcetype=stream:dns", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "stream_dns"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_wmi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_domainuser_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_iam_accessdenied_discovery_events_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_lambda_updatefunctioncode_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_ssh_remote_services_script_execute_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "petitpotam_network_share_access_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_injection_of_wermgr_to_known_browser_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_number_of_cloud_infrastructure_api_calls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_domaintrust_with_powershell_script_block_filter"}, {"definition": "(Processes.process_name=dllhost.exe OR Processes.original_file_name=dllhost.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_dllhost"}, {"definition": "(Processes.process_name=regsvcs.exe OR Processes.original_file_name=RegSvcs.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_regsvcs"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dll_side_loading_in_calc_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kerberos_service_ticket_request_using_rc4_encryption_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "network_discovery_using_route_windows_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_raccine_scheduled_task_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "batch_file_write_to_system32_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "file_with_samsam_extension_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_user_account_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gpupdate_with_no_command_line_arguments_with_network_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_excessive_disabled_services_event_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "deleting_of_net_users_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_unauthorized_assets_by_mac_address_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "set_default_powershell_execution_policy_to_unrestricted_or_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_access_to_sudoers_file_filter"}, {"definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent.", "name": "kubernetes_azure"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_ds_computer_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates_certificate_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_wmi_process_call_create_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "system_user_discovery_with_whoami_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msiexec_spawn_discovery_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_wmiobject_group_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "first_time_seen_child_process_of_zoom_filter"}, {"definition": "lookup update=true is_suspicious_file_extension_lookup file_name OUTPUT suspicious | search suspicious=true", "description": "This macro limits the output to email attachments that have suspicious extensions", "name": "suspicious_email_attachments"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "malicious_powershell_process_with_obfuscation_techniques_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_boot_or_logon_autostart_execution_in_startup_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "eventvwr_uac_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_change_default_file_association_for_no_file_ext_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_non_system_account_targeting_lsass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "email_files_written_outside_of_the_outlook_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_createaccesskey_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_spike_in_aws_api_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "print_processor_registry_autostart_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_application_drop_executable_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_pod_scan_fingerprint_filter"}, {"definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_net"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmic_group_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_application_layer_protocol_rms_radmin_tool_namedpipe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_remote_thread_to_known_windows_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_high_number_of_failed_authentications_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "proxyshell_proxynotshell_behavior_detected_filter"}, {"definition": "(Processes.process_name IN (\"sh\", \"ksh\", \"zsh\", \"bash\", \"dash\", \"rbash\", \"fish\", \"csh\", \"tcsh\", \"ion\", \"eshell\"))", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "linux_shells"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_pkexec_privilege_escalation_filter"}, {"definition": "index=_audit sourcetype=audittrail", "description": "Macro to enable easy searching of audittrail logs", "name": "audittrail"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_visudo_utility_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_gcp_detect_most_active_service_accounts_by_pod_filter"}, {"definition": "(Processes.process_name=regasm.exe OR Processes.original_file_name=RegAsm.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_regasm"}, {"definition": "(Processes.process_name=hh.exe OR Processes.original_file_name=HH.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_hh"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "xsl_script_execution_with_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_mimikatz_binary_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "attacker_tools_on_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_vulnerable_driver_loaded_filter"}, {"definition": "| inputlookup prohibited_apps_launching_cmd | rename prohibited_applications as parent_process_name | eval parent_process_name=\"*\" . parent_process_name | table parent_process_name", "description": "This macro outputs a list of process that should not be the parent process of cmd.exe", "name": "prohibited_apps_launching_cmd"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_concurrent_sessions_from_different_ips_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_same_domain_sid_history_addition_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_admon_group_policy_object_created_filter"}, {"definition": "(Processes.process_name=procdump.exe OR Processes.process_name=procdump64.exe OR Processes.original_file_name=procdump)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_procdump"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_defender_enhanced_notification_filter"}, {"definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "google_gcp_pubsub_message"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_pst_export_alert_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "clear_unallocated_sector_using_cipher_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_password_policy_changes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_hide_notification_features_through_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_rundll32_webdav_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "scheduled_task_creation_on_remote_endpoint_using_at_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_gcp_detect_rbac_authorizations_by_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "registry_keys_used_for_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_replication_through_removable_media_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_access_software_hunt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_powershell_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "check_elevated_cmd_using_whoami_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_domainpolicy_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_make_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_successful_powershell_authentication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "allow_operation_with_consent_admin_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_setdefaultpolicyversion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rare_executables_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "msi_module_loaded_by_non_system_binary_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_winrm_and_winrs_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_serviceprincipalname_added_to_domain_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "deleting_shadow_copies_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "bcdedit_command_back_to_normal_mode_boot_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "process_kill_base_on_file_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_createaccesskey_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "regsvr32_with_known_silent_switch_cmdline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_high_frequency_of_file_deletion_in_etc_folder_filter"}, {"definition": "index=_internal sourcetype=splunkd_ui_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkd_ui"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_dns_requests_to_phishing_sites_leveraging_evilginx2_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_hardware_addition_swapoff_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_html_help_url_in_command_line_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ryuk_test_files_detected_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getcurrent_user_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_snake_malware_file_modification_crmlog_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getadgroup_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "serviceprincipalnames_discovery_with_setspn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "permission_modification_using_takeown_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_snake_malware_kernel_driver_comadmin_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_excessive_security_scanning_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "identify_new_user_accounts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_defacement_modify_transcodedwallpaper_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_drivers_loaded_by_signature_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_odbcconf_hunting_filter"}, {"definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_cmd"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_service_principal_owner_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "script_execution_via_wmi_filter"}, {"definition": "eval orig_process=process, process=replace(lower(process), \"`\", \"\") | makemv tokenizer=\"([\\w\\d\\-]+)\" process | eval unusual_cmdline_feature_for=if(match(process, \"^for$\"), mvcount(mvfilter(match(process, \"^for$\"))), 0), unusual_cmdline_feature_netsh=if(match(process, \"^netsh$\"), mvcount(mvfilter(match(process, \"^netsh$\"))), 0), unusual_cmdline_feature_readbytes=if(match(process, \"^readbytes$\"), mvcount(mvfilter(match(process, \"^readbytes$\"))), 0), unusual_cmdline_feature_set=if(match(process, \"^set$\"), mvcount(mvfilter(match(process, \"^set$\"))), 0), unusual_cmdline_feature_unrestricted=if(match(process, \"^unrestricted$\"), mvcount(mvfilter(match(process, \"^unrestricted$\"))), 0), unusual_cmdline_feature_winstations=if(match(process, \"^winstations$\"), mvcount(mvfilter(match(process, \"^winstations$\"))), 0), unusual_cmdline_feature_-value=if(match(process, \"^-value$\"), mvcount(mvfilter(match(process, \"^-value$\"))), 0), unusual_cmdline_feature_compression=if(match(process, \"^compression$\"), mvcount(mvfilter(match(process, \"^compression$\"))), 0), unusual_cmdline_feature_server=if(match(process, \"^server$\"), mvcount(mvfilter(match(process, \"^server$\"))), 0), unusual_cmdline_feature_set-mppreference=if(match(process, \"^set-mppreference$\"), mvcount(mvfilter(match(process, \"^set-mppreference$\"))), 0), unusual_cmdline_feature_terminal=if(match(process, \"^terminal$\"), mvcount(mvfilter(match(process, \"^terminal$\"))), 0), unusual_cmdline_feature_-name=if(match(process, \"^-name$\"), mvcount(mvfilter(match(process, \"^-name$\"))), 0), unusual_cmdline_feature_catch=if(match(process, \"^catch$\"), mvcount(mvfilter(match(process, \"^catch$\"))), 0), unusual_cmdline_feature_get-wmiobject=if(match(process, \"^get-wmiobject$\"), mvcount(mvfilter(match(process, \"^get-wmiobject$\"))), 0), unusual_cmdline_feature_hklm=if(match(process, \"^hklm$\"), mvcount(mvfilter(match(process, \"^hklm$\"))), 0), unusual_cmdline_feature_streamreader=if(match(process, \"^streamreader$\"), mvcount(mvfilter(match(process, \"^streamreader$\"))), 0), unusual_cmdline_feature_system32=if(match(process, \"^system32$\"), mvcount(mvfilter(match(process, \"^system32$\"))), 0), unusual_cmdline_feature_username=if(match(process, \"^username$\"), mvcount(mvfilter(match(process, \"^username$\"))), 0), unusual_cmdline_feature_webrequest=if(match(process, \"^webrequest$\"), mvcount(mvfilter(match(process, \"^webrequest$\"))), 0), unusual_cmdline_feature_count=if(match(process, \"^count$\"), mvcount(mvfilter(match(process, \"^count$\"))), 0), unusual_cmdline_feature_webclient=if(match(process, \"^webclient$\"), mvcount(mvfilter(match(process, \"^webclient$\"))), 0), unusual_cmdline_feature_writeallbytes=if(match(process, \"^writeallbytes$\"), mvcount(mvfilter(match(process, \"^writeallbytes$\"))), 0), unusual_cmdline_feature_convert=if(match(process, \"^convert$\"), mvcount(mvfilter(match(process, \"^convert$\"))), 0), unusual_cmdline_feature_create=if(match(process, \"^create$\"), mvcount(mvfilter(match(process, \"^create$\"))), 0), unusual_cmdline_feature_function=if(match(process, \"^function$\"), mvcount(mvfilter(match(process, \"^function$\"))), 0), unusual_cmdline_feature_net=if(match(process, \"^net$\"), mvcount(mvfilter(match(process, \"^net$\"))), 0), unusual_cmdline_feature_com=if(match(process, \"^com$\"), mvcount(mvfilter(match(process, \"^com$\"))), 0), unusual_cmdline_feature_http=if(match(process, \"^http$\"), mvcount(mvfilter(match(process, \"^http$\"))), 0), unusual_cmdline_feature_io=if(match(process, \"^io$\"), mvcount(mvfilter(match(process, \"^io$\"))), 0), unusual_cmdline_feature_system=if(match(process, \"^system$\"), mvcount(mvfilter(match(process, \"^system$\"))), 0), unusual_cmdline_feature_new-object=if(match(process, \"^new-object$\"), mvcount(mvfilter(match(process, \"^new-object$\"))), 0), unusual_cmdline_feature_if=if(match(process, \"^if$\"), mvcount(mvfilter(match(process, \"^if$\"))), 0), unusual_cmdline_feature_threading=if(match(process, \"^threading$\"), mvcount(mvfilter(match(process, \"^threading$\"))), 0), unusual_cmdline_feature_mutex=if(match(process, \"^mutex$\"), mvcount(mvfilter(match(process, \"^mutex$\"))), 0), unusual_cmdline_feature_cryptography=if(match(process, \"^cryptography$\"), mvcount(mvfilter(match(process, \"^cryptography$\"))), 0), unusual_cmdline_feature_computehash=if(match(process, \"^computehash$\"), mvcount(mvfilter(match(process, \"^computehash$\"))), 0)", "description": "Performs the tokenization and application of the malicious commandline classifier", "name": "potentially_malicious_code_on_cmdline_tokenize_score"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "7zip_commandline_to_smb_share_path_filter"}, {"definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only", "name": "security_content_summariesonly"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msiexec_remote_download_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_impair_defenses_process_kill_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_kerberos_service_ticket_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_ecr_container_scanning_findings_high_filter"}]} \ No newline at end of file diff --git a/dist/api/stories.json b/dist/api/stories.json index 95f4b1da0b..4391870ae2 100644 --- a/dist/api/stories.json +++ b/dist/api/stories.json @@ -1 +1 @@ -{"stories": [{"name": "3CX Supply Chain Attack", "id": "c4d7618c-73a7-4f7c-8071-060c36850785", "version": 1, "date": "2023-03-30", "author": "Michael Haag, Splunk", "description": "On March 29, 2023, CrowdStrike Falcon OverWatch observed unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp, a softphone application from 3CX. The malicious activity includes beaconing to actor controlled infrastructure, deployment of second stage payloads, and, in a small number of cases, hands on keyboard activity. (CrowdStrike)", "narrative": "On March 22, 2023, cybersecurity firm SentinelOne observed a surge in behavioral detections of trojanized 3CXDesktopApp installers, a popular PABX voice and video conferencing software. The multi-stage attack chain, which automatically quarantines trojanized installers, involves downloading ICO files with base64 data from GitHub and eventually leads to a 3rd stage infostealer DLL that is still under analysis. While the Mac installer remains unconfirmed as trojanized, ongoing investigations are also examining other potentially compromised applications, such as Chrome extensions. The threat actor behind the supply chain compromise, which started in February 2022, has used a code signing certificate to sign the trojanized binaries, but connections to existing threat clusters remain unclear. SentinelOne updated their IOCs on March 30th, 2023, with contributions from the research community and continues to monitor the situation for further developments. 3CX identified the vulnerability in the recent versions 18.12.407 and 18.12.416 for the desktop app. A new certificate for the app will also be produced.", "references": ["https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/", "https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp", "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/", "https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898", "https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/", "https://www.elastic.co/security-labs/elastic-users-protected-from-suddenicon-supply-chain-attack", "https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/"], "tags": {"name": "3CX Supply Chain Attack", "analytic_story": "3CX Supply Chain Attack", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1195.002", "mitre_attack_technique": "Compromise Software Supply Chain", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT41", "Cobalt Group", "Dragonfly", "GOLD SOUTHFIELD", "Sandworm Team", "Threat Group-3390"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Credential Access", "Initial Access"], "datamodels": ["Endpoint", "Network_Resolution"], "kill_chain_phases": ["Delivery", "Exploitation"]}, "detection_names": ["ESCU - 3CX Supply Chain Attack Network Indicators - Rule", "ESCU - Hunting 3CXDesktopApp Software - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Windows Vulnerable 3CX Software - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "3CX Supply Chain Attack Network Indicators", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Software Supply Chain"}]}}, {"name": "Hunting 3CXDesktopApp Software", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Software Supply Chain"}]}}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Windows Vulnerable 3CX Software", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Software Supply Chain"}]}}]}, {"name": "IcedID", "id": "1d2cc747-63d7-49a9-abb8-93aa36305603", "version": 1, "date": "2021-07-29", "author": "Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the IcedID banking trojan, including looking for file writes associated with its payload, process injection, shellcode execution and data collection.", "narrative": "IcedId banking trojan campaigns targeting banks and other vertical sectors.This malware is known in Microsoft Windows OS targetting browser such as firefox and chrom to steal banking information. It is also known to its unique payload downloaded in C2 where it can be a .png file that hides the core shellcode bot using steganography technique or gzip dat file that contains \"license.dat\" which is the actual core icedid bot.", "references": ["https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/", "https://app.any.run/tasks/48414a33-3d66-4a46-afe5-c2003bb55ccf/"], "tags": {"name": "IcedID", "analytic_story": "IcedID", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "Turla", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA551"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "admin@338"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1005", "mitre_attack_technique": "Data from Local System", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT37", "APT38", "APT39", "APT41", "Andariel", "Axiom", "BRONZE BUTLER", "CURIUM", "Dark Caracal", "Dragonfly", "FIN6", "FIN7", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HAFNIUM", "Inception", "Ke3chang", "Kimsuky", "LAPSUS$", "Lazarus Group", "LuminousMoth", "Magic Hound", "Patchwork", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Turla", "Windigo", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Defense Evasion", "Discovery", "Execution", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Account Discovery With Net App - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - CHCP Command Execution - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Create Remote Thread In Shell Application - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Disable Defender AntiVirus Registry - Rule", "ESCU - Disable Defender BlockAtFirstSeen Feature - Rule", "ESCU - Disable Defender Enhanced Notification - Rule", "ESCU - Disable Defender MpEngine Registry - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Disable Defender Submit Samples Consent Feature - Rule", "ESCU - Disable Schedule Task - Rule", "ESCU - Disabling Defender Services - Rule", "ESCU - Drop IcedID License dat - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - FodHelper UAC Bypass - Rule", "ESCU - IcedID Exfiltrated Archived File Creation - Rule", "ESCU - Mshta spawning Rundll32 OR Regsvr32 Process - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Share Discovery Via Dir Command - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Office Application Spawn Regsvr32 process - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - Process Creating LNK file in Suspicious Location - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Remote System Discovery with Net - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Rundll32 Create Remote Thread To A Process - Rule", "ESCU - Rundll32 CreateRemoteThread In Browser - Rule", "ESCU - Rundll32 DNSQuery - Rule", "ESCU - Rundll32 Process Creating Exe Dll Files - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Sqlite Module In Temp Folder - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious IcedID Rundll32 Cmdline - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Rundll32 dllregisterserver - Rule", "ESCU - Suspicious Rundll32 PluginInit - Rule", "ESCU - Windows AdFind Exe - Rule", "ESCU - Windows Curl Download to Suspicious Path - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows WMI Process Call Create - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - Wmic NonInteractive App Uninstallation - Rule"], "investigation_names": [], "baseline_names": ["ESCU - Previously seen command line arguments"], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CHCP Command Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Create Remote Thread In Shell Application", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Disable Defender AntiVirus Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender BlockAtFirstSeen Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender Enhanced Notification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender MpEngine Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender Submit Samples Consent Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Schedule Task", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling Defender Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Drop IcedID License dat", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}, {"mitre_attack_technique": "Malicious File"}]}}, {"name": "Eventvwr UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "FodHelper UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}, {"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "IcedID Exfiltrated Archived File Creation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "Mshta spawning Rundll32 OR Regsvr32 Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Share Discovery Via Dir Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Network Share Discovery"}]}}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}]}}, {"name": "Office Application Spawn Regsvr32 process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Using memory As Backing Store", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Process Creating LNK file in Suspicious Location", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Link"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Remote System Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Rundll32 Create Remote Thread To A Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Rundll32 CreateRemoteThread In Browser", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Rundll32 DNSQuery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Rundll32 Process Creating Exe Dll Files", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "RunDLL Loading DLL By Ordinal", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Sqlite Module In Temp Folder", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data from Local System"}]}}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "Masquerading"}]}}, {"name": "Suspicious IcedID Rundll32 Cmdline", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Rundll32 dllregisterserver", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious Rundll32 PluginInit", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Windows AdFind Exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Windows Curl Download to Suspicious Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Wmic NonInteractive App Uninstallation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}]}, {"name": "AcidRain", "id": "c68717c6-4938-434b-987c-e1ce9d516124", "version": 1, "date": "2022-04-12", "author": "Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the acidrain malware including deleting of files and etc. AcidRain is an ELF MIPS malware specifically designed to wipe modems and routers. The complete list of targeted devices is unknown at this time, but WatchGuard FireBox has specifically been listed as a target. This malware is capable of wiping and deleting non-standard linux files and overwriting storage device files that might related to router, ssd card and many more.", "narrative": "Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"], "tags": {"name": "AcidRain", "analytic_story": "AcidRain", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}], "mitre_attack_tactics": ["Defense Evasion", "Impact"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"]}, "detection_names": ["ESCU - Linux Deletion Of Cron Jobs - Rule", "ESCU - Linux Deletion Of Init Daemon Script - Rule", "ESCU - Linux Deletion Of Services - Rule", "ESCU - Linux High Frequency Of File Deletion In Etc Folder - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Deletion Of Cron Jobs", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Deletion Of Init Daemon Script", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Deletion Of Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux High Frequency Of File Deletion In Etc Folder", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}]}, {"name": "Active Directory Discovery", "id": "8460679c-2b21-463e-b381-b813417c32f2", "version": 1, "date": "2021-08-20", "author": "Mauricio Velazco, Splunk", "description": "Monitor for activities and techniques associated with Discovery and Reconnaissance within with Active Directory environments.", "narrative": "Discovery consists of techniques an adversay uses to gain knowledge about an internal environment or network. These techniques provide adversaries with situational awareness and allows them to have the necessary information before deciding how to act or who/what to target next.\\\nOnce an attacker obtains an initial foothold in an Active Directory environment, she is forced to engage in Discovery techniques in the initial phases of a breach to better understand and navigate the target network. Some examples include but are not limited to enumerating domain users, domain admins, computers, domain controllers, network shares, group policy objects, domain trusts, etc.", "references": ["https://attack.mitre.org/tactics/TA0007/", "https://adsecurity.org/?p=2535", "https://attack.mitre.org/techniques/T1087/001/", "https://attack.mitre.org/techniques/T1087/002/", "https://attack.mitre.org/techniques/T1087/003/", "https://attack.mitre.org/techniques/T1482/", "https://attack.mitre.org/techniques/T1201/", "https://attack.mitre.org/techniques/T1069/001/", "https://attack.mitre.org/techniques/T1069/002/", "https://attack.mitre.org/techniques/T1018/", "https://attack.mitre.org/techniques/T1049/", "https://attack.mitre.org/techniques/T1033/"], "tags": {"name": "Active Directory Discovery", "analytic_story": "Active Directory Discovery", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "admin@338"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016.001", "mitre_attack_technique": "Internet Connection Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Gamaredon Group", "HAFNIUM", "HEXANE", "Magic Hound", "Turla"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1570", "mitre_attack_technique": "Lateral Tool Transfer", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT32", "Aoqin Dragon", "Chimera", "FIN10", "GALLIUM", "Magic Hound", "Sandworm Team", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "Chimera", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "Wizard Spider"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Execution", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - AdsiSearcher Account Discovery - Rule", "ESCU - Domain Account Discovery with Dsquery - Rule", "ESCU - Domain Account Discovery With Net App - Rule", "ESCU - Domain Account Discovery with Wmic - Rule", "ESCU - Domain Controller Discovery with Nltest - Rule", "ESCU - Domain Controller Discovery with Wmic - Rule", "ESCU - Domain Group Discovery with Adsisearcher - Rule", "ESCU - Domain Group Discovery With Dsquery - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Domain Group Discovery With Wmic - Rule", "ESCU - DSQuery Domain Discovery - Rule", "ESCU - Elevated Group Discovery With Net - Rule", "ESCU - Elevated Group Discovery with PowerView - Rule", "ESCU - Elevated Group Discovery With Wmic - Rule", "ESCU - Get ADDefaultDomainPasswordPolicy with Powershell - Rule", "ESCU - Get ADDefaultDomainPasswordPolicy with Powershell Script Block - Rule", "ESCU - Get ADUser with PowerShell - Rule", "ESCU - Get ADUser with PowerShell Script Block - Rule", "ESCU - Get ADUserResultantPasswordPolicy with Powershell - Rule", "ESCU - Get ADUserResultantPasswordPolicy with Powershell Script Block - Rule", "ESCU - Get DomainPolicy with Powershell - Rule", "ESCU - Get DomainPolicy with Powershell Script Block - Rule", "ESCU - Get-DomainTrust with PowerShell - Rule", "ESCU - Get-DomainTrust with PowerShell Script Block - Rule", "ESCU - Get DomainUser with PowerShell - Rule", "ESCU - Get DomainUser with PowerShell Script Block - Rule", "ESCU - Get-ForestTrust with PowerShell - Rule", "ESCU - Get-ForestTrust with PowerShell Script Block - Rule", "ESCU - Get WMIObject Group Discovery - Rule", "ESCU - Get WMIObject Group Discovery with Script Block Logging - Rule", "ESCU - GetAdComputer with PowerShell - Rule", "ESCU - GetAdComputer with PowerShell Script Block - Rule", "ESCU - GetAdGroup with PowerShell - Rule", "ESCU - GetAdGroup with PowerShell Script Block - Rule", "ESCU - GetCurrent User with PowerShell - Rule", "ESCU - GetCurrent User with PowerShell Script Block - Rule", "ESCU - GetDomainComputer with PowerShell - Rule", "ESCU - GetDomainComputer with PowerShell Script Block - Rule", "ESCU - GetDomainController with PowerShell - Rule", "ESCU - GetDomainController with PowerShell Script Block - Rule", "ESCU - GetDomainGroup with PowerShell - Rule", "ESCU - GetDomainGroup with PowerShell Script Block - Rule", "ESCU - GetLocalUser with PowerShell - Rule", "ESCU - GetLocalUser with PowerShell Script Block - Rule", "ESCU - GetNetTcpconnection with PowerShell - Rule", "ESCU - GetNetTcpconnection with PowerShell Script Block - Rule", "ESCU - GetWmiObject Ds Computer with PowerShell - Rule", "ESCU - GetWmiObject Ds Computer with PowerShell Script Block - Rule", "ESCU - GetWmiObject Ds Group with PowerShell - Rule", "ESCU - GetWmiObject Ds Group with PowerShell Script Block - Rule", "ESCU - GetWmiObject DS User with PowerShell - Rule", "ESCU - GetWmiObject DS User with PowerShell Script Block - Rule", "ESCU - GetWmiObject User Account with PowerShell - Rule", "ESCU - GetWmiObject User Account with PowerShell Script Block - Rule", "ESCU - Local Account Discovery with Net - Rule", "ESCU - Local Account Discovery With Wmic - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Password Policy Discovery with Net - Rule", "ESCU - PowerShell Get LocalGroup Discovery - Rule", "ESCU - Powershell Get LocalGroup Discovery with Script Block Logging - Rule", "ESCU - Remote System Discovery with Adsisearcher - Rule", "ESCU - Remote System Discovery with Dsquery - Rule", "ESCU - Remote System Discovery with Net - Rule", "ESCU - Remote System Discovery with Wmic - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - ServicePrincipalNames Discovery with SetSPN - Rule", "ESCU - System User Discovery With Query - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - User Discovery With Env Vars PowerShell - Rule", "ESCU - User Discovery With Env Vars PowerShell Script Block - Rule", "ESCU - Windows File Share Discovery With Powerview - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows Lateral Tool Transfer RemCom - Rule", "ESCU - Windows Linked Policies In ADSI Discovery - Rule", "ESCU - Windows PowerView AD Access Control List Enumeration - Rule", "ESCU - Windows Root Domain linked policies Discovery - Rule", "ESCU - Windows Service Create RemComSvc - Rule", "ESCU - Wmic Group Discovery - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "AdsiSearcher Account Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Domain Account Discovery with Dsquery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Domain Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Domain Account Discovery with Wmic", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Domain Controller Discovery with Nltest", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Domain Controller Discovery with Wmic", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Domain Group Discovery with Adsisearcher", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Domain Group Discovery With Dsquery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Domain Group Discovery With Wmic", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "DSQuery Domain Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}]}}, {"name": "Elevated Group Discovery With Net", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Elevated Group Discovery with PowerView", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Elevated Group Discovery With Wmic", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Get ADDefaultDomainPasswordPolicy with Powershell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "Get ADDefaultDomainPasswordPolicy with Powershell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "Get ADUser with PowerShell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Get ADUser with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Get ADUserResultantPasswordPolicy with Powershell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "Get ADUserResultantPasswordPolicy with Powershell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "Get DomainPolicy with Powershell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "Get DomainPolicy with Powershell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "Get-DomainTrust with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}]}}, {"name": "Get-DomainTrust with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}]}}, {"name": "Get DomainUser with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Get DomainUser with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Get-ForestTrust with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}]}}, {"name": "Get-ForestTrust with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Get WMIObject Group Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "Get WMIObject Group Discovery with Script Block Logging", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "GetAdComputer with PowerShell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "GetAdComputer with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "GetAdGroup with PowerShell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "GetAdGroup with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "GetCurrent User with PowerShell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "GetCurrent User with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "GetDomainComputer with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "GetDomainComputer with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "GetDomainController with PowerShell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "GetDomainController with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "GetDomainGroup with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "GetDomainGroup with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "GetLocalUser with PowerShell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}}, {"name": "GetLocalUser with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "GetNetTcpconnection with PowerShell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "GetNetTcpconnection with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "GetWmiObject Ds Computer with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "GetWmiObject Ds Computer with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "GetWmiObject Ds Group with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "GetWmiObject Ds Group with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "GetWmiObject DS User with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "GetWmiObject DS User with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "GetWmiObject User Account with PowerShell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}}, {"name": "GetWmiObject User Account with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Local Account Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}}, {"name": "Local Account Discovery With Wmic", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Connection Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Internet Connection Discovery"}]}}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}]}}, {"name": "Password Policy Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "PowerShell Get LocalGroup Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "Powershell Get LocalGroup Discovery with Script Block Logging", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "Remote System Discovery with Adsisearcher", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Remote System Discovery with Dsquery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Remote System Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Remote System Discovery with Wmic", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "ServicePrincipalNames Discovery with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "ServicePrincipalNames Discovery with SetSPN", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "System User Discovery With Query", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "User Discovery With Env Vars PowerShell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "User Discovery With Env Vars PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "Windows File Share Discovery With Powerview", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Network Share Discovery"}]}}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows Lateral Tool Transfer RemCom", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Lateral Tool Transfer"}]}}, {"name": "Windows Linked Policies In ADSI Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Windows PowerView AD Access Control List Enumeration", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Accounts"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}}, {"name": "Windows Root Domain linked policies Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Windows Service Create RemComSvc", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Wmic Group Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}]}, {"name": "Active Directory Kerberos Attacks", "id": "38b8cf16-8461-11ec-ade1-acde48001122", "version": 1, "date": "2022-02-02", "author": "Mauricio Velazco, Splunk", "description": "Monitor for activities and techniques associated with Kerberos based attacks within with Active Directory environments.", "narrative": "Kerberos, initially named after Cerberus, the three-headed dog in Greek mythology, is a network authentication protocol that allows computers and users to prove their identity through a trusted third-party. This trusted third-party issues Kerberos tickets using symmetric encryption to allow users access to services and network resources based on their privilege level. Kerberos is the default authentication protocol used on Windows Active Directory networks since the introduction of Windows Server 2003. With Kerberos being the backbone of Windows authentication, it is commonly abused by adversaries across the different phases of a breach including initial access, privilege escalation, defense evasion, credential access, lateral movement, etc.\\ This Analytic Story groups detection use cases in which the Kerberos protocol is abused. Defenders can leverage these analytics to detect and hunt for adversaries engaging in Kerberos based attacks.", "references": ["https://en.wikipedia.org/wiki/Kerberos_(protocol)", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/", "https://attack.mitre.org/techniques/T1558/003/", "https://attack.mitre.org/techniques/T1550/003/", "https://attack.mitre.org/techniques/T1558/004/"], "tags": {"name": "Active Directory Kerberos Attacks", "analytic_story": "Active Directory Kerberos Attacks", "category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.004", "mitre_attack_technique": "AS-REP Roasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1558.001", "mitre_attack_technique": "Golden Ticket", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Ke3chang"]}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1589", "mitre_attack_technique": "Gather Victim Identity Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["APT32", "HEXANE", "LAPSUS$", "Magic Hound"]}, {"mitre_attack_id": "T1589.002", "mitre_attack_technique": "Email Addresses", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["APT32", "EXOTIC LILY", "HAFNIUM", "HEXANE", "Kimsuky", "LAPSUS$", "Lazarus Group", "Magic Hound", "MuddyWater", "Sandworm Team", "Silent Librarian", "TA551"]}, {"mitre_attack_id": "T1550.003", "mitre_attack_technique": "Pass the Ticket", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT29", "APT32", "BRONZE BUTLER"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "Chimera", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "Wizard Spider"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Authentication", "Change", "Endpoint", "Network_Traffic"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Disabled Kerberos Pre-Authentication Discovery With Get-ADUser - Rule", "ESCU - Disabled Kerberos Pre-Authentication Discovery With PowerView - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Kerberos Pre-Authentication Flag Disabled in UserAccountControl - Rule", "ESCU - Kerberos Pre-Authentication Flag Disabled with PowerShell - Rule", "ESCU - Kerberos Service Ticket Request Using RC4 Encryption - Rule", "ESCU - Kerberos TGT Request Using RC4 Encryption - Rule", "ESCU - Kerberos User Enumeration - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - PetitPotam Suspicious Kerberos TGT Request - Rule", "ESCU - Rubeus Command Line Parameters - Rule", "ESCU - Rubeus Kerberos Ticket Exports Through Winlogon Access - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - ServicePrincipalNames Discovery with SetSPN - Rule", "ESCU - Suspicious Kerberos Service Ticket Request - Rule", "ESCU - Suspicious Ticket Granting Ticket Request - Rule", "ESCU - Unknown Process Using The Kerberos Protocol - Rule", "ESCU - Unusual Number of Computer Service Tickets Requested - Rule", "ESCU - Unusual Number of Kerberos Service Tickets Requested - Rule", "ESCU - Windows Computer Account Created by Computer Account - Rule", "ESCU - Windows Computer Account Requesting Kerberos Ticket - Rule", "ESCU - Windows Computer Account With SPN - Rule", "ESCU - Windows Get-AdComputer Unconstrained Delegation Discovery - Rule", "ESCU - Windows Kerberos Local Successful Logon - Rule", "ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Fail To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Users Failed To Authenticate Using Kerberos - Rule", "ESCU - Windows PowerView Constrained Delegation Discovery - Rule", "ESCU - Windows PowerView Kerberos Service Ticket Request - Rule", "ESCU - Windows PowerView SPN Discovery - Rule", "ESCU - Windows PowerView Unconstrained Delegation Discovery - Rule", "ESCU - Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Users Failed To Auth Using Kerberos - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Disabled Kerberos Pre-Authentication Discovery With Get-ADUser", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "AS-REP Roasting"}]}}, {"name": "Disabled Kerberos Pre-Authentication Discovery With PowerView", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "AS-REP Roasting"}]}}, {"name": "Kerberoasting spn request with RC4 encryption", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Kerberos Pre-Authentication Flag Disabled in UserAccountControl", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "AS-REP Roasting"}]}}, {"name": "Kerberos Pre-Authentication Flag Disabled with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "AS-REP Roasting"}]}}, {"name": "Kerberos Service Ticket Request Using RC4 Encryption", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Golden Ticket"}]}}, {"name": "Kerberos TGT Request Using RC4 Encryption", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Use Alternate Authentication Material"}]}}, {"name": "Kerberos User Enumeration", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Identity Information"}, {"mitre_attack_technique": "Email Addresses"}]}}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}]}}, {"name": "PetitPotam Suspicious Kerberos TGT Request", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Rubeus Command Line Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}, {"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}, {"mitre_attack_technique": "AS-REP Roasting"}]}}, {"name": "Rubeus Kerberos Ticket Exports Through Winlogon Access", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}]}}, {"name": "ServicePrincipalNames Discovery with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "ServicePrincipalNames Discovery with SetSPN", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Suspicious Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}}, {"name": "Suspicious Ticket Granting Ticket Request", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}}, {"name": "Unknown Process Using The Kerberos Protocol", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Use Alternate Authentication Material"}]}}, {"name": "Unusual Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Unusual Number of Kerberos Service Tickets Requested", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Windows Computer Account Created by Computer Account", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows Computer Account Requesting Kerberos Ticket", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows Computer Account With SPN", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows Get-AdComputer Unconstrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Windows Kerberos Local Successful Logon", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Invalid Users Fail To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Failed To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows PowerView Constrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Windows PowerView Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Windows PowerView SPN Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Windows PowerView Unconstrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Failed To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}]}, {"name": "Active Directory Lateral Movement", "id": "399d65dc-1f08-499b-a259-aad9051f38ad", "version": 3, "date": "2021-12-09", "author": "David Dorsey, Mauricio Velazco Splunk", "description": "Detect and investigate tactics, techniques, and procedures around how attackers move laterally within an Active Directory environment. Since lateral movement is often a necessary step in a breach, it is important for cyber defenders to deploy detection coverage.", "narrative": "Once attackers gain a foothold within an enterprise, they will seek to expand their accesses and leverage techniques that facilitate lateral movement. Attackers will often spend quite a bit of time and effort moving laterally. Because lateral movement renders an attacker the most vulnerable to detection, it's an excellent focus for detection and investigation.\\\nIndications of lateral movement in an Active Directory network can include the abuse of system utilities (such as `psexec.exe`), unauthorized use of remote desktop services, `file/admin$` shares, WMI, PowerShell, Service Control Manager, the DCOM protocol, WinRM or the abuse of scheduled tasks. Organizations must be extra vigilant in detecting lateral movement techniques and look for suspicious activity in and around high-value strategic network assets, such as Active Directory, which are often considered the primary target or \"crown jewels\" to a persistent threat actor.\\\nAn adversary can use lateral movement for multiple purposes, including remote execution of tools, pivoting to additional systems, obtaining access to specific information or files, access to additional credentials, exfiltrating data, or delivering a secondary effect. Adversaries may use legitimate credentials alongside inherent network and operating-system functionality to remotely connect to other systems and remain under the radar of network defenders.\\\nIf there is evidence of lateral movement, it is imperative for analysts to collect evidence of the associated offending hosts. For example, an attacker might leverage host A to gain access to host B. From there, the attacker may try to move laterally to host C. In this example, the analyst should gather as much information as possible from all three hosts. \\\n It is also important to collect authentication logs for each host, to ensure that the offending accounts are well-documented. Analysts should account for all processes to ensure that the attackers did not install unauthorized software.", "references": ["https://www.fireeye.com/blog/executive-perspective/2015/08/malware_lateral_move.html", "http://www.irongeek.com/i.php?page=videos/derbycon7/t405-hunting-lateral-movement-for-fun-and-profit-mauricio-velazco"], "tags": {"name": "Active Directory Lateral Movement", "analytic_story": "Active Directory Lateral Movement", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1550.002", "mitre_attack_technique": "Pass the Hash", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT1", "APT28", "APT32", "Chimera", "GALLIUM", "Kimsuky"]}, {"mitre_attack_id": "T1210", "mitre_attack_technique": "Exploitation of Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "Dragonfly", "Earth Lusca", "FIN7", "Fox Kitten", "MuddyWater", "Threat Group-3390", "Tonto Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1563.002", "mitre_attack_technique": "RDP Hijacking", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Axiom"]}, {"mitre_attack_id": "T1563", "mitre_attack_technique": "Remote Service Session Hijacking", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Execution", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Traffic", "Risk"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Detect Activity Related to Pass the Hash Attacks - Rule", "ESCU - Active Directory Lateral Movement Identified - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Interactive Session on Remote Endpoint with PowerShell - Rule", "ESCU - Mmc LOLBAS Execution Process Spawn - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell Invoke CIMMethod CIMSession - Rule", "ESCU - PowerShell Start or Stop Service - Rule", "ESCU - Randomly Generated Scheduled Task Name - Rule", "ESCU - Randomly Generated Windows Service Name - Rule", "ESCU - Remote Desktop Process Running On System - Rule", "ESCU - Remote Process Instantiation via DCOM and PowerShell - Rule", "ESCU - Remote Process Instantiation via DCOM and PowerShell Script Block - Rule", "ESCU - Remote Process Instantiation via WinRM and PowerShell - Rule", "ESCU - Remote Process Instantiation via WinRM and PowerShell Script Block - Rule", "ESCU - Remote Process Instantiation via WinRM and Winrs - Rule", "ESCU - Remote Process Instantiation via WMI - Rule", "ESCU - Remote Process Instantiation via WMI and PowerShell - Rule", "ESCU - Remote Process Instantiation via WMI and PowerShell Script Block - Rule", "ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule", "ESCU - Scheduled Task Initiation on Remote Endpoint - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Services LOLBAS Execution Process Spawn - Rule", "ESCU - Short Lived Scheduled Task - Rule", "ESCU - Svchost LOLBAS Execution Process Spawn - Rule", "ESCU - Unusual Number of Computer Service Tickets Requested - Rule", "ESCU - Unusual Number of Remote Endpoint Authentication Events - Rule", "ESCU - Windows Administrative Shares Accessed On Multiple Hosts - Rule", "ESCU - Windows Enable Win32 ScheduledJob via Registry - Rule", "ESCU - Windows Large Number of Computer Service Tickets Requested - Rule", "ESCU - Windows Local Administrator Credential Stuffing - Rule", "ESCU - Windows PowerShell Get CIMInstance Remote Computer - Rule", "ESCU - Windows PowerShell WMI Win32 ScheduledJob - Rule", "ESCU - Windows Rapid Authentication On Multiple Hosts - Rule", "ESCU - Windows RDP Connection Successful - Rule", "ESCU - Windows Remote Create Service - Rule", "ESCU - Windows Service Create with Tscon - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Created Within Public Path - Rule", "ESCU - Windows Service Creation on Remote Endpoint - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - Windows Service Initiation on Remote Endpoint - Rule", "ESCU - Windows Special Privileged Logon On Multiple Hosts - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - Wmiprsve LOLBAS Execution Process Spawn - Rule", "ESCU - Wsmprovhost LOLBAS Execution Process Spawn - Rule", "ESCU - Remote Desktop Network Traffic - Rule"], "investigation_names": ["ESCU - Investigate Successful Remote Desktop Authentications - Response Task"], "baseline_names": ["ESCU - Identify Systems Creating Remote Desktop Traffic", "ESCU - Identify Systems Receiving Remote Desktop Traffic", "ESCU - Identify Systems Using Remote Desktop"], "author_company": "Mauricio Velazco Splunk", "author_name": "David Dorsey", "detections": [{"name": "Detect Activity Related to Pass the Hash Attacks", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Hash"}]}}, {"name": "Active Directory Lateral Movement Identified", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation of Remote Services"}]}}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Interactive Session on Remote Endpoint with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Windows Remote Management"}]}}, {"name": "Mmc LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "MMC"}]}}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Remote Management"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "MMC"}]}}, {"name": "PowerShell Invoke CIMMethod CIMSession", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "PowerShell Start or Stop Service", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}]}}, {"name": "Randomly Generated Scheduled Task Name", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Randomly Generated Windows Service Name", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Remote Desktop Process Running On System", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Remote Process Instantiation via DCOM and PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}]}}, {"name": "Remote Process Instantiation via DCOM and PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}]}}, {"name": "Remote Process Instantiation via WinRM and PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Windows Remote Management"}]}}, {"name": "Remote Process Instantiation via WinRM and PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Windows Remote Management"}]}}, {"name": "Remote Process Instantiation via WinRM and Winrs", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Windows Remote Management"}]}}, {"name": "Remote Process Instantiation via WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Remote Process Instantiation via WMI and PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Remote Process Instantiation via WMI and PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Scheduled Task Creation on Remote Endpoint using At", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "At"}]}}, {"name": "Scheduled Task Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Services LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Short Lived Scheduled Task", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Svchost LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Unusual Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Unusual Number of Remote Endpoint Authentication Events", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Windows Administrative Shares Accessed On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Network Share Discovery"}]}}, {"name": "Windows Enable Win32 ScheduledJob via Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Windows Large Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Network Share Discovery"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Windows Local Administrator Credential Stuffing", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "Windows PowerShell Get CIMInstance Remote Computer", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}]}}, {"name": "Windows PowerShell WMI Win32 ScheduledJob", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Rapid Authentication On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}]}}, {"name": "Windows RDP Connection Successful", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "RDP Hijacking"}]}}, {"name": "Windows Remote Create Service", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Windows Service Create with Tscon", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "RDP Hijacking"}, {"mitre_attack_technique": "Remote Service Session Hijacking"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Windows Service Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Windows Service Creation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}}, {"name": "Windows Service Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Windows Special Privileged Logon On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Network Share Discovery"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Wmiprsve LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Wsmprovhost LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Windows Remote Management"}]}}, {"name": "Remote Desktop Network Traffic", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}]}, {"name": "Active Directory Password Spraying", "id": "3de109da-97d2-11eb-8b6a-acde48001122", "version": 2, "date": "2021-04-07", "author": "Mauricio Velazco, Splunk", "description": "Monitor for activities and techniques associated with Password Spraying attacks within Active Directory environments.", "narrative": "In a password spraying attack, adversaries leverage one or a small list of commonly used / popular passwords against a large volume of usernames to acquire valid account credentials. Unlike a Brute Force attack that targets a specific user or small group of users with a large number of passwords, password spraying follows the opposite aproach and increases the chances of obtaining valid credentials while avoiding account lockouts. This allows adversaries to remain undetected if the target organization does not have the proper monitoring and detection controls in place.\\\nPassword Spraying can be leveraged by adversaries across different stages in an attack. It can be used to obtain an iniial access to an environment but can also be used to escalate privileges when access has been already achieved. In some scenarios, this technique capitalizes on a security policy most organizations implement, password rotation. As enterprise users change their passwords, it is possible some pick predictable, seasonal passwords such as `$CompanyNameWinter`, `Summer2021`, etc.\\\nSpecifically, this Analytic Story is focused on detecting possible Password Spraying attacks against Active Directory environments leveraging Windows Event Logs in the `Account Logon` and `Logon/Logoff` Advanced Audit Policy categories. It presents 16 detection analytics which can aid defenders in identifying instances where one source user, source host or source process attempts to authenticate against a target or targets using a high or statiscally unsual, number of unique users. A user, host or process attempting to authenticate with multiple users is not common behavior for legitimate systems and should be monitored by security teams. Possible false positive scenarios include but are not limited to vulnerability scanners, remote administration tools, multi-user systems and missconfigured systems. These should be easily spotted when first implementing the detection and addded to an allow list or lookup table. The presented detections can also be used in Threat Hunting exercises.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://www.microsoft.com/security/blog/2020/04/23/protecting-organization-password-spray-attacks/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn452415(v=ws.11)"], "tags": {"name": "Active Directory Password Spraying", "analytic_story": "Active Directory Password Spraying", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}], "mitre_attack_tactics": ["Credential Access"], "datamodels": [], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Fail To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Host Using NTLM - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Process - Rule", "ESCU - Windows Multiple Users Failed To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Users Remotely Failed To Authenticate From Host - Rule", "ESCU - Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials - Rule", "ESCU - Windows Unusual Count Of Users Failed To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate From Process - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Remotely Failed To Auth From Host - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Invalid Users Fail To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Invalid Users Failed To Authenticate Using NTLM", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Failed To Authenticate From Host Using NTLM", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Failed To Authenticate From Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Failed To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Remotely Failed To Authenticate From Host", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Failed To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Failed To Authenticate From Process", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Failed To Authenticate Using NTLM", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Remotely Failed To Auth From Host", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}]}, {"name": "Active Directory Privilege Escalation", "id": "fa34a5d8-df0a-404c-8237-11f99cba1d5f", "version": 1, "date": "2023-03-20", "author": "Mauricio Velazco, Splunk", "description": "Monitor for activities and techniques associated with Privilege Escalation attacks within Active Directory environments.", "narrative": "Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities.\\\nActive Directory is a central component of most enterprise networks, providing authentication and authorization services for users, computers, and other resources. It stores sensitive information such as passwords, user accounts, and security policies, and is therefore a high-value target for attackers. Privilege escalation attacks in Active Directory typically involve exploiting vulnerabilities or misconfigurations across the network to gain elevated privileges, such as Domain Administrator access. Once an attacker has escalated their privileges and taken full control of a domain, they can easily move laterally throughout the network, access sensitive data, and carry out further attacks. Security teams should monitor for privilege escalation attacks in Active Directory to identify a breach before attackers achieve operational success.\\\nThe following analytic story groups detection opportunities that seek to identify an adversary attempting to escalate privileges in an Active Directory network.", "references": ["https://attack.mitre.org/tactics/TA0004/", "https://adsecurity.org/?p=3658", "https://adsecurity.org/?p=2362"], "tags": {"name": "Active Directory Privilege Escalation", "analytic_story": "Active Directory Privilege Escalation", "category": [], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.001", "mitre_attack_technique": "Golden Ticket", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Ke3chang"]}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1550.003", "mitre_attack_technique": "Pass the Ticket", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT29", "APT32", "BRONZE BUTLER"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1558.004", "mitre_attack_technique": "AS-REP Roasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "Chimera", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "Wizard Spider"]}, {"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1484.001", "mitre_attack_technique": "Group Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1552.006", "mitre_attack_technique": "Group Policy Preferences", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Active Directory Privilege Escalation Identified - Rule", "ESCU - Kerberos Service Ticket Request Using RC4 Encryption - Rule", "ESCU - Rubeus Command Line Parameters - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - ServicePrincipalNames Discovery with SetSPN - Rule", "ESCU - Suspicious Computer Account Name Change - Rule", "ESCU - Suspicious Kerberos Service Ticket Request - Rule", "ESCU - Suspicious Ticket Granting Ticket Request - Rule", "ESCU - Unusual Number of Computer Service Tickets Requested - Rule", "ESCU - Unusual Number of Remote Endpoint Authentication Events - Rule", "ESCU - Windows Administrative Shares Accessed On Multiple Hosts - Rule", "ESCU - Windows Admon Default Group Policy Object Modified - Rule", "ESCU - Windows Admon Group Policy Object Created - Rule", "ESCU - Windows Default Group Policy Object Modified - Rule", "ESCU - Windows Default Group Policy Object Modified with GPME - Rule", "ESCU - Windows DnsAdmins New Member Added - Rule", "ESCU - Windows File Share Discovery With Powerview - Rule", "ESCU - Windows Findstr GPP Discovery - Rule", "ESCU - Windows Group Policy Object Created - Rule", "ESCU - Windows Large Number of Computer Service Tickets Requested - Rule", "ESCU - Windows Local Administrator Credential Stuffing - Rule", "ESCU - Windows PowerSploit GPP Discovery - Rule", "ESCU - Windows PowerView AD Access Control List Enumeration - Rule", "ESCU - Windows Rapid Authentication On Multiple Hosts - Rule", "ESCU - Windows Special Privileged Logon On Multiple Hosts - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Active Directory Privilege Escalation Identified", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}]}}, {"name": "Kerberos Service Ticket Request Using RC4 Encryption", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Golden Ticket"}]}}, {"name": "Rubeus Command Line Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}, {"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}, {"mitre_attack_technique": "AS-REP Roasting"}]}}, {"name": "ServicePrincipalNames Discovery with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "ServicePrincipalNames Discovery with SetSPN", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Suspicious Computer Account Name Change", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}}, {"name": "Suspicious Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}}, {"name": "Suspicious Ticket Granting Ticket Request", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}}, {"name": "Unusual Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Unusual Number of Remote Endpoint Authentication Events", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Windows Administrative Shares Accessed On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Network Share Discovery"}]}}, {"name": "Windows Admon Default Group Policy Object Modified", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}}, {"name": "Windows Admon Group Policy Object Created", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}}, {"name": "Windows Default Group Policy Object Modified", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}}, {"name": "Windows Default Group Policy Object Modified with GPME", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}}, {"name": "Windows DnsAdmins New Member Added", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Windows File Share Discovery With Powerview", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Network Share Discovery"}]}}, {"name": "Windows Findstr GPP Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unsecured Credentials"}, {"mitre_attack_technique": "Group Policy Preferences"}]}}, {"name": "Windows Group Policy Object Created", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}, {"mitre_attack_technique": "Domain Accounts"}]}}, {"name": "Windows Large Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Network Share Discovery"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Windows Local Administrator Credential Stuffing", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "Windows PowerSploit GPP Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unsecured Credentials"}, {"mitre_attack_technique": "Group Policy Preferences"}]}}, {"name": "Windows PowerView AD Access Control List Enumeration", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Accounts"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}}, {"name": "Windows Rapid Authentication On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}]}}, {"name": "Windows Special Privileged Logon On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Network Share Discovery"}]}}]}, {"name": "AgentTesla", "id": "9bb6077a-843e-418b-b134-c57ef997103c", "version": 1, "date": "2022-04-12", "author": "Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the AgentTesla malware including .chm application child process, ftp/smtp connection, persistence and many more. AgentTesla is one of the advanced remote access trojans (RAT) that are capable of stealing sensitive information from the infected or targeted host machine. It can collect various types of data, including browser profile information, keystrokes, capture screenshots and vpn credentials. AgentTesla has been active malware since 2014 and often delivered as a malicious attachment in phishing emails.It is also the top malware in 2021 based on the CISA report.", "narrative": "Adversaries or threat actor may use this malware to maximize the impact of infection on the target organization in operations where network wide availability interruption is the goal.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla", "https://cert.gov.ua/article/861292", "https://www.cisa.gov/uscert/ncas/alerts/aa22-216a", "https://www.joesandbox.com/analysis/702680/0/html"], "tags": {"name": "AgentTesla", "analytic_story": "AgentTesla", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.001", "mitre_attack_technique": "Compiled HTML File", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "APT41", "Dark Caracal", "OilRig", "Silence"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1014", "mitre_attack_technique": "Rootkit", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT41", "Rocke", "TeamTNT", "Winnti Group"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1071.003", "mitre_attack_technique": "Mail Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT28", "APT32", "Kimsuky", "SilverTerrier", "Turla"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Dragonfly", "Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Execution", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Detect HTML Help Spawn Child Process - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Application Drop Executable - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning CertUtil - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Driver Load Non-Standard Path - Rule", "ESCU - Windows Drivers Loaded by Signature - Rule", "ESCU - Windows File Transfer Protocol In Non-Common Process Path - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Mail Protocol In Non-Common Process Path - Rule", "ESCU - Windows Multi hop Proxy TOR Website Query - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Detect HTML Help Spawn Child Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows Driver Load Non-Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Windows Drivers Loaded by Signature", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Windows File Transfer Protocol In Non-Common Process Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Mail Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "Windows Mail Protocol In Non-Common Process Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Mail Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "Windows Multi hop Proxy TOR Website Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Mail Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}]}, {"name": "Apache Struts Vulnerability", "id": "2dcfd6a2-e7d2-4873-b6ba-adaf819d2a1e", "version": 1, "date": "2018-12-06", "author": "Rico Valdez, Splunk", "description": "Detect and investigate activities--such as unusually long `Content-Type` length, suspicious java classes and web servers executing suspicious processes--consistent with attempts to exploit Apache Struts vulnerabilities.", "narrative": "In March of 2017, a remote code-execution vulnerability in the Jakarta Multipart parser in Apache Struts, a widely used open-source framework for creating Java web applications, was disclosed and assigned to CVE-2017-5638. About two months later, hackers exploited the flaw to carry out the world's 5th largest data breach. The target, credit giant Equifax, told investigators that it had become aware of the vulnerability two months before the attack. \\\nThe exploit involved manipulating the `Content-Type HTTP` header to execute commands embedded in the header.\\\nThis Analytic Story contains two different searches that help to identify activity that may be related to this issue. The first search looks for characteristics of the `Content-Type` header consistent with attempts to exploit the vulnerability. This should be a relatively pertinent indicator, as the `Content-Type` header is generally consistent and does not have a large degree of variation.\\\nThe second search looks for the execution of various commands typically entered on the command shell when an attacker first lands on a system. These commands are not generally executed on web servers during the course of day-to-day operation, but they may be used when the system is undergoing maintenance or troubleshooting.\\\nFirst, it is helpful is to understand how often the notable event is generated, as well as the commonalities in some of these events. This may help determine whether this is a common occurrence that is of a lesser concern or a rare event that may require more extensive investigation. It can also help to understand whether the issue is restricted to a single user or system or is broader in scope.\\\nWhen looking at the target of the behavior illustrated by the event, you should note the sensitivity of the user and or/system to help determine the potential impact. It is also helpful to see what other events involving the target have occurred in the recent past. This can help tie different events together and give further situational awareness regarding the target.\\\nVarious types of information for external systems should be reviewed and (potentially) collected if the incident is, indeed, judged to be malicious. Information like this can be useful in generating your own threat intelligence to create alerts in the future.\\\nLooking at the country, responsible party, and fully qualified domain names associated with the external IP address--as well as the registration information associated with those domain names, if they are frequently visited by others--can help you answer the question of \"who,\" in regard to the external system. Answering that can help qualify the event and may serve useful for tracking. In addition, there are various sources that can provide some reputation information on the IP address or domain name, which can assist in determining if the event is malicious in nature. Finally, determining whether or not there are other events associated with the IP address may help connect some dots or show other events that should be brought into scope.\\\nGathering various data elements on the system of interest can sometimes help quickly determine that something suspicious may be happening. Some of these items include determining who else may have recently logged into the system, whether any unusual scheduled tasks exist, whether the system is communicating on suspicious ports, whether there are modifications to sensitive registry keys, and whether there are any known vulnerabilities on the system. This information can often highlight other activity commonly seen in attack scenarios or give more information about how the system may have been targeted.\\\nhen a specific service or application is targeted, it is often helpful to know the associated version to help determine whether or not it is vulnerable to a specific exploit.\\\nhen it is suspected there is an attack targeting a web server, it is helpful to look at some of the behavior of the web service to see if there is evidence that the service has been compromised. Some indications of this might be network connections to external resources, the web service spawning child processes that are not associated with typical behavior, and whether the service wrote any files that might be malicious in nature.\\\nIn the event that a suspicious file is found, we can review more information about it to help determine if it is, in fact, malicious. Identifying the file type, any processes that have the file open, what processes created and/or modified the file, and the number of systems that may have this file can help to determine if the file is malicious. Also, determining the file hash and checking it against reputation sources, such as VirusTotal, can sometimes quickly help determine whether it is malicious in nature.\\\nOften, a simple inspection of a suspect process name and path can tell you if the system has been compromised. For example, if `svchost.exe` is found running from a location other than `C:\\Windows\\System32`, it is likely something malicious designed to hide in plain sight when simply reviewing process names. Similarly, if the process itself seems legitimate, but the parent process is running from the temporary browser cache, there may be activity initiated via a compromised website the user visited.\\\nIt can also be very helpful to examine various behaviors of the process of interest or the parent of the process that is of interest. For example, if it turns out that the process of interest is malicious, it would be good to see if the parent to that process spawned other processes that might also be worth further scrutiny. If a process is suspect, reviewing the network connections made around the time of the event and/or if the process spawned any child processes could be helpful in determining whether it is malicious or executing a malicious script.", "references": ["https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.2/dev/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf"], "tags": {"name": "Apache Struts Vulnerability", "analytic_story": "Apache Struts Vulnerability", "category": ["Vulnerability"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TeamTNT", "Tropic Trooper", "Turla", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}], "mitre_attack_tactics": ["Discovery"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Suspicious Java Classes - Rule", "ESCU - Web Servers Executing Suspicious Processes - Rule", "ESCU - Unusually Long Content-Type Length - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Investigate Suspicious Strings in HTTP Header - Response Task", "ESCU - Investigate Web POSTs From src - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Suspicious Java Classes", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Web Servers Executing Suspicious Processes", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Information Discovery"}]}}, {"name": "Unusually Long Content-Type Length", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Asset Tracking", "id": "91c676cf-0b23-438d-abee-f6335e1fce77", "version": 1, "date": "2017-09-13", "author": "Bhavin Patel, Splunk", "description": "Keep a careful inventory of every asset on your network to make it easier to detect rogue devices. Unauthorized/unmanaged devices could be an indication of malicious behavior that should be investigated further.", "narrative": "This Analytic Story is designed to help you develop a better understanding of what authorized and unauthorized devices are part of your enterprise. This story can help you better categorize and classify assets, providing critical business context and awareness of their assets during an incident. Information derived from this Analytic Story can be used to better inform and support other analytic stories. For successful detection, you will need to leverage the Assets and Identity Framework from Enterprise Security to populate your known assets.", "references": ["https://www.cisecurity.org/controls/inventory-of-authorized-and-unauthorized-devices/"], "tags": {"name": "Asset Tracking", "analytic_story": "Asset Tracking", "category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Sessions"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Unauthorized Assets by MAC address - Rule"], "investigation_names": ["ESCU - Get First Occurrence and Last Occurrence of a MAC Address - Response Task", "ESCU - Get Notable History - Response Task"], "baseline_names": ["ESCU - Count of assets by category"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect Unauthorized Assets by MAC address", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "AsyncRAT", "id": "d7053072-7dd2-4874-8314-bfcbc99978a4", "version": 1, "date": "2023-01-24", "author": "Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the AsyncRAT malware including mshta application child process, bat loader execution, persistence and many more. AsyncRAT is an open source remote administration tool released last 2019. It's designed to remotely control computers via an encrypted connection, with view screen, keylogger, chat communication, persistence, defense evasion (e.g. Windows defender), DOS attack and many more.", "narrative": "although this project contains legal disclaimer, Adversaries or threat actors are popularly used in some attacks. This malware recently came across a Fully undetected batch script loader that downloads and loads the AsyncRAT from its C2 server. The batch script is obfuscated and will load a powershell loader that will decode and decrypt (AES256) the actual AsyncRAT malware.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat", "https://www.netskope.com/blog/asyncrat-using-fully-undetected-downloader"], "tags": {"name": "AsyncRAT", "analytic_story": "AsyncRAT", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1055.001", "mitre_attack_technique": "Dynamic-link Library Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["BackdoorDiplomacy", "Lazarus Group", "Leviathan", "Putter Panda", "TA505", "Tropic Trooper", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1134.002", "mitre_attack_technique": "Create Process with Token", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Lazarus Group", "Turla"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Initial Access", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Execution of File with Multiple Extensions - Rule", "ESCU - Loading Of Dynwrapx Module - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Vbscript Execution Using Wscript App - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Powershell Cryptography Namespace - Rule", "ESCU - Windows Scheduled Task with Highest Privileges - Rule", "ESCU - Windows Spearphishing Attachment Connect To None MS Office Domain - Rule", "ESCU - Windows Spearphishing Attachment Onenote Spawn Mshta - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Execution of File with Multiple Extensions", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Loading Of Dynwrapx Module", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Dynamic-link Library Injection"}]}}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "Masquerading"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Vbscript Execution Using Wscript App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create Process with Token"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Windows Powershell Cryptography Namespace", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Scheduled Task with Highest Privileges", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Windows Spearphishing Attachment Connect To None MS Office Domain", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Windows Spearphishing Attachment Onenote Spawn Mshta", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}]}, {"name": "Atlassian Confluence Server and Data Center CVE-2022-26134", "id": "91623a50-41fa-4c4e-8637-c239b80ff439", "version": 1, "date": "2022-06-03", "author": "Michael Haag, Splunk", "description": "On June 2, security researchers at Volexity published a blog outlining the discovery of an unauthenticated remote code execution zero day vulnerability (CVE-2022-26134) being actively exploited in Atlassian Confluence Server and Data Center instances in the wild. Atlassian released a fix within 24 hours of the blog''s release.", "narrative": "Atlassian describes the vulnerability as an Object-Graph Navigation Language (OGNL) injection allowing an unauthenticated user to execute arbitrary code on a Confluence Server or Data Server instance. Volexity did not release proof-of-concept (POC) exploit code, but researchers there have observed coordinated, widespread exploitation. Volexity first discovered the vulnerability over the weekend on two Internet-facing web servers running Confluence Server software. The investigation was due to suspicious activity on the hosts, including JSP webshells that were written to disk.", "references": ["https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html", "https://www.splunk.com/en_us/blog/security/atlassian-confluence-vulnerability-cve-2022-26134.html", "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", "https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/"], "tags": {"name": "Atlassian Confluence Server and Data Center CVE-2022-26134", "analytic_story": "Atlassian Confluence Server and Data Center CVE-2022-26134", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Initial Access", "Persistence"], "datamodels": ["Endpoint", "Web"], "kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - Java Writing JSP File - Rule", "ESCU - Confluence Unauthenticated Remote Code Execution CVE-2022-26134 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Java Writing JSP File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Confluence Unauthenticated Remote Code Execution CVE-2022-26134", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "AwfulShred", "id": "e36935ce-f48c-4fb2-8109-7e80c1cdc9e2", "version": 1, "date": "2023-01-24", "author": "Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the AwfulShred malware including wiping files, process kill, system reboot via system request, shred, and service stops.", "narrative": "AwfulShred is a malicious linux shell script designed to corrupt or wipe the linux targeted system. It uses shred command to overwrite files and to increase data damage. This obfuscated malicious script can also disable and corrupts apache, HTTP and SSH services, deactivate swap files, clear bash history and finally reboot the system.", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", "https://cert.gov.ua/article/3718487"], "tags": {"name": "AwfulShred", "analytic_story": "AwfulShred", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1200", "mitre_attack_technique": "Hardware Additions", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["DarkVishnya"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1059.004", "mitre_attack_technique": "Unix Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT41", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Impact", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Linux Data Destruction Command - Rule", "ESCU - Linux Deleting Critical Directory Using RM Command - Rule", "ESCU - Linux Deletion Of Services - Rule", "ESCU - Linux Disable Services - Rule", "ESCU - Linux Hardware Addition SwapOff - Rule", "ESCU - Linux Impair Defenses Process Kill - Rule", "ESCU - Linux Indicator Removal Clear Cache - Rule", "ESCU - Linux Indicator Removal Service File Deletion - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Stop Services - Rule", "ESCU - Linux System Reboot Via System Request Key - Rule", "ESCU - Linux Unix Shell Enable All SysRq Functions - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Data Destruction Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Deleting Critical Directory Using RM Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Deletion Of Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Disable Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Linux Hardware Addition SwapOff", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hardware Additions"}]}}, {"name": "Linux Impair Defenses Process Kill", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Linux Indicator Removal Clear Cache", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Indicator Removal Service File Deletion", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Stop Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Linux System Reboot Via System Request Key", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}}, {"name": "Linux Unix Shell Enable All SysRq Functions", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unix Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}]}, {"name": "AWS Cross Account Activity", "id": "2f2f610a-d64d-48c2-b57c-967a2b49ab5a", "version": 1, "date": "2018-06-04", "author": "David Dorsey, Splunk", "description": "Track when a user assumes an IAM role in another AWS account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity.", "narrative": "Amazon Web Services (AWS) admins manage access to AWS resources and services across the enterprise using AWS's Identity and Access Management (IAM) functionality. IAM provides the ability to create and manage AWS users, groups, and roles-each with their own unique set of privileges and defined access to specific resources (such as EC2 instances, the AWS Management Console, API, or the command-line interface). Unlike conventional (human) users, IAM roles are assumable by anyone in the organization. They provide users with dynamically created temporary security credentials that expire within a set time period.\\\nHerein lies the rub. In between the time between when the temporary credentials are issued and when they expire is a period of opportunity, where a user could leverage the temporary credentials to wreak havoc-spin up or remove instances, create new users, elevate privileges, and other malicious activities-throughout the environment.\\\nThis Analytic Story includes searches that will help you monitor your AWS CloudTrail logs for evidence of suspicious cross-account activity. For example, while accessing multiple AWS accounts and roles may be perfectly valid behavior, it may be suspicious when an account requests privileges of an account it has not accessed in the past. After identifying suspicious activities, you can use the provided investigative searches to help you probe more deeply.", "references": ["https://aws.amazon.com/blogs/security/aws-cloudtrail-now-tracks-cross-account-activity-to-its-origin/"], "tags": {"name": "AWS Cross Account Activity", "analytic_story": "AWS Cross Account Activity", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": [], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - aws detect attach to role policy - Rule", "ESCU - aws detect permanent key creation - Rule", "ESCU - aws detect role creation - Rule", "ESCU - aws detect sts assume role abuse - Rule", "ESCU - aws detect sts get session token abuse - Rule"], "investigation_names": ["ESCU - AWS Investigate User Activities By AccessKeyId - Response Task", "ESCU - Get Notable History - Response Task"], "baseline_names": ["ESCU - Previously Seen AWS Cross Account Activity"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "aws detect attach to role policy", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "aws detect permanent key creation", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "aws detect role creation", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "aws detect sts assume role abuse", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "aws detect sts get session token abuse", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Use Alternate Authentication Material"}]}}]}, {"name": "AWS Defense Evasion", "id": "4e00b690-293f-434d-a9d8-bcfb2ea5fff9", "version": 1, "date": "2022-07-15", "author": "Gowthamaraj Rajendran, Splunk", "description": "Identify activity and techniques associated with the Evasion of Defenses within AWS, such as Disabling CloudTrail, Deleting CloudTrail and many others.", "narrative": "Adversaries employ a variety of techniques in order to avoid detection and operate without barriers. This often involves modifying the configuration of security monitoring tools to get around them or explicitly disabling them to prevent them from running. This Analytic Story includes analytics that identify activity consistent with adversaries attempting to disable various security mechanisms on AWS. Such activity may involve deleting the CloudTrail logs , as this is where all the AWS logs get stored or explicitly changing the retention policy of S3 buckets. Other times, adversaries attempt deletion of a specified AWS CloudWatch log group.", "references": ["https://attack.mitre.org/tactics/TA0005/"], "tags": {"name": "AWS Defense Evasion", "analytic_story": "AWS Defense Evasion", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.008", "mitre_attack_technique": "Disable Cloud Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Web"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - ASL AWS Defense Evasion Delete Cloudtrail - Rule", "ESCU - ASL AWS Defense Evasion Delete CloudWatch Log Group - Rule", "ESCU - ASL AWS Defense Evasion Impair Security Services - Rule", "ESCU - AWS Defense Evasion Delete Cloudtrail - Rule", "ESCU - AWS Defense Evasion Delete CloudWatch Log Group - Rule", "ESCU - AWS Defense Evasion Impair Security Services - Rule", "ESCU - AWS Defense Evasion PutBucketLifecycle - Rule", "ESCU - AWS Defense Evasion Stop Logging Cloudtrail - Rule", "ESCU - AWS Defense Evasion Update Cloudtrail - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Gowthamaraj Rajendran", "detections": [{"name": "ASL AWS Defense Evasion Delete Cloudtrail", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "ASL AWS Defense Evasion Delete CloudWatch Log Group", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable Cloud Logs"}]}}, {"name": "ASL AWS Defense Evasion Impair Security Services", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "AWS Defense Evasion Delete Cloudtrail", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "AWS Defense Evasion Delete CloudWatch Log Group", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable Cloud Logs"}]}}, {"name": "AWS Defense Evasion Impair Security Services", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "AWS Defense Evasion PutBucketLifecycle", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "AWS Defense Evasion Stop Logging Cloudtrail", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "AWS Defense Evasion Update Cloudtrail", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable Cloud Logs"}]}}]}, {"name": "AWS IAM Privilege Escalation", "id": "ced74200-8465-4bc3-bd2c-22782eec6750", "version": 1, "date": "2021-03-08", "author": "Bhavin Patel, Splunk", "description": "This analytic story contains detections that query your AWS Cloudtrail for activities related to privilege escalation.", "narrative": "Amazon Web Services provides a neat feature called Identity and Access Management (IAM) that enables organizations to manage various AWS services and resources in a secure way. All IAM users have roles, groups and policies associated with them which governs and sets permissions to allow a user to access specific restrictions.\\\nHowever, if these IAM policies are misconfigured and have specific combinations of weak permissions; it can allow attackers to escalate their privileges and further compromise the organization. Rhino Security Labs have published comprehensive blogs detailing various AWS Escalation methods. By using this as an inspiration, Splunks research team wants to highlight how these attack vectors look in AWS Cloudtrail logs and provide you with detection queries to uncover these potentially malicious events via this Analytic Story. ", "references": ["https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/", "https://www.cyberark.com/resources/threat-research-blog/the-cloud-shadow-admin-threat-10-permissions-to-protect", "https://labs.bishopfox.com/tech-blog/privilege-escalation-in-aws"], "tags": {"name": "AWS IAM Privilege Escalation", "analytic_story": "AWS IAM Privilege Escalation", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1580", "mitre_attack_technique": "Cloud Infrastructure Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1069.003", "mitre_attack_technique": "Cloud Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": [], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - ASL AWS CreateAccessKey - Rule", "ESCU - ASL AWS IAM Delete Policy - Rule", "ESCU - ASL AWS Password Policy Changes - Rule", "ESCU - AWS Create Policy Version to allow all resources - Rule", "ESCU - AWS CreateAccessKey - Rule", "ESCU - AWS CreateLoginProfile - Rule", "ESCU - AWS IAM Assume Role Policy Brute Force - Rule", "ESCU - AWS IAM Delete Policy - Rule", "ESCU - AWS IAM Failure Group Deletion - Rule", "ESCU - AWS IAM Successful Group Deletion - Rule", "ESCU - AWS Password Policy Changes - Rule", "ESCU - AWS SetDefaultPolicyVersion - Rule", "ESCU - AWS UpdateLoginProfile - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "ASL AWS CreateAccessKey", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "ASL AWS IAM Delete Policy", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "ASL AWS Password Policy Changes", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "AWS Create Policy Version to allow all resources", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "AWS CreateAccessKey", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "AWS CreateLoginProfile", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "AWS IAM Assume Role Policy Brute Force", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Infrastructure Discovery"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "AWS IAM Delete Policy", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "AWS IAM Failure Group Deletion", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "AWS IAM Successful Group Deletion", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Groups"}, {"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}}, {"name": "AWS Password Policy Changes", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "AWS SetDefaultPolicyVersion", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "AWS UpdateLoginProfile", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}}]}, {"name": "AWS Identity and Access Management Account Takeover", "id": "4210b690-293f-411d-a9d8-bcfb2ea5fff9", "version": 2, "date": "2022-08-19", "author": "Gowthamaraj Rajendran, Bhavin Patel, Splunk", "description": "Identify activity and techniques associated with accessing credential files from AWS resources, monitor unusual authentication related activities to the AWS Console and other services such as RDS.", "narrative": "Amazon Web Services provides a web service known as Identity and Access Management(IAM) for controlling and securly managing various AWS resources. This is basically the foundation of how users in AWS interact with various resources/services in cloud and vice versa. Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. Adversaries employ a variety of techniques to steal AWS Cloud credentials like account names, passwords and keys and takeover legitmate user accounts. Usage of legitimate keys will assist the attackers to gain access to other sensitive system and they can also mimic legitimate behaviour making them harder to be detected. Such activity may involve multiple failed login to the console, new console logins and password reset activities.", "references": ["https://attack.mitre.org/tactics/TA0006/"], "tags": {"name": "AWS Identity and Access Management Account Takeover", "analytic_story": "AWS Identity and Access Management Account Takeover", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}, {"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Initial Access", "Persistence", "Privilege Escalation", "Resource Development"], "datamodels": ["Authentication"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"]}, "detection_names": ["ESCU - ASL AWS Multi-Factor Authentication Disabled - Rule", "ESCU - AWS Console Login Failed During MFA Challenge - Rule", "ESCU - AWS Credential Access Failed Login - Rule", "ESCU - AWS Credential Access GetPasswordData - Rule", "ESCU - AWS Credential Access RDS Password reset - Rule", "ESCU - AWS High Number Of Failed Authentications For User - Rule", "ESCU - AWS High Number Of Failed Authentications From Ip - Rule", "ESCU - AWS Multi-Factor Authentication Disabled - Rule", "ESCU - AWS Multiple Failed MFA Requests For User - Rule", "ESCU - AWS Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - AWS Successful Single-Factor Authentication - Rule", "ESCU - AWS Unusual Number of Failed Authentications From Ip - Rule", "ESCU - Detect AWS Console Login by New User - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Bhavin Patel, Splunk", "author_name": "Gowthamaraj Rajendran", "detections": [{"name": "ASL AWS Multi-Factor Authentication Disabled", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}}, {"name": "AWS Console Login Failed During MFA Challenge", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}}, {"name": "AWS Credential Access Failed Login", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}]}}, {"name": "AWS Credential Access GetPasswordData", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}]}}, {"name": "AWS Credential Access RDS Password reset", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "AWS High Number Of Failed Authentications For User", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "AWS High Number Of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "AWS Multi-Factor Authentication Disabled", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}}, {"name": "AWS Multiple Failed MFA Requests For User", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}}, {"name": "AWS Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "AWS Successful Single-Factor Authentication", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "AWS Unusual Number of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "Detect AWS Console Login by New User", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unsecured Credentials"}]}}, {"name": "Detect AWS Console Login by User from New City", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Detect AWS Console Login by User from New Country", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Detect AWS Console Login by User from New Region", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}]}, {"name": "AWS Network ACL Activity", "id": "2e8948a5-5239-406b-b56b-6c50ff268af4", "version": 2, "date": "2018-05-21", "author": "Bhavin Patel, Splunk", "description": "Monitor your AWS network infrastructure for bad configurations and malicious activity. Investigative searches help you probe deeper, when the facts warrant it.", "narrative": "AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational/risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. It is crucial for a company to monitor events and actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs to ensure that your servers are not vulnerable to attacks. This analytic story contains detection searches that leverage CloudTrail logs from AWS to check for bad configurations and malicious activity in your AWS network access controls.", "references": ["https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_NACLs.html", "https://aws.amazon.com/blogs/security/how-to-help-prepare-for-ddos-attacks-by-reducing-your-attack-surface/"], "tags": {"name": "AWS Network ACL Activity", "analytic_story": "AWS Network ACL Activity", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": [], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - AWS Network Access Control List Created with All Open Ports - Rule", "ESCU - AWS Network Access Control List Deleted - Rule", "ESCU - Detect Spike in blocked Outbound Traffic from your AWS - Rule", "ESCU - Detect Spike in Network ACL Activity - Rule"], "investigation_names": ["ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - AWS Network ACL Details from ID - Response Task", "ESCU - AWS Network Interface details via resourceId - Response Task", "ESCU - Get All AWS Activity From IP Address - Response Task", "ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get DNS traffic ratio - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task", "ESCU - Get Process Responsible For The DNS Traffic - Response Task"], "baseline_names": ["ESCU - Baseline of blocked outbound traffic from AWS", "ESCU - Baseline of Network ACL Activity by ARN"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS Network Access Control List Created with All Open Ports", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "AWS Network Access Control List Deleted", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Detect Spike in blocked Outbound Traffic from your AWS", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Detect Spike in Network ACL Activity", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}]}}]}, {"name": "AWS Security Hub Alerts", "id": "2f2f610a-d64d-48c2-b57c-96722b49ab5a", "version": 1, "date": "2020-08-04", "author": "Bhavin Patel, Splunk", "description": "This story is focused around detecting Security Hub alerts generated from AWS", "narrative": "AWS Security Hub collects and consolidates findings from AWS security services enabled in your environment, such as intrusion detection findings from Amazon GuardDuty, vulnerability scans from Amazon Inspector, S3 bucket policy findings from Amazon Macie, publicly accessible and cross-account resources from IAM Access Analyzer, and resources lacking WAF coverage from AWS Firewall Manager.", "references": ["https://aws.amazon.com/security-hub/features/"], "tags": {"name": "AWS Security Hub Alerts", "analytic_story": "AWS Security Hub Alerts", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Spike in AWS Security Hub Alerts for EC2 Instance - Rule", "ESCU - Detect Spike in AWS Security Hub Alerts for User - Rule"], "investigation_names": ["ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - Get EC2 Instance Details by instanceId - Response Task", "ESCU - Get EC2 Launch Details - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect Spike in AWS Security Hub Alerts for EC2 Instance", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Detect Spike in AWS Security Hub Alerts for User", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "AWS User Monitoring", "id": "2e8948a5-5239-406b-b56b-6c50f1269af3", "version": 1, "date": "2018-03-12", "author": "Bhavin Patel, Splunk", "description": "Detect and investigate dormant user accounts for your AWS environment that have become active again. Because inactive and ad-hoc accounts are common attack targets, it's critical to enable governance within your environment.", "narrative": "It seems obvious that it is critical to monitor and control the users who have access to your cloud infrastructure. Nevertheless, it's all too common for enterprises to lose track of ad-hoc accounts, leaving their servers vulnerable to attack. In fact, this was the very oversight that led to Tesla's cryptojacking attack in February, 2018.\\\nIn addition to compromising the security of your data, when bad actors leverage your compute resources, it can incur monumental costs, since you will be billed for any new EC2 instances and increased bandwidth usage. \\\nFortunately, you can leverage Amazon Web Services (AWS) CloudTrail--a tool that helps you enable governance, compliance, and risk auditing of your AWS account--to give you increased visibility into your user and resource activity by recording AWS Management Console actions and API calls. You can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred.\\\nThe detection searches in this Analytic Story are designed to help you uncover AWS API activities from users not listed in the identity table, as well as similar activities from disabled accounts.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf", "https://redlock.io/blog/cryptojacking-tesla"], "tags": {"name": "AWS User Monitoring", "analytic_story": "AWS User Monitoring", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}], "mitre_attack_tactics": ["Defense Evasion", "Discovery", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": [], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - ASL AWS Excessive Security Scanning - Rule", "ESCU - AWS Excessive Security Scanning - Rule", "ESCU - Detect API activity from users without MFA - Rule", "ESCU - Detect AWS API Activities From Unapproved Accounts - Rule", "ESCU - Detect new API calls from user roles - Rule", "ESCU - Detect Spike in AWS API Activity - Rule", "ESCU - Detect Spike in Security Group Activity - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Investigate AWS User Activities by user field - Response Task"], "baseline_names": ["ESCU - Baseline of Security Group Activity by ARN", "ESCU - Create a list of approved AWS service accounts", "ESCU - Baseline of API Calls per User ARN", "ESCU - Previously seen API call per user roles in CloudTrail"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "ASL AWS Excessive Security Scanning", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Service Discovery"}]}}, {"name": "AWS Excessive Security Scanning", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Service Discovery"}]}}, {"name": "Detect API activity from users without MFA", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Detect AWS API Activities From Unapproved Accounts", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "Detect new API calls from user roles", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "Detect Spike in AWS API Activity", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "Detect Spike in Security Group Activity", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}]}, {"name": "Azorult", "id": "efed5343-4ac2-42b1-a16d-da2428d0ce94", "version": 1, "date": "2022-06-09", "author": "Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Azorult malware including firewall modification, icacl execution, spawning more process, botnet c2 communication, defense evasion and etc. The AZORULT malware was first discovered in 2016 to be an information stealer that steals browsing history, cookies, ID/passwords, cryptocurrency information and more. It can also be a downloader of other malware. A variant of this malware was able to create a new, hidden administrator account on the machine to set a registry key to establish a Remote Desktop Protocol (RDP) connection. Exploit kits such as Fallout Exploit Kit (EK) and phishing mails with social engineering technique are one of the major infection vectors of the AZORult malware. The current malspam and phishing emails use fake product order requests, invoice documents and payment information requests. This Trojan-Spyware connects to Command And Control (C&C) servers of attacker to send and receive information.", "narrative": "Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.", "references": ["https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"name": "Azorult", "analytic_story": "Azorult", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "Dragonfly", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1564.001", "mitre_attack_technique": "Hidden Files and Directories", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "HAFNIUM", "Lazarus Group", "LuminousMoth", "Mustang Panda", "Rocke", "Transparent Tribe", "Tropic Trooper"]}, {"mitre_attack_id": "T1564", "mitre_attack_technique": "Hide Artifacts", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1222.001", "mitre_attack_technique": "Windows File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "admin@338"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Dragonfly", "Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1590.005", "mitre_attack_technique": "IP Addresses", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["Andariel", "HAFNIUM", "Magic Hound"]}, {"mitre_attack_id": "T1590", "mitre_attack_technique": "Gather Victim Network Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["HAFNIUM"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "TeamTNT", "Thrip"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - Allow Operation with Consent Admin - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - CHCP Command Execution - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Create local admin accounts using net exe - Rule", "ESCU - Detect Use of cmd exe to Launch Script Interpreters - Rule", "ESCU - Disable Defender BlockAtFirstSeen Feature - Rule", "ESCU - Disable Defender Enhanced Notification - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Disable Defender Submit Samples Consent Feature - Rule", "ESCU - Disable Show Hidden Files - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Excessive Attempt To Disable Services - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Excessive Usage Of SC Service Utility - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - Hide User Account From Sign-In Screen - Rule", "ESCU - Hiding Files And Directories With Attrib exe - Rule", "ESCU - Icacls Deny Command - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Windows Application Layer Protocol RMS Radmin Tool Namedpipe - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Gather Victim Network Info Through Ip Check Web Services - Rule", "ESCU - Windows Impair Defense Add Xml Applocker Rules - Rule", "ESCU - Windows Impair Defense Deny Security Software With Applocker - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Modify Registry Disable Toast Notifications - Rule", "ESCU - Windows Modify Registry Disable Win Defender Raw Write Notif - Rule", "ESCU - Windows Modify Registry Disable Windows Security Center Notif - Rule", "ESCU - Windows Modify Registry Disabling WER Settings - Rule", "ESCU - Windows Modify Registry DisAllow Windows App - Rule", "ESCU - Windows Modify Registry Regedit Silent Reg Import - Rule", "ESCU - Windows Modify Registry Suppress Win Defender Notif - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows Powershell Import Applocker Policy - Rule", "ESCU - Windows Remote Access Software RMS Registry - Rule", "ESCU - Windows Remote Service Rdpwinst Tool Execution - Rule", "ESCU - Windows Remote Services Allow Rdp In Firewall - Rule", "ESCU - Windows Remote Services Allow Remote Assistance - Rule", "ESCU - Windows Remote Services Rdp Enable - Rule", "ESCU - Windows Service Stop By Deletion - Rule", "ESCU - Windows Valid Account With Never Expires Password - Rule", "ESCU - Wmic NonInteractive App Uninstallation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Allow Operation with Consent Admin", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "CHCP Command Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Create local admin accounts using net exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "Detect Use of cmd exe to Launch Script Interpreters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "Disable Defender BlockAtFirstSeen Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender Enhanced Notification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender Submit Samples Consent Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Show Hidden Files", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hidden Files and Directories"}, {"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Hide Artifacts"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Excessive Attempt To Disable Services", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Excessive Usage Of Cacls App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Access Removal"}]}}, {"name": "Excessive Usage Of SC Service Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Hide User Account From Sign-In Screen", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Hiding Files And Directories With Attrib exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "Windows File and Directory Permissions Modification"}]}}, {"name": "Icacls Deny Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "Network Connection Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows Application Layer Protocol RMS Radmin Tool Namedpipe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Gather Victim Network Info Through Ip Check Web Services", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "IP Addresses"}, {"mitre_attack_technique": "Gather Victim Network Information"}]}}, {"name": "Windows Impair Defense Add Xml Applocker Rules", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Impair Defense Deny Security Software With Applocker", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "Windows Modify Registry Disable Toast Notifications", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Disable Win Defender Raw Write Notif", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Disable Windows Security Center Notif", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Disabling WER Settings", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry DisAllow Windows App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Regedit Silent Reg Import", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Suppress Win Defender Notif", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Windows Powershell Import Applocker Policy", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Remote Access Software RMS Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Access Software"}]}}, {"name": "Windows Remote Service Rdpwinst Tool Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Windows Remote Services Allow Rdp In Firewall", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Windows Remote Services Allow Remote Assistance", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Windows Remote Services Rdp Enable", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Windows Service Stop By Deletion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Windows Valid Account With Never Expires Password", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Wmic NonInteractive App Uninstallation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}]}, {"name": "Azure Active Directory Account Takeover", "id": "41514c46-7118-4eab-a9bb-f3bfa4e3bea9", "version": 2, "date": "2022-07-14", "author": "Mauricio Velazco, Splunk", "description": "Monitor for activities and techniques associated with Account Takover attacks against Azure Active Directory tenants.", "narrative": "Azure Active Directory (Azure AD) is Microsofts enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most of Azure services like Office 365. It can sync with on-premise Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day. Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic storic groups detections that can help security operations teams identify the potential compromise of Azure Active Directory accounts.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis", "https://azure.microsoft.com/en-us/services/active-directory/#overview", "https://attack.mitre.org/techniques/T1586/", "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-compare-azure-ad-to-ad", "https://www.imperva.com/learn/application-security/account-takeover-ato/", "https://www.varonis.com/blog/azure-active-directory", "https://www.barracuda.com/glossary/account-takeover"], "tags": {"name": "Azure Active Directory Account Takeover", "analytic_story": "Azure Active Directory Account Takeover", "category": ["Adversary Tactics", "Account Compromise", "Cloud Security", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1185", "mitre_attack_technique": "Browser Session Hijacking", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}], "mitre_attack_tactics": ["Collection", "Credential Access", "Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation", "Resource Development"], "datamodels": ["Authentication", "Risk"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"]}, "detection_names": ["ESCU - ASL AWS New MFA Method Registered For User - Rule", "ESCU - AWS New MFA Method Registered For User - Rule", "ESCU - Azure Active Directory High Risk Sign-in - Rule", "ESCU - Azure AD Authentication Failed During MFA Challenge - Rule", "ESCU - Azure AD Concurrent Sessions From Different Ips - Rule", "ESCU - Azure AD High Number Of Failed Authentications For User - Rule", "ESCU - Azure AD High Number Of Failed Authentications From Ip - Rule", "ESCU - Azure AD Multi-Factor Authentication Disabled - Rule", "ESCU - Azure AD Multiple Failed MFA Requests For User - Rule", "ESCU - Azure AD Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - Azure AD New MFA Method Registered For User - Rule", "ESCU - Azure AD Successful Authentication From Different Ips - Rule", "ESCU - Azure AD Successful PowerShell Authentication - Rule", "ESCU - Azure AD Successful Single-Factor Authentication - Rule", "ESCU - Azure AD Unusual Number of Failed Authentications From Ip - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "ASL AWS New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}}, {"name": "AWS New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}}, {"name": "Azure Active Directory High Risk Sign-in", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}]}}, {"name": "Azure AD Authentication Failed During MFA Challenge", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}}, {"name": "Azure AD Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Browser Session Hijacking"}]}}, {"name": "Azure AD High Number Of Failed Authentications For User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}]}}, {"name": "Azure AD High Number Of Failed Authentications From Ip", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}, {"mitre_attack_technique": "Password Spraying"}]}}, {"name": "Azure AD Multi-Factor Authentication Disabled", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}}, {"name": "Azure AD Multiple Failed MFA Requests For User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "Azure AD Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "Azure AD New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}}, {"name": "Azure AD Successful Authentication From Different Ips", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}, {"mitre_attack_technique": "Password Spraying"}]}}, {"name": "Azure AD Successful PowerShell Authentication", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "Azure AD Successful Single-Factor Authentication", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "Azure AD Unusual Number of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}}]}, {"name": "Azure Active Directory Persistence", "id": "dca983db-6334-4a0d-be32-80611ca1396c", "version": 1, "date": "2022-08-17", "author": "Mauricio Velazco, Splunk", "description": "Monitor for activities and techniques associated with the execution of Persistence techniques against Azure Active Directory tenants.", "narrative": "Azure Active Directory (Azure AD) is Microsofts enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most of Azure services like Office 365. It can sync with on-premise Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day.\\ Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. This analytic storic groups detections that can help security operations teams identify the potential execution of Persistence techniques targeting Azure Active Directory tenants. ", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis", "https://azure.microsoft.com/en-us/services/active-directory/#overview", "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-compare-azure-ad-to-ad", "https://attack.mitre.org/tactics/TA0003/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/Persistence/"], "tags": {"name": "Azure Active Directory Persistence", "analytic_story": "Azure Active Directory Persistence", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1484.002", "mitre_attack_technique": "Domain Trust Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.001", "mitre_attack_technique": "Additional Cloud Credentials", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": [], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Azure AD External Guest User Invited - Rule", "ESCU - Azure AD Global Administrator Role Assigned - Rule", "ESCU - Azure AD New Custom Domain Added - Rule", "ESCU - Azure AD New Federated Domain Added - Rule", "ESCU - Azure AD PIM Role Assigned - Rule", "ESCU - Azure AD PIM Role Assignment Activated - Rule", "ESCU - Azure AD Privileged Role Assigned - Rule", "ESCU - Azure AD Service Principal Created - Rule", "ESCU - Azure AD Service Principal New Client Credentials - Rule", "ESCU - Azure AD Service Principal Owner Added - Rule", "ESCU - Azure AD User Enabled And Password Reset - Rule", "ESCU - Azure AD User ImmutableId Attribute Updated - Rule", "ESCU - Azure Automation Account Created - Rule", "ESCU - Azure Automation Runbook Created - Rule", "ESCU - Azure Runbook Webhook Created - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Azure AD External Guest User Invited", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}]}}, {"name": "Azure AD Global Administrator Role Assigned", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Additional Cloud Roles"}]}}, {"name": "Azure AD New Custom Domain Added", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Domain Trust Modification"}]}}, {"name": "Azure AD New Federated Domain Added", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Domain Trust Modification"}]}}, {"name": "Azure AD PIM Role Assigned", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}}, {"name": "Azure AD PIM Role Assignment Activated", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}}, {"name": "Azure AD Privileged Role Assigned", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}}, {"name": "Azure AD Service Principal Created", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}]}}, {"name": "Azure AD Service Principal New Client Credentials", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Credentials"}]}}, {"name": "Azure AD Service Principal Owner Added", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Azure AD User Enabled And Password Reset", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Azure AD User ImmutableId Attribute Updated", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Azure Automation Account Created", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create Account"}, {"mitre_attack_technique": "Cloud Account"}]}}, {"name": "Azure Automation Runbook Created", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create Account"}, {"mitre_attack_technique": "Cloud Account"}]}}, {"name": "Azure Runbook Webhook Created", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}}]}, {"name": "Azure Active Directory Privilege Escalation", "id": "ec78e872-b79c-417d-b256-8fde902522fb", "version": 1, "date": "2023-04-24", "author": "Mauricio Velazco, Splunk", "description": "Monitor for activities and techniques associated with Privilege Escalation attacks within Azure Active Directory tenants.", "narrative": "Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations or vulnerabilities.\\\nAzure Active Directory (Azure AD) is Microsofts enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most of Azure services like Office 365 and Microsoft Teams. It can sync with on-premise Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day.\\\nPrivilege escalation attacks in Azure AD typically involve abusing misconfigurations to gain elevated privileges, such as Global Administrator access. Once an attacker has escalated their privileges and taken full control of a tenant, they may abuse every service that leverages Azure AD including moving laterally to Azure virtual machines to access sensitive data and carry out further attacks. Security teams should monitor for privilege escalation attacks in Azure Active Directory to identify breaches before attackers achieve operational success.\\\nThe following analytic story groups detection opportunities that seek to identify an adversary attempting to escalate privileges in Azure AD tenants.", "references": ["https://attack.mitre.org/tactics/TA0003/", "https://cloudbrothers.info/en/azure-attack-paths/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/PrivEsc/", "https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5"], "tags": {"name": "Azure Active Directory Privilege Escalation", "analytic_story": "Azure Active Directory Privilege Escalation", "category": ["Adversary Tactics", "Account Compromise", "Cloud Security", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1098.001", "mitre_attack_technique": "Additional Cloud Credentials", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Credential Access", "Persistence"], "datamodels": ["Authentication"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Azure AD Application Administrator Role Assigned - Rule", "ESCU - Azure AD Global Administrator Role Assigned - Rule", "ESCU - Azure AD PIM Role Assigned - Rule", "ESCU - Azure AD PIM Role Assignment Activated - Rule", "ESCU - Azure AD Privileged Authentication Administrator Role Assigned - Rule", "ESCU - Azure AD Privileged Role Assigned to Service Principal - Rule", "ESCU - Azure AD Service Principal New Client Credentials - Rule", "ESCU - Azure AD Service Principal Owner Added - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Azure AD Application Administrator Role Assigned", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}}, {"name": "Azure AD Global Administrator Role Assigned", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Additional Cloud Roles"}]}}, {"name": "Azure AD PIM Role Assigned", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}}, {"name": "Azure AD PIM Role Assignment Activated", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}}, {"name": "Azure AD Privileged Authentication Administrator Role Assigned", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}]}}, {"name": "Azure AD Privileged Role Assigned to Service Principal", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}}, {"name": "Azure AD Service Principal New Client Credentials", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Credentials"}]}}, {"name": "Azure AD Service Principal Owner Added", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}]}, {"name": "Baron Samedit CVE-2021-3156", "id": "817b0dfc-23ba-4bcc-96cc-2cb77e428fbe", "version": 1, "date": "2021-01-27", "author": "Shannon Davis, Splunk", "description": "Uncover activity consistent with CVE-2021-3156. Discovered by the Qualys Research Team, this vulnerability has been found to affect sudo across multiple Linux distributions (Ubuntu 20.04 and prior, Debian 10 and prior, Fedora 33 and prior). As this vulnerability was committed to code in July 2011, there will be many distributions affected. Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host.", "narrative": "A non-privledged user is able to execute the sudoedit command to trigger a buffer overflow. After the successful buffer overflow, they are then able to gain root privileges on the affected host. The conditions needed to be run are a trailing \"\\\" along with shell and edit flags. Monitoring the /var/log directory on Linux hosts using the Splunk Universal Forwarder will allow you to pick up this behavior when using the provided detection.", "references": ["https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit"], "tags": {"name": "Baron Samedit CVE-2021-3156", "analytic_story": "Baron Samedit CVE-2021-3156", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Privilege Escalation"], "datamodels": [], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Detect Baron Samedit CVE-2021-3156 - Rule", "ESCU - Detect Baron Samedit CVE-2021-3156 Segfault - Rule", "ESCU - Detect Baron Samedit CVE-2021-3156 via OSQuery - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Shannon Davis", "detections": [{"name": "Detect Baron Samedit CVE-2021-3156", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Detect Baron Samedit CVE-2021-3156 Segfault", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Detect Baron Samedit CVE-2021-3156 via OSQuery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}]}, {"name": "BishopFox Sliver Adversary Emulation Framework", "id": "8c2e2cba-3fd8-424f-a890-5080bdaf3f31", "version": 1, "date": "2023-01-24", "author": "Michael Haag, Splunk", "description": "The following analytic story providers visibility into the latest adversary TTPs in regard to the use of Sliver. Sliver has gained more traction with adversaries as it is often seen as an alternative to Cobalt Strike. It is designed to be scalable and can be used by organizations of all sizes to perform security testing. Sliver is highly modular and contains an Extension package manager (armory) allowing easy install (automatic compilation) of various 3rd party tools such as BOFs and .NET tooling like Ghostpack (Rubeus, Seatbelt, SharpUp, Certify, and so forth) (CyberReason,2023).", "narrative": "Sliver is an open source cross-platform adversary emulation/red team framework produced by BishopFox.", "references": ["https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors", "https://www.ncsc.gov.uk/files/Advisory%20Further%20TTPs%20associated%20with%20SVR%20cyber%20actors.pdf", "https://www.proofpoint.com/uk/blog/security-briefs/ta551-uses-sliver-red-team-tool-new-activity", "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control", "https://github.com/sliverarmory/armory", "https://github.com/BishopFox/sliver"], "tags": {"name": "BishopFox Sliver Adversary Emulation Framework", "analytic_story": "BishopFox Sliver Adversary Emulation Framework", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1055.002", "mitre_attack_technique": "Portable Executable Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Gorgon Group", "Rocke"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Notepad with no Command Line Arguments - Rule", "ESCU - Windows Process Injection into Notepad - Rule", "ESCU - Windows Service Create SliverC2 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Notepad with no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Windows Process Injection into Notepad", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Portable Executable Injection"}]}}, {"name": "Windows Service Create SliverC2", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}]}, {"name": "BITS Jobs", "id": "dbc7edce-8e4c-11eb-9f31-acde48001122", "version": 1, "date": "2021-03-26", "author": "Michael Haag, Splunk", "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", "narrative": "Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations. The interface to create and manage BITS jobs is accessible through PowerShell and the BITSAdmin tool. Adversaries may abuse BITS to download, execute, and even clean up after running malicious code. BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls. BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).", "references": ["https://attack.mitre.org/techniques/T1197/", "https://docs.microsoft.com/en-us/windows/win32/bits/bitsadmin-tool"], "tags": {"name": "BITS Jobs", "analytic_story": "BITS Jobs", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1197", "mitre_attack_technique": "BITS Jobs", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT39", "APT41", "Leviathan", "Patchwork"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}], "mitre_attack_tactics": ["Command And Control", "Defense Evasion", "Persistence"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - BITS Job Persistence - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - PowerShell Start-BitsTransfer - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "BITS Job Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "BITS Jobs"}]}}, {"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "BITS Jobs"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "PowerShell Start-BitsTransfer", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "BITS Jobs"}]}}]}, {"name": "BlackLotus Campaign", "id": "8eb0e418-a2b6-4327-a387-85c976662c8f", "version": 1, "date": "2023-04-14", "author": "Michael Haag, Splunk", "description": "The first in-the-wild UEFI bootkit bypassing UEFI Secure Boot on fully updated UEFI systems is now a reality", "narrative": "The number of UEFI vulnerabilities discovered in recent years and the failures in patching them or revoking vulnerable binaries within a reasonable time window hasn't gone unnoticed by threat actors. As a result, the first publicly known UEFI bootkit bypassing the essential platform security feature UEFI Secure Boot is now a reality. present the first public analysis of this UEFI bootkit, which is capable of running on even fully-up-to-date Windows 11 systems with UEFI Secure Boot enabled. Functionality of the bootkit and its individual features leads us to believe that we are dealing with a bootkit known as BlackLotus, the UEFI bootkit being sold on hacking forums for $5,000 since at least October 2022. (ESET, 2023) The following content aims to aid defenders in detecting suspicious bootloaders and understanding the diverse techniques employed in this campaign.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/", "https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/"], "tags": {"name": "BlackLotus Campaign", "analytic_story": "BlackLotus Campaign", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1542.001", "mitre_attack_technique": "System Firmware", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1542", "mitre_attack_technique": "Pre-OS Boot", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1542.003", "mitre_attack_technique": "Bootkit", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT28", "APT41", "Lazarus Group"]}], "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Windows BootLoader Inventory - Rule", "ESCU - Windows Impair Defenses Disable HVCI - Rule", "ESCU - Windows WinLogon with Public Network Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows BootLoader Inventory", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Firmware"}, {"mitre_attack_technique": "Pre-OS Boot"}]}}, {"name": "Windows Impair Defenses Disable HVCI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows WinLogon with Public Network Connection", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bootkit"}]}}]}, {"name": "Brand Monitoring", "id": "91c676cf-0b23-438d-abee-f6335e1fce78", "version": 1, "date": "2017-12-19", "author": "David Dorsey, Splunk", "description": "Detect and investigate activity that may indicate that an adversary is using faux domains to mislead users into interacting with malicious infrastructure. Monitor DNS, email, and web traffic for permutations of your brand name.", "narrative": "While you can educate your users and customers about the risks and threats posed by typosquatting, phishing, and corporate espionage, human error is a persistent fact of life. Of course, your adversaries are all too aware of this reality and will happily leverage it for nefarious purposes whenever possible3phishing with lookalike addresses, embedding faux command-and-control domains in malware, and hosting malicious content on domains that closely mimic your corporate servers. This is where brand monitoring comes in.\\\nYou can use our adaptation of `DNSTwist`, together with the support searches in this Analytic Story, to generate permutations of specified brands and external domains. Splunk can monitor email, DNS requests, and web traffic for these permutations and provide you with early warnings and situational awareness--powerful elements of an effective defense.\\\nNotable events will include IP addresses, URLs, and user data. Drilling down can provide you with even more actionable intelligence, including likely geographic information, contextual searches to help you scope the problem, and investigative searches.", "references": ["https://www.zerofox.com/blog/what-is-digital-risk-monitoring/", "https://securingtomorrow.mcafee.com/consumer/family-safety/what-is-typosquatting/", "https://blog.malwarebytes.com/cybercrime/2016/06/explained-typosquatting/"], "tags": {"name": "Brand Monitoring", "analytic_story": "Brand Monitoring", "category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Email", "Network_Resolution", "Web"], "kill_chain_phases": []}, "detection_names": ["ESCU - Monitor Email For Brand Abuse - Rule", "ESCU - Monitor DNS For Brand Abuse - Rule", "ESCU - Monitor Web Traffic For Brand Abuse - Rule"], "investigation_names": ["ESCU - Get Email Info - Response Task", "ESCU - Get Emails From Specific Sender - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Process Responsible For The DNS Traffic - Response Task"], "baseline_names": ["ESCU - DNSTwist Domain Names"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Monitor Email For Brand Abuse", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Monitor DNS For Brand Abuse", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Monitor Web Traffic For Brand Abuse", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Brute Ratel C4", "id": "0ec9dbfe-f64e-46bb-8eb8-04e92326f513", "version": 1, "date": "2022-08-23", "author": "Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that may be related to Brute Ratel Red Teaming tool. This includes creation, modification and deletion of services, collection or data, ping IP, DNS cache, process injection, debug privileges adjustment, winlogon process duplicate token, lock workstation, get clipboard or screenshot and much more.", "narrative": "Brute RATEL BRC4 is the latest red-teaming tool that simulate several TTP's. It uses several techniques like syscall, patching ETW/AMSI and written in native C to minimize noise in process command-line. This tool was seen in the wild being abused by some ransomware (blackcat) and adversaries in their campaigns to install the BRC4 agent that can serve as remote admin tool to compromise the target host or network.", "references": ["https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/", "https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/"], "tags": {"name": "Brute Ratel C4", "analytic_story": "Brute Ratel C4", "category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134.002", "mitre_attack_technique": "Create Process with Token", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Lazarus Group", "Turla"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1134.001", "mitre_attack_technique": "Token Impersonation/Theft", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "FIN8"]}, {"mitre_attack_id": "T1589.001", "mitre_attack_technique": "Credentials", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["APT28", "Chimera", "LAPSUS$", "Leviathan", "Magic Hound"]}, {"mitre_attack_id": "T1589", "mitre_attack_technique": "Gather Victim Identity Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["APT32", "HEXANE", "LAPSUS$", "Magic Hound"]}, {"mitre_attack_id": "T1574.001", "mitre_attack_technique": "DLL Search Order Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Aquatic Panda", "BackdoorDiplomacy", "Evilnum", "RTM", "Threat Group-3390", "Tonto Team", "Whitefly", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1056.002", "mitre_attack_technique": "GUI Input Capture", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["FIN4"]}, {"mitre_attack_id": "T1056", "mitre_attack_technique": "Input Capture", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["APT39"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1055.002", "mitre_attack_technique": "Portable Executable Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Gorgon Group", "Rocke"]}, {"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "TeamTNT", "Thrip"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Credential Access", "Defense Evasion", "Execution", "Impact", "Initial Access", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Access Token Manipulation Winlogon Duplicate Token Handle - Rule", "ESCU - Windows Access Token Winlogon Duplicate Handle In Uncommon Path - Rule", "ESCU - Windows Defacement Modify Transcodedwallpaper File - Rule", "ESCU - Windows Gather Victim Identity SAM Info - Rule", "ESCU - Windows Hijack Execution Flow Version Dll Side Load - Rule", "ESCU - Windows Input Capture Using Credential UI Dll - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows Process Injection With Public Source Path - Rule", "ESCU - Windows Remote Access Software BRC4 Loaded Dll - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - Windows Service Deletion In Registry - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Defacement"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create Process with Token"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Windows Access Token Manipulation Winlogon Duplicate Token Handle", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Token Impersonation/Theft"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Windows Access Token Winlogon Duplicate Handle In Uncommon Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Token Impersonation/Theft"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Windows Defacement Modify Transcodedwallpaper File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Defacement"}]}}, {"name": "Windows Gather Victim Identity SAM Info", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials"}, {"mitre_attack_technique": "Gather Victim Identity Information"}]}}, {"name": "Windows Hijack Execution Flow Version Dll Side Load", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Windows Input Capture Using Credential UI Dll", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "GUI Input Capture"}, {"mitre_attack_technique": "Input Capture"}]}}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Windows Process Injection With Public Source Path", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Portable Executable Injection"}]}}, {"name": "Windows Remote Access Software BRC4 Loaded Dll", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Access Software"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}}, {"name": "Windows Service Deletion In Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}]}, {"name": "Caddy Wiper", "id": "435a156a-8ef1-4184-bd52-22328fb65d3a", "version": 1, "date": "2022-03-25", "author": "Teoderick Contreras, Rod Soto, Splunk", "description": "Caddy Wiper is a destructive payload that detects if its running on a Domain Controller and executes killswitch if detected. If not in a DC it destroys Users and subsequent mapped drives. This wiper also destroys drive partitions inculding boot partitions.", "narrative": "Caddy Wiper is destructive malware operation found by ESET multiple organizations in Ukraine. This malicious payload destroys user files, avoids executing on Dnomain Controllers and destroys boot and drive partitions.", "references": ["https://twitter.com/ESETresearch/status/1503436420886712321", "https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine/"], "tags": {"name": "Caddy Wiper", "analytic_story": "Caddy Wiper", "category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Impact"], "datamodels": [], "kill_chain_phases": ["Actions on Objectives"]}, "detection_names": ["ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}]}, {"name": "CISA AA22-257A", "id": "e1aec96e-bc7d-4edf-8ff7-3da9b7b29147", "version": 1, "date": "2022-09-15", "author": "Michael Haag, Splunk", "description": "The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations.", "narrative": "This advisory updates joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities, which provides information on these Iranian government-sponsored APT actors exploiting known Fortinet and Microsoft Exchange vulnerabilities to gain initial access to a broad range of targeted entities in furtherance of malicious activities, including ransom operations. The authoring agencies now judge these actors are an APT group affiliated with the IRGC. Since the initial reporting of this activity in the FBI Liaison Alert System (FLASH) report APT Actors Exploiting Fortinet Vulnerabilities to Gain Access for Malicious Activity from May 2021, the authoring agencies have continued to observe these IRGC-affiliated actors exploiting known vulnerabilities for initial access. In addition to exploiting Fortinet and Microsoft Exchange vulnerabilities, the authoring agencies have observed these APT actors exploiting VMware Horizon Log4j vulnerabilities for initial access. The IRGC-affiliated actors have used this access for follow-on activity, including disk encryption and data extortion, to support ransom operations. The IRGC-affiliated actors are actively targeting a broad range of entities, including entities across multiple U.S. critical infrastructure sectors as well as Australian, Canadian, and United Kingdom organizations. These actors often operate under the auspices of Najee Technology Hooshmand Fater LLC, based in Karaj, Iran, and Afkar System Yazd Company, based in Yazd, Iran. The authoring agencies assess the actors are exploiting known vulnerabilities on unprotected networks rather than targeting specific targeted entities or sectors. This advisory provides observed tactics, techniques, and indicators of compromise (IOCs) that the authoring agencies assess are likely associated with this IRGC-affiliated APT. The authoring agencies urge organizations, especially critical infrastructure organizations, to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from these IRGC-affiliated cyber actors.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa21-321a", "https://www.cisa.gov/uscert/ncas/alerts/aa22-257a", "https://www.ic3.gov/Media/News/2021/210527.pdf", "https://www.us-cert.gov/sites/default/files/AA22-257A.stix.xml", "https://www.us-cert.cisa.gov/iran"], "tags": {"name": "CISA AA22-257A", "analytic_story": "CISA AA22-257A", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "Dragonfly", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1572", "mitre_attack_technique": "Protocol Tunneling", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Chimera", "Cobalt Group", "FIN6", "Fox Kitten", "Leviathan", "Magic Hound", "OilRig"]}, {"mitre_attack_id": "T1021.004", "mitre_attack_technique": "SSH", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT39", "BlackTech", "FIN7", "Fox Kitten", "GCMAN", "Lazarus Group", "Leviathan", "OilRig", "Rocke", "TEMP.Veles", "TeamTNT", "menuPass"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Execution", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Web"], "kill_chain_phases": ["Command And Control", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Dump LSASS via procdump Rename - Rule", "ESCU - Create local admin accounts using net exe - Rule", "ESCU - Creation of lsass Dump with Taskmgr - Rule", "ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect New Local Admin account - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Dump LSASS via procdump - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Randomly Generated Scheduled Task Name - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Short Lived Scheduled Task - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Windows Protocol Tunneling with Plink - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - Log4Shell JNDI Payload Injection Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Dump LSASS via procdump Rename", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}]}}, {"name": "Create local admin accounts using net exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "Creation of lsass Dump with Taskmgr", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Detect New Local Admin account", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Dump LSASS via procdump", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Randomly Generated Scheduled Task Name", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Short Lived Scheduled Task", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Protocol Tunneling with Plink", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Protocol Tunneling"}, {"mitre_attack_technique": "SSH"}]}}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Log4Shell JNDI Payload Injection Attempt", "source": "web", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "CISA AA22-264A", "id": "bc7056a5-c3b0-4b83-93ce-5f31739305c8", "version": 1, "date": "2022-09-22", "author": "Michael Haag, Splunk", "description": "Iranian State Actors Conduct Cyber Operations Against the Government of Albania.", "narrative": "The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory to provide information on recent cyber operations against the Government of Albania in July and September. This advisory provides a timeline of activity observed, from initial access to execution of encryption and wiper attacks. Additional information concerning files used by the actors during their exploitation of and cyber attack against the victim organization is provided in Appendices A and B. In September 2022, Iranian cyber actors launched another wave of cyber attacks against the Government of Albania, using similar TTPs and malware as the cyber attacks in July. These were likely done in retaliation for public attribution of the cyber attacks in July and severed diplomatic ties between Albania and Iran.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa22-264a", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-264a-iranian-cyber-actors-conduct-cyber-operations-against-the-government-of-albania.pdf", "https://www.mandiant.com/resources/blog/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against", "https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/"], "tags": {"name": "CISA AA22-264A", "analytic_story": "CISA AA22-264A", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1036.005", "mitre_attack_technique": "Match Legitimate Name or Location", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT32", "APT39", "APT41", "Aoqin Dragon", "BRONZE BUTLER", "BackdoorDiplomacy", "Blue Mockingbird", "Carbanak", "Chimera", "Darkhotel", "Earth Lusca", "FIN7", "Ferocious Kitten", "Fox Kitten", "Gamaredon Group", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Poseidon Group", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "Sowbug", "TEMP.Veles", "TeamTNT", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1595", "mitre_attack_technique": "Active Scanning", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}, {"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Execution", "Impact", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Event Log Cleared - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows System File on Disk - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Match Legitimate Name or Location"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "Active Scanning"}]}}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Event Log Cleared", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "Windows System File on Disk", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}]}, {"name": "CISA AA22-277A", "id": "db408f93-e915-4215-9962-5fada348bdd7", "version": 1, "date": "2022-10-05", "author": "Michael Haag, Splunk", "description": "From November 2021 through January 2022, the Cybersecurity and Infrastructure Security Agency (CISA) responded to advanced persistent threat (APT) activity on a Defense Industrial Base (DIB) Sector organization's enterprise network. During incident response activities, multiple utilities were utilized.", "narrative": "CISA uncovered that likely multiple APT groups compromised the organization's network, and some APT actors had long-term access to the environment. APT actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim's sensitive data.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa22-277a", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-277a-impacket-and-exfiltration-tool-used-to-steal-sensitive-information-from-defense-industrial-base-organization.pdf"], "tags": {"name": "CISA AA22-277A", "analytic_story": "CISA AA22-277A", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.005", "mitre_attack_technique": "Network Share Connection Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Threat Group-3390"]}, {"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "Turla", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016.001", "mitre_attack_technique": "Internet Connection Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Gamaredon Group", "HAFNIUM", "HEXANE", "Magic Hound", "Turla"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Defense Evasion", "Discovery", "Execution", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Detect Renamed WinRAR - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}}, {"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Network Share Connection Removal"}]}}, {"name": "Detect Renamed WinRAR", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Internet Connection Discovery"}]}}]}, {"name": "CISA AA22-320A", "id": "c1fca73d-3a8d-49a6-b9c0-1d5d155f7dd4", "version": 1, "date": "2022-11-16", "author": "Michael Haag, Splunk", "description": "CISA and the FBI have identified an APT activity where the adversary gained initial access via Log4Shell via a unpatched VMware Horizon server. From there the adversary moved laterally and continued to its objective.", "narrative": "From mid-June through mid-July 2022, CISA conducted an incident response engagement at a Federal Civilian Executive Branch (FCEB) organization where CISA observed suspected advanced persistent threat (APT) activity. In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence. CISA and the Federal Bureau of Investigation (FBI) assess that the FCEB network was compromised by Iranian government-sponsored APT actors.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa22-320a", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf"], "tags": {"name": "CISA AA22-320A", "analytic_story": "CISA AA22-320A", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1550.003", "mitre_attack_technique": "Pass the Ticket", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT29", "APT32", "BRONZE BUTLER"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1014", "mitre_attack_technique": "Rootkit", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT41", "Rocke", "TeamTNT", "Winnti Group"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1572", "mitre_attack_technique": "Protocol Tunneling", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Chimera", "Cobalt Group", "FIN6", "Fox Kitten", "Leviathan", "Magic Hound", "OilRig"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "POLONIUM", "Sandworm Team", "Turla", "Windigo"]}, {"mitre_attack_id": "T1102", "mitre_attack_technique": "Web Service", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT32", "EXOTIC LILY", "Ember Bear", "FIN6", "FIN8", "Fox Kitten", "Gamaredon Group", "Inception", "LazyScripter", "Mustang Panda", "Rocke", "TeamTNT", "Turla"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Resolution", "Network_Traffic", "Risk", "Web"], "kill_chain_phases": ["Command And Control", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Suspicious Powershell Command-Line Arguments - Rule", "ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Enable WDigest UseLogonCredential Registry - Rule", "ESCU - GetAdComputer with PowerShell Script Block - Rule", "ESCU - Log4Shell CVE-2021-44228 Exploitation - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Windows Driver Load Non-Standard Path - Rule", "ESCU - Windows Drivers Loaded by Signature - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Ngrok Reverse Proxy Usage - Rule", "ESCU - Windows Service Create Kernel Mode Driver - Rule", "ESCU - XMRIG Driver Loaded - Rule", "ESCU - Ngrok Reverse Proxy on Network - Rule", "ESCU - Hunting for Log4Shell - Rule", "ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", "ESCU - Log4Shell JNDI Payload Injection with Outbound Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Suspicious Powershell Command-Line Arguments", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}]}}, {"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Enable WDigest UseLogonCredential Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "GetAdComputer with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Log4Shell CVE-2021-44228 Exploitation", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}]}}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows Driver Load Non-Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Windows Drivers Loaded by Signature", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Ngrok Reverse Proxy Usage", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Protocol Tunneling"}, {"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Web Service"}]}}, {"name": "Windows Service Create Kernel Mode Driver", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "XMRIG Driver Loaded", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Ngrok Reverse Proxy on Network", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Protocol Tunneling"}, {"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Web Service"}]}}, {"name": "Hunting for Log4Shell", "source": "web", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Log4Shell JNDI Payload Injection Attempt", "source": "web", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Log4Shell JNDI Payload Injection with Outbound Connection", "source": "web", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "Cloud Cryptomining", "id": "3b96d13c-fdc7-45dd-b3ad-c132b31cdd2a", "version": 1, "date": "2019-10-02", "author": "David Dorsey, Splunk", "description": "Monitor your cloud compute instances for activities related to cryptojacking/cryptomining. New instances that originate from previously unseen regions, users who launch abnormally high numbers of instances, or compute instances started by previously unseen users are just a few examples of potentially malicious behavior.", "narrative": "Cryptomining is an intentionally difficult, resource-intensive business. Its complexity was designed into the process to ensure that the number of blocks mined each day would remain steady. So, it's par for the course that ambitious, but unscrupulous, miners make amassing the computing power of large enterprises--a practice known as cryptojacking--a top priority. \\\nCryptojacking has attracted an increasing amount of media attention since its explosion in popularity in the fall of 2017. The attacks have moved from in-browser exploits and mobile phones to enterprise cloud services, such as Amazon Web Services (AWS), Google Cloud Platform (GCP), and Azure. It's difficult to determine exactly how widespread the practice has become, since bad actors continually evolve their ability to escape detection, including employing unlisted endpoints, moderating their CPU usage, and hiding the mining pool's IP address behind a free CDN. \\\nWhen malicious miners appropriate a cloud instance, often spinning up hundreds of new instances, the costs can become astronomical for the account holder. So it is critically important to monitor your systems for suspicious activities that could indicate that your network has been infiltrated. \\\nThis Analytic Story is focused on detecting suspicious new instances in your cloud environment to help prevent cryptominers from gaining a foothold. It contains detection searches that will detect when a previously unused instance type or AMI is used. It also contains support searches to build lookup files to ensure proper execution of the detection searches.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "tags": {"name": "Cloud Cryptomining", "analytic_story": "Cloud Cryptomining", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Change"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Abnormally High Number Of Cloud Instances Launched - Rule", "ESCU - Cloud Compute Instance Created By Previously Unseen User - Rule", "ESCU - Cloud Compute Instance Created In Previously Unused Region - Rule", "ESCU - Cloud Compute Instance Created With Previously Unseen Image - Rule", "ESCU - Cloud Compute Instance Created With Previously Unseen Instance Type - Rule"], "investigation_names": ["ESCU - AWS Investigate Security Hub alerts by dest - Response Task", "ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - Get EC2 Instance Details by instanceId - Response Task", "ESCU - Get EC2 Launch Details - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Investigate AWS activities via region name - Response Task"], "baseline_names": ["ESCU - Baseline Of Cloud Instances Destroyed", "ESCU - Baseline Of Cloud Instances Launched", "ESCU - Previously Seen Cloud Compute Creations By User - Initial", "ESCU - Previously Seen Cloud Compute Creations By User - Update", "ESCU - Previously Seen Cloud Compute Images - Initial", "ESCU - Previously Seen Cloud Compute Images - Update", "ESCU - Previously Seen Cloud Compute Instance Types - Initial", "ESCU - Previously Seen Cloud Compute Instance Types - Update", "ESCU - Previously Seen Cloud Regions - Initial", "ESCU - Previously Seen Cloud Regions - Update"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Abnormally High Number Of Cloud Instances Launched", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Cloud Compute Instance Created By Previously Unseen User", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Cloud Compute Instance Created In Previously Unused Region", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Cloud Compute Instance Created With Previously Unseen Image", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Cloud Compute Instance Created With Previously Unseen Instance Type", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Cloud Federated Credential Abuse", "id": "cecdc1e7-0af2-4a55-8967-b9ea62c0317d", "version": 1, "date": "2021-01-26", "author": "Rod Soto, Splunk", "description": "This analytical story addresses events that indicate abuse of cloud federated credentials. These credentials are usually extracted from endpoint desktop or servers specially those servers that provide federation services such as Windows Active Directory Federation Services. Identity Federation relies on objects such as Oauth2 tokens, cookies or SAML assertions in order to provide seamless access between cloud and perimeter environments. If these objects are either hijacked or forged then attackers will be able to pivot into victim's cloud environements.", "narrative": "This story is composed of detection searches based on endpoint that addresses the use of Mimikatz, Escalation of Privileges and Abnormal processes that may indicate the extraction of Federated directory objects such as passwords, Oauth2 tokens, certificates and keys. Cloud environment (AWS, Azure) related events are also addressed in specific cloud environment detection searches.", "references": ["https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://us-cert.cisa.gov/ncas/alerts/aa21-008a"], "tags": {"name": "Cloud Federated Credential Abuse", "analytic_story": "Cloud Federated Credential Abuse", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["TEMP.Veles"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - AWS SAML Access by Provider User and Principal - Rule", "ESCU - AWS SAML Update identity provider - Rule", "ESCU - O365 Add App Role Assignment Grant User - Rule", "ESCU - O365 Added Service Principal - Rule", "ESCU - O365 Excessive SSO logon errors - Rule", "ESCU - O365 New Federated Domain Added - Rule", "ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Detect Mimikatz Via PowerShell And EventCode 4703 - Rule", "ESCU - Certutil exe certificate extraction - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "AWS SAML Access by Provider User and Principal", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "AWS SAML Update identity provider", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "O365 Add App Role Assignment Grant User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "O365 Added Service Principal", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "O365 Excessive SSO logon errors", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Authentication Process"}]}}, {"name": "O365 New Federated Domain Added", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Detect Mimikatz Via PowerShell And EventCode 4703", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}]}}, {"name": "Certutil exe certificate extraction", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Image File Execution Options Injection"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}]}, {"name": "Cobalt Strike", "id": "bcfd17e8-5461-400a-80a2-3b7d1459220c", "version": 1, "date": "2021-02-16", "author": "Michael Haag, Splunk", "description": "Cobalt Strike is threat emulation software. Red teams and penetration testers use Cobalt Strike to demonstrate the risk of a breach and evaluate mature security programs. Most recently, Cobalt Strike has become the choice tool by threat groups due to its ease of use and extensibility.", "narrative": "This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) from Cobalt Strike. Cobalt Strike has many ways to be enhanced by using aggressor scripts, malleable C2 profiles, default attack packages, and much more. For endpoint behavior, Cobalt Strike is most commonly identified via named pipes, spawn to processes, and DLL function names. Many additional variables are provided for in memory operation of the beacon implant. On the network, depending on the malleable C2 profile used, it is near infinite in the amount of ways to conceal the C2 traffic with Cobalt Strike. Not every query may be specific to Cobalt Strike the tool, but the methodologies and techniques used by it.\\\nSplunk Threat Research reviewed all publicly available instances of Malleabe C2 Profiles and generated a list of the most commonly used spawnto and pipenames.\\\n`Spawnto_x86` and `spawnto_x64` is the process that Cobalt Strike will spawn and injects shellcode into.\\\nPipename sets the named pipe name used in Cobalt Strikes Beacon SMB C2 traffic.\\\nWith that, new detections were generated focused on these spawnto processes spawning without command line arguments. Similar, the named pipes most commonly used by Cobalt Strike added as a detection. In generating content for Cobalt Strike, the following is considered:\\\n- Is it normal for spawnto_ value to have no command line arguments? No command line arguments and a network connection?\\\n- What is the default, or normal, process lineage for spawnto_ value?\\\n- Does the spawnto_ value make network connections?\\\n- Is it normal for spawnto_ value to load jscript, vbscript, Amsi.dll, and clr.dll?\\\nWhile investigating a detection related to this Analytic Story, keep in mind the parent process, process path, and any file modifications that may occur. Tuning may need to occur to remove any false positives.", "references": ["https://www.cobaltstrike.com/", "https://www.infocyte.com/blog/2020/09/02/cobalt-strike-the-new-favorite-among-thieves/", "https://bluescreenofjeff.com/2017-01-24-how-to-write-malleable-c2-profiles-for-cobalt-strike/", "https://blog.talosintelligence.com/2020/09/coverage-strikes-back-cobalt-strike-paper.html", "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html", "https://github.com/MichaelKoczwara/Awesome-CobaltStrike-Defence", "https://github.com/zer0yu/Awesome-CobaltStrike"], "tags": {"name": "Cobalt Strike", "analytic_story": "Cobalt Strike", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "Turla", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Collection", "Defense Evasion", "Execution", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Anomalous usage of 7zip - Rule", "ESCU - CMD Echo Pipe - Escalation - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - DLLHost with no Command Line Arguments with Network - Rule", "ESCU - GPUpdate with no Command Line Arguments with Network - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - SearchProtocolHost with no Command Line with Network - Rule", "ESCU - Services Escalate Exe - Rule", "ESCU - Suspicious DLLHost no Command Line Arguments - Rule", "ESCU - Suspicious GPUpdate no Command Line Arguments - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", "ESCU - Suspicious Rundll32 StartW - Rule", "ESCU - Suspicious SearchProtocolHost no Command Line Arguments - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Anomalous usage of 7zip", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "CMD Echo Pipe - Escalation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "DLLHost with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "GPUpdate with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "SearchProtocolHost with no Command Line with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Services Escalate Exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Suspicious DLLHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Suspicious GPUpdate no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious SearchProtocolHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}]}, {"name": "ColdRoot MacOS RAT", "id": "bd91a2bc-d20b-4f44-a982-1bea98e86390", "version": 1, "date": "2019-01-09", "author": "Jose Hernandez, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that relate to the ColdRoot Remote Access Trojan that affects MacOS. An example of some of these activities are changing sensative binaries in the MacOS sub-system, detecting process names and executables associated with the RAT, detecting when a keyboard tab is installed on a MacOS machine and more.", "narrative": "Conventional wisdom holds that Apple's MacOS operating system is significantly less vulnerable to attack than Windows machines. While that point is debatable, it is true that attacks against MacOS systems are much less common. However, this fact does not mean that Macs are impervious to breaches. To the contrary, research has shown that that Mac malware is increasing at an alarming rate. According to AV-test, in 2018, there were 86,865 new MacOS malware variants, up from 27,338 the year before—a 31% increase. In contrast, the independent research firm found that new Windows malware had increased from 65.17M to 76.86M during that same period, less than half the rate of growth. The bottom line is that while the numbers look a lot smaller than Windows, it's definitely time to take Mac security more seriously.\\\nThis Analytic Story addresses the ColdRoot remote access trojan (RAT), which was uploaded to Github in 2016, but was still escaping detection by the first quarter of 2018, when a new, more feature-rich variant was discovered masquerading as an Apple audio driver. Among other capabilities, the Pascal-based ColdRoot can heist passwords from users' keychains and remotely control infected machines without detection. In the initial report of his findings, Patrick Wardle, Chief Research Officer for Digita Security, explained that the new ColdRoot RAT could start and kill processes on the breached system, spawn new remote-desktop sessions, take screen captures and assemble them into a live stream of the victim's desktop, and more.\\\nSearches in this Analytic Story leverage the capabilities of OSquery to address ColdRoot detection from several different angles, such as looking for the existence of associated files and processes, and monitoring for signs of an installed keylogger.", "references": ["https://www.intego.com/mac-security-blog/osxcoldroot-and-the-rat-invasion/", "https://objective-see.com/blog/blog_0x2A.html", "https://www.bleepingcomputer.com/news/security/coldroot-rat-still-undetectable-despite-being-uploaded-on-github-two-years-ago/"], "tags": {"name": "ColdRoot MacOS RAT", "analytic_story": "ColdRoot MacOS RAT", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Osquery pack - ColdRoot detection - Rule", "ESCU - MacOS - Re-opened Applications - Rule", "ESCU - Processes Tapping Keyboard Events - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Investigate Network Traffic From src ip - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Jose Hernandez", "detections": [{"name": "Osquery pack - ColdRoot detection", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "MacOS - Re-opened Applications", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Processes Tapping Keyboard Events", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Collection and Staging", "id": "8e03c61e-13c4-4dcd-bfbe-5ce5a8dc031a", "version": 1, "date": "2020-02-03", "author": "Rico Valdez, Splunk", "description": "Monitor for and investigate activities--such as suspicious writes to the Windows Recycling Bin or email servers sending high amounts of traffic to specific hosts, for example--that may indicate that an adversary is harvesting and exfiltrating sensitive data. ", "narrative": "A common adversary goal is to identify and exfiltrate data of value from a target organization. This data may include email conversations and addresses, confidential company information, links to network design/infrastructure, important dates, and so on.\\\n Attacks are composed of three activities: identification, collection, and staging data for exfiltration. Identification typically involves scanning systems and observing user activity. Collection can involve the transfer of large amounts of data from various repositories. Staging/preparation includes moving data to a central location and compressing (and optionally encoding and/or encrypting) it. All of these activities provide opportunities for defenders to identify their presence. \\\nUse the searches to detect and monitor suspicious behavior related to these activities.", "references": ["https://attack.mitre.org/wiki/Collection", "https://attack.mitre.org/wiki/Technique/T1074"], "tags": {"name": "Collection and Staging", "analytic_story": "Collection and Staging", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1114.001", "mitre_attack_technique": "Local Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "Chimera", "Magic Hound"]}, {"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "Turla", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}], "mitre_attack_tactics": ["Collection", "Defense Evasion"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Email files written outside of the Outlook directory - Rule", "ESCU - Email servers sending high volume traffic to hosts - Rule", "ESCU - Suspicious writes to System Volume Information - Rule", "ESCU - Detect Renamed 7-Zip - Rule", "ESCU - Detect Renamed WinRAR - Rule", "ESCU - Suspicious writes to windows Recycle Bin - Rule", "ESCU - Hosts receiving high volume of network traffic from email server - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Email files written outside of the Outlook directory", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Local Email Collection"}]}}, {"name": "Email servers sending high volume traffic to hosts", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Remote Email Collection"}]}}, {"name": "Suspicious writes to System Volume Information", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Detect Renamed 7-Zip", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "Detect Renamed WinRAR", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "Suspicious writes to windows Recycle Bin", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Hosts receiving high volume of network traffic from email server", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Email Collection"}, {"mitre_attack_technique": "Email Collection"}]}}]}, {"name": "Command And Control", "id": "943773c6-c4de-4f38-89a8-0b92f98804d8", "version": 1, "date": "2018-06-01", "author": "Rico Valdez, Splunk", "description": "Detect and investigate tactics, techniques, and procedures leveraged by attackers to establish and operate Command And Control channels. Implants installed by attackers on compromised endpoints use these channels to receive instructions and send data back to the malicious operators.", "narrative": "Threat actors typically architect and implement an infrastructure to use in various ways during the course of their attack campaigns. In some cases, they leverage this infrastructure for scanning and performing reconnaissance activities. In others, they may use this infrastructure to launch actual attacks. One of the most important functions of this infrastructure is to establish servers that will communicate with implants on compromised endpoints. These servers establish a command and control channel that is used to proxy data between the compromised endpoint and the attacker. These channels relay commands from the attacker to the compromised endpoint and the output of those commands back to the attacker.\\\nBecause this communication is so critical for an adversary, they often use techniques designed to hide the true nature of the communications. There are many different techniques used to establish and communicate over these channels. This Analytic Story provides searches that look for a variety of the techniques used for these channels, as well as indications that these channels are active, by examining logs associated with border control devices and network-access control lists.", "references": ["https://attack.mitre.org/wiki/Command_and_Control", "https://searchsecurity.techtarget.com/feature/Command-and-control-servers-The-puppet-masters-that-govern-malware"], "tags": {"name": "Command And Control", "analytic_story": "Command And Control", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "TeamTNT", "Thrip"]}, {"mitre_attack_id": "T1568.002", "mitre_attack_technique": "Domain Generation Algorithms", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "TA551"]}, {"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}, {"mitre_attack_id": "T1095", "mitre_attack_technique": "Non-Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT3", "BITTER", "BackdoorDiplomacy", "FIN6", "HAFNIUM", "Metador", "PLATINUM"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Dragonfly", "Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1071.001", "mitre_attack_technique": "Web Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Confucius", "Dark Caracal", "FIN4", "FIN8", "Gamaredon Group", "HAFNIUM", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "OilRig", "Orangeworm", "Rancor", "Rocke", "Sandworm Team", "Sidewinder", "SilverTerrier", "Stealth Falcon", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "WIRTE", "Windshift", "Wizard Spider"]}], "mitre_attack_tactics": ["Command And Control", "Exfiltration", "Initial Access"], "datamodels": ["Endpoint", "Network_Resolution", "Network_Traffic"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery"]}, "detection_names": ["ESCU - Detect Spike in blocked Outbound Traffic from your AWS - Rule", "ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - Detect Long DNS TXT Record Response - Rule", "ESCU - Detection of DNS Tunnels - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Windows Remote Access Software Hunt - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Detect Large Outbound ICMP Packets - Rule", "ESCU - DNS Query Length Outliers - MLTK - Rule", "ESCU - DNS Query Length With High Standard Deviation - Rule", "ESCU - Excessive DNS Failures - Rule", "ESCU - Multiple Archive Files Http Post Traffic - Rule", "ESCU - Plain HTTP POST Exfiltrated Data - Rule", "ESCU - Prohibited Network Traffic Allowed - Rule", "ESCU - Protocol or Port Mismatch - Rule", "ESCU - TOR Traffic - Rule"], "investigation_names": ["ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - AWS Network ACL Details from ID - Response Task", "ESCU - AWS Network Interface details via resourceId - Response Task", "ESCU - Get All AWS Activity From IP Address - Response Task", "ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get DNS traffic ratio - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task", "ESCU - Get Process Responsible For The DNS Traffic - Response Task"], "baseline_names": ["ESCU - Baseline of blocked outbound traffic from AWS", "ESCU - Baseline of DNS Query Length - MLTK", "ESCU - Count of Unique IPs Connecting to Ports"], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Detect Spike in blocked Outbound Traffic from your AWS", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Clients Connecting to Multiple DNS Servers", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "Detect Long DNS TXT Record Response", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "Detection of DNS Tunnels", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}]}}, {"name": "DNS Exfiltration Using Nslookup App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Excessive Usage of NSLOOKUP App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Windows Remote Access Software Hunt", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Access Software"}]}}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Detect Large Outbound ICMP Packets", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Non-Application Layer Protocol"}]}}, {"name": "DNS Query Length Outliers - MLTK", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "DNS Query Length With High Standard Deviation", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Excessive DNS Failures", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "Multiple Archive Files Http Post Traffic", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Plain HTTP POST Exfiltrated Data", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Prohibited Network Traffic Allowed", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Protocol or Port Mismatch", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "TOR Traffic", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application Layer Protocol"}, {"mitre_attack_technique": "Web Protocols"}]}}]}, {"name": "Compromised User Account", "id": "19669154-e9d1-4a01-b144-e6592a078092", "version": 1, "date": "2023-01-19", "author": "Mauricio Velazco, Bhavin Patel, Splunk", "description": "Monitor for activities and techniques associated with Compromised User Account attacks.", "narrative": "Compromised User Account occurs when cybercriminals gain unauthorized access to accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic storic groups detections that can help security operations teams identify the potential signs of Compromised User Accounts.", "references": ["https://www.proofpoint.com/us/threat-reference/compromised-account"], "tags": {"name": "Compromised User Account", "analytic_story": "Compromised User Account", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1185", "mitre_attack_technique": "Browser Session Hijacking", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}, {"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}], "mitre_attack_tactics": ["Collection", "Credential Access", "Defense Evasion", "Discovery", "Initial Access", "Persistence", "Privilege Escalation", "Resource Development"], "datamodels": ["Authentication", "Change"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"]}, "detection_names": ["ESCU - Abnormally High Number Of Cloud Infrastructure API Calls - Rule", "ESCU - ASL AWS Concurrent Sessions From Different Ips - Rule", "ESCU - ASL AWS New MFA Method Registered For User - Rule", "ESCU - ASL AWS Password Policy Changes - Rule", "ESCU - AWS Concurrent Sessions From Different Ips - Rule", "ESCU - AWS Console Login Failed During MFA Challenge - Rule", "ESCU - AWS High Number Of Failed Authentications For User - Rule", "ESCU - AWS High Number Of Failed Authentications From Ip - Rule", "ESCU - AWS Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - AWS New MFA Method Registered For User - Rule", "ESCU - AWS Password Policy Changes - Rule", "ESCU - AWS Successful Console Authentication From Multiple IPs - Rule", "ESCU - Azure AD Concurrent Sessions From Different Ips - Rule", "ESCU - Azure AD High Number Of Failed Authentications For User - Rule", "ESCU - Azure AD High Number Of Failed Authentications From Ip - Rule", "ESCU - Azure AD New MFA Method Registered For User - Rule", "ESCU - Azure AD Successful Authentication From Different Ips - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Bhavin Patel, Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Abnormally High Number Of Cloud Infrastructure API Calls", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "ASL AWS Concurrent Sessions From Different Ips", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Browser Session Hijacking"}]}}, {"name": "ASL AWS New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}}, {"name": "ASL AWS Password Policy Changes", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "AWS Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Browser Session Hijacking"}]}}, {"name": "AWS Console Login Failed During MFA Challenge", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}}, {"name": "AWS High Number Of Failed Authentications For User", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "AWS High Number Of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "AWS Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "AWS New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}}, {"name": "AWS Password Policy Changes", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "AWS Successful Console Authentication From Multiple IPs", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Azure AD Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Browser Session Hijacking"}]}}, {"name": "Azure AD High Number Of Failed Authentications For User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}]}}, {"name": "Azure AD High Number Of Failed Authentications From Ip", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}, {"mitre_attack_technique": "Password Spraying"}]}}, {"name": "Azure AD New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}}, {"name": "Azure AD Successful Authentication From Different Ips", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}, {"mitre_attack_technique": "Password Spraying"}]}}, {"name": "Detect AWS Console Login by User from New City", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Detect AWS Console Login by User from New Country", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Detect AWS Console Login by User from New Region", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}]}, {"name": "Credential Dumping", "id": "854d78bf-d0e2-4f4e-b05c-640905f86d7a", "version": 3, "date": "2020-02-04", "author": "Rico Valdez, Splunk", "description": "Uncover activity consistent with credential dumping, a technique wherein attackers compromise systems and attempt to obtain and exfiltrate passwords. The threat actors use these pilfered credentials to further escalate privileges and spread throughout a target environment. The included searches in this Analytic Story are designed to identify attempts to credential dumping.", "narrative": "Credential dumping—gathering credentials from a target system, often hashed or encrypted—is a common attack technique. Even though the credentials may not be in plain text, an attacker can still exfiltrate the data and set to cracking it offline, on their own systems. The threat actors target a variety of sources to extract them, including the Security Accounts Manager (SAM), Local Security Authority (LSA), NTDS from Domain Controllers, or the Group Policy Preference (GPP) files.\\\nOnce attackers obtain valid credentials, they use them to move throughout a target network with ease, discovering new systems and identifying assets of interest. Credentials obtained in this manner typically include those of privileged users, which may provide access to more sensitive information and system operations.\\\nThe detection searches in this Analytic Story monitor access to the Local Security Authority Subsystem Service (LSASS) process, the usage of shadowcopies for credential dumping and some other techniques for credential dumping.", "references": ["https://attack.mitre.org/wiki/Technique/T1003", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html"], "tags": {"name": "Credential Dumping", "analytic_story": "Credential Dumping", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1078.003", "mitre_attack_technique": "Local Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "FIN10", "HAFNIUM", "Kimsuky", "PROMETHIUM", "Tropic Trooper", "Turla"]}, {"mitre_attack_id": "T1552.001", "mitre_attack_technique": "Credentials In Files", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "Fox Kitten", "Kimsuky", "Leafminer", "MuddyWater", "OilRig", "TA505", "TeamTNT"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003.006", "mitre_attack_technique": "DCSync", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Earth Lusca", "LAPSUS$"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Execution", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Authentication", "Change", "Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Dump LSASS via procdump Rename - Rule", "ESCU - Unsigned Image Loaded by LSASS - Rule", "ESCU - Access LSASS Memory for Dump Creation - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Create Remote Thread into LSASS - Rule", "ESCU - Creation of lsass Dump with Taskmgr - Rule", "ESCU - Creation of Shadow Copy - Rule", "ESCU - Creation of Shadow Copy with wmic and powershell - Rule", "ESCU - Credential Dumping via Copy Command from Shadow Copy - Rule", "ESCU - Credential Dumping via Symlink to Shadow Copy - Rule", "ESCU - Detect Copy of ShadowCopy with Script Block Logging - Rule", "ESCU - Detect Credential Dumping through LSASS access - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Dump LSASS via procdump - Rule", "ESCU - Enable WDigest UseLogonCredential Registry - Rule", "ESCU - Esentutl SAM Copy - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Potential password in username - Rule", "ESCU - SAM Database File Access Attempt - Rule", "ESCU - SecretDumps Offline NTDS Dumping Tool - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Windows AD Replication Request Initiated by User Account - Rule", "ESCU - Windows AD Replication Request Initiated from Unsanctioned Location - Rule", "ESCU - Windows Credential Dumping LSASS Memory Createdump - Rule", "ESCU - Windows Hunting System Account Targeting Lsass - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Non-System Account Targeting Lsass - Rule", "ESCU - Windows Possible Credential Dumping - Rule"], "investigation_names": ["ESCU - Investigate Failed Logins for Multiple Destinations - Response Task", "ESCU - Investigate Pass the Hash Attempts - Response Task", "ESCU - Investigate Pass the Ticket Attempts - Response Task", "ESCU - Investigate Previous Unseen User - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Dump LSASS via procdump Rename", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}]}}, {"name": "Unsigned Image Loaded by LSASS", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}]}}, {"name": "Access LSASS Memory for Dump Creation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Create Remote Thread into LSASS", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Creation of lsass Dump with Taskmgr", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Creation of Shadow Copy", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Creation of Shadow Copy with wmic and powershell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Credential Dumping via Copy Command from Shadow Copy", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Credential Dumping via Symlink to Shadow Copy", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Detect Copy of ShadowCopy with Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Detect Credential Dumping through LSASS access", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Dump LSASS via procdump", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Enable WDigest UseLogonCredential Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Esentutl SAM Copy", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Potential password in username", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Accounts"}, {"mitre_attack_technique": "Credentials In Files"}]}}, {"name": "SAM Database File Access Attempt", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "SecretDumps Offline NTDS Dumping Tool", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Windows AD Replication Request Initiated by User Account", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DCSync"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows AD Replication Request Initiated from Unsanctioned Location", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DCSync"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Credential Dumping LSASS Memory Createdump", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}]}}, {"name": "Windows Hunting System Account Targeting Lsass", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Non-System Account Targeting Lsass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}]}, {"name": "CVE-2022-40684 Fortinet Appliance Auth bypass", "id": "55721831-577e-41be-beef-bdc03c81486a", "version": 1, "date": "2022-10-14", "author": "Michael Haag, Splunk", "description": "Fortinet recently patched a critical authentication bypass vulnerability in their FortiOS, FortiProxy, and FortiSwitchManager projects CVE-2022-40684.", "narrative": "FortiOS exposes a management web portal that allows a user configure the system. Additionally, a user can SSH into the system which exposes a locked down CLI interface. Any HTTP requests to the management interface of the system that match the conditions above should be cause for concern. An attacker can use this vulnerability to do just about anything they want to the vulnerable system. This includes changing network configurations, adding new users, and initiating packet captures. Note that this is not the only way to exploit this vulnerability and there may be other sets of conditions that work. For instance, a modified version of this exploit uses the User-Agent Node.js. This exploit seems to follow a trend among recently discovered enterprise software vulnerabilities where HTTP headers are improperly validated or overly trusted. (ref Horizon3.ai)", "references": ["https://www.wordfence.com/blog/2022/10/threat-advisory-cve-2022-40684-fortinet-appliance-auth-bypass/", "https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/", "https://github.com/horizon3ai/CVE-2022-40684", "https://attackerkb.com/topics/QWOxGIKkGx/cve-2022-40684/rapid7-analysis", "https://www.greynoise.io/blog/fortios-authentication-bypass"], "tags": {"name": "CVE-2022-40684 Fortinet Appliance Auth bypass", "analytic_story": "CVE-2022-40684 Fortinet Appliance Auth bypass", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Fortinet Appliance Auth bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Fortinet Appliance Auth bypass", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "CVE-2023-21716 Word RTF Heap Corruption", "id": "b1aeaf2c-8496-42e7-b2f7-15c328bc75d9", "version": 1, "date": "2023-03-10", "author": "Michael Haag, Splunk", "description": "A proof-of-concept for CVE-2023-21716, a critical vulnerability in Microsoft Word that allows remote code execution utilizing a heap corruption in rich text files.", "narrative": "This analytic story covers content that will assist organizations in identifying potential RTF RCE abuse on endpoints. The vulnerability was assigned a 9.8 out of 10 severity score, with Microsoft addressing it in the February Patch Tuesday security updates along with a couple of workarounds. Security researcher Joshua Drake last year discovered the vulnerability in Microsoft Office''s \"wwlib.dll\" and sent Microsoft a technical advisory containing proof-of-concept (PoC) code showing the issue is exploitable. A remote attacker could potentially take advantage of the issue to execute code with the same privileges as the victim that opens a malicious .RTF document. Delivering the malicious file to a victim can be as easy as an attachment to an email, although plenty of other methods exist. Microsoft warns that users don''t have to open a malicious RTF document and simply loading the file in the Preview Pane is enough for the compromise to start. (BleepingComputer, 2023)", "references": ["https://www.bleepingcomputer.com/news/security/proof-of-concept-released-for-critical-microsoft-word-rce-bug/"], "tags": {"name": "CVE-2023-21716 Word RTF Heap Corruption", "analytic_story": "CVE-2023-21716 Word RTF Heap Corruption", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Office Application Drop Executable - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Winword Spawning Cmd - Rule", "ESCU - Winword Spawning PowerShell - Rule", "ESCU - Winword Spawning Windows Script Host - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Winword Spawning Cmd", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Winword Spawning PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Winword Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}]}, {"name": "CVE-2023-23397 Outlook Elevation of Privilege", "id": "b459911b-551f-480f-a402-18cf89ca1e9c", "version": 1, "date": "2023-03-15", "author": "Michael Haag, Splunk", "description": "Microsoft has released CVE-2023-23397 to address the critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows.", "narrative": "Microsoft Threat Intelligence discovered limited, targeted abuse of a vulnerability in Microsoft Outlook for Windows that allows for new technology LAN manager (NTLM) credential theft. Microsoft has released CVE-2023-23397 to address the critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows. We strongly recommend all customers update Microsoft Outlook for Windows to remain secure.\\ CVE-2023-23397 is a critical EoP vulnerability in Microsoft Outlook that is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server. No user interaction is required.\\ The connection to the remote SMB server sends the user''s NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication. Online services such as Microsoft 365 do not support NTLM authentication and are not vulnerable to being attacked by these messages. (2023, Microsoft)", "references": ["https://twitter.com/ACEResponder/status/1636116096506818562?s=20", "https://twitter.com/domchell/status/1635999068282408962?s=20", "https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/", "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/"], "tags": {"name": "CVE-2023-23397 Outlook Elevation of Privilege", "analytic_story": "CVE-2023-23397 Outlook Elevation of Privilege", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}], "mitre_attack_tactics": ["Exfiltration"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Actions on Objectives"]}, "detection_names": ["ESCU - Windows Rundll32 WebDAV Request - Rule", "ESCU - Windows Rundll32 WebDav With Network Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Rundll32 WebDAV Request", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "Windows Rundll32 WebDav With Network Connection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}]}, {"name": "CyclopsBLink", "id": "7c75b1c8-dfff-46f1-8250-e58df91b6fd9", "version": 1, "date": "2022-04-07", "author": "Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the cyclopsblink malware including firewall modification, spawning more process, botnet c2 communication, defense evasion and etc. Cyclops Blink is a Linux ELF executable compiled for 32-bit x86 and PowerPC architecture that has targeted several network devices. The complete list of targeted devices is unknown at this time, but WatchGuard FireBox has specifically been listed as a target. The modular malware consists of core components and modules that are deployed as child processes using the Linux API fork. At this point, four modules have been identified that download and upload files, gather system information and contain updating mechanisms for the malware itself. Additional modules can be downloaded and executed from the Command And Control (C2) server.", "narrative": "Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.", "references": ["https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html"], "tags": {"name": "CyclopsBLink", "analytic_story": "Cyclops BLink", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1036.004", "mitre_attack_technique": "Masquerade Task or Service", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT41", "BITTER", "BackdoorDiplomacy", "Carbanak", "FIN6", "FIN7", "Fox Kitten", "Higaisa", "Kimsuky", "Lazarus Group", "Magic Hound", "Naikon", "PROMETHIUM", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Linux Iptables Firewall Modification - Rule", "ESCU - Linux Kworker Process In Writable Process Path - Rule", "ESCU - Linux Stdout Redirection To Dev Null File - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Iptables Firewall Modification", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Linux Kworker Process In Writable Process Path", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerade Task or Service"}, {"mitre_attack_technique": "Masquerading"}]}}, {"name": "Linux Stdout Redirection To Dev Null File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}]}, {"name": "DarkCrystal RAT", "id": "639e6006-0885-4847-9394-ddc2902629bf", "version": 1, "date": "2022-07-26", "author": "Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the DcRat malware including ddos, spawning more process, botnet c2 communication, defense evasion and etc. The DcRat malware is known commercial backdoor that was first released in 2018. This tool was sold in underground forum and known to be one of the cheapest commercial RATs. DcRat is modular and bespoke plugin framework make it a very flexible option, helpful for a range of nefearious uses.", "narrative": "Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.", "references": ["https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor", "https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat"], "tags": {"name": "DarkCrystal RAT", "analytic_story": "DarkCrystal RAT", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1592.001", "mitre_attack_technique": "Hardware", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1590.005", "mitre_attack_technique": "IP Addresses", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["Andariel", "HAFNIUM", "Magic Hound"]}, {"mitre_attack_id": "T1590", "mitre_attack_technique": "Gather Victim Network Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["HAFNIUM"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1124", "mitre_attack_technique": "System Time Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Darkhotel", "Higaisa", "Lazarus Group", "Sidewinder", "The White Company", "Turla", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Command And Control", "Defense Evasion", "Discovery", "Execution", "Impact", "Initial Access", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Windows Command Shell DCRat ForkBomb Payload - Rule", "ESCU - Windows Gather Victim Host Information Camera - Rule", "ESCU - Windows Gather Victim Network Info Through Ip Check Web Services - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows Ingress Tool Transfer Using Explorer - Rule", "ESCU - Windows System LogOff Commandline - Rule", "ESCU - Windows System Reboot CommandLine - Rule", "ESCU - Windows System Shutdown CommandLine - Rule", "ESCU - Windows System Time Discovery W32tm Delay - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - Winword Spawning Cmd - Rule", "ESCU - Winword Spawning PowerShell - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows Command Shell DCRat ForkBomb Payload", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Gather Victim Host Information Camera", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hardware"}, {"mitre_attack_technique": "Gather Victim Host Information"}]}}, {"name": "Windows Gather Victim Network Info Through Ip Check Web Services", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "IP Addresses"}, {"mitre_attack_technique": "Gather Victim Network Information"}]}}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows Ingress Tool Transfer Using Explorer", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Windows System LogOff Commandline", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}}, {"name": "Windows System Reboot CommandLine", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}}, {"name": "Windows System Shutdown CommandLine", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}}, {"name": "Windows System Time Discovery W32tm Delay", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Time Discovery"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Winword Spawning Cmd", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Winword Spawning PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}]}, {"name": "Data Destruction", "id": "4ae5c0d1-cebd-47d1-bfce-71bf096e38aa", "version": 1, "date": "2023-04-06", "author": "Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the data destruction, including deleting files, overwriting files, wiping disk and unrecoverable file encryption. This analytic story may cover several known activities related to malware implants used in geo-political war to wipe disks or files to interrupt the network-wide operation of a targeted organization. Analytics can detect the behavior of \"DoubleZero Destructor\", \"CaddyWiper\", \"AcidRain\", \"AwfulShred\", \"Hermetic Wiper\", \"Swift Slicer\", \"Whisper Gate\" and many more.", "narrative": "Adversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface or using 3rd party drivers to directly access disk content like Master Boot Record to wipe it. Some of these attacks were seen in geo-political war to impair the operation of targeted organizations or to interrupt network-wide services.", "references": ["https://attack.mitre.org/techniques/T1485/", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/", "https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware", "https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html", "https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html", "https://www.splunk.com/en_us/blog/security/threat-update-doublezero-destructor.html", "https://www.splunk.com/en_us/blog/security/threat-update-caddywiper.html", "https://www.splunk.com/en_us/blog/security/strt-ta03-cpe-destructive-software.html", "https://www.splunk.com/en_us/blog/security/threat-update-cyclopsblink.html", "https://www.splunk.com/en_us/blog/security/threat-update-acidrain-wiper.html", "https://www.splunk.com/en_us/blog/security/threat-update-industroyer2.html", "https://www.splunk.com/en_us/blog/security/threat-advisory-swiftslicer-wiper-strt-ta03.html"], "tags": {"name": "Data Destruction", "analytic_story": "Data Destruction", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1547.014", "mitre_attack_technique": "Active Setup", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "Rocke"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1200", "mitre_attack_technique": "Hardware Additions", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["DarkVishnya"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1059.004", "mitre_attack_technique": "Unix Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT41", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Rocke"]}, {"mitre_attack_id": "T1037.001", "mitre_attack_technique": "Logon Script (Windows)", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "Cobalt Group"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Earth Lusca", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.008", "mitre_attack_technique": "Accessibility Features", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT3", "APT41", "Axiom", "Deep Panda", "Fox Kitten"]}, {"mitre_attack_id": "T1497", "mitre_attack_technique": "Virtualization/Sandbox Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["Darkhotel"]}, {"mitre_attack_id": "T1497.003", "mitre_attack_technique": "Time Based Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1027.005", "mitre_attack_technique": "Indicator Removal from Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT3", "Deep Panda", "GALLIUM", "OilRig", "Patchwork", "TEMP.Veles", "Turla"]}, {"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["TEMP.Veles"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1134.001", "mitre_attack_technique": "Token Impersonation/Theft", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "FIN8"]}, {"mitre_attack_id": "T1546.002", "mitre_attack_technique": "Screensaver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.003", "mitre_attack_technique": "Time Providers", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1588.002", "mitre_attack_technique": "Tool", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT19", "APT28", "APT29", "APT32", "APT33", "APT38", "APT39", "APT41", "Aoqin Dragon", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Carbanak", "Chimera", "Cleaver", "Cobalt Group", "CopyKittens", "DarkHydrus", "DarkVishnya", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN5", "FIN6", "Ferocious Kitten", "GALLIUM", "Gorgon Group", "HEXANE", "Inception", "IndigoZebra", "Ke3chang", "Kimsuky", "LAPSUS$", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "Metador", "Moses Staff", "MuddyWater", "POLONIUM", "Patchwork", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "TA505", "TEMP.Veles", "Threat Group-3390", "Thrip", "Turla", "WIRTE", "Whitefly", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134.004", "mitre_attack_technique": "Parent PID Spoofing", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance", "Resource Development"], "datamodels": ["Email", "Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation", "Installation", "Reconnaissance", "Weaponization"]}, "detection_names": ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - AdsiSearcher Account Discovery - Rule", "ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Child Processes of Spoolsv exe - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Detect Empire with PowerShell Script Block Logging - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Excessive File Deletion In WinDefender Folder - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux Data Destruction Command - Rule", "ESCU - Linux DD File Overwrite - Rule", "ESCU - Linux Deleting Critical Directory Using RM Command - Rule", "ESCU - Linux Deletion Of Cron Jobs - Rule", "ESCU - Linux Deletion Of Init Daemon Script - Rule", "ESCU - Linux Deletion Of Services - Rule", "ESCU - Linux Disable Services - Rule", "ESCU - Linux Hardware Addition SwapOff - Rule", "ESCU - Linux High Frequency Of File Deletion In Boot Folder - Rule", "ESCU - Linux High Frequency Of File Deletion In Etc Folder - Rule", "ESCU - Linux Impair Defenses Process Kill - Rule", "ESCU - Linux Indicator Removal Clear Cache - Rule", "ESCU - Linux Indicator Removal Service File Deletion - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Stdout Redirection To Dev Null File - Rule", "ESCU - Linux Stop Services - Rule", "ESCU - Linux System Network Discovery - Rule", "ESCU - Linux System Reboot Via System Request Key - Rule", "ESCU - Linux Unix Shell Enable All SysRq Functions - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process With Obfuscation Techniques - Rule", "ESCU - MSI Module Loaded by Non-System Binary - Rule", "ESCU - Overwriting Accessibility Binaries - Rule", "ESCU - Ping Sleep Batch Command - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - PowerShell Domain Enumeration - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Powershell Fileless Process Injection via GetProcAddress - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Powershell Remove Windows Defender Directory - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Runas Execution in CommandLine - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Process With Discord DNS Query - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Unloading AMSI via Reflection - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Data Destruction Recursive Exec Files Deletion - Rule", "ESCU - Windows Deleted Registry By A Non Critical Process File Path - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows File Without Extension In Critical Folder - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows Linked Policies In ADSI Discovery - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows NirSoft Utilities - Rule", "ESCU - Windows Processes Killed By Industroyer2 Malware - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows Root Domain linked policies Discovery - Rule", "ESCU - Windows Terminating Lsass Process - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - WMI Recon Running Process Or Services - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Email Attachments With Lots Of Spaces", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Suspicious Email Attachment Extensions", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Active Setup Registry Autostart", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Active Setup"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "AdsiSearcher Account Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Child Processes of Spoolsv exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Detect Empire with PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Blocking"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Excessive File Deletion In WinDefender Folder", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Kerberoasting spn request with RC4 encryption", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Data Destruction Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux DD File Overwrite", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Deleting Critical Directory Using RM Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Deletion Of Cron Jobs", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Deletion Of Init Daemon Script", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Deletion Of Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Disable Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Linux Hardware Addition SwapOff", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hardware Additions"}]}}, {"name": "Linux High Frequency Of File Deletion In Boot Folder", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux High Frequency Of File Deletion In Etc Folder", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Impair Defenses Process Kill", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Linux Indicator Removal Clear Cache", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Indicator Removal Service File Deletion", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Java Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Stdout Redirection To Dev Null File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Linux Stop Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Linux System Network Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}]}}, {"name": "Linux System Reboot Via System Request Key", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}}, {"name": "Linux Unix Shell Enable All SysRq Functions", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unix Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Logon Script Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Boot or Logon Initialization Scripts"}, {"mitre_attack_technique": "Logon Script (Windows)"}]}}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Malicious PowerShell Process With Obfuscation Techniques", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "MSI Module Loaded by Non-System Binary", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Overwriting Accessibility Binaries", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Accessibility Features"}]}}, {"name": "Ping Sleep Batch Command", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Virtualization/Sandbox Evasion"}, {"mitre_attack_technique": "Time Based Evasion"}]}}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Remote Management"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "MMC"}]}}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "PowerShell Domain Enumeration", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Enable SMB1Protocol Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Indicator Removal from Tools"}]}}, {"name": "Powershell Execute COM Object", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Component Object Model Hijacking"}, {"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Fileless Process Injection via GetProcAddress", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Remove Windows Defender Directory", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Powershell Using memory As Backing Store", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Print Processor Registry Autostart", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Process Deleting Its Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Image File Execution Options Injection"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Runas Execution in CommandLine", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Access Token Manipulation"}, {"mitre_attack_technique": "Token Impersonation/Theft"}]}}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Screensaver"}]}}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Process With Discord DNS Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Time Providers"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Unloading AMSI via Reflection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Windows Data Destruction Recursive Exec Files Deletion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows Deleted Registry By A Non Critical Process File Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable Memory Crash Dump", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows File Without Extension In Critical Folder", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows Linked Policies In ADSI Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows NirSoft AdvancedRun", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Tool"}]}}, {"name": "Windows NirSoft Utilities", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Tool"}]}}, {"name": "Windows Processes Killed By Industroyer2 Malware", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "Windows Root Domain linked policies Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Windows Terminating Lsass Process", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "WMI Recon Running Process Or Services", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}]}, {"name": "Data Exfiltration", "id": "66b0fe0c-1351-11eb-adc1-0242ac120002", "version": 2, "date": "2023-05-17", "author": "Bhavin Patel, Shannon Davis, Splunk", "description": "Data exfiltration refers to the unauthorized transfer or extraction of sensitive or valuable data from a compromised system or network during a cyber attack. It is a critical phase in many targeted attacks, where adversaries aim to steal confidential information, such as intellectual property, financial records, personal data, or trade secrets.", "narrative": "This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) leveraged by adversaries to exfiltrate data from your environments. Exfiltration comes in many flavors and its done differently on every environment. Adversaries can collect data over encrypted or non-encrypted channels. They can utilise Command And Control channels that are already in place to exfiltrate data. They can use both standard data transfer protocols such as FTP, SCP, etc to exfiltrate data. Or they can use non-standard protocols such as DNS, ICMP, etc with specially crafted fields to try and circumvent security technologies in place.\\\nTechniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission. In context of the cloud, this refers to the unauthorized transfer or extraction of sensitive data from cloud-based systems or services. It involves the compromise of cloud infrastructure or accounts to gain access to valuable information stored in the cloud environment. Attackers may employ various techniques, such as exploiting vulnerabilities, stealing login credentials, or using malicious code to exfiltrate data from cloud repositories or services without detection.", "references": ["https://attack.mitre.org/tactics/TA0010/", "https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436", "https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a"], "tags": {"name": "Data Exfiltration", "analytic_story": "Data Exfiltration", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1119", "mitre_attack_technique": "Automated Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "Chimera", "Confucius", "FIN5", "FIN6", "Gamaredon Group", "Ke3chang", "Mustang Panda", "OilRig", "Patchwork", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1114.003", "mitre_attack_technique": "Email Forwarding Rule", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Kimsuky", "LAPSUS$", "Silent Librarian"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1114.001", "mitre_attack_technique": "Local Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "Chimera", "Magic Hound"]}, {"mitre_attack_id": "T1568.002", "mitre_attack_technique": "Domain Generation Algorithms", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "TA551"]}, {"mitre_attack_id": "T1041", "mitre_attack_technique": "Exfiltration Over C2 Channel", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Chimera", "Confucius", "GALLIUM", "Gamaredon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "LuminousMoth", "MuddyWater", "Sandworm Team", "Stealth Falcon", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Exfiltration", "Impact", "Initial Access"], "datamodels": ["Endpoint", "Network_Resolution", "Risk"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - AWS AMI Atttribute Modification for Exfiltration - Rule", "ESCU - AWS Disable Bucket Versioning - Rule", "ESCU - AWS EC2 Snapshot Shared Externally - Rule", "ESCU - AWS Exfiltration via Anomalous GetObject API Activity - Rule", "ESCU - AWS Exfiltration via Batch Service - Rule", "ESCU - AWS Exfiltration via Bucket Replication - Rule", "ESCU - AWS Exfiltration via DataSync Task - Rule", "ESCU - AWS Exfiltration via EC2 Snapshot - Rule", "ESCU - AWS S3 Exfiltration Behavior Identified - Rule", "ESCU - Gdrive suspicious file sharing - Rule", "ESCU - O365 PST export alert - Rule", "ESCU - O365 Suspicious Admin Email Forwarding - Rule", "ESCU - O365 Suspicious User Email Forwarding - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Linux Curl Upload File - Rule", "ESCU - Mailsniper Invoke functions - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect SNICat SNI Exfiltration - Rule", "ESCU - Multiple Archive Files Http Post Traffic - Rule", "ESCU - Plain HTTP POST Exfiltrated Data - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Shannon Davis, Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS AMI Atttribute Modification for Exfiltration", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "AWS Disable Bucket Versioning", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "AWS EC2 Snapshot Shared Externally", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "AWS Exfiltration via Anomalous GetObject API Activity", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Automated Collection"}]}}, {"name": "AWS Exfiltration via Batch Service", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Automated Collection"}]}}, {"name": "AWS Exfiltration via Bucket Replication", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "AWS Exfiltration via DataSync Task", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Automated Collection"}]}}, {"name": "AWS Exfiltration via EC2 Snapshot", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "AWS S3 Exfiltration Behavior Identified", "source": "cloud", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "Gdrive suspicious file sharing", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}]}}, {"name": "O365 PST export alert", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Email Collection"}]}}, {"name": "O365 Suspicious Admin Email Forwarding", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Email Forwarding Rule"}, {"mitre_attack_technique": "Email Collection"}]}}, {"name": "O365 Suspicious User Email Forwarding", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Email Forwarding Rule"}, {"mitre_attack_technique": "Email Collection"}]}}, {"name": "DNS Exfiltration Using Nslookup App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Excessive Usage of NSLOOKUP App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Linux Curl Upload File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Mailsniper Invoke functions", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Local Email Collection"}]}}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}}, {"name": "Detect SNICat SNI Exfiltration", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over C2 Channel"}]}}, {"name": "Multiple Archive Files Http Post Traffic", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Plain HTTP POST Exfiltrated Data", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}]}, {"name": "Data Protection", "id": "91c676cf-0b23-438d-abee-f6335e1fce33", "version": 1, "date": "2017-09-14", "author": "Bhavin Patel, Splunk", "description": "Fortify your data-protection arsenal--while continuing to ensure data confidentiality and integrity--with searches that monitor for and help you investigate possible signs of data exfiltration.", "narrative": "Attackers can leverage a variety of resources to compromise or exfiltrate enterprise data. Common exfiltration techniques include remote-access channels via low-risk, high-payoff active-collections operations and close-access operations using insiders and removable media. While this Analytic Story is not a comprehensive listing of all the methods by which attackers can exfiltrate data, it provides a useful starting point.", "references": ["https://www.cisecurity.org/controls/data-protection/", "https://www.sans.org/reading-room/whitepapers/dns/splunk-detect-dns-tunneling-37022", "https://umbrella.cisco.com/blog/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/"], "tags": {"name": "Data Protection", "analytic_story": "Data Protection", "category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}], "mitre_attack_tactics": ["Exfiltration", "Initial Access"], "datamodels": ["Change", "Change_Analysis", "Network_Resolution"], "kill_chain_phases": ["Actions on Objectives", "Delivery"]}, "detection_names": ["ESCU - Detect USB device insertion - Rule", "ESCU - Detection of DNS Tunnels - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule"], "investigation_names": ["ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get DNS traffic ratio - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Responsible For The DNS Traffic - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect USB device insertion", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Detection of DNS Tunnels", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}]}, {"name": "Deobfuscate-Decode Files or Information", "id": "0bd01a54-8cbe-11eb-abcd-acde48001122", "version": 1, "date": "2021-03-24", "author": "Michael Haag, Splunk", "description": "Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis.", "narrative": "An example of obfuscated files is `Certutil.exe` usage to encode a portable executable to a certificate file, which is base64 encoded, to hide the originating file. There are many utilities cross-platform to encode using XOR, using compressed .cab files to hide contents and scripting languages that may perform similar native Windows tasks. Triaging an event related will require the capability to review related process events and file modifications. Using a tool such as CyberChef will assist with identifying the encoding that was used, and potentially assist with decoding the contents.", "references": ["https://attack.mitre.org/techniques/T1140/"], "tags": {"name": "Deobfuscate-Decode Files or Information", "analytic_story": "Deobfuscate-Decode Files or Information", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1140", "mitre_attack_technique": "Deobfuscate/Decode Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT39", "BRONZE BUTLER", "Darkhotel", "Earth Lusca", "Gamaredon Group", "Gorgon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Molerats", "MuddyWater", "OilRig", "Rocke", "Sandworm Team", "TA505", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "WIRTE", "ZIRCONIUM", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - CertUtil With Decode Argument - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil With Decode Argument", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Deobfuscate/Decode Files or Information"}]}}]}, {"name": "AWS Cryptomining", "id": "ced74200-8465-4bc3-bd2c-9a782eec6750", "version": 1, "date": "2018-03-08", "author": "David Dorsey, Splunk", "description": "Monitor your AWS EC2 instances for activities related to cryptojacking/cryptomining. New instances that originate from previously unseen regions, users who launch abnormally high numbers of instances, or EC2 instances started by previously unseen users are just a few examples of potentially malicious behavior.", "narrative": "Cryptomining is an intentionally difficult, resource-intensive business. Its complexity was designed into the process to ensure that the number of blocks mined each day would remain steady. So, it's par for the course that ambitious, but unscrupulous, miners make amassing the computing power of large enterprises--a practice known as cryptojacking--a top priority. \\\nCryptojacking has attracted an increasing amount of media attention since its explosion in popularity in the fall of 2017. The attacks have moved from in-browser exploits and mobile phones to enterprise cloud services, such as Amazon Web Services (AWS). It's difficult to determine exactly how widespread the practice has become, since bad actors continually evolve their ability to escape detection, including employing unlisted endpoints, moderating their CPU usage, and hiding the mining pool's IP address behind a free CDN. \\\nWhen malicious miners appropriate a cloud instance, often spinning up hundreds of new instances, the costs can become astronomical for the account holder. So, it is critically important to monitor your systems for suspicious activities that could indicate that your network has been infiltrated. \\\nThis Analytic Story is focused on detecting suspicious new instances in your EC2 environment to help prevent such a disaster. It contains detection searches that will detect when a previously unused instance type or AMI is used. It also contains support searches to build lookup files to ensure proper execution of the detection searches.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "tags": {"name": "AWS Cryptomining", "analytic_story": "AWS Cryptomining", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": [], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Abnormally High AWS Instances Launched by User - Rule", "ESCU - Abnormally High AWS Instances Launched by User - MLTK - Rule", "ESCU - EC2 Instance Started In Previously Unseen Region - Rule", "ESCU - EC2 Instance Started With Previously Unseen AMI - Rule", "ESCU - EC2 Instance Started With Previously Unseen Instance Type - Rule", "ESCU - EC2 Instance Started With Previously Unseen User - Rule"], "investigation_names": ["ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - Get EC2 Instance Details by instanceId - Response Task", "ESCU - Get EC2 Launch Details - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Investigate AWS activities via region name - Response Task"], "baseline_names": ["ESCU - Baseline of Excessive AWS Instances Launched by User - MLTK", "ESCU - Previously Seen EC2 AMIs", "ESCU - Previously Seen EC2 Instance Types", "ESCU - Previously Seen EC2 Launches By User", "ESCU - Previously Seen AWS Regions"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Abnormally High AWS Instances Launched by User", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "Abnormally High AWS Instances Launched by User - MLTK", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "EC2 Instance Started In Previously Unseen Region", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "EC2 Instance Started With Previously Unseen AMI", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "EC2 Instance Started With Previously Unseen Instance Type", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "EC2 Instance Started With Previously Unseen User", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}]}, {"name": "AWS Suspicious Provisioning Activities", "id": "3338b567-3804-4261-9889-cf0ca4753c7f", "version": 1, "date": "2018-03-16", "author": "David Dorsey, Splunk", "description": "Monitor your AWS provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your network.", "narrative": "Because most enterprise AWS activities originate from familiar geographic locations, monitoring for activity from unknown or unusual regions is an important security measure. This indicator can be especially useful in environments where it is impossible to add specific IPs to an allow list because they vary. \\\nThis Analytic Story was designed to provide you with flexibility in the precision you employ in specifying legitimate geographic regions. It can be as specific as an IP address or a city, or as broad as a region (think state) or an entire country. By determining how precise you want your geographical locations to be and monitoring for new locations that haven't previously accessed your environment, you can detect adversaries as they begin to probe your environment. Since there are legitimate reasons for activities from unfamiliar locations, this is not a standalone indicator. Nevertheless, location can be a relevant piece of information that you may wish to investigate further.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "tags": {"name": "AWS Suspicious Provisioning Activities", "analytic_story": "AWS Suspicious Provisioning Activities", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": [], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - AWS Cloud Provisioning From Previously Unseen City - Rule", "ESCU - AWS Cloud Provisioning From Previously Unseen Country - Rule", "ESCU - AWS Cloud Provisioning From Previously Unseen IP Address - Rule", "ESCU - AWS Cloud Provisioning From Previously Unseen Region - Rule"], "investigation_names": ["ESCU - AWS Investigate Security Hub alerts by dest - Response Task", "ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - Get All AWS Activity From City - Response Task", "ESCU - Get All AWS Activity From Country - Response Task", "ESCU - Get All AWS Activity From IP Address - Response Task", "ESCU - Get All AWS Activity From Region - Response Task"], "baseline_names": ["ESCU - Previously Seen AWS Provisioning Activity Sources"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "AWS Cloud Provisioning From Previously Unseen City", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "AWS Cloud Provisioning From Previously Unseen Country", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "AWS Cloud Provisioning From Previously Unseen IP Address", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "AWS Cloud Provisioning From Previously Unseen Region", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}]}, {"name": "Common Phishing Frameworks", "id": "9a64ab44-9214-4639-8163-7eaa2621bd61", "version": 1, "date": "2019-04-29", "author": "Splunk Research Team, Splunk", "description": "Detect DNS and web requests to fake websites generated by the EvilGinx2 toolkit. These websites are designed to fool unwitting users who have clicked on a malicious link in a phishing email. ", "narrative": "As most people know, these emails use fraudulent domains, [email scraping](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), familiar contact names inserted as senders, and other tactics to lure targets into clicking a malicious link, opening an attachment with a [nefarious payload](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), or entering sensitive personal information that perpetrators may intercept. This attack technique requires a relatively low level of skill and allows adversaries to easily cast a wide net. Because phishing is a technique that relies on human psychology, you will never be able to eliminate this vulnerability 100%. But you can use automated detection to significantly reduce the risks.\\\nThis Analytic Story focuses on detecting signs of MiTM attacks enabled by [EvilGinx2](https://github.com/kgretzky/evilginx2), a toolkit that sets up a transparent proxy between the targeted site and the user. In this way, the attacker is able to intercept credentials and two-factor identification tokens. It employs a proxy template to allow a registered domain to impersonate targeted sites, such as Linkedin, Amazon, Okta, Github, Twitter, Instagram, Reddit, Office 365, and others. It can even register SSL certificates and camouflage them via a URL shortener, making them difficult to detect. Searches in this story look for signs of MiTM attacks enabled by EvilGinx2.", "references": ["https://github.com/kgretzky/evilginx2", "https://attack.mitre.org/techniques/T1192/", "https://breakdev.org/evilginx-advanced-phishing-with-two-factor-authentication-bypass/"], "tags": {"name": "Common Phishing Frameworks", "analytic_story": "Common Phishing Frameworks", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.003", "mitre_attack_technique": "Spearphishing via Service", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT29", "Ajax Security Team", "CURIUM", "Dark Caracal", "EXOTIC LILY", "FIN6", "Lazarus Group", "Magic Hound", "OilRig", "Windshift"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Network_Resolution", "Web"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Detect DNS requests to Phishing Sites leveraging EvilGinx2 - Rule"], "investigation_names": ["ESCU - Get Certificate logs for a domain - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Splunk Research Team", "detections": [{"name": "Detect DNS requests to Phishing Sites leveraging EvilGinx2", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing via Service"}]}}]}, {"name": "Container Implantation Monitoring and Investigation", "id": "aa0e28b1-0521-4b6f-9d2a-7b87e34af246", "version": 1, "date": "2020-02-20", "author": "Rod Soto, Rico Valdez, Splunk", "description": "Use the searches in this story to monitor your Kubernetes registry repositories for upload, and deployment of potentially vulnerable, backdoor, or implanted containers. These searches provide information on source users, destination path, container names and repository names. The searches provide context to address Mitre T1525 which refers to container implantation upload to a company's repository either in Amazon Elastic Container Registry, Google Container Registry and Azure Container Registry.", "narrative": "Container Registrys provide a way for organizations to keep customized images of their development and infrastructure environment in private. However if these repositories are misconfigured or priviledge users credentials are compromise, attackers can potentially upload implanted containers which can be deployed across the organization. These searches allow operator to monitor who, when and what was uploaded to container registry.", "references": ["https://github.com/splunk/cloud-datamodel-security-research"], "tags": {"name": "Container Implantation Monitoring and Investigation", "analytic_story": "Container Implantation Monitoring and Investigation", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": [], "investigation_names": [], "baseline_names": [], "author_company": "Rico Valdez, Splunk", "author_name": "Rod Soto", "detections": []}, {"name": "Host Redirection", "id": "2e8948a5-5239-406b-b56b-6c50fe268af4", "version": 1, "date": "2017-09-14", "author": "Rico Valdez, Splunk", "description": "Detect evidence of tactics used to redirect traffic from a host to a destination other than the one intended--potentially one that is part of an adversary's attack infrastructure. An example is redirecting communications regarding patches and updates or misleading users into visiting a malicious website.", "narrative": "Attackers will often attempt to manipulate client communications for nefarious purposes. In some cases, an attacker may endeavor to modify a local host file to redirect communications with resources (such as antivirus or system-update services) to prevent clients from receiving patches or updates. In other cases, an attacker might use this tactic to have the client connect to a site that looks like the intended site, but instead installs malware or collects information from the victim. Additionally, an attacker may redirect a victim in order to execute a MITM attack and observe communications.", "references": ["https://blog.malwarebytes.com/cybercrime/2016/09/hosts-file-hijacks/"], "tags": {"name": "Host Redirection", "analytic_story": "Host Redirection", "category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}], "mitre_attack_tactics": ["Command And Control", "Exfiltration"], "datamodels": ["Endpoint", "Network_Resolution"], "kill_chain_phases": ["Actions on Objectives", "Command And Control"]}, "detection_names": ["ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule", "ESCU - Windows hosts file modification - Rule"], "investigation_names": ["ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Clients Connecting to Multiple DNS Servers", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}]}}, {"name": "Windows hosts file modification", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Kubernetes Sensitive Role Activity", "id": "8b3984d2-17b6-47e9-ba43-a3376e70fdcc", "version": 1, "date": "2020-05-20", "author": "Rod Soto, Splunk", "description": "This story addresses detection and response around Sensitive Role usage within a Kubernetes clusters against cluster resources and namespaces.", "narrative": "Kubernetes is the most used container orchestration platform, this orchestration platform contains sensitive roles within its architecture, specifically configmaps and secrets, if accessed by an attacker can lead to further compromise. These searches allow operator to detect suspicious requests against Kubernetes role activities", "references": ["https://www.splunk.com/en_us/blog/security/approaching-kubernetes-security-detecting-kubernetes-scan-with-splunk.html"], "tags": {"name": "Kubernetes Sensitive Role Activity", "analytic_story": "Kubernetes Sensitive Role Activity", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Kubernetes AWS detect most active service accounts by pod - Rule", "ESCU - Kubernetes AWS detect RBAC authorization by account - Rule", "ESCU - Kubernetes AWS detect sensitive role access - Rule", "ESCU - Kubernetes Azure active service accounts by pod namespace - Rule", "ESCU - Kubernetes Azure detect RBAC authorization by account - Rule", "ESCU - Kubernetes Azure detect sensitive role access - Rule", "ESCU - Kubernetes GCP detect most active service accounts by pod - Rule", "ESCU - Kubernetes GCP detect RBAC authorizations by account - Rule", "ESCU - Kubernetes GCP detect sensitive role access - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "Kubernetes AWS detect most active service accounts by pod", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes AWS detect RBAC authorization by account", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes AWS detect sensitive role access", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes Azure active service accounts by pod namespace", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes Azure detect RBAC authorization by account", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes Azure detect sensitive role access", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes GCP detect most active service accounts by pod", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes GCP detect RBAC authorizations by account", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes GCP detect sensitive role access", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Lateral Movement", "id": "399d65dc-1f08-499b-a259-abd9051f38ad", "version": 2, "date": "2020-02-04", "author": "David Dorsey, Splunk", "description": " DEPRECATED IN FAVOR OF ACTIVE DIRECTORY LATERAL MOVEMENT. Detect and investigate tactics, techniques, and procedures around how attackers move laterally within the enterprise. Because lateral movement can expose the adversary to detection, it should be an important focus for security analysts.", "narrative": "Once attackers gain a foothold within an enterprise, they will seek to expand their accesses and leverage techniques that facilitate lateral movement. Attackers will often spend quite a bit of time and effort moving laterally. Because lateral movement renders an attacker the most vulnerable to detection, it's an excellent focus for detection and investigation. Indications of lateral movement can include the abuse of system utilities (such as `psexec.exe`), unauthorized use of remote desktop services, `file/admin$` shares, WMI, PowerShell, pass-the-hash, or the abuse of scheduled tasks. Organizations must be extra vigilant in detecting lateral movement techniques and look for suspicious activity in and around high-value strategic network assets, such as Active Directory, which are often considered the primary target or \"crown jewels\" to a persistent threat actor. An adversary can use lateral movement for multiple purposes, including remote execution of tools, pivoting to additional systems, obtaining access to specific information or files, access to additional credentials, exfiltrating data, or delivering a secondary effect. Adversaries may use legitimate credentials alongside inherent network and operating-system functionality to remotely connect to other systems and remain under the radar of network defenders. If there is evidence of lateral movement, it is imperative for analysts to collect evidence of the associated offending hosts. For example, an attacker might leverage host A to gain access to host B. From there, the attacker may try to move laterally to host C. In this example, the analyst should gather as much information as possible from all three hosts. It is also important to collect authentication logs for each host, to ensure that the offending accounts are well-documented. Analysts should account for all processes to ensure that the attackers did not install unauthorized software.", "references": ["https://www.fireeye.com/blog/executive-perspective/2015/08/malware_lateral_move.html"], "tags": {"name": "Lateral Movement", "analytic_story": "Lateral Movement", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": [], "investigation_names": ["ESCU - Get History Of Email Sources - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": []}, {"name": "Monitor Backup Solution", "id": "abe807c7-1eb6-4304-ac32-6e7aacdb891d", "version": 1, "date": "2017-09-12", "author": "David Dorsey, Splunk", "description": "Address common concerns when monitoring your backup processes. These searches can help you reduce risks from ransomware, device theft, or denial of physical access to a host by backing up data on endpoints.", "narrative": "Having backups is a standard best practice that helps ensure continuity of business operations. Having mature backup processes can also help you reduce the risks of many security-related incidents and streamline your response processes. The detection searches in this Analytic Story will help you identify systems that have backup failures, as well as systems that have not been backed up for an extended period of time. The story will also return the notable event history and all of the backup logs for an endpoint.", "references": ["https://www.carbonblack.com/2016/03/04/tracking-locky-ransomware-using-carbon-black/"], "tags": {"name": "Monitor Backup Solution", "analytic_story": "Monitor Backup Solution", "category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Compliance", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Extended Period Without Successful Netbackup Backups - Rule", "ESCU - Unsuccessful Netbackup backups - Rule"], "investigation_names": ["ESCU - All backup logs for host - Response Task", "ESCU - Get Notable History - Response Task"], "baseline_names": ["ESCU - Monitor Successful Backups", "ESCU - Monitor Unsuccessful Backups"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Extended Period Without Successful Netbackup Backups", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Unsuccessful Netbackup backups", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Monitor for Unauthorized Software", "id": "8892a655-6205-43f7-abba-06460e38c8ae", "version": 1, "date": "2017-09-15", "author": "David Dorsey, Splunk", "description": "Identify and investigate prohibited/unauthorized software or processes that may be concealing malicious behavior within your environment. ", "narrative": "It is critical to identify unauthorized software and processes running on enterprise endpoints and determine whether they are likely to be malicious. This Analytic Story requires the user to populate the Interesting Processes table within Enterprise Security with prohibited processes. An included support search will augment this data, adding information on processes thought to be malicious. This search requires data from endpoint detection-and-response solutions, endpoint data sources (such as Sysmon), or Windows Event Logs--assuming that the Active Directory administrator has enabled process tracking within the System Event Audit Logs.\\\nIt is important to investigate any software identified as suspicious, in order to understand how it was installed or executed. Analyzing authentication logs or any historic notable events might elicit additional investigative leads of interest. For best results, schedule the search to run every two weeks. ", "references": ["https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"], "tags": {"name": "Monitor for Unauthorized Software", "analytic_story": "Monitor for Unauthorized Software", "category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Compliance", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036.005", "mitre_attack_technique": "Match Legitimate Name or Location", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT32", "APT39", "APT41", "Aoqin Dragon", "BRONZE BUTLER", "BackdoorDiplomacy", "Blue Mockingbird", "Carbanak", "Chimera", "Darkhotel", "Earth Lusca", "FIN7", "Ferocious Kitten", "Fox Kitten", "Gamaredon Group", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Poseidon Group", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "Sowbug", "TEMP.Veles", "TeamTNT", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1595", "mitre_attack_technique": "Active Scanning", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Reconnaissance"]}, "detection_names": ["ESCU - Prohibited Software On Endpoint - Rule", "ESCU - Attacker Tools On Endpoint - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": ["ESCU - Add Prohibited Processes to Enterprise Security"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Prohibited Software On Endpoint", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Match Legitimate Name or Location"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "Active Scanning"}]}}]}, {"name": "Spectre And Meltdown Vulnerabilities", "id": "6d3306f6-bb2b-4219-8609-8efad64032f2", "version": 1, "date": "2018-01-08", "author": "David Dorsey, Splunk", "description": "Assess and mitigate your systems' vulnerability to Spectre and Meltdown exploitation with the searches in this Analytic Story.", "narrative": "Meltdown and Spectre exploit critical vulnerabilities in modern CPUs that allow unintended access to data in memory. This Analytic Story will help you identify the systems can be patched for these vulnerabilities, as well as those that still need to be patched.", "references": ["https://meltdownattack.com/"], "tags": {"name": "Spectre And Meltdown Vulnerabilities", "analytic_story": "Spectre And Meltdown Vulnerabilities", "category": ["Vulnerability"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Vulnerabilities"], "kill_chain_phases": []}, "detection_names": ["ESCU - Spectre and Meltdown Vulnerable Systems - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": ["ESCU - Systems Ready for Spectre-Meltdown Windows Patch"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Spectre and Meltdown Vulnerable Systems", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Suspicious AWS EC2 Activities", "id": "2e8948a5-5239-406b-b56b-6c50f1268af3", "version": 1, "date": "2018-02-09", "author": "Bhavin Patel, Splunk", "description": "Use the searches in this Analytic Story to monitor your AWS EC2 instances for evidence of anomalous activity and suspicious behaviors, such as EC2 instances that originate from unusual locations or those launched by previously unseen users (among others). Included investigative searches will help you probe more deeply, when the information warrants it.", "narrative": "AWS CloudTrail is an AWS service that helps you enable governance, compliance, and risk auditing within your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. It is crucial for a company to monitor events and actions taken in the AWS Console, AWS command-line interface, and AWS SDKs and APIs to ensure that your EC2 instances are not vulnerable to attacks. This Analytic Story identifies suspicious activities in your AWS EC2 instances and helps you respond and investigate those activities.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "tags": {"name": "Suspicious AWS EC2 Activities", "analytic_story": "Suspicious AWS EC2 Activities", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": [], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Abnormally High AWS Instances Launched by User - Rule", "ESCU - Abnormally High AWS Instances Launched by User - MLTK - Rule", "ESCU - Abnormally High AWS Instances Terminated by User - Rule", "ESCU - Abnormally High AWS Instances Terminated by User - MLTK - Rule", "ESCU - EC2 Instance Started In Previously Unseen Region - Rule", "ESCU - EC2 Instance Started With Previously Unseen User - Rule"], "investigation_names": ["ESCU - AWS Investigate Security Hub alerts by dest - Response Task", "ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - Get EC2 Instance Details by instanceId - Response Task", "ESCU - Get EC2 Launch Details - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Investigate AWS activities via region name - Response Task"], "baseline_names": ["ESCU - Baseline of Excessive AWS Instances Launched by User - MLTK", "ESCU - Baseline of Excessive AWS Instances Terminated by User - MLTK", "ESCU - Previously Seen EC2 Launches By User", "ESCU - Previously Seen AWS Regions"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Abnormally High AWS Instances Launched by User", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "Abnormally High AWS Instances Launched by User - MLTK", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "Abnormally High AWS Instances Terminated by User", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "Abnormally High AWS Instances Terminated by User - MLTK", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "EC2 Instance Started In Previously Unseen Region", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "EC2 Instance Started With Previously Unseen User", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}]}, {"name": "Unusual AWS EC2 Modifications", "id": "73de57ef-0dfc-411f-b1e7-fa24428aeae0", "version": 1, "date": "2018-04-09", "author": "David Dorsey, Splunk", "description": "Identify unusual changes to your AWS EC2 instances that may indicate malicious activity. Modifications to your EC2 instances by previously unseen users is an example of an activity that may warrant further investigation.", "narrative": "A common attack technique is to infiltrate a cloud instance and make modifications. The adversary can then secure access to your infrastructure or hide their activities. So it's important to stay alert to changes that may indicate that your environment has been compromised. \\\n Searches within this Analytic Story can help you detect the presence of a threat by monitoring for EC2 instances that have been created or changed--either by users that have never previously performed these activities or by known users who modify or create instances in a way that have not been done before. This story also provides investigative searches that help you go deeper once you detect suspicious behavior.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "tags": {"name": "Unusual AWS EC2 Modifications", "analytic_story": "Unusual AWS EC2 Modifications", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": [], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - EC2 Instance Modified With Previously Unseen User - Rule"], "investigation_names": ["ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - Get EC2 Instance Details by instanceId - Response Task", "ESCU - Get Notable History - Response Task"], "baseline_names": ["ESCU - Previously Seen EC2 Modifications By User"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "EC2 Instance Modified With Previously Unseen User", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}]}, {"name": "Web Fraud Detection", "id": "18bb45b9-7684-45c6-9e97-1fdd0d98c0a7", "version": 1, "date": "2018-10-08", "author": "Jim Apger, Splunk", "description": "Monitor your environment for activity consistent with common attack techniques bad actors use when attempting to compromise web servers or other web-related assets.", "narrative": "The Federal Bureau of Investigations (FBI) defines Internet fraud as the use of Internet services or software with Internet access to defraud victims or to otherwise take advantage of them. According to the Bureau, Internet crime schemes are used to steal millions of dollars each year from victims and continue to plague the Internet through various methods. The agency includes phishing scams, data breaches, Denial of Service (DOS) attacks, email account compromise, malware, spoofing, and ransomware in this category.\\\nThese crimes are not the fraud itself, but rather the attack techniques commonly employed by fraudsters in their pursuit of data that enables them to commit malicious actssuch as obtaining and using stolen credit cards. They represent a serious problem that is steadily increasing and not likely to go away anytime soon.\\\nWhen developing a strategy for preventing fraud in your environment, its important to look across all of your web services for evidence that attackers are abusing enterprise resources to enumerate systems, harvest data for secondary fraudulent activity, or abuse terms of service.This Analytic Story looks for evidence of common Internet attack techniques that could be indicative of web fraud in your environmentincluding account harvesting, anomalous user clickspeed, and password sharing across accounts, to name just a few.\\\nThe account-harvesting search focuses on web pages used for user-account registration. It detects the creation of a large number of user accounts using the same email domain name, a type of activity frequently seen in advance of a fraud campaign.\\\nThe anomalous clickspeed search looks for users who are moving through your website at a faster-than-normal speed or with a perfect click cadence (high periodicity or low standard deviation), which could indicate that the user is a script, not an actual human.\\\nAnother search detects incidents wherein a single password is used across multiple accounts, which may indicate that a fraudster has infiltrated your environment and embedded a common password within a script.", "references": ["https://www.fbi.gov/scams-and-safety/common-fraud-schemes/internet-fraud", "https://www.fbi.gov/news/stories/2017-internet-crime-report-released-050718"], "tags": {"name": "Web Fraud Detection", "analytic_story": "Web Fraud Detection", "category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Fraud Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": [], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Web Fraud - Account Harvesting - Rule", "ESCU - Web Fraud - Anomalous User Clickspeed - Rule", "ESCU - Web Fraud - Password Sharing Across Accounts - Rule"], "investigation_names": ["ESCU - Get Emails From Specific Sender - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Web Session Information via session id - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Jim Apger", "detections": [{"name": "Web Fraud - Account Harvesting", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create Account"}]}}, {"name": "Web Fraud - Anomalous User Clickspeed", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Web Fraud - Password Sharing Across Accounts", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Detect Zerologon Attack", "id": "5d14a962-569e-4578-939f-f386feb63ce4", "version": 1, "date": "2020-09-18", "author": "Rod Soto, Jose Hernandez, Stan Miskowicz, David Dorsey, Shannon Davis Splunk", "description": "Uncover activity related to the execution of Zerologon CVE-2020-11472, a technique wherein attackers target a Microsoft Windows Domain Controller to reset its computer account password. The result from this attack is attackers can now provide themselves high privileges and take over Domain Controller. The included searches in this Analytic Story are designed to identify attempts to reset Domain Controller Computer Account via exploit code remotely or via the use of tool Mimikatz as payload carrier.", "narrative": "This attack is a privilege escalation technique, where attacker targets a Netlogon secure channel connection to a domain controller, using Netlogon Remote Protocol (MS-NRPC). This vulnerability exposes vulnerable Windows Domain Controllers to be targeted via unaunthenticated RPC calls which eventually reset Domain Contoller computer account ($) providing the attacker the opportunity to exfil domain controller credential secrets and assign themselve high privileges that can lead to domain controller and potentially complete network takeover. The detection searches in this Analytic Story use Windows Event viewer events and Sysmon events to detect attack execution, these searches monitor access to the Local Security Authority Subsystem Service (LSASS) process which is an indicator of the use of Mimikatz tool which has bee updated to carry this attack payload.", "references": ["https://attack.mitre.org/wiki/Technique/T1003", "https://github.com/SecuraBV/CVE-2020-1472", "https://www.secura.com/blog/zero-logon", "https://nvd.nist.gov/vuln/detail/CVE-2020-1472"], "tags": {"name": "Detect Zerologon Attack", "analytic_story": "Detect Zerologon Attack", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1210", "mitre_attack_technique": "Exploitation of Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "Dragonfly", "Earth Lusca", "FIN7", "Fox Kitten", "MuddyWater", "Threat Group-3390", "Tonto Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}], "mitre_attack_tactics": ["Credential Access", "Initial Access", "Lateral Movement"], "datamodels": [], "kill_chain_phases": ["Delivery", "Exploitation"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Detect Computer Changed with Anonymous Account - Rule", "ESCU - Detect Credential Dumping through LSASS access - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Detect Zerologon via Zeek - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Jose Hernandez, Stan Miskowicz, David Dorsey, Shannon Davis Splunk", "author_name": "Rod Soto", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Detect Computer Changed with Anonymous Account", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation of Remote Services"}]}}, {"name": "Detect Credential Dumping through LSASS access", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Detect Zerologon via Zeek", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "Dev Sec Ops", "id": "0ca8c38e-631e-4b81-940c-f9c5450ce41e", "version": 1, "date": "2021-08-18", "author": "Patrick Bareiss, Splunk", "description": "This story is focused around detecting attacks on a DevSecOps lifeccycle which consists of the phases plan, code, build, test, release, deploy, operate and monitor.", "narrative": "DevSecOps is a collaborative framework, which thinks about application and infrastructure security from the start. This means that security tools are part of the continuous integration and continuous deployment pipeline. In this analytics story, we focused on detections around the tools used in this framework such as GitHub as a version control system, GDrive for the documentation, CircleCI as the CI/CD pipeline, Kubernetes as the container execution engine and multiple security tools such as Semgrep and Kube-Hunter.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops"], "tags": {"name": "Dev Sec Ops", "analytic_story": "Dev Sec Ops", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.003", "mitre_attack_technique": "Malicious Image", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1554", "mitre_attack_technique": "Compromise Client Software Binary", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1195.002", "mitre_attack_technique": "Compromise Software Supply Chain", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT41", "Cobalt Group", "Dragonfly", "GOLD SOUTHFIELD", "Sandworm Team", "Threat Group-3390"]}, {"mitre_attack_id": "T1195", "mitre_attack_technique": "Supply Chain Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1199", "mitre_attack_technique": "Trusted Relationship", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "GOLD SOUTHFIELD", "LAPSUS$", "POLONIUM", "Sandworm Team", "Threat Group-3390", "menuPass"]}, {"mitre_attack_id": "T1195.001", "mitre_attack_technique": "Compromise Software Dependencies and Development Tools", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1567.002", "mitre_attack_technique": "Exfiltration to Cloud Storage", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Chimera", "Confucius", "Earth Lusca", "FIN7", "HAFNIUM", "HEXANE", "Kimsuky", "Leviathan", "LuminousMoth", "POLONIUM", "Threat Group-3390", "Turla", "ZIRCONIUM"]}, {"mitre_attack_id": "T1567", "mitre_attack_technique": "Exfiltration Over Web Service", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT28", "Magic Hound"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1212", "mitre_attack_technique": "Exploitation for Credential Access", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Credential Access", "Discovery", "Execution", "Exfiltration", "Initial Access", "Persistence"], "datamodels": [], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - AWS ECR Container Scanning Findings High - Rule", "ESCU - AWS ECR Container Scanning Findings Low Informational Unknown - Rule", "ESCU - AWS ECR Container Scanning Findings Medium - Rule", "ESCU - AWS ECR Container Upload Outside Business Hours - Rule", "ESCU - AWS ECR Container Upload Unknown User - Rule", "ESCU - Circle CI Disable Security Job - Rule", "ESCU - Circle CI Disable Security Step - Rule", "ESCU - Correlation by Repository and Risk - Rule", "ESCU - Correlation by User and Risk - Rule", "ESCU - GitHub Actions Disable Security Workflow - Rule", "ESCU - Github Commit Changes In Master - Rule", "ESCU - Github Commit In Develop - Rule", "ESCU - GitHub Dependabot Alert - Rule", "ESCU - GitHub Pull Request from Unknown User - Rule", "ESCU - Gsuite Drive Share In External Email - Rule", "ESCU - GSuite Email Suspicious Attachment - Rule", "ESCU - Gsuite Email Suspicious Subject With Attachment - Rule", "ESCU - Gsuite Email With Known Abuse Web Service Link - Rule", "ESCU - Gsuite Outbound Email With Attachment To External Domain - Rule", "ESCU - Gsuite Suspicious Shared File Name - Rule", "ESCU - Kubernetes Nginx Ingress LFI - Rule", "ESCU - Kubernetes Nginx Ingress RFI - Rule", "ESCU - Kubernetes Scanner Image Pulling - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Patrick Bareiss", "detections": [{"name": "AWS ECR Container Scanning Findings High", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "AWS ECR Container Scanning Findings Low Informational Unknown", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "AWS ECR Container Scanning Findings Medium", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "AWS ECR Container Upload Outside Business Hours", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "AWS ECR Container Upload Unknown User", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "Circle CI Disable Security Job", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Client Software Binary"}]}}, {"name": "Circle CI Disable Security Step", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Client Software Binary"}]}}, {"name": "Correlation by Repository and Risk", "source": "cloud", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "Correlation by User and Risk", "source": "cloud", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "GitHub Actions Disable Security Workflow", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Software Supply Chain"}, {"mitre_attack_technique": "Supply Chain Compromise"}]}}, {"name": "Github Commit Changes In Master", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Trusted Relationship"}]}}, {"name": "Github Commit In Develop", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Trusted Relationship"}]}}, {"name": "GitHub Dependabot Alert", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Software Dependencies and Development Tools"}, {"mitre_attack_technique": "Supply Chain Compromise"}]}}, {"name": "GitHub Pull Request from Unknown User", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Software Dependencies and Development Tools"}, {"mitre_attack_technique": "Supply Chain Compromise"}]}}, {"name": "Gsuite Drive Share In External Email", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration to Cloud Storage"}, {"mitre_attack_technique": "Exfiltration Over Web Service"}]}}, {"name": "GSuite Email Suspicious Attachment", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Gsuite Email Suspicious Subject With Attachment", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Gsuite Email With Known Abuse Web Service Link", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Gsuite Outbound Email With Attachment To External Domain", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Gsuite Suspicious Shared File Name", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Kubernetes Nginx Ingress LFI", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Credential Access"}]}}, {"name": "Kubernetes Nginx Ingress RFI", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Credential Access"}]}}, {"name": "Kubernetes Scanner Image Pulling", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Service Discovery"}]}}]}, {"name": "DHS Report TA18-074A", "id": "0c016e5c-88be-4e2c-8c6c-c2b55b4fb4ef", "version": 2, "date": "2020-01-22", "author": "Rico Valdez, Splunk", "description": "Monitor for suspicious activities associated with DHS Technical Alert US-CERT TA18-074A. Some of the activities that adversaries used in these compromises included spearfishing attacks, malware, watering-hole domains, many and more.", "narrative": "The frequency of nation-state cyber attacks has increased significantly over the last decade. Employing numerous tactics and techniques, these attacks continue to escalate in complexity. \\\nThere is a wide range of motivations for these state-sponsored hacks, including stealing valuable corporate, military, or diplomatic dataѿall of which could confer advantages in various arenas. They may also target critical infrastructure. \\\nOne joint Technical Alert (TA) issued by the Department of Homeland and the FBI in mid-March of 2018 attributed some cyber activity targeting utility infrastructure to operatives sponsored by the Russian government. The hackers executed spearfishing attacks, installed malware, employed watering-hole domains, and more. While they caused no physical damage, the attacks provoked fears that a nation-state could turn off water, redirect power, or compromise a nuclear power plant.\\\nSuspicious activities--spikes in SMB traffic, processes that launch netsh (to modify the network configuration), suspicious registry modifications, and many more--may all be events you may wish to investigate further. While the use of these technique may be an indication that a nation-state actor is attempting to compromise your environment, it is important to note that these techniques are often employed by other groups, as well.", "references": ["https://www.us-cert.gov/ncas/alerts/TA18-074A"], "tags": {"name": "DHS Report TA18-074A", "analytic_story": "DHS Report TA18-074A", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "Dragonfly", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1071.002", "mitre_attack_technique": "File Transfer Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Kimsuky", "SilverTerrier"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Dragonfly", "Magic Hound", "Rocke", "TeamTNT"]}], "mitre_attack_tactics": ["Command And Control", "Defense Evasion", "Execution", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - Create local admin accounts using net exe - Rule", "ESCU - Detect New Local Admin account - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Single Letter Process On Endpoint - Rule", "ESCU - Suspicious Reg exe Process - Rule", "ESCU - Detect Outbound SMB Traffic - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process File Activity - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task"], "baseline_names": ["ESCU - Baseline of SMB Traffic - MLTK", "ESCU - Previously seen command line arguments"], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "Create local admin accounts using net exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "Detect New Local Admin account", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Single Letter Process On Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}, {"mitre_attack_technique": "Malicious File"}]}}, {"name": "Suspicious Reg exe Process", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Detect Outbound SMB Traffic", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File Transfer Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "SMB Traffic Spike", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "SMB Traffic Spike - MLTK", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}}]}, {"name": "Disabling Security Tools", "id": "fcc27099-46a0-46b0-a271-5c7dab56b6f1", "version": 2, "date": "2020-02-04", "author": "Rico Valdez, Splunk", "description": "Looks for activities and techniques associated with the disabling of security tools on a Windows system, such as suspicious `reg.exe` processes, processes launching netsh, and many others.", "narrative": "Attackers employ a variety of tactics in order to avoid detection and operate without barriers. This often involves modifying the configuration of security tools to get around them or explicitly disabling them to prevent them from running. This Analytic Story includes searches that look for activity consistent with attackers attempting to disable various security mechanisms. Such activity may involve monitoring for suspicious registry activity, as this is where much of the configuration for Windows and various other programs reside, or explicitly attempting to shut down security-related services. Other times, attackers attempt various tricks to prevent specific programs from running, such as adding the certificates with which the security tools are signed to a block list (which would prevent them from running).", "references": ["https://attack.mitre.org/wiki/Technique/T1089", "https://blog.malwarebytes.com/cybercrime/2015/11/vonteera-adware-uses-certificates-to-disable-anti-malware/", "https://web.archive.org/web/20220425194457/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Tools-Report.pdf"], "tags": {"name": "Disabling Security Tools", "analytic_story": "Disabling Security Tools", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1553.004", "mitre_attack_technique": "Install Root Certificate", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1553", "mitre_attack_technique": "Subvert Trust Controls", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Axiom"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}], "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Attempt To Add Certificate To Untrusted Store - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Suspicious Reg exe Process - Rule", "ESCU - Unload Sysmon Filter Driver - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": ["ESCU - Baseline of SMB Traffic - MLTK", "ESCU - Previously seen command line arguments"], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Attempt To Add Certificate To Untrusted Store", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Install Root Certificate"}, {"mitre_attack_technique": "Subvert Trust Controls"}]}}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Reg exe Process", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Unload Sysmon Filter Driver", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}]}, {"name": "DNS Amplification Attacks", "id": "a563972b-d2e2-4978-b6ca-6e83e24af4d3", "version": 1, "date": "2016-09-13", "author": "Bhavin Patel, Splunk", "description": "DNS poses a serious threat as a Denial of Service (DOS) amplifier, if it responds to `ANY` queries. This Analytic Story can help you detect attackers who may be abusing your company's DNS infrastructure to launch amplification attacks, causing Denial of Service to other victims.", "narrative": "The Domain Name System (DNS) is the protocol used to map domain names to IP addresses. It has been proven to work very well for its intended function. However if DNS is misconfigured, servers can be abused by attackers to levy amplification or redirection attacks against victims. Because DNS responses to `ANY` queries are so much larger than the queries themselves--and can be made with a UDP packet, which does not require a handshake--attackers can spoof the source address of the packet and cause much more data to be sent to the victim than if they sent the traffic themselves. The `ANY` requests are will be larger than normal DNS server requests, due to the fact that the server provides significant details, such as MX records and associated IP addresses. A large volume of this traffic can result in a DOS on the victim's machine. This misconfiguration leads to two possible victims, the first being the DNS servers participating in an attack and the other being the hosts that are the targets of the DOS attack.\\\nThe search in this story can help you to detect if attackers are abusing your company's DNS infrastructure to launch DNS amplification attacks causing Denial of Service to other victims.", "references": ["https://www.us-cert.gov/ncas/alerts/TA13-088A", "https://www.imperva.com/learn/application-security/dns-amplification/"], "tags": {"name": "DNS Amplification Attacks", "analytic_story": "DNS Amplification Attacks", "category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1498", "mitre_attack_technique": "Network Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1498.002", "mitre_attack_technique": "Reflection Amplification", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Impact"], "datamodels": ["Network_Resolution"], "kill_chain_phases": ["Actions on Objectives"]}, "detection_names": ["ESCU - Large Volume of DNS ANY Queries - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Large Volume of DNS ANY Queries", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Network Denial of Service"}, {"mitre_attack_technique": "Reflection Amplification"}]}}]}, {"name": "DNS Hijacking", "id": "8169f17b-ef68-4b59-aa28-586907301221", "version": 1, "date": "2020-02-04", "author": "Bhavin Patel, Splunk", "description": "Secure your environment against DNS hijacks with searches that help you detect and investigate unauthorized changes to DNS records.", "narrative": "Dubbed the Achilles heel of the Internet (see https://www.f5.com/labs/articles/threat-intelligence/dns-is-still-the-achilles-heel-of-the-internet-25613), DNS plays a critical role in routing web traffic but is notoriously vulnerable to attack. One reason is its distributed nature. It relies on unstructured connections between millions of clients and servers over inherently insecure protocols.\\\nThe gravity and extent of the importance of securing DNS from attacks is undeniable. The fallout of compromised DNS can be disastrous. Not only can hackers bring down an entire business, they can intercept confidential information, emails, and login credentials, as well. \\\nOn January 22, 2019, the US Department of Homeland Security 2019's Cybersecurity and Infrastructure Security Agency (CISA) raised awareness of some high-profile DNS hijacking attacks against infrastructure, both in the United States and abroad. It issued Emergency Directive 19-01 (see https://cyber.dhs.gov/ed/19-01/), which summarized the activity and required government agencies to take the following four actions, all within 10 days: \\\n1. For all .gov or other agency-managed domains, audit public DNS records on all authoritative and secondary DNS servers, verify that they resolve to the intended location or report them to CISA.\\\n1. Update the passwords for all accounts on systems that can make changes to each agency 2019's DNS records.\\\n1. Implement multi-factor authentication (MFA) for all accounts on systems that can make changes to each agency's 2019 DNS records or, if impossible, provide CISA with the names of systems, the reasons why MFA cannot be enabled within the required timeline, and an ETA for when it can be enabled.\\\n1. CISA will begin regular delivery of newly added certificates to Certificate Transparency (CT) logs for agency domains via the Cyber Hygiene service. Upon receipt, agencies must immediately begin monitoring CT log data for certificates issued that they did not request. If an agency confirms that a certificate was unauthorized, it must report the certificate to the issuing certificate authority and to CISA. Of course, it makes sense to put equivalent actions in place within your environment, as well. \\\nIn DNS hijacking, the attacker assumes control over an account or makes use of a DNS service exploit to make changes to DNS records. Once they gain access, attackers can substitute their own MX records, name-server records, and addresses, redirecting emails and traffic through their infrastructure, where they can read, copy, or modify information seen. They can also generate valid encryption certificates to help them avoid browser-certificate checks. In one notable attack on the Internet service provider, GoDaddy, the hackers altered Sender Policy Framework (SPF) records a relatively minor change that did not inflict excessive damage but allowed for more effective spam campaigns.\\\nThe searches in this Analytic Story help you detect and investigate activities that may indicate that DNS hijacking has taken place within your environment.", "references": ["https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", "https://umbrella.cisco.com/blog/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/", "http://www.noip.com/blog/2014/07/11/dynamic-dns-can-use-2/", "https://www.splunk.com/blog/2015/08/04/detecting-dynamic-dns-domains-in-splunk.html"], "tags": {"name": "DNS Hijacking", "analytic_story": "DNS Hijacking", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}, {"mitre_attack_id": "T1568.002", "mitre_attack_technique": "Domain Generation Algorithms", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "TA551"]}, {"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}], "mitre_attack_tactics": ["Command And Control", "Exfiltration", "Initial Access"], "datamodels": ["Network_Resolution"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery"]}, "detection_names": ["ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule", "ESCU - DNS record changed - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect DNS Data Exfiltration using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Detect suspicious DNS TXT records using pretrained model in DSDL - Rule"], "investigation_names": ["ESCU - Get DNS Server History for a host - Response Task"], "baseline_names": ["ESCU - Discover DNS records"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Clients Connecting to Multiple DNS Servers", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}]}}, {"name": "DNS record changed", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}]}}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}}, {"name": "Detect DNS Data Exfiltration using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Detect suspicious DNS TXT records using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}}]}, {"name": "sAMAccountName Spoofing and Domain Controller Impersonation", "id": "0244fdee-61be-11ec-900e-acde48001122", "version": 1, "date": "2021-12-20", "author": "Mauricio Velazco, Splunk", "description": "Monitor for activities and techniques associated with the exploitation of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) vulnerabilities.", "narrative": "On November 9, 2021, Microsoft released patches to address two vulnerabilities that affect Windows Active Directory networks, sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287). On December 10, 2021, security researchers Charlie Clark and Andrew Schwartz released a blog post where they shared how to weaponise these vulnerabilities in a target network an the initial detection opportunities. When successfully exploited, CVE-2021-42278 and CVE-2021-42287 allow an adversary, who has stolen the credentials of a low priviled domain user, to obtain a Kerberos Service ticket for a Domain Controller computer account. The only requirement is to have network connectivity to a domain controller. This attack vector effectivelly allows attackers to escalate their privileges in an Active Directory from a regular domain user account and take control of a domain controller. While patches have been released to address these vulnerabilities, deploying detection controls for this attack may help help defenders identify attackers attempting exploitation.", "references": ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287", "https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html"], "tags": {"name": "sAMAccountName Spoofing and Domain Controller Impersonation", "analytic_story": "sAMAccountName Spoofing and Domain Controller Impersonation", "category": ["Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "Chimera", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "Wizard Spider"]}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": [], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Suspicious Computer Account Name Change - Rule", "ESCU - Suspicious Kerberos Service Ticket Request - Rule", "ESCU - Suspicious Ticket Granting Ticket Request - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Suspicious Computer Account Name Change", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}}, {"name": "Suspicious Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}}, {"name": "Suspicious Ticket Granting Ticket Request", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}}]}, {"name": "Domain Trust Discovery", "id": "e6f30f14-8daf-11eb-a017-acde48001122", "version": 1, "date": "2021-03-25", "author": "Michael Haag, Splunk", "description": "Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments.", "narrative": "Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain. Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting. Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP. The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.", "references": ["https://attack.mitre.org/techniques/T1482/"], "tags": {"name": "Domain Trust Discovery", "analytic_story": "Domain Trust Discovery", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Discovery"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - DSQuery Domain Discovery - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Windows AdFind Exe - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "DSQuery Domain Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}]}}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}]}}, {"name": "Windows AdFind Exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}]}, {"name": "Double Zero Destructor", "id": "f56e8c00-3224-4955-9a6e-924ec7da1df7", "version": 1, "date": "2022-03-25", "author": "Teoderick Contreras, Rod Soto, Splunk", "description": "Double Zero Destructor is a destructive payload that enumerates Domain Controllers and executes killswitch if detected. Overwrites files with Zero blocks or using MS Windows API calls such as NtFileOpen, NtFSControlFile. This payload also deletes registry hives HKCU,HKLM, HKU, HKLM BCD.", "narrative": "Double zero destructor enumerates domain controllers, delete registry hives and overwrites files using zero blocks and API calls.", "references": ["https://cert.gov.ua/article/38088", "https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html"], "tags": {"name": "Double Zero Destructor", "analytic_story": "Double Zero Destructor", "category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}], "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Deleted Registry By A Non Critical Process File Path - Rule", "ESCU - Windows Terminating Lsass Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows Deleted Registry By A Non Critical Process File Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Terminating Lsass Process", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}]}, {"name": "Dynamic DNS", "id": "8169f17b-ef68-4b59-aae8-586907301221", "version": 2, "date": "2018-09-06", "author": "Bhavin Patel, Splunk", "description": "Detect and investigate hosts in your environment that may be communicating with dynamic domain providers. Attackers may leverage these services to help them avoid firewall blocks and deny lists.", "narrative": "Dynamic DNS services (DDNS) are legitimate low-cost or free services that allow users to rapidly update domain resolutions to IP infrastructure. While their usage can be benign, malicious actors can abuse DDNS to host harmful payloads or interactive-command-and-control infrastructure. These attackers will manually update or automate domain resolution changes by routing dynamic domains to IP addresses that circumvent firewall blocks and deny lists and frustrate a network defender's analytic and investigative processes. These searches will look for DNS queries made from within your infrastructure to suspicious dynamic domains and then investigate more deeply, when appropriate. While this list of top-level dynamic domains is not exhaustive, it can be dynamically updated as new suspicious dynamic domains are identified.", "references": ["https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", "https://umbrella.cisco.com/blog/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/", "http://www.noip.com/blog/2014/07/11/dynamic-dns-can-use-2/", "https://www.splunk.com/blog/2015/08/04/detecting-dynamic-dns-domains-in-splunk.html"], "tags": {"name": "Dynamic DNS", "analytic_story": "Dynamic DNS", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1071.001", "mitre_attack_technique": "Web Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Confucius", "Dark Caracal", "FIN4", "FIN8", "Gamaredon Group", "HAFNIUM", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "OilRig", "Orangeworm", "Rancor", "Rocke", "Sandworm Team", "Sidewinder", "SilverTerrier", "Stealth Falcon", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "WIRTE", "Windshift", "Wizard Spider"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1568.002", "mitre_attack_technique": "Domain Generation Algorithms", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "TA551"]}, {"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}], "mitre_attack_tactics": ["Command And Control", "Exfiltration", "Initial Access"], "datamodels": ["Endpoint", "Network_Resolution", "Web"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery"]}, "detection_names": ["ESCU - Detect web traffic to dynamic domain providers - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule"], "investigation_names": ["ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get DNS traffic ratio - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Process Responsible For The DNS Traffic - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect web traffic to dynamic domain providers", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Web Protocols"}]}}, {"name": "DNS Exfiltration Using Nslookup App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Excessive Usage of NSLOOKUP App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}]}, {"name": "Emotet Malware DHS Report TA18-201A ", "id": "bb9f5ed2-916e-4364-bb6d-91c310efcf52", "version": 1, "date": "2020-01-27", "author": "Bhavin Patel, Splunk", "description": "Detect rarely used executables, specific registry paths that may confer malware survivability and persistence, instances where cmd.exe is used to launch script interpreters, and other indicators that the Emotet financial malware has compromised your environment.", "narrative": "The trojan downloader known as Emotet first surfaced in 2014, when it was discovered targeting the banking industry to steal credentials. However, according to a joint technical alert (TA) issued by three government agencies (https://www.us-cert.gov/ncas/alerts/TA18-201A), Emotet has evolved far beyond those beginnings to become what a ThreatPost article called a threat-delivery service(see https://threatpost.com/emotet-malware-evolves-beyond-banking-to-threat-delivery-service/134342/). For example, in early 2018, Emotet was found to be using its loader function to spread the Quakbot and Ransomware variants. \\\nAccording to the TA, the the malware continues to be among the most costly and destructive malware affecting the private and public sectors. Researchers have linked it to the threat group Mealybug, which has also been on the security communitys radar since 2014.\\\nThe searches in this Analytic Story will help you find executables that are rarely used in your environment, specific registry paths that malware often uses to ensure survivability and persistence, instances where cmd.exe is used to launch script interpreters, and other indicators that Emotet or other malware has compromised your environment. ", "references": ["https://www.us-cert.gov/ncas/alerts/TA18-201A", "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", "https://www.vkremez.com/2017/05/emotet-banking-trojan-malware-analysis.html"], "tags": {"name": "Emotet Malware DHS Report TA18-201A ", "analytic_story": "Emotet Malware DHS Report TA18-201A ", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1072", "mitre_attack_technique": "Software Deployment Tools", "mitre_attack_tactics": ["Execution", "Lateral Movement"], "mitre_attack_groups": ["APT32", "Sandworm Team", "Silence", "Threat Group-1314"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Execution", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Email", "Endpoint", "Network_Traffic"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Prohibited Software On Endpoint - Rule", "ESCU - Detect Use of cmd exe to Launch Script Interpreters - Rule", "ESCU - Detection of tools built by NirSoft - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule"], "investigation_names": ["ESCU - Get History Of Email Sources - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task"], "baseline_names": ["ESCU - Baseline of SMB Traffic - MLTK", "ESCU - Add Prohibited Processes to Enterprise Security"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Email Attachments With Lots Of Spaces", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Suspicious Email Attachment Extensions", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Prohibited Software On Endpoint", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Detect Use of cmd exe to Launch Script Interpreters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "Detection of tools built by NirSoft", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Software Deployment Tools"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "SMB Traffic Spike", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "SMB Traffic Spike - MLTK", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}}]}, {"name": "F5 BIG-IP Vulnerability CVE-2022-1388", "id": "0367b177-f8d6-4c4b-a62d-86f52a590bff", "version": 1, "date": "2022-05-10", "author": "Michael Haag, Splunk", "description": "CVE-2022-1388 is a unauthenticated remote code execution vulnerablity against BIG-IP iControl REST API.", "narrative": "CVE-2022-1388 is a critical vulnerability (CVSS 9.8) in the management interface of F5 Networks'' BIG-IP solution that enables an unauthenticated attacker to gain remote code execution on the system through bypassing F5''s iControl REST authentication. The vulnerability was first discovered by F5''s internal product security team and disclosed publicly on May 4, 2022, per Randori. This vulnerability,CVE-2022-1388, may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only per F5 article K23605346. Is CVE-2022-1388 Exploitable? Yes. There are now multiple POC scripts available and reports of threat actors scanning and potentially exploiting the vulnerablity. Per Randori the specific interface needed to exploit this vulnerability is rarely publicly exposed, and the risk to most organizations of exploitation by an unauthenticated external actor is low.", "references": ["https://github.com/dk4trin/templates-nuclei/blob/main/CVE-2022-1388.yaml", "https://www.randori.com/blog/vulnerability-analysis-cve-2022-1388/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388", "https://twitter.com/da_667/status/1523770267327250438?s=20&t=-JnB_aNWuJFsmcOmxGUWLQ", "https://github.com/horizon3ai/CVE-2022-1388/blob/main/CVE-2022-1388.py"], "tags": {"name": "F5 BIG-IP Vulnerability CVE-2022-1388", "analytic_story": "F5 BIG-IP Vulnerability CVE-2022-1388", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "F5 BIG-IP iControl REST Vulnerability CVE-2022-1388", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "F5 TMUI RCE CVE-2020-5902", "id": "7678c968-d46e-11ea-87d0-0242ac130003", "version": 1, "date": "2020-08-02", "author": "Shannon Davis, Splunk", "description": "Uncover activity consistent with CVE-2020-5902. Discovered by Positive Technologies researchers, this vulnerability affects F5 BIG-IP, BIG-IQ. and Traffix SDC devices (vulnerable versions in F5 support link below). This vulnerability allows unauthenticated users, along with authenticated users, who have access to the configuration utility to execute system commands, create/delete files, disable services, and/or execute Java code. This vulnerability can result in full system compromise.", "narrative": "A client is able to perform a remote code execution on an exposed and vulnerable system. The detection search in this Analytic Story uses syslog to detect the malicious behavior. Syslog is going to be the best detection method, as any systems using SSL to protect their management console will make detection via wire data difficult. The searches included used Splunk Connect For Syslog (https://splunkbase.splunk.com/app/4740/), and used a custom destination port to help define the data as F5 data (covered in https://splunk-connect-for-syslog.readthedocs.io/en/master/sources/F5/)", "references": ["https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/", "https://support.f5.com/csp/article/K52145254", "https://blog.cloudflare.com/cve-2020-5902-helping-to-protect-against-the-f5-tmui-rce-vulnerability/"], "tags": {"name": "F5 TMUI RCE CVE-2020-5902", "analytic_story": "F5 TMUI RCE CVE-2020-5902", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": [], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Detect F5 TMUI RCE CVE-2020-5902 - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Shannon Davis", "detections": [{"name": "Detect F5 TMUI RCE CVE-2020-5902", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "FIN7", "id": "df2b00d3-06ba-49f1-b253-b19cef19b569", "version": 1, "date": "2021-09-14", "author": "Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the FIN7 JS Implant and JSSLoader, including looking for Image Loading of ldap and wmi modules, associated with its payload, data collection and script execution.", "narrative": "FIN7 is a Russian criminal advanced persistent threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. A portion of FIN7 is run out of the front company Combi Security. It has been called one of the most successful criminal hacking groups in the world. this passed few day FIN7 tools and implant are seen in the wild where its code is updated. the FIN& is known to use the spear phishing attack as a entry to targetted network or host that will drop its staging payload like the JS and JSSloader. Now this artifacts and implants seen downloading other malware like cobaltstrike and event ransomware to encrypt host.", "references": ["https://en.wikipedia.org/wiki/FIN7", "https://threatpost.com/fin7-windows-11-release/169206/", "https://www.proofpoint.com/us/blog/threat-insight/jssloader-recoded-and-reloaded"], "tags": {"name": "FIN7", "analytic_story": "FIN7", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134.004", "mitre_attack_technique": "Parent PID Spoofing", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1220", "mitre_attack_technique": "XSL Script Processing", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "Higaisa"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Execution", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Check Elevated CMD using whoami - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Jscript Execution Using Cscript App - Rule", "ESCU - MS Scripting Process Loading Ldap Module - Rule", "ESCU - MS Scripting Process Loading WMI Module - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Application Drop Executable - Rule", "ESCU - Office Product Spawning Wmic - Rule", "ESCU - Vbscript Execution Using Wscript App - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule", "ESCU - XSL Script Execution With WMIC - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Check Elevated CMD using whoami", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}}, {"name": "Jscript Execution Using Cscript App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}}, {"name": "MS Scripting Process Loading Ldap Module", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}}, {"name": "MS Scripting Process Loading WMI Module", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning Wmic", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Vbscript Execution Using Wscript App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "XSL Script Execution With WMIC", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "XSL Script Processing"}]}}]}, {"name": "Fortinet FortiNAC CVE-2022-39952", "id": "2833a527-3b7f-41af-a950-39f7bbaff819", "version": 1, "date": "2023-02-21", "author": "Michael Haag, Splunk", "description": "On Thursday, 16 February 2023, Fortinet released a PSIRT that details CVE-2022-39952, a critical vulnerability affecting its FortiNAC product (Horizon3.ai).", "narrative": "This vulnerability, discovered by Gwendal Guegniaud of Fortinet, allows an unauthenticated attacker to write arbitrary files on the system and as a result obtain remote code execution in the context of the root user (Horizon3.ai). Impacting FortiNAC, is tracked as CVE-2022-39952 and has a CVSS v3 score of 9.8 (critical). FortiNAC is a network access control solution that helps organizations gain real time network visibility, enforce security policies, and detect and mitigate threats. An external control of file name or path vulnerability CWE-73 in FortiNAC webserver may allow an unauthenticated attacker to perform arbitrary write on the system, reads the security advisory.", "references": ["https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/", "https://viz.greynoise.io/tag/fortinac-rce-attempt?days=30", "https://www.bleepingcomputer.com/news/security/fortinet-fixes-critical-rce-flaws-in-fortinac-and-fortiweb/"], "tags": {"name": "Fortinet FortiNAC CVE-2022-39952", "analytic_story": "Fortinet FortiNAC CVE-2022-39952", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "GCP Account Takeover", "id": "8601caff-414f-4c6d-9a04-75b66778869d", "version": 1, "date": "2022-10-12", "author": "Mauricio Velazco, Bhavin Patel, Splunk", "description": "Monitor for activities and techniques associated with Account Takover attacks against Google Cloud Platform tenants.", "narrative": "Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic storic groups detections that can help security operations teams identify the potential compromise of Azure Active Directory accounts.", "references": ["https://cloud.google.com/gcp", "https://cloud.google.com/architecture/identity/overview-google-authentication", "https://attack.mitre.org/techniques/T1586/", "https://www.imperva.com/learn/application-security/account-takeover-ato/", "https://www.barracuda.com/glossary/account-takeover"], "tags": {"name": "GCP Account Takeover", "analytic_story": "GCP Account Takeover", "category": ["Account Compromise"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation", "Resource Development"], "datamodels": [], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"]}, "detection_names": ["ESCU - GCP Authentication Failed During MFA Challenge - Rule", "ESCU - GCP Multi-Factor Authentication Disabled - Rule", "ESCU - GCP Multiple Failed MFA Requests For User - Rule", "ESCU - GCP Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - GCP Successful Single-Factor Authentication - Rule", "ESCU - GCP Unusual Number of Failed Authentications From Ip - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Bhavin Patel, Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "GCP Authentication Failed During MFA Challenge", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}}, {"name": "GCP Multi-Factor Authentication Disabled", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}}, {"name": "GCP Multiple Failed MFA Requests For User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "GCP Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "GCP Successful Single-Factor Authentication", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "GCP Unusual Number of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}}]}, {"name": "GCP Cross Account Activity", "id": "0432039c-ef41-4b03-b157-450c25dad1e6", "version": 1, "date": "2020-09-01", "author": "Rod Soto, Splunk", "description": "Track when a user assumes an IAM role in another GCP account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity.", "narrative": "Google Cloud Platform (GCP) admins manage access to GCP resources and services across the enterprise using GCP Identity and Access Management (IAM) functionality. IAM provides the ability to create and manage GCP users, groups, and roles-each with their own unique set of privileges and defined access to specific resources (such as Compute instances, the GCP Management Console, API, or the command-line interface). Unlike conventional (human) users, IAM roles are potentially assumable by anyone in the organization. They provide users with dynamically created temporary security credentials that expire within a set time period.\\\nIn between the time between when the temporary credentials are issued and when they expire is a period of opportunity, where a user could leverage the temporary credentials to wreak havoc-spin up or remove instances, create new users, elevate privileges, and other malicious activities-throughout the environment.\\\nThis Analytic Story includes searches that will help you monitor your GCP Audit logs logs for evidence of suspicious cross-account activity. For example, while accessing multiple GCP accounts and roles may be perfectly valid behavior, it may be suspicious when an account requests privileges of an account it has not accessed in the past. After identifying suspicious activities, you can use the provided investigative searches to help you probe more deeply.", "references": ["https://cloud.google.com/iam/docs/understanding-service-accounts"], "tags": {"name": "GCP Cross Account Activity", "analytic_story": "GCP Cross Account Activity", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Email"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - GCP Detect gcploit framework - Rule", "ESCU - GCP Detect accounts with high risk roles by project - Rule", "ESCU - GCP Detect high risk permissions by resource and account - Rule", "ESCU - gcp detect oauth token abuse - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "GCP Detect gcploit framework", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "GCP Detect accounts with high risk roles by project", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "GCP Detect high risk permissions by resource and account", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "gcp detect oauth token abuse", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}]}, {"name": "HAFNIUM Group", "id": "beae2ab0-7c3f-11eb-8b63-acde48001122", "version": 1, "date": "2021-03-03", "author": "Michael Haag, Splunk", "description": "HAFNIUM group was identified by Microsoft as exploiting 4 Microsoft Exchange CVEs in the wild - CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.", "narrative": "On Tuesday, March 2, 2021, Microsoft released a set of security patches for its mail server, Microsoft Exchange. These patches respond to a group of vulnerabilities known to impact Exchange 2013, 2016, and 2019. It is important to note that an Exchange 2010 security update has also been issued, though the CVEs do not reference that version as being vulnerable.\\\nWhile the CVEs do not shed much light on the specifics of the vulnerabilities or exploits, the first vulnerability (CVE-2021-26855) has a remote network attack vector that allows the attacker, a group Microsoft named HAFNIUM, to authenticate as the Exchange server. Three additional vulnerabilities (CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) were also identified as part of this activity. When chained together along with CVE-2021-26855 for initial access, the attacker would have complete control over the Exchange server. This includes the ability to run code as SYSTEM and write to any path on the server.\\\nThe following Splunk detections assist with identifying the HAFNIUM groups tradecraft and methodology.", "references": ["https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/"], "tags": {"name": "HAFNIUM Group", "analytic_story": "HAFNIUM Group", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "Dragonfly", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Credential Access", "Execution", "Initial Access", "Lateral Movement", "Persistence"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Command And Control", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Email servers sending high volume traffic to hosts - Rule", "ESCU - Dump LSASS via procdump Rename - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect New Local Admin account - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Dump LSASS via procdump - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Nishang PowershellTCPOneLine - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - W3WP Spawning Shell - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Email servers sending high volume traffic to hosts", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Remote Email Collection"}]}}, {"name": "Dump LSASS via procdump Rename", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}]}}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Detect New Local Admin account", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Dump LSASS via procdump", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Nishang PowershellTCPOneLine", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}]}, {"name": "Hermetic Wiper", "id": "b7511c2e-9a10-11ec-99e3-acde48001122", "version": 1, "date": "2022-03-02", "author": "Teoderick Contreras, Rod Soto, Michael Haag, Splunk", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive malware targeting Ukrainian organizations also known as \"Hermetic Wiper\". This analytic story looks for abuse of Regsvr32, executables written in administrative SMB Share, suspicious processes, disabling of memory crash dump and more.", "narrative": "Hermetic Wiper is destructive malware operation found by Sentinel One targeting multiple organizations in Ukraine. This malicious payload corrupts Master Boot Records, uses signed drivers and manipulates NTFS attributes for file destruction.", "references": ["https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/", "https://www.cisa.gov/uscert/ncas/alerts/aa22-057a"], "tags": {"name": "Hermetic Wiper", "analytic_story": "Hermetic Wiper", "category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1547.014", "mitre_attack_technique": "Active Setup", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Rocke"]}, {"mitre_attack_id": "T1037.001", "mitre_attack_technique": "Logon Script (Windows)", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "Cobalt Group"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Earth Lusca", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.008", "mitre_attack_technique": "Accessibility Features", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT3", "APT41", "Axiom", "Deep Panda", "Fox Kitten"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1027.005", "mitre_attack_technique": "Indicator Removal from Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT3", "Deep Panda", "GALLIUM", "OilRig", "Patchwork", "TEMP.Veles", "Turla"]}, {"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["TEMP.Veles"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1134.001", "mitre_attack_technique": "Token Impersonation/Theft", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "FIN8"]}, {"mitre_attack_id": "T1546.002", "mitre_attack_technique": "Screensaver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.003", "mitre_attack_technique": "Time Providers", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Execution", "Impact", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Email", "Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Suspicious Powershell Command-Line Arguments - Rule", "ESCU - Uncommon Processes On Endpoint - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Child Processes of Spoolsv exe - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Detect Empire with PowerShell Script Block Logging - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process With Obfuscation Techniques - Rule", "ESCU - MSI Module Loaded by Non-System Binary - Rule", "ESCU - Overwriting Accessibility Binaries - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - PowerShell Domain Enumeration - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Powershell Fileless Process Injection via GetProcAddress - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Runas Execution in CommandLine - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Unloading AMSI via Reflection - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows File Without Extension In Critical Folder - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - WMI Recon Running Process Or Services - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Michael Haag, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Email Attachments With Lots Of Spaces", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Suspicious Email Attachment Extensions", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Suspicious Powershell Command-Line Arguments", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}]}}, {"name": "Uncommon Processes On Endpoint", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious File"}]}}, {"name": "Active Setup Registry Autostart", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Active Setup"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Child Processes of Spoolsv exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Detect Empire with PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Blocking"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Kerberoasting spn request with RC4 encryption", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Linux Java Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Logon Script Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Boot or Logon Initialization Scripts"}, {"mitre_attack_technique": "Logon Script (Windows)"}]}}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Malicious PowerShell Process With Obfuscation Techniques", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "MSI Module Loaded by Non-System Binary", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Overwriting Accessibility Binaries", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Accessibility Features"}]}}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Remote Management"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "MMC"}]}}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "PowerShell Domain Enumeration", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Enable SMB1Protocol Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Indicator Removal from Tools"}]}}, {"name": "Powershell Execute COM Object", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Component Object Model Hijacking"}, {"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Fileless Process Injection via GetProcAddress", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Using memory As Backing Store", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Print Processor Registry Autostart", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Image File Execution Options Injection"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Runas Execution in CommandLine", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Access Token Manipulation"}, {"mitre_attack_technique": "Token Impersonation/Theft"}]}}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Screensaver"}]}}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Time Providers"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Unloading AMSI via Reflection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Windows Disable Memory Crash Dump", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows File Without Extension In Critical Folder", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "WMI Recon Running Process Or Services", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}]}, {"name": "Hidden Cobra Malware", "id": "baf7580b-d4b4-4774-8173-7d198e9da335", "version": 2, "date": "2020-01-22", "author": "Rico Valdez, Splunk", "description": "Monitor for and investigate activities, including the creation or deletion of hidden shares and file writes, that may be evidence of infiltration by North Korean government-sponsored cybercriminals. Details of this activity were reported in DHS Report TA-18-149A.", "narrative": "North Korea's government-sponsored \"cyber army\" has been slowly building momentum and gaining sophistication over the last 15 years or so. As a result, the group's activity, which the US government refers to as \"Hidden Cobra,\" has surreptitiously crept onto the collective radar as a preeminent global threat.\\\nThese state-sponsored actors are thought to be responsible for everything from a hack on a South Korean nuclear plant to an attack on Sony in anticipation of its release of the movie \"The Interview\" at the end of 2014. They're also notorious for cyberespionage. In recent years, the group seems to be focused on financial crimes, such as cryptojacking.\\\nIn June of 2018, The Department of Homeland Security, together with the FBI and other U.S. government partners, issued Technical Alert (TA-18-149A) to advise the public about two variants of North Korean malware. One variant, dubbed \"Joanap,\" is a multi-stage peer-to-peer botnet that allows North Korean state actors to exfiltrate data, download and execute secondary payloads, and initialize proxy communications. The other variant, \"Brambul,\" is a Windows32 SMB worm that is dropped into a victim network. When executed, the malware attempts to spread laterally within a victim's local subnet, connecting via the SMB protocol and initiating brute-force password attacks. It reports details to the Hidden Cobra actors via email, so they can use the information for secondary remote operations.\\\nAmong other searches in this Analytic Story is a detection search that looks for the creation or deletion of hidden shares, such as, \"adnim$,\" which the Hidden Cobra malware creates on the target system. Another looks for the creation of three malicious files associated with the malware. You can also use a search in this story to investigate activity that indicates that malware is sending email back to the attackers.", "references": ["https://web.archive.org/web/20191220004307/https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity", "https://web.archive.org/web/20220421112536/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf"], "tags": {"name": "Hidden Cobra Malware", "analytic_story": "Hidden Cobra Malware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.005", "mitre_attack_technique": "Network Share Connection Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Threat Group-3390"]}, {"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1071.002", "mitre_attack_technique": "File Transfer Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Kimsuky", "SilverTerrier"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Dragonfly", "Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}, {"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}], "mitre_attack_tactics": ["Command And Control", "Defense Evasion", "Execution", "Exfiltration", "Lateral Movement"], "datamodels": ["Endpoint", "Network_Resolution", "Network_Traffic"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - Suspicious File Write - Rule", "ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Remote Desktop Process Running On System - Rule", "ESCU - Detect Outbound SMB Traffic - Rule", "ESCU - DNS Query Length Outliers - MLTK - Rule", "ESCU - DNS Query Length With High Standard Deviation - Rule", "ESCU - Remote Desktop Network Traffic - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule"], "investigation_names": ["ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get DNS traffic ratio - Response Task", "ESCU - Get History Of Email Sources - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Outbound Emails to Hidden Cobra Threat Actors - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task", "ESCU - Get Process Responsible For The DNS Traffic - Response Task", "ESCU - Investigate Successful Remote Desktop Authentications - Response Task"], "baseline_names": ["ESCU - Baseline of DNS Query Length - MLTK", "ESCU - Baseline of SMB Traffic - MLTK", "ESCU - Identify Systems Creating Remote Desktop Traffic", "ESCU - Identify Systems Receiving Remote Desktop Traffic", "ESCU - Identify Systems Using Remote Desktop", "ESCU - Previously seen command line arguments"], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "Suspicious File Write", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Network Share Connection Removal"}]}}, {"name": "Remote Desktop Process Running On System", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Detect Outbound SMB Traffic", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File Transfer Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "DNS Query Length Outliers - MLTK", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "DNS Query Length With High Standard Deviation", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Remote Desktop Network Traffic", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "SMB Traffic Spike", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "SMB Traffic Spike - MLTK", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}}]}, {"name": "IIS Components", "id": "0fbde550-8252-43ab-a26a-03976f55b58b", "version": 1, "date": "2022-12-19", "author": "Michael Haag, Splunk", "description": "Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence.", "narrative": "IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions - Get{Extension/Filter}Version, Http{Extension/Filter}Proc, and (optionally) Terminate{Extension/Filter}. IIS modules may also be installed to extend IIS web servers.\\\nAdversaries may install malicious ISAPI extensions and filters to observe and/or modify traffic, execute commands on compromised machines, or proxy command and control traffic. ISAPI extensions and filters may have access to all IIS web requests and responses. For example, an adversary may abuse these mechanisms to modify HTTP responses in order to distribute malicious commands/content to previously comprised hosts.\\\nAdversaries may also install malicious IIS modules to observe and/or modify traffic. IIS 7.0 introduced modules that provide the same unrestricted access to HTTP requests and responses as ISAPI extensions and filters. IIS modules can be written as a DLL that exports RegisterModule, or as a .NET application that interfaces with ASP.NET APIs to access IIS HTTP requests. (reference MITRE)", "references": ["https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://attack.mitre.org/techniques/T1505/004/", "https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union", "https://strontic.github.io/xcyclopedia/library/appcmd.exe-055B2B09409F980BF9B5A3969D01E5B2.html"], "tags": {"name": "IIS Components", "analytic_story": "IIS Components", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.002", "mitre_attack_technique": "Disable Windows Event Logging", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound", "Threat Group-3390"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "datamodels": ["Endpoint", "Web"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Windows Disable Windows Event Logging Disable HTTP Logging - Rule", "ESCU - Windows IIS Components Add New Module - Rule", "ESCU - Windows IIS Components Get-WebGlobalModule Module Query - Rule", "ESCU - Windows IIS Components Module Failed to Load - Rule", "ESCU - Windows IIS Components New Module Added - Rule", "ESCU - Windows PowerShell Add Module to Global Assembly Cache - Rule", "ESCU - Windows PowerShell Disable HTTP Logging - Rule", "ESCU - Windows PowerShell IIS Components WebGlobalModule Usage - Rule", "ESCU - Windows Server Software Component GACUtil Install to GAC - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Disable Windows Event Logging Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable Windows Event Logging"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}}, {"name": "Windows IIS Components Add New Module", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}}, {"name": "Windows IIS Components Get-WebGlobalModule Module Query", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "IIS Components"}, {"mitre_attack_technique": "Server Software Component"}]}}, {"name": "Windows IIS Components Module Failed to Load", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}}, {"name": "Windows IIS Components New Module Added", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}}, {"name": "Windows PowerShell Add Module to Global Assembly Cache", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}}, {"name": "Windows PowerShell Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable Windows Event Logging"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}}, {"name": "Windows PowerShell IIS Components WebGlobalModule Usage", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}}, {"name": "Windows Server Software Component GACUtil Install to GAC", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}}]}, {"name": "Industroyer2", "id": "7ff7db2b-b001-498e-8fe8-caf2dbc3428a", "version": 1, "date": "2022-04-21", "author": "Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Industroyer2 attack, including file writes associated with its payload, lateral movement, persistence, privilege escalation and data destruction.", "narrative": "Industroyer2 is part of continuous attack to ukraine targeting energy facilities. This malware is a windows binary that implement IEC-104 protocol to communicate with industrial equipments. This attack consist of several destructive linux script component to wipe or delete several linux critical files, powershell for domain enumeration and caddywiper to wipe boot sector of the targeted host.", "references": ["https://cert.gov.ua/article/39518", "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/"], "tags": {"name": "Industroyer2", "analytic_story": "Industroyer2", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "Rocke"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - AdsiSearcher Account Discovery - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux DD File Overwrite - Rule", "ESCU - Linux Deleting Critical Directory Using RM Command - Rule", "ESCU - Linux Disable Services - Rule", "ESCU - Linux High Frequency Of File Deletion In Boot Folder - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Stdout Redirection To Dev Null File - Rule", "ESCU - Linux Stop Services - Rule", "ESCU - Linux System Network Discovery - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows Linked Policies In ADSI Discovery - Rule", "ESCU - Windows Processes Killed By Industroyer2 Malware - Rule", "ESCU - Windows Root Domain linked policies Discovery - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "AdsiSearcher Account Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux DD File Overwrite", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Deleting Critical Directory Using RM Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Disable Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Linux High Frequency Of File Deletion In Boot Folder", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Stdout Redirection To Dev Null File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Linux Stop Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Linux System Network Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}]}}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows Linked Policies In ADSI Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Windows Processes Killed By Industroyer2 Malware", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Windows Root Domain linked policies Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}]}, {"name": "Information Sabotage", "id": "b71ba595-ef80-4e39-8b66-887578a7a71b", "version": 1, "date": "2021-11-17", "author": "Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might correlate to insider threat specially in terms of information sabotage.", "narrative": "Information sabotage is the type of crime many people associate with insider threat. Where the current or former employees, contractors, or business partners intentionally exceeded or misused an authorized level of access to networks, systems, or data with the intention of harming a specific individual, the organization, or the organization's data, systems, and/or daily business operations.", "references": ["https://insights.sei.cmu.edu/blog/insider-threat-deep-dive-it-sabotage/"], "tags": {"name": "Information Sabotage", "analytic_story": "Information Sabotage", "category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud", "Splunk Behavioral Analytics"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Exfiltration"], "datamodels": [], "kill_chain_phases": ["Actions on Objectives"]}, "detection_names": ["ESCU - High Frequency Copy Of Files In Network Share - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "High Frequency Copy Of Files In Network Share", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}]}, {"name": "Ingress Tool Transfer", "id": "b3782036-8cbd-11eb-9d8e-acde48001122", "version": 1, "date": "2021-03-24", "author": "Michael Haag, Splunk", "description": "Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the Command And Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP.", "narrative": "Ingress tool transfer is a Technique under tactic Command And Control. Behaviors will include the use of living off the land binaries to download implants or binaries over alternate communication ports. It is imperative to baseline applications on endpoints to understand what generates network activity, to where, and what is its native behavior. These utilities, when abused, will write files to disk in world writeable paths.\\ During triage, review the reputation of the remote public destination IP or domain. Capture any files written to disk and perform analysis. Review other parrallel processes for additional behaviors.", "references": ["https://attack.mitre.org/techniques/T1105/"], "tags": {"name": "Ingress Tool Transfer", "analytic_story": "Ingress Tool Transfer", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1197", "mitre_attack_technique": "BITS Jobs", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT39", "APT41", "Leviathan", "Patchwork"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "POLONIUM", "Sandworm Team", "Turla", "Windigo"]}, {"mitre_attack_id": "T1095", "mitre_attack_technique": "Non-Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT3", "BITTER", "BackdoorDiplomacy", "FIN6", "HAFNIUM", "Metador", "PLATINUM"]}], "mitre_attack_tactics": ["Command And Control", "Defense Evasion", "Execution", "Persistence"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule", "ESCU - Curl Download and Bash Execution - Rule", "ESCU - Linux Curl Upload File - Rule", "ESCU - Linux Ingress Tool Transfer Hunting - Rule", "ESCU - Linux Ingress Tool Transfer with Curl - Rule", "ESCU - Linux Proxy Socks Curl - Rule", "ESCU - Suspicious Curl Network Connection - Rule", "ESCU - Wget Download and Bash Execution - Rule", "ESCU - Windows Curl Download to Suspicious Path - Rule", "ESCU - Windows Curl Upload to Remote Destination - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "BITS Jobs"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CertUtil Download With VerifyCtl and Split Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Curl Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Linux Curl Upload File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Linux Ingress Tool Transfer Hunting", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Linux Ingress Tool Transfer with Curl", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Linux Proxy Socks Curl", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Non-Application Layer Protocol"}]}}, {"name": "Suspicious Curl Network Connection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Wget Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Windows Curl Download to Suspicious Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Windows Curl Upload to Remote Destination", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}]}, {"name": "Insider Threat", "id": "c633df29-a950-4c4c-a0f8-02be6730797c", "version": 1, "date": "2022-05-19", "author": "Jose Hernandez, Splunk", "description": "Monitor for activities and techniques associated with insider threats and specifically focusing on malicious insiders operating with in a corporate environment.", "narrative": "Insider Threats are best defined by CISA: \"Insider threat incidents are possible in any sector or organization. An insider threat is typically a current or former employee, third-party contractor, or business partner. In their present or former role, the person has or had access to an organization's network systems, data, or premises, and uses their access (sometimes unwittingly). To combat the insider threat, organizations can implement a proactive, prevention-focused mitigation program to detect and identify threats, assess risk, and manage that risk - before an incident occurs.\" An insider is any person who has or had authorized access to or knowledge of an organization's resources, including personnel, facilities, information, equipment, networks, and systems. These are the common insiders that create insider threats: Departing Employees, Security Evaders, Malicious Insiders, and Negligent Employees. This story aims at detecting the malicious insider.", "references": ["https://www.imperva.com/learn/application-security/insider-threats/", "https://www.cisa.gov/defining-insider-threats", "https://www.code42.com/glossary/types-of-insider-threats/", "https://github.com/Insider-Threat/Insider-Threat", "https://ctid.mitre-engenuity.org/our-work/insider-ttp-kb/"], "tags": {"name": "Insider Threat", "analytic_story": "Insider Threat", "category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud", "Splunk Behavioral Analytics"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1567.002", "mitre_attack_technique": "Exfiltration to Cloud Storage", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Chimera", "Confucius", "Earth Lusca", "FIN7", "HAFNIUM", "HEXANE", "Kimsuky", "Leviathan", "LuminousMoth", "POLONIUM", "Threat Group-3390", "Turla", "ZIRCONIUM"]}, {"mitre_attack_id": "T1567", "mitre_attack_technique": "Exfiltration Over Web Service", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT28", "Magic Hound"]}, {"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1078.003", "mitre_attack_technique": "Local Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "FIN10", "HAFNIUM", "Kimsuky", "PROMETHIUM", "Tropic Trooper", "Turla"]}, {"mitre_attack_id": "T1552.001", "mitre_attack_technique": "Credentials In Files", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "Fox Kitten", "Kimsuky", "Leafminer", "MuddyWater", "OilRig", "TA505", "TeamTNT"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "TeamTNT", "Thrip"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Exfiltration", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Authentication", "Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Gsuite Drive Share In External Email - Rule", "ESCU - Gsuite Outbound Email With Attachment To External Domain - Rule", "ESCU - High Frequency Copy Of Files In Network Share - Rule", "ESCU - Potential password in username - Rule", "ESCU - Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Process - Rule", "ESCU - Windows Remote Access Software Hunt - Rule", "ESCU - Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate From Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Jose Hernandez", "detections": [{"name": "Gsuite Drive Share In External Email", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration to Cloud Storage"}, {"mitre_attack_technique": "Exfiltration Over Web Service"}]}}, {"name": "Gsuite Outbound Email With Attachment To External Domain", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "High Frequency Copy Of Files In Network Share", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "Potential password in username", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Accounts"}, {"mitre_attack_technique": "Credentials In Files"}]}}, {"name": "Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Failed To Authenticate From Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Remote Access Software Hunt", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Access Software"}]}}, {"name": "Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Failed To Authenticate From Process", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}]}, {"name": "JBoss Vulnerability", "id": "1f5294cb-b85f-4c2d-9c58-ffcf248f52bd", "version": 1, "date": "2017-09-14", "author": "Bhavin Patel, Splunk", "description": "In March of 2016, adversaries were seen using JexBoss--an open-source utility used for testing and exploiting JBoss application servers. These searches help detect evidence of these attacks, such as network connections to external resources or web services spawning atypical child processes, among others.", "narrative": "This Analytic Story looks for probing and exploitation attempts targeting JBoss application servers. While the vulnerabilities associated with this story are rather dated, they were leveraged in a spring 2016 campaign in connection with the Samsam ransomware variant. Incidents involving this ransomware are unique, in that they begin with attacks against vulnerable services, rather than the phishing or drive-by attacks more common with ransomware. In this case, vulnerable JBoss applications appear to be the target of choice.\\\nIt is helpful to understand how often a notable event generated by this story occurs, as well as the commonalities between some of these events, both of which may provide clues about whether this is a common occurrence of minimal concern or a rare event that may require more extensive investigation. It may also help to understand whether the issue is restricted to a single user/system or whether it is broader in scope.\\\nWhen looking at the target of the behavior uncovered by the event, you should note the sensitivity of the user and or/system to help determine the potential impact. It is also helpful to identify other recent events involving the target. This can help tie different events together and give further situational awareness regarding the target host.\\\nVarious types of information for external systems should be reviewed and, potentially, collected if the incident is, indeed, judged to be malicious. This data may be useful for generating your own threat intelligence, so you can create future alerts.\\\nThe following factors may assist you in determining whether the event is malicious: \\\n1. Country of origin\\\n1. Responsible party\\\n1. Fully qualified domain names associated with the external IP address\\\n1. Registration of fully qualified domain names associated with external IP address Determining whether it is a dynamic domain frequently visited by others and/or how third parties categorize it can also help you qualify and understand the event and possible motivation for the attack. In addition, there are various sources that may provide reputation information on the IP address or domain name, which can assist you in determining whether the event is malicious in nature. Finally, determining whether there are other events associated with the IP address may help connect data points or expose other historic events that might be brought back into scope.\\\nGathering various data on the system of interest can sometimes help quickly determine whether something suspicious is happening. Some of these items include determining who else may have logged into the system recently, whether any unusual scheduled tasks exist, whether the system is communicating on suspicious ports, whether there are modifications to sensitive registry keys, and/or whether there are any known vulnerabilities on the system. This information can often highlight other activity commonly seen in attack scenarios or give more information about how the system may have been targeted.\\\nhen a specific service or application is targeted, it is often helpful to know the associated version, to help determine whether it is vulnerable to a specific exploit.\\\nIf you suspect an attack targeting a web server, it is helpful to look at some of the behavior of the web service to see if there is evidence that the service has been compromised. Some indications of this might be network connections to external resources, the web service spawning child processes that are not associated with typical behavior, and whether the service wrote any files that might be malicious in nature.\\\nIf a suspicious file is found, we can review more information about it to help determine if it is, in fact, malicious. Identifying the file type, any processes that opened the file, the processes that may have created and/or modified the file, and how many other systems potentially have this file can you determine whether the file is malicious. Also, determining the file hash and checking it against reputation sources, such as VirusTotal, can sometimes help you quickly determine if it is malicious in nature.\\\nOften, a simple inspection of a suspect process name and path can tell you if the system has been compromised. For example, if svchost.exe is found running from a location other than `C:\\Windows\\System32`, it is likely something malicious designed to hide in plain sight when simply reviewing process names. \\\nIt can also be helpful to examine various behaviors of and the parent of the process of interest. For example, if it turns out the process of interest is malicious, it would be good to see whether the parent process spawned other processes that might also warrant further scrutiny. If a process is suspect, a review of the network connections made around the time of the event and noting whether the process has spawned any child processes could be helpful in determining whether it is malicious or executing a malicious script.", "references": ["http://www.deependresearch.org/2016/04/jboss-exploits-view-from-victim.html"], "tags": {"name": "JBoss Vulnerability", "analytic_story": "JBoss Vulnerability", "category": ["Vulnerability"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TeamTNT", "Tropic Trooper", "Turla", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}], "mitre_attack_tactics": ["Discovery"], "datamodels": ["Web"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Detect attackers scanning for vulnerable JBoss servers - Rule", "ESCU - Detect malicious requests to exploit JBoss servers - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect attackers scanning for vulnerable JBoss servers", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Information Discovery"}]}}, {"name": "Detect malicious requests to exploit JBoss servers", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Kubernetes Scanning Activity", "id": "a9ef59cf-e981-4e66-9eef-bb049f695c09", "version": 1, "date": "2020-04-15", "author": "Rod Soto, Splunk", "description": "This story addresses detection against Kubernetes cluster fingerprint scan and attack by providing information on items such as source ip, user agent, cluster names.", "narrative": "Kubernetes is the most used container orchestration platform, this orchestration platform contains sensitve information and management priviledges of production workloads, microservices and applications. These searches allow operator to detect suspicious unauthenticated requests from the internet to kubernetes cluster.", "references": ["https://github.com/splunk/cloud-datamodel-security-research"], "tags": {"name": "Kubernetes Scanning Activity", "analytic_story": "Kubernetes Scanning Activity", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Discovery"], "datamodels": ["Email"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Amazon EKS Kubernetes cluster scan detection - Rule", "ESCU - Amazon EKS Kubernetes Pod scan detection - Rule", "ESCU - GCP Kubernetes cluster pod scan detection - Rule", "ESCU - GCP Kubernetes cluster scan detection - Rule", "ESCU - Kubernetes Azure pod scan fingerprint - Rule", "ESCU - Kubernetes Azure scan fingerprint - Rule"], "investigation_names": ["ESCU - Amazon EKS Kubernetes activity by src ip - Response Task", "ESCU - GCP Kubernetes activity by src ip - Response Task", "ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "Amazon EKS Kubernetes cluster scan detection", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Service Discovery"}]}}, {"name": "Amazon EKS Kubernetes Pod scan detection", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Service Discovery"}]}}, {"name": "GCP Kubernetes cluster pod scan detection", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Service Discovery"}]}}, {"name": "GCP Kubernetes cluster scan detection", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Service Discovery"}]}}, {"name": "Kubernetes Azure pod scan fingerprint", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes Azure scan fingerprint", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Service Discovery"}]}}]}, {"name": "Kubernetes Sensitive Object Access Activity", "id": "c7d4dbf0-a171-4eaf-8444-4f40392e4f92", "version": 1, "date": "2020-05-20", "author": "Rod Soto, Splunk", "description": "This story addresses detection and response of accounts acccesing Kubernetes cluster sensitive objects such as configmaps or secrets providing information on items such as user user, group. object, namespace and authorization reason.", "narrative": "Kubernetes is the most used container orchestration platform, this orchestration platform contains sensitive objects within its architecture, specifically configmaps and secrets, if accessed by an attacker can lead to further compromise. These searches allow operator to detect suspicious requests against Kubernetes sensitive objects.", "references": ["https://www.splunk.com/en_us/blog/security/approaching-kubernetes-security-detecting-kubernetes-scan-with-splunk.html"], "tags": {"name": "Kubernetes Sensitive Object Access Activity", "analytic_story": "Kubernetes Sensitive Object Access Activity", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Kubernetes AWS detect suspicious kubectl calls - Rule", "ESCU - AWS EKS Kubernetes cluster sensitive object access - Rule", "ESCU - Kubernetes AWS detect service accounts forbidden failure access - Rule", "ESCU - Kubernetes Azure detect sensitive object access - Rule", "ESCU - Kubernetes Azure detect service accounts forbidden failure access - Rule", "ESCU - Kubernetes Azure detect suspicious kubectl calls - Rule", "ESCU - Kubernetes GCP detect sensitive object access - Rule", "ESCU - Kubernetes GCP detect service accounts forbidden failure access - Rule", "ESCU - Kubernetes GCP detect suspicious kubectl calls - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "Kubernetes AWS detect suspicious kubectl calls", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "AWS EKS Kubernetes cluster sensitive object access", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes AWS detect service accounts forbidden failure access", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes Azure detect sensitive object access", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes Azure detect service accounts forbidden failure access", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes Azure detect suspicious kubectl calls", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes GCP detect sensitive object access", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes GCP detect service accounts forbidden failure access", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes GCP detect suspicious kubectl calls", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Linux Living Off The Land", "id": "e405a2d7-dc8e-4227-8e9d-f60267b8c0cd", "version": 1, "date": "2022-07-27", "author": "Michael Haag, Splunk", "description": "Linux Living Off The Land consists of binaries that may be used to bypass local security restrictions within misconfigured systems.", "narrative": "Similar to Windows LOLBAS project, the GTFOBins project focuses solely on Unix binaries that may be abused in multiple categories including Reverse Shell, File Upload, File Download and much more. These binaries are native to the operating system and the functionality is typically native. The behaviors are typically not malicious by default or vulnerable, but these are built in functionality of the applications. When reviewing any notables or hunting through mountains of events of interest, it's important to identify the binary, review command-line arguments, path of file, and capture any network and file modifications. Linux analysis may be a bit cumbersome due to volume and how process behavior is seen in EDR products. Piecing it together will require some effort.", "references": ["https://gtfobins.github.io/"], "tags": {"name": "Linux Living Off The Land", "analytic_story": "Linux Living Off The Land", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "Rocke"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1222.002", "mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1115", "mitre_attack_technique": "Clipboard Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT38", "APT39"]}, {"mitre_attack_id": "T1548.001", "mitre_attack_technique": "Setuid and Setgid", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1059.004", "mitre_attack_technique": "Unix Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT41", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1098.004", "mitre_attack_technique": "SSH Authorized Keys", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Earth Lusca", "TeamTNT"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "POLONIUM", "Sandworm Team", "Turla", "Windigo"]}, {"mitre_attack_id": "T1095", "mitre_attack_technique": "Non-Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT3", "BITTER", "BackdoorDiplomacy", "FIN6", "HAFNIUM", "Metador", "PLATINUM"]}, {"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.004", "mitre_attack_technique": "SSH", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT39", "BlackTech", "FIN7", "Fox Kitten", "GCMAN", "Lazarus Group", "Leviathan", "OilRig", "Rocke", "TEMP.Veles", "TeamTNT", "menuPass"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Defense Evasion", "Execution", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Curl Download and Bash Execution - Rule", "ESCU - Linux Add Files In Known Crontab Directories - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux apt-get Privilege Escalation - Rule", "ESCU - Linux APT Privilege Escalation - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux AWK Privilege Escalation - Rule", "ESCU - Linux Busybox Privilege Escalation - Rule", "ESCU - Linux c89 Privilege Escalation - Rule", "ESCU - Linux c99 Privilege Escalation - Rule", "ESCU - Linux Change File Owner To Root - Rule", "ESCU - Linux Clipboard Data Copy - Rule", "ESCU - Linux Common Process For Elevation Control - Rule", "ESCU - Linux Composer Privilege Escalation - Rule", "ESCU - Linux Cpulimit Privilege Escalation - Rule", "ESCU - Linux Csvtool Privilege Escalation - Rule", "ESCU - Linux Curl Upload File - Rule", "ESCU - Linux Decode Base64 to Shell - Rule", "ESCU - Linux Docker Privilege Escalation - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux Emacs Privilege Escalation - Rule", "ESCU - Linux Find Privilege Escalation - Rule", "ESCU - Linux GDB Privilege Escalation - Rule", "ESCU - Linux Gem Privilege Escalation - Rule", "ESCU - Linux GNU Awk Privilege Escalation - Rule", "ESCU - Linux Ingress Tool Transfer Hunting - Rule", "ESCU - Linux Ingress Tool Transfer with Curl - Rule", "ESCU - Linux Make Privilege Escalation - Rule", "ESCU - Linux MySQL Privilege Escalation - Rule", "ESCU - Linux Node Privilege Escalation - Rule", "ESCU - Linux Obfuscated Files or Information Base64 Decode - Rule", "ESCU - Linux Octave Privilege Escalation - Rule", "ESCU - Linux OpenVPN Privilege Escalation - Rule", "ESCU - Linux PHP Privilege Escalation - Rule", "ESCU - Linux pkexec Privilege Escalation - Rule", "ESCU - Linux Possible Access Or Modification Of sshd Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Possible Ssh Key File Creation - Rule", "ESCU - Linux Proxy Socks Curl - Rule", "ESCU - Linux Puppet Privilege Escalation - Rule", "ESCU - Linux RPM Privilege Escalation - Rule", "ESCU - Linux Ruby Privilege Escalation - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Linux Setuid Using Chmod Utility - Rule", "ESCU - Linux Sqlite3 Privilege Escalation - Rule", "ESCU - Linux SSH Authorized Keys Modification - Rule", "ESCU - Linux SSH Remote Services Script Execute - Rule", "ESCU - Suspicious Curl Network Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Curl Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Linux Add Files In Known Crontab Directories", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux apt-get Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux APT Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux At Allow Config File Creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux At Application Execution", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux AWK Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Busybox Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux c89 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux c99 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Change File Owner To Root", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification"}, {"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Linux Clipboard Data Copy", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Clipboard Data"}]}}, {"name": "Linux Common Process For Elevation Control", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Composer Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Cpulimit Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Csvtool Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Curl Upload File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Linux Decode Base64 to Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Unix Shell"}]}}, {"name": "Linux Docker Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Edit Cron Table Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Emacs Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Find Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux GDB Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Gem Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux GNU Awk Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Ingress Tool Transfer Hunting", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Linux Ingress Tool Transfer with Curl", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Linux Make Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux MySQL Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Node Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Obfuscated Files or Information Base64 Decode", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Linux Octave Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux OpenVPN Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux PHP Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux pkexec Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Linux Possible Access Or Modification Of sshd Config File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SSH Authorized Keys"}, {"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Possible Cronjob Modification With Editor", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Possible Ssh Key File Creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SSH Authorized Keys"}, {"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Linux Proxy Socks Curl", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Non-Application Layer Protocol"}]}}, {"name": "Linux Puppet Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux RPM Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Ruby Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Service File Created In Systemd Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Service Started Or Enabled", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Setuid Using Chmod Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Sqlite3 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux SSH Authorized Keys Modification", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SSH Authorized Keys"}]}}, {"name": "Linux SSH Remote Services Script Execute", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SSH"}]}}, {"name": "Suspicious Curl Network Connection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}]}, {"name": "Linux Persistence Techniques", "id": "e40d13e5-d38b-457e-af2a-e8e6a2f2b516", "version": 1, "date": "2021-12-17", "author": "Teoderick Contreras, Splunk", "description": "Monitor for activities and techniques associated with maintaining persistence on a Linux system--a sign that an adversary may have compromised your environment.", "narrative": "Maintaining persistence is one of the first steps taken by attackers after the initial compromise. Attackers leverage various custom and built-in tools to ensure survivability and persistent access within a compromised enterprise. This Analytic Story provides searches to help you identify various behaviors used by attackers to maintain persistent access to a Linux environment.", "references": ["https://attack.mitre.org/techniques/T1053/", "https://kifarunix.com/scheduling-tasks-using-at-command-in-linux/", "https://gtfobins.github.io/gtfobins/at/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf"], "tags": {"name": "Linux Persistence Techniques", "analytic_story": "Linux Persistence Techniques", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "Rocke"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "Dragonfly", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1222.002", "mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548.001", "mitre_attack_technique": "Setuid and Setgid", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1037.004", "mitre_attack_technique": "RC Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Rocke"]}, {"mitre_attack_id": "T1546.004", "mitre_attack_technique": "Unix Shell Configuration Modification", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1098.004", "mitre_attack_technique": "SSH Authorized Keys", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Earth Lusca", "TeamTNT"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1003.008", "mitre_attack_technique": "/etc/passwd and /etc/shadow", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1574.006", "mitre_attack_technique": "Dynamic Linker Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Rocke"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Execution", "Impact", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Linux Add Files In Known Crontab Directories - Rule", "ESCU - Linux Add User Account - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux Change File Owner To Root - Rule", "ESCU - Linux Common Process For Elevation Control - Rule", "ESCU - Linux Doas Conf File Creation - Rule", "ESCU - Linux Doas Tool Execution - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux File Created In Kernel Driver Directory - Rule", "ESCU - Linux File Creation In Init Boot Directory - Rule", "ESCU - Linux File Creation In Profile Directory - Rule", "ESCU - Linux Insert Kernel Module Using Insmod Utility - Rule", "ESCU - Linux Install Kernel Module Using Modprobe Utility - Rule", "ESCU - Linux NOPASSWD Entry In Sudoers File - Rule", "ESCU - Linux Persistence and Privilege Escalation Risk Behavior - Rule", "ESCU - Linux Possible Access Or Modification Of sshd Config File - Rule", "ESCU - Linux Possible Access To Credential Files - Rule", "ESCU - Linux Possible Access To Sudoers File - Rule", "ESCU - Linux Possible Append Command To At Allow Config File - Rule", "ESCU - Linux Possible Append Command To Profile Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Possible Ssh Key File Creation - Rule", "ESCU - Linux Preload Hijack Library Calls - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Linux Setuid Using Chmod Utility - Rule", "ESCU - Linux Setuid Using Setcap Utility - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Sudo OR Su Execution - Rule", "ESCU - Linux Sudoers Tmp File Creation - Rule", "ESCU - Linux Visudo Utility Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Add Files In Known Crontab Directories", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Add User Account", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux At Allow Config File Creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux At Application Execution", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Change File Owner To Root", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification"}, {"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Linux Common Process For Elevation Control", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Doas Conf File Creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Doas Tool Execution", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Edit Cron Table Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux File Created In Kernel Driver Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Linux File Creation In Init Boot Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "RC Scripts"}, {"mitre_attack_technique": "Boot or Logon Initialization Scripts"}]}}, {"name": "Linux File Creation In Profile Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unix Shell Configuration Modification"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Linux Insert Kernel Module Using Insmod Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Linux Install Kernel Module Using Modprobe Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Linux NOPASSWD Entry In Sudoers File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Persistence and Privilege Escalation Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Possible Access Or Modification Of sshd Config File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SSH Authorized Keys"}, {"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Linux Possible Access To Credential Files", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "/etc/passwd and /etc/shadow"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Linux Possible Access To Sudoers File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Possible Append Command To At Allow Config File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Possible Append Command To Profile Config File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unix Shell Configuration Modification"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Possible Cronjob Modification With Editor", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Possible Ssh Key File Creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SSH Authorized Keys"}, {"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Linux Preload Hijack Library Calls", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Dynamic Linker Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Linux Service File Created In Systemd Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Service Started Or Enabled", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Setuid Using Chmod Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Setuid Using Setcap Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Sudo OR Su Execution", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Sudoers Tmp File Creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Visudo Utility Execution", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}]}, {"name": "Linux Post-Exploitation", "id": "d310ccfe-5477-11ec-ad05-acde48001122", "version": 1, "date": "2021-12-03", "author": "Rod Soto", "description": "This analytic story identifies popular Linux post exploitation tools such as autoSUID, LinEnum, LinPEAS, Linux Exploit Suggesters, MimiPenguin.", "narrative": "These tools allow operators find possible exploits or paths for privilege escalation based on SUID binaries, user permissions, kernel version and distro version.", "references": ["https://attack.mitre.org/matrices/enterprise/linux/"], "tags": {"name": "Linux Post-Exploitation", "analytic_story": "Linux Post-Exploitation", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.004", "mitre_attack_technique": "Unix Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT41", "Rocke", "TeamTNT"]}], "mitre_attack_tactics": ["Execution"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation"]}, "detection_names": ["ESCU - Suspicious Linux Discovery Commands - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Rod Soto", "detections": [{"name": "Suspicious Linux Discovery Commands", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unix Shell"}]}}]}, {"name": "Linux Privilege Escalation", "id": "b9879c24-670a-44c0-895e-98cdb7d0e848", "version": 1, "date": "2021-12-17", "author": "Teoderick Contreras, Splunk", "description": "Monitor for and investigate activities that may be associated with a Linux privilege-escalation attack, including unusual processes running on endpoints, schedule task, services, setuid, root execution and more.", "narrative": "Privilege escalation is a \"land-and-expand\" technique, wherein an adversary gains an initial foothold on a host and then exploits its weaknesses to increase his privileges. The motivation is simple: certain actions on a Linux machine--such as installing software--may require higher-level privileges than those the attacker initially acquired. By increasing his privilege level, the attacker can gain the control required to carry out his malicious ends. This Analytic Story provides searches to detect and investigate behaviors that attackers may use to elevate their privileges in your environment.", "references": ["https://attack.mitre.org/tactics/TA0004/"], "tags": {"name": "Linux Privilege Escalation", "analytic_story": "Linux Privilege Escalation", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "Rocke"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "Dragonfly", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1222.002", "mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548.001", "mitre_attack_technique": "Setuid and Setgid", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1037.004", "mitre_attack_technique": "RC Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Rocke"]}, {"mitre_attack_id": "T1546.004", "mitre_attack_technique": "Unix Shell Configuration Modification", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1098.004", "mitre_attack_technique": "SSH Authorized Keys", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Earth Lusca", "TeamTNT"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1003.008", "mitre_attack_technique": "/etc/passwd and /etc/shadow", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1574.006", "mitre_attack_technique": "Dynamic Linker Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Rocke"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Execution", "Impact", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Linux Add Files In Known Crontab Directories - Rule", "ESCU - Linux Add User Account - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux apt-get Privilege Escalation - Rule", "ESCU - Linux APT Privilege Escalation - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux AWK Privilege Escalation - Rule", "ESCU - Linux Busybox Privilege Escalation - Rule", "ESCU - Linux c89 Privilege Escalation - Rule", "ESCU - Linux c99 Privilege Escalation - Rule", "ESCU - Linux Change File Owner To Root - Rule", "ESCU - Linux Common Process For Elevation Control - Rule", "ESCU - Linux Composer Privilege Escalation - Rule", "ESCU - Linux Cpulimit Privilege Escalation - Rule", "ESCU - Linux Csvtool Privilege Escalation - Rule", "ESCU - Linux Doas Conf File Creation - Rule", "ESCU - Linux Doas Tool Execution - Rule", "ESCU - Linux Docker Privilege Escalation - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux Emacs Privilege Escalation - Rule", "ESCU - Linux File Created In Kernel Driver Directory - Rule", "ESCU - Linux File Creation In Init Boot Directory - Rule", "ESCU - Linux File Creation In Profile Directory - Rule", "ESCU - Linux Find Privilege Escalation - Rule", "ESCU - Linux GDB Privilege Escalation - Rule", "ESCU - Linux Gem Privilege Escalation - Rule", "ESCU - Linux GNU Awk Privilege Escalation - Rule", "ESCU - Linux Insert Kernel Module Using Insmod Utility - Rule", "ESCU - Linux Install Kernel Module Using Modprobe Utility - Rule", "ESCU - Linux Make Privilege Escalation - Rule", "ESCU - Linux MySQL Privilege Escalation - Rule", "ESCU - Linux Node Privilege Escalation - Rule", "ESCU - Linux NOPASSWD Entry In Sudoers File - Rule", "ESCU - Linux Octave Privilege Escalation - Rule", "ESCU - Linux OpenVPN Privilege Escalation - Rule", "ESCU - Linux Persistence and Privilege Escalation Risk Behavior - Rule", "ESCU - Linux PHP Privilege Escalation - Rule", "ESCU - Linux pkexec Privilege Escalation - Rule", "ESCU - Linux Possible Access Or Modification Of sshd Config File - Rule", "ESCU - Linux Possible Access To Credential Files - Rule", "ESCU - Linux Possible Access To Sudoers File - Rule", "ESCU - Linux Possible Append Command To At Allow Config File - Rule", "ESCU - Linux Possible Append Command To Profile Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Possible Ssh Key File Creation - Rule", "ESCU - Linux Preload Hijack Library Calls - Rule", "ESCU - Linux Puppet Privilege Escalation - Rule", "ESCU - Linux RPM Privilege Escalation - Rule", "ESCU - Linux Ruby Privilege Escalation - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Linux Setuid Using Chmod Utility - Rule", "ESCU - Linux Setuid Using Setcap Utility - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Sqlite3 Privilege Escalation - Rule", "ESCU - Linux Sudo OR Su Execution - Rule", "ESCU - Linux Sudoers Tmp File Creation - Rule", "ESCU - Linux Visudo Utility Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Add Files In Known Crontab Directories", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Add User Account", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux apt-get Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux APT Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux At Allow Config File Creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux At Application Execution", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux AWK Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Busybox Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux c89 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux c99 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Change File Owner To Root", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification"}, {"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Linux Common Process For Elevation Control", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Composer Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Cpulimit Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Csvtool Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Doas Conf File Creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Doas Tool Execution", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Docker Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Edit Cron Table Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Emacs Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux File Created In Kernel Driver Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Linux File Creation In Init Boot Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "RC Scripts"}, {"mitre_attack_technique": "Boot or Logon Initialization Scripts"}]}}, {"name": "Linux File Creation In Profile Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unix Shell Configuration Modification"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Linux Find Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux GDB Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Gem Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux GNU Awk Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Insert Kernel Module Using Insmod Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Linux Install Kernel Module Using Modprobe Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Linux Make Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux MySQL Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Node Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux NOPASSWD Entry In Sudoers File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Octave Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux OpenVPN Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Persistence and Privilege Escalation Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux PHP Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux pkexec Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Linux Possible Access Or Modification Of sshd Config File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SSH Authorized Keys"}, {"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Linux Possible Access To Credential Files", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "/etc/passwd and /etc/shadow"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Linux Possible Access To Sudoers File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Possible Append Command To At Allow Config File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Possible Append Command To Profile Config File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unix Shell Configuration Modification"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Possible Cronjob Modification With Editor", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Possible Ssh Key File Creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SSH Authorized Keys"}, {"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Linux Preload Hijack Library Calls", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Dynamic Linker Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Linux Puppet Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux RPM Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Ruby Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Service File Created In Systemd Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Service Started Or Enabled", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Setuid Using Chmod Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Setuid Using Setcap Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Sqlite3 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Sudo OR Su Execution", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Sudoers Tmp File Creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Visudo Utility Execution", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}]}, {"name": "Linux Rootkit", "id": "e30f4054-ac08-4999-b8bc-5cc46886c18d", "version": 1, "date": "2022-07-27", "author": "Michael Haag, Splunk", "description": "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.", "narrative": "Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or System Firmware. Rootkits have been seen for Windows, Linux, and Mac OS X systems. Linux rootkits may not standout as much as a Windows rootkit, therefore understanding what kernel modules are installed today and monitoring for new is important. As with any rootkit, it may blend in using a common kernel name or variation of legitimate names.", "references": ["https://attack.mitre.org/techniques/T1014/", "https://content.fireeye.com/apt-41/rpt-apt41", "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a"], "tags": {"name": "Linux Rootkit", "analytic_story": "Linux Rootkit", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TeamTNT", "Tropic Trooper", "Turla", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}, {"mitre_attack_id": "T1014", "mitre_attack_technique": "Rootkit", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT41", "Rocke", "TeamTNT", "Winnti Group"]}], "mitre_attack_tactics": ["Defense Evasion", "Discovery", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Linux File Created In Kernel Driver Directory - Rule", "ESCU - Linux Insert Kernel Module Using Insmod Utility - Rule", "ESCU - Linux Install Kernel Module Using Modprobe Utility - Rule", "ESCU - Linux Kernel Module Enumeration - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Linux File Created In Kernel Driver Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Linux Insert Kernel Module Using Insmod Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Linux Install Kernel Module Using Modprobe Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Linux Kernel Module Enumeration", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Information Discovery"}, {"mitre_attack_technique": "Rootkit"}]}}]}, {"name": "Living Off The Land", "id": "6f7982e2-900b-11ec-a54a-acde48001122", "version": 2, "date": "2022-03-16", "author": "Lou Stella, Splunk", "description": "Leverage analytics that allow you to identify the presence of an adversary leveraging native applications within your environment.", "narrative": "Living Off The Land refers to an adversary methodology of using native applications already installed on the target operating system to achieve their objective. Native utilities provide the adversary with reduced chances of detection by antivirus software or EDR tools. This allows the adversary to blend in with native process behavior.", "references": ["https://lolbas-project.github.io/"], "tags": {"name": "Living Off The Land", "analytic_story": "Living Off The Land", "category": ["Adversary Tactics", "Unauthorized Software", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1197", "mitre_attack_technique": "BITS Jobs", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT39", "APT41", "Leviathan", "Patchwork"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1140", "mitre_attack_technique": "Deobfuscate/Decode Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT39", "BRONZE BUTLER", "Darkhotel", "Earth Lusca", "Gamaredon Group", "Gorgon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Molerats", "MuddyWater", "OilRig", "Rocke", "Sandworm Team", "TA505", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "WIRTE", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.002", "mitre_attack_technique": "Control Panel", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Ember Bear"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1218.001", "mitre_attack_technique": "Compiled HTML File", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "APT41", "Dark Caracal", "OilRig", "Silence"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA551"]}, {"mitre_attack_id": "T1218.009", "mitre_attack_technique": "Regsvcs/Regasm", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1567", "mitre_attack_technique": "Exfiltration Over Web Service", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT28", "Magic Hound"]}, {"mitre_attack_id": "T1059.004", "mitre_attack_technique": "Unix Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT41", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1647", "mitre_attack_technique": "Plist File Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.013", "mitre_attack_technique": "Mavinject", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574.001", "mitre_attack_technique": "DLL Search Order Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Aquatic Panda", "BackdoorDiplomacy", "Evilnum", "RTM", "Threat Group-3390", "Tonto Team", "Whitefly", "menuPass"]}, {"mitre_attack_id": "T1202", "mitre_attack_technique": "Indirect Command Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1546.003", "mitre_attack_technique": "Windows Management Instrumentation Event Subscription", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT33", "Blue Mockingbird", "FIN8", "Leviathan", "Metador", "Mustang Panda", "Turla"]}, {"mitre_attack_id": "T1218.008", "mitre_attack_technique": "Odbcconf", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group"]}, {"mitre_attack_id": "T1216", "mitre_attack_technique": "System Script Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Execution", "Exfiltration", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Traffic", "Risk"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - BITS Job Persistence - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule", "ESCU - Certutil exe certificate extraction - Rule", "ESCU - CertUtil With Decode Argument - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Control Loading from World Writable Directory - Rule", "ESCU - Creation of Shadow Copy with wmic and powershell - Rule", "ESCU - Detect HTML Help Renamed - Rule", "ESCU - Detect HTML Help Spawn Child Process - Rule", "ESCU - Detect HTML Help URL in Command Line - Rule", "ESCU - Detect HTML Help Using InfoTech Storage Handlers - Rule", "ESCU - Detect mshta inline hta execution - Rule", "ESCU - Detect mshta renamed - Rule", "ESCU - Detect MSHTA Url in Command Line - Rule", "ESCU - Detect Regasm Spawning a Process - Rule", "ESCU - Detect Regasm with Network Connection - Rule", "ESCU - Detect Regasm with no Command Line Arguments - Rule", "ESCU - Detect Regsvcs Spawning a Process - Rule", "ESCU - Detect Regsvcs with Network Connection - Rule", "ESCU - Detect Regsvcs with No Command Line Arguments - Rule", "ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - Detect Rundll32 Application Control Bypass - advpack - Rule", "ESCU - Detect Rundll32 Application Control Bypass - setupapi - Rule", "ESCU - Detect Rundll32 Application Control Bypass - syssetup - Rule", "ESCU - Detect Rundll32 Inline HTA Execution - Rule", "ESCU - Disable Schedule Task - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Esentutl SAM Copy - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Living Off The Land - Rule", "ESCU - LOLBAS With Network Traffic - Rule", "ESCU - MacOS LOLbin - Rule", "ESCU - MacOS plutil - Rule", "ESCU - Mmc LOLBAS Execution Process Spawn - Rule", "ESCU - Mshta spawning Rundll32 OR Regsvr32 Process - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Reg exe Manipulating Windows Services Registry Keys - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Rundll32 Control RunDLL Hunt - Rule", "ESCU - Rundll32 Control RunDLL World Writable Directory - Rule", "ESCU - Rundll32 Create Remote Thread To A Process - Rule", "ESCU - Rundll32 CreateRemoteThread In Browser - Rule", "ESCU - Rundll32 DNSQuery - Rule", "ESCU - Rundll32 Process Creating Exe Dll Files - Rule", "ESCU - Rundll32 Shimcache Flush - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Scheduled Task Initiation on Remote Endpoint - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Services LOLBAS Execution Process Spawn - Rule", "ESCU - Suspicious IcedID Rundll32 Cmdline - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious microsoft workflow compiler usage - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious MSBuild Spawn - Rule", "ESCU - Suspicious mshta child process - Rule", "ESCU - Suspicious mshta spawn - Rule", "ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule", "ESCU - Suspicious Rundll32 dllregisterserver - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Svchost LOLBAS Execution Process Spawn - Rule", "ESCU - Windows Binary Proxy Execution Mavinject DLL Injection - Rule", "ESCU - Windows COM Hijacking InprocServer32 Modification - Rule", "ESCU - Windows Diskshadow Proxy Execution - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt with Sysmon - Rule", "ESCU - Windows DLL Search Order Hijacking with iscsicpl - Rule", "ESCU - Windows Identify Protocol Handlers - Rule", "ESCU - Windows Indirect Command Execution Via forfiles - Rule", "ESCU - Windows Indirect Command Execution Via pcalua - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows InstallUtil Remote Network Connection - Rule", "ESCU - Windows InstallUtil Uninstall Option - Rule", "ESCU - Windows InstallUtil Uninstall Option with Network - Rule", "ESCU - Windows InstallUtil URL in Command Line - Rule", "ESCU - Windows MOF Event Triggered Execution via WMI - Rule", "ESCU - Windows Odbcconf Hunting - Rule", "ESCU - Windows Odbcconf Load DLL - Rule", "ESCU - Windows Odbcconf Load Response File - Rule", "ESCU - Windows System Binary Proxy Execution Compiled HTML File Decompile - Rule", "ESCU - Windows System Script Proxy Execution Syncappvpublishingserver - Rule", "ESCU - WSReset UAC Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Lou Stella", "detections": [{"name": "BITS Job Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "BITS Jobs"}]}}, {"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "BITS Jobs"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CertUtil Download With VerifyCtl and Split Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Certutil exe certificate extraction", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "CertUtil With Decode Argument", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Deobfuscate/Decode Files or Information"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Control Loading from World Writable Directory", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Control Panel"}]}}, {"name": "Creation of Shadow Copy with wmic and powershell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Detect HTML Help Renamed", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}}, {"name": "Detect HTML Help Spawn Child Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}}, {"name": "Detect HTML Help URL in Command Line", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}}, {"name": "Detect HTML Help Using InfoTech Storage Handlers", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}}, {"name": "Detect mshta inline hta execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Detect mshta renamed", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Detect MSHTA Url in Command Line", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Detect Regasm Spawning a Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regasm with Network Connection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regasm with no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regsvcs Spawning a Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regsvcs with Network Connection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regsvcs with No Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Detect Rundll32 Application Control Bypass - advpack", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Detect Rundll32 Application Control Bypass - setupapi", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Detect Rundll32 Application Control Bypass - syssetup", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Detect Rundll32 Inline HTA Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Disable Schedule Task", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Esentutl SAM Copy", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Eventvwr UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Living Off The Land", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "LOLBAS With Network Traffic", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Exfiltration Over Web Service"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "MacOS LOLbin", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unix Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "MacOS plutil", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Plist File Modification"}]}}, {"name": "Mmc LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "MMC"}]}}, {"name": "Mshta spawning Rundll32 OR Regsvr32 Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Reg exe Manipulating Windows Services Registry Keys", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Rundll32 Control RunDLL Hunt", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Rundll32 Control RunDLL World Writable Directory", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Rundll32 Create Remote Thread To A Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Rundll32 CreateRemoteThread In Browser", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Rundll32 DNSQuery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Rundll32 Process Creating Exe Dll Files", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Rundll32 Shimcache Flush", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "RunDLL Loading DLL By Ordinal", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Schedule Task with HTTP Command Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Scheduled Task Creation on Remote Endpoint using At", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "At"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Scheduled Task Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Services LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Suspicious IcedID Rundll32 Cmdline", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Suspicious microsoft workflow compiler usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}]}}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "Suspicious MSBuild Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "Suspicious mshta child process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Suspicious mshta spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Suspicious Regsvr32 Register Suspicious Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Suspicious Rundll32 dllregisterserver", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Svchost LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Windows Binary Proxy Execution Mavinject DLL Injection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Mavinject"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows COM Hijacking InprocServer32 Modification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Component Object Model Hijacking"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Windows Diskshadow Proxy Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows DLL Search Order Hijacking Hunt", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Windows DLL Search Order Hijacking Hunt with Sysmon", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Windows DLL Search Order Hijacking with iscsicpl", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Search Order Hijacking"}]}}, {"name": "Windows Identify Protocol Handlers", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Indirect Command Execution Via forfiles", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indirect Command Execution"}]}}, {"name": "Windows Indirect Command Execution Via pcalua", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indirect Command Execution"}]}}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows InstallUtil Remote Network Connection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows InstallUtil Uninstall Option", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows InstallUtil Uninstall Option with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows InstallUtil URL in Command Line", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows MOF Event Triggered Execution via WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation Event Subscription"}]}}, {"name": "Windows Odbcconf Hunting", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Odbcconf"}]}}, {"name": "Windows Odbcconf Load DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Odbcconf"}]}}, {"name": "Windows Odbcconf Load Response File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Odbcconf"}]}}, {"name": "Windows System Binary Proxy Execution Compiled HTML File Decompile", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compiled HTML File"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows System Script Proxy Execution Syncappvpublishingserver", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Script Proxy Execution"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "WSReset UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}]}, {"name": "Local Privilege Escalation With KrbRelayUp", "id": "765790f0-2f8f-4048-8321-fd1928ec2546", "version": 1, "date": "2022-04-28", "author": "Michael Haag, Mauricio Velazco, Splunk", "description": "KrbRelayUp is a tool that allows local privilege escalation from low-priviliged domain user to local system on domain-joined computers.", "narrative": "In October 2021, James Forshaw from Googles Project Zero released a research blog post titled `Using Kerberos for Authentication Relay Attacks`. This research introduced, for the first time, ways to make Windows authenticate to a different Service Principal Name (SPN) than what would normally be derived from the hostname the client is connecting to. This effectively proved that relaying Kerberos authentication is possible\\\\. In April 2022, security researcher Mor Davidovich released a tool named KrbRelayUp which implements Kerberos relaying as well as other known Kerberos techniques with the goal of escalating privileges from a low-privileged domain user on a domain-joined device and obtain a SYSTEM shell.", "references": ["https://github.com/Dec0ne/KrbRelayUp", "https://gist.github.com/tothi/bf6c59d6de5d0c9710f23dae5750c4b9", "https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html", "https://dirkjanm.io/relaying-kerberos-over-dns-with-krbrelayx-and-mitm6/", "https://github.com/cube0x0/KrbRelay"], "tags": {"name": "Local Privilege Escalation With KrbRelayUp", "analytic_story": "Local Privilege Escalation With KrbRelayUp", "category": ["Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}], "mitre_attack_tactics": ["Credential Access", "Persistence", "Privilege Escalation"], "datamodels": ["Authentication", "Change"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Windows Computer Account Created by Computer Account - Rule", "ESCU - Windows Computer Account Requesting Kerberos Ticket - Rule", "ESCU - Windows Computer Account With SPN - Rule", "ESCU - Windows Kerberos Local Successful Logon - Rule", "ESCU - Windows KrbRelayUp Service Creation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Computer Account Created by Computer Account", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows Computer Account Requesting Kerberos Ticket", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows Computer Account With SPN", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows Kerberos Local Successful Logon", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows KrbRelayUp Service Creation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}]}}]}, {"name": "Log4Shell CVE-2021-44228", "id": "b4453928-5a98-11ec-afcd-8de10b48fc52", "version": 1, "date": "2021-12-11", "author": "Jose Hernandez", "description": "Log4Shell or CVE-2021-44228 is a Remote Code Execution (RCE) vulnerability in the Apache Log4j library, a widely used and ubiquitous logging framework for Java. The vulnerability allows an attacker who can control log messages to execute arbitrary code loaded from attacker-controlled servers and we anticipate that most apps using the Log4j library will meet this condition.", "narrative": "In late November 2021, Chen Zhaojun of Alibaba identified a remote code execution vulnerability. Previous work was seen in a 2016 Blackhat talk by Alvaro Munoz and Oleksandr Mirosh called [\"A Journey from JNDI/LDAP Manipulation to Remote Code Execution Dream Land\"](https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf). Reported under the CVE ID : CVE-2021-44228, released to the public on December 10, 2021. The vulnerability is exploited through improper deserialization of user input passed into the framework. It permits remote code execution and it can allow an attacker to leak sensitive data, such as environment variables, or execute malicious software on the target system.", "references": ["https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/", "https://www.fastly.com/blog/digging-deeper-into-log4shell-0day-rce-exploit-found-in-log4j", "https://www.crowdstrike.com/blog/log4j2-vulnerability-analysis-and-mitigation-recommendations/", "https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://www.splunk.com/en_us/blog/security/log-jammin-log4j-2-rce.html"], "tags": {"name": "Log4Shell CVE-2021-44228", "analytic_story": "Log4Shell CVE-2021-44228", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}], "mitre_attack_tactics": ["Command And Control", "Execution", "Initial Access"], "datamodels": ["Endpoint", "Network_Traffic", "Risk", "Web"], "kill_chain_phases": ["Command And Control", "Delivery", "Installation"]}, "detection_names": ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Curl Download and Bash Execution - Rule", "ESCU - Java Class File download by Java User Agent - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Log4Shell CVE-2021-44228 Exploitation - Rule", "ESCU - Outbound Network Connection from Java Using Default Ports - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Wget Download and Bash Execution - Rule", "ESCU - Windows Java Spawning Shells - Rule", "ESCU - Detect Outbound LDAP Traffic - Rule", "ESCU - Hunting for Log4Shell - Rule", "ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", "ESCU - Log4Shell JNDI Payload Injection with Outbound Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Jose Hernandez", "detections": [{"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Curl Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Java Class File download by Java User Agent", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Linux Java Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Log4Shell CVE-2021-44228 Exploitation", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Outbound Network Connection from Java Using Default Ports", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Wget Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Windows Java Spawning Shells", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Detect Outbound LDAP Traffic", "source": "network", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Hunting for Log4Shell", "source": "web", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Log4Shell JNDI Payload Injection Attempt", "source": "web", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Log4Shell JNDI Payload Injection with Outbound Connection", "source": "web", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "Malicious PowerShell", "id": "2c8ff66e-0b57-42af-8ad7-912438a403fc", "version": 5, "date": "2017-08-23", "author": "David Dorsey, Splunk", "description": "Attackers are finding stealthy ways \"live off the land,\" leveraging utilities and tools that come standard on the endpoint--such as PowerShell--to achieve their goals without downloading binary files. These searches can help you detect and investigate PowerShell command-line options that may be indicative of malicious intent.", "narrative": "The searches in this Analytic Story monitor for parameters often used for malicious purposes. It is helpful to understand how often the notable events generated by this story occur, as well as the commonalities between some of these events. These factors may provide clues about whether this is a common occurrence of minimal concern or a rare event that may require more extensive investigation. Likewise, it is important to determine whether the issue is restricted to a single user/system or is broader in scope. \\\nThe following factors may assist you in determining whether the event is malicious: \\\n1. Country of origin \\\n1. Responsible party \\\n1. Fully qualified domain names associated with the external IP address \\\n1. Registration of fully qualified domain names associated with external IP address \\\nDetermining whether it is a dynamic domain frequently visited by others and/or how third parties categorize it can also help you answer some questions surrounding the attacker and details related to the external system. In addition, there are various sources--such as VirusTotal— that can provide some reputation information on the IP address or domain name, which can assist in determining whether the event is malicious. Finally, determining whether there are other events associated with the IP address may help connect data points or show other events that should be brought into scope. \\\nGathering data on the system of interest can sometimes help you quickly determine whether something suspicious is happening. Some of these items include finding out who else may have recently logged into the system, whether any unusual scheduled tasks exist, whether the system is communicating on suspicious ports, whether there are modifications to sensitive registry keys, and whether there are any known vulnerabilities on the system. This information can often highlight other activity commonly seen in attack scenarios or give more information about how the system may have been targeted. \\\nOften, a simple inspection of the process name and path can tell you if the system has been compromised. For example, if `svchost.exe` is found running from a location other than `C:\\Windows\\System32`, it is likely something malicious designed to hide in plain sight when cursorily reviewing process names. Similarly, if the process itself seems legitimate, but the parent process is running from the temporary browser cache, that could be indicative of activity initiated via a compromised website a user visited. \\\nIt can also be very helpful to examine various behaviors of the process of interest or the parent of the process of interest. For example, if it turns out the process of interest is malicious, it would be good to see if the parent to that process spawned other processes that might be worth further scrutiny. If a process is suspect, a review of the network connections made in and around the time of the event and/or whether the process spawned any child processes could be helpful, as well. \\\nIn the event a system is suspected of having been compromised via a malicious website, we suggest reviewing the browsing activity from that system around the time of the event. If categories are given for the URLs visited, that can help you zero in on possible malicious sites. \\\nMost recently we have added new content related to PowerShell Script Block logging, Windows EventCode 4104. Script block logging presents the deobfuscated and raw script executed on an endpoint. The analytics produced were tested against commonly used attack frameworks - PowerShell-Empire, Cobalt Strike and Covenant. In addition, we sampled publicly available samples that utilize PowerShell and validated coverage. The analytics are here to identify suspicious usage, cmdlets, or script values. 4104 events are enabled via the Windows registry and may generate a large volume of data if enabled globally. Enabling on critical systems or a limited set may be best. During triage of 4104 events, review parallel processes for other processes and command executed. Identify any file modifications and network communication and review accordingly. Fortunately, we get the full script to determine the level of threat identified.", "references": ["https://blogs.mcafee.com/mcafee-labs/malware-employs-powershell-to-infect-systems/", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"], "tags": {"name": "Malicious PowerShell", "analytic_story": "Malicious PowerShell", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1027.005", "mitre_attack_technique": "Indicator Removal from Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT3", "Deep Panda", "GALLIUM", "OilRig", "Patchwork", "TEMP.Veles", "Turla"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Suspicious Powershell Command-Line Arguments - Rule", "ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Detect Empire with PowerShell Script Block Logging - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - GetLocalUser with PowerShell Script Block - Rule", "ESCU - GetWmiObject User Account with PowerShell Script Block - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process With Obfuscation Techniques - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Powershell COM Hijacking InprocServer32 Modification - Rule", "ESCU - Powershell Creating Thread Mutex - Rule", "ESCU - PowerShell Domain Enumeration - Rule", "ESCU - PowerShell Enable PowerShell Remoting - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Powershell Fileless Process Injection via GetProcAddress - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Invoke CIMMethod CIMSession - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Unloading AMSI via Reflection - Rule", "ESCU - WMI Recon Running Process Or Services - Rule"], "investigation_names": ["ESCU - Get History Of Email Sources - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Suspicious Powershell Command-Line Arguments", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}]}}, {"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Detect Empire with PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "GetLocalUser with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "GetWmiObject User Account with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Malicious PowerShell Process With Obfuscation Techniques", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Remote Management"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "MMC"}]}}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Powershell COM Hijacking InprocServer32 Modification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Component Object Model Hijacking"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Creating Thread Mutex", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Indicator Removal from Tools"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "PowerShell Domain Enumeration", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "PowerShell Enable PowerShell Remoting", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Powershell Enable SMB1Protocol Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Indicator Removal from Tools"}]}}, {"name": "Powershell Execute COM Object", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Component Object Model Hijacking"}, {"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Fileless Process Injection via GetProcAddress", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "PowerShell Invoke CIMMethod CIMSession", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Using memory As Backing Store", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "ServicePrincipalNames Discovery with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Unloading AMSI via Reflection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "WMI Recon Running Process Or Services", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}]}, {"name": "Masquerading - Rename System Utilities", "id": "f0258af4-a6ae-11eb-b3c2-acde48001122", "version": 1, "date": "2021-04-26", "author": "Michael Haag, Splunk", "description": "Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities.", "narrative": "Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths.\\\nThe following content is here to assist with binaries within `system32` or `syswow64` being moved to a new location or an adversary bringing a the binary in to execute.\\\nThere will be false positives as some native Windows processes are moved or ran by third party applications from different paths. If file names are mismatched between the file name on disk and that of the binarys PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.", "references": ["https://attack.mitre.org/techniques/T1036/003/"], "tags": {"name": "Masquerading - Rename System Utilities", "analytic_story": "Masquerading - Rename System Utilities", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion", "Impact"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"]}, "detection_names": ["ESCU - Execution of File With Spaces Before Extension - Rule", "ESCU - Suspicious Rundll32 Rename - Rule", "ESCU - Execution of File with Multiple Extensions - Rule", "ESCU - Sdelete Application Execution - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Execution of File With Spaces Before Extension", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Suspicious Rundll32 Rename", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rundll32"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Execution of File with Multiple Extensions", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Sdelete Application Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}]}, {"name": "MetaSploit", "id": "c149b694-bd08-4535-88d3-1f288a66313f", "version": 1, "date": "2022-11-21", "author": "Michael Haag, Splunk", "description": "The following analytic story highlights content related directly to MetaSploit, which may be default configurations attributed to MetaSploit or behaviors of known knowns that are related.", "narrative": "The Metasploit framework is a very powerful tool which can be used by cybercriminals as well as ethical hackers to probe systematic vulnerabilities on networks and servers. Because it is an open-source framework, it can be easily customized and used with most operating systems.\\\nThe Metasploit Project was undertaken in 2003 by H.D. Moore for use as a Perl-based portable network tool, with assistance from core developer Matt Miller. It was fully converted to Ruby by 2007, and the license was acquired by Rapid7 in 2009, where it remains as part of the Boston-based company repertoire of IDS signature development and targeted remote exploit, fuzzing, anti-forensic, and evasion tools.\\\nPortions of these other tools reside within the Metasploit framework, which is built into the Kali Linux OS. Rapid7 has also developed two proprietary OpenCore tools, Metasploit Pro, Metasploit Express.\\\nThis framework has become the go-to exploit development and mitigation tool. Prior to Metasploit, pen testers had to perform all probes manually by using a variety of tools that may or may not have supported the platform they were testing, writing their own code by hand, and introducing it onto networks manually. Remote testing was virtually unheard of, and that limited a security specialist reach to the local area and companies spending a fortune on in-house IT or security consultants. (ref. Varonis)", "references": ["https://github.com/rapid7/metasploit-framework", "https://www.varonis.com/blog/what-is-metasploit"], "tags": {"name": "MetaSploit", "analytic_story": "MetaSploit", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Execution"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation"]}, "detection_names": ["ESCU - Powershell Load Module in Meterpreter - Rule", "ESCU - Windows Apache Benchmark Binary - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Powershell Load Module in Meterpreter", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Windows Apache Benchmark Binary", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}]}, {"name": "Meterpreter", "id": "d5f8e298-c85a-11eb-9fea-acde48001122", "version": 1, "date": "2021-06-08", "author": "Michael Hart", "description": "Meterpreter provides red teams, pen testers and threat actors interactive access to a compromised host to run commands, upload payloads, download files, and other actions.", "narrative": "This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) from Meterpreter. Meterpreter is a Metasploit payload for remote execution that leverages DLL injection to make it extremely difficult to detect. Since the software runs in memory, no new processes are created upon injection. It also leverages encrypted communication channels.\\\nMeterpreter enables the operator to remotely run commands on the target machine, upload payloads, download files, dump password hashes, and much more. It is difficult to determine from the forensic evidence what actions the operator performed. Splunk Research, however, has observed anomalous behaviors on the compromised hosts that seem to only appear when Meterpreter is executing various commands. With that, we have written new detections targeted to these detections.\\\nWhile investigating a detection related to this analytic story, please bear in mind that the detections look for anomalies in system behavior. It will be imperative to look for other signs in the endpoint and network logs for lateral movement, discovery and other actions to confirm that the host was compromised and a remote actor used it to progress on their objectives.", "references": ["https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/", "https://doubleoctopus.com/security-wiki/threats-and-tools/meterpreter/", "https://www.rapid7.com/products/metasploit/"], "tags": {"name": "Meterpreter", "analytic_story": "Meterpreter", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}], "mitre_attack_tactics": ["Execution"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation"]}, "detection_names": ["ESCU - Excessive distinct processes from Windows Temp - Rule", "ESCU - Excessive number of taskhost processes - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Michael Hart", "detections": [{"name": "Excessive distinct processes from Windows Temp", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Excessive number of taskhost processes", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}]}, {"name": "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "id": "4ad4253e-10ca-11ec-8235-acde48001122", "version": 1, "date": "2021-09-08", "author": "Michael Haag, Splunk", "description": "CVE-2021-40444 is a remote code execution vulnerability in MSHTML, recently used to delivery targeted spearphishing documents.", "narrative": "Microsoft is aware of targeted attacks that attempt to exploit this vulnerability, CVE-2021-40444 by using specially-crafted Microsoft Office documents. MSHTML is a software component used to render web pages on Windows. Although it is 2019s most commonly associated with Internet Explorer, it is also used in other software. CVE-2021-40444 received a CVSS score of 8.8 out of 10. MSHTML is the beating heart of Internet Explorer, the vulnerability also exists in that browser. Although given its limited use, there is little risk of infection by that vector. Microsoft Office applications use the MSHTML component to display web content in Office documents. The attack depends on MSHTML loading a specially crafted ActiveX control when the target opens a malicious Office document. The loaded ActiveX control can then run arbitrary code to infect the system with more malware. At the moment all supported Windows versions are vulnerable. Since there is no patch available yet, Microsoft proposes a few methods to block these attacks. \\\n1. Disable the installation of all ActiveX controls in Internet Explorer via the registry. Previously-installed ActiveX controls will still run, but no new ones will be added, including malicious ones. Open documents from the Internet in Protected View or Application Guard for Office, both of which prevent the current attack. This is a default setting but it may have been changed.", "references": ["https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/windows-mshtml-zero-day-actively-exploited-mitigations-required/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://www.echotrail.io/insights/search/control.exe"], "tags": {"name": "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "analytic_story": "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.002", "mitre_attack_technique": "Control Panel", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Ember Bear"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation"]}, "detection_names": ["ESCU - Control Loading from World Writable Directory - Rule", "ESCU - MSHTML Module Load in Office Product - Rule", "ESCU - Office Product Writing cab or inf - Rule", "ESCU - Office Spawning Control - Rule", "ESCU - Rundll32 Control RunDLL Hunt - Rule", "ESCU - Rundll32 Control RunDLL World Writable Directory - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Control Loading from World Writable Directory", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Control Panel"}]}}, {"name": "MSHTML Module Load in Office Product", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Writing cab or inf", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Spawning Control", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Rundll32 Control RunDLL Hunt", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Rundll32 Control RunDLL World Writable Directory", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}]}, {"name": "Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190", "id": "2a60a99e-c93a-4036-af70-768fac838019", "version": 1, "date": "2022-05-31", "author": "Michael Haag, Teoderick Contreras, Splunk", "description": "On Monday May 30, 2022, Microsoft issued CVE-2022-30190 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability.", "narrative": "A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user''s rights.", "references": ["https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/", "https://isc.sans.edu/diary/rss/28694", "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", "https://twitter.com/nao_sec/status/1530196847679401984?s=20&t=ZiXYI4dQuA-0_dzQzSUb3A", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection", "https://strontic.github.io/xcyclopedia/library/msdt.exe-152D4C9F63EFB332CCB134C6953C0104.html"], "tags": {"name": "Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190", "analytic_story": "Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Initial Access"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Windows Command and Scripting Interpreter Hunting Path Traversal - Rule", "ESCU - Windows Command and Scripting Interpreter Path Traversal Exec - Rule", "ESCU - Windows Execute Arbitrary Commands with MSDT - Rule", "ESCU - Windows Office Product Spawning MSDT - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Command and Scripting Interpreter Hunting Path Traversal", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Command and Scripting Interpreter Path Traversal Exec", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Execute Arbitrary Commands with MSDT", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows Office Product Spawning MSDT", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}]}, {"name": "Monitor for Updates", "id": "9ef8d677-7b52-4213-a038-99cfc7acc2d8", "version": 1, "date": "2017-09-15", "author": "Rico Valdez, Splunk", "description": "Monitor your enterprise to ensure that your endpoints are being patched and updated. Adversaries notoriously exploit known vulnerabilities that could be mitigated by applying routine security patches.", "narrative": "It is a common best practice to ensure that endpoints are being patched and updated in a timely manner, in order to reduce the risk of compromise via a publicly disclosed vulnerability. Timely application of updates/patches is important to eliminate known vulnerabilities that may be exploited by various threat actors.\\\nSearches in this analytic story are designed to help analysts monitor endpoints for system patches and/or updates. This helps analysts identify any systems that are not successfully updated in a timely matter.\\\nMicrosoft releases updates for Windows systems on a monthly cadence. They should be installed as soon as possible after following internal testing and validation procedures. Patches and updates for other systems or applications are typically released as needed.", "references": ["https://learn.cisecurity.org/20-controls-download"], "tags": {"name": "Monitor for Updates", "analytic_story": "Monitor for Updates", "category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Compliance", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Updates"], "kill_chain_phases": []}, "detection_names": ["ESCU - No Windows Updates in a time frame - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": ["ESCU - Windows Updates Install Failures", "ESCU - Windows Updates Install Successes"], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "No Windows Updates in a time frame", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "MOVEit Transfer Critical Vulnerability", "id": "e8c05f9b-6ad4-45ac-8f5d-ff044da417c9", "version": 1, "date": "2023-06-01", "author": "Michael Haag, Splunk", "description": "A critical zero-day vulnerability has been discovered in the MOVEit Transfer file transfer software, widely used by businesses and developers worldwide. The vulnerability has been exploited by unknown threat actors to perform mass data theft from organizations. Progress Software Corporation, the developer of MOVEit, has issued a security advisory urging customers to take immediate action to protect their environments. They recommend blocking external traffic to ports 80 and 445 on the MOVEit server, and to check the c:\\MOVEitTransfer\\wwwroot\\ folder for unusual files. A patch is currently released.", "narrative": "Hackers have been actively exploiting a zero-day vulnerability found in the MOVEit Transfer software. This software, developed by Progress Software Corporation, a US-based company and its subsidiary Ipswitch, is a managed file transfer solution. It is used by thousands of organizations worldwide, including Chase, Disney, GEICO, and MLB, and by 3.5 million developers. The software allows for secure file transfers between business partners and customers using SFTP, SCP, and HTTP-based uploads.\\\nThe zero-day vulnerability has been exploited to steal data on a large scale from various organizations. The identity of the threat actors and the exact timeline of the exploitation remains unclear. However, it has been confirmed that multiple organizations have experienced breaches and data theft.\\\nIn response to this critical situation, Progress released a security advisory warning customers of the vulnerability and providing mitigation strategies while a patch has been released. They urged customers to take immediate action to protect their MOVEit environments. They suggested blocking external traffic to ports 80 and 445 on the MOVEit server and checking the c:\\MOVEitTransfer\\wwwroot\\ folder for unexpected files, including backups or large file downloads.\\\nBlocking these ports will prevent external access to the web UI, prevent some MOVEit Automation tasks from working, block APIs, and prevent the Outlook MOVEit plugin from working. However, SFTP and FTP/s protocols can continue to be used for file transfers.\\\nThere is currently no detailed information about the zero-day vulnerability. But based on the ports blocked and the specific location to check for unusual files, the flaw is likely a web-facing vulnerability.\\\nWhile Progress has officially confirmed that the vulnerability is being actively exploited, it is clear from several reports that multiple organizations have already had data stolen using this zero-day vulnerability. The exploitation appears very similar to the mass exploitation of a GoAnywhere MFT zero-day in January 2023 and the December 2020 zero-day exploitation of Accellion FTA servers. These were both managed file transfer platforms heavily exploited by the Clop ransomware gang to steal data and extort organizations.", "references": ["https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023", "https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/", "https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/", "https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/"], "tags": {"name": "MOVEit Transfer Critical Vulnerability", "analytic_story": "MOVEit Transfer Critical Vulnerability", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Initial Access", "Persistence"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - Windows MOVEit Transfer Writing ASPX - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows MOVEit Transfer Writing ASPX", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "Netsh Abuse", "id": "2b1800dd-92f9-47ec-a981-fdf1351e5f65", "version": 1, "date": "2017-01-05", "author": "Bhavin Patel, Splunk", "description": "Detect activities and various techniques associated with the abuse of `netsh.exe`, which can disable local firewall settings or set up a remote connection to a host from an infected system.", "narrative": "It is a common practice for attackers of all types to leverage native Windows tools and functionality to execute commands for malicious reasons. One such tool on Windows OS is `netsh.exe`,a command-line scripting utility that allows you to--either locally or remotely--display or modify the network configuration of a computer that is currently running. `Netsh.exe` can be used to discover and disable local firewall settings. It can also be used to set up a remote connection to a host from an infected system.\\\nTo get started, run the detection search to identify parent processes of `netsh.exe`.", "references": ["https://docs.microsoft.com/en-us/previous-versions/tn-archive/bb490939(v=technet.10)", "https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html", "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html"], "tags": {"name": "Netsh Abuse", "analytic_story": "Netsh Abuse", "category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Processes created by netsh - Rule", "ESCU - Processes launching netsh - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": ["ESCU - Baseline of SMB Traffic - MLTK", "ESCU - Previously seen command line arguments"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Processes created by netsh", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}]}}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}]}, {"name": "Network Discovery", "id": "af228995-f182-49d7-90b3-2a732944f00f", "version": 1, "date": "2022-02-14", "author": "Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the network discovery, including looking for network configuration, settings such as IP, MAC address, firewall settings and many more.", "narrative": "Adversaries may use the information from System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.", "references": ["https://attack.mitre.org/techniques/T1016/", "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/"], "tags": {"name": "Network Discovery", "analytic_story": "Network Discovery", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}], "mitre_attack_tactics": ["Discovery"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Linux System Network Discovery - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux System Network Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}]}}]}, {"name": "NOBELIUM Group", "id": "758196b5-2e21-424f-a50c-6e421ce926c2", "version": 2, "date": "2020-12-14", "author": "Patrick Bareiss, Michael Haag, Splunk", "description": "Sunburst is a trojanized updates to SolarWinds Orion IT monitoring and management software. It was discovered by FireEye in December 2020. The actors behind this campaign gained access to numerous public and private organizations around the world.", "narrative": "This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) of the NOBELIUM Group. The threat actor behind sunburst compromised the SolarWinds.Orion.Core.BusinessLayer.dll, is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers. The detections in this Analytic Story are focusing on the dll loading events, file create events and network events to detect This malware.", "references": ["https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/"], "tags": {"name": "NOBELIUM Group", "analytic_story": "NOBELIUM Group", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "Turla", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA551"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1203", "mitre_attack_technique": "Exploitation for Client Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT12", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT41", "Andariel", "Aoqin Dragon", "Axiom", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "Higaisa", "Inception", "Lazarus Group", "Leviathan", "MuddyWater", "Mustang Panda", "Patchwork", "Sandworm Team", "Sidewinder", "TA459", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "admin@338"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1071.002", "mitre_attack_technique": "File Transfer Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Kimsuky", "SilverTerrier"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Dragonfly", "Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1071.001", "mitre_attack_technique": "Web Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Confucius", "Dark Caracal", "FIN4", "FIN8", "Gamaredon Group", "HAFNIUM", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "OilRig", "Orangeworm", "Rancor", "Rocke", "Sandworm Team", "Sidewinder", "SilverTerrier", "Stealth Falcon", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "WIRTE", "Windshift", "Wizard Spider"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Defense Evasion", "Discovery", "Execution", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Traffic", "Web"], "kill_chain_phases": ["Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Anomalous usage of 7zip - Rule", "ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - Detect Rundll32 Inline HTA Execution - Rule", "ESCU - First Time Seen Running Windows Service - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Sunburst Correlation DLL and Network Event - Rule", "ESCU - Windows AdFind Exe - Rule", "ESCU - Detect Outbound SMB Traffic - Rule", "ESCU - TOR Traffic - Rule", "ESCU - Supernova Webshell - Rule"], "investigation_names": [], "baseline_names": ["ESCU - Previously Seen Running Windows Services - Initial", "ESCU - Previously Seen Running Windows Services - Update"], "author_company": "Michael Haag, Splunk", "author_name": "Patrick Bareiss", "detections": [{"name": "Anomalous usage of 7zip", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "Detect Prohibited Applications Spawning cmd exe", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "Detect Rundll32 Inline HTA Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "First Time Seen Running Windows Service", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Sunburst Correlation DLL and Network Event", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Client Execution"}]}}, {"name": "Windows AdFind Exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Detect Outbound SMB Traffic", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File Transfer Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "TOR Traffic", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application Layer Protocol"}, {"mitre_attack_technique": "Web Protocols"}]}}, {"name": "Supernova Webshell", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Web Shell"}]}}]}, {"name": "Office 365 Detections", "id": "1a51dd71-effc-48b2-abc4-3e9cdb61e5b9", "version": 1, "date": "2020-12-16", "author": "Patrick Bareiss, Splunk", "description": "This story is focused around detecting Office 365 Attacks.", "narrative": "More and more companies are using Microsofts Office 365 cloud offering. Therefore, we see more and more attacks against Office 365. This story provides various detections for Office 365 attacks.", "references": ["https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf"], "tags": {"name": "Office 365 Detections", "analytic_story": "Office 365 Detections", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1114.003", "mitre_attack_technique": "Email Forwarding Rule", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Kimsuky", "LAPSUS$", "Silent Librarian"]}, {"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}], "mitre_attack_tactics": ["Collection", "Credential Access", "Defense Evasion", "Persistence"], "datamodels": ["Authentication"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - High Number of Login Failures from a single source - Rule", "ESCU - O365 Add App Role Assignment Grant User - Rule", "ESCU - O365 Added Service Principal - Rule", "ESCU - O365 Bypass MFA via Trusted IP - Rule", "ESCU - O365 Disable MFA - Rule", "ESCU - O365 Excessive Authentication Failures Alert - Rule", "ESCU - O365 Excessive SSO logon errors - Rule", "ESCU - O365 New Federated Domain Added - Rule", "ESCU - O365 PST export alert - Rule", "ESCU - O365 Suspicious Admin Email Forwarding - Rule", "ESCU - O365 Suspicious Rights Delegation - Rule", "ESCU - O365 Suspicious User Email Forwarding - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Patrick Bareiss", "detections": [{"name": "High Number of Login Failures from a single source", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Guessing"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "O365 Add App Role Assignment Grant User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "O365 Added Service Principal", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "O365 Bypass MFA via Trusted IP", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "O365 Disable MFA", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Authentication Process"}]}}, {"name": "O365 Excessive Authentication Failures Alert", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}]}}, {"name": "O365 Excessive SSO logon errors", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Authentication Process"}]}}, {"name": "O365 New Federated Domain Added", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "O365 PST export alert", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Email Collection"}]}}, {"name": "O365 Suspicious Admin Email Forwarding", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Email Forwarding Rule"}, {"mitre_attack_technique": "Email Collection"}]}}, {"name": "O365 Suspicious Rights Delegation", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Email Collection"}, {"mitre_attack_technique": "Email Collection"}]}}, {"name": "O365 Suspicious User Email Forwarding", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Email Forwarding Rule"}, {"mitre_attack_technique": "Email Collection"}]}}]}, {"name": "Okta MFA Exhaustion", "id": "7c6e508d-4b4d-42c8-82de-5ff4ea3b0cb3", "version": 1, "date": "2022-09-27", "author": "Michael Haag, Splunk", "description": "A social engineering technique called 'MFA Fatigue', aka 'MFA push spam' or 'MFA Exhaustion', is growing more popular with threat actors as it does not require malware or phishing infrastructure and has proven to be successful in attacks.", "narrative": "An MFA Fatigue attack is when a threat actor runs a script that attempts to log in with stolen credentials over and over, causing what feels like an endless stream of MFA push requests to be sent to the account's owner's mobile device. The goal is to keep this up, day and night, to break down the target's cybersecurity posture and inflict a sense of \"fatigue\" regarding these MFA prompts.", "references": ["https://www.bleepingcomputer.com/news/security/mfa-fatigue-hackers-new-favorite-tactic-in-high-profile-breaches/", "https://www.csoonline.com/article/3674156/multi-factor-authentication-fatigue-attacks-are-on-the-rise-how-to-defend-against-them.html"], "tags": {"name": "Okta MFA Exhaustion", "analytic_story": "Okta MFA Exhaustion", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Authentication", "Risk"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Okta Account Locked Out - Rule", "ESCU - Okta MFA Exhaustion Hunt - Rule", "ESCU - Okta Mismatch Between Source and Response for Verify Push Request - Rule", "ESCU - Okta Risk Threshold Exceeded - Rule", "ESCU - Okta Two or More Rejected Okta Pushes - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Okta Account Locked Out", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}]}}, {"name": "Okta MFA Exhaustion Hunt", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}]}}, {"name": "Okta Mismatch Between Source and Response for Verify Push Request", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}}, {"name": "Okta Risk Threshold Exceeded", "source": "application", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Okta Two or More Rejected Okta Pushes", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}]}}]}, {"name": "OpenSSL CVE-2022-3602", "id": "491e00c9-998b-4c64-91bb-d8f9c79c1f4c", "version": 1, "date": "2022-11-02", "author": "Michael Haag, splunk", "description": "OpenSSL recently disclosed two vulnerabilities CVE-2022-3602 and CVE-2022-3786. CVE-2022-3602 is a X.509 Email Address 4-byte Buffer Overflow where puny code is utilized. This only affects OpenSSL 3.0.0 - 3.0.6.", "narrative": "A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the . character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Users of OpenSSL 3.0.0 - 3.0.6 are encouraged to upgrade to 3.0.7 as soon as possible. If you obtain your copy of OpenSSL from your Operating System vendor or other third party then you should seek to obtain an updated version from them as soon as possible. SSL Certificates with Punycode will identify SSL certificates with Punycode. Note that it does not mean it will capture malicious payloads. If using Zeek, modify the Zeek x509 certificate with punycode to match your environment. We found during this exercise that the FULL x509 with SAN must be captured and stored, decoded, in order to query against it.", "references": ["https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/", "https://github.com/advisories/GHSA-h8jm-2x53-xhp5", "https://community.emergingthreats.net/t/out-of-band-ruleset-update-summary-2022-11-01/117", "https://github.com/corelight/CVE-2022-3602/tree/master/scripts"], "tags": {"name": "OpenSSL CVE-2022-3602", "analytic_story": "OpenSSL CVE-2022-3602", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1573", "mitre_attack_technique": "Encrypted Channel", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT29", "BITTER", "Magic Hound", "Tropic Trooper"]}], "mitre_attack_tactics": ["Command And Control"], "datamodels": [], "kill_chain_phases": ["Command And Control"]}, "detection_names": ["ESCU - SSL Certificates with Punycode - Rule", "ESCU - Zeek x509 Certificate with Punycode - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "splunk", "author_name": "Michael Haag", "detections": [{"name": "SSL Certificates with Punycode", "source": "network", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Encrypted Channel"}]}}, {"name": "Zeek x509 Certificate with Punycode", "source": "network", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Encrypted Channel"}]}}]}, {"name": "Orangeworm Attack Group", "id": "bb9f5ed2-916e-4364-bb6d-97c370efcf52", "version": 2, "date": "2020-01-22", "author": "David Dorsey, Splunk", "description": "Detect activities and various techniques associated with the Orangeworm Attack Group, a group that frequently targets the healthcare industry.", "narrative": "In May of 2018, the attack group Orangeworm was implicated for installing a custom backdoor called Trojan.Kwampirs within large international healthcare corporations in the United States, Europe, and Asia. This malware provides the attackers with remote access to the target system, decrypting and extracting a copy of its main DLL payload from its resource section. Before writing the payload to disk, it inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections.\\\nAwareness of the Orangeworm group first surfaced in January, 2015. It has conducted targeted attacks against related industries, as well, such as pharmaceuticals and healthcare IT solution providers.\\\nHealthcare may be a promising target, because it is notoriously behind in technology, often using older operating systems and neglecting to patch computers. Even so, the group was able to evade detection for a full three years. Sources say that the malware spread quickly within the target networks, infecting computers used to control medical devices, such as MRI and X-ray machines.\\\nThis Analytic Story is designed to help you detect and investigate suspicious activities that may be indicative of an Orangeworm attack. One detection search looks for command-line arguments. Another monitors for uses of sc.exe, a non-essential Windows file that can manipulate Windows services. One of the investigative searches helps you get more information on web hosts that you suspect have been compromised.", "references": ["https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia", "https://www.infosecurity-magazine.com/news/healthcare-targeted-by-hacker/"], "tags": {"name": "Orangeworm Attack Group", "analytic_story": "Orangeworm Attack Group", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - First Time Seen Running Windows Service - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule"], "investigation_names": ["ESCU - Get History Of Email Sources - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": ["ESCU - Previously seen command line arguments", "ESCU - Previously Seen Running Windows Services - Initial", "ESCU - Previously Seen Running Windows Services - Update"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "First Time Seen Running Windows Service", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}]}, {"name": "PaperCut MF NG Vulnerability", "id": "2493d270-5665-4fb4-99c7-8f886f260676", "version": 1, "date": "2023-05-15", "author": "Michael Haag, Splunk", "description": "The FBI has issued a joint advisory concerning the exploitation of a PaperCut MF/NG vulnerability (CVE-2023-27350) by malicious actors, which began in mid-April 2023 and has been ongoing. In early May 2023, a group identifying themselves as the Bl00dy Ransomware Gang targeted vulnerable PaperCut servers within the Education Facilities Subsector. The advisory provides information on detecting exploitation attempts and shares known indicators of compromise (IOCs) associated with the group's activities.", "narrative": "PaperCut MF/NG versions 19 and older have reached their end-of-life, as documented on the End of Life Policy page. Customers using these older versions are advised to purchase an updated license online for PaperCut NG or through their PaperCut Partner for PaperCut MF. For users with a currently supported version (version 20 or later), they can upgrade to any maintenance release version they are licensed for.\\ If upgrading to a security patch is not possible, there are alternative options to enhance security. Users can lock down network access to their server(s) by blocking all inbound traffic from external IPs to the web management port (port 9191 and 9192 by default) and blocking all inbound traffic to the web management portal on the firewall to the server. Additionally, users can apply \"Allow list\" restrictions under Options > Advanced > Security > Allowed site server IP addresses, setting this to only allow the IP addresses of verified Site Servers on their network.\\\nThe vulnerabilities CVE-2023-27350 and CVE-2023-27351 have CVSS scores of 9.8 (Critical) and 8.2 (High), respectively. PaperCut and its partner network have activated response teams to assist PaperCut MF and NG customers, with service desks available 24/7 via their support page. The security response team at PaperCut has been working with external security advisors to compile a list of unpatched PaperCut MF/NG servers that have ports open on the public internet. They have been proactively reaching out to potentially exposed customers since Wednesday afternoon (AEST) and are working around the clock through the weekend.\\\nThe exploit was first detected in the wild on April 18th, 2023, at 03:30 AEST / April 17th, 2023, at 17:30 UTC. The earliest signature of suspicious activity on a customer server potentially linked to this vulnerability dates back to April 14th, 2023, at 01:29 AEST / April 13th, 2023, at 15:29 UTC.\\\nApplying the security fixes should not have any negative impact. Users can follow their usual upgrade procedure to obtain the upgrade. Additional links on the -Check for updates- page (accessed through the Admin interface > About > Version info > Check for updates) allow customers to download fixes for previous major versions that are still supported (e.g., 20.1.7 and 21.2.11) as well as the current version available. PaperCut MF users are advised to follow their regular upgrade process and consult their PaperCut partner or reseller for assistance.", "references": ["https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-and-fbi-release-joint-advisory-response-active-exploitation-papercut-vulnerability", "https://www.papercut.com/kb/Main/PO-1216-and-PO-1219", "https://www.horizon3.ai/papercut-cve-2023-27350-deep-dive-and-indicators-of-compromise/", "https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-bug-in-papercut-servers/", "https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software"], "tags": {"name": "PaperCut MF NG Vulnerability", "analytic_story": "PaperCut MF NG Vulnerability", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}], "mitre_attack_tactics": ["Execution", "Initial Access"], "datamodels": ["Endpoint", "Web"], "kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - PaperCut NG Suspicious Behavior Debug Log - Rule", "ESCU - Windows PaperCut NG Spawn Shell - Rule", "ESCU - PaperCut NG Remote Web Access Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "PaperCut NG Suspicious Behavior Debug Log", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Windows PaperCut NG Spawn Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "PaperCut NG Remote Web Access Attempt", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "PetitPotam NTLM Relay on Active Directory Certificate Services", "id": "97aecafc-0a68-11ec-962f-acde48001122", "version": 1, "date": "2021-08-31", "author": "Michael Haag, Mauricio Velazco, Splunk", "description": "PetitPotam (CVE-2021-36942,) is a vulnerablity identified in Microsofts EFSRPC Protocol that can allow an unauthenticated account to escalate privileges to domain administrator given the right circumstances.", "narrative": "In June 2021, security researchers at SpecterOps released a blog post and white paper detailing several potential attack vectors against Active Directory Certificated Services (ADCS). ADCS is a Microsoft product that implements Public Key Infrastrucutre (PKI) functionality and can be used by organizations to provide and manage digital certiticates within Active Directory.\\ In July 2021, a security researcher released PetitPotam, a tool that allows attackers to coerce Windows systems into authenticating to arbitrary endpoints.\\ Combining PetitPotam with the identified ADCS attack vectors allows attackers to escalate privileges from an unauthenticated anonymous user to full domain admin privileges.", "references": ["https://us-cert.cisa.gov/ncas/current-activity/2021/07/27/microsoft-releases-guidance-mitigating-petitpotam-ntlm-relay", "https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429", "https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf", "https://github.com/topotam/PetitPotam/", "https://github.com/gentilkiwi/mimikatz/releases/tag/2.2.0-20210723", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942", "https://attack.mitre.org/techniques/T1187/"], "tags": {"name": "PetitPotam NTLM Relay on Active Directory Certificate Services", "analytic_story": "PetitPotam NTLM Relay on Active Directory Certificate Services", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1187", "mitre_attack_technique": "Forced Authentication", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["DarkHydrus", "Dragonfly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}], "mitre_attack_tactics": ["Credential Access"], "datamodels": [], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - PetitPotam Network Share Access Request - Rule", "ESCU - PetitPotam Suspicious Kerberos TGT Request - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Splunk", "author_name": "Michael Haag", "detections": [{"name": "PetitPotam Network Share Access Request", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Forced Authentication"}]}}, {"name": "PetitPotam Suspicious Kerberos TGT Request", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}]}}]}, {"name": "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "id": "988C59C5-0A1C-45B6-A555-0C62276E327E", "version": 1, "date": "2020-01-22", "author": "iDefense Cyber Espionage Team, iDefense", "description": "Monitor your environment for suspicious behaviors that resemble the techniques employed by the MUDCARP threat group.", "narrative": "This story was created as a joint effort between iDefense and Splunk.\\\niDefense analysts have recently discovered a Windows executable file that, upon execution, spoofs a decryption tool and then drops a file that appears to be the custom-built javascript backdoor, \"Orz,\" which is associated with the threat actors known as MUDCARP (as well as \"temp.Periscope\" and \"Leviathan\"). The file is executed using Wscript.\\\nThe MUDCARP techniques include the use of the compressed-folders module from Microsoft, zipfldr.dll, with RouteTheCall export to run the malicious process or command. After a successful reboot, the malware is made persistent by a manipulating `[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]'help'='c:\\\\windows\\\\system32\\\\rundll32.exe c:\\\\windows\\\\system32\\\\zipfldr.dll,RouteTheCall c:\\\\programdata\\\\winapp.exe'`. Though this technique is not exclusive to MUDCARP, it has been spotted in the group's arsenal of advanced techniques seen in the wild.\\\nThis Analytic Story searches for evidence of tactics, techniques, and procedures (TTPs) that allow for the use of a endpoint detection-and-response (EDR) bypass technique to mask the true parent of a malicious process. It can also be set as a registry key for further sandbox evasion and to allow the malware to launch only after reboot.\\\nIf behavioral searches included in this story yield positive hits, iDefense recommends conducting IOC searches for the following:\\\n\\\n1. www.chemscalere[.]com\\\n1. chemscalere[.]com\\\n1. about.chemscalere[.]com\\\n1. autoconfig.chemscalere[.]com\\\n1. autodiscover.chemscalere[.]com\\\n1. catalog.chemscalere[.]com\\\n1. cpanel.chemscalere[.]com\\\n1. db.chemscalere[.]com\\\n1. ftp.chemscalere[.]com\\\n1. mail.chemscalere[.]com\\\n1. news.chemscalere[.]com\\\n1. update.chemscalere[.]com\\\n1. webmail.chemscalere[.]com\\\n1. www.candlelightparty[.]org\\\n1. candlelightparty[.]org\\\n1. newapp.freshasianews[.]comIn addition, iDefense also recommends that organizations review their environments for activity related to the following hashes:\\\n\\\n1. cd195ee448a3657b5c2c2d13e9c7a2e2\\\n1. b43ad826fe6928245d3c02b648296b43\\\n1. 889a9b52566448231f112a5ce9b5dfaf\\\n1. b8ec65dab97cdef3cd256cc4753f0c54\\\n1. 04d83cd3813698de28cfbba326d7647c", "references": ["https://www.infosecurity-magazine.com/news/scope-of-mudcarp-attacks-highlight-1/", "http://blog.amossys.fr/badflick-is-not-so-bad.html"], "tags": {"name": "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "analytic_story": "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule"], "investigation_names": ["ESCU - Get History Of Email Sources - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": ["ESCU - Baseline of Command Line Length - MLTK", "ESCU - Previously seen command line arguments"], "author_company": "iDefense", "author_name": "iDefense Cyber Espionage Team", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Unusually Long Command Line", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Unusually Long Command Line - MLTK", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "PrintNightmare CVE-2021-34527", "id": "fd79470a-da88-11eb-b803-acde48001122", "version": 1, "date": "2021-07-01", "author": "Splunk Threat Research Team", "description": "The following analytic story identifies behaviors related PrintNightmare, or CVE-2021-34527 previously known as (CVE-2021-1675), to gain privilege escalation on the vulnerable machine.", "narrative": "This vulnerability affects the Print Spooler service, enabled by default on Windows systems, and allows adversaries to trick this service into installing a remotely hosted print driver using a low privileged user account. Successful exploitation effectively allows adversaries to execute code in the target system (Remote Code Execution) in the context of the Print Spooler service which runs with the highest privileges (Privilege Escalation). \\\nThe prerequisites for successful exploitation consist of: \\\n1. Print Spooler service enabled on the target system \\\n1. Network connectivity to the target system (initial access has been obtained) \\\n1. Hash or password for a low privileged user ( or computer ) account. \\\nIn the most impactful scenario, an attacker would be able to leverage this vulnerability to obtain a SYSTEM shell on a domain controller and so escalate their privileges from a low privileged domain account to full domain access in the target environment as shown below.", "references": ["https://github.com/cube0x0/CVE-2021-1675/", "https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/", "https://blog.truesec.com/2021/06/30/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675/", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "tags": {"name": "PrintNightmare CVE-2021-34527", "analytic_story": "PrintNightmare CVE-2021-34527", "category": ["Vulnerability"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Print Spooler Adding A Printer Driver - Rule", "ESCU - Print Spooler Failed to Load a Plug-in - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - Spoolsv Spawning Rundll32 - Rule", "ESCU - Spoolsv Suspicious Loaded Modules - Rule", "ESCU - Spoolsv Suspicious Process Access - Rule", "ESCU - Spoolsv Writing a DLL - Rule", "ESCU - Spoolsv Writing a DLL - Sysmon - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Splunk Threat Research Team", "detections": [{"name": "Print Spooler Adding A Printer Driver", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Print Spooler Failed to Load a Plug-in", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Spoolsv Spawning Rundll32", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Spoolsv Suspicious Loaded Modules", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Spoolsv Suspicious Process Access", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Spoolsv Writing a DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Spoolsv Writing a DLL - Sysmon", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}]}, {"name": "Prohibited Traffic Allowed or Protocol Mismatch", "id": "6d13121c-90f3-446d-8ac3-27efbbc65218", "version": 1, "date": "2017-09-11", "author": "Rico Valdez, Splunk", "description": "Detect instances of prohibited network traffic allowed in the environment, as well as protocols running on non-standard ports. Both of these types of behaviors typically violate policy and can be leveraged by attackers.", "narrative": "A traditional security best practice is to control the ports, protocols, and services allowed within your environment. By limiting the services and protocols to those explicitly approved by policy, administrators can minimize the attack surface. The combined effect allows both network defenders and security controls to focus and not be mired in superfluous traffic or data types. Looking for deviations to policy can identify attacker activity that abuses services and protocols to run on alternate or non-standard ports in the attempt to avoid detection or frustrate forensic analysts.", "references": ["http://www.novetta.com/2015/02/advanced-methods-to-detect-advanced-cyber-attacks-protocol-abuse/"], "tags": {"name": "Prohibited Traffic Allowed or Protocol Mismatch", "analytic_story": "Prohibited Traffic Allowed or Protocol Mismatch", "category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Dragonfly", "Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1071.001", "mitre_attack_technique": "Web Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Confucius", "Dark Caracal", "FIN4", "FIN8", "Gamaredon Group", "HAFNIUM", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "OilRig", "Orangeworm", "Rancor", "Rocke", "Sandworm Team", "Sidewinder", "SilverTerrier", "Stealth Falcon", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "WIRTE", "Windshift", "Wizard Spider"]}], "mitre_attack_tactics": ["Command And Control", "Exfiltration", "Initial Access", "Lateral Movement"], "datamodels": ["Endpoint", "Network_Resolution", "Network_Traffic"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - Allow Inbound Traffic In Firewall Rule - Rule", "ESCU - Enable RDP In Other Port Number - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Prohibited Network Traffic Allowed - Rule", "ESCU - Protocol or Port Mismatch - Rule", "ESCU - TOR Traffic - Rule"], "investigation_names": ["ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task"], "baseline_names": ["ESCU - Count of Unique IPs Connecting to Ports"], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Allow Inbound Traffic In Firewall Rule", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Enable RDP In Other Port Number", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}]}}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Prohibited Network Traffic Allowed", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Protocol or Port Mismatch", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "TOR Traffic", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application Layer Protocol"}, {"mitre_attack_technique": "Web Protocols"}]}}]}, {"name": "ProxyNotShell", "id": "4e3f17e7-9ed7-425d-a05e-b65464945836", "version": 1, "date": "2022-09-30", "author": "Michael Haag, Splunk", "description": "Two new zero day Microsoft Exchange vulnerabilities have been identified actively exploited in the wild - CVE-2022-41040 and CVE-2022-41082.", "narrative": "Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker. Originally identified by GTSC monitoring Exchange, some adversary post-exploitation activity was identified and is tagged to this story.", "references": ["https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/", "https://twitter.com/GossiTheDog/status/1575762721353916417?s=20&t=67gq9xCWuyPm1VEm8ydfyA", "https://twitter.com/cglyer/status/1575793769814728705?s=20&t=67gq9xCWuyPm1VEm8ydfyA", "https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html", "https://research.splunk.com/stories/proxyshell/", "https://www.inversecos.com/2022/07/hunting-for-apt-abuse-of-exchange.html"], "tags": {"name": "ProxyNotShell", "analytic_story": "ProxyNotShell", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Command And Control", "Execution", "Initial Access", "Persistence"], "datamodels": ["Endpoint", "Risk", "Web"], "kill_chain_phases": ["Command And Control", "Delivery", "Installation"]}, "detection_names": ["ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Exchange PowerShell Abuse via SSRF - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows MSExchange Management Mailbox Cmdlet Usage - Rule", "ESCU - ProxyShell ProxyNotShell Behavior Detected - Rule", "ESCU - Windows Exchange Autodiscover SSRF Abuse - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Exchange PowerShell Abuse via SSRF", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Windows MSExchange Management Mailbox Cmdlet Usage", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "ProxyShell ProxyNotShell Behavior Detected", "source": "web", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Windows Exchange Autodiscover SSRF Abuse", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "ProxyShell", "id": "413bb68e-04e2-11ec-a835-acde48001122", "version": 1, "date": "2021-08-24", "author": "Michael Haag, Teoderick Contreras, Mauricio Velazco, Splunk", "description": "ProxyShell is a chain of exploits targeting on-premise Microsoft Exchange Server - CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.", "narrative": "During Pwn2Own April 2021, a security researcher demonstrated an attack chain targeting on-premise Microsoft Exchange Server. August 5th, the same researcher publicly released further details and demonstrated the attack chain. CVE-2021-34473 Pre-auth path confusion leads to ACL Bypass (Patched in April by KB5001779) CVE-2021-34523 - Elevation of privilege on Exchange PowerShell backend (Patched in April by KB5001779) . CVE-2021-31207 - Post-auth Arbitrary-File-Write leads to RCE (Patched in May by KB5003435) Upon successful exploitation, the remote attacker will have SYSTEM privileges on the Exchange Server. In addition to remote access/execution, the adversary may be able to run Exchange PowerShell Cmdlets to perform further actions.", "references": ["https://y4y.space/2021/08/12/my-steps-of-reproducing-proxyshell/", "https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell", "https://www.youtube.com/watch?v=FC6iHw258RI", "https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit#what-should-you-do", "https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf", "https://www.inversecos.com/2022/07/hunting-for-apt-abuse-of-exchange.html"], "tags": {"name": "ProxyShell", "analytic_story": "ProxyShell", "category": ["Adversary Tactics", "Ransomware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Execution", "Initial Access", "Persistence"], "datamodels": ["Endpoint", "Risk", "Web"], "kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Exchange PowerShell Abuse via SSRF - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - MS Exchange Mailbox Replication service writing Active Server Pages - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows MSExchange Management Mailbox Cmdlet Usage - Rule", "ESCU - ProxyShell ProxyNotShell Behavior Detected - Rule", "ESCU - Windows Exchange Autodiscover SSRF Abuse - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Mauricio Velazco, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Exchange PowerShell Abuse via SSRF", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "MS Exchange Mailbox Replication service writing Active Server Pages", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Windows MSExchange Management Mailbox Cmdlet Usage", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "ProxyShell ProxyNotShell Behavior Detected", "source": "web", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Windows Exchange Autodiscover SSRF Abuse", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "Qakbot", "id": "0c6169b1-f126-4d86-8e4f-f7891007ebc6", "version": 2, "date": "2022-11-14", "author": "Teoderick Contreras, Splunk", "description": "QakBot is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. QakBot is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware (ref. MITRE ATT&CK).", "narrative": "QakBot notably has made its way on the CISA top malware list for 2021. QakBot for years has been under continious improvement when it comes to initial access, injection and post-exploitation. Multiple adversaries use QakBot to gain initial access and persist, most notably TA551. The actor(s) behind QakBot possess a modular framework consisting of maldoc builders, signed loaders, and DLLs that produce initially low detection rates at the beginning of the attack, which creates opportunities to deliver additional malware such as Egregor and Cobalt Strike. (ref. Cybersecurity ATT) The more recent campaigns utilize HTML smuggling to deliver a ISO container that has a LNK and QakBot payload. QakBot will either load via regsvr32.exe directly, it will attempt to perform DLL sideloading.", "references": ["https://www.cisa.gov/sites/default/files/publications/202010221030_QakBot%20TLPWHITE.pdf", "https://malpedia.caad.fkie.fraunhofer.de/details/win.QakBot", "https://securelist.com/QakBot-technical-analysis/103931/", "https://www.fortinet.com/blog/threat-research/new-variant-of-QakBot-spread-by-phishing-emails", "https://attack.mitre.org/software/S0650/", "https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot"], "tags": {"name": "Qakbot", "analytic_story": "Qakbot", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016.001", "mitre_attack_technique": "Internet Connection Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Gamaredon Group", "HAFNIUM", "HEXANE", "Magic Hound", "Turla"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Dragonfly", "Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1574.001", "mitre_attack_technique": "DLL Search Order Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Aquatic Panda", "BackdoorDiplomacy", "Evilnum", "RTM", "Threat Group-3390", "Tonto Team", "Whitefly", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Earth Lusca", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1055.001", "mitre_attack_technique": "Dynamic-link Library Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["BackdoorDiplomacy", "Lazarus Group", "Leviathan", "Putter Panda", "TA505", "Tropic Trooper", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1055.002", "mitre_attack_technique": "Portable Executable Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Gorgon Group", "Rocke"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Command And Control", "Defense Evasion", "Discovery", "Execution", "Initial Access", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control", "Delivery", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Create Remote Thread In Shell Application - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Office Application Spawn Regsvr32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Process Creating LNK file in Suspicious Location - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Services LOLBAS Execution Process Spawn - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - Wermgr Process Spawned CMD Or Powershell Process - Rule", "ESCU - Windows App Layer Protocol Qakbot NamedPipe - Rule", "ESCU - Windows App Layer Protocol Wermgr Connect To NamedPipe - Rule", "ESCU - Windows Command Shell Fetch Env Variables - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt with Sysmon - Rule", "ESCU - Windows DLL Side-Loading In Calc - Rule", "ESCU - Windows DLL Side-Loading Process Child Of Calc - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Masquerading Explorer As Child Process - Rule", "ESCU - Windows Modify Registry Qakbot Binary Data Registry - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows Process Injection Of Wermgr to Known Browser - Rule", "ESCU - Windows Process Injection Remote Thread - Rule", "ESCU - Windows Process Injection Wermgr Child Process - Rule", "ESCU - Windows Regsvr32 Renamed Binary - Rule", "ESCU - Windows Schtasks Create Run As System - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows System Discovery Using ldap Nslookup - Rule", "ESCU - Windows System Discovery Using Qwinsta - Rule", "ESCU - Windows WMI Impersonate Token - Rule", "ESCU - Windows WMI Process Call Create - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}}, {"name": "Create Remote Thread In Shell Application", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Internet Connection Discovery"}]}}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}]}}, {"name": "Office Application Spawn Regsvr32 process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Process Creating LNK file in Suspicious Location", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Link"}]}}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Services LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "Masquerading"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Regsvr32 Register Suspicious Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "Wermgr Process Spawned CMD Or Powershell Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows App Layer Protocol Qakbot NamedPipe", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "Windows App Layer Protocol Wermgr Connect To NamedPipe", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "Windows Command Shell Fetch Env Variables", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows DLL Search Order Hijacking Hunt with Sysmon", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Windows DLL Side-Loading In Calc", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Windows DLL Side-Loading Process Child Of Calc", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "Windows Masquerading Explorer As Child Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Windows Modify Registry Qakbot Binary Data Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Windows Process Injection Of Wermgr to Known Browser", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Dynamic-link Library Injection"}, {"mitre_attack_technique": "Process Injection"}]}}, {"name": "Windows Process Injection Remote Thread", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Portable Executable Injection"}]}}, {"name": "Windows Process Injection Wermgr Child Process", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Windows Regsvr32 Renamed Binary", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Regsvr32"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows Schtasks Create Run As System", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Windows System Discovery Using ldap Nslookup", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "Windows System Discovery Using Qwinsta", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "Windows WMI Impersonate Token", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}]}, {"name": "Ransomware", "id": "cf309d0d-d4aa-4fbb-963d-1e79febd3756", "version": 1, "date": "2020-02-04", "author": "David Dorsey, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware--spikes in SMB traffic, suspicious wevtutil usage, the presence of common ransomware extensions, and system processes run from unexpected locations, and many others.", "narrative": "Ransomware is an ever-present risk to the enterprise, wherein an infected host encrypts business-critical data, holding it hostage until the victim pays the attacker a ransom. There are many types and varieties of ransomware that can affect an enterprise. Attackers can deploy ransomware to enterprises through spearphishing campaigns and driveby downloads, as well as through traditional remote service-based exploitation. In the case of the WannaCry campaign, there was self-propagating wormable functionality that was used to maximize infection. Fortunately, organizations can apply several techniques--such as those in this Analytic Story--to detect and or mitigate the effects of ransomware.", "references": ["https://web.archive.org/web/20190826231258/https://www.carbonblack.com/2017/06/28/carbon-black-threat-research-technical-analysis-petya-notpetya-ransomware/", "https://www.splunk.com/blog/2017/06/27/closing-the-detection-to-mitigation-gap-or-to-petya-or-notpetya-whocares-.html"], "tags": {"name": "Ransomware", "analytic_story": "Ransomware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "Turla", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.003", "mitre_attack_technique": "CMSTP", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "MuddyWater"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1020", "mitre_attack_technique": "Automated Exfiltration", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Gamaredon Group", "Ke3chang", "Sidewinder", "Tropic Trooper"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "admin@338"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Earth Lusca", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1027.005", "mitre_attack_technique": "Indicator Removal from Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT3", "Deep Panda", "GALLIUM", "OilRig", "Patchwork", "TEMP.Veles", "Turla"]}, {"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1218.007", "mitre_attack_technique": "Msiexec", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Machete", "Molerats", "Rancor", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1588.002", "mitre_attack_technique": "Tool", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT19", "APT28", "APT29", "APT32", "APT33", "APT38", "APT39", "APT41", "Aoqin Dragon", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Carbanak", "Chimera", "Cleaver", "Cobalt Group", "CopyKittens", "DarkHydrus", "DarkVishnya", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN5", "FIN6", "Ferocious Kitten", "GALLIUM", "Gorgon Group", "HEXANE", "Inception", "IndigoZebra", "Ke3chang", "Kimsuky", "LAPSUS$", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "Metador", "Moses Staff", "MuddyWater", "POLONIUM", "Patchwork", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "TA505", "TEMP.Veles", "Threat Group-3390", "Thrip", "Turla", "WIRTE", "Whitefly", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "TeamTNT", "Thrip"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Dragonfly", "Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1071.001", "mitre_attack_technique": "Web Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Confucius", "Dark Caracal", "FIN4", "FIN8", "Gamaredon Group", "HAFNIUM", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "OilRig", "Orangeworm", "Rancor", "Rocke", "Sandworm Team", "Sidewinder", "SilverTerrier", "Stealth Falcon", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "WIRTE", "Windshift", "Wizard Spider"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Defense Evasion", "Discovery", "Execution", "Exfiltration", "Impact", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance", "Resource Development"], "datamodels": ["Change", "Endpoint", "Network_Traffic"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation", "Installation", "Reconnaissance", "Weaponization"]}, "detection_names": ["ESCU - Scheduled tasks used in BadRabbit ransomware - Rule", "ESCU - 7zip CommandLine To SMB Share Path - Rule", "ESCU - Allow File And Printing Sharing In Firewall - Rule", "ESCU - Allow Network Discovery In Firewall - Rule", "ESCU - Allow Operation with Consent Admin - Rule", "ESCU - BCDEdit Failure Recovery Modification - Rule", "ESCU - Clear Unallocated Sector Using Cipher App - Rule", "ESCU - CMLUA Or CMSTPLUA UAC Bypass - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Conti Common Exec parameter - Rule", "ESCU - Delete ShadowCopy With PowerShell - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect RClone Command-Line Usage - Rule", "ESCU - Detect Renamed RClone - Rule", "ESCU - Detect SharpHound Command-Line Arguments - Rule", "ESCU - Detect SharpHound File Modifications - Rule", "ESCU - Detect SharpHound Usage - Rule", "ESCU - Disable AMSI Through Registry - Rule", "ESCU - Disable ETW Through Registry - Rule", "ESCU - Disable Logs Using WevtUtil - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Excessive Service Stop Attempt - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Excessive Usage Of SC Service Utility - Rule", "ESCU - Execute Javascript With Jscript COM CLSID - Rule", "ESCU - Fsutil Zeroing File - Rule", "ESCU - ICACLS Grant Command - Rule", "ESCU - Known Services Killed by Ransomware - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - MS Exchange Mailbox Replication service writing Active Server Pages - Rule", "ESCU - Msmpeng Application DLL Side Loading - Rule", "ESCU - Permission Modification using Takeown App - Rule", "ESCU - Powershell Disable Security Monitoring - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Prevent Automatic Repair Mode using Bcdedit - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recursive Delete of Directory In Batch CMD - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Remote Process Instantiation via WMI - Rule", "ESCU - Revil Common Exec Parameter - Rule", "ESCU - Revil Registry Entry - Rule", "ESCU - Rundll32 LockWorkStation - Rule", "ESCU - Schtasks used for forcing a reboot - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Suspicious Event Log Service Behavior - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - UAC Bypass With Colorui COM Object - Rule", "ESCU - Uninstall App Using MsiExec - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule", "ESCU - USN Journal Deletion - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Wbemprox COM Object Execution - Rule", "ESCU - Windows Disable Change Password Through Registry - Rule", "ESCU - Windows Disable Lock Workstation Feature Through Registry - Rule", "ESCU - Windows Disable LogOff Button Through Registry - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows Disable Shutdown Button Through Registry - Rule", "ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule", "ESCU - Windows DiskCryptor Usage - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows Event Log Cleared - Rule", "ESCU - Windows Hide Notification Features Through Registry - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows Raccine Scheduled Task Deletion - Rule", "ESCU - Windows Registry Modification for Safe Mode Persistence - Rule", "ESCU - Windows Remote Access Software Hunt - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - Prohibited Network Traffic Allowed - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule", "ESCU - TOR Traffic - Rule"], "investigation_names": ["ESCU - Get Backup Logs For Endpoint - Response Task", "ESCU - Get History Of Email Sources - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task", "ESCU - Get Sysmon WMI Activity for Host - Response Task"], "baseline_names": ["ESCU - Baseline of Command Line Length - MLTK", "ESCU - Baseline of SMB Traffic - MLTK", "ESCU - Count of Unique IPs Connecting to Ports"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Scheduled tasks used in BadRabbit ransomware", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "7zip CommandLine To SMB Share Path", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "Allow File And Printing Sharing In Firewall", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Allow Network Discovery In Firewall", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Allow Operation with Consent Admin", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "BCDEdit Failure Recovery Modification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Clear Unallocated Sector Using Cipher App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "CMLUA Or CMSTPLUA UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Conti Common Exec parameter", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}]}}, {"name": "Delete ShadowCopy With PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Detect RClone Command-Line Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Automated Exfiltration"}]}}, {"name": "Detect Renamed RClone", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Automated Exfiltration"}]}}, {"name": "Detect SharpHound Command-Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Local Groups"}, {"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Groups"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}}, {"name": "Detect SharpHound File Modifications", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Local Groups"}, {"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Groups"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}}, {"name": "Detect SharpHound Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Local Groups"}, {"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Groups"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}}, {"name": "Disable AMSI Through Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable ETW Through Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Logs Using WevtUtil", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Excessive Service Stop Attempt", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Access Removal"}]}}, {"name": "Excessive Usage Of SC Service Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Execute Javascript With Jscript COM CLSID", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Visual Basic"}]}}, {"name": "Fsutil Zeroing File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "ICACLS Grant Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Known Services Killed by Ransomware", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Defacement"}]}}, {"name": "MS Exchange Mailbox Replication service writing Active Server Pages", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Msmpeng Application DLL Side Loading", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Permission Modification using Takeown App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Powershell Disable Security Monitoring", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Powershell Enable SMB1Protocol Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Indicator Removal from Tools"}]}}, {"name": "Powershell Execute COM Object", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Component Object Model Hijacking"}, {"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Prevent Automatic Repair Mode using Bcdedit", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}, {"name": "Recursive Delete of Directory In Batch CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Remote Process Instantiation via WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Revil Common Exec Parameter", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}]}}, {"name": "Revil Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Rundll32 LockWorkStation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Schtasks used for forcing a reboot", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Spike in File Writes", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Suspicious Event Log Service Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Clear Windows Event Logs"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "UAC Bypass With Colorui COM Object", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}}, {"name": "Uninstall App Using MsiExec", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Msiexec"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Unusually Long Command Line", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Unusually Long Command Line - MLTK", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "USN Journal Deletion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "WBAdmin Delete System Backups", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Wbemprox COM Object Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}}, {"name": "Windows Disable Change Password Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable Lock Workstation Feature Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable LogOff Button Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable Memory Crash Dump", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows Disable Shutdown Button Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows DiskCryptor Usage", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows Event Log Cleared", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}}, {"name": "Windows Hide Notification Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows NirSoft AdvancedRun", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Tool"}]}}, {"name": "Windows Raccine Scheduled Task Deletion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}]}}, {"name": "Windows Registry Modification for Safe Mode Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows Remote Access Software Hunt", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Access Software"}]}}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Prohibited Network Traffic Allowed", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "SMB Traffic Spike", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "SMB Traffic Spike - MLTK", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "TOR Traffic", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application Layer Protocol"}, {"mitre_attack_technique": "Web Protocols"}]}}]}, {"name": "BlackMatter Ransomware", "id": "0da348a3-78a0-412e-ab27-2de9dd7f9fee", "version": 1, "date": "2021-09-06", "author": "Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the BlackMatter ransomware, including looking for file writes associated with BlackMatter, force safe mode boot, autadminlogon account registry modification and more.", "narrative": "BlackMatter ransomware campaigns targeting healthcare and other vertical sectors, involve the use of ransomware payloads along with exfiltration of data per HHS bulletin. Malicious actors demand payment for ransome of data and threaten deletion and exposure of exfiltrated data.", "references": ["https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/", "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/", "https://blog.malwarebytes.com/ransomware/2021/07/blackmatter-a-new-ransomware-group-claims-link-to-darkside-revil/"], "tags": {"name": "BlackMatter Ransomware", "analytic_story": "BlackMatter Ransomware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1552.002", "mitre_attack_technique": "Credentials in Registry", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT32"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}], "mitre_attack_tactics": ["Credential Access", "Impact"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"]}, "detection_names": ["ESCU - Add DefaultUser And Password In Registry - Rule", "ESCU - Auto Admin Logon Registry Entry - Rule", "ESCU - Bcdedit Command Back To Normal Mode Boot - Rule", "ESCU - Change To Safe Mode With Network Config - Rule", "ESCU - Known Services Killed by Ransomware - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Ransomware Notes bulk creation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Add DefaultUser And Password In Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials in Registry"}, {"mitre_attack_technique": "Unsecured Credentials"}]}}, {"name": "Auto Admin Logon Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials in Registry"}, {"mitre_attack_technique": "Unsecured Credentials"}]}}, {"name": "Bcdedit Command Back To Normal Mode Boot", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Change To Safe Mode With Network Config", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Known Services Killed by Ransomware", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Defacement"}]}}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}]}, {"name": "Chaos Ransomware", "id": "153d7b8f-27f2-4e4d-bae8-dfafd93a22a8", "version": 1, "date": "2023-01-11", "author": "Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Chaos ransomware, including looking for file writes (file encryption and ransomware notes), deleting shadow volume storage, registry key modification, dropping of files in startup folder, and more.", "narrative": "CHAOS ransomware has been seen and monitored since 2021. This ransomware is purportedly a .NET version of Ryuk ransomware but upon closer look to its code and behavior, this malware sample reveals that it doesn't share much relation to the notorious RYUK ransomware. This ransomware is one of the known ransomware that was used in the ongoing geo-political war. This ransomware is capable to check that only one copy of itself is running on the targeted host, delay of execution as part of its defense evasion technique, persistence through registry and startup folder, drop a copy of itself in each root drive of the targeted host and also in %appdata% folder and many more. As of writing this ransomware is still active and keeps on infecting Windows Operating machines and Windows networks.", "references": ["https://blog.qualys.com/vulnerabilities-threat-research/2022/01/17/the-chaos-ransomware-can-be-ravaging", "https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-in-fake-minecraft-alt-list-brings-destruction", "https://marcoramilli.com/2021/06/14/the-allegedly-ryuk-ransomware-builder-ryukjoke/", "https://www.trendmicro.com/en_us/research/21/h/chaos-ransomware-a-dangerous-proof-of-concept.html"], "tags": {"name": "Chaos Ransomware", "analytic_story": "Chaos Ransomware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1091", "mitre_attack_technique": "Replication Through Removable Media", "mitre_attack_tactics": ["Initial Access", "Lateral Movement"], "mitre_attack_groups": ["APT28", "Aoqin Dragon", "Darkhotel", "FIN7", "LuminousMoth", "Mustang Panda", "Tropic Trooper"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Impact", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Prevent Automatic Repair Mode using Bcdedit - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Windows Boot or Logon Autostart Execution In Startup Folder - Rule", "ESCU - Windows Replication Through Removable Media - Rule", "ESCU - Windows User Execution Malicious URL Shortcut File - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Prevent Automatic Repair Mode using Bcdedit", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "WBAdmin Delete System Backups", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Windows Boot or Logon Autostart Execution In Startup Folder", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows Replication Through Removable Media", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Replication Through Removable Media"}]}}, {"name": "Windows User Execution Malicious URL Shortcut File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious File"}, {"mitre_attack_technique": "User Execution"}]}}]}, {"name": "Clop Ransomware", "id": "5a6f6849-1a26-4fae-aa05-fa730556eeb6", "version": 1, "date": "2021-03-17", "author": "Rod Soto, Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Clop ransomware, including looking for file writes associated with Clope, encrypting network shares, deleting and resizing shadow volume storage, registry key modification, deleting of security logs, and more.", "narrative": "Clop ransomware campaigns targeting healthcare and other vertical sectors, involve the use of ransomware payloads along with exfiltration of data per HHS bulletin. Malicious actors demand payment for ransome of data and threaten deletion and exposure of exfiltrated data.", "references": ["https://www.hhs.gov/sites/default/files/analyst-note-cl0p-tlp-white.pdf", "https://securityaffairs.co/wordpress/115250/data-breach/qualys-clop-ransomware.html", "https://www.darkreading.com/attacks-breaches/qualys-is-the-latest-victim-of-accellion-data-breach/d/d-id/1340323"], "tags": {"name": "Clop Ransomware", "analytic_story": "Clop Ransomware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Impact", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Clop Common Exec Parameter - Rule", "ESCU - Clop Ransomware Known Service Name - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - Resize ShadowStorage volume - Rule", "ESCU - Suspicious Event Log Service Behavior - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - Windows Event Log Cleared - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Splunk", "author_name": "Rod Soto", "detections": [{"name": "Clop Common Exec Parameter", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}]}}, {"name": "Clop Ransomware Known Service Name", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "High Process Termination Frequency", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "Process Deleting Its Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "Resize ShadowStorage volume", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Suspicious Event Log Service Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Clear Windows Event Logs"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Windows Event Log Cleared", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}]}, {"name": "Ransomware Cloud", "id": "f52f6c43-05f8-4b19-a9d3-5b8c56da91c2", "version": 1, "date": "2020-10-27", "author": "Rod Soto, David Dorsey, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware. These searches include cloud related objects that may be targeted by malicious actors via cloud providers own encryption features.", "narrative": "Ransomware is an ever-present risk to the enterprise, wherein an infected host encrypts business-critical data, holding it hostage until the victim pays the attacker a ransom. There are many types and varieties of ransomware that can affect an enterprise.Cloud ransomware can be deployed by obtaining high privilege credentials from targeted users or resources.", "references": ["https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/", "https://github.com/d1vious/git-wild-hunt", "https://www.youtube.com/watch?v=PgzNib37g0M"], "tags": {"name": "Ransomware Cloud", "analytic_story": "Ransomware Cloud", "category": ["Malware"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}], "mitre_attack_tactics": ["Impact"], "datamodels": [], "kill_chain_phases": ["Actions on Objectives"]}, "detection_names": ["ESCU - AWS Detect Users creating keys with encrypt policy without MFA - Rule", "ESCU - AWS Detect Users with KMS keys performing encryption S3 - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "David Dorsey, Splunk", "author_name": "Rod Soto", "detections": [{"name": "AWS Detect Users creating keys with encrypt policy without MFA", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "AWS Detect Users with KMS keys performing encryption S3", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}]}, {"name": "DarkSide Ransomware", "id": "507edc74-13d5-4339-878e-b9114ded1f35", "version": 1, "date": "2021-05-12", "author": "Bhavin Patel, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the DarkSide Ransomware", "narrative": "This story addresses Darkside ransomware. This ransomware payload has many similarities to common ransomware however there are certain items particular to it. The creation of a .TXT log that shows every item being encrypted as well as the creation of ransomware notes and files adding a machine ID created based on CRC32 checksum algorithm. This ransomware payload leaves machines in minimal operation level,enough to browse the attackers websites. A customized URI with leaked information is presented to each victim.This is the ransomware payload that shut down the Colonial pipeline. The story is composed of several detection searches covering similar items to other ransomware payloads and those particular to Darkside payload.", "references": ["https://www.splunk.com/en_us/blog/security/the-darkside-of-the-ransomware-pipeline.htmlbig-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", "https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations"], "tags": {"name": "DarkSide Ransomware", "analytic_story": "DarkSide Ransomware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1197", "mitre_attack_technique": "BITS Jobs", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT39", "APT41", "Leviathan", "Patchwork"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.003", "mitre_attack_technique": "CMSTP", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "MuddyWater"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1020", "mitre_attack_technique": "Automated Exfiltration", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Gamaredon Group", "Ke3chang", "Sidewinder", "Tropic Trooper"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Execution", "Exfiltration", "Impact", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule", "ESCU - CMLUA Or CMSTPLUA UAC Bypass - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Delete ShadowCopy With PowerShell - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect RClone Command-Line Usage - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Detect Renamed RClone - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - SLUI RunAs Elevated - Rule", "ESCU - SLUI Spawning a Process - Rule", "ESCU - Windows Possible Credential Dumping - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "BITS Jobs"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CertUtil Download With VerifyCtl and Split Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CMLUA Or CMSTPLUA UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Delete ShadowCopy With PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Detect RClone Command-Line Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Automated Exfiltration"}]}}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Detect Renamed RClone", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Automated Exfiltration"}]}}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "SLUI RunAs Elevated", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "SLUI Spawning a Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}]}, {"name": "LockBit Ransomware", "id": "67e5b98d-16d6-46a6-8d00-070a3d1a5cfc", "version": 1, "date": "2023-01-16", "author": "Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the LockBit ransomware, including looking for file writes (file encryption and ransomware notes), deleting services, terminating processes, registry key modification and more.", "narrative": "LockBit ransomware was first seen in 2019. This ransomware was used by cybercriminal in targeting multiple sectors and organizations. Lockbit is one of the ransomware being offered as a Ransomware-as-a-Service(RaaS) and also known to affiliates to implement the 'double extortion' techniques by uploading the stolen and sensitive victim information to their dark website and then threatening to sell/release it in public if their demands are not met. LockBit Ransomware advertised opportunities for threat actors that could provide credential access via RDP and VPN. Aside from this it is also uses threat emulation like Cobalt Strike and Metasploit to gain foot hold to the targeted host and persist if needed.", "references": ["https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html", "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/", "https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom", "https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html"], "tags": {"name": "LockBit Ransomware", "analytic_story": "LockBit Ransomware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.003", "mitre_attack_technique": "CMSTP", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "MuddyWater"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Impact", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - CMLUA Or CMSTPLUA UAC Bypass - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Fsutil Zeroing File - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - Known Services Killed by Ransomware - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - UAC Bypass With Colorui COM Object - Rule", "ESCU - Wbemprox COM Object Execution - Rule", "ESCU - Windows Modify Registry Default Icon Setting - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMLUA Or CMSTPLUA UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Fsutil Zeroing File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "High Process Termination Frequency", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "Known Services Killed by Ransomware", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Defacement"}]}}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "UAC Bypass With Colorui COM Object", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}}, {"name": "Wbemprox COM Object Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}}, {"name": "Windows Modify Registry Default Icon Setting", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}]}, {"name": "Prestige Ransomware", "id": "8b8d8506-b931-450c-b794-f24184ca1deb", "version": 1, "date": "2022-11-30", "author": "Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Prestige Ransomware", "narrative": "This story addresses Prestige ransomware. This ransomware payload seen by Microsoft Threat Intelligence Center(MSTIC) as a ransomware campaign targeting organization in the transportation and logistic industries in some countries. This ransomware campaign highlight the destructive attack to its target organization that directly supplies or transporting military and humanitarian services or assistance. MSTIC observed this ransomware has similarities in terms of its deployment techniques with CaddyWiper and HermeticWiper which is also known malware campaign impacted multiple targeted critical infrastructure organizations. This analytic story will provide techniques and analytics that may help SOC or security researchers to monitor this threat.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"name": "Prestige Ransomware", "analytic_story": "Prestige Ransomware", "category": ["Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.005", "mitre_attack_technique": "Network Share Connection Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Threat Group-3390"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "admin@338"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016.001", "mitre_attack_technique": "Internet Connection Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Gamaredon Group", "HAFNIUM", "HEXANE", "Magic Hound", "Turla"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003.005", "mitre_attack_technique": "Cached Domain Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "Leafminer", "MuddyWater", "OilRig"]}, {"mitre_attack_id": "T1115", "mitre_attack_technique": "Clipboard Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT38", "APT39"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon"]}, {"mitre_attack_id": "T1552.002", "mitre_attack_technique": "Credentials in Registry", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT32"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1202", "mitre_attack_technique": "Indirect Command Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TeamTNT", "Tropic Trooper", "Turla", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "ZIRCONIUM"]}, {"mitre_attack_id": "T1555.005", "mitre_attack_technique": "Password Managers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Fox Kitten", "Threat Group-3390"]}, {"mitre_attack_id": "T1552.004", "mitre_attack_technique": "Private Keys", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1547.005", "mitre_attack_technique": "Security Support Provider", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Windshift", "Wizard Spider", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Collection", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Change Default File Association - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Windows Cached Domain Credentials Reg Query - Rule", "ESCU - Windows Change Default File Association For No File Ext - Rule", "ESCU - Windows ClipBoard Data via Get-ClipBoard - Rule", "ESCU - Windows Credentials from Password Stores Query - Rule", "ESCU - Windows Credentials in Registry Reg Query - Rule", "ESCU - Windows Indirect Command Execution Via Series Of Forfiles - Rule", "ESCU - Windows Information Discovery Fsutil - Rule", "ESCU - Windows Modify Registry Reg Restore - Rule", "ESCU - Windows Password Managers Discovery - Rule", "ESCU - Windows Private Keys Discovery - Rule", "ESCU - Windows Query Registry Reg Save - Rule", "ESCU - Windows Security Support Provider Reg Query - Rule", "ESCU - Windows Service Stop Via Net and SC Application - Rule", "ESCU - Windows Steal or Forge Kerberos Tickets Klist - Rule", "ESCU - Windows System Network Config Discovery Display DNS - Rule", "ESCU - Windows System Network Connections Discovery Netsh - Rule", "ESCU - Windows System User Discovery Via Quser - Rule", "ESCU - Windows WMI Process And Service List - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Network Share Connection Removal"}]}}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Excessive Usage Of Cacls App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Access Removal"}]}}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Connection Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Internet Connection Discovery"}]}}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "WBAdmin Delete System Backups", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Windows Cached Domain Credentials Reg Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cached Domain Credentials"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Change Default File Association For No File Ext", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Windows ClipBoard Data via Get-ClipBoard", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Clipboard Data"}]}}, {"name": "Windows Credentials from Password Stores Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}]}}, {"name": "Windows Credentials in Registry Reg Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials in Registry"}, {"mitre_attack_technique": "Unsecured Credentials"}]}}, {"name": "Windows Indirect Command Execution Via Series Of Forfiles", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indirect Command Execution"}]}}, {"name": "Windows Information Discovery Fsutil", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Information Discovery"}]}}, {"name": "Windows Modify Registry Reg Restore", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Password Managers Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Managers"}]}}, {"name": "Windows Private Keys Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Private Keys"}, {"mitre_attack_technique": "Unsecured Credentials"}]}}, {"name": "Windows Query Registry Reg Save", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Security Support Provider Reg Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Support Provider"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows Service Stop Via Net and SC Application", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Windows Steal or Forge Kerberos Tickets Klist", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows System Network Config Discovery Display DNS", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}]}}, {"name": "Windows System Network Connections Discovery Netsh", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Windows System User Discovery Via Quser", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "Windows WMI Process And Service List", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}]}, {"name": "Revil Ransomware", "id": "817cae42-f54b-457a-8a36-fbf45521e29e", "version": 1, "date": "2021-06-04", "author": "Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Revil ransomware, including looking for file writes associated with Revil, encrypting network shares, deleting shadow volume storage, registry key modification, deleting of security logs, and more.", "narrative": "Revil ransomware is a RaaS,that a single group may operates and manges the development of this ransomware. It involve the use of ransomware payloads along with exfiltration of data. Malicious actors demand payment for ransome of data and threaten deletion and exposure of exfiltrated data.", "references": ["https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/"], "tags": {"name": "Revil Ransomware", "analytic_story": "Revil Ransomware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Earth Lusca", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.003", "mitre_attack_technique": "CMSTP", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "MuddyWater"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Impact", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Allow Network Discovery In Firewall - Rule", "ESCU - Delete ShadowCopy With PowerShell - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Msmpeng Application DLL Side Loading - Rule", "ESCU - Powershell Disable Security Monitoring - Rule", "ESCU - Revil Common Exec Parameter - Rule", "ESCU - Revil Registry Entry - Rule", "ESCU - Wbemprox COM Object Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Network Discovery In Firewall", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Delete ShadowCopy With PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Defacement"}]}}, {"name": "Msmpeng Application DLL Side Loading", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Powershell Disable Security Monitoring", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Revil Common Exec Parameter", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}]}}, {"name": "Revil Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Wbemprox COM Object Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}}]}, {"name": "Ryuk Ransomware", "id": "507edc74-13d5-4339-878e-b9744ded1f35", "version": 1, "date": "2020-11-06", "author": "Jose Hernandez, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Ryuk ransomware, including looking for file writes associated with Ryuk, Stopping Security Access Manager, DisableAntiSpyware registry key modification, suspicious psexec use, and more.", "narrative": "Cybersecurity Infrastructure Security Agency (CISA) released Alert (AA20-302A) on October 28th called Ransomware Activity Targeting the Healthcare and Public Health Sector. This alert details TTPs associated with ongoing and possible imminent attacks against the Healthcare sector, and is a joint advisory in coordination with other U.S. Government agencies. The objective of these malicious campaigns is to infiltrate targets in named sectors and to drop ransomware payloads, which will likely cause disruption of service and increase risk of actual harm to the health and safety of patients at hospitals, even with the aggravant of an ongoing COVID-19 pandemic. This document specifically refers to several crimeware exploitation frameworks, emphasizing the use of Ryuk ransomware as payload. The Ryuk ransomware payload is not new. It has been well documented and identified in multiple variants. Payloads need a carrier, and for Ryuk it has often been exploitation frameworks such as Cobalt Strike, or popular crimeware frameworks such as Emotet or Trickbot.", "references": ["https://www.splunk.com/en_us/blog/security/detecting-ryuk-using-splunk-attack-range.html", "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", "https://us-cert.cisa.gov/ncas/alerts/aa20-302a"], "tags": {"name": "Ryuk Ransomware", "analytic_story": "Ryuk Ransomware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion", "Discovery", "Execution", "Impact", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Windows connhost exe started forcefully - Rule", "ESCU - BCDEdit Failure Recovery Modification - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Ryuk Test Files Detected - Rule", "ESCU - Ryuk Wake on LAN Command - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Security Account Manager Stopped - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - Remote Desktop Network Bruteforce - Rule", "ESCU - Remote Desktop Network Traffic - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": ["ESCU - Identify Systems Creating Remote Desktop Traffic", "ESCU - Identify Systems Receiving Remote Desktop Traffic", "ESCU - Identify Systems Using Remote Desktop"], "author_company": "Splunk", "author_name": "Jose Hernandez", "detections": [{"name": "Windows connhost exe started forcefully", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "BCDEdit Failure Recovery Modification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}]}}, {"name": "Ryuk Test Files Detected", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "Ryuk Wake on LAN Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "Spike in File Writes", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WBAdmin Delete System Backups", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Security Account Manager Stopped", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Remote Desktop Network Bruteforce", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Remote Desktop Network Traffic", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}]}, {"name": "SamSam Ransomware", "id": "c4b89506-fbcf-4cb7-bfd6-527e54789604", "version": 1, "date": "2018-12-13", "author": "Rico Valdez, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the SamSam ransomware, including looking for file writes associated with SamSam, RDP brute force attacks, the presence of files with SamSam ransomware extensions, suspicious psexec use, and more.", "narrative": "The first version of the SamSam ransomware (a.k.a. Samas or SamsamCrypt) was launched in 2015 by a group of Iranian threat actors. The malicious software has affected and continues to affect thousands of victims and has raised almost $6M in ransom.\\\nAlthough categorized under the heading of ransomware, SamSam campaigns have some importance distinguishing characteristics. Most notable is the fact that conventional ransomware is a numbers game. Perpetrators use a \"spray-and-pray\" approach with phishing campaigns or other mechanisms, charging a small ransom (typically under $1,000). The goal is to find a large number of victims willing to pay these mini-ransoms, adding up to a lucrative payday. They use relatively simple methods for infecting systems.\\\nSamSam attacks are different beasts. They have become progressively more targeted and skillful than typical ransomware attacks. First, malicious actors break into a victim's network, surveil it, then run the malware manually. The attacks are tailored to cause maximum damage and the threat actors usually demand amounts in the tens of thousands of dollars.\\\nIn a typical attack on one large healthcare organization in 2018, the company ended up paying a ransom of four Bitcoins, then worth $56,707. Reports showed that access to the company's files was restored within two hours of paying the sum.\\\nAccording to Sophos, SamSam previously leveraged RDP to gain access to targeted networks via brute force. SamSam is not spread automatically, like other malware. It requires skill because it forces the attacker to adapt their tactics to the individual environment. Next, the actors escalate their privileges to admin level. They scan the networks for worthy targets, using conventional tools, such as PsExec or PaExec, to deploy/execute, quickly encrypting files.\\\nThis Analytic Story includes searches designed to help detect and investigate signs of the SamSam ransomware, such as the creation of fileswrites to system32, writes with tell-tale extensions, batch files written to system32, and evidence of brute-force attacks via RDP.", "references": ["https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/", "https://nakedsecurity.sophos.com/2018/07/31/samsam-the-almost-6-million-ransomware/", "https://thehackernews.com/2018/07/samsam-ransomware-attacks.html"], "tags": {"name": "SamSam Ransomware", "analytic_story": "SamSam Ransomware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036.005", "mitre_attack_technique": "Match Legitimate Name or Location", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT32", "APT39", "APT41", "Aoqin Dragon", "BRONZE BUTLER", "BackdoorDiplomacy", "Blue Mockingbird", "Carbanak", "Chimera", "Darkhotel", "Earth Lusca", "FIN7", "Ferocious Kitten", "Fox Kitten", "Gamaredon Group", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Poseidon Group", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "Sowbug", "TEMP.Veles", "TeamTNT", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1595", "mitre_attack_technique": "Active Scanning", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}, {"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TeamTNT", "Tropic Trooper", "Turla", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Lateral Movement", "Reconnaissance"], "datamodels": ["Endpoint", "Network_Traffic", "Web"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Prohibited Software On Endpoint - Rule", "ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Batch File Write to System32 - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - File with Samsam Extension - Rule", "ESCU - Samsam Test File Write - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Remote Desktop Network Bruteforce - Rule", "ESCU - Remote Desktop Network Traffic - Rule", "ESCU - Detect attackers scanning for vulnerable JBoss servers - Rule", "ESCU - Detect malicious requests to exploit JBoss servers - Rule"], "investigation_names": ["ESCU - Get Backup Logs For Endpoint - Response Task", "ESCU - Get History Of Email Sources - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task", "ESCU - Investigate Successful Remote Desktop Authentications - Response Task"], "baseline_names": ["ESCU - Add Prohibited Processes to Enterprise Security", "ESCU - Identify Systems Creating Remote Desktop Traffic", "ESCU - Identify Systems Receiving Remote Desktop Traffic", "ESCU - Identify Systems Using Remote Desktop"], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Prohibited Software On Endpoint", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Match Legitimate Name or Location"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "Active Scanning"}]}}, {"name": "Batch File Write to System32", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}, {"mitre_attack_technique": "Malicious File"}]}}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "File with Samsam Extension", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Samsam Test File Write", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "Spike in File Writes", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Remote Desktop Network Bruteforce", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Remote Desktop Network Traffic", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Detect attackers scanning for vulnerable JBoss servers", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Information Discovery"}]}}, {"name": "Detect malicious requests to exploit JBoss servers", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "RedLine Stealer", "id": "12e31e8b-671b-4d6e-b362-a682812a71eb", "version": 1, "date": "2023-04-24", "author": "Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Redline Stealer trojan, including looking for file writes associated with its payload, screencapture, registry modification, persistence and data collection..", "narrative": "RedLine Stealer is a malware available on underground forum and subscription basis that are compiled or written in C#. This malware is capable of harvesting sensitive information from browsers such as saved credentials, auto file data, browser cookies and credit card information. It also gathers system information of the targeted or compromised host like username, location IP, RAM size available, hardware configuration and software installed. The current version of this malware contains features to steal wallet and crypto currency information.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer", "https://blogs.blackberry.com/en/2021/10/threat-thursday-redline-infostealer-update"], "tags": {"name": "RedLine Stealer", "analytic_story": "RedLine Stealer", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "ZIRCONIUM"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Impact", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Updates"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disabling Defender Services - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Event For Service Disabled - Rule", "ESCU - Windows Modify Registry Auto Minor Updates - Rule", "ESCU - Windows Modify Registry Auto Update Notif - Rule", "ESCU - Windows Modify Registry Disable WinDefender Notifications - Rule", "ESCU - Windows Modify Registry Do Not Connect To Win Update - Rule", "ESCU - Windows Modify Registry No Auto Reboot With Logon User - Rule", "ESCU - Windows Modify Registry No Auto Update - Rule", "ESCU - Windows Modify Registry Tamper Protection - Rule", "ESCU - Windows Modify Registry UpdateServiceUrlAlternate - Rule", "ESCU - Windows Modify Registry USeWuServer - Rule", "ESCU - Windows Modify Registry WuServer - Rule", "ESCU - Windows Modify Registry wuStatusServer - Rule", "ESCU - Windows Query Registry Browser List Application - Rule", "ESCU - Windows Query Registry UnInstall Program List - Rule", "ESCU - Windows Service Stop Win Updates - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling Defender Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Event For Service Disabled", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Modify Registry Auto Minor Updates", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Auto Update Notif", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Disable WinDefender Notifications", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Do Not Connect To Win Update", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry No Auto Reboot With Logon User", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry No Auto Update", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Tamper Protection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry UpdateServiceUrlAlternate", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry USeWuServer", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry WuServer", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry wuStatusServer", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Query Registry Browser List Application", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Query Registry UnInstall Program List", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Service Stop Win Updates", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}]}, {"name": "Remcos", "id": "2bd4aa08-b9a5-40cf-bfe5-7d43f13d496c", "version": 1, "date": "2021-09-23", "author": "Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Remcos RAT trojan, including looking for file writes associated with its payload, screencapture, registry modification, UAC bypassed, persistence and data collection..", "narrative": "Remcos or Remote Control and Surveillance, marketed as a legitimate software for remotely managing Windows systems is now widely used in multiple malicious campaigns both APT and commodity malware by threat actors.", "references": ["https://success.trendmicro.com/solution/1123281-remcos-malware-information", "https://attack.mitre.org/software/S0332/", "https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos#:~:text=Remcos%20(acronym%20of%20Remote%20Control,used%20to%20remotely%20control%20computers.&text=Remcos%20can%20be%20used%20for,been%20used%20in%20hacking%20campaigns."], "tags": {"name": "Remcos", "analytic_story": "Remcos", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1055.001", "mitre_attack_technique": "Dynamic-link Library Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["BackdoorDiplomacy", "Lazarus Group", "Leviathan", "Putter Panda", "TA505", "Tropic Trooper", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1559.001", "mitre_attack_technique": "Component Object Model", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["Gamaredon Group", "MuddyWater"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1113", "mitre_attack_technique": "Screen Capture", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT39", "BRONZE BUTLER", "Dark Caracal", "Dragonfly", "FIN7", "GOLD SOUTHFIELD", "Gamaredon Group", "Group5", "Magic Hound", "MuddyWater", "OilRig", "Silence"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1134.004", "mitre_attack_technique": "Parent PID Spoofing", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}], "mitre_attack_tactics": ["Collection", "Credential Access", "Defense Evasion", "Execution", "Initial Access", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Jscript Execution Using Cscript App - Rule", "ESCU - Loading Of Dynwrapx Module - Rule", "ESCU - Malicious InProcServer32 Modification - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning Windows Script Host - Rule", "ESCU - Possible Browser Pass View Parameter - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Process Writing DynamicWrapperX - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Remcos client registry install entry - Rule", "ESCU - Remcos RAT File Creation in Remcos Folder - Rule", "ESCU - Suspicious Image Creation In Appdata Folder - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious WAV file in Appdata Folder - Rule", "ESCU - System Info Gathering Using Dxdiag Application - Rule", "ESCU - Vbscript Execution Using Wscript App - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Winhlp32 Spawning a Process - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Jscript Execution Using Cscript App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}}, {"name": "Loading Of Dynwrapx Module", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Dynamic-link Library Injection"}]}}, {"name": "Malicious InProcServer32 Modification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Regsvr32"}, {"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Possible Browser Pass View Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Web Browsers"}, {"mitre_attack_technique": "Credentials from Password Stores"}]}}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Process Deleting Its Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Process Writing DynamicWrapperX", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Component Object Model"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Remcos client registry install entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Remcos RAT File Creation in Remcos Folder", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Screen Capture"}]}}, {"name": "Suspicious Image Creation In Appdata Folder", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Screen Capture"}]}}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious WAV file in Appdata Folder", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Screen Capture"}]}}, {"name": "System Info Gathering Using Dxdiag Application", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}, {"name": "Vbscript Execution Using Wscript App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Winhlp32 Spawning a Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}]}, {"name": "Reverse Network Proxy", "id": "265e4127-21fd-43e4-adac-ec5d12274111", "version": 1, "date": "2022-11-16", "author": "Michael Haag, Splunk", "description": "The following analytic story describes applications that may be abused to reverse proxy back into an organization, either for persistence or remote access.", "narrative": "This analytic story covers tools like Ngrok which is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. Ngrok in particular has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration. There are many open source and closed/paid that fall into this reverse proxy category. The analytic story and complemented analytics will be released as more are identified.", "references": ["https://attack.mitre.org/software/S0508/", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf"], "tags": {"name": "Reverse Network Proxy", "analytic_story": "Reverse Network Proxy", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1572", "mitre_attack_technique": "Protocol Tunneling", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Chimera", "Cobalt Group", "FIN6", "Fox Kitten", "Leviathan", "Magic Hound", "OilRig"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "POLONIUM", "Sandworm Team", "Turla", "Windigo"]}, {"mitre_attack_id": "T1102", "mitre_attack_technique": "Web Service", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT32", "EXOTIC LILY", "Ember Bear", "FIN6", "FIN8", "Fox Kitten", "Gamaredon Group", "Inception", "LazyScripter", "Mustang Panda", "Rocke", "TeamTNT", "Turla"]}], "mitre_attack_tactics": ["Command And Control"], "datamodels": ["Endpoint", "Network_Resolution"], "kill_chain_phases": ["Command And Control"]}, "detection_names": ["ESCU - Linux Ngrok Reverse Proxy Usage - Rule", "ESCU - Windows Ngrok Reverse Proxy Usage - Rule", "ESCU - Ngrok Reverse Proxy on Network - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Linux Ngrok Reverse Proxy Usage", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Protocol Tunneling"}, {"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Web Service"}]}}, {"name": "Windows Ngrok Reverse Proxy Usage", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Protocol Tunneling"}, {"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Web Service"}]}}, {"name": "Ngrok Reverse Proxy on Network", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Protocol Tunneling"}, {"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Web Service"}]}}]}, {"name": "Router and Infrastructure Security", "id": "91c676cf-0b23-438d-abee-f6335e177e77", "version": 1, "date": "2017-09-12", "author": "Bhavin Patel, Splunk", "description": "Validate the security configuration of network infrastructure and verify that only authorized users and systems are accessing critical assets. Core routing and switching infrastructure are common strategic targets for attackers.", "narrative": "Networking devices, such as routers and switches, are often overlooked as resources that attackers will leverage to subvert an enterprise. Advanced threats actors have shown a proclivity to target these critical assets as a means to siphon and redirect network traffic, flash backdoored operating systems, and implement cryptographic weakened algorithms to more easily decrypt network traffic.\\\nThis Analytic Story helps you gain a better understanding of how your network devices are interacting with your hosts. By compromising your network devices, attackers can obtain direct access to the company's internal infrastructure— effectively increasing the attack surface and accessing private services/data.", "references": ["https://web.archive.org/web/20210420020040/https://www.fireeye.com/blog/executive-perspective/2015/09/the_new_route_toper.html", "https://www.cisco.com/c/en/us/about/security-center/event-response/synful-knock.html"], "tags": {"name": "Router and Infrastructure Security", "analytic_story": "Router and Infrastructure Security", "category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1200", "mitre_attack_technique": "Hardware Additions", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["DarkVishnya"]}, {"mitre_attack_id": "T1498", "mitre_attack_technique": "Network Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1557", "mitre_attack_technique": "Adversary-in-the-Middle", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1557.002", "mitre_attack_technique": "ARP Cache Poisoning", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["Cleaver", "LuminousMoth"]}, {"mitre_attack_id": "T1542.005", "mitre_attack_technique": "TFTP Boot", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1542", "mitre_attack_technique": "Pre-OS Boot", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1020", "mitre_attack_technique": "Automated Exfiltration", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Gamaredon Group", "Ke3chang", "Sidewinder", "Tropic Trooper"]}, {"mitre_attack_id": "T1020.001", "mitre_attack_technique": "Traffic Duplication", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Collection", "Credential Access", "Defense Evasion", "Exfiltration", "Impact", "Initial Access", "Persistence"], "datamodels": ["Authentication", "Network_Traffic"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Detect New Login Attempts to Routers - Rule", "ESCU - Detect ARP Poisoning - Rule", "ESCU - Detect IPv6 Network Infrastructure Threats - Rule", "ESCU - Detect Port Security Violation - Rule", "ESCU - Detect Rogue DHCP Server - Rule", "ESCU - Detect Software Download To Network Device - Rule", "ESCU - Detect Traffic Mirroring - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect New Login Attempts to Routers", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Detect ARP Poisoning", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hardware Additions"}, {"mitre_attack_technique": "Network Denial of Service"}, {"mitre_attack_technique": "Adversary-in-the-Middle"}, {"mitre_attack_technique": "ARP Cache Poisoning"}]}}, {"name": "Detect IPv6 Network Infrastructure Threats", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hardware Additions"}, {"mitre_attack_technique": "Network Denial of Service"}, {"mitre_attack_technique": "Adversary-in-the-Middle"}, {"mitre_attack_technique": "ARP Cache Poisoning"}]}}, {"name": "Detect Port Security Violation", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hardware Additions"}, {"mitre_attack_technique": "Network Denial of Service"}, {"mitre_attack_technique": "Adversary-in-the-Middle"}, {"mitre_attack_technique": "ARP Cache Poisoning"}]}}, {"name": "Detect Rogue DHCP Server", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hardware Additions"}, {"mitre_attack_technique": "Network Denial of Service"}, {"mitre_attack_technique": "Adversary-in-the-Middle"}]}}, {"name": "Detect Software Download To Network Device", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "TFTP Boot"}, {"mitre_attack_technique": "Pre-OS Boot"}]}}, {"name": "Detect Traffic Mirroring", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hardware Additions"}, {"mitre_attack_technique": "Automated Exfiltration"}, {"mitre_attack_technique": "Network Denial of Service"}, {"mitre_attack_technique": "Traffic Duplication"}]}}]}, {"name": "Sandworm Tools", "id": "54146850-9d26-4877-a611-2db33231e63e", "version": 1, "date": "2022-04-05", "author": "Teoderick Contreras, Splunk", "description": "This analytic story features detections that enable security analysts to identify and investigate unusual activities potentially related to the destructive malware and tools employed by the \"Sandworm\" group. This analytic story focuses on monitoring suspicious process executions, command-line activities, Master Boot Record (MBR) wiping, data destruction, and other related indicators.", "narrative": "The Sandworm group's tools are part of destructive malware operations designed to disrupt or attack Ukraine's National Information Agencies. This operation campaign consists of several malware components, including scripts, native Windows executables (LOLBINs), data wiper malware that overwrites or destroys the Master Boot Record (MBR), and file wiping using sdelete.exe on targeted hosts.", "references": ["https://cert.gov.ua/article/3718487", "https://attack.mitre.org/groups/G0034/"], "tags": {"name": "Sandworm Tools", "analytic_story": "Sandworm Tools", "category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1036.004", "mitre_attack_technique": "Masquerade Task or Service", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT41", "BITTER", "BackdoorDiplomacy", "Carbanak", "FIN6", "FIN7", "Fox Kitten", "Higaisa", "Kimsuky", "Lazarus Group", "Magic Hound", "Naikon", "PROMETHIUM", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1550.003", "mitre_attack_technique": "Pass the Ticket", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT29", "APT32", "BRONZE BUTLER"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1590.002", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Execution", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Icacls Deny Command - Rule", "ESCU - Linux Iptables Firewall Modification - Rule", "ESCU - Linux Kworker Process In Writable Process Path - Rule", "ESCU - Local Account Discovery with Net - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - Permission Modification using Takeown App - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Windows DNS Gather Network Info - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Icacls Deny Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Linux Iptables Firewall Modification", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Linux Kworker Process In Writable Process Path", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerade Task or Service"}, {"mitre_attack_technique": "Masquerading"}]}}, {"name": "Local Account Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}]}}, {"name": "Permission Modification using Takeown App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "Masquerading"}]}}, {"name": "Windows DNS Gather Network Info", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}]}}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Mimikatz Crypto Export File Extensions", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}]}, {"name": "Signed Binary Proxy Execution InstallUtil", "id": "9482a314-43dc-11ec-a3c9-acde48001122", "version": 1, "date": "2021-11-12", "author": "Michael Haag, Splunk", "description": "Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility.", "narrative": "InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. InstallUtil is digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\\Windows\\Microsoft.NET\\Framework\\v\\InstallUtil.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v\\InstallUtil.exe. \\\nThere are multiple ways to instantiate InstallUtil and they are all outlined within Atomic Red Team - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md. Two specific ways may be used and that includes invoking via installer assembly class constructor through .NET and via InstallUtil.exe. \\\nTypically, adversaries will utilize the most commonly found way to invoke via InstallUtil Uninstall method. \\\nNote that parallel processes, and parent process, play a role in how InstallUtil is being used. In particular, a developer using InstallUtil will spawn from VisualStudio. Adversaries, will spawn from non-standard processes like Explorer.exe, cmd.exe or PowerShell.exe. It's important to review the command-line to identify the DLL being loaded. \\\nParallel processes may also include csc.exe being used to compile a local `.cs` file. This file will be the input to the output. Developers usually do not build direct on the command shell, therefore this should raise suspicion.", "references": ["https://attack.mitre.org/techniques/T1218/004/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"], "tags": {"name": "Signed Binary Proxy Execution InstallUtil", "analytic_story": "Signed Binary Proxy Execution InstallUtil", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows InstallUtil Credential Theft - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows InstallUtil Remote Network Connection - Rule", "ESCU - Windows InstallUtil Uninstall Option - Rule", "ESCU - Windows InstallUtil Uninstall Option with Network - Rule", "ESCU - Windows InstallUtil URL in Command Line - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows InstallUtil Credential Theft", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows InstallUtil Remote Network Connection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows InstallUtil Uninstall Option", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows InstallUtil Uninstall Option with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows InstallUtil URL in Command Line", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}]}, {"name": "Silver Sparrow", "id": "cb4f48fe-7699-11eb-af77-acde48001122", "version": 1, "date": "2021-02-24", "author": "Michael Haag, Splunk", "description": "Silver Sparrow, identified by Red Canary Intelligence, is a new forward looking MacOS (Intel and M1) malicious software downloader utilizing JavaScript for execution and a launchAgent to establish persistence.", "narrative": "Silver Sparrow works is a dropper and uses typical persistence mechanisms on a Mac. It is cross platform, covering both Intel and Apple M1 architecture. To this date, no implant has been downloaded for malicious purposes. During installation of the update.pkg or updater.pkg file, the malicious software utilizes JavaScript to generate files and scripts on disk for persistence.These files later download a implant from an S3 bucket every hour. This analytic assists with identifying different types of macOS malware families establishing LaunchAgent persistence. Per SentinelOne source, it is predicted that Silver Sparrow is likely selling itself as a mechanism to 3rd party Caffiliates or pay-per-install (PPI) partners, typically seen as commodity adware/malware. Additional indicators and behaviors may be found within the references.", "references": ["https://redcanary.com/blog/clipping-silver-sparrows-wings/", "https://www.sentinelone.com/blog/5-things-you-need-to-know-about-silver-sparrow/"], "tags": {"name": "Silver Sparrow", "analytic_story": "Silver Sparrow", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1543.001", "mitre_attack_technique": "Launch Agent", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1074", "mitre_attack_technique": "Data Staged", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Wizard Spider"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Suspicious Curl Network Connection - Rule", "ESCU - Suspicious PlistBuddy Usage - Rule", "ESCU - Suspicious PlistBuddy Usage via OSquery - Rule", "ESCU - Suspicious SQLite3 LSQuarantine Behavior - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Suspicious Curl Network Connection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Suspicious PlistBuddy Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Launch Agent"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious PlistBuddy Usage via OSquery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Launch Agent"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious SQLite3 LSQuarantine Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Staged"}]}}]}, {"name": "Snake Malware", "id": "032bacbb-f90d-43aa-bbcc-d87f169a29c8", "version": 1, "date": "2023-05-10", "author": "Michael Haag, Splunk", "description": "The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia's Federal Security Service (FSB) for long-term intelligence collection on sensitive targets.", "narrative": "The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia's Federal Security Service (FSB) for long-term intelligence collection on sensitive targets. To conduct operations using this tool, the FSB created a covert peer-to-peer (P2P) network of numerous Snake-infected computers worldwide. Many systems in this P2P network serve as relay nodes which route disguised operational traffic to and from Snake implants on the FSB's ultimate targets. Snake's custom communications protocols employ encryption and fragmentation for confidentiality and are designed to hamper detection and collection efforts. We consider Snake to be the most sophisticated cyber espionage tool in the FSB's arsenal. The sophistication of Snake stems from three principal areas. First, Snake employs means to achieve a rare level of stealth in its host components and network communications. Second, Snake's internal technical architecture allows for easy incorporation of new or replacement components. This design also facilitates the development and interoperability of Snake instances running on different host operating systems. We have observed interoperable Snake implants for Windows, MacOS, and Linux operating systems. Lastly, Snake demonstrates careful software engineering design and implementation, with the implant containing surprisingly few bugs given its complexity. (CISA, 2023)", "references": ["https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"], "tags": {"name": "Snake Malware", "analytic_story": "Snake Malware", "category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Created Within Public Path - Rule", "ESCU - Windows Snake Malware File Modification Crmlog - Rule", "ESCU - Windows Snake Malware Kernel Driver Comadmin - Rule", "ESCU - Windows Snake Malware Registry Modification wav OpenWithProgIds - Rule", "ESCU - Windows Snake Malware Service Create - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Windows Service Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Windows Snake Malware File Modification Crmlog", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Windows Snake Malware Kernel Driver Comadmin", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}]}}, {"name": "Windows Snake Malware Registry Modification wav OpenWithProgIds", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Snake Malware Service Create", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Service Execution"}]}}]}, {"name": "Sneaky Active Directory Persistence Tricks", "id": "f676c4c1-c769-4ecb-9611-5fd85b497c56", "version": 1, "date": "2022-08-29", "author": "Dean Luxton, Mauricio Velazco, Splunk", "description": "Monitor for activities and techniques associated with Windows Active Directory persistence techniques.", "narrative": "Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Active Directory is a centralized and hierarchical database that stores information about users, computers, and other resources on a network. It provides secure and efficient management of these resources and enables administrators to enforce security policies and delegate administrative tasks.\\\nIn 2015 Active Directory security researcher Sean Metcalf published a blog post titled `Sneaky Active Directory Persistence Tricks`. In this blog post, Sean described several methods through which an attacker could persist administrative access on an Active Directory network after having Domain Admin level rights for a short period of time. At the time of writing, 8 years after the initial blog post, most of these techniques are still possible since they abuse legitimate administrative functionality and not software vulnerabilities. Security engineers defending Active Directory networks should be aware of these technique available to adversaries post exploitation and deploy both preventive and detective security controls for them.\\\nThis analytic story groups detection opportunities for most of the techniques described on Seans blog post as well as other high impact attacks against Active Directory networks and Domain Controllers like DCSync and DCShadow. For some of these detection opportunities, it is necessary to enable the necessary GPOs and SACLs required, otherwise the event codes will not trigger. Each detection includes a list of requirements for enabling logging.", "references": ["https://adsecurity.org/?p=1929", "https://www.youtube.com/watch?v=Lz6haohGAMc&feature=youtu.be", "https://adsecurity.org/wp-content/uploads/2015/09/DEFCON23-2015-Metcalf-RedvsBlue-ADAttackAndDefense-Final.pdf", "https://attack.mitre.org/tactics/TA0003/", "https://www.dcshadow.com", "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", "https://www.linkedin.com/pulse/mimikatz-dcsync-event-log-detections-john-dwyer"], "tags": {"name": "Sneaky Active Directory Persistence Tricks", "analytic_story": "Windows Domain Controller Attacks", "category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134.005", "mitre_attack_technique": "SID-History Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1207", "mitre_attack_technique": "Rogue Domain Controller", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1003.006", "mitre_attack_technique": "DCSync", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Earth Lusca", "LAPSUS$"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1484.001", "mitre_attack_technique": "Group Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "Chimera", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "Wizard Spider"]}, {"mitre_attack_id": "T1547.005", "mitre_attack_technique": "Security Support Provider", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Authentication", "Change", "Endpoint", "Network_Traffic"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Windows AD AdminSDHolder ACL Modified - Rule", "ESCU - Windows AD Cross Domain SID History Addition - Rule", "ESCU - Windows AD Domain Controller Audit Policy Disabled - Rule", "ESCU - Windows AD Domain Controller Promotion - Rule", "ESCU - Windows AD Domain Replication ACL Addition - Rule", "ESCU - Windows AD DSRM Account Changes - Rule", "ESCU - Windows AD DSRM Password Reset - Rule", "ESCU - Windows AD Privileged Account SID History Addition - Rule", "ESCU - Windows AD Replication Request Initiated by User Account - Rule", "ESCU - Windows AD Replication Request Initiated from Unsanctioned Location - Rule", "ESCU - Windows AD Same Domain SID History Addition - Rule", "ESCU - Windows AD Short Lived Domain Account ServicePrincipalName - Rule", "ESCU - Windows AD Short Lived Domain Controller SPN Attribute - Rule", "ESCU - Windows AD Short Lived Server Object - Rule", "ESCU - Windows AD SID History Attribute Modified - Rule", "ESCU - Windows Admon Default Group Policy Object Modified - Rule", "ESCU - Windows Admon Group Policy Object Created - Rule", "ESCU - Windows Default Group Policy Object Modified - Rule", "ESCU - Windows Default Group Policy Object Modified with GPME - Rule", "ESCU - Windows Group Policy Object Created - Rule", "ESCU - Windows Security Support Provider Reg Query - Rule", "ESCU - Windows AD Replication Service Traffic - Rule", "ESCU - Windows AD Rogue Domain Controller Network Activity - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Splunk", "author_name": "Dean Luxton", "detections": [{"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows AD AdminSDHolder ACL Modified", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Windows AD Cross Domain SID History Addition", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SID-History Injection"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Windows AD Domain Controller Audit Policy Disabled", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}]}}, {"name": "Windows AD Domain Controller Promotion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rogue Domain Controller"}]}}, {"name": "Windows AD Domain Replication ACL Addition", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}]}}, {"name": "Windows AD DSRM Account Changes", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Windows AD DSRM Password Reset", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Windows AD Privileged Account SID History Addition", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SID-History Injection"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Windows AD Replication Request Initiated by User Account", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DCSync"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows AD Replication Request Initiated from Unsanctioned Location", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DCSync"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows AD Same Domain SID History Addition", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SID-History Injection"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Windows AD Short Lived Domain Account ServicePrincipalName", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Windows AD Short Lived Domain Controller SPN Attribute", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rogue Domain Controller"}]}}, {"name": "Windows AD Short Lived Server Object", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rogue Domain Controller"}]}}, {"name": "Windows AD SID History Attribute Modified", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Access Token Manipulation"}, {"mitre_attack_technique": "SID-History Injection"}]}}, {"name": "Windows Admon Default Group Policy Object Modified", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}}, {"name": "Windows Admon Group Policy Object Created", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}}, {"name": "Windows Default Group Policy Object Modified", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}}, {"name": "Windows Default Group Policy Object Modified with GPME", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}}, {"name": "Windows Group Policy Object Created", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}, {"mitre_attack_technique": "Domain Accounts"}]}}, {"name": "Windows Security Support Provider Reg Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Support Provider"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows AD Replication Service Traffic", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "DCSync"}, {"mitre_attack_technique": "Rogue Domain Controller"}]}}, {"name": "Windows AD Rogue Domain Controller Network Activity", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rogue Domain Controller"}]}}]}, {"name": "Spearphishing Attachments", "id": "57226b40-94f3-4ce5-b101-a75f67759c27", "version": 1, "date": "2019-04-29", "author": "Splunk Research Team, Splunk", "description": "Detect signs of malicious payloads that may indicate that your environment has been breached via a phishing attack.", "narrative": "Despite its simplicity, phishing remains the most pervasive and dangerous cyberthreat. In fact, research shows that as many as [91% of all successful attacks](https://digitalguardian.com/blog/91-percent-cyber-attacks-start-phishing-email-heres-how-protect-against-phishing) are initiated via a phishing email. \\\nAs most people know, these emails use fraudulent domains, [email scraping](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), familiar contact names inserted as senders, and other tactics to lure targets into clicking a malicious link, opening an attachment with a [nefarious payload](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), or entering sensitive personal information that perpetrators may intercept. This attack technique requires a relatively low level of skill and allows adversaries to easily cast a wide net. Worse, because its success relies on the gullibility of humans, it's impossible to completely \"automate\" it out of your environment. However, you can use ES and ESCU to detect and investigate potentially malicious payloads injected into your environment subsequent to a phishing attack. \\\nWhile any kind of file may contain a malicious payload, some are more likely to be perceived as benign (and thus more often escape notice) by the average victim—especially when the attacker sends an email that seems to be from one of their contacts. An example is Microsoft Office files. Most corporate users are familiar with documents with the following suffixes: .doc/.docx (MS Word), .xls/.xlsx (MS Excel), and .ppt/.pptx (MS PowerPoint), so they may click without a second thought, slashing a hole in their organizations' security. \\\nFollowing is a typical series of events, according to an [article by Trend Micro](https://blog.trendmicro.com/trendlabs-security-intelligence/rising-trend-attackers-using-lnk-files-download-malware/):\\\n1. Attacker sends a phishing email. Recipient downloads the attached file, which is typically a .docx or .zip file with an embedded .lnk file\\\n1. The .lnk file executes a PowerShell script\\\n1. Powershell executes a reverse shell, rendering the exploit successful As a side note, adversaries are likely to use a tool like Empire to craft and obfuscate payloads and their post-injection activities, such as [exfiltration, lateral movement, and persistence](https://github.com/EmpireProject/Empire).\\\nThis Analytic Story focuses on detecting signs that a malicious payload has been injected into your environment. For example, one search detects outlook.exe writing a .zip file. Another looks for suspicious .lnk files launching processes.", "references": ["https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html"], "tags": {"name": "Spearphishing Attachments", "analytic_story": "Spearphishing Attachments", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036.002", "mitre_attack_technique": "Right-to-Left Override", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["BRONZE BUTLER", "BlackTech", "Ferocious Kitten", "Ke3chang", "Scarlet Mimic"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Execution", "Initial Access"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Gdrive suspicious file sharing - Rule", "ESCU - Gsuite suspicious calendar invite - Rule", "ESCU - Detect Outlook exe writing a zip file - Rule", "ESCU - Detect RTLO In File Name - Rule", "ESCU - Detect RTLO In Process - Rule", "ESCU - Excel Spawning PowerShell - Rule", "ESCU - Excel Spawning Windows Script Host - Rule", "ESCU - MSHTML Module Load in Office Product - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Creating Schedule Task - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Document Spawned Child Process To Download - Rule", "ESCU - Office Product Spawning BITSAdmin - Rule", "ESCU - Office Product Spawning CertUtil - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Office Product Spawning Rundll32 with no DLL - Rule", "ESCU - Office Product Spawning Windows Script Host - Rule", "ESCU - Office Product Spawning Wmic - Rule", "ESCU - Office Product Writing cab or inf - Rule", "ESCU - Office Spawning Control - Rule", "ESCU - Process Creating LNK file in Suspicious Location - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Office Product Spawning MSDT - Rule", "ESCU - Windows Phishing PDF File Executes URL Link - Rule", "ESCU - Windows Spearphishing Attachment Connect To None MS Office Domain - Rule", "ESCU - Windows Spearphishing Attachment Onenote Spawn Mshta - Rule", "ESCU - Winword Spawning Cmd - Rule", "ESCU - Winword Spawning PowerShell - Rule", "ESCU - Winword Spawning Windows Script Host - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Splunk Research Team", "detections": [{"name": "Gdrive suspicious file sharing", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}]}}, {"name": "Gsuite suspicious calendar invite", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}]}}, {"name": "Detect Outlook exe writing a zip file", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Detect RTLO In File Name", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Right-to-Left Override"}, {"mitre_attack_technique": "Masquerading"}]}}, {"name": "Detect RTLO In Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Right-to-Left Override"}, {"mitre_attack_technique": "Masquerading"}]}}, {"name": "Excel Spawning PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Excel Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "MSHTML Module Load in Office Product", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Document Creating Schedule Task", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Document Spawned Child Process To Download", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning BITSAdmin", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning Rundll32 with no DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning Wmic", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Writing cab or inf", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Spawning Control", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Process Creating LNK file in Suspicious Location", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Link"}]}}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "Windows Office Product Spawning MSDT", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Windows Phishing PDF File Executes URL Link", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Windows Spearphishing Attachment Connect To None MS Office Domain", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Windows Spearphishing Attachment Onenote Spawn Mshta", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Winword Spawning Cmd", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Winword Spawning PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Winword Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}]}, {"name": "Splunk Vulnerabilities", "id": "5354df00-dce2-48ac-9a64-8adb48006828", "version": 1, "date": "2022-03-28", "author": "Lou Stella, Splunk", "description": "Keeping your Splunk Enterprise deployment up to date is critical and will help you reduce the risk associated with vulnerabilities in the product.", "narrative": "This analytic story includes detections that focus on attacker behavior targeted at your Splunk environment directly.", "references": ["https://www.splunk.com/en_us/product-security/announcements.html"], "tags": {"name": "Splunk Vulnerabilities", "analytic_story": "Splunk Vulnerabilities", "category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1083", "mitre_attack_technique": "File and Directory Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT28", "APT3", "APT32", "APT38", "APT39", "APT41", "Aoqin Dragon", "BRONZE BUTLER", "Chimera", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "Fox Kitten", "Gamaredon Group", "HAFNIUM", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "MuddyWater", "Mustang Panda", "Patchwork", "Sandworm Team", "Sidewinder", "Sowbug", "TeamTNT", "Tropic Trooper", "Turla", "Windigo", "Winnti Group", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1210", "mitre_attack_technique": "Exploitation of Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "Dragonfly", "Earth Lusca", "FIN7", "Fox Kitten", "MuddyWater", "Threat Group-3390", "Tonto Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}, {"mitre_attack_id": "T1567", "mitre_attack_technique": "Exfiltration Over Web Service", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT28", "Magic Hound"]}, {"mitre_attack_id": "T1587.003", "mitre_attack_technique": "Digital Certificates", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29", "PROMETHIUM"]}, {"mitre_attack_id": "T1499.004", "mitre_attack_technique": "Application or System Exploitation", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1498", "mitre_attack_technique": "Network Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1499", "mitre_attack_technique": "Endpoint Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Sandworm Team"]}, {"mitre_attack_id": "T1027.006", "mitre_attack_technique": "HTML Smuggling", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1212", "mitre_attack_technique": "Exploitation for Credential Access", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1001.003", "mitre_attack_technique": "Protocol Impersonation", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Higaisa", "Lazarus Group"]}, {"mitre_attack_id": "T1588.004", "mitre_attack_technique": "Digital Certificates", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["BlackTech", "Lazarus Group", "LuminousMoth", "Silent Librarian"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1040", "mitre_attack_technique": "Network Sniffing", "mitre_attack_tactics": ["Credential Access", "Discovery"], "mitre_attack_groups": ["APT28", "APT33", "DarkVishnya", "Kimsuky", "Sandworm Team"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Exfiltration", "Impact", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation", "Resource Development"], "datamodels": ["Splunk_Audit", "Web"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation", "Installation", "Weaponization"]}, "detection_names": ["ESCU - Detect Risky SPL using Pretrained ML Model - Rule", "ESCU - Path traversal SPL injection - Rule", "ESCU - Splunk Account Discovery Drilldown Dashboard Disclosure - Rule", "ESCU - Splunk Code Injection via custom dashboard leading to RCE - Rule", "ESCU - Splunk Command and Scripting Interpreter Delete Usage - Rule", "ESCU - Splunk Command and Scripting Interpreter Risky Commands - Rule", "ESCU - Splunk Command and Scripting Interpreter Risky SPL MLTK - Rule", "ESCU - Splunk csrf in the ssg kvstore client endpoint - Rule", "ESCU - Splunk Data exfiltration from Analytics Workspace using sid query - Rule", "ESCU - Splunk Digital Certificates Infrastructure Version - Rule", "ESCU - Splunk Digital Certificates Lack of Encryption - Rule", "ESCU - Splunk DOS Via Dump SPL Command - Rule", "ESCU - Splunk DoS via Malformed S2S Request - Rule", "ESCU - Splunk Edit User Privilege Escalation - Rule", "ESCU - Splunk Endpoint Denial of Service DoS Zip Bomb - Rule", "ESCU - Splunk HTTP Response Splitting Via Rest SPL Command - Rule", "ESCU - Splunk Improperly Formatted Parameter Crashes splunkd - Rule", "ESCU - Splunk list all nonstandard admin accounts - Rule", "ESCU - Splunk Low Privilege User Can View Hashed Splunk Password - Rule", "ESCU - Splunk Path Traversal In Splunk App For Lookup File Edit - Rule", "ESCU - Persistent XSS in RapidDiag through User Interface Views - Rule", "ESCU - Splunk Persistent XSS Via URL Validation Bypass W Dashboard - Rule", "ESCU - Splunk Process Injection Forwarder Bundle Downloads - Rule", "ESCU - Splunk Protocol Impersonation Weak Encryption Configuration - Rule", "ESCU - Splunk protocol impersonation weak encryption selfsigned - Rule", "ESCU - Splunk protocol impersonation weak encryption simplerequest - Rule", "ESCU - Splunk RBAC Bypass On Indexing Preview REST Endpoint - Rule", "ESCU - Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature - Rule", "ESCU - Splunk Reflected XSS in the templates lists radio - Rule", "ESCU - Splunk risky Command Abuse disclosed february 2023 - Rule", "ESCU - Splunk Stored XSS via Data Model objectName field - Rule", "ESCU - Splunk unnecessary file extensions allowed by lookup table uploads - Rule", "ESCU - Splunk User Enumeration Attempt - Rule", "ESCU - Splunk XSS in Monitoring Console - Rule", "ESCU - Splunk XSS in Save table dialog header in search page - Rule", "ESCU - Splunk XSS via View - Rule", "ESCU - Open Redirect in Splunk Web - Rule", "ESCU - Splunk Enterprise Information Disclosure - Rule", "ESCU - Splunk Identified SSL TLS Certificates - Rule"], "investigation_names": [], "baseline_names": ["ESCU - Splunk Command and Scripting Interpreter Risky SPL MLTK Baseline"], "author_company": "Splunk", "author_name": "Lou Stella", "detections": [{"name": "Detect Risky SPL using Pretrained ML Model", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Path traversal SPL injection", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Discovery"}]}}, {"name": "Splunk Account Discovery Drilldown Dashboard Disclosure", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Splunk Code Injection via custom dashboard leading to RCE", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation of Remote Services"}]}}, {"name": "Splunk Command and Scripting Interpreter Delete Usage", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Splunk Command and Scripting Interpreter Risky Commands", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Splunk Command and Scripting Interpreter Risky SPL MLTK", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Splunk csrf in the ssg kvstore client endpoint", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Splunk Data exfiltration from Analytics Workspace using sid query", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Web Service"}]}}, {"name": "Splunk Digital Certificates Infrastructure Version", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Digital Certificates"}]}}, {"name": "Splunk Digital Certificates Lack of Encryption", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Digital Certificates"}]}}, {"name": "Splunk DOS Via Dump SPL Command", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application or System Exploitation"}]}}, {"name": "Splunk DoS via Malformed S2S Request", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Network Denial of Service"}]}}, {"name": "Splunk Edit User Privilege Escalation", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Splunk Endpoint Denial of Service DoS Zip Bomb", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Endpoint Denial of Service"}]}}, {"name": "Splunk HTTP Response Splitting Via Rest SPL Command", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "HTML Smuggling"}]}}, {"name": "Splunk Improperly Formatted Parameter Crashes splunkd", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Endpoint Denial of Service"}]}}, {"name": "Splunk list all nonstandard admin accounts", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Splunk Low Privilege User Can View Hashed Splunk Password", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Credential Access"}]}}, {"name": "Splunk Path Traversal In Splunk App For Lookup File Edit", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Discovery"}]}}, {"name": "Persistent XSS in RapidDiag through User Interface Views", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Splunk Persistent XSS Via URL Validation Bypass W Dashboard", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Splunk Process Injection Forwarder Bundle Downloads", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Splunk Protocol Impersonation Weak Encryption Configuration", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Protocol Impersonation"}]}}, {"name": "Splunk protocol impersonation weak encryption selfsigned", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Digital Certificates"}]}}, {"name": "Splunk protocol impersonation weak encryption simplerequest", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Digital Certificates"}]}}, {"name": "Splunk RBAC Bypass On Indexing Preview REST Endpoint", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation of Remote Services"}]}}, {"name": "Splunk Reflected XSS in the templates lists radio", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Splunk risky Command Abuse disclosed february 2023", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Splunk Stored XSS via Data Model objectName field", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Splunk unnecessary file extensions allowed by lookup table uploads", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Splunk User Enumeration Attempt", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Splunk XSS in Monitoring Console", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Splunk XSS in Save table dialog header in search page", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Splunk XSS via View", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Open Redirect in Splunk Web", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Splunk Enterprise Information Disclosure", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Splunk Identified SSL TLS Certificates", "source": "network", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Network Sniffing"}]}}]}, {"name": "Spring4Shell CVE-2022-22965", "id": "dcc19913-6918-4ed2-bbba-a6b484c10ef4", "version": 1, "date": "2022-04-05", "author": "Michael Haag, Splunk", "description": "Spring4Shell is the nickname given to a zero-day vulnerability in the Spring Core Framework, a programming and configuration model for Java-based enterprise applications.", "narrative": "An attacker could exploit Spring4Shell by sending a specially crafted request to a vulnerable server. However, exploitation of Spring4Shell requires certain prerequisites, whereas the original Log4Shell vulnerability affected all versions of Log4j 2 using the default configuration. \\\nAccording to Spring, the following requirements were included in the vulnerability report, however the post cautions that there may be other ways in which this can be exploited so this may not be a complete list of requirements at this time: \\\n- Java Development Kit (JDK) 9 or greater \\\n- Apache Tomcat as the Servlet container \\\n- Packaged as a WAR \\\n- spring-webmvc or spring-webflux dependency \\\n", "references": ["https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability"], "tags": {"name": "Spring4Shell CVE-2022-22965", "analytic_story": "Spring4Shell CVE-2022-22965", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Initial Access", "Persistence"], "datamodels": ["Endpoint", "Web"], "kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - Java Writing JSP File - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Spring4Shell Payload URL Request - Rule", "ESCU - Web JSP Request via URL - Rule", "ESCU - Web Spring4Shell HTTP Request Class Module - Rule", "ESCU - Web Spring Cloud Function FunctionRouter - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Java Writing JSP File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Linux Java Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Spring4Shell Payload URL Request", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Web JSP Request via URL", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Web Spring4Shell HTTP Request Class Module", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Web Spring Cloud Function FunctionRouter", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "SQL Injection", "id": "4f6632f5-449c-4686-80df-57625f59bab3", "version": 1, "date": "2017-09-19", "author": "Bhavin Patel, Splunk", "description": "Use the searches in this Analytic Story to help you detect structured query language (SQL) injection attempts characterized by long URLs that contain malicious parameters.", "narrative": "It is very common for attackers to inject SQL parameters into vulnerable web applications, which then interpret the malicious SQL statements.\\\nThis Analytic Story contains a search designed to identify attempts by attackers to leverage this technique to compromise a host and gain a foothold in the target environment.", "references": ["https://capec.mitre.org/data/definitions/66.html", "https://www.incapsula.com/web-application-security/sql-injection.html"], "tags": {"name": "SQL Injection", "analytic_story": "SQL Injection", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - SQL Injection with Long URLs - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "SQL Injection with Long URLs", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "Suspicious AWS Login Activities", "id": "2e8948a5-5239-406b-b56b-6c59f1268af3", "version": 1, "date": "2019-05-01", "author": "Bhavin Patel, Splunk", "description": "Monitor your AWS authentication events using your CloudTrail logs. Searches within this Analytic Story will help you stay aware of and investigate suspicious logins. ", "narrative": "It is important to monitor and control who has access to your AWS infrastructure. Detecting suspicious logins to your AWS infrastructure will provide good starting points for investigations. Abusive behaviors caused by compromised credentials can lead to direct monetary costs, as you will be billed for any EC2 instances created by the attacker.", "references": ["https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html"], "tags": {"name": "Suspicious AWS Login Activities", "analytic_story": "Suspicious AWS Login Activities", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation", "Resource Development"], "datamodels": ["Authentication"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"]}, "detection_names": ["ESCU - AWS Successful Console Authentication From Multiple IPs - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule", "ESCU - Detect new user AWS Console Login - Rule"], "investigation_names": ["ESCU - AWS Investigate User Activities By ARN - Response Task"], "baseline_names": ["ESCU - Previously seen users in CloudTrail", "ESCU - Update previously seen users in CloudTrail"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS Successful Console Authentication From Multiple IPs", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Detect AWS Console Login by User from New City", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Detect AWS Console Login by User from New Country", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Detect AWS Console Login by User from New Region", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Detect new user AWS Console Login", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}]}, {"name": "Suspicious AWS S3 Activities", "id": "66732346-8fb0-407b-9633-da16756567d6", "version": 3, "date": "2023-04-24", "author": "Bhavin Patel, Splunk", "description": "Use the searches in this Analytic Story using Cloudtrail logs to to monitor your AWS S3 buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open S3 buckets and buckets being accessed from a new IP, permission and policy updates to the bucket, potential misuse of other services leading to data being leaked.", "narrative": "One of the most common ways that attackers attempt to steal data from S3 is by gaining unauthorized access to S3 buckets and copying or exfiltrating data to external locations.\\\nHowever, suspicious S3 activities can refer to any unusual behavior detected within an Amazon Web Services (AWS) Simple Storage Service (S3) bucket, including unauthorized access, unusual data transfer patterns, and access attempts from unknown IP addresses. \\\nIt is important for organizations to regularly monitor S3 activities for suspicious behavior and implement security best practices, such as using access controls, encryption, and strong authentication mechanisms, to protect sensitive data stored within S3 buckets. By staying vigilant and taking proactive measures, organizations can help prevent potential security breaches and minimize the impact of attacks if they do occur.", "references": ["https://github.com/nagwww/s3-leaks", "https://www.tripwire.com/state-of-security/security-data-protection/cloud/public-aws-s3-buckets-writable/", null], "tags": {"name": "Suspicious AWS S3 Activities", "analytic_story": "Suspicious AWS S3 Activities", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1119", "mitre_attack_technique": "Automated Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "Chimera", "Confucius", "FIN5", "FIN6", "Gamaredon Group", "Ke3chang", "Mustang Panda", "OilRig", "Patchwork", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1530", "mitre_attack_technique": "Data from Cloud Storage", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Fox Kitten"]}], "mitre_attack_tactics": ["Collection", "Exfiltration", "Impact"], "datamodels": [], "kill_chain_phases": ["Actions on Objectives", "Exploitation"]}, "detection_names": ["ESCU - AWS Disable Bucket Versioning - Rule", "ESCU - AWS Exfiltration via Bucket Replication - Rule", "ESCU - AWS Exfiltration via DataSync Task - Rule", "ESCU - Detect New Open S3 buckets - Rule", "ESCU - Detect New Open S3 Buckets over AWS CLI - Rule", "ESCU - Detect S3 access from a new IP - Rule", "ESCU - Detect Spike in S3 Bucket deletion - Rule"], "investigation_names": ["ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - AWS S3 Bucket details via bucketName - Response Task", "ESCU - Get All AWS Activity From IP Address - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Investigate AWS activities via region name - Response Task"], "baseline_names": ["ESCU - Baseline of S3 Bucket deletion activity by ARN", "ESCU - Previously seen S3 bucket access by remote IP"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS Disable Bucket Versioning", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "AWS Exfiltration via Bucket Replication", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "AWS Exfiltration via DataSync Task", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Automated Collection"}]}}, {"name": "Detect New Open S3 buckets", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data from Cloud Storage"}]}}, {"name": "Detect New Open S3 Buckets over AWS CLI", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data from Cloud Storage"}]}}, {"name": "Detect S3 access from a new IP", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data from Cloud Storage"}]}}, {"name": "Detect Spike in S3 Bucket deletion", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data from Cloud Storage"}]}}]}, {"name": "Suspicious AWS Traffic", "id": "2e8948a5-5239-406b-b56b-6c50f2168af3", "version": 1, "date": "2018-05-07", "author": "Bhavin Patel, Splunk", "description": "Leverage these searches to monitor your AWS network traffic for evidence of anomalous activity and suspicious behaviors, such as a spike in blocked outbound traffic in your virtual private cloud (VPC).", "narrative": "A virtual private cloud (VPC) is an on-demand managed cloud-computing service that isolates computing resources for each client. Inside the VPC container, the environment resembles a physical network. \\\nAmazon's VPC service enables you to launch EC2 instances and leverage other Amazon resources. The traffic that flows in and out of this VPC can be controlled via network access-control rules and security groups. Amazon also has a feature called VPC Flow Logs that enables you to log IP traffic going to and from the network interfaces in your VPC. This data is stored using Amazon CloudWatch Logs.\\\n Attackers may abuse the AWS infrastructure with insecure VPCs so they can co-opt AWS resources for command-and-control nodes, data exfiltration, and more. Once an EC2 instance is compromised, an attacker may initiate outbound network connections for malicious reasons. Monitoring these network traffic behaviors is crucial for understanding the type of traffic flowing in and out of your network and to alert you to suspicious activities.\\\nThe searches in this Analytic Story will monitor your AWS network traffic for evidence of anomalous activity and suspicious behaviors.", "references": ["https://rhinosecuritylabs.com/aws/hiding-cloudcobalt-strike-beacon-c2-using-amazon-apis/"], "tags": {"name": "Suspicious AWS Traffic", "analytic_story": "Suspicious AWS Traffic", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Spike in blocked Outbound Traffic from your AWS - Rule"], "investigation_names": ["ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - AWS Network ACL Details from ID - Response Task", "ESCU - AWS Network Interface details via resourceId - Response Task", "ESCU - Get All AWS Activity From IP Address - Response Task", "ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get DNS traffic ratio - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task", "ESCU - Get Process Responsible For The DNS Traffic - Response Task"], "baseline_names": ["ESCU - Baseline of blocked outbound traffic from AWS"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect Spike in blocked Outbound Traffic from your AWS", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Suspicious Cloud Authentication Activities", "id": "6380ebbb-55c5-4fce-b754-01fd565fb73c", "version": 1, "date": "2020-06-04", "author": "Rico Valdez, Splunk", "description": "Monitor your cloud authentication events. Searches within this Analytic Story leverage the recent cloud updates to the Authentication data model to help you stay aware of and investigate suspicious login activity. ", "narrative": "It is important to monitor and control who has access to your cloud infrastructure. Detecting suspicious logins will provide good starting points for investigations. Abusive behaviors caused by compromised credentials can lead to direct monetary costs, as you will be billed for any compute activity whether legitimate or otherwise.\\\nThis Analytic Story has data model versions of cloud searches leveraging Authentication data, including those looking for suspicious login activity, and cross-account activity for AWS.", "references": ["https://aws.amazon.com/blogs/security/aws-cloudtrail-now-tracks-cross-account-activity-to-its-origin/", "https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html"], "tags": {"name": "Suspicious Cloud Authentication Activities", "analytic_story": "Suspicious Cloud Authentication Activities", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Resource Development"], "datamodels": ["Authentication"], "kill_chain_phases": ["Exploitation", "Weaponization"]}, "detection_names": ["ESCU - AWS Cross Account Activity From Previously Unseen Account - Rule", "ESCU - Detect AWS Console Login by New User - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Investigate AWS User Activities by user field - Response Task"], "baseline_names": ["ESCU - Previously Seen AWS Cross Account Activity - Initial", "ESCU - Previously Seen AWS Cross Account Activity - Update", "ESCU - Previously Seen Users in CloudTrail - Initial", "ESCU - Previously Seen Users In CloudTrail - Update"], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "AWS Cross Account Activity From Previously Unseen Account", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Detect AWS Console Login by New User", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unsecured Credentials"}]}}, {"name": "Detect AWS Console Login by User from New City", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Detect AWS Console Login by User from New Country", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Detect AWS Console Login by User from New Region", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}]}, {"name": "Suspicious Cloud Instance Activities", "id": "8168ca88-392e-42f4-85a2-767579c660ce", "version": 1, "date": "2020-08-25", "author": "David Dorsey, Splunk", "description": "Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your cloud environment.", "narrative": "Monitoring your cloud infrastructure logs allows you enable governance, compliance, and risk auditing. It is crucial for a company to monitor events and actions taken in the their cloud environments to ensure that your instances are not vulnerable to attacks. This Analytic Story identifies suspicious activities in your cloud compute instances and helps you respond and investigate those activities.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "tags": {"name": "Suspicious Cloud Instance Activities", "analytic_story": "Suspicious Cloud Instance Activities", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion", "Exfiltration", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Change", "Risk"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Abnormally High Number Of Cloud Instances Destroyed - Rule", "ESCU - Abnormally High Number Of Cloud Instances Launched - Rule", "ESCU - AWS AMI Atttribute Modification for Exfiltration - Rule", "ESCU - AWS EC2 Snapshot Shared Externally - Rule", "ESCU - AWS Exfiltration via EC2 Snapshot - Rule", "ESCU - AWS S3 Exfiltration Behavior Identified - Rule", "ESCU - Cloud Instance Modified By Previously Unseen User - Rule"], "investigation_names": ["ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - Get All AWS Activity From IP Address - Response Task"], "baseline_names": ["ESCU - Baseline Of Cloud Instances Destroyed", "ESCU - Baseline Of Cloud Instances Launched", "ESCU - Previously Seen Cloud Instance Modifications By User - Initial", "ESCU - Previously Seen Cloud Instance Modifications By User - Update"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Abnormally High Number Of Cloud Instances Destroyed", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Abnormally High Number Of Cloud Instances Launched", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "AWS AMI Atttribute Modification for Exfiltration", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "AWS EC2 Snapshot Shared Externally", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "AWS Exfiltration via EC2 Snapshot", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "AWS S3 Exfiltration Behavior Identified", "source": "cloud", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "Cloud Instance Modified By Previously Unseen User", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}}]}, {"name": "Suspicious Cloud Provisioning Activities", "id": "51045ded-1575-4ba6-aef7-af6c73cffd86", "version": 1, "date": "2018-08-20", "author": "David Dorsey, Splunk", "description": "Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your cloud environment.", "narrative": "Because most enterprise cloud infrastructure activities originate from familiar geographic locations, monitoring for activity from unknown or unusual regions is an important security measure. This indicator can be especially useful in environments where it is impossible to add specific IPs to an allow list because they vary.\\\nThis Analytic Story was designed to provide you with flexibility in the precision you employ in specifying legitimate geographic regions. It can be as specific as an IP address or a city, or as broad as a region (think state) or an entire country. By determining how precise you want your geographical locations to be and monitoring for new locations that haven't previously accessed your environment, you can detect adversaries as they begin to probe your environment. Since there are legitimate reasons for activities from unfamiliar locations, this is not a standalone indicator. Nevertheless, location can be a relevant piece of information that you may wish to investigate further.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "tags": {"name": "Suspicious Cloud Provisioning Activities", "analytic_story": "Suspicious Cloud Provisioning Activities", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Change"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Cloud Provisioning Activity From Previously Unseen City - Rule", "ESCU - Cloud Provisioning Activity From Previously Unseen Country - Rule", "ESCU - Cloud Provisioning Activity From Previously Unseen IP Address - Rule", "ESCU - Cloud Provisioning Activity From Previously Unseen Region - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": ["ESCU - Previously Seen Cloud Provisioning Activity Sources - Initial", "ESCU - Previously Seen Cloud Provisioning Activity Sources - Update"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Cloud Provisioning Activity From Previously Unseen City", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Cloud Provisioning Activity From Previously Unseen Country", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Cloud Provisioning Activity From Previously Unseen IP Address", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Cloud Provisioning Activity From Previously Unseen Region", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}]}, {"name": "Suspicious Cloud User Activities", "id": "1ed5ce7d-5469-4232-92af-89d1a3595b39", "version": 1, "date": "2020-09-04", "author": "David Dorsey, Splunk", "description": "Detect and investigate suspicious activities by users and roles in your cloud environments.", "narrative": "It seems obvious that it is critical to monitor and control the users who have access to your cloud infrastructure. Nevertheless, it's all too common for enterprises to lose track of ad-hoc accounts, leaving their servers vulnerable to attack. In fact, this was the very oversight that led to Tesla's cryptojacking attack in February, 2018.\\\nIn addition to compromising the security of your data, when bad actors leverage your compute resources, it can incur monumental costs, since you will be billed for any new instances and increased bandwidth usage.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf", "https://redlock.io/blog/cryptojacking-tesla"], "tags": {"name": "Suspicious Cloud User Activities", "analytic_story": "Suspicious Cloud User Activities", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1580", "mitre_attack_technique": "Cloud Infrastructure Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}], "mitre_attack_tactics": ["Defense Evasion", "Discovery", "Execution", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Change"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Abnormally High Number Of Cloud Infrastructure API Calls - Rule", "ESCU - Abnormally High Number Of Cloud Security Group API Calls - Rule", "ESCU - AWS IAM AccessDenied Discovery Events - Rule", "ESCU - AWS Lambda UpdateFunctionCode - Rule", "ESCU - Cloud API Calls From Previously Unseen User Roles - Rule"], "investigation_names": ["ESCU - AWS Investigate User Activities By ARN - Response Task"], "baseline_names": ["ESCU - Baseline Of Cloud Infrastructure API Calls Per User", "ESCU - Baseline Of Cloud Security Group API Calls Per User", "ESCU - Previously Seen Cloud API Calls Per User Role - Initial", "ESCU - Previously Seen Cloud API Calls Per User Role - Update"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Abnormally High Number Of Cloud Infrastructure API Calls", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Abnormally High Number Of Cloud Security Group API Calls", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "AWS IAM AccessDenied Discovery Events", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Infrastructure Discovery"}]}}, {"name": "AWS Lambda UpdateFunctionCode", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}]}}, {"name": "Cloud API Calls From Previously Unseen User Roles", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}]}, {"name": "Suspicious Command-Line Executions", "id": "f4368ddf-d59f-4192-84f6-778ac5a3ffc7", "version": 2, "date": "2020-02-03", "author": "Bhavin Patel, Splunk", "description": "Leveraging the Windows command-line interface (CLI) is one of the most common attack techniques--one that is also detailed in the MITRE ATT&CK framework. Use this Analytic Story to help you identify unusual or suspicious use of the CLI on Windows systems.", "narrative": "The ability to execute arbitrary commands via the Windows CLI is a primary goal for the adversary. With access to the shell, an attacker can easily run scripts and interact with the target system. Often, attackers may only have limited access to the shell or may obtain access in unusual ways. In addition, malware may execute and interact with the CLI in ways that would be considered unusual and inconsistent with typical user activity. This provides defenders with opportunities to identify suspicious use and investigate, as appropriate. This Analytic Story contains various searches to help identify this suspicious activity, as well as others to aid you in deeper investigation.", "references": ["https://attack.mitre.org/wiki/Technique/T1059", "https://www.microsoft.com/en-us/wdsi/threats/macro-malware", "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"], "tags": {"name": "Suspicious Command-Line Executions", "analytic_story": "Suspicious Command-Line Executions", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - Detect suspicious processnames using pretrained model in DSDL - Rule", "ESCU - Detect Use of cmd exe to Launch Script Interpreters - Rule", "ESCU - Potentially malicious code on commandline - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": ["ESCU - Baseline of Command Line Length - MLTK", "ESCU - Previously seen command line arguments"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "Detect Prohibited Applications Spawning cmd exe", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "Detect suspicious processnames using pretrained model in DSDL", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Detect Use of cmd exe to Launch Script Interpreters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "Potentially malicious code on commandline", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Unusually Long Command Line", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Unusually Long Command Line - MLTK", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Suspicious Compiled HTML Activity", "id": "a09db4d1-3827-4833-87b8-3a397e532119", "version": 1, "date": "2021-02-11", "author": "Michael Haag, Splunk", "description": "Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.", "narrative": "Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. CHM content is displayed using underlying components of the Internet Explorer browser loaded by the HTML Help executable program (hh.exe). \\\nHH.exe relies upon hhctrl.ocx to load CHM topics.This will load upon execution of a chm file. \\\nDuring investigation, review all parallel processes and child processes. It is possible for file modification events to occur and it is best to capture the CHM file and decompile it for further analysis. \\\nUpon usage of InfoTech Storage Handlers, ms-its, its, mk, itss.dll will load.", "references": ["https://redcanary.com/blog/introducing-atomictestharnesses/", "https://attack.mitre.org/techniques/T1218/001/", "https://docs.microsoft.com/en-us/windows/win32/api/htmlhelp/nf-htmlhelp-htmlhelpa"], "tags": {"name": "Suspicious Compiled HTML Activity", "analytic_story": "Suspicious Compiled HTML Activity", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.001", "mitre_attack_technique": "Compiled HTML File", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "APT41", "Dark Caracal", "OilRig", "Silence"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Detect HTML Help Renamed - Rule", "ESCU - Detect HTML Help Spawn Child Process - Rule", "ESCU - Detect HTML Help URL in Command Line - Rule", "ESCU - Detect HTML Help Using InfoTech Storage Handlers - Rule", "ESCU - Windows System Binary Proxy Execution Compiled HTML File Decompile - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect HTML Help Renamed", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}}, {"name": "Detect HTML Help Spawn Child Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}}, {"name": "Detect HTML Help URL in Command Line", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}}, {"name": "Detect HTML Help Using InfoTech Storage Handlers", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}}, {"name": "Windows System Binary Proxy Execution Compiled HTML File Decompile", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compiled HTML File"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}]}, {"name": "Suspicious DNS Traffic", "id": "3c3835c0-255d-4f9e-ab84-e29ec9ec9b56", "version": 1, "date": "2017-09-18", "author": "Rico Valdez, Splunk", "description": "Attackers often attempt to hide within or otherwise abuse the domain name system (DNS). You can thwart attempts to manipulate this omnipresent protocol by monitoring for these types of abuses.", "narrative": "Although DNS is one of the fundamental underlying protocols that make the Internet work, it is often ignored (perhaps because of its complexity and effectiveness). However, attackers have discovered ways to abuse the protocol to meet their objectives. One potential abuse involves manipulating DNS to hijack traffic and redirect it to an IP address under the attacker's control. This could inadvertently send users intending to visit google.com, for example, to an unrelated malicious website. Another technique involves using the DNS protocol for command-and-control activities with the attacker's malicious code or to covertly exfiltrate data. The searches within this Analytic Story look for these types of abuses.", "references": ["http://blogs.splunk.com/2015/10/01/random-words-on-entropy-and-dns/", "http://www.darkreading.com/analytics/security-monitoring/got-malware-three-signs-revealed-in-dns-traffic/d/d-id/1139680", "https://live.paloaltonetworks.com/t5/Threat-Vulnerability-Articles/What-are-suspicious-DNS-queries/ta-p/71454"], "tags": {"name": "Suspicious DNS Traffic", "analytic_story": "Suspicious DNS Traffic", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1568.002", "mitre_attack_technique": "Domain Generation Algorithms", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "TA551"]}, {"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Dragonfly", "Magic Hound", "Rocke", "TeamTNT"]}], "mitre_attack_tactics": ["Command And Control", "Exfiltration", "Initial Access"], "datamodels": ["Endpoint", "Network_Resolution"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery"]}, "detection_names": ["ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - Detect Long DNS TXT Record Response - Rule", "ESCU - Detection of DNS Tunnels - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect DNS Data Exfiltration using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Detect suspicious DNS TXT records using pretrained model in DSDL - Rule", "ESCU - DNS Query Length Outliers - MLTK - Rule", "ESCU - DNS Query Length With High Standard Deviation - Rule", "ESCU - Excessive DNS Failures - Rule"], "investigation_names": ["ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get DNS traffic ratio - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Responsible For The DNS Traffic - Response Task"], "baseline_names": ["ESCU - Baseline of DNS Query Length - MLTK"], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Clients Connecting to Multiple DNS Servers", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "Detect Long DNS TXT Record Response", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "Detection of DNS Tunnels", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}]}}, {"name": "DNS Exfiltration Using Nslookup App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Excessive Usage of NSLOOKUP App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}}, {"name": "Detect DNS Data Exfiltration using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Detect suspicious DNS TXT records using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}}, {"name": "DNS Query Length Outliers - MLTK", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "DNS Query Length With High Standard Deviation", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Excessive DNS Failures", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}]}, {"name": "Suspicious Emails", "id": "2b1800dd-92f9-47ec-a981-fdf1351e5d55", "version": 1, "date": "2020-01-27", "author": "Bhavin Patel, Splunk", "description": "Email remains one of the primary means for attackers to gain an initial foothold within the modern enterprise. Detect and investigate suspicious emails in your environment with the help of the searches in this Analytic Story.", "narrative": "It is a common practice for attackers of all types to leverage targeted spearphishing campaigns and mass mailers to deliver weaponized email messages and attachments. Fortunately, there are a number of ways to monitor email data in Splunk to detect suspicious content.\\\nOnce a phishing message has been detected, the next steps are to answer the following questions: \\\n1. Which users have received this or a similar message in the past?\\\n1. When did the targeted campaign begin?\\\n1. Have any users interacted with the content of the messages (by downloading an attachment or clicking on a malicious URL)?This Analytic Story provides detection searches to identify suspicious emails, as well as contextual and investigative searches to help answer some of these questions.", "references": ["https://www.splunk.com/blog/2015/06/26/phishing-hits-a-new-level-of-quality/"], "tags": {"name": "Suspicious Emails", "analytic_story": "Suspicious Emails", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Email", "UEBA"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Monitor Email For Brand Abuse - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Suspicious Email - UBA Anomaly - Rule"], "investigation_names": ["ESCU - Get Email Info - Response Task", "ESCU - Get Emails From Specific Sender - Response Task", "ESCU - Get Notable History - Response Task"], "baseline_names": ["ESCU - DNSTwist Domain Names"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Email Attachments With Lots Of Spaces", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Monitor Email For Brand Abuse", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Suspicious Email Attachment Extensions", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Suspicious Email - UBA Anomaly", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}]}}]}, {"name": "Suspicious GCP Storage Activities", "id": "4d656b2e-d6be-11ea-87d0-0242ac130003", "version": 1, "date": "2020-08-05", "author": "Shannon Davis, Splunk", "description": "Use the searches in this Analytic Story to monitor your GCP Storage buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open storage buckets and buckets being accessed from a new IP. The contextual and investigative searches will give you more information, when required.", "narrative": "Similar to other cloud providers, GCP operates on a shared responsibility model. This means the end user, you, are responsible for setting appropriate access control lists and permissions on your GCP resources.\\ This Analytics Story concentrates on detecting things like open storage buckets (both read and write) along with storage bucket access from unfamiliar users and IP addresses.", "references": ["https://cloud.google.com/blog/products/gcp/4-steps-for-hardening-your-cloud-storage-buckets-taking-charge-of-your-security", "https://rhinosecuritylabs.com/gcp/google-cloud-platform-gcp-bucket-enumeration/"], "tags": {"name": "Suspicious GCP Storage Activities", "analytic_story": "Suspicious GCP Storage Activities", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1530", "mitre_attack_technique": "Data from Cloud Storage", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Fox Kitten"]}], "mitre_attack_tactics": ["Collection"], "datamodels": ["Email"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Detect GCP Storage access from a new IP - Rule", "ESCU - Detect New Open GCP Storage Buckets - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Shannon Davis", "detections": [{"name": "Detect GCP Storage access from a new IP", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data from Cloud Storage"}]}}, {"name": "Detect New Open GCP Storage Buckets", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data from Cloud Storage"}]}}]}, {"name": "Suspicious MSHTA Activity", "id": "1e5a5a53-540b-462a-8fb7-f44a4292f5dc", "version": 2, "date": "2021-01-20", "author": "Bhavin Patel, Michael Haag, Splunk", "description": "Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.", "narrative": "One common adversary tactic is to bypass application control solutions via the mshta.exe process, which loads Microsoft HTML applications (mshtml.dll) with the .hta suffix. In these cases, attackers use the trusted Windows utility to proxy execution of malicious files, whether an .hta application, javascript, or VBScript.\\\nThe searches in this story help you detect and investigate suspicious activity that may indicate that an attacker is leveraging mshta.exe to execute malicious code.\\\nTriage\\\nValidate execution \\\n1. Determine if MSHTA.exe executed. Validate the OriginalFileName of MSHTA.exe and further PE metadata. If executed outside of c:\\windows\\system32 or c:\\windows\\syswow64, it should be highly suspect.\\\n1. Determine if script code was executed with MSHTA.\\\nSituational Awareness\\\nThe objective of this step is meant to identify suspicious behavioral indicators related to executed of Script code by MSHTA.exe.\\\n1. Parent process. Is the parent process a known LOLBin? Is the parent process an Office Application?\\\n1. Module loads. Are the known MSHTA.exe modules being loaded by a non-standard application? Is MSHTA loading any suspicious .DLLs?\\\n1. Network connections. Any network connections? Review the reputation of the remote IP or domain.\\\nRetrieval of script code\\\nThe objective of this step is to confirm the executed script code is benign or malicious.", "references": ["https://redcanary.com/blog/introducing-atomictestharnesses/", "https://redcanary.com/blog/windows-registry-attacks-threat-detection/", "https://attack.mitre.org/techniques/T1218/005/", "https://medium.com/@mbromileyDFIR/malware-monday-aebb456356c5"], "tags": {"name": "Suspicious MSHTA Activity", "analytic_story": "Suspicious MSHTA Activity", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA551"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Detect mshta inline hta execution - Rule", "ESCU - Detect mshta renamed - Rule", "ESCU - Detect MSHTA Url in Command Line - Rule", "ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - Detect Rundll32 Inline HTA Execution - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Suspicious mshta child process - Rule", "ESCU - Suspicious mshta spawn - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": ["ESCU - Baseline of Command Line Length - MLTK", "ESCU - Previously seen command line arguments"], "author_company": "Michael Haag, Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect mshta inline hta execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Detect mshta renamed", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Detect MSHTA Url in Command Line", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Detect Prohibited Applications Spawning cmd exe", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "Detect Rundll32 Inline HTA Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Suspicious mshta child process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Suspicious mshta spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}]}, {"name": "Suspicious Okta Activity", "id": "9cbd34af-8f39-4476-a423-bacd126c750b", "version": 1, "date": "2020-04-02", "author": "Rico Valdez, Splunk", "description": "Monitor your Okta environment for suspicious activities. Due to the Covid outbreak, many users are migrating over to leverage cloud services more and more. Okta is a popular tool to manage multiple users and the web-based applications they need to stay productive. The searches in this story will help monitor your Okta environment for suspicious activities and associated user behaviors.", "narrative": "Okta is the leading single sign on (SSO) provider, allowing users to authenticate once to Okta, and from there access a variety of web-based applications. These applications are assigned to users and allow administrators to centrally manage which users are allowed to access which applications. It also provides centralized logging to help understand how the applications are used and by whom. \\\nWhile SSO is a major convenience for users, it also provides attackers with an opportunity. If the attacker can gain access to Okta, they can access a variety of applications. As such monitoring the environment is important. \\\nWith people moving quickly to adopt web-based applications and ways to manage them, many are still struggling to understand how best to monitor these environments. This analytic story provides searches to help monitor this environment, and identify events and activity that warrant further investigation such as credential stuffing or password spraying attacks, and users logging in from multiple locations when travel is disallowed.", "references": ["https://attack.mitre.org/wiki/Technique/T1078", "https://owasp.org/www-community/attacks/Credential_stuffing", "https://searchsecurity.techtarget.com/answer/What-is-a-password-spraying-attack-and-how-does-it-work"], "tags": {"name": "Suspicious Okta Activity", "analytic_story": "Suspicious Okta Activity", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.001", "mitre_attack_technique": "Default Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1550.004", "mitre_attack_technique": "Web Session Cookie", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1538", "mitre_attack_technique": "Cloud Service Dashboard", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1539", "mitre_attack_technique": "Steal Web Session Cookie", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Evilnum", "LuminousMoth"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Authentication", "Risk"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Multiple Okta Users With Invalid Credentials From The Same IP - Rule", "ESCU - Okta Account Locked Out - Rule", "ESCU - Okta Account Lockout Events - Rule", "ESCU - Okta Failed SSO Attempts - Rule", "ESCU - Okta MFA Exhaustion Hunt - Rule", "ESCU - Okta Mismatch Between Source and Response for Verify Push Request - Rule", "ESCU - Okta Multiple Failed Requests to Access Applications - Rule", "ESCU - Okta New API Token Created - Rule", "ESCU - Okta New Device Enrolled on Account - Rule", "ESCU - Okta Phishing Detection with FastPass Origin Check - Rule", "ESCU - Okta Risk Threshold Exceeded - Rule", "ESCU - Okta Suspicious Activity Reported - Rule", "ESCU - Okta Suspicious Use of a Session Cookie - Rule", "ESCU - Okta ThreatInsight Login Failure with High Unknown users - Rule", "ESCU - Okta ThreatInsight Suspected PasswordSpray Attack - Rule", "ESCU - Okta ThreatInsight Threat Detected - Rule", "ESCU - Okta Two or More Rejected Okta Pushes - Rule", "ESCU - Okta User Logins From Multiple Cities - Rule"], "investigation_names": ["ESCU - Investigate Okta Activity by app - Response Task", "ESCU - Investigate Okta Activity by IP Address - Response Task", "ESCU - Investigate User Activities In Okta - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Multiple Okta Users With Invalid Credentials From The Same IP", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}}, {"name": "Okta Account Locked Out", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}]}}, {"name": "Okta Account Lockout Events", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}}, {"name": "Okta Failed SSO Attempts", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}}, {"name": "Okta MFA Exhaustion Hunt", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}]}}, {"name": "Okta Mismatch Between Source and Response for Verify Push Request", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}}, {"name": "Okta Multiple Failed Requests to Access Applications", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Web Session Cookie"}, {"mitre_attack_technique": "Cloud Service Dashboard"}]}}, {"name": "Okta New API Token Created", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}}, {"name": "Okta New Device Enrolled on Account", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}}, {"name": "Okta Phishing Detection with FastPass Origin Check", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}, {"mitre_attack_technique": "Modify Authentication Process"}]}}, {"name": "Okta Risk Threshold Exceeded", "source": "application", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Okta Suspicious Activity Reported", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}}, {"name": "Okta Suspicious Use of a Session Cookie", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal Web Session Cookie"}]}}, {"name": "Okta ThreatInsight Login Failure with High Unknown users", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "Okta ThreatInsight Suspected PasswordSpray Attack", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}, {"mitre_attack_technique": "Password Spraying"}]}}, {"name": "Okta ThreatInsight Threat Detected", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}}, {"name": "Okta Two or More Rejected Okta Pushes", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}]}}, {"name": "Okta User Logins From Multiple Cities", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}}]}, {"name": "Suspicious Regsvcs Regasm Activity", "id": "2cdf33a0-4805-4b61-b025-59c20f418fbe", "version": 1, "date": "2021-02-11", "author": "Michael Haag, Splunk", "description": "Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.", "narrative": " Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft. The following queries assist with detecting suspicious and malicious usage of Regasm.exe and Regsvcs.exe. Upon reviewing usage of Regasm.exe Regsvcs.exe, review file modification events for possible script code written. Review parallel process events for csc.exe being utilized to compile script code.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/evasion/windows/applocker_evasion_regasm_regsvcs.md", "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/"], "tags": {"name": "Suspicious Regsvcs Regasm Activity", "analytic_story": "Suspicious Regsvcs Regasm Activity", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.009", "mitre_attack_technique": "Regsvcs/Regasm", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Detect Regasm Spawning a Process - Rule", "ESCU - Detect Regasm with Network Connection - Rule", "ESCU - Detect Regasm with no Command Line Arguments - Rule", "ESCU - Detect Regsvcs Spawning a Process - Rule", "ESCU - Detect Regsvcs with Network Connection - Rule", "ESCU - Detect Regsvcs with No Command Line Arguments - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Regasm Spawning a Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regasm with Network Connection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regasm with no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regsvcs Spawning a Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regsvcs with Network Connection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regsvcs with No Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}]}, {"name": "Suspicious Regsvr32 Activity", "id": "b8bee41e-624f-11eb-ae93-0242ac130002", "version": 1, "date": "2021-01-29", "author": "Michael Haag, Splunk", "description": "Monitor and detect techniques used by attackers who leverage the regsvr32.exe process to execute malicious code.", "narrative": "One common adversary tactic is to bypass application control solutions via the regsvr32.exe process. This particular bypass was popularized with \"SquiblyDoo\" using the \"scrobj.dll\" dll to load .sct scriptlets. This technique is still widely used by adversaries to bypass detection and prevention controls. The file extension of the DLL is irrelevant (it may load a .txt file extension for example). The searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging regsvr32.exe to execute malicious code. Validate execution Determine if regsvr32.exe executed. Validate the OriginalFileName of regsvr32.exe and further PE metadata. If executed outside of c:\\windows\\system32 or c:\\windows\\syswow64, it should be highly suspect. Determine if script code was executed with regsvr32. Situational Awareness - The objective of this step is meant to identify suspicious behavioral indicators related to executed of Script code by regsvr32.exe. Parent process. Is the parent process a known LOLBin? Is the parent process an Office Application? Module loads. Is regsvr32 loading any suspicious .DLLs? Unsigned or signed from non-standard paths. Network connections. Any network connections? Review the reputation of the remote IP or domain. Retrieval of Script Code - confirm the executed script code is benign or malicious.", "references": ["https://attack.mitre.org/techniques/T1218/010/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/"], "tags": {"name": "Suspicious Regsvr32 Activity", "analytic_story": "Suspicious Regsvr32 Activity", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - Malicious InProcServer32 Modification - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Malicious InProcServer32 Modification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Regsvr32"}, {"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Suspicious Regsvr32 Register Suspicious Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}]}, {"name": "Suspicious Rundll32 Activity", "id": "80a65487-854b-42f1-80a1-935e4c170694", "version": 1, "date": "2021-02-03", "author": "Michael Haag, Splunk", "description": "Monitor and detect techniques used by attackers who leverage rundll32.exe to execute arbitrary malicious code.", "narrative": "One common adversary tactic is to bypass application control solutions via the rundll32.exe process. Natively, rundll32.exe will load DLLs and is a great example of a Living off the Land Binary. Rundll32.exe may load malicious DLLs by ordinals, function names or directly. The queries in this story focus on loading default DLLs, syssetup.dll, ieadvpack.dll, advpack.dll and setupapi.dll from disk that may be abused by adversaries. Additionally, two analytics developed to assist with identifying DLLRegisterServer, Start and StartW functions being called. The searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging rundll32.exe to execute malicious code.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32"], "tags": {"name": "Suspicious Rundll32 Activity", "analytic_story": "Suspicious Rundll32 Activity", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Suspicious Rundll32 Rename - Rule", "ESCU - Detect Rundll32 Application Control Bypass - advpack - Rule", "ESCU - Detect Rundll32 Application Control Bypass - setupapi - Rule", "ESCU - Detect Rundll32 Application Control Bypass - syssetup - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Rundll32 Control RunDLL Hunt - Rule", "ESCU - Rundll32 Control RunDLL World Writable Directory - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Suspicious Rundll32 dllregisterserver - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", "ESCU - Suspicious Rundll32 StartW - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Suspicious Rundll32 Rename", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rundll32"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Detect Rundll32 Application Control Bypass - advpack", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Detect Rundll32 Application Control Bypass - setupapi", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Detect Rundll32 Application Control Bypass - syssetup", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Rundll32 Control RunDLL Hunt", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Rundll32 Control RunDLL World Writable Directory", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "RunDLL Loading DLL By Ordinal", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious Rundll32 dllregisterserver", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}]}, {"name": "Suspicious Windows Registry Activities", "id": "2b1800dd-92f9-47dd-a981-fdf1351e5d55", "version": 1, "date": "2018-05-31", "author": "Bhavin Patel, Splunk", "description": "Monitor and detect registry changes initiated from remote locations, which can be a sign that an attacker has infiltrated your system.", "narrative": "Attackers are developing increasingly sophisticated techniques for hijacking target servers, while evading detection. One such technique that has become progressively more common is registry modification.\\\n The registry is a key component of the Windows operating system. It has a hierarchical database called \"registry\" that contains settings, options, and values for executables. Once the threat actor gains access to a machine, they can use reg.exe to modify their account to obtain administrator-level privileges, maintain persistence, and move laterally within the environment.\\\n The searches in this story are designed to help you detect behaviors associated with manipulation of the Windows registry.", "references": ["https://redcanary.com/blog/windows-registry-attacks-threat-detection/", "https://attack.mitre.org/wiki/Technique/T1112"], "tags": {"name": "Suspicious Windows Registry Activities", "analytic_story": "Suspicious Windows Registry Activities", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1564.001", "mitre_attack_technique": "Hidden Files and Directories", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "HAFNIUM", "Lazarus Group", "LuminousMoth", "Mustang Panda", "Rocke", "Transparent Tribe", "Tropic Trooper"]}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.010", "mitre_attack_technique": "Port Monitors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.011", "mitre_attack_technique": "Application Shimming", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN7"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["TEMP.Veles"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA551"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Reg exe used to hide files directories via registry keys - Rule", "ESCU - Remote Registry Key modifications - Rule", "ESCU - Suspicious Changes to File Associations - Rule", "ESCU - Disable UAC Remote Restriction - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Monitor Registry Keys for Print Monitors - Rule", "ESCU - Registry Keys for Creating SHIM Databases - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Windows Mshta Execution In Registry - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Reg exe used to hide files directories via registry keys", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hidden Files and Directories"}]}}, {"name": "Remote Registry Key modifications", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Suspicious Changes to File Associations", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Change Default File Association"}]}}, {"name": "Disable UAC Remote Restriction", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Monitor Registry Keys for Print Monitors", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Port Monitors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Registry Keys for Creating SHIM Databases", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application Shimming"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Image File Execution Options Injection"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Windows Mshta Execution In Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Mshta"}]}}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}}]}, {"name": "Suspicious WMI Use", "id": "c8ddc5be-69bc-4202-b3ab-4010b27d7ad5", "version": 2, "date": "2018-10-23", "author": "Rico Valdez, Splunk", "description": "Attackers are increasingly abusing Windows Management Instrumentation (WMI), a framework and associated utilities available on all modern Windows operating systems. Because WMI can be leveraged to manage both local and remote systems, it is important to identify the processes executed and the user context within which the activity occurred.", "narrative": "WMI is a Microsoft infrastructure for management data and operations on Windows operating systems. It includes of a set of utilities that can be leveraged to manage both local and remote Windows systems. Attackers are increasingly turning to WMI abuse in their efforts to conduct nefarious tasks, such as reconnaissance, detection of antivirus and virtual machines, code execution, lateral movement, persistence, and data exfiltration. The detection searches included in this Analytic Story are used to look for suspicious use of WMI commands that attackers may leverage to interact with remote systems. The searches specifically look for the use of WMI to run processes on remote systems. In the event that unauthorized WMI execution occurs, it will be important for analysts and investigators to determine the context of the event. These details may provide insights related to how WMI was used and to what end.", "references": ["https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf", "https://web.archive.org/web/20210921091529/https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html"], "tags": {"name": "Suspicious WMI Use", "analytic_story": "Suspicious WMI Use", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.003", "mitre_attack_technique": "Windows Management Instrumentation Event Subscription", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT33", "Blue Mockingbird", "FIN8", "Leviathan", "Metador", "Mustang Panda", "Turla"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1220", "mitre_attack_technique": "XSL Script Processing", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "Higaisa"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Detect WMI Event Subscription Persistence - Rule", "ESCU - PowerShell Invoke WmiExec Usage - Rule", "ESCU - Process Execution via WMI - Rule", "ESCU - Remote Process Instantiation via WMI - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Script Execution via WMI - Rule", "ESCU - Windows WMI Process Call Create - Rule", "ESCU - WMI Permanent Event Subscription - Rule", "ESCU - WMI Permanent Event Subscription - Sysmon - Rule", "ESCU - WMI Temporary Event Subscription - Rule", "ESCU - WMIC XSL Execution via URL - Rule", "ESCU - XSL Script Execution With WMIC - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Sysmon WMI Activity for Host - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Detect WMI Event Subscription Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation Event Subscription"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "PowerShell Invoke WmiExec Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Process Execution via WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Remote Process Instantiation via WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Script Execution via WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "WMI Permanent Event Subscription", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "WMI Permanent Event Subscription - Sysmon", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation Event Subscription"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "WMI Temporary Event Subscription", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "WMIC XSL Execution via URL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "XSL Script Processing"}]}}, {"name": "XSL Script Execution With WMIC", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "XSL Script Processing"}]}}]}, {"name": "Suspicious Zoom Child Processes", "id": "aa3749a6-49c7-491e-a03f-4eaee5fe0258", "version": 1, "date": "2020-04-13", "author": "David Dorsey, Splunk", "description": "Attackers are using Zoom as an vector to increase privileges on a sytems. This story detects new child processes of zoom and provides investigative actions for this detection.", "narrative": "Zoom is a leader in modern enterprise video communications and its usage has increased dramatically with a large amount of the population under stay-at-home orders due to the COVID-19 pandemic. With increased usage has come increased scrutiny and several security flaws have been found with this application on both Windows and macOS systems.\\\nCurrent detections focus on finding new child processes of this application on a per host basis. Investigative searches are included to gather information needed during an investigation.", "references": ["https://blog.rapid7.com/2020/04/02/dispelling-zoom-bugbears-what-you-need-to-know-about-the-latest-zoom-vulnerabilities/", "https://threatpost.com/two-zoom-zero-day-flaws-uncovered/154337/"], "tags": {"name": "Suspicious Zoom Child Processes", "analytic_story": "Suspicious Zoom Child Processes", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Execution", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - First Time Seen Child Process of Zoom - Rule"], "investigation_names": ["ESCU - Get Process File Activity - Response Task"], "baseline_names": ["ESCU - Previously Seen Zoom Child Processes - Initial", "ESCU - Previously Seen Zoom Child Processes - Update"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Detect Prohibited Applications Spawning cmd exe", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "First Time Seen Child Process of Zoom", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}]}, {"name": "Swift Slicer", "id": "234c9dd7-52fb-4d6f-aec9-075ef88a2cea", "version": 1, "date": "2023-02-01", "author": "Teoderick Contreras, Rod Soto, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the swift slicer malware including overwriting of files and etc.", "narrative": "Swift Slicer is one of Windows destructive malware found by ESET that was used in a targeted organizarion to wipe critical files like windows drivers and other files to destroy and left the machine inoperable. This malware like Caddy Wiper was deliver through GPO which suggests that the attacker had taken control of the victims active directory environment.", "references": ["https://twitter.com/ESETresearch/status/1618960022150729728", "https://www.welivesecurity.com/2023/01/27/swiftslicer-new-destructive-wiper-malware-ukraine/"], "tags": {"name": "Swift Slicer", "analytic_story": "Swift Slicer", "category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}], "mitre_attack_tactics": ["Defense Evasion", "Impact", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Data Destruction Recursive Exec Files Deletion - Rule", "ESCU - Windows High File Deletion Frequency - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows Data Destruction Recursive Exec Files Deletion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}]}, {"name": "Text4Shell CVE-2022-42889", "id": "95ae800d-485e-47f7-866e-8be281aa497b", "version": 1, "date": "2022-10-26", "author": "Michael Haag, Splunk", "description": "A new critical vulnerability CVE-2022-42889 a.k.a. Text4shell, similar to the old Spring4Shell and Log4Shell, was originally reported by Alvaro Munoz on the very popular Apache Commons Text library.", "narrative": "Apache Commons Text is a Java library described as \"a library focused on algorithms working on strings.\" We can see it as a general-purpose text manipulation toolkit. This vulnerability affects the StringSubstitutor interpolator class, which is included in the Commons Text library. A default interpolator allows for string lookups that can lead to Remote Code Execution. This is due to a logic flaw that makes the \"script,\" \"dns,\" and \"url\" lookup keys interpolated by default, as opposed to what it should be, according to the documentation of the StringLookupFactory class. Those keys allow an attacker to execute arbitrary code via lookups. In order to exploit the vulnerabilities, the following requirements must be met - Run a version of Apache Commons Text from version 1.5 to 1.9 and use the StringSubstitutor interpolator. It is important to specify that the StringSubstitutor interpolator is not as widely used as the string substitution in Log4j, which led to Log4Shell. According to the CVSSv3 system, it scores 9.8 as CRITICAL severity. The severity is Critical due to the easy exploitability and huge potential impact in terms of confidentiality, integrity, and availability. As we showed in the previous section, you can take full control over the vulnerable system with a crafted request. However, it is not likely the vulnerabilities will have the same impacts as the previous Log4Shell and Spring4Shell.", "references": ["https://sysdig.com/blog/cve-2022-42889-text4shell/"], "tags": {"name": "Text4Shell CVE-2022-42889", "analytic_story": "Text4Shell CVE-2022-42889", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}], "mitre_attack_tactics": ["Initial Access", "Persistence"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - Exploit Public Facing Application via Apache Commons Text - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Exploit Public Facing Application via Apache Commons Text", "source": "web", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "Trickbot", "id": "16f93769-8342-44c0-9b1d-f131937cce8e", "version": 1, "date": "2021-04-20", "author": "Rod Soto, Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the trickbot banking trojan, including looking for file writes associated with its payload, process injection, shellcode execution and data collection even in LDAP environment.", "narrative": "trickbot banking trojan campaigns targeting banks and other vertical sectors.This malware is known in Microsoft Windows OS where target security Microsoft Defender to prevent its detection and removal. steal Verizon credentials and targeting banks using its multi component modules that collect and exfiltrate data.", "references": ["https://en.wikipedia.org/wiki/Trickbot", "https://blog.checkpoint.com/2021/03/11/february-2021s-most-wanted-malware-trickbot-takes-over-following-emotet-shutdown/"], "tags": {"name": "Trickbot", "analytic_story": "Trickbot", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA551"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}, {"mitre_attack_id": "T1590", "mitre_attack_technique": "Gather Victim Network Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["HAFNIUM"]}, {"mitre_attack_id": "T1590.005", "mitre_attack_technique": "IP Addresses", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["Andariel", "HAFNIUM", "Magic Hound"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}], "mitre_attack_tactics": ["Defense Evasion", "Discovery", "Execution", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Account Discovery With Net App - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Mshta spawning Rundll32 OR Regsvr32 Process - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning CertUtil - Rule", "ESCU - Powershell Remote Thread To Known Windows Process - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Rundll32 StartW - Rule", "ESCU - Trickbot Named Pipe - Rule", "ESCU - Wermgr Process Connecting To IP Check Web Services - Rule", "ESCU - Wermgr Process Create Executable File - Rule", "ESCU - Wermgr Process Spawned CMD Or Powershell Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Splunk", "author_name": "Rod Soto", "detections": [{"name": "Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Mshta spawning Rundll32 OR Regsvr32 Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Powershell Remote Thread To Known Windows Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Trickbot Named Pipe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Wermgr Process Connecting To IP Check Web Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Network Information"}, {"mitre_attack_technique": "IP Addresses"}]}}, {"name": "Wermgr Process Create Executable File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Wermgr Process Spawned CMD Or Powershell Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}]}, {"name": "Trusted Developer Utilities Proxy Execution", "id": "270a67a6-55d8-11eb-ae93-0242ac130002", "version": 1, "date": "2021-01-12", "author": "Michael Haag, Splunk", "description": "Monitor and detect behaviors used by attackers who leverage trusted developer utilities to execute malicious code.", "narrative": "Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.\\\nThe searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging microsoft.workflow.compiler.exe to execute malicious code.", "references": ["https://attack.mitre.org/techniques/T1127/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md", "https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/"], "tags": {"name": "Trusted Developer Utilities Proxy Execution", "analytic_story": "Trusted Developer Utilities Proxy Execution", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious microsoft workflow compiler usage - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Suspicious microsoft workflow compiler usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}]}}]}, {"name": "Trusted Developer Utilities Proxy Execution MSBuild", "id": "be3418e2-551b-11eb-ae93-0242ac130002", "version": 1, "date": "2021-01-21", "author": "Michael Haag, Splunk", "description": "Monitor and detect techniques used by attackers who leverage the msbuild.exe process to execute malicious code.", "narrative": "Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio and is native to Windows. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.\\\nThe inline task capability of MSBuild that was introduced in .NET version 4 allows for C# code to be inserted into an XML project file. MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.\\\nThe searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging msbuild.exe to execute malicious code.\\\nTriage\\\nValidate execution\\\n1. Determine if MSBuild.exe executed. Validate the OriginalFileName of MSBuild.exe and further PE metadata.\\\n1. Determine if script code was executed with MSBuild.\\\nSituational Awareness\\\nThe objective of this step is meant to identify suspicious behavioral indicators related to executed of Script code by MSBuild.exe.\\\n1. Parent process. Is the parent process a known LOLBin? Is the parent process an Office Application?\\\n1. Module loads. Are the known MSBuild.exe modules being loaded by a non-standard application? Is MSbuild loading any suspicious .DLLs?\\\n1. Network connections. Any network connections? Review the reputation of the remote IP or domain.\\\nRetrieval of script code\\\nThe objective of this step is to confirm the executed script code is benign or malicious.", "references": ["https://attack.mitre.org/techniques/T1127/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md", "https://github.com/infosecn1nja/MaliciousMacroMSBuild", "https://github.com/xorrior/RandomPS-Scripts/blob/master/Invoke-ExecuteMSBuild.ps1", "https://lolbas-project.github.io/lolbas/Binaries/Msbuild/", "https://github.com/MHaggis/CBR-Queries/blob/master/msbuild.md"], "tags": {"name": "Trusted Developer Utilities Proxy Execution MSBuild", "analytic_story": "Trusted Developer Utilities Proxy Execution MSBuild", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - MSBuild Suspicious Spawned By Script Process - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious MSBuild Spawn - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "MSBuild Suspicious Spawned By Script Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "MSBuild"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}]}}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "Suspicious MSBuild Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "MSBuild"}]}}]}, {"name": "Unusual Processes", "id": "f4368e3f-d59f-4192-84f6-748ac5a3ddb6", "version": 2, "date": "2020-02-04", "author": "Bhavin Patel, Splunk", "description": "Quickly identify systems running new or unusual processes in your environment that could be indicators of suspicious activity. Processes run from unusual locations, those with conspicuously long command lines, and rare executables are all examples of activities that may warrant deeper investigation.", "narrative": "Being able to profile a host's processes within your environment can help you more quickly identify processes that seem out of place when compared to the rest of the population of hosts or asset types.\\\nThis Analytic Story lets you identify processes that are either a) not typically seen running or b) have some sort of suspicious command-line arguments associated with them. This Analytic Story will also help you identify the user running these processes and the associated process activity on the host.\\\nIn the event an unusual process is identified, it is imperative to better understand how that process was able to execute on the host, when it first executed, and whether other hosts are affected. This extra information may provide clues that can help the analyst further investigate any suspicious activity.", "references": ["https://web.archive.org/web/20210921093439/https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-two.html", "https://www.splunk.com/pdfs/technical-briefs/advanced-threat-detection-and-response-tech-brief.pdf", "https://www.sans.org/reading-room/whitepapers/logging/detecting-security-incidents-windows-workstation-event-logs-34262"], "tags": {"name": "Unusual Processes", "analytic_story": "Unusual Processes", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036.005", "mitre_attack_technique": "Match Legitimate Name or Location", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT32", "APT39", "APT41", "Aoqin Dragon", "BRONZE BUTLER", "BackdoorDiplomacy", "Blue Mockingbird", "Carbanak", "Chimera", "Darkhotel", "Earth Lusca", "FIN7", "Ferocious Kitten", "Fox Kitten", "Gamaredon Group", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Poseidon Group", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "Sowbug", "TEMP.Veles", "TeamTNT", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1595", "mitre_attack_technique": "Active Scanning", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1218.012", "mitre_attack_technique": "Verclsid", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1588.002", "mitre_attack_technique": "Tool", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT19", "APT28", "APT29", "APT32", "APT33", "APT38", "APT39", "APT41", "Aoqin Dragon", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Carbanak", "Chimera", "Cleaver", "Cobalt Group", "CopyKittens", "DarkHydrus", "DarkVishnya", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN5", "FIN6", "Ferocious Kitten", "GALLIUM", "Gorgon Group", "HEXANE", "Inception", "IndigoZebra", "Ke3chang", "Kimsuky", "LAPSUS$", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "Metador", "Moses Staff", "MuddyWater", "POLONIUM", "Patchwork", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "TA505", "TEMP.Veles", "Threat Group-3390", "Thrip", "Turla", "WIRTE", "Whitefly", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134.004", "mitre_attack_technique": "Parent PID Spoofing", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Execution", "Initial Access", "Persistence", "Privilege Escalation", "Reconnaissance", "Resource Development"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Reconnaissance", "Weaponization"]}, "detection_names": ["ESCU - Uncommon Processes On Endpoint - Rule", "ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Detect processes used for System Network Configuration Discovery - Rule", "ESCU - Detect Rare Executables - Rule", "ESCU - Rundll32 Shimcache Flush - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule", "ESCU - Verclsid CLSID Execution - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows Remote Assistance Spawning Process - Rule", "ESCU - WinRM Spawning a Process - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": ["ESCU - Baseline of Command Line Length - MLTK"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Uncommon Processes On Endpoint", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious File"}]}}, {"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Match Legitimate Name or Location"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "Active Scanning"}]}}, {"name": "Detect processes used for System Network Configuration Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}]}}, {"name": "Detect Rare Executables", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Rundll32 Shimcache Flush", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "RunDLL Loading DLL By Ordinal", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "Masquerading"}]}}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Unusually Long Command Line", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Unusually Long Command Line - MLTK", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Verclsid CLSID Execution", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Verclsid"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows NirSoft AdvancedRun", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Tool"}]}}, {"name": "Windows Remote Assistance Spawning Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "WinRM Spawning a Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}]}, {"name": "Use of Cleartext Protocols", "id": "826e6431-aeef-41b4-9fc0-6d0985d65a21", "version": 1, "date": "2017-09-15", "author": "Bhavin Patel, Splunk", "description": "Leverage searches that detect cleartext network protocols that may leak credentials or should otherwise be encrypted.", "narrative": "Various legacy protocols operate by default in the clear, without the protections of encryption. This potentially leaks sensitive information that can be exploited by passively sniffing network traffic. Depending on the protocol, this information could be highly sensitive, or could allow for session hijacking. In addition, these protocols send authentication information, which would allow for the harvesting of usernames and passwords that could potentially be used to authenticate and compromise secondary systems.", "references": ["https://www.monkey.org/~dugsong/dsniff/"], "tags": {"name": "Use of Cleartext Protocols", "analytic_story": "Use of Cleartext Protocols", "category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Traffic"], "kill_chain_phases": []}, "detection_names": ["ESCU - Protocols passing authentication in cleartext - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Process Information For Port Activity - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Protocols passing authentication in cleartext", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "VMware Aria Operations vRealize CVE-2023-20887", "id": "99171cdd-57a1-4b8a-873c-f8bee12e2025", "version": 1, "date": "2023-06-21", "author": "Michael Haag, Splunk", "description": "CVE-2023-20887 is a critical vulnerability affecting VMware's vRealize Network Insight (also known as VMware Aria Operations for Networks). It allows a remote, unauthenticated attacker to execute arbitrary commands with root privileges via the Apache Thrift RPC interface. The exploit, which has a severity score of 9.8, targets an endpoint (\"/saas./resttosaasservlet\") in the application and delivers a malicious payload designed to create a reverse shell, granting the attacker control over the system. VMware has released an advisory recommending users to update to the latest version to mitigate this threat.", "narrative": "CVE-2023-20887 is a highly critical vulnerability found in VMware's vRealize Network Insight. This software is widely used for intelligent operations management across physical, virtual, and cloud environments, so a vulnerability in it poses a significant risk to many organizations.\\\nThis particular vulnerability lies in the application's Apache Thrift RPC interface. The exploit allows an attacker to inject commands that are executed with root privileges, leading to a potential total compromise of the system. The attacker does not need to be authenticated, which further increases the risk posed by this vulnerability.\\\nThe exploit operates by sending a specially crafted payload to the \"/saas./resttosaasservlet\" endpoint. This payload contains a reverse shell command, which, when executed, allows the attacker to remotely control the victim's system. This control is obtained at the root level, providing the attacker with the ability to perform any action on the system.\\\nWhat makes this vulnerability particularly dangerous is its high severity score of 9.8, indicating it is a critical threat. It's also noteworthy that the exploitation of this vulnerability leaves specific indicators such as abnormal traffic to the \"/saas./resttosaasservlet\" endpoint and suspicious ncat commands in network traffic, which can help in its detection.\\\nVMware has acknowledged the vulnerability and has published a security advisory recommending that users update to the latest version of the software. This update effectively patches the vulnerability and protects systems from this exploit. It's crucial that all users of the affected versions of VMware's vRealize Network Insight promptly apply the update to mitigate the risk posed by CVE-2023-20887.", "references": ["https://nvd.nist.gov/vuln/detail/CVE-2023-20887", "https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/", "https://viz.greynoise.io/tag/VMware-aria-operations-for-networks-rce-attempt?days=30", "https://github.com/sinsinology/CVE-2023-20887"], "tags": {"name": "VMware Aria Operations vRealize CVE-2023-20887", "analytic_story": "VMware Aria Operations vRealize CVE-2023-20887", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1210", "mitre_attack_technique": "Exploitation of Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "Dragonfly", "Earth Lusca", "FIN7", "Fox Kitten", "MuddyWater", "Threat Group-3390", "Tonto Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - VMWare Aria Operations Exploit Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "VMWare Aria Operations Exploit Attempt", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "External Remote Services"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "Exploitation of Remote Services"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}]}, {"name": "VMware Server Side Injection and Privilege Escalation", "id": "d6d51cc2-a092-43b7-9f61-1159943afe39", "version": 1, "date": "2022-05-19", "author": "Michael Haag, Splunk", "description": "Recently disclosed CVE-2022-22954 and CVE-2022-22960 have been identified in the wild abusing VMware products to compromise internet faced devices and escalate privileges.", "narrative": "On April 6, 2022, VMware published VMSA-2022-0011, which discloses multiple vulnerabilities discovered by Steven Seeley (mr_me) of Qihoo 360 Vulnerability Research Institute. The most critical of the CVEs published in VMSA-2022-0011 is CVE-2022-22954, which is a server-side template injection issue with a CVSSv3 base score of 9.8. The vulnerability allows an unauthenticated user with network access to the web interface to execute an arbitrary shell command as the VMware user. To further exacerbate this issue, VMware also disclosed a local privilege escalation issue, CVE-2022-22960, which permits the attacker to gain root after exploiting CVE-2022-22954. Products affected include - VMware Workspace ONE Access (Access) 20.10.0.0 - 20.10.0.1, 21.08.0.0 - 21.08.0.1 and VMware Identity Manager (vIDM) 3.3.3 - 3.3.6.", "references": ["https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis", "https://www.cisa.gov/uscert/ncas/alerts/aa22-138b"], "tags": {"name": "VMware Server Side Injection and Privilege Escalation", "analytic_story": "VMware Server Side Injection and Privilege Escalation", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - VMware Server Side Template Injection Hunt - Rule", "ESCU - VMware Workspace ONE Freemarker Server-side Template Injection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "VMware Server Side Template Injection Hunt", "source": "web", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "VMware Workspace ONE Freemarker Server-side Template Injection", "source": "web", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "Volt Typhoon", "id": "f73010e4-49eb-44ef-9f3f-2c25a1ae5415", "version": 1, "date": "2023-05-25", "author": "Teoderick Contreras, Splunk", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the \"Volt Typhoon\" group targeting critical infrastructure organizations in United States and Guam. The affected organizations include the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. This Analytic story looks for suspicious process execution, lolbin execution, command-line activity, lsass dump and many more.", "narrative": "Volt Typhoon is a state sponsored group typically focuses on espionage and information gathering.\\ Based on Microsoft Threat Intelligence, This threat actor group puts strong emphasis on stealth in this campaign by relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity. \\ They issue commands via the command line to :\\ (1) collect data, including credentials from local and network systems, \\ (2) put the data into an archive file to stage it for exfiltration, and then \\ (3) use the stolen valid credentials to maintain persistence. \\ In addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware. They have also been observed using custom versions of open-source tools to establish a command and control (C2) channel over proxy to further stay under the radar.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"name": "Volt Typhoon", "analytic_story": "Volt Typhoon", "category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "admin@338"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1590.002", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1090.001", "mitre_attack_technique": "Internal Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT39", "Higaisa", "Lazarus Group", "Strider", "Turla"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "POLONIUM", "Sandworm Team", "Turla", "Windigo"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Creation of Shadow Copy - Rule", "ESCU - Creation of Shadow Copy with wmic and powershell - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Elevated Group Discovery With Net - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows DNS Gather Network Info - Rule", "ESCU - Windows Ldifde Directory Object Behavior - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule", "ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Fail To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Host Using NTLM - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Process - Rule", "ESCU - Windows Multiple Users Failed To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Users Remotely Failed To Authenticate From Host - Rule", "ESCU - Windows Proxy Via Netsh - Rule", "ESCU - Windows Proxy Via Registry - Rule", "ESCU - Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials - Rule", "ESCU - Windows Unusual Count Of Users Failed To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate From Process - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Remotely Failed To Auth From Host - Rule", "ESCU - Windows WMI Process Call Create - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}}, {"name": "Creation of Shadow Copy", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Creation of Shadow Copy with wmic and powershell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Elevated Group Discovery With Net", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "Masquerading"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows DNS Gather Network Info", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}]}}, {"name": "Windows Ldifde Directory Object Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Invalid Users Fail To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Invalid Users Failed To Authenticate Using NTLM", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Failed To Authenticate From Host Using NTLM", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Failed To Authenticate From Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Failed To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Remotely Failed To Authenticate From Host", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Proxy Via Netsh", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Internal Proxy"}, {"mitre_attack_technique": "Proxy"}]}}, {"name": "Windows Proxy Via Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Internal Proxy"}, {"mitre_attack_technique": "Proxy"}]}}, {"name": "Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Failed To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Failed To Authenticate From Process", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Failed To Authenticate Using NTLM", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Remotely Failed To Auth From Host", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}]}, {"name": "WhisperGate", "id": "0150e6e5-3171-442e-83f8-1ccd8599569b", "version": 1, "date": "2022-01-19", "author": "Teoderick Contreras, Splunk", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive malware targeting Ukrainian organizations also known as \"WhisperGate\". This analytic story looks for suspicious process execution, command-line activity, downloads, DNS queries and more.", "narrative": "WhisperGate/DEV-0586 is destructive malware operation found by MSTIC (Microsoft Threat Inteligence Center) targeting multiple organizations in Ukraine. This operation campaign consist of several malware component like the downloader that abuses discord platform, overwrite or destroy master boot record (MBR) of the targeted host, wiper and also windows defender evasion techniques.", "references": ["https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3"], "tags": {"name": "WhisperGate", "analytic_story": "WhisperGate", "category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1497", "mitre_attack_technique": "Virtualization/Sandbox Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["Darkhotel"]}, {"mitre_attack_id": "T1497.003", "mitre_attack_technique": "Time Based Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1588.002", "mitre_attack_technique": "Tool", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT19", "APT28", "APT29", "APT32", "APT33", "APT38", "APT39", "APT41", "Aoqin Dragon", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Carbanak", "Chimera", "Cleaver", "Cobalt Group", "CopyKittens", "DarkHydrus", "DarkVishnya", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN5", "FIN6", "Ferocious Kitten", "GALLIUM", "Gorgon Group", "HEXANE", "Inception", "IndigoZebra", "Ke3chang", "Kimsuky", "LAPSUS$", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "Metador", "Moses Staff", "MuddyWater", "POLONIUM", "Patchwork", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "TA505", "TEMP.Veles", "Threat Group-3390", "Thrip", "Turla", "WIRTE", "Whitefly", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1134.004", "mitre_attack_technique": "Parent PID Spoofing", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}], "mitre_attack_tactics": ["Defense Evasion", "Discovery", "Execution", "Impact", "Lateral Movement", "Persistence", "Privilege Escalation", "Resource Development"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation", "Weaponization"]}, "detection_names": ["ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Excessive File Deletion In WinDefender Folder - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Ping Sleep Batch Command - Rule", "ESCU - Powershell Remove Windows Defender Directory - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Process With Discord DNS Query - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows NirSoft Utilities - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Excessive File Deletion In WinDefender Folder", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Ping Sleep Batch Command", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Virtualization/Sandbox Evasion"}, {"mitre_attack_technique": "Time Based Evasion"}]}}, {"name": "Powershell Remove Windows Defender Directory", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Process Deleting Its Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Process With Discord DNS Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows NirSoft AdvancedRun", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Tool"}]}}, {"name": "Windows NirSoft Utilities", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Tool"}]}}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}]}, {"name": "Windows BootKits", "id": "1bef004d-23b2-4c49-8ceb-b59af0745317", "version": 1, "date": "2023-05-03", "author": "Michael Haag, Splunk", "description": "Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.", "narrative": "A bootkit is a sophisticated type of malware that targets the boot sectors of a hard drive, specifically the Master Boot Record (MBR) and Volume Boot Record (VBR). The MBR is the initial section of the disk that is loaded following the hardware initialization process executed by the Basic Input/Output System (BIOS). It houses the boot loader, which is responsible for loading the operating system. In contrast, the VBR is located at the beginning of each partition and contains the boot code for that specific partition. When an adversary gains raw access to the boot drive, they can overwrite the MBR or VBR, effectively diverting the execution during startup from the standard boot loader to the malicious code injected by the attacker. This tampering allows the malware to load before the operating system, enabling it to execute malicious activities stealthily and maintain persistence on the compromised system. Bootkits are particularly dangerous because they can bypass security measures implemented by the operating system and antivirus software. Since they load before the operating system, they can easily evade detection and manipulate the system's behavior from the earliest stages of the boot process. This capability makes bootkits a potent tool in an attacker's arsenal for gaining unauthorized access, stealing sensitive information, or launching further attacks on other systems. To defend against bootkit attacks, organizations should implement multiple layers of security, including strong endpoint protection, regular software updates, user awareness training, and monitoring for unusual system behavior. Additionally, hardware-based security features, such as Unified Extensible Firmware Interface (UEFI) Secure Boot and Trusted Platform Module (TPM), can help protect the integrity of the boot process and reduce the risk of bootkit infections.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/", "https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/"], "tags": {"name": "Windows BootKits", "analytic_story": "Windows BootKits", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1542.001", "mitre_attack_technique": "System Firmware", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1542", "mitre_attack_technique": "Pre-OS Boot", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Windows BootLoader Inventory - Rule", "ESCU - Windows Registry BootExecute Modification - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows BootLoader Inventory", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Firmware"}, {"mitre_attack_technique": "Pre-OS Boot"}]}}, {"name": "Windows Registry BootExecute Modification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Pre-OS Boot"}, {"mitre_attack_technique": "Registry Run Keys / Startup Folder"}]}}]}, {"name": "Windows Certificate Services", "id": "b92b4ac7-0026-4408-a6b5-c1d20658e124", "version": 1, "date": "2023-02-01", "author": "Michael Haag, Splunk", "description": "Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material.", "narrative": "The following analytic story focuses on remote and local endpoint certificate theft and abuse. Authentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files), misplaced certificate files (i.e. Unsecured Credentials), or directly from the Windows certificate store via various crypto APIs.With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Abusing certificates for authentication credentials may enable other behaviors such as Lateral Movement. Certificate-related misconfigurations may also enable opportunities for Privilege Escalation, by way of allowing users to impersonate or assume privileged accounts or permissions via the identities (SANs) associated with a certificate. These abuses may also enable Persistence via stealing or forging certificates that can be used as Valid Accounts for the duration of the certificate's validity, despite user password resets. Authentication certificates can also be stolen and forged for machine accounts. (MITRE ATT&CK)", "references": ["https://attack.mitre.org/techniques/T1649/"], "tags": {"name": "Windows Certificate Services", "analytic_story": "Windows Certificate Services", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1552.004", "mitre_attack_technique": "Private Keys", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Credential Access"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Certutil exe certificate extraction - Rule", "ESCU - Steal or Forge Authentication Certificates Behavior Identified - Rule", "ESCU - Windows Export Certificate - Rule", "ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", "ESCU - Windows PowerShell Export Certificate - Rule", "ESCU - Windows PowerShell Export PfxCertificate - Rule", "ESCU - Windows Steal Authentication Certificates Certificate Issued - Rule", "ESCU - Windows Steal Authentication Certificates Certificate Request - Rule", "ESCU - Windows Steal Authentication Certificates CertUtil Backup - Rule", "ESCU - Windows Steal Authentication Certificates CryptoAPI - Rule", "ESCU - Windows Steal Authentication Certificates CS Backup - Rule", "ESCU - Windows Steal Authentication Certificates Export Certificate - Rule", "ESCU - Windows Steal Authentication Certificates Export PfxCertificate - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Certutil exe certificate extraction", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Steal or Forge Authentication Certificates Behavior Identified", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows Export Certificate", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Private Keys"}, {"mitre_attack_technique": "Unsecured Credentials"}, {"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows Mimikatz Crypto Export File Extensions", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows PowerShell Export Certificate", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Private Keys"}, {"mitre_attack_technique": "Unsecured Credentials"}, {"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows PowerShell Export PfxCertificate", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Private Keys"}, {"mitre_attack_technique": "Unsecured Credentials"}, {"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows Steal Authentication Certificates Certificate Issued", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows Steal Authentication Certificates Certificate Request", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows Steal Authentication Certificates CertUtil Backup", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows Steal Authentication Certificates CryptoAPI", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows Steal Authentication Certificates CS Backup", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows Steal Authentication Certificates Export Certificate", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows Steal Authentication Certificates Export PfxCertificate", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}]}, {"name": "Windows Defense Evasion Tactics", "id": "56e24a28-5003-4047-b2db-e8f3c4618064", "version": 1, "date": "2018-05-31", "author": "David Dorsey, Splunk", "description": "Detect tactics used by malware to evade defenses on Windows endpoints. A few of these include suspicious `reg.exe` processes, files hidden with `attrib.exe` and disabling user-account control, among many others ", "narrative": "Defense evasion is a tactic--identified in the MITRE ATT&CK framework--that adversaries employ in a variety of ways to bypass or defeat defensive security measures. There are many techniques enumerated by the MITRE ATT&CK framework that are applicable in this context. This Analytic Story includes searches designed to identify the use of such techniques on Windows platforms.", "references": ["https://attack.mitre.org/wiki/Defense_Evasion"], "tags": {"name": "Windows Defense Evasion Tactics", "analytic_story": "Windows Defense Evasion Tactics", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1564.001", "mitre_attack_technique": "Hidden Files and Directories", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "HAFNIUM", "Lazarus Group", "LuminousMoth", "Mustang Panda", "Rocke", "Transparent Tribe", "Tropic Trooper"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1027.004", "mitre_attack_technique": "Compile After Delivery", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Gamaredon Group", "MuddyWater", "Rocke"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1564", "mitre_attack_technique": "Hide Artifacts", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1222.001", "mitre_attack_technique": "Windows File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1562.002", "mitre_attack_technique": "Disable Windows Event Logging", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound", "Threat Group-3390"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574.001", "mitre_attack_technique": "DLL Search Order Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Aquatic Panda", "BackdoorDiplomacy", "Evilnum", "RTM", "Threat Group-3390", "Tonto Team", "Whitefly", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1055.001", "mitre_attack_technique": "Dynamic-link Library Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["BackdoorDiplomacy", "Lazarus Group", "Leviathan", "Putter Panda", "TA505", "Tropic Trooper", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Impact", "Persistence", "Privilege Escalation"], "datamodels": ["Change", "Endpoint", "Web"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Reg exe used to hide files directories via registry keys - Rule", "ESCU - Remote Registry Key modifications - Rule", "ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - CSC Net On The Fly Compilation - Rule", "ESCU - Disable Registry Tool - Rule", "ESCU - Disable Security Logs Using MiniNt Registry - Rule", "ESCU - Disable Show Hidden Files - Rule", "ESCU - Disable UAC Remote Restriction - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disable Windows SmartScreen Protection - Rule", "ESCU - Disabling CMD Application - Rule", "ESCU - Disabling ControlPanel - Rule", "ESCU - Disabling Firewall with Netsh - Rule", "ESCU - Disabling FolderOptions Windows Feature - Rule", "ESCU - Disabling NoRun Windows App - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Disabling SystemRestore In Registry - Rule", "ESCU - Disabling Task Manager - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Excessive number of service control start as disabled - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - FodHelper UAC Bypass - Rule", "ESCU - Hiding Files And Directories With Attrib exe - Rule", "ESCU - NET Profiler UAC bypass - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Sdclt UAC Bypass - Rule", "ESCU - SilentCleanup UAC Bypass - Rule", "ESCU - SLUI RunAs Elevated - Rule", "ESCU - SLUI Spawning a Process - Rule", "ESCU - Suspicious Reg exe Process - Rule", "ESCU - UAC Bypass MMC Load Unsigned Dll - Rule", "ESCU - Windows Command and Scripting Interpreter Hunting Path Traversal - Rule", "ESCU - Windows Command and Scripting Interpreter Path Traversal Exec - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows Disable Change Password Through Registry - Rule", "ESCU - Windows Disable Lock Workstation Feature Through Registry - Rule", "ESCU - Windows Disable Notification Center - Rule", "ESCU - Windows Disable Windows Event Logging Disable HTTP Logging - Rule", "ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows DISM Remove Defender - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt with Sysmon - Rule", "ESCU - Windows DLL Search Order Hijacking with iscsicpl - Rule", "ESCU - Windows Event For Service Disabled - Rule", "ESCU - Windows Excessive Disabled Services Event - Rule", "ESCU - Windows Hide Notification Features Through Registry - Rule", "ESCU - Windows Impair Defense Delete Win Defender Context Menu - Rule", "ESCU - Windows Impair Defense Delete Win Defender Profile Registry - Rule", "ESCU - Windows Impair Defenses Disable HVCI - Rule", "ESCU - Windows Impair Defenses Disable Win Defender Auto Logging - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - Windows PowerShell Disable HTTP Logging - Rule", "ESCU - Windows Process With NamedPipe CommandLine - Rule", "ESCU - Windows Rasautou DLL Execution - Rule", "ESCU - WSReset UAC Bypass - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Reg exe used to hide files directories via registry keys", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hidden Files and Directories"}]}}, {"name": "Remote Registry Key modifications", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "CSC Net On The Fly Compilation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compile After Delivery"}, {"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Disable Registry Tool", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Security Logs Using MiniNt Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Disable Show Hidden Files", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hidden Files and Directories"}, {"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Hide Artifacts"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable UAC Remote Restriction", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Windows SmartScreen Protection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling CMD Application", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling ControlPanel", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling Firewall with Netsh", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling FolderOptions Windows Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling NoRun Windows App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Disabling SystemRestore In Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Disabling Task Manager", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Eventvwr UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Excessive number of service control start as disabled", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "FodHelper UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}, {"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Hiding Files And Directories With Attrib exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "Windows File and Directory Permissions Modification"}]}}, {"name": "NET Profiler UAC bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Sdclt UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "SilentCleanup UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "SLUI RunAs Elevated", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "SLUI Spawning a Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Suspicious Reg exe Process", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "UAC Bypass MMC Load Unsigned Dll", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}, {"mitre_attack_technique": "MMC"}]}}, {"name": "Windows Command and Scripting Interpreter Hunting Path Traversal", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Command and Scripting Interpreter Path Traversal Exec", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Disable Change Password Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable Lock Workstation Feature Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable Notification Center", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable Windows Event Logging Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable Windows Event Logging"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows DISM Remove Defender", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows DLL Search Order Hijacking Hunt", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Windows DLL Search Order Hijacking Hunt with Sysmon", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Windows DLL Search Order Hijacking with iscsicpl", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Search Order Hijacking"}]}}, {"name": "Windows Event For Service Disabled", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Excessive Disabled Services Event", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Hide Notification Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Impair Defense Delete Win Defender Context Menu", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Impair Defense Delete Win Defender Profile Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Impair Defenses Disable HVCI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Impair Defenses Disable Win Defender Auto Logging", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows PowerShell Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable Windows Event Logging"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}}, {"name": "Windows Process With NamedPipe CommandLine", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Windows Rasautou DLL Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Dynamic-link Library Injection"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Process Injection"}]}}, {"name": "WSReset UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}]}, {"name": "Windows Discovery Techniques", "id": "f7aba570-7d59-11eb-825e-acde48001122", "version": 1, "date": "2021-03-04", "author": "Michael Hart, Splunk", "description": "Monitors for behaviors associated with adversaries discovering objects in the environment that can be leveraged in the progression of the attack.", "narrative": "Attackers may not have much if any insight into their target's environment before the initial compromise. Once a foothold has been established, attackers will start enumerating objects in the environment (accounts, services, network shares, etc.) that can be used to achieve their objectives. This Analytic Story provides searches to help identify activities consistent with adversaries gaining knowledge of compromised Windows environments.", "references": ["https://attack.mitre.org/tactics/TA0007/", "https://cyberd.us/penetration-testing", "https://attack.mitre.org/software/S0521/"], "tags": {"name": "Windows Discovery Techniques", "analytic_story": "Windows Discovery Techniques", "category": ["Adversary Tactics"], "product": ["Splunk Behavioral Analytics", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "admin@338"]}], "mitre_attack_tactics": ["Discovery"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Net Localgroup Discovery - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Hart", "detections": [{"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}]}, {"name": "Windows DNS SIGRed CVE-2020-1350", "id": "36dbb206-d073-11ea-87d0-0242ac130003", "version": 1, "date": "2020-07-28", "author": "Shannon Davis, Splunk", "description": "Uncover activity consistent with CVE-2020-1350, or SIGRed. Discovered by Checkpoint researchers, this vulnerability affects Windows 2003 to 2019, and is triggered by a malicious DNS response (only affects DNS over TCP). An attacker can use the malicious payload to cause a buffer overflow on the vulnerable system, leading to compromise. The included searches in this Analytic Story are designed to identify the large response payload for SIG and KEY DNS records which can be used for the exploit.", "narrative": "When a client requests a DNS record for a particular domain, that request gets routed first through the client's locally configured DNS server, then to any DNS server(s) configured as forwarders, and then onto the target domain's own DNS server(s). If a attacker wanted to, they could host a malicious DNS server that responds to the initial request with a specially crafted large response (~65KB). This response would flow through to the client's local DNS server, which if not patched for CVE-2020-1350, would cause the buffer overflow. The detection searches in this Analytic Story use wire data to detect the malicious behavior. Searches for Splunk Stream and Zeek are included. The Splunk Stream search correlates across stream:dns and stream:tcp, while the Zeek search correlates across bro:dns:json and bro:conn:json. These correlations are required to pick up both the DNS record types (SIG and KEY) along with the payload size (>65KB).", "references": ["https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://support.microsoft.com/en-au/help/4569509/windows-dns-server-remote-code-execution-vulnerability"], "tags": {"name": "Windows DNS SIGRed CVE-2020-1350", "analytic_story": "Windows DNS SIGRed CVE-2020-1350", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1203", "mitre_attack_technique": "Exploitation for Client Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT12", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT41", "Andariel", "Aoqin Dragon", "Axiom", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "Higaisa", "Inception", "Lazarus Group", "Leviathan", "MuddyWater", "Mustang Panda", "Patchwork", "Sandworm Team", "Sidewinder", "TA459", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "admin@338"]}], "mitre_attack_tactics": ["Execution"], "datamodels": ["Network_Resolution", "Network_Traffic"], "kill_chain_phases": ["Installation"]}, "detection_names": ["ESCU - Detect Windows DNS SIGRed via Splunk Stream - Rule", "ESCU - Detect Windows DNS SIGRed via Zeek - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Shannon Davis", "detections": [{"name": "Detect Windows DNS SIGRed via Splunk Stream", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Client Execution"}]}}, {"name": "Detect Windows DNS SIGRed via Zeek", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Client Execution"}]}}]}, {"name": "Windows Drivers", "id": "d0a9323f-9411-4da6-86b2-18c184d750c0", "version": 1, "date": "2022-03-30", "author": "Michael Haag, Splunk", "description": "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.", "narrative": "A rootkit on Windows may sometimes be in the form of a Windows Driver. A driver typically has a file extension of .sys, however the internals of a sys file is similar to a Windows DLL. For Microsoft Windows to load a driver, a few requirements are needed. First, it must have a valid signature. Second, typically it should load from the windows\\system32\\drivers path. There are a few methods to investigate drivers in the environment. Drivers are noisy. An inventory of all drivers is important to understand prevalence. A driver location (Path) is also important when attempting to baseline. Looking at a driver name and path is not enough, we must also explore the signing information. Product, description, company name, signer and signing result are all items to take into account when reviewing drivers. What makes a driver malicious? Depending if a driver was dropped during a campaign or you are baselining drivers after, triaging a driver to determine maliciousness may be tough. We break this into two categories - 1. vulnerable drivers 2. driver rootkits. Attempt to identify prevelance of the driver. Is it on one or many? Review the signing information if it is present. Is it common? A lot of driver hunting will lead down rabbit holes, but we hope to help lead the way.", "references": ["https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/", "https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf", "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/"], "tags": {"name": "Windows Drivers", "analytic_story": "Windows Drivers", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1014", "mitre_attack_technique": "Rootkit", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT41", "Rocke", "TeamTNT", "Winnti Group"]}, {"mitre_attack_id": "T1553.004", "mitre_attack_technique": "Install Root Certificate", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1553", "mitre_attack_technique": "Subvert Trust Controls", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Axiom"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Windows Driver Inventory - Rule", "ESCU - Windows Driver Load Non-Standard Path - Rule", "ESCU - Windows Drivers Loaded by Signature - Rule", "ESCU - Windows Registry Certificate Added - Rule", "ESCU - Windows Registry Modification for Safe Mode Persistence - Rule", "ESCU - Windows Service Create Kernel Mode Driver - Rule", "ESCU - Windows System File on Disk - Rule", "ESCU - Windows Vulnerable Driver Loaded - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows Driver Inventory", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Windows Driver Load Non-Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Windows Drivers Loaded by Signature", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Windows Registry Certificate Added", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Install Root Certificate"}, {"mitre_attack_technique": "Subvert Trust Controls"}]}}, {"name": "Windows Registry Modification for Safe Mode Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows Service Create Kernel Mode Driver", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Windows System File on Disk", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Windows Vulnerable Driver Loaded", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}]}}]}, {"name": "Windows File Extension and Association Abuse", "id": "30552a76-ac78-48e4-b3c0-de4e34e9563d", "version": 1, "date": "2018-01-26", "author": "Rico Valdez, Splunk", "description": "Detect and investigate suspected abuse of file extensions and Windows file associations. Some of the malicious behaviors involved may include inserting spaces before file extensions or prepending the file extension with a different one, among other techniques.", "narrative": "Attackers use a variety of techniques to entice users to run malicious code or to persist on an endpoint. One way to accomplish these goals is to leverage file extensions and the mechanism Windows uses to associate files with specific applications. \\\n Since its earliest days, Windows has used extensions to identify file types. Users have become familiar with these extensions and their application associations. For example, if users see that a file ends in `.doc` or `.docx`, they will assume that it is a Microsoft Word document and expect that double-clicking will open it using `winword.exe`. The user will typically also presume that the `.docx` file is safe. \\\n Attackers take advantage of this expectation by obfuscating the true file extension. They can accomplish this in a couple of ways. One technique involves inserting multiple spaces in the file name before the extension to hide the extension from the GUI, obscuring the true nature of the file. Another approach involves prepending the real extension with a different one. This is especially effective when Windows is configured to \"hide extensions for known file types.\" In this case, the real extension is not displayed, but the prepended one is, leading end users to believe the file is a different type than it actually is.\\\nChanging the association between a file extension and an application can allow an attacker to execute arbitrary code. The technique typically involves changing the association for an often-launched file type to associate instead with a malicious program the attacker has dropped on the endpoint. When the end user launches a file that has been manipulated in this way, it will execute the attacker's malware. It will also execute the application the end user expected to run, cleverly obscuring the fact that something suspicious has occurred.\\\nRun the searches in this story to detect and investigate suspicious behavior that may indicate abuse or manipulation of Windows file extensions and/or associations.", "references": ["https://blog.malwarebytes.com/cybercrime/2013/12/file-extensions-2/", "https://attack.mitre.org/wiki/Technique/T1042"], "tags": {"name": "Windows File Extension and Association Abuse", "analytic_story": "Windows File Extension and Association Abuse", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Execution of File With Spaces Before Extension - Rule", "ESCU - Suspicious Changes to File Associations - Rule", "ESCU - Execution of File with Multiple Extensions - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Execution of File With Spaces Before Extension", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Suspicious Changes to File Associations", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Change Default File Association"}]}}, {"name": "Execution of File with Multiple Extensions", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}}]}, {"name": "Windows Log Manipulation", "id": "b6db2c60-a281-48b4-95f1-2cd99ed56835", "version": 2, "date": "2017-09-12", "author": "Rico Valdez, Splunk", "description": "Adversaries often try to cover their tracks by manipulating Windows logs. Use these searches to help you monitor for suspicious activity surrounding log files--an essential component of an effective defense.", "narrative": "Because attackers often modify system logs to cover their tracks and/or to thwart the investigative process, log monitoring is an industry-recognized best practice. While there are legitimate reasons to manipulate system logs, it is still worthwhile to keep track of who manipulated the logs, when they manipulated them, and in what way they manipulated them (determining which accesses, tools, or utilities were employed). Even if no malicious activity is detected, the knowledge of an attempt to manipulate system logs may be indicative of a broader security risk that should be thoroughly investigated.\\\nThe Analytic Story gives users two different ways to detect manipulation of Windows Event Logs and one way to detect deletion of the Update Sequence Number (USN) Change Journal. The story helps determine the history of the host and the users who have accessed it. Finally, the story aides in investigation by retrieving all the information on the process that caused these events (if the process has been identified).", "references": ["https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "https://zeltser.com/security-incident-log-review-checklist/", "http://journeyintoir.blogspot.com/2013/01/re-introducing-usnjrnl.html"], "tags": {"name": "Windows Log Manipulation", "analytic_story": "Windows Log Manipulation", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}], "mitre_attack_tactics": ["Defense Evasion", "Impact"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"]}, "detection_names": ["ESCU - Deleting Shadow Copies - Rule", "ESCU - Suspicious Event Log Service Behavior - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - USN Journal Deletion - Rule", "ESCU - Windows Event Log Cleared - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Suspicious Event Log Service Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Clear Windows Event Logs"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "USN Journal Deletion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Windows Event Log Cleared", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}}]}, {"name": "Windows Persistence Techniques", "id": "30874d4f-20a1-488f-85ec-5d52ef74e3f9", "version": 2, "date": "2018-05-31", "author": "Bhavin Patel, Splunk", "description": "Monitor for activities and techniques associated with maintaining persistence on a Windows system--a sign that an adversary may have compromised your environment.", "narrative": "Maintaining persistence is one of the first steps taken by attackers after the initial compromise. Attackers leverage various custom and built-in tools to ensure survivability and persistent access within a compromised enterprise. This Analytic Story provides searches to help you identify various behaviors used by attackers to maintain persistent access to a Windows environment.", "references": ["http://www.fuzzysecurity.com/tutorials/19.html", "https://www.fireeye.com/blog/threat-research/2010/07/malware-persistence-windows-registry.html", "http://resources.infosecinstitute.com/common-malware-persistence-mechanisms/", "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", "https://www.youtube.com/watch?v=dq2Hv7J9fvk"], "tags": {"name": "Windows Persistence Techniques", "analytic_story": "Windows Persistence Techniques", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1564.001", "mitre_attack_technique": "Hidden Files and Directories", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "HAFNIUM", "Lazarus Group", "LuminousMoth", "Mustang Panda", "Rocke", "Transparent Tribe", "Tropic Trooper"]}, {"mitre_attack_id": "T1547.014", "mitre_attack_technique": "Active Setup", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574.009", "mitre_attack_technique": "Path Interception by Unquoted Path", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1222.001", "mitre_attack_technique": "Windows File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Rocke"]}, {"mitre_attack_id": "T1037.001", "mitre_attack_technique": "Logon Script (Windows)", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "Cobalt Group"]}, {"mitre_attack_id": "T1547.010", "mitre_attack_technique": "Port Monitors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.011", "mitre_attack_technique": "Application Shimming", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN7"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1546.002", "mitre_attack_technique": "Screensaver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.003", "mitre_attack_technique": "Time Providers", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1134.005", "mitre_attack_technique": "SID-History Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["TEMP.Veles"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA551"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Reg exe used to hide files directories via registry keys - Rule", "ESCU - Remote Registry Key modifications - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Certutil exe certificate extraction - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Detect Path Interception By Creation Of program exe - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Hiding Files And Directories With Attrib exe - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - Monitor Registry Keys for Print Monitors - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Reg exe Manipulating Windows Services Registry Keys - Rule", "ESCU - Registry Keys for Creating SHIM Databases - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks used for forcing a reboot - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Shim Database File Creation - Rule", "ESCU - Shim Database Installation With Suspicious Parameters - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Windows AD DSRM Account Changes - Rule", "ESCU - Windows AD Same Domain SID History Addition - Rule", "ESCU - Windows Event Triggered Image File Execution Options Injection - Rule", "ESCU - Windows Mshta Execution In Registry - Rule", "ESCU - Windows Registry Delete Task SD - Rule", "ESCU - Windows Schtasks Create Run As System - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Reg exe used to hide files directories via registry keys", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hidden Files and Directories"}]}}, {"name": "Remote Registry Key modifications", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Active Setup Registry Autostart", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Active Setup"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Certutil exe certificate extraction", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Detect Path Interception By Creation Of program exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Path Interception by Unquoted Path"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Blocking"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Hiding Files And Directories With Attrib exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "Windows File and Directory Permissions Modification"}]}}, {"name": "Logon Script Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Boot or Logon Initialization Scripts"}, {"mitre_attack_technique": "Logon Script (Windows)"}]}}, {"name": "Monitor Registry Keys for Print Monitors", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Port Monitors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Print Processor Registry Autostart", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Reg exe Manipulating Windows Services Registry Keys", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Registry Keys for Creating SHIM Databases", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application Shimming"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Schedule Task with HTTP Command Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Schtasks used for forcing a reboot", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Screensaver"}]}}, {"name": "Shim Database File Creation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application Shimming"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Shim Database Installation With Suspicious Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application Shimming"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Time Providers"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows AD DSRM Account Changes", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Windows AD Same Domain SID History Addition", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SID-History Injection"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Windows Event Triggered Image File Execution Options Injection", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Image File Execution Options Injection"}]}}, {"name": "Windows Mshta Execution In Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Mshta"}]}}, {"name": "Windows Registry Delete Task SD", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Schtasks Create Run As System", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}]}, {"name": "Windows Post-Exploitation", "id": "992899b7-a5cf-4bcd-bb0d-cf81762188ba", "version": 1, "date": "2022-11-30", "author": "Teoderick Contreras, Splunk", "description": "This analytic story identifies popular Windows post exploitation tools for example winpeas.bat, winpeas.exe, WinPrivCheck.bat and many more.", "narrative": "These tools allow operators to find possible exploits or paths for privilege escalation and persistence on a targeted host. Ransomware operator like the \"Prestige ransomware\" also used or abuses these post exploitation tools such as winPEAS to scan for possible avenue to gain privileges and persistence to a targeted Windows Operating System.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"name": "Windows Post-Exploitation", "analytic_story": "Windows Post-Exploitation", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.005", "mitre_attack_technique": "Network Share Connection Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Threat Group-3390"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "admin@338"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016.001", "mitre_attack_technique": "Internet Connection Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Gamaredon Group", "HAFNIUM", "HEXANE", "Magic Hound", "Turla"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003.005", "mitre_attack_technique": "Cached Domain Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "Leafminer", "MuddyWater", "OilRig"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1115", "mitre_attack_technique": "Clipboard Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT38", "APT39"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon"]}, {"mitre_attack_id": "T1552.002", "mitre_attack_technique": "Credentials in Registry", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT32"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1202", "mitre_attack_technique": "Indirect Command Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TeamTNT", "Tropic Trooper", "Turla", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "ZIRCONIUM"]}, {"mitre_attack_id": "T1555.005", "mitre_attack_technique": "Password Managers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Fox Kitten", "Threat Group-3390"]}, {"mitre_attack_id": "T1552.004", "mitre_attack_technique": "Private Keys", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1547.005", "mitre_attack_technique": "Security Support Provider", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Collection", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Windows Cached Domain Credentials Reg Query - Rule", "ESCU - Windows ClipBoard Data via Get-ClipBoard - Rule", "ESCU - Windows Credentials from Password Stores Query - Rule", "ESCU - Windows Credentials in Registry Reg Query - Rule", "ESCU - Windows Indirect Command Execution Via Series Of Forfiles - Rule", "ESCU - Windows Information Discovery Fsutil - Rule", "ESCU - Windows Modify Registry Reg Restore - Rule", "ESCU - Windows Password Managers Discovery - Rule", "ESCU - Windows Private Keys Discovery - Rule", "ESCU - Windows Query Registry Reg Save - Rule", "ESCU - Windows Security Support Provider Reg Query - Rule", "ESCU - Windows Steal or Forge Kerberos Tickets Klist - Rule", "ESCU - Windows System Network Config Discovery Display DNS - Rule", "ESCU - Windows System Network Connections Discovery Netsh - Rule", "ESCU - Windows System User Discovery Via Quser - Rule", "ESCU - Windows WMI Process And Service List - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Network Share Connection Removal"}]}}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Excessive Usage Of Cacls App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Access Removal"}]}}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Connection Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Internet Connection Discovery"}]}}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}, {"name": "Windows Cached Domain Credentials Reg Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cached Domain Credentials"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows ClipBoard Data via Get-ClipBoard", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Clipboard Data"}]}}, {"name": "Windows Credentials from Password Stores Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}]}}, {"name": "Windows Credentials in Registry Reg Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials in Registry"}, {"mitre_attack_technique": "Unsecured Credentials"}]}}, {"name": "Windows Indirect Command Execution Via Series Of Forfiles", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indirect Command Execution"}]}}, {"name": "Windows Information Discovery Fsutil", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Information Discovery"}]}}, {"name": "Windows Modify Registry Reg Restore", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Password Managers Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Managers"}]}}, {"name": "Windows Private Keys Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Private Keys"}, {"mitre_attack_technique": "Unsecured Credentials"}]}}, {"name": "Windows Query Registry Reg Save", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Security Support Provider Reg Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Support Provider"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows Steal or Forge Kerberos Tickets Klist", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows System Network Config Discovery Display DNS", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}]}}, {"name": "Windows System Network Connections Discovery Netsh", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Windows System User Discovery Via Quser", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "Windows WMI Process And Service List", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}]}, {"name": "Windows Privilege Escalation", "id": "644e22d3-598a-429c-a007-16fdb802cae5", "version": 2, "date": "2020-02-04", "author": "David Dorsey, Splunk", "description": "Monitor for and investigate activities that may be associated with a Windows privilege-escalation attack, including unusual processes running on endpoints, modified registry keys, and more.", "narrative": "Privilege escalation is a \"land-and-expand\" technique, wherein an adversary gains an initial foothold on a host and then exploits its weaknesses to increase his privileges. The motivation is simple: certain actions on a Windows machine--such as installing software--may require higher-level privileges than those the attacker initially acquired. By increasing his privilege level, the attacker can gain the control required to carry out his malicious ends. This Analytic Story provides searches to detect and investigate behaviors that attackers may use to elevate their privileges in your environment.", "references": ["https://attack.mitre.org/tactics/TA0004/"], "tags": {"name": "Windows Privilege Escalation", "analytic_story": "Windows Privilege Escalation", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1547.014", "mitre_attack_technique": "Active Setup", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Rocke"]}, {"mitre_attack_id": "T1037.001", "mitre_attack_technique": "Logon Script (Windows)", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "Cobalt Group"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Earth Lusca", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.008", "mitre_attack_technique": "Accessibility Features", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT3", "APT41", "Axiom", "Deep Panda", "Fox Kitten"]}, {"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["TEMP.Veles"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1134.001", "mitre_attack_technique": "Token Impersonation/Theft", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "FIN8"]}, {"mitre_attack_id": "T1546.002", "mitre_attack_technique": "Screensaver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.003", "mitre_attack_technique": "Time Providers", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Execution", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Uncommon Processes On Endpoint - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Child Processes of Spoolsv exe - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - MSI Module Loaded by Non-System Binary - Rule", "ESCU - Overwriting Accessibility Binaries - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Runas Execution in CommandLine - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Time Provider Persistence Registry - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Uncommon Processes On Endpoint", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious File"}]}}, {"name": "Active Setup Registry Autostart", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Active Setup"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Child Processes of Spoolsv exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Blocking"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Kerberoasting spn request with RC4 encryption", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Logon Script Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Boot or Logon Initialization Scripts"}, {"mitre_attack_technique": "Logon Script (Windows)"}]}}, {"name": "MSI Module Loaded by Non-System Binary", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Overwriting Accessibility Binaries", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Accessibility Features"}]}}, {"name": "Print Processor Registry Autostart", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Image File Execution Options Injection"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Runas Execution in CommandLine", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Access Token Manipulation"}, {"mitre_attack_technique": "Token Impersonation/Theft"}]}}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Screensaver"}]}}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Time Providers"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}]}, {"name": "Windows Registry Abuse", "id": "78df1df1-25f1-4387-90f9-c4ea31ce6b75", "version": 1, "date": "2022-03-17", "author": "Teoderick Contreras, Splunk", "description": "Windows services are often used by attackers for persistence, privilege escalation, lateral movement, defense evasion, collection of data, a tool for recon, credential dumping and payload impact. This Analytic Story helps you monitor your environment for indications that Windows registry are being modified or created in a suspicious manner.", "narrative": "Windows Registry is one of the powerful and yet still mysterious Windows features that can tweak or manipulate Windows policies and low-level configuration settings. Because of this capability, most malware, adversaries or threat actors abuse this hierarchical database to do their malicious intent on a targeted host or network environment. In these cases, attackers often use tools to create or modify registry in ways that are not typical for most environments, providing opportunities for detection.", "references": ["https://attack.mitre.org/techniques/T1112/", "https://redcanary.com/blog/windows-registry-attacks-threat-detection/"], "tags": {"name": "Windows Registry Abuse", "analytic_story": "Windows Registry Abuse", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1552.002", "mitre_attack_technique": "Credentials in Registry", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT32"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1564.001", "mitre_attack_technique": "Hidden Files and Directories", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "HAFNIUM", "Lazarus Group", "LuminousMoth", "Mustang Panda", "Rocke", "Transparent Tribe", "Tropic Trooper"]}, {"mitre_attack_id": "T1564", "mitre_attack_technique": "Hide Artifacts", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.010", "mitre_attack_technique": "Port Monitors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.011", "mitre_attack_technique": "Application Shimming", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN7"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["TEMP.Veles"]}, {"mitre_attack_id": "T1546.002", "mitre_attack_technique": "Screensaver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.003", "mitre_attack_technique": "Time Providers", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1547.008", "mitre_attack_technique": "LSASS Driver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1553.004", "mitre_attack_technique": "Install Root Certificate", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1553", "mitre_attack_technique": "Subvert Trust Controls", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Axiom"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Execution", "Impact", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - Allow Operation with Consent Admin - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Auto Admin Logon Registry Entry - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Disable AMSI Through Registry - Rule", "ESCU - Disable Defender AntiVirus Registry - Rule", "ESCU - Disable Defender BlockAtFirstSeen Feature - Rule", "ESCU - Disable Defender Enhanced Notification - Rule", "ESCU - Disable Defender MpEngine Registry - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Disable Defender Submit Samples Consent Feature - Rule", "ESCU - Disable ETW Through Registry - Rule", "ESCU - Disable Registry Tool - Rule", "ESCU - Disable Security Logs Using MiniNt Registry - Rule", "ESCU - Disable Show Hidden Files - Rule", "ESCU - Disable UAC Remote Restriction - Rule", "ESCU - Disable Windows App Hotkeys - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disable Windows SmartScreen Protection - Rule", "ESCU - Disabling CMD Application - Rule", "ESCU - Disabling ControlPanel - Rule", "ESCU - Disabling Defender Services - Rule", "ESCU - Disabling FolderOptions Windows Feature - Rule", "ESCU - Disabling NoRun Windows App - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Disabling SystemRestore In Registry - Rule", "ESCU - Disabling Task Manager - Rule", "ESCU - Disabling Windows Local Security Authority Defences via Registry - Rule", "ESCU - Enable RDP In Other Port Number - Rule", "ESCU - Enable WDigest UseLogonCredential Registry - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Hide User Account From Sign-In Screen - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Monitor Registry Keys for Print Monitors - Rule", "ESCU - Registry Keys for Creating SHIM Databases - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Remcos client registry install entry - Rule", "ESCU - Revil Registry Entry - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Sdclt UAC Bypass - Rule", "ESCU - SilentCleanup UAC Bypass - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Windows AD DSRM Account Changes - Rule", "ESCU - Windows Autostart Execution LSASS Driver Registry Modification - Rule", "ESCU - Windows Disable Lock Workstation Feature Through Registry - Rule", "ESCU - Windows Disable LogOff Button Through Registry - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows Disable Notification Center - Rule", "ESCU - Windows Disable Shutdown Button Through Registry - Rule", "ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Hide Notification Features Through Registry - Rule", "ESCU - Windows Impair Defense Delete Win Defender Context Menu - Rule", "ESCU - Windows Impair Defense Delete Win Defender Profile Registry - Rule", "ESCU - Windows Impair Defenses Disable HVCI - Rule", "ESCU - Windows Impair Defenses Disable Win Defender Auto Logging - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - Windows Registry Certificate Added - Rule", "ESCU - Windows Registry Delete Task SD - Rule", "ESCU - Windows Registry Modification for Safe Mode Persistence - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - WSReset UAC Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Allow Operation with Consent Admin", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Auto Admin Logon Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials in Registry"}, {"mitre_attack_technique": "Unsecured Credentials"}]}}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Disable AMSI Through Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender AntiVirus Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender BlockAtFirstSeen Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender Enhanced Notification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender MpEngine Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender Submit Samples Consent Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable ETW Through Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Registry Tool", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Security Logs Using MiniNt Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Disable Show Hidden Files", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hidden Files and Directories"}, {"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Hide Artifacts"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable UAC Remote Restriction", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Disable Windows App Hotkeys", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Windows SmartScreen Protection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling CMD Application", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling ControlPanel", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling Defender Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling FolderOptions Windows Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling NoRun Windows App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Disabling SystemRestore In Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Disabling Task Manager", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling Windows Local Security Authority Defences via Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Authentication Process"}]}}, {"name": "Enable RDP In Other Port Number", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}]}}, {"name": "Enable WDigest UseLogonCredential Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Blocking"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Eventvwr UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Hide User Account From Sign-In Screen", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Defacement"}]}}, {"name": "Monitor Registry Keys for Print Monitors", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Port Monitors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Registry Keys for Creating SHIM Databases", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application Shimming"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Image File Execution Options Injection"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Remcos client registry install entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Revil Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Screensaver"}]}}, {"name": "Sdclt UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "SilentCleanup UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Time Providers"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows AD DSRM Account Changes", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Windows Autostart Execution LSASS Driver Registry Modification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Driver"}]}}, {"name": "Windows Disable Lock Workstation Feature Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable LogOff Button Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable Memory Crash Dump", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows Disable Notification Center", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable Shutdown Button Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Hide Notification Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Impair Defense Delete Win Defender Context Menu", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Impair Defense Delete Win Defender Profile Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Impair Defenses Disable HVCI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Impair Defenses Disable Win Defender Auto Logging", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Registry Certificate Added", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Install Root Certificate"}, {"mitre_attack_technique": "Subvert Trust Controls"}]}}, {"name": "Windows Registry Delete Task SD", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Registry Modification for Safe Mode Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}}, {"name": "WSReset UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}]}, {"name": "Windows Service Abuse", "id": "6dbd810e-f66d-414b-8dfc-e46de55cbfe2", "version": 3, "date": "2017-11-02", "author": "Rico Valdez, Splunk", "description": "Windows services are often used by attackers for persistence and the ability to load drivers or otherwise interact with the Windows kernel. This Analytic Story helps you monitor your environment for indications that Windows services are being modified or created in a suspicious manner.", "narrative": "The Windows operating system uses a services architecture to allow for running code in the background, similar to a UNIX daemon. Attackers will often leverage Windows services for persistence, hiding in plain sight, seeking the ability to run privileged code that can interact with the kernel. In many cases, attackers will create a new service to host their malicious code. Attackers have also been observed modifying unnecessary or unused services to point to their own code, as opposed to what was intended. In these cases, attackers often use tools to create or modify services in ways that are not typical for most environments, providing opportunities for detection.", "references": ["https://attack.mitre.org/wiki/Technique/T1050", "https://attack.mitre.org/wiki/Technique/T1031"], "tags": {"name": "Windows Service Abuse", "analytic_story": "Windows Service Abuse", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - First Time Seen Running Windows Service - Rule", "ESCU - Reg exe Manipulating Windows Services Registry Keys - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": ["ESCU - Previously Seen Running Windows Services - Initial", "ESCU - Previously Seen Running Windows Services - Update"], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "First Time Seen Running Windows Service", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Reg exe Manipulating Windows Services Registry Keys", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}]}, {"name": "Windows System Binary Proxy Execution MSIExec", "id": "bea2e16b-4599-46ad-a95b-116078726c68", "version": 1, "date": "2022-06-16", "author": "Michael Haag, Splunk", "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).", "narrative": "Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs. Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.", "references": ["https://attack.mitre.org/techniques/T1218/007/"], "tags": {"name": "Windows System Binary Proxy Execution MSIExec", "analytic_story": "Windows System Binary Proxy Execution MSIExec", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.007", "mitre_attack_technique": "Msiexec", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Machete", "Molerats", "Rancor", "TA505", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Windows MSIExec DLLRegisterServer - Rule", "ESCU - Windows MSIExec Remote Download - Rule", "ESCU - Windows MSIExec Spawn Discovery Command - Rule", "ESCU - Windows MSIExec Unregister DLLRegisterServer - Rule", "ESCU - Windows MSIExec With Network Connections - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows MSIExec DLLRegisterServer", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Msiexec"}]}}, {"name": "Windows MSIExec Remote Download", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Msiexec"}]}}, {"name": "Windows MSIExec Spawn Discovery Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Msiexec"}]}}, {"name": "Windows MSIExec Unregister DLLRegisterServer", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Msiexec"}]}}, {"name": "Windows MSIExec With Network Connections", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Msiexec"}]}}]}, {"name": "Winter Vivern", "id": "5ce5f311-b311-4568-90ca-0c36781d07a4", "version": 1, "date": "2023-02-16", "author": "Teoderick Contreras, Splunk", "description": "Utilize searches that enable you to detect and investigate unusual activities potentially related to the Winter Vivern malicious software. This includes examining multiple timeout executions, scheduled task creations, screenshots, and downloading files through PowerShell, among other indicators.", "narrative": "The Winter Vivern malware, identified by CERT UA, is designed to download and run multiple PowerShell scripts on targeted hosts. These scripts aim to gather a variety of files with specific extensions, including (.edb, .ems, .eme, .emz, .key, .pem, .ovpn, .bat, .cer, .p12, .cfg, .log, .txt, .pdf, .doc, .docx, .xls, .xlsx, and .rdg), primarily from desktop directories. In addition to this, the malware captures desktop screenshots and performs data exfiltration using HTTP. To maintain its presence on the targeted host, Winter Vivern also establishes a persistence mechanism, such as creating a scheduled task.", "references": ["https://cert.gov.ua/article/3761023"], "tags": {"name": "Winter Vivern", "analytic_story": "Winter Vivern", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1041", "mitre_attack_technique": "Exfiltration Over C2 Channel", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Chimera", "Confucius", "GALLIUM", "Gamaredon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "LuminousMoth", "MuddyWater", "Sandworm Team", "Stealth Falcon", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1113", "mitre_attack_technique": "Screen Capture", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT39", "BRONZE BUTLER", "Dark Caracal", "Dragonfly", "FIN7", "GOLD SOUTHFIELD", "Gamaredon Group", "Group5", "Magic Hound", "MuddyWater", "OilRig", "Silence"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Defense Evasion", "Discovery", "Execution", "Exfiltration", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Any Powershell DownloadString - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - GetWmiObject User Account with PowerShell - Rule", "ESCU - GetWmiObject User Account with PowerShell Script Block - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - Windows Exfiltration Over C2 Via Invoke RestMethod - Rule", "ESCU - Windows Exfiltration Over C2 Via Powershell UploadString - Rule", "ESCU - Windows Scheduled Task Created Via XML - Rule", "ESCU - Windows Screen Capture Via Powershell - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "GetWmiObject User Account with PowerShell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}}, {"name": "GetWmiObject User Account with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Schedule Task with HTTP Command Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "Windows Exfiltration Over C2 Via Invoke RestMethod", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over C2 Channel"}]}}, {"name": "Windows Exfiltration Over C2 Via Powershell UploadString", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over C2 Channel"}]}}, {"name": "Windows Scheduled Task Created Via XML", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows Screen Capture Via Powershell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Screen Capture"}]}}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}]}, {"name": "XMRig", "id": "06723e6a-6bd8-4817-ace2-5fb8a7b06628", "version": 1, "date": "2021-05-07", "author": "Teoderick Contreras, Rod Soto Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the xmrig monero, including looking for file writes associated with its payload, process command-line, defense evasion (killing services, deleting users, modifying files or folder permission, killing other malware or other coin miner) and hacking tools including Telegram as mean of Command And Control (C2) to download other files. Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability. One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive. (1) Servers and cloud-based (2) systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.", "narrative": "XMRig is a high performance, open source, cross platform RandomX, KawPow, CryptoNight and AstroBWT unified CPU/GPU miner. This monero is seen in the wild on May 2017.", "references": ["https://github.com/xmrig/xmrig", "https://www.getmonero.org/resources/user-guides/mine-to-pool.html", "https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/", "https://blog.checkpoint.com/2021/03/11/february-2021s-most-wanted-malware-trickbot-takes-over-following-emotet-shutdown/"], "tags": {"name": "XMRig", "analytic_story": "XMRig", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036.005", "mitre_attack_technique": "Match Legitimate Name or Location", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT32", "APT39", "APT41", "Aoqin Dragon", "BRONZE BUTLER", "BackdoorDiplomacy", "Blue Mockingbird", "Carbanak", "Chimera", "Darkhotel", "Earth Lusca", "FIN7", "Ferocious Kitten", "Fox Kitten", "Gamaredon Group", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Poseidon Group", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "Sowbug", "TEMP.Veles", "TeamTNT", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1595", "mitre_attack_technique": "Active Scanning", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Deleting Of Net Users - Rule", "ESCU - Disable Windows App Hotkeys - Rule", "ESCU - Disabling Net User Account - Rule", "ESCU - Download Files Using Telegram - Rule", "ESCU - Enumerate Users Local Group Using Telegram - Rule", "ESCU - Excessive Attempt To Disable Services - Rule", "ESCU - Excessive Service Stop Attempt - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Hide User Account From Sign-In Screen - Rule", "ESCU - Icacls Deny Command - Rule", "ESCU - ICACLS Grant Command - Rule", "ESCU - Modify ACL permission To Files Or Folder - Rule", "ESCU - Process Kill Base On File Path - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - XMRIG Driver Loaded - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Match Legitimate Name or Location"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "Active Scanning"}]}}, {"name": "Deleting Of Net Users", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Access Removal"}]}}, {"name": "Disable Windows App Hotkeys", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling Net User Account", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Access Removal"}]}}, {"name": "Download Files Using Telegram", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Enumerate Users Local Group Using Telegram", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Excessive Attempt To Disable Services", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Excessive Service Stop Attempt", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Excessive Usage Of Cacls App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Access Removal"}]}}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Hide User Account From Sign-In Screen", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Icacls Deny Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "ICACLS Grant Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Modify ACL permission To Files Or Folder", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Process Kill Base On File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "XMRIG Driver Loaded", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}]}]} \ No newline at end of file +{"stories": [{"name": "3CX Supply Chain Attack", "id": "c4d7618c-73a7-4f7c-8071-060c36850785", "version": 1, "date": "2023-03-30", "author": "Michael Haag, Splunk", "description": "On March 29, 2023, CrowdStrike Falcon OverWatch observed unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp, a softphone application from 3CX. The malicious activity includes beaconing to actor controlled infrastructure, deployment of second stage payloads, and, in a small number of cases, hands on keyboard activity. (CrowdStrike)", "narrative": "On March 22, 2023, cybersecurity firm SentinelOne observed a surge in behavioral detections of trojanized 3CXDesktopApp installers, a popular PABX voice and video conferencing software. The multi-stage attack chain, which automatically quarantines trojanized installers, involves downloading ICO files with base64 data from GitHub and eventually leads to a 3rd stage infostealer DLL that is still under analysis. While the Mac installer remains unconfirmed as trojanized, ongoing investigations are also examining other potentially compromised applications, such as Chrome extensions. The threat actor behind the supply chain compromise, which started in February 2022, has used a code signing certificate to sign the trojanized binaries, but connections to existing threat clusters remain unclear. SentinelOne updated their IOCs on March 30th, 2023, with contributions from the research community and continues to monitor the situation for further developments. 3CX identified the vulnerability in the recent versions 18.12.407 and 18.12.416 for the desktop app. A new certificate for the app will also be produced.", "references": ["https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/", "https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp", "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/", "https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898", "https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/", "https://www.elastic.co/security-labs/elastic-users-protected-from-suddenicon-supply-chain-attack", "https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/"], "tags": {"name": "3CX Supply Chain Attack", "analytic_story": "3CX Supply Chain Attack", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1195.002", "mitre_attack_technique": "Compromise Software Supply Chain", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT41", "Cobalt Group", "Dragonfly", "GOLD SOUTHFIELD", "Sandworm Team", "Threat Group-3390"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Credential Access", "Initial Access"], "datamodels": ["Endpoint", "Network_Resolution"], "kill_chain_phases": ["Delivery", "Exploitation"]}, "detection_names": ["ESCU - 3CX Supply Chain Attack Network Indicators - Rule", "ESCU - Hunting 3CXDesktopApp Software - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Windows Vulnerable 3CX Software - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "3CX Supply Chain Attack Network Indicators", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Software Supply Chain"}]}}, {"name": "Hunting 3CXDesktopApp Software", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Software Supply Chain"}]}}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Windows Vulnerable 3CX Software", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Software Supply Chain"}]}}]}, {"name": "IcedID", "id": "1d2cc747-63d7-49a9-abb8-93aa36305603", "version": 1, "date": "2021-07-29", "author": "Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the IcedID banking trojan, including looking for file writes associated with its payload, process injection, shellcode execution and data collection.", "narrative": "IcedId banking trojan campaigns targeting banks and other vertical sectors.This malware is known in Microsoft Windows OS targetting browser such as firefox and chrom to steal banking information. It is also known to its unique payload downloaded in C2 where it can be a .png file that hides the core shellcode bot using steganography technique or gzip dat file that contains \"license.dat\" which is the actual core icedid bot.", "references": ["https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/", "https://app.any.run/tasks/48414a33-3d66-4a46-afe5-c2003bb55ccf/"], "tags": {"name": "IcedID", "analytic_story": "IcedID", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "Turla", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA551"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "admin@338"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1005", "mitre_attack_technique": "Data from Local System", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT37", "APT38", "APT39", "APT41", "Andariel", "Axiom", "BRONZE BUTLER", "CURIUM", "Dark Caracal", "Dragonfly", "FIN6", "FIN7", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HAFNIUM", "Inception", "Ke3chang", "Kimsuky", "LAPSUS$", "Lazarus Group", "LuminousMoth", "Magic Hound", "Patchwork", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Turla", "Windigo", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Defense Evasion", "Discovery", "Execution", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Account Discovery With Net App - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - CHCP Command Execution - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Create Remote Thread In Shell Application - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Disable Defender AntiVirus Registry - Rule", "ESCU - Disable Defender BlockAtFirstSeen Feature - Rule", "ESCU - Disable Defender Enhanced Notification - Rule", "ESCU - Disable Defender MpEngine Registry - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Disable Defender Submit Samples Consent Feature - Rule", "ESCU - Disable Schedule Task - Rule", "ESCU - Disabling Defender Services - Rule", "ESCU - Drop IcedID License dat - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - FodHelper UAC Bypass - Rule", "ESCU - IcedID Exfiltrated Archived File Creation - Rule", "ESCU - Mshta spawning Rundll32 OR Regsvr32 Process - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Share Discovery Via Dir Command - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Office Application Spawn Regsvr32 process - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - Process Creating LNK file in Suspicious Location - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Remote System Discovery with Net - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Rundll32 Create Remote Thread To A Process - Rule", "ESCU - Rundll32 CreateRemoteThread In Browser - Rule", "ESCU - Rundll32 DNSQuery - Rule", "ESCU - Rundll32 Process Creating Exe Dll Files - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Sqlite Module In Temp Folder - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious IcedID Rundll32 Cmdline - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Rundll32 dllregisterserver - Rule", "ESCU - Suspicious Rundll32 PluginInit - Rule", "ESCU - Windows AdFind Exe - Rule", "ESCU - Windows Curl Download to Suspicious Path - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows WMI Process Call Create - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - Wmic NonInteractive App Uninstallation - Rule"], "investigation_names": [], "baseline_names": ["ESCU - Previously seen command line arguments"], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CHCP Command Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Create Remote Thread In Shell Application", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Disable Defender AntiVirus Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender BlockAtFirstSeen Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender Enhanced Notification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender MpEngine Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender Submit Samples Consent Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Schedule Task", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling Defender Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Drop IcedID License dat", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}, {"mitre_attack_technique": "Malicious File"}]}}, {"name": "Eventvwr UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "FodHelper UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}, {"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "IcedID Exfiltrated Archived File Creation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "Mshta spawning Rundll32 OR Regsvr32 Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Share Discovery Via Dir Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Network Share Discovery"}]}}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}]}}, {"name": "Office Application Spawn Regsvr32 process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Using memory As Backing Store", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Process Creating LNK file in Suspicious Location", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Link"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Remote System Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Rundll32 Create Remote Thread To A Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Rundll32 CreateRemoteThread In Browser", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Rundll32 DNSQuery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Rundll32 Process Creating Exe Dll Files", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "RunDLL Loading DLL By Ordinal", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Sqlite Module In Temp Folder", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data from Local System"}]}}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "Masquerading"}]}}, {"name": "Suspicious IcedID Rundll32 Cmdline", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Rundll32 dllregisterserver", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious Rundll32 PluginInit", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Windows AdFind Exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Windows Curl Download to Suspicious Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Wmic NonInteractive App Uninstallation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}]}, {"name": "AcidRain", "id": "c68717c6-4938-434b-987c-e1ce9d516124", "version": 1, "date": "2022-04-12", "author": "Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the acidrain malware including deleting of files and etc. AcidRain is an ELF MIPS malware specifically designed to wipe modems and routers. The complete list of targeted devices is unknown at this time, but WatchGuard FireBox has specifically been listed as a target. This malware is capable of wiping and deleting non-standard linux files and overwriting storage device files that might related to router, ssd card and many more.", "narrative": "Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"], "tags": {"name": "AcidRain", "analytic_story": "AcidRain", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}], "mitre_attack_tactics": ["Defense Evasion", "Impact"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"]}, "detection_names": ["ESCU - Linux Deletion Of Cron Jobs - Rule", "ESCU - Linux Deletion Of Init Daemon Script - Rule", "ESCU - Linux Deletion Of Services - Rule", "ESCU - Linux High Frequency Of File Deletion In Etc Folder - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Deletion Of Cron Jobs", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Deletion Of Init Daemon Script", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Deletion Of Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux High Frequency Of File Deletion In Etc Folder", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}]}, {"name": "Active Directory Discovery", "id": "8460679c-2b21-463e-b381-b813417c32f2", "version": 1, "date": "2021-08-20", "author": "Mauricio Velazco, Splunk", "description": "Monitor for activities and techniques associated with Discovery and Reconnaissance within with Active Directory environments.", "narrative": "Discovery consists of techniques an adversay uses to gain knowledge about an internal environment or network. These techniques provide adversaries with situational awareness and allows them to have the necessary information before deciding how to act or who/what to target next.\\\nOnce an attacker obtains an initial foothold in an Active Directory environment, she is forced to engage in Discovery techniques in the initial phases of a breach to better understand and navigate the target network. Some examples include but are not limited to enumerating domain users, domain admins, computers, domain controllers, network shares, group policy objects, domain trusts, etc.", "references": ["https://attack.mitre.org/tactics/TA0007/", "https://adsecurity.org/?p=2535", "https://attack.mitre.org/techniques/T1087/001/", "https://attack.mitre.org/techniques/T1087/002/", "https://attack.mitre.org/techniques/T1087/003/", "https://attack.mitre.org/techniques/T1482/", "https://attack.mitre.org/techniques/T1201/", "https://attack.mitre.org/techniques/T1069/001/", "https://attack.mitre.org/techniques/T1069/002/", "https://attack.mitre.org/techniques/T1018/", "https://attack.mitre.org/techniques/T1049/", "https://attack.mitre.org/techniques/T1033/"], "tags": {"name": "Active Directory Discovery", "analytic_story": "Active Directory Discovery", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "admin@338"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016.001", "mitre_attack_technique": "Internet Connection Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Gamaredon Group", "HAFNIUM", "HEXANE", "Magic Hound", "Turla"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1570", "mitre_attack_technique": "Lateral Tool Transfer", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT32", "Aoqin Dragon", "Chimera", "FIN10", "GALLIUM", "Magic Hound", "Sandworm Team", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "Chimera", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "Wizard Spider"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Execution", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - AdsiSearcher Account Discovery - Rule", "ESCU - Domain Account Discovery with Dsquery - Rule", "ESCU - Domain Account Discovery With Net App - Rule", "ESCU - Domain Account Discovery with Wmic - Rule", "ESCU - Domain Controller Discovery with Nltest - Rule", "ESCU - Domain Controller Discovery with Wmic - Rule", "ESCU - Domain Group Discovery with Adsisearcher - Rule", "ESCU - Domain Group Discovery With Dsquery - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Domain Group Discovery With Wmic - Rule", "ESCU - DSQuery Domain Discovery - Rule", "ESCU - Elevated Group Discovery With Net - Rule", "ESCU - Elevated Group Discovery with PowerView - Rule", "ESCU - Elevated Group Discovery With Wmic - Rule", "ESCU - Get ADDefaultDomainPasswordPolicy with Powershell - Rule", "ESCU - Get ADDefaultDomainPasswordPolicy with Powershell Script Block - Rule", "ESCU - Get ADUser with PowerShell - Rule", "ESCU - Get ADUser with PowerShell Script Block - Rule", "ESCU - Get ADUserResultantPasswordPolicy with Powershell - Rule", "ESCU - Get ADUserResultantPasswordPolicy with Powershell Script Block - Rule", "ESCU - Get DomainPolicy with Powershell - Rule", "ESCU - Get DomainPolicy with Powershell Script Block - Rule", "ESCU - Get-DomainTrust with PowerShell - Rule", "ESCU - Get-DomainTrust with PowerShell Script Block - Rule", "ESCU - Get DomainUser with PowerShell - Rule", "ESCU - Get DomainUser with PowerShell Script Block - Rule", "ESCU - Get-ForestTrust with PowerShell - Rule", "ESCU - Get-ForestTrust with PowerShell Script Block - Rule", "ESCU - Get WMIObject Group Discovery - Rule", "ESCU - Get WMIObject Group Discovery with Script Block Logging - Rule", "ESCU - GetAdComputer with PowerShell - Rule", "ESCU - GetAdComputer with PowerShell Script Block - Rule", "ESCU - GetAdGroup with PowerShell - Rule", "ESCU - GetAdGroup with PowerShell Script Block - Rule", "ESCU - GetCurrent User with PowerShell - Rule", "ESCU - GetCurrent User with PowerShell Script Block - Rule", "ESCU - GetDomainComputer with PowerShell - Rule", "ESCU - GetDomainComputer with PowerShell Script Block - Rule", "ESCU - GetDomainController with PowerShell - Rule", "ESCU - GetDomainController with PowerShell Script Block - Rule", "ESCU - GetDomainGroup with PowerShell - Rule", "ESCU - GetDomainGroup with PowerShell Script Block - Rule", "ESCU - GetLocalUser with PowerShell - Rule", "ESCU - GetLocalUser with PowerShell Script Block - Rule", "ESCU - GetNetTcpconnection with PowerShell - Rule", "ESCU - GetNetTcpconnection with PowerShell Script Block - Rule", "ESCU - GetWmiObject Ds Computer with PowerShell - Rule", "ESCU - GetWmiObject Ds Computer with PowerShell Script Block - Rule", "ESCU - GetWmiObject Ds Group with PowerShell - Rule", "ESCU - GetWmiObject Ds Group with PowerShell Script Block - Rule", "ESCU - GetWmiObject DS User with PowerShell - Rule", "ESCU - GetWmiObject DS User with PowerShell Script Block - Rule", "ESCU - GetWmiObject User Account with PowerShell - Rule", "ESCU - GetWmiObject User Account with PowerShell Script Block - Rule", "ESCU - Local Account Discovery with Net - Rule", "ESCU - Local Account Discovery With Wmic - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Password Policy Discovery with Net - Rule", "ESCU - PowerShell Get LocalGroup Discovery - Rule", "ESCU - Powershell Get LocalGroup Discovery with Script Block Logging - Rule", "ESCU - Remote System Discovery with Adsisearcher - Rule", "ESCU - Remote System Discovery with Dsquery - Rule", "ESCU - Remote System Discovery with Net - Rule", "ESCU - Remote System Discovery with Wmic - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - ServicePrincipalNames Discovery with SetSPN - Rule", "ESCU - System User Discovery With Query - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - User Discovery With Env Vars PowerShell - Rule", "ESCU - User Discovery With Env Vars PowerShell Script Block - Rule", "ESCU - Windows File Share Discovery With Powerview - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows Lateral Tool Transfer RemCom - Rule", "ESCU - Windows Linked Policies In ADSI Discovery - Rule", "ESCU - Windows PowerView AD Access Control List Enumeration - Rule", "ESCU - Windows Root Domain linked policies Discovery - Rule", "ESCU - Windows Service Create RemComSvc - Rule", "ESCU - Wmic Group Discovery - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "AdsiSearcher Account Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Domain Account Discovery with Dsquery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Domain Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Domain Account Discovery with Wmic", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Domain Controller Discovery with Nltest", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Domain Controller Discovery with Wmic", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Domain Group Discovery with Adsisearcher", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Domain Group Discovery With Dsquery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Domain Group Discovery With Wmic", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "DSQuery Domain Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}]}}, {"name": "Elevated Group Discovery With Net", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Elevated Group Discovery with PowerView", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Elevated Group Discovery With Wmic", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Get ADDefaultDomainPasswordPolicy with Powershell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "Get ADDefaultDomainPasswordPolicy with Powershell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "Get ADUser with PowerShell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Get ADUser with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Get ADUserResultantPasswordPolicy with Powershell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "Get ADUserResultantPasswordPolicy with Powershell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "Get DomainPolicy with Powershell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "Get DomainPolicy with Powershell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "Get-DomainTrust with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}]}}, {"name": "Get-DomainTrust with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}]}}, {"name": "Get DomainUser with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Get DomainUser with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Get-ForestTrust with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}]}}, {"name": "Get-ForestTrust with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Get WMIObject Group Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "Get WMIObject Group Discovery with Script Block Logging", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "GetAdComputer with PowerShell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "GetAdComputer with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "GetAdGroup with PowerShell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "GetAdGroup with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "GetCurrent User with PowerShell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "GetCurrent User with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "GetDomainComputer with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "GetDomainComputer with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "GetDomainController with PowerShell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "GetDomainController with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "GetDomainGroup with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "GetDomainGroup with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "GetLocalUser with PowerShell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}}, {"name": "GetLocalUser with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "GetNetTcpconnection with PowerShell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "GetNetTcpconnection with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "GetWmiObject Ds Computer with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "GetWmiObject Ds Computer with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "GetWmiObject Ds Group with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "GetWmiObject Ds Group with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "GetWmiObject DS User with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "GetWmiObject DS User with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "GetWmiObject User Account with PowerShell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}}, {"name": "GetWmiObject User Account with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Local Account Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}}, {"name": "Local Account Discovery With Wmic", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Connection Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Internet Connection Discovery"}]}}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}]}}, {"name": "Password Policy Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "PowerShell Get LocalGroup Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "Powershell Get LocalGroup Discovery with Script Block Logging", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "Remote System Discovery with Adsisearcher", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Remote System Discovery with Dsquery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Remote System Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Remote System Discovery with Wmic", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "ServicePrincipalNames Discovery with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "ServicePrincipalNames Discovery with SetSPN", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "System User Discovery With Query", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "User Discovery With Env Vars PowerShell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "User Discovery With Env Vars PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "Windows File Share Discovery With Powerview", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Network Share Discovery"}]}}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows Lateral Tool Transfer RemCom", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Lateral Tool Transfer"}]}}, {"name": "Windows Linked Policies In ADSI Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Windows PowerView AD Access Control List Enumeration", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Accounts"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}}, {"name": "Windows Root Domain linked policies Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Windows Service Create RemComSvc", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Wmic Group Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}]}, {"name": "Active Directory Kerberos Attacks", "id": "38b8cf16-8461-11ec-ade1-acde48001122", "version": 1, "date": "2022-02-02", "author": "Mauricio Velazco, Splunk", "description": "Monitor for activities and techniques associated with Kerberos based attacks within with Active Directory environments.", "narrative": "Kerberos, initially named after Cerberus, the three-headed dog in Greek mythology, is a network authentication protocol that allows computers and users to prove their identity through a trusted third-party. This trusted third-party issues Kerberos tickets using symmetric encryption to allow users access to services and network resources based on their privilege level. Kerberos is the default authentication protocol used on Windows Active Directory networks since the introduction of Windows Server 2003. With Kerberos being the backbone of Windows authentication, it is commonly abused by adversaries across the different phases of a breach including initial access, privilege escalation, defense evasion, credential access, lateral movement, etc.\\ This Analytic Story groups detection use cases in which the Kerberos protocol is abused. Defenders can leverage these analytics to detect and hunt for adversaries engaging in Kerberos based attacks.", "references": ["https://en.wikipedia.org/wiki/Kerberos_(protocol)", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/", "https://attack.mitre.org/techniques/T1558/003/", "https://attack.mitre.org/techniques/T1550/003/", "https://attack.mitre.org/techniques/T1558/004/"], "tags": {"name": "Active Directory Kerberos Attacks", "analytic_story": "Active Directory Kerberos Attacks", "category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.004", "mitre_attack_technique": "AS-REP Roasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1558.001", "mitre_attack_technique": "Golden Ticket", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Ke3chang"]}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1589", "mitre_attack_technique": "Gather Victim Identity Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["APT32", "HEXANE", "LAPSUS$", "Magic Hound"]}, {"mitre_attack_id": "T1589.002", "mitre_attack_technique": "Email Addresses", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["APT32", "EXOTIC LILY", "HAFNIUM", "HEXANE", "Kimsuky", "LAPSUS$", "Lazarus Group", "Magic Hound", "MuddyWater", "Sandworm Team", "Silent Librarian", "TA551"]}, {"mitre_attack_id": "T1550.003", "mitre_attack_technique": "Pass the Ticket", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT29", "APT32", "BRONZE BUTLER"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "Chimera", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "Wizard Spider"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Authentication", "Change", "Endpoint", "Network_Traffic"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Disabled Kerberos Pre-Authentication Discovery With Get-ADUser - Rule", "ESCU - Disabled Kerberos Pre-Authentication Discovery With PowerView - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Kerberos Pre-Authentication Flag Disabled in UserAccountControl - Rule", "ESCU - Kerberos Pre-Authentication Flag Disabled with PowerShell - Rule", "ESCU - Kerberos Service Ticket Request Using RC4 Encryption - Rule", "ESCU - Kerberos TGT Request Using RC4 Encryption - Rule", "ESCU - Kerberos User Enumeration - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - PetitPotam Suspicious Kerberos TGT Request - Rule", "ESCU - Rubeus Command Line Parameters - Rule", "ESCU - Rubeus Kerberos Ticket Exports Through Winlogon Access - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - ServicePrincipalNames Discovery with SetSPN - Rule", "ESCU - Suspicious Kerberos Service Ticket Request - Rule", "ESCU - Suspicious Ticket Granting Ticket Request - Rule", "ESCU - Unknown Process Using The Kerberos Protocol - Rule", "ESCU - Unusual Number of Computer Service Tickets Requested - Rule", "ESCU - Unusual Number of Kerberos Service Tickets Requested - Rule", "ESCU - Windows Computer Account Created by Computer Account - Rule", "ESCU - Windows Computer Account Requesting Kerberos Ticket - Rule", "ESCU - Windows Computer Account With SPN - Rule", "ESCU - Windows Get-AdComputer Unconstrained Delegation Discovery - Rule", "ESCU - Windows Kerberos Local Successful Logon - Rule", "ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Fail To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Users Failed To Authenticate Using Kerberos - Rule", "ESCU - Windows PowerView Constrained Delegation Discovery - Rule", "ESCU - Windows PowerView Kerberos Service Ticket Request - Rule", "ESCU - Windows PowerView SPN Discovery - Rule", "ESCU - Windows PowerView Unconstrained Delegation Discovery - Rule", "ESCU - Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Users Failed To Auth Using Kerberos - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Disabled Kerberos Pre-Authentication Discovery With Get-ADUser", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "AS-REP Roasting"}]}}, {"name": "Disabled Kerberos Pre-Authentication Discovery With PowerView", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "AS-REP Roasting"}]}}, {"name": "Kerberoasting spn request with RC4 encryption", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Kerberos Pre-Authentication Flag Disabled in UserAccountControl", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "AS-REP Roasting"}]}}, {"name": "Kerberos Pre-Authentication Flag Disabled with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "AS-REP Roasting"}]}}, {"name": "Kerberos Service Ticket Request Using RC4 Encryption", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Golden Ticket"}]}}, {"name": "Kerberos TGT Request Using RC4 Encryption", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Use Alternate Authentication Material"}]}}, {"name": "Kerberos User Enumeration", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Identity Information"}, {"mitre_attack_technique": "Email Addresses"}]}}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}]}}, {"name": "PetitPotam Suspicious Kerberos TGT Request", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Rubeus Command Line Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}, {"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}, {"mitre_attack_technique": "AS-REP Roasting"}]}}, {"name": "Rubeus Kerberos Ticket Exports Through Winlogon Access", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}]}}, {"name": "ServicePrincipalNames Discovery with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "ServicePrincipalNames Discovery with SetSPN", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Suspicious Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}}, {"name": "Suspicious Ticket Granting Ticket Request", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}}, {"name": "Unknown Process Using The Kerberos Protocol", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Use Alternate Authentication Material"}]}}, {"name": "Unusual Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Unusual Number of Kerberos Service Tickets Requested", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Windows Computer Account Created by Computer Account", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows Computer Account Requesting Kerberos Ticket", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows Computer Account With SPN", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows Get-AdComputer Unconstrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Windows Kerberos Local Successful Logon", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Invalid Users Fail To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Failed To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows PowerView Constrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Windows PowerView Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Windows PowerView SPN Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Windows PowerView Unconstrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Failed To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}]}, {"name": "Active Directory Lateral Movement", "id": "399d65dc-1f08-499b-a259-aad9051f38ad", "version": 3, "date": "2021-12-09", "author": "David Dorsey, Mauricio Velazco Splunk", "description": "Detect and investigate tactics, techniques, and procedures around how attackers move laterally within an Active Directory environment. Since lateral movement is often a necessary step in a breach, it is important for cyber defenders to deploy detection coverage.", "narrative": "Once attackers gain a foothold within an enterprise, they will seek to expand their accesses and leverage techniques that facilitate lateral movement. Attackers will often spend quite a bit of time and effort moving laterally. Because lateral movement renders an attacker the most vulnerable to detection, it's an excellent focus for detection and investigation.\\\nIndications of lateral movement in an Active Directory network can include the abuse of system utilities (such as `psexec.exe`), unauthorized use of remote desktop services, `file/admin$` shares, WMI, PowerShell, Service Control Manager, the DCOM protocol, WinRM or the abuse of scheduled tasks. Organizations must be extra vigilant in detecting lateral movement techniques and look for suspicious activity in and around high-value strategic network assets, such as Active Directory, which are often considered the primary target or \"crown jewels\" to a persistent threat actor.\\\nAn adversary can use lateral movement for multiple purposes, including remote execution of tools, pivoting to additional systems, obtaining access to specific information or files, access to additional credentials, exfiltrating data, or delivering a secondary effect. Adversaries may use legitimate credentials alongside inherent network and operating-system functionality to remotely connect to other systems and remain under the radar of network defenders.\\\nIf there is evidence of lateral movement, it is imperative for analysts to collect evidence of the associated offending hosts. For example, an attacker might leverage host A to gain access to host B. From there, the attacker may try to move laterally to host C. In this example, the analyst should gather as much information as possible from all three hosts. \\\n It is also important to collect authentication logs for each host, to ensure that the offending accounts are well-documented. Analysts should account for all processes to ensure that the attackers did not install unauthorized software.", "references": ["https://www.fireeye.com/blog/executive-perspective/2015/08/malware_lateral_move.html", "http://www.irongeek.com/i.php?page=videos/derbycon7/t405-hunting-lateral-movement-for-fun-and-profit-mauricio-velazco"], "tags": {"name": "Active Directory Lateral Movement", "analytic_story": "Active Directory Lateral Movement", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1550.002", "mitre_attack_technique": "Pass the Hash", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT1", "APT28", "APT32", "Chimera", "GALLIUM", "Kimsuky"]}, {"mitre_attack_id": "T1210", "mitre_attack_technique": "Exploitation of Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "Dragonfly", "Earth Lusca", "FIN7", "Fox Kitten", "MuddyWater", "Threat Group-3390", "Tonto Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1563.002", "mitre_attack_technique": "RDP Hijacking", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Axiom"]}, {"mitre_attack_id": "T1563", "mitre_attack_technique": "Remote Service Session Hijacking", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Execution", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Traffic", "Risk"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Detect Activity Related to Pass the Hash Attacks - Rule", "ESCU - Active Directory Lateral Movement Identified - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Interactive Session on Remote Endpoint with PowerShell - Rule", "ESCU - Mmc LOLBAS Execution Process Spawn - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell Invoke CIMMethod CIMSession - Rule", "ESCU - PowerShell Start or Stop Service - Rule", "ESCU - Randomly Generated Scheduled Task Name - Rule", "ESCU - Randomly Generated Windows Service Name - Rule", "ESCU - Remote Desktop Process Running On System - Rule", "ESCU - Remote Process Instantiation via DCOM and PowerShell - Rule", "ESCU - Remote Process Instantiation via DCOM and PowerShell Script Block - Rule", "ESCU - Remote Process Instantiation via WinRM and PowerShell - Rule", "ESCU - Remote Process Instantiation via WinRM and PowerShell Script Block - Rule", "ESCU - Remote Process Instantiation via WinRM and Winrs - Rule", "ESCU - Remote Process Instantiation via WMI - Rule", "ESCU - Remote Process Instantiation via WMI and PowerShell - Rule", "ESCU - Remote Process Instantiation via WMI and PowerShell Script Block - Rule", "ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule", "ESCU - Scheduled Task Initiation on Remote Endpoint - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Services LOLBAS Execution Process Spawn - Rule", "ESCU - Short Lived Scheduled Task - Rule", "ESCU - Svchost LOLBAS Execution Process Spawn - Rule", "ESCU - Unusual Number of Computer Service Tickets Requested - Rule", "ESCU - Unusual Number of Remote Endpoint Authentication Events - Rule", "ESCU - Windows Administrative Shares Accessed On Multiple Hosts - Rule", "ESCU - Windows Enable Win32 ScheduledJob via Registry - Rule", "ESCU - Windows Large Number of Computer Service Tickets Requested - Rule", "ESCU - Windows Local Administrator Credential Stuffing - Rule", "ESCU - Windows PowerShell Get CIMInstance Remote Computer - Rule", "ESCU - Windows PowerShell WMI Win32 ScheduledJob - Rule", "ESCU - Windows Rapid Authentication On Multiple Hosts - Rule", "ESCU - Windows RDP Connection Successful - Rule", "ESCU - Windows Remote Create Service - Rule", "ESCU - Windows Service Create with Tscon - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Created Within Public Path - Rule", "ESCU - Windows Service Creation on Remote Endpoint - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - Windows Service Initiation on Remote Endpoint - Rule", "ESCU - Windows Special Privileged Logon On Multiple Hosts - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - Wmiprsve LOLBAS Execution Process Spawn - Rule", "ESCU - Wsmprovhost LOLBAS Execution Process Spawn - Rule", "ESCU - Remote Desktop Network Traffic - Rule"], "investigation_names": ["ESCU - Investigate Successful Remote Desktop Authentications - Response Task"], "baseline_names": ["ESCU - Identify Systems Creating Remote Desktop Traffic", "ESCU - Identify Systems Receiving Remote Desktop Traffic", "ESCU - Identify Systems Using Remote Desktop"], "author_company": "Mauricio Velazco Splunk", "author_name": "David Dorsey", "detections": [{"name": "Detect Activity Related to Pass the Hash Attacks", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Hash"}]}}, {"name": "Active Directory Lateral Movement Identified", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation of Remote Services"}]}}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Interactive Session on Remote Endpoint with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Windows Remote Management"}]}}, {"name": "Mmc LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "MMC"}]}}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Remote Management"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "MMC"}]}}, {"name": "PowerShell Invoke CIMMethod CIMSession", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "PowerShell Start or Stop Service", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}]}}, {"name": "Randomly Generated Scheduled Task Name", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Randomly Generated Windows Service Name", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Remote Desktop Process Running On System", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Remote Process Instantiation via DCOM and PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}]}}, {"name": "Remote Process Instantiation via DCOM and PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}]}}, {"name": "Remote Process Instantiation via WinRM and PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Windows Remote Management"}]}}, {"name": "Remote Process Instantiation via WinRM and PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Windows Remote Management"}]}}, {"name": "Remote Process Instantiation via WinRM and Winrs", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Windows Remote Management"}]}}, {"name": "Remote Process Instantiation via WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Remote Process Instantiation via WMI and PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Remote Process Instantiation via WMI and PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Scheduled Task Creation on Remote Endpoint using At", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "At"}]}}, {"name": "Scheduled Task Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Services LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Short Lived Scheduled Task", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Svchost LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Unusual Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Unusual Number of Remote Endpoint Authentication Events", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Windows Administrative Shares Accessed On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Network Share Discovery"}]}}, {"name": "Windows Enable Win32 ScheduledJob via Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Windows Large Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Network Share Discovery"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Windows Local Administrator Credential Stuffing", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "Windows PowerShell Get CIMInstance Remote Computer", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}]}}, {"name": "Windows PowerShell WMI Win32 ScheduledJob", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Rapid Authentication On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}]}}, {"name": "Windows RDP Connection Successful", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "RDP Hijacking"}]}}, {"name": "Windows Remote Create Service", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Windows Service Create with Tscon", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "RDP Hijacking"}, {"mitre_attack_technique": "Remote Service Session Hijacking"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Windows Service Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Windows Service Creation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}}, {"name": "Windows Service Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Windows Special Privileged Logon On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Network Share Discovery"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Wmiprsve LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Wsmprovhost LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Windows Remote Management"}]}}, {"name": "Remote Desktop Network Traffic", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}]}, {"name": "Active Directory Password Spraying", "id": "3de109da-97d2-11eb-8b6a-acde48001122", "version": 2, "date": "2021-04-07", "author": "Mauricio Velazco, Splunk", "description": "Monitor for activities and techniques associated with Password Spraying attacks within Active Directory environments.", "narrative": "In a password spraying attack, adversaries leverage one or a small list of commonly used / popular passwords against a large volume of usernames to acquire valid account credentials. Unlike a Brute Force attack that targets a specific user or small group of users with a large number of passwords, password spraying follows the opposite aproach and increases the chances of obtaining valid credentials while avoiding account lockouts. This allows adversaries to remain undetected if the target organization does not have the proper monitoring and detection controls in place.\\\nPassword Spraying can be leveraged by adversaries across different stages in an attack. It can be used to obtain an iniial access to an environment but can also be used to escalate privileges when access has been already achieved. In some scenarios, this technique capitalizes on a security policy most organizations implement, password rotation. As enterprise users change their passwords, it is possible some pick predictable, seasonal passwords such as `$CompanyNameWinter`, `Summer2021`, etc.\\\nSpecifically, this Analytic Story is focused on detecting possible Password Spraying attacks against Active Directory environments leveraging Windows Event Logs in the `Account Logon` and `Logon/Logoff` Advanced Audit Policy categories. It presents 16 detection analytics which can aid defenders in identifying instances where one source user, source host or source process attempts to authenticate against a target or targets using a high or statiscally unsual, number of unique users. A user, host or process attempting to authenticate with multiple users is not common behavior for legitimate systems and should be monitored by security teams. Possible false positive scenarios include but are not limited to vulnerability scanners, remote administration tools, multi-user systems and missconfigured systems. These should be easily spotted when first implementing the detection and addded to an allow list or lookup table. The presented detections can also be used in Threat Hunting exercises.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://www.microsoft.com/security/blog/2020/04/23/protecting-organization-password-spray-attacks/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn452415(v=ws.11)"], "tags": {"name": "Active Directory Password Spraying", "analytic_story": "Active Directory Password Spraying", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}], "mitre_attack_tactics": ["Credential Access"], "datamodels": [], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Fail To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Host Using NTLM - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Process - Rule", "ESCU - Windows Multiple Users Failed To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Users Remotely Failed To Authenticate From Host - Rule", "ESCU - Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials - Rule", "ESCU - Windows Unusual Count Of Users Failed To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate From Process - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Remotely Failed To Auth From Host - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Invalid Users Fail To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Invalid Users Failed To Authenticate Using NTLM", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Failed To Authenticate From Host Using NTLM", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Failed To Authenticate From Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Failed To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Remotely Failed To Authenticate From Host", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Failed To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Failed To Authenticate From Process", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Failed To Authenticate Using NTLM", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Remotely Failed To Auth From Host", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}]}, {"name": "Active Directory Privilege Escalation", "id": "fa34a5d8-df0a-404c-8237-11f99cba1d5f", "version": 1, "date": "2023-03-20", "author": "Mauricio Velazco, Splunk", "description": "Monitor for activities and techniques associated with Privilege Escalation attacks within Active Directory environments.", "narrative": "Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities.\\\nActive Directory is a central component of most enterprise networks, providing authentication and authorization services for users, computers, and other resources. It stores sensitive information such as passwords, user accounts, and security policies, and is therefore a high-value target for attackers. Privilege escalation attacks in Active Directory typically involve exploiting vulnerabilities or misconfigurations across the network to gain elevated privileges, such as Domain Administrator access. Once an attacker has escalated their privileges and taken full control of a domain, they can easily move laterally throughout the network, access sensitive data, and carry out further attacks. Security teams should monitor for privilege escalation attacks in Active Directory to identify a breach before attackers achieve operational success.\\\nThe following analytic story groups detection opportunities that seek to identify an adversary attempting to escalate privileges in an Active Directory network.", "references": ["https://attack.mitre.org/tactics/TA0004/", "https://adsecurity.org/?p=3658", "https://adsecurity.org/?p=2362"], "tags": {"name": "Active Directory Privilege Escalation", "analytic_story": "Active Directory Privilege Escalation", "category": [], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.001", "mitre_attack_technique": "Golden Ticket", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Ke3chang"]}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1550.003", "mitre_attack_technique": "Pass the Ticket", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT29", "APT32", "BRONZE BUTLER"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1558.004", "mitre_attack_technique": "AS-REP Roasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "Chimera", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "Wizard Spider"]}, {"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1484.001", "mitre_attack_technique": "Group Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1552.006", "mitre_attack_technique": "Group Policy Preferences", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Active Directory Privilege Escalation Identified - Rule", "ESCU - Kerberos Service Ticket Request Using RC4 Encryption - Rule", "ESCU - Rubeus Command Line Parameters - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - ServicePrincipalNames Discovery with SetSPN - Rule", "ESCU - Suspicious Computer Account Name Change - Rule", "ESCU - Suspicious Kerberos Service Ticket Request - Rule", "ESCU - Suspicious Ticket Granting Ticket Request - Rule", "ESCU - Unusual Number of Computer Service Tickets Requested - Rule", "ESCU - Unusual Number of Remote Endpoint Authentication Events - Rule", "ESCU - Windows Administrative Shares Accessed On Multiple Hosts - Rule", "ESCU - Windows Admon Default Group Policy Object Modified - Rule", "ESCU - Windows Admon Group Policy Object Created - Rule", "ESCU - Windows Default Group Policy Object Modified - Rule", "ESCU - Windows Default Group Policy Object Modified with GPME - Rule", "ESCU - Windows DnsAdmins New Member Added - Rule", "ESCU - Windows File Share Discovery With Powerview - Rule", "ESCU - Windows Findstr GPP Discovery - Rule", "ESCU - Windows Group Policy Object Created - Rule", "ESCU - Windows Large Number of Computer Service Tickets Requested - Rule", "ESCU - Windows Local Administrator Credential Stuffing - Rule", "ESCU - Windows PowerSploit GPP Discovery - Rule", "ESCU - Windows PowerView AD Access Control List Enumeration - Rule", "ESCU - Windows Rapid Authentication On Multiple Hosts - Rule", "ESCU - Windows Special Privileged Logon On Multiple Hosts - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Active Directory Privilege Escalation Identified", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}]}}, {"name": "Kerberos Service Ticket Request Using RC4 Encryption", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Golden Ticket"}]}}, {"name": "Rubeus Command Line Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}, {"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}, {"mitre_attack_technique": "AS-REP Roasting"}]}}, {"name": "ServicePrincipalNames Discovery with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "ServicePrincipalNames Discovery with SetSPN", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Suspicious Computer Account Name Change", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}}, {"name": "Suspicious Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}}, {"name": "Suspicious Ticket Granting Ticket Request", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}}, {"name": "Unusual Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Unusual Number of Remote Endpoint Authentication Events", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Windows Administrative Shares Accessed On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Network Share Discovery"}]}}, {"name": "Windows Admon Default Group Policy Object Modified", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}}, {"name": "Windows Admon Group Policy Object Created", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}}, {"name": "Windows Default Group Policy Object Modified", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}}, {"name": "Windows Default Group Policy Object Modified with GPME", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}}, {"name": "Windows DnsAdmins New Member Added", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Windows File Share Discovery With Powerview", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Network Share Discovery"}]}}, {"name": "Windows Findstr GPP Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unsecured Credentials"}, {"mitre_attack_technique": "Group Policy Preferences"}]}}, {"name": "Windows Group Policy Object Created", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}, {"mitre_attack_technique": "Domain Accounts"}]}}, {"name": "Windows Large Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Network Share Discovery"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Windows Local Administrator Credential Stuffing", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "Windows PowerSploit GPP Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unsecured Credentials"}, {"mitre_attack_technique": "Group Policy Preferences"}]}}, {"name": "Windows PowerView AD Access Control List Enumeration", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Accounts"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}}, {"name": "Windows Rapid Authentication On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}]}}, {"name": "Windows Special Privileged Logon On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Network Share Discovery"}]}}]}, {"name": "AgentTesla", "id": "9bb6077a-843e-418b-b134-c57ef997103c", "version": 1, "date": "2022-04-12", "author": "Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the AgentTesla malware including .chm application child process, ftp/smtp connection, persistence and many more. AgentTesla is one of the advanced remote access trojans (RAT) that are capable of stealing sensitive information from the infected or targeted host machine. It can collect various types of data, including browser profile information, keystrokes, capture screenshots and vpn credentials. AgentTesla has been active malware since 2014 and often delivered as a malicious attachment in phishing emails.It is also the top malware in 2021 based on the CISA report.", "narrative": "Adversaries or threat actor may use this malware to maximize the impact of infection on the target organization in operations where network wide availability interruption is the goal.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla", "https://cert.gov.ua/article/861292", "https://www.cisa.gov/uscert/ncas/alerts/aa22-216a", "https://www.joesandbox.com/analysis/702680/0/html"], "tags": {"name": "AgentTesla", "analytic_story": "AgentTesla", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.001", "mitre_attack_technique": "Compiled HTML File", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "APT41", "Dark Caracal", "OilRig", "Silence"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1014", "mitre_attack_technique": "Rootkit", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT41", "Rocke", "TeamTNT", "Winnti Group"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1071.003", "mitre_attack_technique": "Mail Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT28", "APT32", "Kimsuky", "SilverTerrier", "Turla"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Dragonfly", "Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Execution", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Detect HTML Help Spawn Child Process - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Application Drop Executable - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning CertUtil - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Driver Load Non-Standard Path - Rule", "ESCU - Windows Drivers Loaded by Signature - Rule", "ESCU - Windows File Transfer Protocol In Non-Common Process Path - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Mail Protocol In Non-Common Process Path - Rule", "ESCU - Windows Multi hop Proxy TOR Website Query - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Detect HTML Help Spawn Child Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows Driver Load Non-Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Windows Drivers Loaded by Signature", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Windows File Transfer Protocol In Non-Common Process Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Mail Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "Windows Mail Protocol In Non-Common Process Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Mail Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "Windows Multi hop Proxy TOR Website Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Mail Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}]}, {"name": "Amadey", "id": "a919a01b-3ea5-4ed4-9cbe-11cd8b64c36c", "version": 1, "date": "2023-06-16", "author": "Teoderick Contreras, Splunk", "description": "This analytic story contains searches that aims to detect activities related to Amadey, a type of malware that primarily operates as a banking Trojan. It is designed to steal sensitive information such as login credentials, credit card details, and other financial data from infected systems. The malware typically targets Windows-based computers.", "narrative": "Amadey is one of the active trojans that are capable of stealing sensitive information via its from the infected or targeted host machine. It can collect various types of data, including browser profile information, clipboard data, capture screenshots and system information. Adversaries or threat actors may use this malware to maximize the impact of infection on the target organization in operations where data collection and exfiltration is the goal. The primary function is to steal information and further distribute malware. It aims to extract a variety of information from infected devices and attempts to evade the detection of security measures by reducing the volume of data exfiltration compared to that seen in other malicious instances.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey", "https://darktrace.com/blog/amadey-info-stealer-exploiting-n-day-vulnerabilities"], "tags": {"name": "Amadey", "analytic_story": "Amadey", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "ZIRCONIUM"]}, {"mitre_attack_id": "T1222.001", "mitre_attack_technique": "Windows File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion", "Discovery", "Execution", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Files and Dirs Access Rights Modification Via Icacls - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Files and Dirs Access Rights Modification Via Icacls", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows File and Directory Permissions Modification"}, {"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}]}, {"name": "Apache Struts Vulnerability", "id": "2dcfd6a2-e7d2-4873-b6ba-adaf819d2a1e", "version": 1, "date": "2018-12-06", "author": "Rico Valdez, Splunk", "description": "Detect and investigate activities--such as unusually long `Content-Type` length, suspicious java classes and web servers executing suspicious processes--consistent with attempts to exploit Apache Struts vulnerabilities.", "narrative": "In March of 2017, a remote code-execution vulnerability in the Jakarta Multipart parser in Apache Struts, a widely used open-source framework for creating Java web applications, was disclosed and assigned to CVE-2017-5638. About two months later, hackers exploited the flaw to carry out the world's 5th largest data breach. The target, credit giant Equifax, told investigators that it had become aware of the vulnerability two months before the attack. \\\nThe exploit involved manipulating the `Content-Type HTTP` header to execute commands embedded in the header.\\\nThis Analytic Story contains two different searches that help to identify activity that may be related to this issue. The first search looks for characteristics of the `Content-Type` header consistent with attempts to exploit the vulnerability. This should be a relatively pertinent indicator, as the `Content-Type` header is generally consistent and does not have a large degree of variation.\\\nThe second search looks for the execution of various commands typically entered on the command shell when an attacker first lands on a system. These commands are not generally executed on web servers during the course of day-to-day operation, but they may be used when the system is undergoing maintenance or troubleshooting.\\\nFirst, it is helpful is to understand how often the notable event is generated, as well as the commonalities in some of these events. This may help determine whether this is a common occurrence that is of a lesser concern or a rare event that may require more extensive investigation. It can also help to understand whether the issue is restricted to a single user or system or is broader in scope.\\\nWhen looking at the target of the behavior illustrated by the event, you should note the sensitivity of the user and or/system to help determine the potential impact. It is also helpful to see what other events involving the target have occurred in the recent past. This can help tie different events together and give further situational awareness regarding the target.\\\nVarious types of information for external systems should be reviewed and (potentially) collected if the incident is, indeed, judged to be malicious. Information like this can be useful in generating your own threat intelligence to create alerts in the future.\\\nLooking at the country, responsible party, and fully qualified domain names associated with the external IP address--as well as the registration information associated with those domain names, if they are frequently visited by others--can help you answer the question of \"who,\" in regard to the external system. Answering that can help qualify the event and may serve useful for tracking. In addition, there are various sources that can provide some reputation information on the IP address or domain name, which can assist in determining if the event is malicious in nature. Finally, determining whether or not there are other events associated with the IP address may help connect some dots or show other events that should be brought into scope.\\\nGathering various data elements on the system of interest can sometimes help quickly determine that something suspicious may be happening. Some of these items include determining who else may have recently logged into the system, whether any unusual scheduled tasks exist, whether the system is communicating on suspicious ports, whether there are modifications to sensitive registry keys, and whether there are any known vulnerabilities on the system. This information can often highlight other activity commonly seen in attack scenarios or give more information about how the system may have been targeted.\\\nhen a specific service or application is targeted, it is often helpful to know the associated version to help determine whether or not it is vulnerable to a specific exploit.\\\nhen it is suspected there is an attack targeting a web server, it is helpful to look at some of the behavior of the web service to see if there is evidence that the service has been compromised. Some indications of this might be network connections to external resources, the web service spawning child processes that are not associated with typical behavior, and whether the service wrote any files that might be malicious in nature.\\\nIn the event that a suspicious file is found, we can review more information about it to help determine if it is, in fact, malicious. Identifying the file type, any processes that have the file open, what processes created and/or modified the file, and the number of systems that may have this file can help to determine if the file is malicious. Also, determining the file hash and checking it against reputation sources, such as VirusTotal, can sometimes quickly help determine whether it is malicious in nature.\\\nOften, a simple inspection of a suspect process name and path can tell you if the system has been compromised. For example, if `svchost.exe` is found running from a location other than `C:\\Windows\\System32`, it is likely something malicious designed to hide in plain sight when simply reviewing process names. Similarly, if the process itself seems legitimate, but the parent process is running from the temporary browser cache, there may be activity initiated via a compromised website the user visited.\\\nIt can also be very helpful to examine various behaviors of the process of interest or the parent of the process that is of interest. For example, if it turns out that the process of interest is malicious, it would be good to see if the parent to that process spawned other processes that might also be worth further scrutiny. If a process is suspect, reviewing the network connections made around the time of the event and/or if the process spawned any child processes could be helpful in determining whether it is malicious or executing a malicious script.", "references": ["https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.2/dev/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf"], "tags": {"name": "Apache Struts Vulnerability", "analytic_story": "Apache Struts Vulnerability", "category": ["Vulnerability"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TeamTNT", "Tropic Trooper", "Turla", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}], "mitre_attack_tactics": ["Discovery"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Suspicious Java Classes - Rule", "ESCU - Web Servers Executing Suspicious Processes - Rule", "ESCU - Unusually Long Content-Type Length - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Investigate Suspicious Strings in HTTP Header - Response Task", "ESCU - Investigate Web POSTs From src - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Suspicious Java Classes", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Web Servers Executing Suspicious Processes", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Information Discovery"}]}}, {"name": "Unusually Long Content-Type Length", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Asset Tracking", "id": "91c676cf-0b23-438d-abee-f6335e1fce77", "version": 1, "date": "2017-09-13", "author": "Bhavin Patel, Splunk", "description": "Keep a careful inventory of every asset on your network to make it easier to detect rogue devices. Unauthorized/unmanaged devices could be an indication of malicious behavior that should be investigated further.", "narrative": "This Analytic Story is designed to help you develop a better understanding of what authorized and unauthorized devices are part of your enterprise. This story can help you better categorize and classify assets, providing critical business context and awareness of their assets during an incident. Information derived from this Analytic Story can be used to better inform and support other analytic stories. For successful detection, you will need to leverage the Assets and Identity Framework from Enterprise Security to populate your known assets.", "references": ["https://www.cisecurity.org/controls/inventory-of-authorized-and-unauthorized-devices/"], "tags": {"name": "Asset Tracking", "analytic_story": "Asset Tracking", "category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Sessions"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Unauthorized Assets by MAC address - Rule"], "investigation_names": ["ESCU - Get First Occurrence and Last Occurrence of a MAC Address - Response Task", "ESCU - Get Notable History - Response Task"], "baseline_names": ["ESCU - Count of assets by category"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect Unauthorized Assets by MAC address", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "AsyncRAT", "id": "d7053072-7dd2-4874-8314-bfcbc99978a4", "version": 1, "date": "2023-01-24", "author": "Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the AsyncRAT malware including mshta application child process, bat loader execution, persistence and many more. AsyncRAT is an open source remote administration tool released last 2019. It's designed to remotely control computers via an encrypted connection, with view screen, keylogger, chat communication, persistence, defense evasion (e.g. Windows defender), DOS attack and many more.", "narrative": "although this project contains legal disclaimer, Adversaries or threat actors are popularly used in some attacks. This malware recently came across a Fully undetected batch script loader that downloads and loads the AsyncRAT from its C2 server. The batch script is obfuscated and will load a powershell loader that will decode and decrypt (AES256) the actual AsyncRAT malware.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat", "https://www.netskope.com/blog/asyncrat-using-fully-undetected-downloader"], "tags": {"name": "AsyncRAT", "analytic_story": "AsyncRAT", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1055.001", "mitre_attack_technique": "Dynamic-link Library Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["BackdoorDiplomacy", "Lazarus Group", "Leviathan", "Putter Panda", "TA505", "Tropic Trooper", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1134.002", "mitre_attack_technique": "Create Process with Token", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Lazarus Group", "Turla"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Initial Access", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Execution of File with Multiple Extensions - Rule", "ESCU - Loading Of Dynwrapx Module - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Vbscript Execution Using Wscript App - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Powershell Cryptography Namespace - Rule", "ESCU - Windows Scheduled Task with Highest Privileges - Rule", "ESCU - Windows Spearphishing Attachment Connect To None MS Office Domain - Rule", "ESCU - Windows Spearphishing Attachment Onenote Spawn Mshta - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Execution of File with Multiple Extensions", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Loading Of Dynwrapx Module", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Dynamic-link Library Injection"}]}}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "Masquerading"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Vbscript Execution Using Wscript App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create Process with Token"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Windows Powershell Cryptography Namespace", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Scheduled Task with Highest Privileges", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Windows Spearphishing Attachment Connect To None MS Office Domain", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Windows Spearphishing Attachment Onenote Spawn Mshta", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}]}, {"name": "Atlassian Confluence Server and Data Center CVE-2022-26134", "id": "91623a50-41fa-4c4e-8637-c239b80ff439", "version": 1, "date": "2022-06-03", "author": "Michael Haag, Splunk", "description": "On June 2, security researchers at Volexity published a blog outlining the discovery of an unauthenticated remote code execution zero day vulnerability (CVE-2022-26134) being actively exploited in Atlassian Confluence Server and Data Center instances in the wild. Atlassian released a fix within 24 hours of the blog''s release.", "narrative": "Atlassian describes the vulnerability as an Object-Graph Navigation Language (OGNL) injection allowing an unauthenticated user to execute arbitrary code on a Confluence Server or Data Server instance. Volexity did not release proof-of-concept (POC) exploit code, but researchers there have observed coordinated, widespread exploitation. Volexity first discovered the vulnerability over the weekend on two Internet-facing web servers running Confluence Server software. The investigation was due to suspicious activity on the hosts, including JSP webshells that were written to disk.", "references": ["https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html", "https://www.splunk.com/en_us/blog/security/atlassian-confluence-vulnerability-cve-2022-26134.html", "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", "https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/"], "tags": {"name": "Atlassian Confluence Server and Data Center CVE-2022-26134", "analytic_story": "Atlassian Confluence Server and Data Center CVE-2022-26134", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Initial Access", "Persistence"], "datamodels": ["Endpoint", "Web"], "kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - Java Writing JSP File - Rule", "ESCU - Confluence Unauthenticated Remote Code Execution CVE-2022-26134 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Java Writing JSP File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Confluence Unauthenticated Remote Code Execution CVE-2022-26134", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "AwfulShred", "id": "e36935ce-f48c-4fb2-8109-7e80c1cdc9e2", "version": 1, "date": "2023-01-24", "author": "Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the AwfulShred malware including wiping files, process kill, system reboot via system request, shred, and service stops.", "narrative": "AwfulShred is a malicious linux shell script designed to corrupt or wipe the linux targeted system. It uses shred command to overwrite files and to increase data damage. This obfuscated malicious script can also disable and corrupts apache, HTTP and SSH services, deactivate swap files, clear bash history and finally reboot the system.", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", "https://cert.gov.ua/article/3718487"], "tags": {"name": "AwfulShred", "analytic_story": "AwfulShred", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1200", "mitre_attack_technique": "Hardware Additions", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["DarkVishnya"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1059.004", "mitre_attack_technique": "Unix Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT41", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Impact", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Linux Data Destruction Command - Rule", "ESCU - Linux Deleting Critical Directory Using RM Command - Rule", "ESCU - Linux Deletion Of Services - Rule", "ESCU - Linux Disable Services - Rule", "ESCU - Linux Hardware Addition SwapOff - Rule", "ESCU - Linux Impair Defenses Process Kill - Rule", "ESCU - Linux Indicator Removal Clear Cache - Rule", "ESCU - Linux Indicator Removal Service File Deletion - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Stop Services - Rule", "ESCU - Linux System Reboot Via System Request Key - Rule", "ESCU - Linux Unix Shell Enable All SysRq Functions - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Data Destruction Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Deleting Critical Directory Using RM Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Deletion Of Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Disable Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Linux Hardware Addition SwapOff", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hardware Additions"}]}}, {"name": "Linux Impair Defenses Process Kill", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Linux Indicator Removal Clear Cache", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Indicator Removal Service File Deletion", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Stop Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Linux System Reboot Via System Request Key", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}}, {"name": "Linux Unix Shell Enable All SysRq Functions", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unix Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}]}, {"name": "AWS Cross Account Activity", "id": "2f2f610a-d64d-48c2-b57c-967a2b49ab5a", "version": 1, "date": "2018-06-04", "author": "David Dorsey, Splunk", "description": "Track when a user assumes an IAM role in another AWS account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity.", "narrative": "Amazon Web Services (AWS) admins manage access to AWS resources and services across the enterprise using AWS's Identity and Access Management (IAM) functionality. IAM provides the ability to create and manage AWS users, groups, and roles-each with their own unique set of privileges and defined access to specific resources (such as EC2 instances, the AWS Management Console, API, or the command-line interface). Unlike conventional (human) users, IAM roles are assumable by anyone in the organization. They provide users with dynamically created temporary security credentials that expire within a set time period.\\\nHerein lies the rub. In between the time between when the temporary credentials are issued and when they expire is a period of opportunity, where a user could leverage the temporary credentials to wreak havoc-spin up or remove instances, create new users, elevate privileges, and other malicious activities-throughout the environment.\\\nThis Analytic Story includes searches that will help you monitor your AWS CloudTrail logs for evidence of suspicious cross-account activity. For example, while accessing multiple AWS accounts and roles may be perfectly valid behavior, it may be suspicious when an account requests privileges of an account it has not accessed in the past. After identifying suspicious activities, you can use the provided investigative searches to help you probe more deeply.", "references": ["https://aws.amazon.com/blogs/security/aws-cloudtrail-now-tracks-cross-account-activity-to-its-origin/"], "tags": {"name": "AWS Cross Account Activity", "analytic_story": "AWS Cross Account Activity", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": [], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - aws detect attach to role policy - Rule", "ESCU - aws detect permanent key creation - Rule", "ESCU - aws detect role creation - Rule", "ESCU - aws detect sts assume role abuse - Rule", "ESCU - aws detect sts get session token abuse - Rule"], "investigation_names": ["ESCU - AWS Investigate User Activities By AccessKeyId - Response Task", "ESCU - Get Notable History - Response Task"], "baseline_names": ["ESCU - Previously Seen AWS Cross Account Activity"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "aws detect attach to role policy", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "aws detect permanent key creation", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "aws detect role creation", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "aws detect sts assume role abuse", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "aws detect sts get session token abuse", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Use Alternate Authentication Material"}]}}]}, {"name": "AWS Defense Evasion", "id": "4e00b690-293f-434d-a9d8-bcfb2ea5fff9", "version": 1, "date": "2022-07-15", "author": "Gowthamaraj Rajendran, Splunk", "description": "Identify activity and techniques associated with the Evasion of Defenses within AWS, such as Disabling CloudTrail, Deleting CloudTrail and many others.", "narrative": "Adversaries employ a variety of techniques in order to avoid detection and operate without barriers. This often involves modifying the configuration of security monitoring tools to get around them or explicitly disabling them to prevent them from running. This Analytic Story includes analytics that identify activity consistent with adversaries attempting to disable various security mechanisms on AWS. Such activity may involve deleting the CloudTrail logs , as this is where all the AWS logs get stored or explicitly changing the retention policy of S3 buckets. Other times, adversaries attempt deletion of a specified AWS CloudWatch log group.", "references": ["https://attack.mitre.org/tactics/TA0005/"], "tags": {"name": "AWS Defense Evasion", "analytic_story": "AWS Defense Evasion", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.008", "mitre_attack_technique": "Disable Cloud Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Web"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - ASL AWS Defense Evasion Delete Cloudtrail - Rule", "ESCU - ASL AWS Defense Evasion Delete CloudWatch Log Group - Rule", "ESCU - ASL AWS Defense Evasion Impair Security Services - Rule", "ESCU - AWS Defense Evasion Delete Cloudtrail - Rule", "ESCU - AWS Defense Evasion Delete CloudWatch Log Group - Rule", "ESCU - AWS Defense Evasion Impair Security Services - Rule", "ESCU - AWS Defense Evasion PutBucketLifecycle - Rule", "ESCU - AWS Defense Evasion Stop Logging Cloudtrail - Rule", "ESCU - AWS Defense Evasion Update Cloudtrail - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Gowthamaraj Rajendran", "detections": [{"name": "ASL AWS Defense Evasion Delete Cloudtrail", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "ASL AWS Defense Evasion Delete CloudWatch Log Group", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable Cloud Logs"}]}}, {"name": "ASL AWS Defense Evasion Impair Security Services", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "AWS Defense Evasion Delete Cloudtrail", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "AWS Defense Evasion Delete CloudWatch Log Group", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable Cloud Logs"}]}}, {"name": "AWS Defense Evasion Impair Security Services", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "AWS Defense Evasion PutBucketLifecycle", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "AWS Defense Evasion Stop Logging Cloudtrail", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "AWS Defense Evasion Update Cloudtrail", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable Cloud Logs"}]}}]}, {"name": "AWS IAM Privilege Escalation", "id": "ced74200-8465-4bc3-bd2c-22782eec6750", "version": 1, "date": "2021-03-08", "author": "Bhavin Patel, Splunk", "description": "This analytic story contains detections that query your AWS Cloudtrail for activities related to privilege escalation.", "narrative": "Amazon Web Services provides a neat feature called Identity and Access Management (IAM) that enables organizations to manage various AWS services and resources in a secure way. All IAM users have roles, groups and policies associated with them which governs and sets permissions to allow a user to access specific restrictions.\\\nHowever, if these IAM policies are misconfigured and have specific combinations of weak permissions; it can allow attackers to escalate their privileges and further compromise the organization. Rhino Security Labs have published comprehensive blogs detailing various AWS Escalation methods. By using this as an inspiration, Splunks research team wants to highlight how these attack vectors look in AWS Cloudtrail logs and provide you with detection queries to uncover these potentially malicious events via this Analytic Story. ", "references": ["https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/", "https://www.cyberark.com/resources/threat-research-blog/the-cloud-shadow-admin-threat-10-permissions-to-protect", "https://labs.bishopfox.com/tech-blog/privilege-escalation-in-aws"], "tags": {"name": "AWS IAM Privilege Escalation", "analytic_story": "AWS IAM Privilege Escalation", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1580", "mitre_attack_technique": "Cloud Infrastructure Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1069.003", "mitre_attack_technique": "Cloud Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": [], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - ASL AWS CreateAccessKey - Rule", "ESCU - ASL AWS IAM Delete Policy - Rule", "ESCU - ASL AWS Password Policy Changes - Rule", "ESCU - AWS Create Policy Version to allow all resources - Rule", "ESCU - AWS CreateAccessKey - Rule", "ESCU - AWS CreateLoginProfile - Rule", "ESCU - AWS IAM Assume Role Policy Brute Force - Rule", "ESCU - AWS IAM Delete Policy - Rule", "ESCU - AWS IAM Failure Group Deletion - Rule", "ESCU - AWS IAM Successful Group Deletion - Rule", "ESCU - AWS Password Policy Changes - Rule", "ESCU - AWS SetDefaultPolicyVersion - Rule", "ESCU - AWS UpdateLoginProfile - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "ASL AWS CreateAccessKey", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "ASL AWS IAM Delete Policy", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "ASL AWS Password Policy Changes", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "AWS Create Policy Version to allow all resources", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "AWS CreateAccessKey", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "AWS CreateLoginProfile", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "AWS IAM Assume Role Policy Brute Force", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Infrastructure Discovery"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "AWS IAM Delete Policy", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "AWS IAM Failure Group Deletion", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "AWS IAM Successful Group Deletion", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Groups"}, {"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}}, {"name": "AWS Password Policy Changes", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "AWS SetDefaultPolicyVersion", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "AWS UpdateLoginProfile", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}}]}, {"name": "AWS Identity and Access Management Account Takeover", "id": "4210b690-293f-411d-a9d8-bcfb2ea5fff9", "version": 2, "date": "2022-08-19", "author": "Gowthamaraj Rajendran, Bhavin Patel, Splunk", "description": "Identify activity and techniques associated with accessing credential files from AWS resources, monitor unusual authentication related activities to the AWS Console and other services such as RDS.", "narrative": "Amazon Web Services provides a web service known as Identity and Access Management(IAM) for controlling and securly managing various AWS resources. This is basically the foundation of how users in AWS interact with various resources/services in cloud and vice versa. Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. Adversaries employ a variety of techniques to steal AWS Cloud credentials like account names, passwords and keys and takeover legitmate user accounts. Usage of legitimate keys will assist the attackers to gain access to other sensitive system and they can also mimic legitimate behaviour making them harder to be detected. Such activity may involve multiple failed login to the console, new console logins and password reset activities.", "references": ["https://attack.mitre.org/tactics/TA0006/"], "tags": {"name": "AWS Identity and Access Management Account Takeover", "analytic_story": "AWS Identity and Access Management Account Takeover", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}, {"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Initial Access", "Persistence", "Privilege Escalation", "Resource Development"], "datamodels": ["Authentication"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"]}, "detection_names": ["ESCU - ASL AWS Multi-Factor Authentication Disabled - Rule", "ESCU - AWS Console Login Failed During MFA Challenge - Rule", "ESCU - AWS Credential Access Failed Login - Rule", "ESCU - AWS Credential Access GetPasswordData - Rule", "ESCU - AWS Credential Access RDS Password reset - Rule", "ESCU - AWS High Number Of Failed Authentications For User - Rule", "ESCU - AWS High Number Of Failed Authentications From Ip - Rule", "ESCU - AWS Multi-Factor Authentication Disabled - Rule", "ESCU - AWS Multiple Failed MFA Requests For User - Rule", "ESCU - AWS Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - AWS Successful Single-Factor Authentication - Rule", "ESCU - AWS Unusual Number of Failed Authentications From Ip - Rule", "ESCU - Detect AWS Console Login by New User - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Bhavin Patel, Splunk", "author_name": "Gowthamaraj Rajendran", "detections": [{"name": "ASL AWS Multi-Factor Authentication Disabled", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}}, {"name": "AWS Console Login Failed During MFA Challenge", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}}, {"name": "AWS Credential Access Failed Login", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}]}}, {"name": "AWS Credential Access GetPasswordData", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}]}}, {"name": "AWS Credential Access RDS Password reset", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "AWS High Number Of Failed Authentications For User", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "AWS High Number Of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "AWS Multi-Factor Authentication Disabled", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}}, {"name": "AWS Multiple Failed MFA Requests For User", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}}, {"name": "AWS Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "AWS Successful Single-Factor Authentication", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "AWS Unusual Number of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "Detect AWS Console Login by New User", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unsecured Credentials"}]}}, {"name": "Detect AWS Console Login by User from New City", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Detect AWS Console Login by User from New Country", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Detect AWS Console Login by User from New Region", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}]}, {"name": "AWS Network ACL Activity", "id": "2e8948a5-5239-406b-b56b-6c50ff268af4", "version": 2, "date": "2018-05-21", "author": "Bhavin Patel, Splunk", "description": "Monitor your AWS network infrastructure for bad configurations and malicious activity. Investigative searches help you probe deeper, when the facts warrant it.", "narrative": "AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational/risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. It is crucial for a company to monitor events and actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs to ensure that your servers are not vulnerable to attacks. This analytic story contains detection searches that leverage CloudTrail logs from AWS to check for bad configurations and malicious activity in your AWS network access controls.", "references": ["https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_NACLs.html", "https://aws.amazon.com/blogs/security/how-to-help-prepare-for-ddos-attacks-by-reducing-your-attack-surface/"], "tags": {"name": "AWS Network ACL Activity", "analytic_story": "AWS Network ACL Activity", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": [], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - AWS Network Access Control List Created with All Open Ports - Rule", "ESCU - AWS Network Access Control List Deleted - Rule", "ESCU - Detect Spike in blocked Outbound Traffic from your AWS - Rule", "ESCU - Detect Spike in Network ACL Activity - Rule"], "investigation_names": ["ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - AWS Network ACL Details from ID - Response Task", "ESCU - AWS Network Interface details via resourceId - Response Task", "ESCU - Get All AWS Activity From IP Address - Response Task", "ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get DNS traffic ratio - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task", "ESCU - Get Process Responsible For The DNS Traffic - Response Task"], "baseline_names": ["ESCU - Baseline of blocked outbound traffic from AWS", "ESCU - Baseline of Network ACL Activity by ARN"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS Network Access Control List Created with All Open Ports", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "AWS Network Access Control List Deleted", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Detect Spike in blocked Outbound Traffic from your AWS", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Detect Spike in Network ACL Activity", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}]}}]}, {"name": "AWS Security Hub Alerts", "id": "2f2f610a-d64d-48c2-b57c-96722b49ab5a", "version": 1, "date": "2020-08-04", "author": "Bhavin Patel, Splunk", "description": "This story is focused around detecting Security Hub alerts generated from AWS", "narrative": "AWS Security Hub collects and consolidates findings from AWS security services enabled in your environment, such as intrusion detection findings from Amazon GuardDuty, vulnerability scans from Amazon Inspector, S3 bucket policy findings from Amazon Macie, publicly accessible and cross-account resources from IAM Access Analyzer, and resources lacking WAF coverage from AWS Firewall Manager.", "references": ["https://aws.amazon.com/security-hub/features/"], "tags": {"name": "AWS Security Hub Alerts", "analytic_story": "AWS Security Hub Alerts", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Spike in AWS Security Hub Alerts for EC2 Instance - Rule", "ESCU - Detect Spike in AWS Security Hub Alerts for User - Rule"], "investigation_names": ["ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - Get EC2 Instance Details by instanceId - Response Task", "ESCU - Get EC2 Launch Details - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect Spike in AWS Security Hub Alerts for EC2 Instance", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Detect Spike in AWS Security Hub Alerts for User", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "AWS User Monitoring", "id": "2e8948a5-5239-406b-b56b-6c50f1269af3", "version": 1, "date": "2018-03-12", "author": "Bhavin Patel, Splunk", "description": "Detect and investigate dormant user accounts for your AWS environment that have become active again. Because inactive and ad-hoc accounts are common attack targets, it's critical to enable governance within your environment.", "narrative": "It seems obvious that it is critical to monitor and control the users who have access to your cloud infrastructure. Nevertheless, it's all too common for enterprises to lose track of ad-hoc accounts, leaving their servers vulnerable to attack. In fact, this was the very oversight that led to Tesla's cryptojacking attack in February, 2018.\\\nIn addition to compromising the security of your data, when bad actors leverage your compute resources, it can incur monumental costs, since you will be billed for any new EC2 instances and increased bandwidth usage. \\\nFortunately, you can leverage Amazon Web Services (AWS) CloudTrail--a tool that helps you enable governance, compliance, and risk auditing of your AWS account--to give you increased visibility into your user and resource activity by recording AWS Management Console actions and API calls. You can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred.\\\nThe detection searches in this Analytic Story are designed to help you uncover AWS API activities from users not listed in the identity table, as well as similar activities from disabled accounts.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf", "https://redlock.io/blog/cryptojacking-tesla"], "tags": {"name": "AWS User Monitoring", "analytic_story": "AWS User Monitoring", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}], "mitre_attack_tactics": ["Defense Evasion", "Discovery", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": [], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - ASL AWS Excessive Security Scanning - Rule", "ESCU - AWS Excessive Security Scanning - Rule", "ESCU - Detect API activity from users without MFA - Rule", "ESCU - Detect AWS API Activities From Unapproved Accounts - Rule", "ESCU - Detect new API calls from user roles - Rule", "ESCU - Detect Spike in AWS API Activity - Rule", "ESCU - Detect Spike in Security Group Activity - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Investigate AWS User Activities by user field - Response Task"], "baseline_names": ["ESCU - Baseline of Security Group Activity by ARN", "ESCU - Create a list of approved AWS service accounts", "ESCU - Baseline of API Calls per User ARN", "ESCU - Previously seen API call per user roles in CloudTrail"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "ASL AWS Excessive Security Scanning", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Service Discovery"}]}}, {"name": "AWS Excessive Security Scanning", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Service Discovery"}]}}, {"name": "Detect API activity from users without MFA", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Detect AWS API Activities From Unapproved Accounts", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "Detect new API calls from user roles", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "Detect Spike in AWS API Activity", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "Detect Spike in Security Group Activity", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}]}, {"name": "Azorult", "id": "efed5343-4ac2-42b1-a16d-da2428d0ce94", "version": 1, "date": "2022-06-09", "author": "Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Azorult malware including firewall modification, icacl execution, spawning more process, botnet c2 communication, defense evasion and etc. The AZORULT malware was first discovered in 2016 to be an information stealer that steals browsing history, cookies, ID/passwords, cryptocurrency information and more. It can also be a downloader of other malware. A variant of this malware was able to create a new, hidden administrator account on the machine to set a registry key to establish a Remote Desktop Protocol (RDP) connection. Exploit kits such as Fallout Exploit Kit (EK) and phishing mails with social engineering technique are one of the major infection vectors of the AZORult malware. The current malspam and phishing emails use fake product order requests, invoice documents and payment information requests. This Trojan-Spyware connects to Command And Control (C&C) servers of attacker to send and receive information.", "narrative": "Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.", "references": ["https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"name": "Azorult", "analytic_story": "Azorult", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "Dragonfly", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1564.001", "mitre_attack_technique": "Hidden Files and Directories", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "HAFNIUM", "Lazarus Group", "LuminousMoth", "Mustang Panda", "Rocke", "Transparent Tribe", "Tropic Trooper"]}, {"mitre_attack_id": "T1564", "mitre_attack_technique": "Hide Artifacts", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1222.001", "mitre_attack_technique": "Windows File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "admin@338"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Dragonfly", "Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1590.005", "mitre_attack_technique": "IP Addresses", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["Andariel", "HAFNIUM", "Magic Hound"]}, {"mitre_attack_id": "T1590", "mitre_attack_technique": "Gather Victim Network Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["HAFNIUM"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "TeamTNT", "Thrip"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - Allow Operation with Consent Admin - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - CHCP Command Execution - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Create local admin accounts using net exe - Rule", "ESCU - Detect Use of cmd exe to Launch Script Interpreters - Rule", "ESCU - Disable Defender BlockAtFirstSeen Feature - Rule", "ESCU - Disable Defender Enhanced Notification - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Disable Defender Submit Samples Consent Feature - Rule", "ESCU - Disable Show Hidden Files - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Excessive Attempt To Disable Services - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Excessive Usage Of SC Service Utility - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - Hide User Account From Sign-In Screen - Rule", "ESCU - Hiding Files And Directories With Attrib exe - Rule", "ESCU - Icacls Deny Command - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Windows Application Layer Protocol RMS Radmin Tool Namedpipe - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Gather Victim Network Info Through Ip Check Web Services - Rule", "ESCU - Windows Impair Defense Add Xml Applocker Rules - Rule", "ESCU - Windows Impair Defense Deny Security Software With Applocker - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Modify Registry Disable Toast Notifications - Rule", "ESCU - Windows Modify Registry Disable Win Defender Raw Write Notif - Rule", "ESCU - Windows Modify Registry Disable Windows Security Center Notif - Rule", "ESCU - Windows Modify Registry Disabling WER Settings - Rule", "ESCU - Windows Modify Registry DisAllow Windows App - Rule", "ESCU - Windows Modify Registry Regedit Silent Reg Import - Rule", "ESCU - Windows Modify Registry Suppress Win Defender Notif - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows Powershell Import Applocker Policy - Rule", "ESCU - Windows Remote Access Software RMS Registry - Rule", "ESCU - Windows Remote Service Rdpwinst Tool Execution - Rule", "ESCU - Windows Remote Services Allow Rdp In Firewall - Rule", "ESCU - Windows Remote Services Allow Remote Assistance - Rule", "ESCU - Windows Remote Services Rdp Enable - Rule", "ESCU - Windows Service Stop By Deletion - Rule", "ESCU - Windows Valid Account With Never Expires Password - Rule", "ESCU - Wmic NonInteractive App Uninstallation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Allow Operation with Consent Admin", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "CHCP Command Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Create local admin accounts using net exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "Detect Use of cmd exe to Launch Script Interpreters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "Disable Defender BlockAtFirstSeen Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender Enhanced Notification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender Submit Samples Consent Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Show Hidden Files", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hidden Files and Directories"}, {"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Hide Artifacts"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Excessive Attempt To Disable Services", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Excessive Usage Of Cacls App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Access Removal"}]}}, {"name": "Excessive Usage Of SC Service Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Hide User Account From Sign-In Screen", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Hiding Files And Directories With Attrib exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "Windows File and Directory Permissions Modification"}]}}, {"name": "Icacls Deny Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "Network Connection Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows Application Layer Protocol RMS Radmin Tool Namedpipe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Gather Victim Network Info Through Ip Check Web Services", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "IP Addresses"}, {"mitre_attack_technique": "Gather Victim Network Information"}]}}, {"name": "Windows Impair Defense Add Xml Applocker Rules", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Impair Defense Deny Security Software With Applocker", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "Windows Modify Registry Disable Toast Notifications", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Disable Win Defender Raw Write Notif", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Disable Windows Security Center Notif", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Disabling WER Settings", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry DisAllow Windows App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Regedit Silent Reg Import", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Suppress Win Defender Notif", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Windows Powershell Import Applocker Policy", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Remote Access Software RMS Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Access Software"}]}}, {"name": "Windows Remote Service Rdpwinst Tool Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Windows Remote Services Allow Rdp In Firewall", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Windows Remote Services Allow Remote Assistance", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Windows Remote Services Rdp Enable", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Windows Service Stop By Deletion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Windows Valid Account With Never Expires Password", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Wmic NonInteractive App Uninstallation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}]}, {"name": "Azure Active Directory Account Takeover", "id": "41514c46-7118-4eab-a9bb-f3bfa4e3bea9", "version": 2, "date": "2022-07-14", "author": "Mauricio Velazco, Splunk", "description": "Monitor for activities and techniques associated with Account Takover attacks against Azure Active Directory tenants.", "narrative": "Azure Active Directory (Azure AD) is Microsofts enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most of Azure services like Office 365. It can sync with on-premise Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day. Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic storic groups detections that can help security operations teams identify the potential compromise of Azure Active Directory accounts.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis", "https://azure.microsoft.com/en-us/services/active-directory/#overview", "https://attack.mitre.org/techniques/T1586/", "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-compare-azure-ad-to-ad", "https://www.imperva.com/learn/application-security/account-takeover-ato/", "https://www.varonis.com/blog/azure-active-directory", "https://www.barracuda.com/glossary/account-takeover"], "tags": {"name": "Azure Active Directory Account Takeover", "analytic_story": "Azure Active Directory Account Takeover", "category": ["Adversary Tactics", "Account Compromise", "Cloud Security", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1185", "mitre_attack_technique": "Browser Session Hijacking", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}], "mitre_attack_tactics": ["Collection", "Credential Access", "Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation", "Resource Development"], "datamodels": ["Authentication", "Risk"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"]}, "detection_names": ["ESCU - ASL AWS New MFA Method Registered For User - Rule", "ESCU - AWS New MFA Method Registered For User - Rule", "ESCU - Azure Active Directory High Risk Sign-in - Rule", "ESCU - Azure AD Authentication Failed During MFA Challenge - Rule", "ESCU - Azure AD Concurrent Sessions From Different Ips - Rule", "ESCU - Azure AD High Number Of Failed Authentications For User - Rule", "ESCU - Azure AD High Number Of Failed Authentications From Ip - Rule", "ESCU - Azure AD Multi-Factor Authentication Disabled - Rule", "ESCU - Azure AD Multiple Failed MFA Requests For User - Rule", "ESCU - Azure AD Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - Azure AD New MFA Method Registered For User - Rule", "ESCU - Azure AD Successful Authentication From Different Ips - Rule", "ESCU - Azure AD Successful PowerShell Authentication - Rule", "ESCU - Azure AD Successful Single-Factor Authentication - Rule", "ESCU - Azure AD Unusual Number of Failed Authentications From Ip - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "ASL AWS New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}}, {"name": "AWS New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}}, {"name": "Azure Active Directory High Risk Sign-in", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}]}}, {"name": "Azure AD Authentication Failed During MFA Challenge", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}}, {"name": "Azure AD Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Browser Session Hijacking"}]}}, {"name": "Azure AD High Number Of Failed Authentications For User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}]}}, {"name": "Azure AD High Number Of Failed Authentications From Ip", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}, {"mitre_attack_technique": "Password Spraying"}]}}, {"name": "Azure AD Multi-Factor Authentication Disabled", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}}, {"name": "Azure AD Multiple Failed MFA Requests For User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "Azure AD Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "Azure AD New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}}, {"name": "Azure AD Successful Authentication From Different Ips", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}, {"mitre_attack_technique": "Password Spraying"}]}}, {"name": "Azure AD Successful PowerShell Authentication", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "Azure AD Successful Single-Factor Authentication", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "Azure AD Unusual Number of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}}]}, {"name": "Azure Active Directory Persistence", "id": "dca983db-6334-4a0d-be32-80611ca1396c", "version": 1, "date": "2022-08-17", "author": "Mauricio Velazco, Splunk", "description": "Monitor for activities and techniques associated with the execution of Persistence techniques against Azure Active Directory tenants.", "narrative": "Azure Active Directory (Azure AD) is Microsofts enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most of Azure services like Office 365. It can sync with on-premise Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day.\\ Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. This analytic storic groups detections that can help security operations teams identify the potential execution of Persistence techniques targeting Azure Active Directory tenants. ", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis", "https://azure.microsoft.com/en-us/services/active-directory/#overview", "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-compare-azure-ad-to-ad", "https://attack.mitre.org/tactics/TA0003/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/Persistence/"], "tags": {"name": "Azure Active Directory Persistence", "analytic_story": "Azure Active Directory Persistence", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1484.002", "mitre_attack_technique": "Domain Trust Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.001", "mitre_attack_technique": "Additional Cloud Credentials", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": [], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Azure AD External Guest User Invited - Rule", "ESCU - Azure AD Global Administrator Role Assigned - Rule", "ESCU - Azure AD New Custom Domain Added - Rule", "ESCU - Azure AD New Federated Domain Added - Rule", "ESCU - Azure AD PIM Role Assigned - Rule", "ESCU - Azure AD PIM Role Assignment Activated - Rule", "ESCU - Azure AD Privileged Role Assigned - Rule", "ESCU - Azure AD Service Principal Created - Rule", "ESCU - Azure AD Service Principal New Client Credentials - Rule", "ESCU - Azure AD Service Principal Owner Added - Rule", "ESCU - Azure AD User Enabled And Password Reset - Rule", "ESCU - Azure AD User ImmutableId Attribute Updated - Rule", "ESCU - Azure Automation Account Created - Rule", "ESCU - Azure Automation Runbook Created - Rule", "ESCU - Azure Runbook Webhook Created - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Azure AD External Guest User Invited", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}]}}, {"name": "Azure AD Global Administrator Role Assigned", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Additional Cloud Roles"}]}}, {"name": "Azure AD New Custom Domain Added", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Domain Trust Modification"}]}}, {"name": "Azure AD New Federated Domain Added", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Domain Trust Modification"}]}}, {"name": "Azure AD PIM Role Assigned", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}}, {"name": "Azure AD PIM Role Assignment Activated", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}}, {"name": "Azure AD Privileged Role Assigned", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}}, {"name": "Azure AD Service Principal Created", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}]}}, {"name": "Azure AD Service Principal New Client Credentials", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Credentials"}]}}, {"name": "Azure AD Service Principal Owner Added", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Azure AD User Enabled And Password Reset", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Azure AD User ImmutableId Attribute Updated", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Azure Automation Account Created", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create Account"}, {"mitre_attack_technique": "Cloud Account"}]}}, {"name": "Azure Automation Runbook Created", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create Account"}, {"mitre_attack_technique": "Cloud Account"}]}}, {"name": "Azure Runbook Webhook Created", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}}]}, {"name": "Azure Active Directory Privilege Escalation", "id": "ec78e872-b79c-417d-b256-8fde902522fb", "version": 1, "date": "2023-04-24", "author": "Mauricio Velazco, Splunk", "description": "Monitor for activities and techniques associated with Privilege Escalation attacks within Azure Active Directory tenants.", "narrative": "Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations or vulnerabilities.\\\nAzure Active Directory (Azure AD) is Microsofts enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most of Azure services like Office 365 and Microsoft Teams. It can sync with on-premise Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day.\\\nPrivilege escalation attacks in Azure AD typically involve abusing misconfigurations to gain elevated privileges, such as Global Administrator access. Once an attacker has escalated their privileges and taken full control of a tenant, they may abuse every service that leverages Azure AD including moving laterally to Azure virtual machines to access sensitive data and carry out further attacks. Security teams should monitor for privilege escalation attacks in Azure Active Directory to identify breaches before attackers achieve operational success.\\\nThe following analytic story groups detection opportunities that seek to identify an adversary attempting to escalate privileges in Azure AD tenants.", "references": ["https://attack.mitre.org/tactics/TA0003/", "https://cloudbrothers.info/en/azure-attack-paths/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/PrivEsc/", "https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5"], "tags": {"name": "Azure Active Directory Privilege Escalation", "analytic_story": "Azure Active Directory Privilege Escalation", "category": ["Adversary Tactics", "Account Compromise", "Cloud Security", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1098.001", "mitre_attack_technique": "Additional Cloud Credentials", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Credential Access", "Persistence"], "datamodels": ["Authentication"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Azure AD Application Administrator Role Assigned - Rule", "ESCU - Azure AD Global Administrator Role Assigned - Rule", "ESCU - Azure AD PIM Role Assigned - Rule", "ESCU - Azure AD PIM Role Assignment Activated - Rule", "ESCU - Azure AD Privileged Authentication Administrator Role Assigned - Rule", "ESCU - Azure AD Privileged Role Assigned to Service Principal - Rule", "ESCU - Azure AD Service Principal New Client Credentials - Rule", "ESCU - Azure AD Service Principal Owner Added - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Azure AD Application Administrator Role Assigned", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}}, {"name": "Azure AD Global Administrator Role Assigned", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Additional Cloud Roles"}]}}, {"name": "Azure AD PIM Role Assigned", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}}, {"name": "Azure AD PIM Role Assignment Activated", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}}, {"name": "Azure AD Privileged Authentication Administrator Role Assigned", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}]}}, {"name": "Azure AD Privileged Role Assigned to Service Principal", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}}, {"name": "Azure AD Service Principal New Client Credentials", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Credentials"}]}}, {"name": "Azure AD Service Principal Owner Added", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}]}, {"name": "Baron Samedit CVE-2021-3156", "id": "817b0dfc-23ba-4bcc-96cc-2cb77e428fbe", "version": 1, "date": "2021-01-27", "author": "Shannon Davis, Splunk", "description": "Uncover activity consistent with CVE-2021-3156. Discovered by the Qualys Research Team, this vulnerability has been found to affect sudo across multiple Linux distributions (Ubuntu 20.04 and prior, Debian 10 and prior, Fedora 33 and prior). As this vulnerability was committed to code in July 2011, there will be many distributions affected. Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host.", "narrative": "A non-privledged user is able to execute the sudoedit command to trigger a buffer overflow. After the successful buffer overflow, they are then able to gain root privileges on the affected host. The conditions needed to be run are a trailing \"\\\" along with shell and edit flags. Monitoring the /var/log directory on Linux hosts using the Splunk Universal Forwarder will allow you to pick up this behavior when using the provided detection.", "references": ["https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit"], "tags": {"name": "Baron Samedit CVE-2021-3156", "analytic_story": "Baron Samedit CVE-2021-3156", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Privilege Escalation"], "datamodels": [], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Detect Baron Samedit CVE-2021-3156 - Rule", "ESCU - Detect Baron Samedit CVE-2021-3156 Segfault - Rule", "ESCU - Detect Baron Samedit CVE-2021-3156 via OSQuery - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Shannon Davis", "detections": [{"name": "Detect Baron Samedit CVE-2021-3156", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Detect Baron Samedit CVE-2021-3156 Segfault", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Detect Baron Samedit CVE-2021-3156 via OSQuery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}]}, {"name": "BishopFox Sliver Adversary Emulation Framework", "id": "8c2e2cba-3fd8-424f-a890-5080bdaf3f31", "version": 1, "date": "2023-01-24", "author": "Michael Haag, Splunk", "description": "The following analytic story providers visibility into the latest adversary TTPs in regard to the use of Sliver. Sliver has gained more traction with adversaries as it is often seen as an alternative to Cobalt Strike. It is designed to be scalable and can be used by organizations of all sizes to perform security testing. Sliver is highly modular and contains an Extension package manager (armory) allowing easy install (automatic compilation) of various 3rd party tools such as BOFs and .NET tooling like Ghostpack (Rubeus, Seatbelt, SharpUp, Certify, and so forth) (CyberReason,2023).", "narrative": "Sliver is an open source cross-platform adversary emulation/red team framework produced by BishopFox.", "references": ["https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors", "https://www.ncsc.gov.uk/files/Advisory%20Further%20TTPs%20associated%20with%20SVR%20cyber%20actors.pdf", "https://www.proofpoint.com/uk/blog/security-briefs/ta551-uses-sliver-red-team-tool-new-activity", "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control", "https://github.com/sliverarmory/armory", "https://github.com/BishopFox/sliver"], "tags": {"name": "BishopFox Sliver Adversary Emulation Framework", "analytic_story": "BishopFox Sliver Adversary Emulation Framework", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1055.002", "mitre_attack_technique": "Portable Executable Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Gorgon Group", "Rocke"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Notepad with no Command Line Arguments - Rule", "ESCU - Windows Process Injection into Notepad - Rule", "ESCU - Windows Service Create SliverC2 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Notepad with no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Windows Process Injection into Notepad", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Portable Executable Injection"}]}}, {"name": "Windows Service Create SliverC2", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}]}, {"name": "BITS Jobs", "id": "dbc7edce-8e4c-11eb-9f31-acde48001122", "version": 1, "date": "2021-03-26", "author": "Michael Haag, Splunk", "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", "narrative": "Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations. The interface to create and manage BITS jobs is accessible through PowerShell and the BITSAdmin tool. Adversaries may abuse BITS to download, execute, and even clean up after running malicious code. BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls. BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).", "references": ["https://attack.mitre.org/techniques/T1197/", "https://docs.microsoft.com/en-us/windows/win32/bits/bitsadmin-tool"], "tags": {"name": "BITS Jobs", "analytic_story": "BITS Jobs", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1197", "mitre_attack_technique": "BITS Jobs", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT39", "APT41", "Leviathan", "Patchwork"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}], "mitre_attack_tactics": ["Command And Control", "Defense Evasion", "Persistence"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - BITS Job Persistence - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - PowerShell Start-BitsTransfer - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "BITS Job Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "BITS Jobs"}]}}, {"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "BITS Jobs"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "PowerShell Start-BitsTransfer", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "BITS Jobs"}]}}]}, {"name": "BlackLotus Campaign", "id": "8eb0e418-a2b6-4327-a387-85c976662c8f", "version": 1, "date": "2023-04-14", "author": "Michael Haag, Splunk", "description": "The first in-the-wild UEFI bootkit bypassing UEFI Secure Boot on fully updated UEFI systems is now a reality", "narrative": "The number of UEFI vulnerabilities discovered in recent years and the failures in patching them or revoking vulnerable binaries within a reasonable time window hasn't gone unnoticed by threat actors. As a result, the first publicly known UEFI bootkit bypassing the essential platform security feature UEFI Secure Boot is now a reality. present the first public analysis of this UEFI bootkit, which is capable of running on even fully-up-to-date Windows 11 systems with UEFI Secure Boot enabled. Functionality of the bootkit and its individual features leads us to believe that we are dealing with a bootkit known as BlackLotus, the UEFI bootkit being sold on hacking forums for $5,000 since at least October 2022. (ESET, 2023) The following content aims to aid defenders in detecting suspicious bootloaders and understanding the diverse techniques employed in this campaign.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/", "https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/"], "tags": {"name": "BlackLotus Campaign", "analytic_story": "BlackLotus Campaign", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1542.001", "mitre_attack_technique": "System Firmware", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1542", "mitre_attack_technique": "Pre-OS Boot", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1542.003", "mitre_attack_technique": "Bootkit", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT28", "APT41", "Lazarus Group"]}], "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Windows BootLoader Inventory - Rule", "ESCU - Windows Impair Defenses Disable HVCI - Rule", "ESCU - Windows WinLogon with Public Network Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows BootLoader Inventory", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Firmware"}, {"mitre_attack_technique": "Pre-OS Boot"}]}}, {"name": "Windows Impair Defenses Disable HVCI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows WinLogon with Public Network Connection", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bootkit"}]}}]}, {"name": "Brand Monitoring", "id": "91c676cf-0b23-438d-abee-f6335e1fce78", "version": 1, "date": "2017-12-19", "author": "David Dorsey, Splunk", "description": "Detect and investigate activity that may indicate that an adversary is using faux domains to mislead users into interacting with malicious infrastructure. Monitor DNS, email, and web traffic for permutations of your brand name.", "narrative": "While you can educate your users and customers about the risks and threats posed by typosquatting, phishing, and corporate espionage, human error is a persistent fact of life. Of course, your adversaries are all too aware of this reality and will happily leverage it for nefarious purposes whenever possible3phishing with lookalike addresses, embedding faux command-and-control domains in malware, and hosting malicious content on domains that closely mimic your corporate servers. This is where brand monitoring comes in.\\\nYou can use our adaptation of `DNSTwist`, together with the support searches in this Analytic Story, to generate permutations of specified brands and external domains. Splunk can monitor email, DNS requests, and web traffic for these permutations and provide you with early warnings and situational awareness--powerful elements of an effective defense.\\\nNotable events will include IP addresses, URLs, and user data. Drilling down can provide you with even more actionable intelligence, including likely geographic information, contextual searches to help you scope the problem, and investigative searches.", "references": ["https://www.zerofox.com/blog/what-is-digital-risk-monitoring/", "https://securingtomorrow.mcafee.com/consumer/family-safety/what-is-typosquatting/", "https://blog.malwarebytes.com/cybercrime/2016/06/explained-typosquatting/"], "tags": {"name": "Brand Monitoring", "analytic_story": "Brand Monitoring", "category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Email", "Network_Resolution", "Web"], "kill_chain_phases": []}, "detection_names": ["ESCU - Monitor Email For Brand Abuse - Rule", "ESCU - Monitor DNS For Brand Abuse - Rule", "ESCU - Monitor Web Traffic For Brand Abuse - Rule"], "investigation_names": ["ESCU - Get Email Info - Response Task", "ESCU - Get Emails From Specific Sender - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Process Responsible For The DNS Traffic - Response Task"], "baseline_names": ["ESCU - DNSTwist Domain Names"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Monitor Email For Brand Abuse", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Monitor DNS For Brand Abuse", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Monitor Web Traffic For Brand Abuse", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Brute Ratel C4", "id": "0ec9dbfe-f64e-46bb-8eb8-04e92326f513", "version": 1, "date": "2022-08-23", "author": "Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that may be related to Brute Ratel Red Teaming tool. This includes creation, modification and deletion of services, collection or data, ping IP, DNS cache, process injection, debug privileges adjustment, winlogon process duplicate token, lock workstation, get clipboard or screenshot and much more.", "narrative": "Brute RATEL BRC4 is the latest red-teaming tool that simulate several TTP's. It uses several techniques like syscall, patching ETW/AMSI and written in native C to minimize noise in process command-line. This tool was seen in the wild being abused by some ransomware (blackcat) and adversaries in their campaigns to install the BRC4 agent that can serve as remote admin tool to compromise the target host or network.", "references": ["https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/", "https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/"], "tags": {"name": "Brute Ratel C4", "analytic_story": "Brute Ratel C4", "category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134.002", "mitre_attack_technique": "Create Process with Token", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Lazarus Group", "Turla"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1134.001", "mitre_attack_technique": "Token Impersonation/Theft", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "FIN8"]}, {"mitre_attack_id": "T1589.001", "mitre_attack_technique": "Credentials", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["APT28", "Chimera", "LAPSUS$", "Leviathan", "Magic Hound"]}, {"mitre_attack_id": "T1589", "mitre_attack_technique": "Gather Victim Identity Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["APT32", "HEXANE", "LAPSUS$", "Magic Hound"]}, {"mitre_attack_id": "T1574.001", "mitre_attack_technique": "DLL Search Order Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Aquatic Panda", "BackdoorDiplomacy", "Evilnum", "RTM", "Threat Group-3390", "Tonto Team", "Whitefly", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1056.002", "mitre_attack_technique": "GUI Input Capture", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["FIN4"]}, {"mitre_attack_id": "T1056", "mitre_attack_technique": "Input Capture", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["APT39"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1055.002", "mitre_attack_technique": "Portable Executable Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Gorgon Group", "Rocke"]}, {"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "TeamTNT", "Thrip"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Credential Access", "Defense Evasion", "Execution", "Impact", "Initial Access", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Access Token Manipulation Winlogon Duplicate Token Handle - Rule", "ESCU - Windows Access Token Winlogon Duplicate Handle In Uncommon Path - Rule", "ESCU - Windows Defacement Modify Transcodedwallpaper File - Rule", "ESCU - Windows Gather Victim Identity SAM Info - Rule", "ESCU - Windows Hijack Execution Flow Version Dll Side Load - Rule", "ESCU - Windows Input Capture Using Credential UI Dll - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows Process Injection With Public Source Path - Rule", "ESCU - Windows Remote Access Software BRC4 Loaded Dll - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - Windows Service Deletion In Registry - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Defacement"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create Process with Token"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Windows Access Token Manipulation Winlogon Duplicate Token Handle", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Token Impersonation/Theft"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Windows Access Token Winlogon Duplicate Handle In Uncommon Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Token Impersonation/Theft"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Windows Defacement Modify Transcodedwallpaper File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Defacement"}]}}, {"name": "Windows Gather Victim Identity SAM Info", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials"}, {"mitre_attack_technique": "Gather Victim Identity Information"}]}}, {"name": "Windows Hijack Execution Flow Version Dll Side Load", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Windows Input Capture Using Credential UI Dll", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "GUI Input Capture"}, {"mitre_attack_technique": "Input Capture"}]}}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Windows Process Injection With Public Source Path", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Portable Executable Injection"}]}}, {"name": "Windows Remote Access Software BRC4 Loaded Dll", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Access Software"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}}, {"name": "Windows Service Deletion In Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}]}, {"name": "Caddy Wiper", "id": "435a156a-8ef1-4184-bd52-22328fb65d3a", "version": 1, "date": "2022-03-25", "author": "Teoderick Contreras, Rod Soto, Splunk", "description": "Caddy Wiper is a destructive payload that detects if its running on a Domain Controller and executes killswitch if detected. If not in a DC it destroys Users and subsequent mapped drives. This wiper also destroys drive partitions inculding boot partitions.", "narrative": "Caddy Wiper is destructive malware operation found by ESET multiple organizations in Ukraine. This malicious payload destroys user files, avoids executing on Dnomain Controllers and destroys boot and drive partitions.", "references": ["https://twitter.com/ESETresearch/status/1503436420886712321", "https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine/"], "tags": {"name": "Caddy Wiper", "analytic_story": "Caddy Wiper", "category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Impact"], "datamodels": [], "kill_chain_phases": ["Actions on Objectives"]}, "detection_names": ["ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}]}, {"name": "CISA AA22-257A", "id": "e1aec96e-bc7d-4edf-8ff7-3da9b7b29147", "version": 1, "date": "2022-09-15", "author": "Michael Haag, Splunk", "description": "The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations.", "narrative": "This advisory updates joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities, which provides information on these Iranian government-sponsored APT actors exploiting known Fortinet and Microsoft Exchange vulnerabilities to gain initial access to a broad range of targeted entities in furtherance of malicious activities, including ransom operations. The authoring agencies now judge these actors are an APT group affiliated with the IRGC. Since the initial reporting of this activity in the FBI Liaison Alert System (FLASH) report APT Actors Exploiting Fortinet Vulnerabilities to Gain Access for Malicious Activity from May 2021, the authoring agencies have continued to observe these IRGC-affiliated actors exploiting known vulnerabilities for initial access. In addition to exploiting Fortinet and Microsoft Exchange vulnerabilities, the authoring agencies have observed these APT actors exploiting VMware Horizon Log4j vulnerabilities for initial access. The IRGC-affiliated actors have used this access for follow-on activity, including disk encryption and data extortion, to support ransom operations. The IRGC-affiliated actors are actively targeting a broad range of entities, including entities across multiple U.S. critical infrastructure sectors as well as Australian, Canadian, and United Kingdom organizations. These actors often operate under the auspices of Najee Technology Hooshmand Fater LLC, based in Karaj, Iran, and Afkar System Yazd Company, based in Yazd, Iran. The authoring agencies assess the actors are exploiting known vulnerabilities on unprotected networks rather than targeting specific targeted entities or sectors. This advisory provides observed tactics, techniques, and indicators of compromise (IOCs) that the authoring agencies assess are likely associated with this IRGC-affiliated APT. The authoring agencies urge organizations, especially critical infrastructure organizations, to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from these IRGC-affiliated cyber actors.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa21-321a", "https://www.cisa.gov/uscert/ncas/alerts/aa22-257a", "https://www.ic3.gov/Media/News/2021/210527.pdf", "https://www.us-cert.gov/sites/default/files/AA22-257A.stix.xml", "https://www.us-cert.cisa.gov/iran"], "tags": {"name": "CISA AA22-257A", "analytic_story": "CISA AA22-257A", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "Dragonfly", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1572", "mitre_attack_technique": "Protocol Tunneling", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Chimera", "Cobalt Group", "FIN6", "Fox Kitten", "Leviathan", "Magic Hound", "OilRig"]}, {"mitre_attack_id": "T1021.004", "mitre_attack_technique": "SSH", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT39", "BlackTech", "FIN7", "Fox Kitten", "GCMAN", "Lazarus Group", "Leviathan", "OilRig", "Rocke", "TEMP.Veles", "TeamTNT", "menuPass"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Execution", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Web"], "kill_chain_phases": ["Command And Control", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Dump LSASS via procdump Rename - Rule", "ESCU - Create local admin accounts using net exe - Rule", "ESCU - Creation of lsass Dump with Taskmgr - Rule", "ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect New Local Admin account - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Dump LSASS via procdump - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Randomly Generated Scheduled Task Name - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Short Lived Scheduled Task - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Windows Protocol Tunneling with Plink - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - Log4Shell JNDI Payload Injection Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Dump LSASS via procdump Rename", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}]}}, {"name": "Create local admin accounts using net exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "Creation of lsass Dump with Taskmgr", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Detect New Local Admin account", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Dump LSASS via procdump", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Randomly Generated Scheduled Task Name", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Short Lived Scheduled Task", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Protocol Tunneling with Plink", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Protocol Tunneling"}, {"mitre_attack_technique": "SSH"}]}}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Log4Shell JNDI Payload Injection Attempt", "source": "web", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "CISA AA22-264A", "id": "bc7056a5-c3b0-4b83-93ce-5f31739305c8", "version": 1, "date": "2022-09-22", "author": "Michael Haag, Splunk", "description": "Iranian State Actors Conduct Cyber Operations Against the Government of Albania.", "narrative": "The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory to provide information on recent cyber operations against the Government of Albania in July and September. This advisory provides a timeline of activity observed, from initial access to execution of encryption and wiper attacks. Additional information concerning files used by the actors during their exploitation of and cyber attack against the victim organization is provided in Appendices A and B. In September 2022, Iranian cyber actors launched another wave of cyber attacks against the Government of Albania, using similar TTPs and malware as the cyber attacks in July. These were likely done in retaliation for public attribution of the cyber attacks in July and severed diplomatic ties between Albania and Iran.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa22-264a", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-264a-iranian-cyber-actors-conduct-cyber-operations-against-the-government-of-albania.pdf", "https://www.mandiant.com/resources/blog/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against", "https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/"], "tags": {"name": "CISA AA22-264A", "analytic_story": "CISA AA22-264A", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1036.005", "mitre_attack_technique": "Match Legitimate Name or Location", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT32", "APT39", "APT41", "Aoqin Dragon", "BRONZE BUTLER", "BackdoorDiplomacy", "Blue Mockingbird", "Carbanak", "Chimera", "Darkhotel", "Earth Lusca", "FIN7", "Ferocious Kitten", "Fox Kitten", "Gamaredon Group", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Poseidon Group", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "Sowbug", "TEMP.Veles", "TeamTNT", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1595", "mitre_attack_technique": "Active Scanning", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}, {"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Execution", "Impact", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Event Log Cleared - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows System File on Disk - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Match Legitimate Name or Location"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "Active Scanning"}]}}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Event Log Cleared", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "Windows System File on Disk", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}]}, {"name": "CISA AA22-277A", "id": "db408f93-e915-4215-9962-5fada348bdd7", "version": 1, "date": "2022-10-05", "author": "Michael Haag, Splunk", "description": "From November 2021 through January 2022, the Cybersecurity and Infrastructure Security Agency (CISA) responded to advanced persistent threat (APT) activity on a Defense Industrial Base (DIB) Sector organization's enterprise network. During incident response activities, multiple utilities were utilized.", "narrative": "CISA uncovered that likely multiple APT groups compromised the organization's network, and some APT actors had long-term access to the environment. APT actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim's sensitive data.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa22-277a", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-277a-impacket-and-exfiltration-tool-used-to-steal-sensitive-information-from-defense-industrial-base-organization.pdf"], "tags": {"name": "CISA AA22-277A", "analytic_story": "CISA AA22-277A", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.005", "mitre_attack_technique": "Network Share Connection Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Threat Group-3390"]}, {"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "Turla", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016.001", "mitre_attack_technique": "Internet Connection Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Gamaredon Group", "HAFNIUM", "HEXANE", "Magic Hound", "Turla"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Defense Evasion", "Discovery", "Execution", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Detect Renamed WinRAR - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}}, {"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Network Share Connection Removal"}]}}, {"name": "Detect Renamed WinRAR", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Internet Connection Discovery"}]}}]}, {"name": "CISA AA22-320A", "id": "c1fca73d-3a8d-49a6-b9c0-1d5d155f7dd4", "version": 1, "date": "2022-11-16", "author": "Michael Haag, Splunk", "description": "CISA and the FBI have identified an APT activity where the adversary gained initial access via Log4Shell via a unpatched VMware Horizon server. From there the adversary moved laterally and continued to its objective.", "narrative": "From mid-June through mid-July 2022, CISA conducted an incident response engagement at a Federal Civilian Executive Branch (FCEB) organization where CISA observed suspected advanced persistent threat (APT) activity. In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence. CISA and the Federal Bureau of Investigation (FBI) assess that the FCEB network was compromised by Iranian government-sponsored APT actors.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa22-320a", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf"], "tags": {"name": "CISA AA22-320A", "analytic_story": "CISA AA22-320A", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1550.003", "mitre_attack_technique": "Pass the Ticket", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT29", "APT32", "BRONZE BUTLER"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1014", "mitre_attack_technique": "Rootkit", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT41", "Rocke", "TeamTNT", "Winnti Group"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1572", "mitre_attack_technique": "Protocol Tunneling", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Chimera", "Cobalt Group", "FIN6", "Fox Kitten", "Leviathan", "Magic Hound", "OilRig"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "POLONIUM", "Sandworm Team", "Turla", "Windigo"]}, {"mitre_attack_id": "T1102", "mitre_attack_technique": "Web Service", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT32", "EXOTIC LILY", "Ember Bear", "FIN6", "FIN8", "Fox Kitten", "Gamaredon Group", "Inception", "LazyScripter", "Mustang Panda", "Rocke", "TeamTNT", "Turla"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Resolution", "Network_Traffic", "Risk", "Web"], "kill_chain_phases": ["Command And Control", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Suspicious Powershell Command-Line Arguments - Rule", "ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Enable WDigest UseLogonCredential Registry - Rule", "ESCU - GetAdComputer with PowerShell Script Block - Rule", "ESCU - Log4Shell CVE-2021-44228 Exploitation - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Windows Driver Load Non-Standard Path - Rule", "ESCU - Windows Drivers Loaded by Signature - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Ngrok Reverse Proxy Usage - Rule", "ESCU - Windows Service Create Kernel Mode Driver - Rule", "ESCU - XMRIG Driver Loaded - Rule", "ESCU - Ngrok Reverse Proxy on Network - Rule", "ESCU - Hunting for Log4Shell - Rule", "ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", "ESCU - Log4Shell JNDI Payload Injection with Outbound Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Suspicious Powershell Command-Line Arguments", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}]}}, {"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Enable WDigest UseLogonCredential Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "GetAdComputer with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Log4Shell CVE-2021-44228 Exploitation", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}]}}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows Driver Load Non-Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Windows Drivers Loaded by Signature", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Ngrok Reverse Proxy Usage", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Protocol Tunneling"}, {"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Web Service"}]}}, {"name": "Windows Service Create Kernel Mode Driver", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "XMRIG Driver Loaded", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Ngrok Reverse Proxy on Network", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Protocol Tunneling"}, {"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Web Service"}]}}, {"name": "Hunting for Log4Shell", "source": "web", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Log4Shell JNDI Payload Injection Attempt", "source": "web", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Log4Shell JNDI Payload Injection with Outbound Connection", "source": "web", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "Cloud Cryptomining", "id": "3b96d13c-fdc7-45dd-b3ad-c132b31cdd2a", "version": 1, "date": "2019-10-02", "author": "David Dorsey, Splunk", "description": "Monitor your cloud compute instances for activities related to cryptojacking/cryptomining. New instances that originate from previously unseen regions, users who launch abnormally high numbers of instances, or compute instances started by previously unseen users are just a few examples of potentially malicious behavior.", "narrative": "Cryptomining is an intentionally difficult, resource-intensive business. Its complexity was designed into the process to ensure that the number of blocks mined each day would remain steady. So, it's par for the course that ambitious, but unscrupulous, miners make amassing the computing power of large enterprises--a practice known as cryptojacking--a top priority. \\\nCryptojacking has attracted an increasing amount of media attention since its explosion in popularity in the fall of 2017. The attacks have moved from in-browser exploits and mobile phones to enterprise cloud services, such as Amazon Web Services (AWS), Google Cloud Platform (GCP), and Azure. It's difficult to determine exactly how widespread the practice has become, since bad actors continually evolve their ability to escape detection, including employing unlisted endpoints, moderating their CPU usage, and hiding the mining pool's IP address behind a free CDN. \\\nWhen malicious miners appropriate a cloud instance, often spinning up hundreds of new instances, the costs can become astronomical for the account holder. So it is critically important to monitor your systems for suspicious activities that could indicate that your network has been infiltrated. \\\nThis Analytic Story is focused on detecting suspicious new instances in your cloud environment to help prevent cryptominers from gaining a foothold. It contains detection searches that will detect when a previously unused instance type or AMI is used. It also contains support searches to build lookup files to ensure proper execution of the detection searches.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "tags": {"name": "Cloud Cryptomining", "analytic_story": "Cloud Cryptomining", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Change"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Abnormally High Number Of Cloud Instances Launched - Rule", "ESCU - Cloud Compute Instance Created By Previously Unseen User - Rule", "ESCU - Cloud Compute Instance Created In Previously Unused Region - Rule", "ESCU - Cloud Compute Instance Created With Previously Unseen Image - Rule", "ESCU - Cloud Compute Instance Created With Previously Unseen Instance Type - Rule"], "investigation_names": ["ESCU - AWS Investigate Security Hub alerts by dest - Response Task", "ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - Get EC2 Instance Details by instanceId - Response Task", "ESCU - Get EC2 Launch Details - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Investigate AWS activities via region name - Response Task"], "baseline_names": ["ESCU - Baseline Of Cloud Instances Destroyed", "ESCU - Baseline Of Cloud Instances Launched", "ESCU - Previously Seen Cloud Compute Creations By User - Initial", "ESCU - Previously Seen Cloud Compute Creations By User - Update", "ESCU - Previously Seen Cloud Compute Images - Initial", "ESCU - Previously Seen Cloud Compute Images - Update", "ESCU - Previously Seen Cloud Compute Instance Types - Initial", "ESCU - Previously Seen Cloud Compute Instance Types - Update", "ESCU - Previously Seen Cloud Regions - Initial", "ESCU - Previously Seen Cloud Regions - Update"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Abnormally High Number Of Cloud Instances Launched", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Cloud Compute Instance Created By Previously Unseen User", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Cloud Compute Instance Created In Previously Unused Region", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Cloud Compute Instance Created With Previously Unseen Image", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Cloud Compute Instance Created With Previously Unseen Instance Type", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Cloud Federated Credential Abuse", "id": "cecdc1e7-0af2-4a55-8967-b9ea62c0317d", "version": 1, "date": "2021-01-26", "author": "Rod Soto, Splunk", "description": "This analytical story addresses events that indicate abuse of cloud federated credentials. These credentials are usually extracted from endpoint desktop or servers specially those servers that provide federation services such as Windows Active Directory Federation Services. Identity Federation relies on objects such as Oauth2 tokens, cookies or SAML assertions in order to provide seamless access between cloud and perimeter environments. If these objects are either hijacked or forged then attackers will be able to pivot into victim's cloud environements.", "narrative": "This story is composed of detection searches based on endpoint that addresses the use of Mimikatz, Escalation of Privileges and Abnormal processes that may indicate the extraction of Federated directory objects such as passwords, Oauth2 tokens, certificates and keys. Cloud environment (AWS, Azure) related events are also addressed in specific cloud environment detection searches.", "references": ["https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://us-cert.cisa.gov/ncas/alerts/aa21-008a"], "tags": {"name": "Cloud Federated Credential Abuse", "analytic_story": "Cloud Federated Credential Abuse", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["TEMP.Veles"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - AWS SAML Access by Provider User and Principal - Rule", "ESCU - AWS SAML Update identity provider - Rule", "ESCU - O365 Add App Role Assignment Grant User - Rule", "ESCU - O365 Added Service Principal - Rule", "ESCU - O365 Excessive SSO logon errors - Rule", "ESCU - O365 New Federated Domain Added - Rule", "ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Detect Mimikatz Via PowerShell And EventCode 4703 - Rule", "ESCU - Certutil exe certificate extraction - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "AWS SAML Access by Provider User and Principal", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "AWS SAML Update identity provider", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "O365 Add App Role Assignment Grant User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "O365 Added Service Principal", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "O365 Excessive SSO logon errors", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Authentication Process"}]}}, {"name": "O365 New Federated Domain Added", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Detect Mimikatz Via PowerShell And EventCode 4703", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}]}}, {"name": "Certutil exe certificate extraction", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Image File Execution Options Injection"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}]}, {"name": "Cobalt Strike", "id": "bcfd17e8-5461-400a-80a2-3b7d1459220c", "version": 1, "date": "2021-02-16", "author": "Michael Haag, Splunk", "description": "Cobalt Strike is threat emulation software. Red teams and penetration testers use Cobalt Strike to demonstrate the risk of a breach and evaluate mature security programs. Most recently, Cobalt Strike has become the choice tool by threat groups due to its ease of use and extensibility.", "narrative": "This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) from Cobalt Strike. Cobalt Strike has many ways to be enhanced by using aggressor scripts, malleable C2 profiles, default attack packages, and much more. For endpoint behavior, Cobalt Strike is most commonly identified via named pipes, spawn to processes, and DLL function names. Many additional variables are provided for in memory operation of the beacon implant. On the network, depending on the malleable C2 profile used, it is near infinite in the amount of ways to conceal the C2 traffic with Cobalt Strike. Not every query may be specific to Cobalt Strike the tool, but the methodologies and techniques used by it.\\\nSplunk Threat Research reviewed all publicly available instances of Malleabe C2 Profiles and generated a list of the most commonly used spawnto and pipenames.\\\n`Spawnto_x86` and `spawnto_x64` is the process that Cobalt Strike will spawn and injects shellcode into.\\\nPipename sets the named pipe name used in Cobalt Strikes Beacon SMB C2 traffic.\\\nWith that, new detections were generated focused on these spawnto processes spawning without command line arguments. Similar, the named pipes most commonly used by Cobalt Strike added as a detection. In generating content for Cobalt Strike, the following is considered:\\\n- Is it normal for spawnto_ value to have no command line arguments? No command line arguments and a network connection?\\\n- What is the default, or normal, process lineage for spawnto_ value?\\\n- Does the spawnto_ value make network connections?\\\n- Is it normal for spawnto_ value to load jscript, vbscript, Amsi.dll, and clr.dll?\\\nWhile investigating a detection related to this Analytic Story, keep in mind the parent process, process path, and any file modifications that may occur. Tuning may need to occur to remove any false positives.", "references": ["https://www.cobaltstrike.com/", "https://www.infocyte.com/blog/2020/09/02/cobalt-strike-the-new-favorite-among-thieves/", "https://bluescreenofjeff.com/2017-01-24-how-to-write-malleable-c2-profiles-for-cobalt-strike/", "https://blog.talosintelligence.com/2020/09/coverage-strikes-back-cobalt-strike-paper.html", "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html", "https://github.com/MichaelKoczwara/Awesome-CobaltStrike-Defence", "https://github.com/zer0yu/Awesome-CobaltStrike"], "tags": {"name": "Cobalt Strike", "analytic_story": "Cobalt Strike", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "Turla", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Collection", "Defense Evasion", "Execution", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Anomalous usage of 7zip - Rule", "ESCU - CMD Echo Pipe - Escalation - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - DLLHost with no Command Line Arguments with Network - Rule", "ESCU - GPUpdate with no Command Line Arguments with Network - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - SearchProtocolHost with no Command Line with Network - Rule", "ESCU - Services Escalate Exe - Rule", "ESCU - Suspicious DLLHost no Command Line Arguments - Rule", "ESCU - Suspicious GPUpdate no Command Line Arguments - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", "ESCU - Suspicious Rundll32 StartW - Rule", "ESCU - Suspicious SearchProtocolHost no Command Line Arguments - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Anomalous usage of 7zip", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "CMD Echo Pipe - Escalation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "DLLHost with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "GPUpdate with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "SearchProtocolHost with no Command Line with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Services Escalate Exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Suspicious DLLHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Suspicious GPUpdate no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious SearchProtocolHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}]}, {"name": "ColdRoot MacOS RAT", "id": "bd91a2bc-d20b-4f44-a982-1bea98e86390", "version": 1, "date": "2019-01-09", "author": "Jose Hernandez, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that relate to the ColdRoot Remote Access Trojan that affects MacOS. An example of some of these activities are changing sensative binaries in the MacOS sub-system, detecting process names and executables associated with the RAT, detecting when a keyboard tab is installed on a MacOS machine and more.", "narrative": "Conventional wisdom holds that Apple's MacOS operating system is significantly less vulnerable to attack than Windows machines. While that point is debatable, it is true that attacks against MacOS systems are much less common. However, this fact does not mean that Macs are impervious to breaches. To the contrary, research has shown that that Mac malware is increasing at an alarming rate. According to AV-test, in 2018, there were 86,865 new MacOS malware variants, up from 27,338 the year before—a 31% increase. In contrast, the independent research firm found that new Windows malware had increased from 65.17M to 76.86M during that same period, less than half the rate of growth. The bottom line is that while the numbers look a lot smaller than Windows, it's definitely time to take Mac security more seriously.\\\nThis Analytic Story addresses the ColdRoot remote access trojan (RAT), which was uploaded to Github in 2016, but was still escaping detection by the first quarter of 2018, when a new, more feature-rich variant was discovered masquerading as an Apple audio driver. Among other capabilities, the Pascal-based ColdRoot can heist passwords from users' keychains and remotely control infected machines without detection. In the initial report of his findings, Patrick Wardle, Chief Research Officer for Digita Security, explained that the new ColdRoot RAT could start and kill processes on the breached system, spawn new remote-desktop sessions, take screen captures and assemble them into a live stream of the victim's desktop, and more.\\\nSearches in this Analytic Story leverage the capabilities of OSquery to address ColdRoot detection from several different angles, such as looking for the existence of associated files and processes, and monitoring for signs of an installed keylogger.", "references": ["https://www.intego.com/mac-security-blog/osxcoldroot-and-the-rat-invasion/", "https://objective-see.com/blog/blog_0x2A.html", "https://www.bleepingcomputer.com/news/security/coldroot-rat-still-undetectable-despite-being-uploaded-on-github-two-years-ago/"], "tags": {"name": "ColdRoot MacOS RAT", "analytic_story": "ColdRoot MacOS RAT", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Osquery pack - ColdRoot detection - Rule", "ESCU - MacOS - Re-opened Applications - Rule", "ESCU - Processes Tapping Keyboard Events - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Investigate Network Traffic From src ip - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Jose Hernandez", "detections": [{"name": "Osquery pack - ColdRoot detection", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "MacOS - Re-opened Applications", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Processes Tapping Keyboard Events", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Collection and Staging", "id": "8e03c61e-13c4-4dcd-bfbe-5ce5a8dc031a", "version": 1, "date": "2020-02-03", "author": "Rico Valdez, Splunk", "description": "Monitor for and investigate activities--such as suspicious writes to the Windows Recycling Bin or email servers sending high amounts of traffic to specific hosts, for example--that may indicate that an adversary is harvesting and exfiltrating sensitive data. ", "narrative": "A common adversary goal is to identify and exfiltrate data of value from a target organization. This data may include email conversations and addresses, confidential company information, links to network design/infrastructure, important dates, and so on.\\\n Attacks are composed of three activities: identification, collection, and staging data for exfiltration. Identification typically involves scanning systems and observing user activity. Collection can involve the transfer of large amounts of data from various repositories. Staging/preparation includes moving data to a central location and compressing (and optionally encoding and/or encrypting) it. All of these activities provide opportunities for defenders to identify their presence. \\\nUse the searches to detect and monitor suspicious behavior related to these activities.", "references": ["https://attack.mitre.org/wiki/Collection", "https://attack.mitre.org/wiki/Technique/T1074"], "tags": {"name": "Collection and Staging", "analytic_story": "Collection and Staging", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1114.001", "mitre_attack_technique": "Local Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "Chimera", "Magic Hound"]}, {"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "Turla", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}], "mitre_attack_tactics": ["Collection", "Defense Evasion"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Email files written outside of the Outlook directory - Rule", "ESCU - Email servers sending high volume traffic to hosts - Rule", "ESCU - Suspicious writes to System Volume Information - Rule", "ESCU - Detect Renamed 7-Zip - Rule", "ESCU - Detect Renamed WinRAR - Rule", "ESCU - Suspicious writes to windows Recycle Bin - Rule", "ESCU - Hosts receiving high volume of network traffic from email server - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Email files written outside of the Outlook directory", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Local Email Collection"}]}}, {"name": "Email servers sending high volume traffic to hosts", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Remote Email Collection"}]}}, {"name": "Suspicious writes to System Volume Information", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Detect Renamed 7-Zip", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "Detect Renamed WinRAR", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "Suspicious writes to windows Recycle Bin", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Hosts receiving high volume of network traffic from email server", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Email Collection"}, {"mitre_attack_technique": "Email Collection"}]}}]}, {"name": "Command And Control", "id": "943773c6-c4de-4f38-89a8-0b92f98804d8", "version": 1, "date": "2018-06-01", "author": "Rico Valdez, Splunk", "description": "Detect and investigate tactics, techniques, and procedures leveraged by attackers to establish and operate Command And Control channels. Implants installed by attackers on compromised endpoints use these channels to receive instructions and send data back to the malicious operators.", "narrative": "Threat actors typically architect and implement an infrastructure to use in various ways during the course of their attack campaigns. In some cases, they leverage this infrastructure for scanning and performing reconnaissance activities. In others, they may use this infrastructure to launch actual attacks. One of the most important functions of this infrastructure is to establish servers that will communicate with implants on compromised endpoints. These servers establish a command and control channel that is used to proxy data between the compromised endpoint and the attacker. These channels relay commands from the attacker to the compromised endpoint and the output of those commands back to the attacker.\\\nBecause this communication is so critical for an adversary, they often use techniques designed to hide the true nature of the communications. There are many different techniques used to establish and communicate over these channels. This Analytic Story provides searches that look for a variety of the techniques used for these channels, as well as indications that these channels are active, by examining logs associated with border control devices and network-access control lists.", "references": ["https://attack.mitre.org/wiki/Command_and_Control", "https://searchsecurity.techtarget.com/feature/Command-and-control-servers-The-puppet-masters-that-govern-malware"], "tags": {"name": "Command And Control", "analytic_story": "Command And Control", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "TeamTNT", "Thrip"]}, {"mitre_attack_id": "T1568.002", "mitre_attack_technique": "Domain Generation Algorithms", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "TA551"]}, {"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}, {"mitre_attack_id": "T1095", "mitre_attack_technique": "Non-Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT3", "BITTER", "BackdoorDiplomacy", "FIN6", "HAFNIUM", "Metador", "PLATINUM"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Dragonfly", "Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1071.001", "mitre_attack_technique": "Web Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Confucius", "Dark Caracal", "FIN4", "FIN8", "Gamaredon Group", "HAFNIUM", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "OilRig", "Orangeworm", "Rancor", "Rocke", "Sandworm Team", "Sidewinder", "SilverTerrier", "Stealth Falcon", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "WIRTE", "Windshift", "Wizard Spider"]}], "mitre_attack_tactics": ["Command And Control", "Exfiltration", "Initial Access"], "datamodels": ["Endpoint", "Network_Resolution", "Network_Traffic"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery"]}, "detection_names": ["ESCU - Detect Spike in blocked Outbound Traffic from your AWS - Rule", "ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - Detect Long DNS TXT Record Response - Rule", "ESCU - Detection of DNS Tunnels - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Windows Remote Access Software Hunt - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Detect Large Outbound ICMP Packets - Rule", "ESCU - DNS Query Length Outliers - MLTK - Rule", "ESCU - DNS Query Length With High Standard Deviation - Rule", "ESCU - Excessive DNS Failures - Rule", "ESCU - Multiple Archive Files Http Post Traffic - Rule", "ESCU - Plain HTTP POST Exfiltrated Data - Rule", "ESCU - Prohibited Network Traffic Allowed - Rule", "ESCU - Protocol or Port Mismatch - Rule", "ESCU - TOR Traffic - Rule"], "investigation_names": ["ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - AWS Network ACL Details from ID - Response Task", "ESCU - AWS Network Interface details via resourceId - Response Task", "ESCU - Get All AWS Activity From IP Address - Response Task", "ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get DNS traffic ratio - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task", "ESCU - Get Process Responsible For The DNS Traffic - Response Task"], "baseline_names": ["ESCU - Baseline of blocked outbound traffic from AWS", "ESCU - Baseline of DNS Query Length - MLTK", "ESCU - Count of Unique IPs Connecting to Ports"], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Detect Spike in blocked Outbound Traffic from your AWS", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Clients Connecting to Multiple DNS Servers", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "Detect Long DNS TXT Record Response", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "Detection of DNS Tunnels", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}]}}, {"name": "DNS Exfiltration Using Nslookup App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Excessive Usage of NSLOOKUP App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Windows Remote Access Software Hunt", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Access Software"}]}}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Detect Large Outbound ICMP Packets", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Non-Application Layer Protocol"}]}}, {"name": "DNS Query Length Outliers - MLTK", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "DNS Query Length With High Standard Deviation", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Excessive DNS Failures", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "Multiple Archive Files Http Post Traffic", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Plain HTTP POST Exfiltrated Data", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Prohibited Network Traffic Allowed", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Protocol or Port Mismatch", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "TOR Traffic", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application Layer Protocol"}, {"mitre_attack_technique": "Web Protocols"}]}}]}, {"name": "Compromised User Account", "id": "19669154-e9d1-4a01-b144-e6592a078092", "version": 1, "date": "2023-01-19", "author": "Mauricio Velazco, Bhavin Patel, Splunk", "description": "Monitor for activities and techniques associated with Compromised User Account attacks.", "narrative": "Compromised User Account occurs when cybercriminals gain unauthorized access to accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic storic groups detections that can help security operations teams identify the potential signs of Compromised User Accounts.", "references": ["https://www.proofpoint.com/us/threat-reference/compromised-account"], "tags": {"name": "Compromised User Account", "analytic_story": "Compromised User Account", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1185", "mitre_attack_technique": "Browser Session Hijacking", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}, {"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}], "mitre_attack_tactics": ["Collection", "Credential Access", "Defense Evasion", "Discovery", "Initial Access", "Persistence", "Privilege Escalation", "Resource Development"], "datamodels": ["Authentication", "Change"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"]}, "detection_names": ["ESCU - Abnormally High Number Of Cloud Infrastructure API Calls - Rule", "ESCU - ASL AWS Concurrent Sessions From Different Ips - Rule", "ESCU - ASL AWS New MFA Method Registered For User - Rule", "ESCU - ASL AWS Password Policy Changes - Rule", "ESCU - AWS Concurrent Sessions From Different Ips - Rule", "ESCU - AWS Console Login Failed During MFA Challenge - Rule", "ESCU - AWS High Number Of Failed Authentications For User - Rule", "ESCU - AWS High Number Of Failed Authentications From Ip - Rule", "ESCU - AWS Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - AWS New MFA Method Registered For User - Rule", "ESCU - AWS Password Policy Changes - Rule", "ESCU - AWS Successful Console Authentication From Multiple IPs - Rule", "ESCU - Azure AD Concurrent Sessions From Different Ips - Rule", "ESCU - Azure AD High Number Of Failed Authentications For User - Rule", "ESCU - Azure AD High Number Of Failed Authentications From Ip - Rule", "ESCU - Azure AD New MFA Method Registered For User - Rule", "ESCU - Azure AD Successful Authentication From Different Ips - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Bhavin Patel, Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Abnormally High Number Of Cloud Infrastructure API Calls", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "ASL AWS Concurrent Sessions From Different Ips", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Browser Session Hijacking"}]}}, {"name": "ASL AWS New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}}, {"name": "ASL AWS Password Policy Changes", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "AWS Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Browser Session Hijacking"}]}}, {"name": "AWS Console Login Failed During MFA Challenge", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}}, {"name": "AWS High Number Of Failed Authentications For User", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "AWS High Number Of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "AWS Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "AWS New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}}, {"name": "AWS Password Policy Changes", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "AWS Successful Console Authentication From Multiple IPs", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Azure AD Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Browser Session Hijacking"}]}}, {"name": "Azure AD High Number Of Failed Authentications For User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}]}}, {"name": "Azure AD High Number Of Failed Authentications From Ip", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}, {"mitre_attack_technique": "Password Spraying"}]}}, {"name": "Azure AD New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}}, {"name": "Azure AD Successful Authentication From Different Ips", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}, {"mitre_attack_technique": "Password Spraying"}]}}, {"name": "Detect AWS Console Login by User from New City", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Detect AWS Console Login by User from New Country", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Detect AWS Console Login by User from New Region", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}]}, {"name": "Credential Dumping", "id": "854d78bf-d0e2-4f4e-b05c-640905f86d7a", "version": 3, "date": "2020-02-04", "author": "Rico Valdez, Splunk", "description": "Uncover activity consistent with credential dumping, a technique wherein attackers compromise systems and attempt to obtain and exfiltrate passwords. The threat actors use these pilfered credentials to further escalate privileges and spread throughout a target environment. The included searches in this Analytic Story are designed to identify attempts to credential dumping.", "narrative": "Credential dumping—gathering credentials from a target system, often hashed or encrypted—is a common attack technique. Even though the credentials may not be in plain text, an attacker can still exfiltrate the data and set to cracking it offline, on their own systems. The threat actors target a variety of sources to extract them, including the Security Accounts Manager (SAM), Local Security Authority (LSA), NTDS from Domain Controllers, or the Group Policy Preference (GPP) files.\\\nOnce attackers obtain valid credentials, they use them to move throughout a target network with ease, discovering new systems and identifying assets of interest. Credentials obtained in this manner typically include those of privileged users, which may provide access to more sensitive information and system operations.\\\nThe detection searches in this Analytic Story monitor access to the Local Security Authority Subsystem Service (LSASS) process, the usage of shadowcopies for credential dumping and some other techniques for credential dumping.", "references": ["https://attack.mitre.org/wiki/Technique/T1003", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html"], "tags": {"name": "Credential Dumping", "analytic_story": "Credential Dumping", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1078.003", "mitre_attack_technique": "Local Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "FIN10", "HAFNIUM", "Kimsuky", "PROMETHIUM", "Tropic Trooper", "Turla"]}, {"mitre_attack_id": "T1552.001", "mitre_attack_technique": "Credentials In Files", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "Fox Kitten", "Kimsuky", "Leafminer", "MuddyWater", "OilRig", "TA505", "TeamTNT"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003.006", "mitre_attack_technique": "DCSync", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Earth Lusca", "LAPSUS$"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Execution", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Authentication", "Change", "Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Dump LSASS via procdump Rename - Rule", "ESCU - Unsigned Image Loaded by LSASS - Rule", "ESCU - Access LSASS Memory for Dump Creation - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Create Remote Thread into LSASS - Rule", "ESCU - Creation of lsass Dump with Taskmgr - Rule", "ESCU - Creation of Shadow Copy - Rule", "ESCU - Creation of Shadow Copy with wmic and powershell - Rule", "ESCU - Credential Dumping via Copy Command from Shadow Copy - Rule", "ESCU - Credential Dumping via Symlink to Shadow Copy - Rule", "ESCU - Detect Copy of ShadowCopy with Script Block Logging - Rule", "ESCU - Detect Credential Dumping through LSASS access - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Dump LSASS via procdump - Rule", "ESCU - Enable WDigest UseLogonCredential Registry - Rule", "ESCU - Esentutl SAM Copy - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Potential password in username - Rule", "ESCU - SAM Database File Access Attempt - Rule", "ESCU - SecretDumps Offline NTDS Dumping Tool - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Windows AD Replication Request Initiated by User Account - Rule", "ESCU - Windows AD Replication Request Initiated from Unsanctioned Location - Rule", "ESCU - Windows Credential Dumping LSASS Memory Createdump - Rule", "ESCU - Windows Hunting System Account Targeting Lsass - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Non-System Account Targeting Lsass - Rule", "ESCU - Windows Possible Credential Dumping - Rule"], "investigation_names": ["ESCU - Investigate Failed Logins for Multiple Destinations - Response Task", "ESCU - Investigate Pass the Hash Attempts - Response Task", "ESCU - Investigate Pass the Ticket Attempts - Response Task", "ESCU - Investigate Previous Unseen User - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Dump LSASS via procdump Rename", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}]}}, {"name": "Unsigned Image Loaded by LSASS", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}]}}, {"name": "Access LSASS Memory for Dump Creation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Create Remote Thread into LSASS", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Creation of lsass Dump with Taskmgr", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Creation of Shadow Copy", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Creation of Shadow Copy with wmic and powershell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Credential Dumping via Copy Command from Shadow Copy", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Credential Dumping via Symlink to Shadow Copy", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Detect Copy of ShadowCopy with Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Detect Credential Dumping through LSASS access", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Dump LSASS via procdump", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Enable WDigest UseLogonCredential Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Esentutl SAM Copy", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Potential password in username", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Accounts"}, {"mitre_attack_technique": "Credentials In Files"}]}}, {"name": "SAM Database File Access Attempt", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "SecretDumps Offline NTDS Dumping Tool", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Windows AD Replication Request Initiated by User Account", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DCSync"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows AD Replication Request Initiated from Unsanctioned Location", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DCSync"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Credential Dumping LSASS Memory Createdump", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}]}}, {"name": "Windows Hunting System Account Targeting Lsass", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Non-System Account Targeting Lsass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}]}, {"name": "CVE-2022-40684 Fortinet Appliance Auth bypass", "id": "55721831-577e-41be-beef-bdc03c81486a", "version": 1, "date": "2022-10-14", "author": "Michael Haag, Splunk", "description": "Fortinet recently patched a critical authentication bypass vulnerability in their FortiOS, FortiProxy, and FortiSwitchManager projects CVE-2022-40684.", "narrative": "FortiOS exposes a management web portal that allows a user configure the system. Additionally, a user can SSH into the system which exposes a locked down CLI interface. Any HTTP requests to the management interface of the system that match the conditions above should be cause for concern. An attacker can use this vulnerability to do just about anything they want to the vulnerable system. This includes changing network configurations, adding new users, and initiating packet captures. Note that this is not the only way to exploit this vulnerability and there may be other sets of conditions that work. For instance, a modified version of this exploit uses the User-Agent Node.js. This exploit seems to follow a trend among recently discovered enterprise software vulnerabilities where HTTP headers are improperly validated or overly trusted. (ref Horizon3.ai)", "references": ["https://www.wordfence.com/blog/2022/10/threat-advisory-cve-2022-40684-fortinet-appliance-auth-bypass/", "https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/", "https://github.com/horizon3ai/CVE-2022-40684", "https://attackerkb.com/topics/QWOxGIKkGx/cve-2022-40684/rapid7-analysis", "https://www.greynoise.io/blog/fortios-authentication-bypass"], "tags": {"name": "CVE-2022-40684 Fortinet Appliance Auth bypass", "analytic_story": "CVE-2022-40684 Fortinet Appliance Auth bypass", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Initial Access", "Persistence"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - Fortinet Appliance Auth bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Fortinet Appliance Auth bypass", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "CVE-2023-21716 Word RTF Heap Corruption", "id": "b1aeaf2c-8496-42e7-b2f7-15c328bc75d9", "version": 1, "date": "2023-03-10", "author": "Michael Haag, Splunk", "description": "A proof-of-concept for CVE-2023-21716, a critical vulnerability in Microsoft Word that allows remote code execution utilizing a heap corruption in rich text files.", "narrative": "This analytic story covers content that will assist organizations in identifying potential RTF RCE abuse on endpoints. The vulnerability was assigned a 9.8 out of 10 severity score, with Microsoft addressing it in the February Patch Tuesday security updates along with a couple of workarounds. Security researcher Joshua Drake last year discovered the vulnerability in Microsoft Office''s \"wwlib.dll\" and sent Microsoft a technical advisory containing proof-of-concept (PoC) code showing the issue is exploitable. A remote attacker could potentially take advantage of the issue to execute code with the same privileges as the victim that opens a malicious .RTF document. Delivering the malicious file to a victim can be as easy as an attachment to an email, although plenty of other methods exist. Microsoft warns that users don''t have to open a malicious RTF document and simply loading the file in the Preview Pane is enough for the compromise to start. (BleepingComputer, 2023)", "references": ["https://www.bleepingcomputer.com/news/security/proof-of-concept-released-for-critical-microsoft-word-rce-bug/"], "tags": {"name": "CVE-2023-21716 Word RTF Heap Corruption", "analytic_story": "CVE-2023-21716 Word RTF Heap Corruption", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Office Application Drop Executable - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Winword Spawning Cmd - Rule", "ESCU - Winword Spawning PowerShell - Rule", "ESCU - Winword Spawning Windows Script Host - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Winword Spawning Cmd", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Winword Spawning PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Winword Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}]}, {"name": "CVE-2023-23397 Outlook Elevation of Privilege", "id": "b459911b-551f-480f-a402-18cf89ca1e9c", "version": 1, "date": "2023-03-15", "author": "Michael Haag, Splunk", "description": "Microsoft has released CVE-2023-23397 to address the critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows.", "narrative": "Microsoft Threat Intelligence discovered limited, targeted abuse of a vulnerability in Microsoft Outlook for Windows that allows for new technology LAN manager (NTLM) credential theft. Microsoft has released CVE-2023-23397 to address the critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows. We strongly recommend all customers update Microsoft Outlook for Windows to remain secure.\\ CVE-2023-23397 is a critical EoP vulnerability in Microsoft Outlook that is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server. No user interaction is required.\\ The connection to the remote SMB server sends the user''s NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication. Online services such as Microsoft 365 do not support NTLM authentication and are not vulnerable to being attacked by these messages. (2023, Microsoft)", "references": ["https://twitter.com/ACEResponder/status/1636116096506818562?s=20", "https://twitter.com/domchell/status/1635999068282408962?s=20", "https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/", "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/"], "tags": {"name": "CVE-2023-23397 Outlook Elevation of Privilege", "analytic_story": "CVE-2023-23397 Outlook Elevation of Privilege", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}], "mitre_attack_tactics": ["Exfiltration"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Actions on Objectives"]}, "detection_names": ["ESCU - Windows Rundll32 WebDAV Request - Rule", "ESCU - Windows Rundll32 WebDav With Network Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Rundll32 WebDAV Request", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "Windows Rundll32 WebDav With Network Connection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}]}, {"name": "CyclopsBLink", "id": "7c75b1c8-dfff-46f1-8250-e58df91b6fd9", "version": 1, "date": "2022-04-07", "author": "Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the cyclopsblink malware including firewall modification, spawning more process, botnet c2 communication, defense evasion and etc. Cyclops Blink is a Linux ELF executable compiled for 32-bit x86 and PowerPC architecture that has targeted several network devices. The complete list of targeted devices is unknown at this time, but WatchGuard FireBox has specifically been listed as a target. The modular malware consists of core components and modules that are deployed as child processes using the Linux API fork. At this point, four modules have been identified that download and upload files, gather system information and contain updating mechanisms for the malware itself. Additional modules can be downloaded and executed from the Command And Control (C2) server.", "narrative": "Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.", "references": ["https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html"], "tags": {"name": "CyclopsBLink", "analytic_story": "Cyclops BLink", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1036.004", "mitre_attack_technique": "Masquerade Task or Service", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT41", "BITTER", "BackdoorDiplomacy", "Carbanak", "FIN6", "FIN7", "Fox Kitten", "Higaisa", "Kimsuky", "Lazarus Group", "Magic Hound", "Naikon", "PROMETHIUM", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Linux Iptables Firewall Modification - Rule", "ESCU - Linux Kworker Process In Writable Process Path - Rule", "ESCU - Linux Stdout Redirection To Dev Null File - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Iptables Firewall Modification", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Linux Kworker Process In Writable Process Path", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerade Task or Service"}, {"mitre_attack_technique": "Masquerading"}]}}, {"name": "Linux Stdout Redirection To Dev Null File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}]}, {"name": "DarkCrystal RAT", "id": "639e6006-0885-4847-9394-ddc2902629bf", "version": 1, "date": "2022-07-26", "author": "Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the DcRat malware including ddos, spawning more process, botnet c2 communication, defense evasion and etc. The DcRat malware is known commercial backdoor that was first released in 2018. This tool was sold in underground forum and known to be one of the cheapest commercial RATs. DcRat is modular and bespoke plugin framework make it a very flexible option, helpful for a range of nefearious uses.", "narrative": "Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.", "references": ["https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor", "https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat"], "tags": {"name": "DarkCrystal RAT", "analytic_story": "DarkCrystal RAT", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1592.001", "mitre_attack_technique": "Hardware", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1590.005", "mitre_attack_technique": "IP Addresses", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["Andariel", "HAFNIUM", "Magic Hound"]}, {"mitre_attack_id": "T1590", "mitre_attack_technique": "Gather Victim Network Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["HAFNIUM"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1124", "mitre_attack_technique": "System Time Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Darkhotel", "Higaisa", "Lazarus Group", "Sidewinder", "The White Company", "Turla", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Command And Control", "Defense Evasion", "Discovery", "Execution", "Impact", "Initial Access", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Windows Command Shell DCRat ForkBomb Payload - Rule", "ESCU - Windows Gather Victim Host Information Camera - Rule", "ESCU - Windows Gather Victim Network Info Through Ip Check Web Services - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows Ingress Tool Transfer Using Explorer - Rule", "ESCU - Windows System LogOff Commandline - Rule", "ESCU - Windows System Reboot CommandLine - Rule", "ESCU - Windows System Shutdown CommandLine - Rule", "ESCU - Windows System Time Discovery W32tm Delay - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - Winword Spawning Cmd - Rule", "ESCU - Winword Spawning PowerShell - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows Command Shell DCRat ForkBomb Payload", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Gather Victim Host Information Camera", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hardware"}, {"mitre_attack_technique": "Gather Victim Host Information"}]}}, {"name": "Windows Gather Victim Network Info Through Ip Check Web Services", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "IP Addresses"}, {"mitre_attack_technique": "Gather Victim Network Information"}]}}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows Ingress Tool Transfer Using Explorer", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Windows System LogOff Commandline", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}}, {"name": "Windows System Reboot CommandLine", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}}, {"name": "Windows System Shutdown CommandLine", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}}, {"name": "Windows System Time Discovery W32tm Delay", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Time Discovery"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Winword Spawning Cmd", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Winword Spawning PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}]}, {"name": "Data Destruction", "id": "4ae5c0d1-cebd-47d1-bfce-71bf096e38aa", "version": 1, "date": "2023-04-06", "author": "Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the data destruction, including deleting files, overwriting files, wiping disk and unrecoverable file encryption. This analytic story may cover several known activities related to malware implants used in geo-political war to wipe disks or files to interrupt the network-wide operation of a targeted organization. Analytics can detect the behavior of \"DoubleZero Destructor\", \"CaddyWiper\", \"AcidRain\", \"AwfulShred\", \"Hermetic Wiper\", \"Swift Slicer\", \"Whisper Gate\" and many more.", "narrative": "Adversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface or using 3rd party drivers to directly access disk content like Master Boot Record to wipe it. Some of these attacks were seen in geo-political war to impair the operation of targeted organizations or to interrupt network-wide services.", "references": ["https://attack.mitre.org/techniques/T1485/", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/", "https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware", "https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html", "https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html", "https://www.splunk.com/en_us/blog/security/threat-update-doublezero-destructor.html", "https://www.splunk.com/en_us/blog/security/threat-update-caddywiper.html", "https://www.splunk.com/en_us/blog/security/strt-ta03-cpe-destructive-software.html", "https://www.splunk.com/en_us/blog/security/threat-update-cyclopsblink.html", "https://www.splunk.com/en_us/blog/security/threat-update-acidrain-wiper.html", "https://www.splunk.com/en_us/blog/security/threat-update-industroyer2.html", "https://www.splunk.com/en_us/blog/security/threat-advisory-swiftslicer-wiper-strt-ta03.html"], "tags": {"name": "Data Destruction", "analytic_story": "Data Destruction", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1547.014", "mitre_attack_technique": "Active Setup", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "Rocke"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1200", "mitre_attack_technique": "Hardware Additions", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["DarkVishnya"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1059.004", "mitre_attack_technique": "Unix Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT41", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Rocke"]}, {"mitre_attack_id": "T1037.001", "mitre_attack_technique": "Logon Script (Windows)", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "Cobalt Group"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Earth Lusca", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.008", "mitre_attack_technique": "Accessibility Features", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT3", "APT41", "Axiom", "Deep Panda", "Fox Kitten"]}, {"mitre_attack_id": "T1497", "mitre_attack_technique": "Virtualization/Sandbox Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["Darkhotel"]}, {"mitre_attack_id": "T1497.003", "mitre_attack_technique": "Time Based Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1027.005", "mitre_attack_technique": "Indicator Removal from Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT3", "Deep Panda", "GALLIUM", "OilRig", "Patchwork", "TEMP.Veles", "Turla"]}, {"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["TEMP.Veles"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1134.001", "mitre_attack_technique": "Token Impersonation/Theft", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "FIN8"]}, {"mitre_attack_id": "T1546.002", "mitre_attack_technique": "Screensaver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.003", "mitre_attack_technique": "Time Providers", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1588.002", "mitre_attack_technique": "Tool", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT19", "APT28", "APT29", "APT32", "APT33", "APT38", "APT39", "APT41", "Aoqin Dragon", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Carbanak", "Chimera", "Cleaver", "Cobalt Group", "CopyKittens", "DarkHydrus", "DarkVishnya", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN5", "FIN6", "Ferocious Kitten", "GALLIUM", "Gorgon Group", "HEXANE", "Inception", "IndigoZebra", "Ke3chang", "Kimsuky", "LAPSUS$", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "Metador", "Moses Staff", "MuddyWater", "POLONIUM", "Patchwork", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "TA505", "TEMP.Veles", "Threat Group-3390", "Thrip", "Turla", "WIRTE", "Whitefly", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134.004", "mitre_attack_technique": "Parent PID Spoofing", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance", "Resource Development"], "datamodels": ["Email", "Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation", "Installation", "Reconnaissance", "Weaponization"]}, "detection_names": ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - AdsiSearcher Account Discovery - Rule", "ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Child Processes of Spoolsv exe - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Detect Empire with PowerShell Script Block Logging - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Excessive File Deletion In WinDefender Folder - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux Data Destruction Command - Rule", "ESCU - Linux DD File Overwrite - Rule", "ESCU - Linux Deleting Critical Directory Using RM Command - Rule", "ESCU - Linux Deletion Of Cron Jobs - Rule", "ESCU - Linux Deletion Of Init Daemon Script - Rule", "ESCU - Linux Deletion Of Services - Rule", "ESCU - Linux Disable Services - Rule", "ESCU - Linux Hardware Addition SwapOff - Rule", "ESCU - Linux High Frequency Of File Deletion In Boot Folder - Rule", "ESCU - Linux High Frequency Of File Deletion In Etc Folder - Rule", "ESCU - Linux Impair Defenses Process Kill - Rule", "ESCU - Linux Indicator Removal Clear Cache - Rule", "ESCU - Linux Indicator Removal Service File Deletion - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Stdout Redirection To Dev Null File - Rule", "ESCU - Linux Stop Services - Rule", "ESCU - Linux System Network Discovery - Rule", "ESCU - Linux System Reboot Via System Request Key - Rule", "ESCU - Linux Unix Shell Enable All SysRq Functions - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process With Obfuscation Techniques - Rule", "ESCU - MSI Module Loaded by Non-System Binary - Rule", "ESCU - Overwriting Accessibility Binaries - Rule", "ESCU - Ping Sleep Batch Command - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - PowerShell Domain Enumeration - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Powershell Fileless Process Injection via GetProcAddress - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Powershell Remove Windows Defender Directory - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Runas Execution in CommandLine - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Process With Discord DNS Query - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Unloading AMSI via Reflection - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Data Destruction Recursive Exec Files Deletion - Rule", "ESCU - Windows Deleted Registry By A Non Critical Process File Path - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows File Without Extension In Critical Folder - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows Linked Policies In ADSI Discovery - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows NirSoft Utilities - Rule", "ESCU - Windows Processes Killed By Industroyer2 Malware - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows Root Domain linked policies Discovery - Rule", "ESCU - Windows Terminating Lsass Process - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - WMI Recon Running Process Or Services - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Email Attachments With Lots Of Spaces", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Suspicious Email Attachment Extensions", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Active Setup Registry Autostart", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Active Setup"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "AdsiSearcher Account Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Child Processes of Spoolsv exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Detect Empire with PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Blocking"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Excessive File Deletion In WinDefender Folder", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Kerberoasting spn request with RC4 encryption", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Data Destruction Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux DD File Overwrite", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Deleting Critical Directory Using RM Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Deletion Of Cron Jobs", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Deletion Of Init Daemon Script", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Deletion Of Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Disable Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Linux Hardware Addition SwapOff", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hardware Additions"}]}}, {"name": "Linux High Frequency Of File Deletion In Boot Folder", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux High Frequency Of File Deletion In Etc Folder", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Impair Defenses Process Kill", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Linux Indicator Removal Clear Cache", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Indicator Removal Service File Deletion", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Java Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Stdout Redirection To Dev Null File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Linux Stop Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Linux System Network Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}]}}, {"name": "Linux System Reboot Via System Request Key", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}}, {"name": "Linux Unix Shell Enable All SysRq Functions", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unix Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Logon Script Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Boot or Logon Initialization Scripts"}, {"mitre_attack_technique": "Logon Script (Windows)"}]}}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Malicious PowerShell Process With Obfuscation Techniques", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "MSI Module Loaded by Non-System Binary", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Overwriting Accessibility Binaries", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Accessibility Features"}]}}, {"name": "Ping Sleep Batch Command", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Virtualization/Sandbox Evasion"}, {"mitre_attack_technique": "Time Based Evasion"}]}}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Remote Management"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "MMC"}]}}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "PowerShell Domain Enumeration", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Enable SMB1Protocol Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Indicator Removal from Tools"}]}}, {"name": "Powershell Execute COM Object", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Component Object Model Hijacking"}, {"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Fileless Process Injection via GetProcAddress", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Remove Windows Defender Directory", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Powershell Using memory As Backing Store", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Print Processor Registry Autostart", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Process Deleting Its Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Image File Execution Options Injection"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Runas Execution in CommandLine", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Access Token Manipulation"}, {"mitre_attack_technique": "Token Impersonation/Theft"}]}}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Screensaver"}]}}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Process With Discord DNS Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Time Providers"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Unloading AMSI via Reflection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Windows Data Destruction Recursive Exec Files Deletion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows Deleted Registry By A Non Critical Process File Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable Memory Crash Dump", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows File Without Extension In Critical Folder", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows Linked Policies In ADSI Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows NirSoft AdvancedRun", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Tool"}]}}, {"name": "Windows NirSoft Utilities", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Tool"}]}}, {"name": "Windows Processes Killed By Industroyer2 Malware", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "Windows Root Domain linked policies Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Windows Terminating Lsass Process", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "WMI Recon Running Process Or Services", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}]}, {"name": "Data Exfiltration", "id": "66b0fe0c-1351-11eb-adc1-0242ac120002", "version": 2, "date": "2023-05-17", "author": "Bhavin Patel, Shannon Davis, Splunk", "description": "Data exfiltration refers to the unauthorized transfer or extraction of sensitive or valuable data from a compromised system or network during a cyber attack. It is a critical phase in many targeted attacks, where adversaries aim to steal confidential information, such as intellectual property, financial records, personal data, or trade secrets.", "narrative": "This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) leveraged by adversaries to exfiltrate data from your environments. Exfiltration comes in many flavors and its done differently on every environment. Adversaries can collect data over encrypted or non-encrypted channels. They can utilise Command And Control channels that are already in place to exfiltrate data. They can use both standard data transfer protocols such as FTP, SCP, etc to exfiltrate data. Or they can use non-standard protocols such as DNS, ICMP, etc with specially crafted fields to try and circumvent security technologies in place.\\\nTechniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission. In context of the cloud, this refers to the unauthorized transfer or extraction of sensitive data from cloud-based systems or services. It involves the compromise of cloud infrastructure or accounts to gain access to valuable information stored in the cloud environment. Attackers may employ various techniques, such as exploiting vulnerabilities, stealing login credentials, or using malicious code to exfiltrate data from cloud repositories or services without detection.", "references": ["https://attack.mitre.org/tactics/TA0010/", "https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436", "https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a"], "tags": {"name": "Data Exfiltration", "analytic_story": "Data Exfiltration", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1119", "mitre_attack_technique": "Automated Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "Chimera", "Confucius", "FIN5", "FIN6", "Gamaredon Group", "Ke3chang", "Mustang Panda", "OilRig", "Patchwork", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1114.003", "mitre_attack_technique": "Email Forwarding Rule", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Kimsuky", "LAPSUS$", "Silent Librarian"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1114.001", "mitre_attack_technique": "Local Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "Chimera", "Magic Hound"]}, {"mitre_attack_id": "T1568.002", "mitre_attack_technique": "Domain Generation Algorithms", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "TA551"]}, {"mitre_attack_id": "T1041", "mitre_attack_technique": "Exfiltration Over C2 Channel", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Chimera", "Confucius", "GALLIUM", "Gamaredon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "LuminousMoth", "MuddyWater", "Sandworm Team", "Stealth Falcon", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Exfiltration", "Impact", "Initial Access"], "datamodels": ["Endpoint", "Network_Resolution", "Risk"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - AWS AMI Atttribute Modification for Exfiltration - Rule", "ESCU - AWS Disable Bucket Versioning - Rule", "ESCU - AWS EC2 Snapshot Shared Externally - Rule", "ESCU - AWS Exfiltration via Anomalous GetObject API Activity - Rule", "ESCU - AWS Exfiltration via Batch Service - Rule", "ESCU - AWS Exfiltration via Bucket Replication - Rule", "ESCU - AWS Exfiltration via DataSync Task - Rule", "ESCU - AWS Exfiltration via EC2 Snapshot - Rule", "ESCU - AWS S3 Exfiltration Behavior Identified - Rule", "ESCU - Gdrive suspicious file sharing - Rule", "ESCU - O365 PST export alert - Rule", "ESCU - O365 Suspicious Admin Email Forwarding - Rule", "ESCU - O365 Suspicious User Email Forwarding - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Linux Curl Upload File - Rule", "ESCU - Mailsniper Invoke functions - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect SNICat SNI Exfiltration - Rule", "ESCU - Multiple Archive Files Http Post Traffic - Rule", "ESCU - Plain HTTP POST Exfiltrated Data - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Shannon Davis, Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS AMI Atttribute Modification for Exfiltration", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "AWS Disable Bucket Versioning", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "AWS EC2 Snapshot Shared Externally", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "AWS Exfiltration via Anomalous GetObject API Activity", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Automated Collection"}]}}, {"name": "AWS Exfiltration via Batch Service", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Automated Collection"}]}}, {"name": "AWS Exfiltration via Bucket Replication", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "AWS Exfiltration via DataSync Task", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Automated Collection"}]}}, {"name": "AWS Exfiltration via EC2 Snapshot", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "AWS S3 Exfiltration Behavior Identified", "source": "cloud", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "Gdrive suspicious file sharing", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}]}}, {"name": "O365 PST export alert", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Email Collection"}]}}, {"name": "O365 Suspicious Admin Email Forwarding", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Email Forwarding Rule"}, {"mitre_attack_technique": "Email Collection"}]}}, {"name": "O365 Suspicious User Email Forwarding", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Email Forwarding Rule"}, {"mitre_attack_technique": "Email Collection"}]}}, {"name": "DNS Exfiltration Using Nslookup App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Excessive Usage of NSLOOKUP App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Linux Curl Upload File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Mailsniper Invoke functions", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Local Email Collection"}]}}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}}, {"name": "Detect SNICat SNI Exfiltration", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over C2 Channel"}]}}, {"name": "Multiple Archive Files Http Post Traffic", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Plain HTTP POST Exfiltrated Data", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}]}, {"name": "Data Protection", "id": "91c676cf-0b23-438d-abee-f6335e1fce33", "version": 1, "date": "2017-09-14", "author": "Bhavin Patel, Splunk", "description": "Fortify your data-protection arsenal--while continuing to ensure data confidentiality and integrity--with searches that monitor for and help you investigate possible signs of data exfiltration.", "narrative": "Attackers can leverage a variety of resources to compromise or exfiltrate enterprise data. Common exfiltration techniques include remote-access channels via low-risk, high-payoff active-collections operations and close-access operations using insiders and removable media. While this Analytic Story is not a comprehensive listing of all the methods by which attackers can exfiltrate data, it provides a useful starting point.", "references": ["https://www.cisecurity.org/controls/data-protection/", "https://www.sans.org/reading-room/whitepapers/dns/splunk-detect-dns-tunneling-37022", "https://umbrella.cisco.com/blog/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/"], "tags": {"name": "Data Protection", "analytic_story": "Data Protection", "category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}], "mitre_attack_tactics": ["Exfiltration", "Initial Access"], "datamodels": ["Change", "Change_Analysis", "Network_Resolution"], "kill_chain_phases": ["Actions on Objectives", "Delivery"]}, "detection_names": ["ESCU - Detect USB device insertion - Rule", "ESCU - Detection of DNS Tunnels - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule"], "investigation_names": ["ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get DNS traffic ratio - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Responsible For The DNS Traffic - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect USB device insertion", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Detection of DNS Tunnels", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}]}, {"name": "Deobfuscate-Decode Files or Information", "id": "0bd01a54-8cbe-11eb-abcd-acde48001122", "version": 1, "date": "2021-03-24", "author": "Michael Haag, Splunk", "description": "Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis.", "narrative": "An example of obfuscated files is `Certutil.exe` usage to encode a portable executable to a certificate file, which is base64 encoded, to hide the originating file. There are many utilities cross-platform to encode using XOR, using compressed .cab files to hide contents and scripting languages that may perform similar native Windows tasks. Triaging an event related will require the capability to review related process events and file modifications. Using a tool such as CyberChef will assist with identifying the encoding that was used, and potentially assist with decoding the contents.", "references": ["https://attack.mitre.org/techniques/T1140/"], "tags": {"name": "Deobfuscate-Decode Files or Information", "analytic_story": "Deobfuscate-Decode Files or Information", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1140", "mitre_attack_technique": "Deobfuscate/Decode Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT39", "BRONZE BUTLER", "Darkhotel", "Earth Lusca", "Gamaredon Group", "Gorgon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Molerats", "MuddyWater", "OilRig", "Rocke", "Sandworm Team", "TA505", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "WIRTE", "ZIRCONIUM", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - CertUtil With Decode Argument - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil With Decode Argument", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Deobfuscate/Decode Files or Information"}]}}]}, {"name": "AWS Cryptomining", "id": "ced74200-8465-4bc3-bd2c-9a782eec6750", "version": 1, "date": "2018-03-08", "author": "David Dorsey, Splunk", "description": "Monitor your AWS EC2 instances for activities related to cryptojacking/cryptomining. New instances that originate from previously unseen regions, users who launch abnormally high numbers of instances, or EC2 instances started by previously unseen users are just a few examples of potentially malicious behavior.", "narrative": "Cryptomining is an intentionally difficult, resource-intensive business. Its complexity was designed into the process to ensure that the number of blocks mined each day would remain steady. So, it's par for the course that ambitious, but unscrupulous, miners make amassing the computing power of large enterprises--a practice known as cryptojacking--a top priority. \\\nCryptojacking has attracted an increasing amount of media attention since its explosion in popularity in the fall of 2017. The attacks have moved from in-browser exploits and mobile phones to enterprise cloud services, such as Amazon Web Services (AWS). It's difficult to determine exactly how widespread the practice has become, since bad actors continually evolve their ability to escape detection, including employing unlisted endpoints, moderating their CPU usage, and hiding the mining pool's IP address behind a free CDN. \\\nWhen malicious miners appropriate a cloud instance, often spinning up hundreds of new instances, the costs can become astronomical for the account holder. So, it is critically important to monitor your systems for suspicious activities that could indicate that your network has been infiltrated. \\\nThis Analytic Story is focused on detecting suspicious new instances in your EC2 environment to help prevent such a disaster. It contains detection searches that will detect when a previously unused instance type or AMI is used. It also contains support searches to build lookup files to ensure proper execution of the detection searches.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "tags": {"name": "AWS Cryptomining", "analytic_story": "AWS Cryptomining", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": [], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Abnormally High AWS Instances Launched by User - Rule", "ESCU - Abnormally High AWS Instances Launched by User - MLTK - Rule", "ESCU - EC2 Instance Started In Previously Unseen Region - Rule", "ESCU - EC2 Instance Started With Previously Unseen AMI - Rule", "ESCU - EC2 Instance Started With Previously Unseen Instance Type - Rule", "ESCU - EC2 Instance Started With Previously Unseen User - Rule"], "investigation_names": ["ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - Get EC2 Instance Details by instanceId - Response Task", "ESCU - Get EC2 Launch Details - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Investigate AWS activities via region name - Response Task"], "baseline_names": ["ESCU - Baseline of Excessive AWS Instances Launched by User - MLTK", "ESCU - Previously Seen EC2 AMIs", "ESCU - Previously Seen EC2 Instance Types", "ESCU - Previously Seen EC2 Launches By User", "ESCU - Previously Seen AWS Regions"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Abnormally High AWS Instances Launched by User", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "Abnormally High AWS Instances Launched by User - MLTK", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "EC2 Instance Started In Previously Unseen Region", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "EC2 Instance Started With Previously Unseen AMI", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "EC2 Instance Started With Previously Unseen Instance Type", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "EC2 Instance Started With Previously Unseen User", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}]}, {"name": "AWS Suspicious Provisioning Activities", "id": "3338b567-3804-4261-9889-cf0ca4753c7f", "version": 1, "date": "2018-03-16", "author": "David Dorsey, Splunk", "description": "Monitor your AWS provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your network.", "narrative": "Because most enterprise AWS activities originate from familiar geographic locations, monitoring for activity from unknown or unusual regions is an important security measure. This indicator can be especially useful in environments where it is impossible to add specific IPs to an allow list because they vary. \\\nThis Analytic Story was designed to provide you with flexibility in the precision you employ in specifying legitimate geographic regions. It can be as specific as an IP address or a city, or as broad as a region (think state) or an entire country. By determining how precise you want your geographical locations to be and monitoring for new locations that haven't previously accessed your environment, you can detect adversaries as they begin to probe your environment. Since there are legitimate reasons for activities from unfamiliar locations, this is not a standalone indicator. Nevertheless, location can be a relevant piece of information that you may wish to investigate further.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "tags": {"name": "AWS Suspicious Provisioning Activities", "analytic_story": "AWS Suspicious Provisioning Activities", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": [], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - AWS Cloud Provisioning From Previously Unseen City - Rule", "ESCU - AWS Cloud Provisioning From Previously Unseen Country - Rule", "ESCU - AWS Cloud Provisioning From Previously Unseen IP Address - Rule", "ESCU - AWS Cloud Provisioning From Previously Unseen Region - Rule"], "investigation_names": ["ESCU - AWS Investigate Security Hub alerts by dest - Response Task", "ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - Get All AWS Activity From City - Response Task", "ESCU - Get All AWS Activity From Country - Response Task", "ESCU - Get All AWS Activity From IP Address - Response Task", "ESCU - Get All AWS Activity From Region - Response Task"], "baseline_names": ["ESCU - Previously Seen AWS Provisioning Activity Sources"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "AWS Cloud Provisioning From Previously Unseen City", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "AWS Cloud Provisioning From Previously Unseen Country", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "AWS Cloud Provisioning From Previously Unseen IP Address", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "AWS Cloud Provisioning From Previously Unseen Region", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}]}, {"name": "Common Phishing Frameworks", "id": "9a64ab44-9214-4639-8163-7eaa2621bd61", "version": 1, "date": "2019-04-29", "author": "Splunk Research Team, Splunk", "description": "Detect DNS and web requests to fake websites generated by the EvilGinx2 toolkit. These websites are designed to fool unwitting users who have clicked on a malicious link in a phishing email. ", "narrative": "As most people know, these emails use fraudulent domains, [email scraping](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), familiar contact names inserted as senders, and other tactics to lure targets into clicking a malicious link, opening an attachment with a [nefarious payload](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), or entering sensitive personal information that perpetrators may intercept. This attack technique requires a relatively low level of skill and allows adversaries to easily cast a wide net. Because phishing is a technique that relies on human psychology, you will never be able to eliminate this vulnerability 100%. But you can use automated detection to significantly reduce the risks.\\\nThis Analytic Story focuses on detecting signs of MiTM attacks enabled by [EvilGinx2](https://github.com/kgretzky/evilginx2), a toolkit that sets up a transparent proxy between the targeted site and the user. In this way, the attacker is able to intercept credentials and two-factor identification tokens. It employs a proxy template to allow a registered domain to impersonate targeted sites, such as Linkedin, Amazon, Okta, Github, Twitter, Instagram, Reddit, Office 365, and others. It can even register SSL certificates and camouflage them via a URL shortener, making them difficult to detect. Searches in this story look for signs of MiTM attacks enabled by EvilGinx2.", "references": ["https://github.com/kgretzky/evilginx2", "https://attack.mitre.org/techniques/T1192/", "https://breakdev.org/evilginx-advanced-phishing-with-two-factor-authentication-bypass/"], "tags": {"name": "Common Phishing Frameworks", "analytic_story": "Common Phishing Frameworks", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.003", "mitre_attack_technique": "Spearphishing via Service", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT29", "Ajax Security Team", "CURIUM", "Dark Caracal", "EXOTIC LILY", "FIN6", "Lazarus Group", "Magic Hound", "OilRig", "Windshift"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Network_Resolution", "Web"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Detect DNS requests to Phishing Sites leveraging EvilGinx2 - Rule"], "investigation_names": ["ESCU - Get Certificate logs for a domain - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Splunk Research Team", "detections": [{"name": "Detect DNS requests to Phishing Sites leveraging EvilGinx2", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing via Service"}]}}]}, {"name": "Container Implantation Monitoring and Investigation", "id": "aa0e28b1-0521-4b6f-9d2a-7b87e34af246", "version": 1, "date": "2020-02-20", "author": "Rod Soto, Rico Valdez, Splunk", "description": "Use the searches in this story to monitor your Kubernetes registry repositories for upload, and deployment of potentially vulnerable, backdoor, or implanted containers. These searches provide information on source users, destination path, container names and repository names. The searches provide context to address Mitre T1525 which refers to container implantation upload to a company's repository either in Amazon Elastic Container Registry, Google Container Registry and Azure Container Registry.", "narrative": "Container Registrys provide a way for organizations to keep customized images of their development and infrastructure environment in private. However if these repositories are misconfigured or priviledge users credentials are compromise, attackers can potentially upload implanted containers which can be deployed across the organization. These searches allow operator to monitor who, when and what was uploaded to container registry.", "references": ["https://github.com/splunk/cloud-datamodel-security-research"], "tags": {"name": "Container Implantation Monitoring and Investigation", "analytic_story": "Container Implantation Monitoring and Investigation", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": [], "investigation_names": [], "baseline_names": [], "author_company": "Rico Valdez, Splunk", "author_name": "Rod Soto", "detections": []}, {"name": "Host Redirection", "id": "2e8948a5-5239-406b-b56b-6c50fe268af4", "version": 1, "date": "2017-09-14", "author": "Rico Valdez, Splunk", "description": "Detect evidence of tactics used to redirect traffic from a host to a destination other than the one intended--potentially one that is part of an adversary's attack infrastructure. An example is redirecting communications regarding patches and updates or misleading users into visiting a malicious website.", "narrative": "Attackers will often attempt to manipulate client communications for nefarious purposes. In some cases, an attacker may endeavor to modify a local host file to redirect communications with resources (such as antivirus or system-update services) to prevent clients from receiving patches or updates. In other cases, an attacker might use this tactic to have the client connect to a site that looks like the intended site, but instead installs malware or collects information from the victim. Additionally, an attacker may redirect a victim in order to execute a MITM attack and observe communications.", "references": ["https://blog.malwarebytes.com/cybercrime/2016/09/hosts-file-hijacks/"], "tags": {"name": "Host Redirection", "analytic_story": "Host Redirection", "category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}], "mitre_attack_tactics": ["Command And Control", "Exfiltration"], "datamodels": ["Endpoint", "Network_Resolution"], "kill_chain_phases": ["Actions on Objectives", "Command And Control"]}, "detection_names": ["ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule", "ESCU - Windows hosts file modification - Rule"], "investigation_names": ["ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Clients Connecting to Multiple DNS Servers", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}]}}, {"name": "Windows hosts file modification", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Kubernetes Sensitive Role Activity", "id": "8b3984d2-17b6-47e9-ba43-a3376e70fdcc", "version": 1, "date": "2020-05-20", "author": "Rod Soto, Splunk", "description": "This story addresses detection and response around Sensitive Role usage within a Kubernetes clusters against cluster resources and namespaces.", "narrative": "Kubernetes is the most used container orchestration platform, this orchestration platform contains sensitive roles within its architecture, specifically configmaps and secrets, if accessed by an attacker can lead to further compromise. These searches allow operator to detect suspicious requests against Kubernetes role activities", "references": ["https://www.splunk.com/en_us/blog/security/approaching-kubernetes-security-detecting-kubernetes-scan-with-splunk.html"], "tags": {"name": "Kubernetes Sensitive Role Activity", "analytic_story": "Kubernetes Sensitive Role Activity", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Kubernetes AWS detect most active service accounts by pod - Rule", "ESCU - Kubernetes AWS detect sensitive role access - Rule", "ESCU - Kubernetes Azure active service accounts by pod namespace - Rule", "ESCU - Kubernetes Azure detect RBAC authorization by account - Rule", "ESCU - Kubernetes Azure detect sensitive role access - Rule", "ESCU - Kubernetes GCP detect most active service accounts by pod - Rule", "ESCU - Kubernetes GCP detect RBAC authorizations by account - Rule", "ESCU - Kubernetes GCP detect sensitive role access - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "Kubernetes AWS detect most active service accounts by pod", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes AWS detect sensitive role access", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes Azure active service accounts by pod namespace", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes Azure detect RBAC authorization by account", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes Azure detect sensitive role access", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes GCP detect most active service accounts by pod", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes GCP detect RBAC authorizations by account", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes GCP detect sensitive role access", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Lateral Movement", "id": "399d65dc-1f08-499b-a259-abd9051f38ad", "version": 2, "date": "2020-02-04", "author": "David Dorsey, Splunk", "description": " DEPRECATED IN FAVOR OF ACTIVE DIRECTORY LATERAL MOVEMENT. Detect and investigate tactics, techniques, and procedures around how attackers move laterally within the enterprise. Because lateral movement can expose the adversary to detection, it should be an important focus for security analysts.", "narrative": "Once attackers gain a foothold within an enterprise, they will seek to expand their accesses and leverage techniques that facilitate lateral movement. Attackers will often spend quite a bit of time and effort moving laterally. Because lateral movement renders an attacker the most vulnerable to detection, it's an excellent focus for detection and investigation. Indications of lateral movement can include the abuse of system utilities (such as `psexec.exe`), unauthorized use of remote desktop services, `file/admin$` shares, WMI, PowerShell, pass-the-hash, or the abuse of scheduled tasks. Organizations must be extra vigilant in detecting lateral movement techniques and look for suspicious activity in and around high-value strategic network assets, such as Active Directory, which are often considered the primary target or \"crown jewels\" to a persistent threat actor. An adversary can use lateral movement for multiple purposes, including remote execution of tools, pivoting to additional systems, obtaining access to specific information or files, access to additional credentials, exfiltrating data, or delivering a secondary effect. Adversaries may use legitimate credentials alongside inherent network and operating-system functionality to remotely connect to other systems and remain under the radar of network defenders. If there is evidence of lateral movement, it is imperative for analysts to collect evidence of the associated offending hosts. For example, an attacker might leverage host A to gain access to host B. From there, the attacker may try to move laterally to host C. In this example, the analyst should gather as much information as possible from all three hosts. It is also important to collect authentication logs for each host, to ensure that the offending accounts are well-documented. Analysts should account for all processes to ensure that the attackers did not install unauthorized software.", "references": ["https://www.fireeye.com/blog/executive-perspective/2015/08/malware_lateral_move.html"], "tags": {"name": "Lateral Movement", "analytic_story": "Lateral Movement", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": [], "investigation_names": ["ESCU - Get History Of Email Sources - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": []}, {"name": "Monitor Backup Solution", "id": "abe807c7-1eb6-4304-ac32-6e7aacdb891d", "version": 1, "date": "2017-09-12", "author": "David Dorsey, Splunk", "description": "Address common concerns when monitoring your backup processes. These searches can help you reduce risks from ransomware, device theft, or denial of physical access to a host by backing up data on endpoints.", "narrative": "Having backups is a standard best practice that helps ensure continuity of business operations. Having mature backup processes can also help you reduce the risks of many security-related incidents and streamline your response processes. The detection searches in this Analytic Story will help you identify systems that have backup failures, as well as systems that have not been backed up for an extended period of time. The story will also return the notable event history and all of the backup logs for an endpoint.", "references": ["https://www.carbonblack.com/2016/03/04/tracking-locky-ransomware-using-carbon-black/"], "tags": {"name": "Monitor Backup Solution", "analytic_story": "Monitor Backup Solution", "category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Compliance", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Extended Period Without Successful Netbackup Backups - Rule", "ESCU - Unsuccessful Netbackup backups - Rule"], "investigation_names": ["ESCU - All backup logs for host - Response Task", "ESCU - Get Notable History - Response Task"], "baseline_names": ["ESCU - Monitor Successful Backups", "ESCU - Monitor Unsuccessful Backups"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Extended Period Without Successful Netbackup Backups", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Unsuccessful Netbackup backups", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Monitor for Unauthorized Software", "id": "8892a655-6205-43f7-abba-06460e38c8ae", "version": 1, "date": "2017-09-15", "author": "David Dorsey, Splunk", "description": "Identify and investigate prohibited/unauthorized software or processes that may be concealing malicious behavior within your environment. ", "narrative": "It is critical to identify unauthorized software and processes running on enterprise endpoints and determine whether they are likely to be malicious. This Analytic Story requires the user to populate the Interesting Processes table within Enterprise Security with prohibited processes. An included support search will augment this data, adding information on processes thought to be malicious. This search requires data from endpoint detection-and-response solutions, endpoint data sources (such as Sysmon), or Windows Event Logs--assuming that the Active Directory administrator has enabled process tracking within the System Event Audit Logs.\\\nIt is important to investigate any software identified as suspicious, in order to understand how it was installed or executed. Analyzing authentication logs or any historic notable events might elicit additional investigative leads of interest. For best results, schedule the search to run every two weeks. ", "references": ["https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"], "tags": {"name": "Monitor for Unauthorized Software", "analytic_story": "Monitor for Unauthorized Software", "category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Compliance", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036.005", "mitre_attack_technique": "Match Legitimate Name or Location", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT32", "APT39", "APT41", "Aoqin Dragon", "BRONZE BUTLER", "BackdoorDiplomacy", "Blue Mockingbird", "Carbanak", "Chimera", "Darkhotel", "Earth Lusca", "FIN7", "Ferocious Kitten", "Fox Kitten", "Gamaredon Group", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Poseidon Group", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "Sowbug", "TEMP.Veles", "TeamTNT", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1595", "mitre_attack_technique": "Active Scanning", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Reconnaissance"]}, "detection_names": ["ESCU - Prohibited Software On Endpoint - Rule", "ESCU - Attacker Tools On Endpoint - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": ["ESCU - Add Prohibited Processes to Enterprise Security"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Prohibited Software On Endpoint", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Match Legitimate Name or Location"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "Active Scanning"}]}}]}, {"name": "Spectre And Meltdown Vulnerabilities", "id": "6d3306f6-bb2b-4219-8609-8efad64032f2", "version": 1, "date": "2018-01-08", "author": "David Dorsey, Splunk", "description": "Assess and mitigate your systems' vulnerability to Spectre and Meltdown exploitation with the searches in this Analytic Story.", "narrative": "Meltdown and Spectre exploit critical vulnerabilities in modern CPUs that allow unintended access to data in memory. This Analytic Story will help you identify the systems can be patched for these vulnerabilities, as well as those that still need to be patched.", "references": ["https://meltdownattack.com/"], "tags": {"name": "Spectre And Meltdown Vulnerabilities", "analytic_story": "Spectre And Meltdown Vulnerabilities", "category": ["Vulnerability"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Vulnerabilities"], "kill_chain_phases": []}, "detection_names": ["ESCU - Spectre and Meltdown Vulnerable Systems - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": ["ESCU - Systems Ready for Spectre-Meltdown Windows Patch"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Spectre and Meltdown Vulnerable Systems", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Suspicious AWS EC2 Activities", "id": "2e8948a5-5239-406b-b56b-6c50f1268af3", "version": 1, "date": "2018-02-09", "author": "Bhavin Patel, Splunk", "description": "Use the searches in this Analytic Story to monitor your AWS EC2 instances for evidence of anomalous activity and suspicious behaviors, such as EC2 instances that originate from unusual locations or those launched by previously unseen users (among others). Included investigative searches will help you probe more deeply, when the information warrants it.", "narrative": "AWS CloudTrail is an AWS service that helps you enable governance, compliance, and risk auditing within your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. It is crucial for a company to monitor events and actions taken in the AWS Console, AWS command-line interface, and AWS SDKs and APIs to ensure that your EC2 instances are not vulnerable to attacks. This Analytic Story identifies suspicious activities in your AWS EC2 instances and helps you respond and investigate those activities.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "tags": {"name": "Suspicious AWS EC2 Activities", "analytic_story": "Suspicious AWS EC2 Activities", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": [], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Abnormally High AWS Instances Launched by User - Rule", "ESCU - Abnormally High AWS Instances Launched by User - MLTK - Rule", "ESCU - Abnormally High AWS Instances Terminated by User - Rule", "ESCU - Abnormally High AWS Instances Terminated by User - MLTK - Rule", "ESCU - EC2 Instance Started In Previously Unseen Region - Rule", "ESCU - EC2 Instance Started With Previously Unseen User - Rule"], "investigation_names": ["ESCU - AWS Investigate Security Hub alerts by dest - Response Task", "ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - Get EC2 Instance Details by instanceId - Response Task", "ESCU - Get EC2 Launch Details - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Investigate AWS activities via region name - Response Task"], "baseline_names": ["ESCU - Baseline of Excessive AWS Instances Launched by User - MLTK", "ESCU - Baseline of Excessive AWS Instances Terminated by User - MLTK", "ESCU - Previously Seen EC2 Launches By User", "ESCU - Previously Seen AWS Regions"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Abnormally High AWS Instances Launched by User", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "Abnormally High AWS Instances Launched by User - MLTK", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "Abnormally High AWS Instances Terminated by User", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "Abnormally High AWS Instances Terminated by User - MLTK", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "EC2 Instance Started In Previously Unseen Region", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "EC2 Instance Started With Previously Unseen User", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}]}, {"name": "Unusual AWS EC2 Modifications", "id": "73de57ef-0dfc-411f-b1e7-fa24428aeae0", "version": 1, "date": "2018-04-09", "author": "David Dorsey, Splunk", "description": "Identify unusual changes to your AWS EC2 instances that may indicate malicious activity. Modifications to your EC2 instances by previously unseen users is an example of an activity that may warrant further investigation.", "narrative": "A common attack technique is to infiltrate a cloud instance and make modifications. The adversary can then secure access to your infrastructure or hide their activities. So it's important to stay alert to changes that may indicate that your environment has been compromised. \\\n Searches within this Analytic Story can help you detect the presence of a threat by monitoring for EC2 instances that have been created or changed--either by users that have never previously performed these activities or by known users who modify or create instances in a way that have not been done before. This story also provides investigative searches that help you go deeper once you detect suspicious behavior.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "tags": {"name": "Unusual AWS EC2 Modifications", "analytic_story": "Unusual AWS EC2 Modifications", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": [], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - EC2 Instance Modified With Previously Unseen User - Rule"], "investigation_names": ["ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - Get EC2 Instance Details by instanceId - Response Task", "ESCU - Get Notable History - Response Task"], "baseline_names": ["ESCU - Previously Seen EC2 Modifications By User"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "EC2 Instance Modified With Previously Unseen User", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}]}, {"name": "Web Fraud Detection", "id": "18bb45b9-7684-45c6-9e97-1fdd0d98c0a7", "version": 1, "date": "2018-10-08", "author": "Jim Apger, Splunk", "description": "Monitor your environment for activity consistent with common attack techniques bad actors use when attempting to compromise web servers or other web-related assets.", "narrative": "The Federal Bureau of Investigations (FBI) defines Internet fraud as the use of Internet services or software with Internet access to defraud victims or to otherwise take advantage of them. According to the Bureau, Internet crime schemes are used to steal millions of dollars each year from victims and continue to plague the Internet through various methods. The agency includes phishing scams, data breaches, Denial of Service (DOS) attacks, email account compromise, malware, spoofing, and ransomware in this category.\\\nThese crimes are not the fraud itself, but rather the attack techniques commonly employed by fraudsters in their pursuit of data that enables them to commit malicious actssuch as obtaining and using stolen credit cards. They represent a serious problem that is steadily increasing and not likely to go away anytime soon.\\\nWhen developing a strategy for preventing fraud in your environment, its important to look across all of your web services for evidence that attackers are abusing enterprise resources to enumerate systems, harvest data for secondary fraudulent activity, or abuse terms of service.This Analytic Story looks for evidence of common Internet attack techniques that could be indicative of web fraud in your environmentincluding account harvesting, anomalous user clickspeed, and password sharing across accounts, to name just a few.\\\nThe account-harvesting search focuses on web pages used for user-account registration. It detects the creation of a large number of user accounts using the same email domain name, a type of activity frequently seen in advance of a fraud campaign.\\\nThe anomalous clickspeed search looks for users who are moving through your website at a faster-than-normal speed or with a perfect click cadence (high periodicity or low standard deviation), which could indicate that the user is a script, not an actual human.\\\nAnother search detects incidents wherein a single password is used across multiple accounts, which may indicate that a fraudster has infiltrated your environment and embedded a common password within a script.", "references": ["https://www.fbi.gov/scams-and-safety/common-fraud-schemes/internet-fraud", "https://www.fbi.gov/news/stories/2017-internet-crime-report-released-050718"], "tags": {"name": "Web Fraud Detection", "analytic_story": "Web Fraud Detection", "category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Fraud Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": [], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Web Fraud - Account Harvesting - Rule", "ESCU - Web Fraud - Anomalous User Clickspeed - Rule", "ESCU - Web Fraud - Password Sharing Across Accounts - Rule"], "investigation_names": ["ESCU - Get Emails From Specific Sender - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Web Session Information via session id - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Jim Apger", "detections": [{"name": "Web Fraud - Account Harvesting", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create Account"}]}}, {"name": "Web Fraud - Anomalous User Clickspeed", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Web Fraud - Password Sharing Across Accounts", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Detect Zerologon Attack", "id": "5d14a962-569e-4578-939f-f386feb63ce4", "version": 1, "date": "2020-09-18", "author": "Rod Soto, Jose Hernandez, Stan Miskowicz, David Dorsey, Shannon Davis Splunk", "description": "Uncover activity related to the execution of Zerologon CVE-2020-11472, a technique wherein attackers target a Microsoft Windows Domain Controller to reset its computer account password. The result from this attack is attackers can now provide themselves high privileges and take over Domain Controller. The included searches in this Analytic Story are designed to identify attempts to reset Domain Controller Computer Account via exploit code remotely or via the use of tool Mimikatz as payload carrier.", "narrative": "This attack is a privilege escalation technique, where attacker targets a Netlogon secure channel connection to a domain controller, using Netlogon Remote Protocol (MS-NRPC). This vulnerability exposes vulnerable Windows Domain Controllers to be targeted via unaunthenticated RPC calls which eventually reset Domain Contoller computer account ($) providing the attacker the opportunity to exfil domain controller credential secrets and assign themselve high privileges that can lead to domain controller and potentially complete network takeover. The detection searches in this Analytic Story use Windows Event viewer events and Sysmon events to detect attack execution, these searches monitor access to the Local Security Authority Subsystem Service (LSASS) process which is an indicator of the use of Mimikatz tool which has bee updated to carry this attack payload.", "references": ["https://attack.mitre.org/wiki/Technique/T1003", "https://github.com/SecuraBV/CVE-2020-1472", "https://www.secura.com/blog/zero-logon", "https://nvd.nist.gov/vuln/detail/CVE-2020-1472"], "tags": {"name": "Detect Zerologon Attack", "analytic_story": "Detect Zerologon Attack", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1210", "mitre_attack_technique": "Exploitation of Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "Dragonfly", "Earth Lusca", "FIN7", "Fox Kitten", "MuddyWater", "Threat Group-3390", "Tonto Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}], "mitre_attack_tactics": ["Credential Access", "Initial Access", "Lateral Movement"], "datamodels": [], "kill_chain_phases": ["Delivery", "Exploitation"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Detect Computer Changed with Anonymous Account - Rule", "ESCU - Detect Credential Dumping through LSASS access - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Detect Zerologon via Zeek - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Jose Hernandez, Stan Miskowicz, David Dorsey, Shannon Davis Splunk", "author_name": "Rod Soto", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Detect Computer Changed with Anonymous Account", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation of Remote Services"}]}}, {"name": "Detect Credential Dumping through LSASS access", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Detect Zerologon via Zeek", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "Dev Sec Ops", "id": "0ca8c38e-631e-4b81-940c-f9c5450ce41e", "version": 1, "date": "2021-08-18", "author": "Patrick Bareiss, Splunk", "description": "This story is focused around detecting attacks on a DevSecOps lifeccycle which consists of the phases plan, code, build, test, release, deploy, operate and monitor.", "narrative": "DevSecOps is a collaborative framework, which thinks about application and infrastructure security from the start. This means that security tools are part of the continuous integration and continuous deployment pipeline. In this analytics story, we focused on detections around the tools used in this framework such as GitHub as a version control system, GDrive for the documentation, CircleCI as the CI/CD pipeline, Kubernetes as the container execution engine and multiple security tools such as Semgrep and Kube-Hunter.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops"], "tags": {"name": "Dev Sec Ops", "analytic_story": "Dev Sec Ops", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.003", "mitre_attack_technique": "Malicious Image", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1554", "mitre_attack_technique": "Compromise Client Software Binary", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1195.002", "mitre_attack_technique": "Compromise Software Supply Chain", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT41", "Cobalt Group", "Dragonfly", "GOLD SOUTHFIELD", "Sandworm Team", "Threat Group-3390"]}, {"mitre_attack_id": "T1195", "mitre_attack_technique": "Supply Chain Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1199", "mitre_attack_technique": "Trusted Relationship", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "GOLD SOUTHFIELD", "LAPSUS$", "POLONIUM", "Sandworm Team", "Threat Group-3390", "menuPass"]}, {"mitre_attack_id": "T1195.001", "mitre_attack_technique": "Compromise Software Dependencies and Development Tools", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1567.002", "mitre_attack_technique": "Exfiltration to Cloud Storage", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Chimera", "Confucius", "Earth Lusca", "FIN7", "HAFNIUM", "HEXANE", "Kimsuky", "Leviathan", "LuminousMoth", "POLONIUM", "Threat Group-3390", "Turla", "ZIRCONIUM"]}, {"mitre_attack_id": "T1567", "mitre_attack_technique": "Exfiltration Over Web Service", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT28", "Magic Hound"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1212", "mitre_attack_technique": "Exploitation for Credential Access", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Credential Access", "Discovery", "Execution", "Exfiltration", "Initial Access", "Persistence"], "datamodels": [], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - AWS ECR Container Scanning Findings High - Rule", "ESCU - AWS ECR Container Scanning Findings Low Informational Unknown - Rule", "ESCU - AWS ECR Container Scanning Findings Medium - Rule", "ESCU - AWS ECR Container Upload Outside Business Hours - Rule", "ESCU - AWS ECR Container Upload Unknown User - Rule", "ESCU - Circle CI Disable Security Job - Rule", "ESCU - Circle CI Disable Security Step - Rule", "ESCU - Correlation by Repository and Risk - Rule", "ESCU - Correlation by User and Risk - Rule", "ESCU - GitHub Actions Disable Security Workflow - Rule", "ESCU - Github Commit Changes In Master - Rule", "ESCU - Github Commit In Develop - Rule", "ESCU - GitHub Dependabot Alert - Rule", "ESCU - GitHub Pull Request from Unknown User - Rule", "ESCU - Gsuite Drive Share In External Email - Rule", "ESCU - GSuite Email Suspicious Attachment - Rule", "ESCU - Gsuite Email Suspicious Subject With Attachment - Rule", "ESCU - Gsuite Email With Known Abuse Web Service Link - Rule", "ESCU - Gsuite Outbound Email With Attachment To External Domain - Rule", "ESCU - Gsuite Suspicious Shared File Name - Rule", "ESCU - Kubernetes Nginx Ingress LFI - Rule", "ESCU - Kubernetes Nginx Ingress RFI - Rule", "ESCU - Kubernetes Scanner Image Pulling - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Patrick Bareiss", "detections": [{"name": "AWS ECR Container Scanning Findings High", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "AWS ECR Container Scanning Findings Low Informational Unknown", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "AWS ECR Container Scanning Findings Medium", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "AWS ECR Container Upload Outside Business Hours", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "AWS ECR Container Upload Unknown User", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "Circle CI Disable Security Job", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Client Software Binary"}]}}, {"name": "Circle CI Disable Security Step", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Client Software Binary"}]}}, {"name": "Correlation by Repository and Risk", "source": "cloud", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "Correlation by User and Risk", "source": "cloud", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "GitHub Actions Disable Security Workflow", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Software Supply Chain"}, {"mitre_attack_technique": "Supply Chain Compromise"}]}}, {"name": "Github Commit Changes In Master", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Trusted Relationship"}]}}, {"name": "Github Commit In Develop", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Trusted Relationship"}]}}, {"name": "GitHub Dependabot Alert", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Software Dependencies and Development Tools"}, {"mitre_attack_technique": "Supply Chain Compromise"}]}}, {"name": "GitHub Pull Request from Unknown User", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Software Dependencies and Development Tools"}, {"mitre_attack_technique": "Supply Chain Compromise"}]}}, {"name": "Gsuite Drive Share In External Email", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration to Cloud Storage"}, {"mitre_attack_technique": "Exfiltration Over Web Service"}]}}, {"name": "GSuite Email Suspicious Attachment", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Gsuite Email Suspicious Subject With Attachment", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Gsuite Email With Known Abuse Web Service Link", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Gsuite Outbound Email With Attachment To External Domain", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Gsuite Suspicious Shared File Name", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Kubernetes Nginx Ingress LFI", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Credential Access"}]}}, {"name": "Kubernetes Nginx Ingress RFI", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Credential Access"}]}}, {"name": "Kubernetes Scanner Image Pulling", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Service Discovery"}]}}]}, {"name": "DHS Report TA18-074A", "id": "0c016e5c-88be-4e2c-8c6c-c2b55b4fb4ef", "version": 2, "date": "2020-01-22", "author": "Rico Valdez, Splunk", "description": "Monitor for suspicious activities associated with DHS Technical Alert US-CERT TA18-074A. Some of the activities that adversaries used in these compromises included spearfishing attacks, malware, watering-hole domains, many and more.", "narrative": "The frequency of nation-state cyber attacks has increased significantly over the last decade. Employing numerous tactics and techniques, these attacks continue to escalate in complexity. \\\nThere is a wide range of motivations for these state-sponsored hacks, including stealing valuable corporate, military, or diplomatic dataѿall of which could confer advantages in various arenas. They may also target critical infrastructure. \\\nOne joint Technical Alert (TA) issued by the Department of Homeland and the FBI in mid-March of 2018 attributed some cyber activity targeting utility infrastructure to operatives sponsored by the Russian government. The hackers executed spearfishing attacks, installed malware, employed watering-hole domains, and more. While they caused no physical damage, the attacks provoked fears that a nation-state could turn off water, redirect power, or compromise a nuclear power plant.\\\nSuspicious activities--spikes in SMB traffic, processes that launch netsh (to modify the network configuration), suspicious registry modifications, and many more--may all be events you may wish to investigate further. While the use of these technique may be an indication that a nation-state actor is attempting to compromise your environment, it is important to note that these techniques are often employed by other groups, as well.", "references": ["https://www.us-cert.gov/ncas/alerts/TA18-074A"], "tags": {"name": "DHS Report TA18-074A", "analytic_story": "DHS Report TA18-074A", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "Dragonfly", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1071.002", "mitre_attack_technique": "File Transfer Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Kimsuky", "SilverTerrier"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Dragonfly", "Magic Hound", "Rocke", "TeamTNT"]}], "mitre_attack_tactics": ["Command And Control", "Defense Evasion", "Execution", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - Create local admin accounts using net exe - Rule", "ESCU - Detect New Local Admin account - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Single Letter Process On Endpoint - Rule", "ESCU - Suspicious Reg exe Process - Rule", "ESCU - Detect Outbound SMB Traffic - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process File Activity - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task"], "baseline_names": ["ESCU - Baseline of SMB Traffic - MLTK", "ESCU - Previously seen command line arguments"], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "Create local admin accounts using net exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "Detect New Local Admin account", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Single Letter Process On Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}, {"mitre_attack_technique": "Malicious File"}]}}, {"name": "Suspicious Reg exe Process", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Detect Outbound SMB Traffic", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File Transfer Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "SMB Traffic Spike", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "SMB Traffic Spike - MLTK", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}}]}, {"name": "Disabling Security Tools", "id": "fcc27099-46a0-46b0-a271-5c7dab56b6f1", "version": 2, "date": "2020-02-04", "author": "Rico Valdez, Splunk", "description": "Looks for activities and techniques associated with the disabling of security tools on a Windows system, such as suspicious `reg.exe` processes, processes launching netsh, and many others.", "narrative": "Attackers employ a variety of tactics in order to avoid detection and operate without barriers. This often involves modifying the configuration of security tools to get around them or explicitly disabling them to prevent them from running. This Analytic Story includes searches that look for activity consistent with attackers attempting to disable various security mechanisms. Such activity may involve monitoring for suspicious registry activity, as this is where much of the configuration for Windows and various other programs reside, or explicitly attempting to shut down security-related services. Other times, attackers attempt various tricks to prevent specific programs from running, such as adding the certificates with which the security tools are signed to a block list (which would prevent them from running).", "references": ["https://attack.mitre.org/wiki/Technique/T1089", "https://blog.malwarebytes.com/cybercrime/2015/11/vonteera-adware-uses-certificates-to-disable-anti-malware/", "https://web.archive.org/web/20220425194457/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Tools-Report.pdf"], "tags": {"name": "Disabling Security Tools", "analytic_story": "Disabling Security Tools", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1553.004", "mitre_attack_technique": "Install Root Certificate", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1553", "mitre_attack_technique": "Subvert Trust Controls", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Axiom"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}], "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Attempt To Add Certificate To Untrusted Store - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Suspicious Reg exe Process - Rule", "ESCU - Unload Sysmon Filter Driver - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": ["ESCU - Baseline of SMB Traffic - MLTK", "ESCU - Previously seen command line arguments"], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Attempt To Add Certificate To Untrusted Store", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Install Root Certificate"}, {"mitre_attack_technique": "Subvert Trust Controls"}]}}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Reg exe Process", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Unload Sysmon Filter Driver", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}]}, {"name": "DNS Amplification Attacks", "id": "a563972b-d2e2-4978-b6ca-6e83e24af4d3", "version": 1, "date": "2016-09-13", "author": "Bhavin Patel, Splunk", "description": "DNS poses a serious threat as a Denial of Service (DOS) amplifier, if it responds to `ANY` queries. This Analytic Story can help you detect attackers who may be abusing your company's DNS infrastructure to launch amplification attacks, causing Denial of Service to other victims.", "narrative": "The Domain Name System (DNS) is the protocol used to map domain names to IP addresses. It has been proven to work very well for its intended function. However if DNS is misconfigured, servers can be abused by attackers to levy amplification or redirection attacks against victims. Because DNS responses to `ANY` queries are so much larger than the queries themselves--and can be made with a UDP packet, which does not require a handshake--attackers can spoof the source address of the packet and cause much more data to be sent to the victim than if they sent the traffic themselves. The `ANY` requests are will be larger than normal DNS server requests, due to the fact that the server provides significant details, such as MX records and associated IP addresses. A large volume of this traffic can result in a DOS on the victim's machine. This misconfiguration leads to two possible victims, the first being the DNS servers participating in an attack and the other being the hosts that are the targets of the DOS attack.\\\nThe search in this story can help you to detect if attackers are abusing your company's DNS infrastructure to launch DNS amplification attacks causing Denial of Service to other victims.", "references": ["https://www.us-cert.gov/ncas/alerts/TA13-088A", "https://www.imperva.com/learn/application-security/dns-amplification/"], "tags": {"name": "DNS Amplification Attacks", "analytic_story": "DNS Amplification Attacks", "category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1498", "mitre_attack_technique": "Network Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1498.002", "mitre_attack_technique": "Reflection Amplification", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Impact"], "datamodels": ["Network_Resolution"], "kill_chain_phases": ["Actions on Objectives"]}, "detection_names": ["ESCU - Large Volume of DNS ANY Queries - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Large Volume of DNS ANY Queries", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Network Denial of Service"}, {"mitre_attack_technique": "Reflection Amplification"}]}}]}, {"name": "DNS Hijacking", "id": "8169f17b-ef68-4b59-aa28-586907301221", "version": 1, "date": "2020-02-04", "author": "Bhavin Patel, Splunk", "description": "Secure your environment against DNS hijacks with searches that help you detect and investigate unauthorized changes to DNS records.", "narrative": "Dubbed the Achilles heel of the Internet (see https://www.f5.com/labs/articles/threat-intelligence/dns-is-still-the-achilles-heel-of-the-internet-25613), DNS plays a critical role in routing web traffic but is notoriously vulnerable to attack. One reason is its distributed nature. It relies on unstructured connections between millions of clients and servers over inherently insecure protocols.\\\nThe gravity and extent of the importance of securing DNS from attacks is undeniable. The fallout of compromised DNS can be disastrous. Not only can hackers bring down an entire business, they can intercept confidential information, emails, and login credentials, as well. \\\nOn January 22, 2019, the US Department of Homeland Security 2019's Cybersecurity and Infrastructure Security Agency (CISA) raised awareness of some high-profile DNS hijacking attacks against infrastructure, both in the United States and abroad. It issued Emergency Directive 19-01 (see https://cyber.dhs.gov/ed/19-01/), which summarized the activity and required government agencies to take the following four actions, all within 10 days: \\\n1. For all .gov or other agency-managed domains, audit public DNS records on all authoritative and secondary DNS servers, verify that they resolve to the intended location or report them to CISA.\\\n1. Update the passwords for all accounts on systems that can make changes to each agency 2019's DNS records.\\\n1. Implement multi-factor authentication (MFA) for all accounts on systems that can make changes to each agency's 2019 DNS records or, if impossible, provide CISA with the names of systems, the reasons why MFA cannot be enabled within the required timeline, and an ETA for when it can be enabled.\\\n1. CISA will begin regular delivery of newly added certificates to Certificate Transparency (CT) logs for agency domains via the Cyber Hygiene service. Upon receipt, agencies must immediately begin monitoring CT log data for certificates issued that they did not request. If an agency confirms that a certificate was unauthorized, it must report the certificate to the issuing certificate authority and to CISA. Of course, it makes sense to put equivalent actions in place within your environment, as well. \\\nIn DNS hijacking, the attacker assumes control over an account or makes use of a DNS service exploit to make changes to DNS records. Once they gain access, attackers can substitute their own MX records, name-server records, and addresses, redirecting emails and traffic through their infrastructure, where they can read, copy, or modify information seen. They can also generate valid encryption certificates to help them avoid browser-certificate checks. In one notable attack on the Internet service provider, GoDaddy, the hackers altered Sender Policy Framework (SPF) records a relatively minor change that did not inflict excessive damage but allowed for more effective spam campaigns.\\\nThe searches in this Analytic Story help you detect and investigate activities that may indicate that DNS hijacking has taken place within your environment.", "references": ["https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", "https://umbrella.cisco.com/blog/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/", "http://www.noip.com/blog/2014/07/11/dynamic-dns-can-use-2/", "https://www.splunk.com/blog/2015/08/04/detecting-dynamic-dns-domains-in-splunk.html"], "tags": {"name": "DNS Hijacking", "analytic_story": "DNS Hijacking", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}, {"mitre_attack_id": "T1568.002", "mitre_attack_technique": "Domain Generation Algorithms", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "TA551"]}, {"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}], "mitre_attack_tactics": ["Command And Control", "Exfiltration", "Initial Access"], "datamodels": ["Network_Resolution"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery"]}, "detection_names": ["ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule", "ESCU - DNS record changed - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect DNS Data Exfiltration using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Detect suspicious DNS TXT records using pretrained model in DSDL - Rule"], "investigation_names": ["ESCU - Get DNS Server History for a host - Response Task"], "baseline_names": ["ESCU - Discover DNS records"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Clients Connecting to Multiple DNS Servers", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}]}}, {"name": "DNS record changed", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}]}}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}}, {"name": "Detect DNS Data Exfiltration using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Detect suspicious DNS TXT records using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}}]}, {"name": "sAMAccountName Spoofing and Domain Controller Impersonation", "id": "0244fdee-61be-11ec-900e-acde48001122", "version": 1, "date": "2021-12-20", "author": "Mauricio Velazco, Splunk", "description": "Monitor for activities and techniques associated with the exploitation of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) vulnerabilities.", "narrative": "On November 9, 2021, Microsoft released patches to address two vulnerabilities that affect Windows Active Directory networks, sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287). On December 10, 2021, security researchers Charlie Clark and Andrew Schwartz released a blog post where they shared how to weaponise these vulnerabilities in a target network an the initial detection opportunities. When successfully exploited, CVE-2021-42278 and CVE-2021-42287 allow an adversary, who has stolen the credentials of a low priviled domain user, to obtain a Kerberos Service ticket for a Domain Controller computer account. The only requirement is to have network connectivity to a domain controller. This attack vector effectivelly allows attackers to escalate their privileges in an Active Directory from a regular domain user account and take control of a domain controller. While patches have been released to address these vulnerabilities, deploying detection controls for this attack may help help defenders identify attackers attempting exploitation.", "references": ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287", "https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html"], "tags": {"name": "sAMAccountName Spoofing and Domain Controller Impersonation", "analytic_story": "sAMAccountName Spoofing and Domain Controller Impersonation", "category": ["Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "Chimera", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "Wizard Spider"]}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": [], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Suspicious Computer Account Name Change - Rule", "ESCU - Suspicious Kerberos Service Ticket Request - Rule", "ESCU - Suspicious Ticket Granting Ticket Request - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Suspicious Computer Account Name Change", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}}, {"name": "Suspicious Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}}, {"name": "Suspicious Ticket Granting Ticket Request", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}}]}, {"name": "Domain Trust Discovery", "id": "e6f30f14-8daf-11eb-a017-acde48001122", "version": 1, "date": "2021-03-25", "author": "Michael Haag, Splunk", "description": "Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments.", "narrative": "Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain. Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting. Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP. The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.", "references": ["https://attack.mitre.org/techniques/T1482/"], "tags": {"name": "Domain Trust Discovery", "analytic_story": "Domain Trust Discovery", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Discovery"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - DSQuery Domain Discovery - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Windows AdFind Exe - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "DSQuery Domain Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}]}}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}]}}, {"name": "Windows AdFind Exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}]}, {"name": "Double Zero Destructor", "id": "f56e8c00-3224-4955-9a6e-924ec7da1df7", "version": 1, "date": "2022-03-25", "author": "Teoderick Contreras, Rod Soto, Splunk", "description": "Double Zero Destructor is a destructive payload that enumerates Domain Controllers and executes killswitch if detected. Overwrites files with Zero blocks or using MS Windows API calls such as NtFileOpen, NtFSControlFile. This payload also deletes registry hives HKCU,HKLM, HKU, HKLM BCD.", "narrative": "Double zero destructor enumerates domain controllers, delete registry hives and overwrites files using zero blocks and API calls.", "references": ["https://cert.gov.ua/article/38088", "https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html"], "tags": {"name": "Double Zero Destructor", "analytic_story": "Double Zero Destructor", "category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}], "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Deleted Registry By A Non Critical Process File Path - Rule", "ESCU - Windows Terminating Lsass Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows Deleted Registry By A Non Critical Process File Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Terminating Lsass Process", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}]}, {"name": "Dynamic DNS", "id": "8169f17b-ef68-4b59-aae8-586907301221", "version": 2, "date": "2018-09-06", "author": "Bhavin Patel, Splunk", "description": "Detect and investigate hosts in your environment that may be communicating with dynamic domain providers. Attackers may leverage these services to help them avoid firewall blocks and deny lists.", "narrative": "Dynamic DNS services (DDNS) are legitimate low-cost or free services that allow users to rapidly update domain resolutions to IP infrastructure. While their usage can be benign, malicious actors can abuse DDNS to host harmful payloads or interactive-command-and-control infrastructure. These attackers will manually update or automate domain resolution changes by routing dynamic domains to IP addresses that circumvent firewall blocks and deny lists and frustrate a network defender's analytic and investigative processes. These searches will look for DNS queries made from within your infrastructure to suspicious dynamic domains and then investigate more deeply, when appropriate. While this list of top-level dynamic domains is not exhaustive, it can be dynamically updated as new suspicious dynamic domains are identified.", "references": ["https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", "https://umbrella.cisco.com/blog/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/", "http://www.noip.com/blog/2014/07/11/dynamic-dns-can-use-2/", "https://www.splunk.com/blog/2015/08/04/detecting-dynamic-dns-domains-in-splunk.html"], "tags": {"name": "Dynamic DNS", "analytic_story": "Dynamic DNS", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1071.001", "mitre_attack_technique": "Web Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Confucius", "Dark Caracal", "FIN4", "FIN8", "Gamaredon Group", "HAFNIUM", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "OilRig", "Orangeworm", "Rancor", "Rocke", "Sandworm Team", "Sidewinder", "SilverTerrier", "Stealth Falcon", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "WIRTE", "Windshift", "Wizard Spider"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1568.002", "mitre_attack_technique": "Domain Generation Algorithms", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "TA551"]}, {"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}], "mitre_attack_tactics": ["Command And Control", "Exfiltration", "Initial Access"], "datamodels": ["Endpoint", "Network_Resolution", "Web"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery"]}, "detection_names": ["ESCU - Detect web traffic to dynamic domain providers - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule"], "investigation_names": ["ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get DNS traffic ratio - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Process Responsible For The DNS Traffic - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect web traffic to dynamic domain providers", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Web Protocols"}]}}, {"name": "DNS Exfiltration Using Nslookup App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Excessive Usage of NSLOOKUP App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}]}, {"name": "Emotet Malware DHS Report TA18-201A ", "id": "bb9f5ed2-916e-4364-bb6d-91c310efcf52", "version": 1, "date": "2020-01-27", "author": "Bhavin Patel, Splunk", "description": "Detect rarely used executables, specific registry paths that may confer malware survivability and persistence, instances where cmd.exe is used to launch script interpreters, and other indicators that the Emotet financial malware has compromised your environment.", "narrative": "The trojan downloader known as Emotet first surfaced in 2014, when it was discovered targeting the banking industry to steal credentials. However, according to a joint technical alert (TA) issued by three government agencies (https://www.us-cert.gov/ncas/alerts/TA18-201A), Emotet has evolved far beyond those beginnings to become what a ThreatPost article called a threat-delivery service(see https://threatpost.com/emotet-malware-evolves-beyond-banking-to-threat-delivery-service/134342/). For example, in early 2018, Emotet was found to be using its loader function to spread the Quakbot and Ransomware variants. \\\nAccording to the TA, the the malware continues to be among the most costly and destructive malware affecting the private and public sectors. Researchers have linked it to the threat group Mealybug, which has also been on the security communitys radar since 2014.\\\nThe searches in this Analytic Story will help you find executables that are rarely used in your environment, specific registry paths that malware often uses to ensure survivability and persistence, instances where cmd.exe is used to launch script interpreters, and other indicators that Emotet or other malware has compromised your environment. ", "references": ["https://www.us-cert.gov/ncas/alerts/TA18-201A", "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", "https://www.vkremez.com/2017/05/emotet-banking-trojan-malware-analysis.html"], "tags": {"name": "Emotet Malware DHS Report TA18-201A ", "analytic_story": "Emotet Malware DHS Report TA18-201A ", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1072", "mitre_attack_technique": "Software Deployment Tools", "mitre_attack_tactics": ["Execution", "Lateral Movement"], "mitre_attack_groups": ["APT32", "Sandworm Team", "Silence", "Threat Group-1314"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Execution", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Email", "Endpoint", "Network_Traffic"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Prohibited Software On Endpoint - Rule", "ESCU - Detect Use of cmd exe to Launch Script Interpreters - Rule", "ESCU - Detection of tools built by NirSoft - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule"], "investigation_names": ["ESCU - Get History Of Email Sources - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task"], "baseline_names": ["ESCU - Baseline of SMB Traffic - MLTK", "ESCU - Add Prohibited Processes to Enterprise Security"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Email Attachments With Lots Of Spaces", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Suspicious Email Attachment Extensions", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Prohibited Software On Endpoint", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Detect Use of cmd exe to Launch Script Interpreters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "Detection of tools built by NirSoft", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Software Deployment Tools"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "SMB Traffic Spike", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "SMB Traffic Spike - MLTK", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}}]}, {"name": "F5 BIG-IP Vulnerability CVE-2022-1388", "id": "0367b177-f8d6-4c4b-a62d-86f52a590bff", "version": 1, "date": "2022-05-10", "author": "Michael Haag, Splunk", "description": "CVE-2022-1388 is a unauthenticated remote code execution vulnerablity against BIG-IP iControl REST API.", "narrative": "CVE-2022-1388 is a critical vulnerability (CVSS 9.8) in the management interface of F5 Networks'' BIG-IP solution that enables an unauthenticated attacker to gain remote code execution on the system through bypassing F5''s iControl REST authentication. The vulnerability was first discovered by F5''s internal product security team and disclosed publicly on May 4, 2022, per Randori. This vulnerability,CVE-2022-1388, may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only per F5 article K23605346. Is CVE-2022-1388 Exploitable? Yes. There are now multiple POC scripts available and reports of threat actors scanning and potentially exploiting the vulnerablity. Per Randori the specific interface needed to exploit this vulnerability is rarely publicly exposed, and the risk to most organizations of exploitation by an unauthenticated external actor is low.", "references": ["https://github.com/dk4trin/templates-nuclei/blob/main/CVE-2022-1388.yaml", "https://www.randori.com/blog/vulnerability-analysis-cve-2022-1388/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388", "https://twitter.com/da_667/status/1523770267327250438?s=20&t=-JnB_aNWuJFsmcOmxGUWLQ", "https://github.com/horizon3ai/CVE-2022-1388/blob/main/CVE-2022-1388.py"], "tags": {"name": "F5 BIG-IP Vulnerability CVE-2022-1388", "analytic_story": "F5 BIG-IP Vulnerability CVE-2022-1388", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Initial Access", "Persistence"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "F5 BIG-IP iControl REST Vulnerability CVE-2022-1388", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "F5 TMUI RCE CVE-2020-5902", "id": "7678c968-d46e-11ea-87d0-0242ac130003", "version": 1, "date": "2020-08-02", "author": "Shannon Davis, Splunk", "description": "Uncover activity consistent with CVE-2020-5902. Discovered by Positive Technologies researchers, this vulnerability affects F5 BIG-IP, BIG-IQ. and Traffix SDC devices (vulnerable versions in F5 support link below). This vulnerability allows unauthenticated users, along with authenticated users, who have access to the configuration utility to execute system commands, create/delete files, disable services, and/or execute Java code. This vulnerability can result in full system compromise.", "narrative": "A client is able to perform a remote code execution on an exposed and vulnerable system. The detection search in this Analytic Story uses syslog to detect the malicious behavior. Syslog is going to be the best detection method, as any systems using SSL to protect their management console will make detection via wire data difficult. The searches included used Splunk Connect For Syslog (https://splunkbase.splunk.com/app/4740/), and used a custom destination port to help define the data as F5 data (covered in https://splunk-connect-for-syslog.readthedocs.io/en/master/sources/F5/)", "references": ["https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/", "https://support.f5.com/csp/article/K52145254", "https://blog.cloudflare.com/cve-2020-5902-helping-to-protect-against-the-f5-tmui-rce-vulnerability/"], "tags": {"name": "F5 TMUI RCE CVE-2020-5902", "analytic_story": "F5 TMUI RCE CVE-2020-5902", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": [], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Detect F5 TMUI RCE CVE-2020-5902 - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Shannon Davis", "detections": [{"name": "Detect F5 TMUI RCE CVE-2020-5902", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "FIN7", "id": "df2b00d3-06ba-49f1-b253-b19cef19b569", "version": 1, "date": "2021-09-14", "author": "Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the FIN7 JS Implant and JSSLoader, including looking for Image Loading of ldap and wmi modules, associated with its payload, data collection and script execution.", "narrative": "FIN7 is a Russian criminal advanced persistent threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. A portion of FIN7 is run out of the front company Combi Security. It has been called one of the most successful criminal hacking groups in the world. this passed few day FIN7 tools and implant are seen in the wild where its code is updated. the FIN& is known to use the spear phishing attack as a entry to targetted network or host that will drop its staging payload like the JS and JSSloader. Now this artifacts and implants seen downloading other malware like cobaltstrike and event ransomware to encrypt host.", "references": ["https://en.wikipedia.org/wiki/FIN7", "https://threatpost.com/fin7-windows-11-release/169206/", "https://www.proofpoint.com/us/blog/threat-insight/jssloader-recoded-and-reloaded"], "tags": {"name": "FIN7", "analytic_story": "FIN7", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134.004", "mitre_attack_technique": "Parent PID Spoofing", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1220", "mitre_attack_technique": "XSL Script Processing", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "Higaisa"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Execution", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Check Elevated CMD using whoami - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Jscript Execution Using Cscript App - Rule", "ESCU - MS Scripting Process Loading Ldap Module - Rule", "ESCU - MS Scripting Process Loading WMI Module - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Application Drop Executable - Rule", "ESCU - Office Product Spawning Wmic - Rule", "ESCU - Vbscript Execution Using Wscript App - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule", "ESCU - XSL Script Execution With WMIC - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Check Elevated CMD using whoami", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}}, {"name": "Jscript Execution Using Cscript App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}}, {"name": "MS Scripting Process Loading Ldap Module", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}}, {"name": "MS Scripting Process Loading WMI Module", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning Wmic", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Vbscript Execution Using Wscript App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "XSL Script Execution With WMIC", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "XSL Script Processing"}]}}]}, {"name": "Fortinet FortiNAC CVE-2022-39952", "id": "2833a527-3b7f-41af-a950-39f7bbaff819", "version": 1, "date": "2023-02-21", "author": "Michael Haag, Splunk", "description": "On Thursday, 16 February 2023, Fortinet released a PSIRT that details CVE-2022-39952, a critical vulnerability affecting its FortiNAC product (Horizon3.ai).", "narrative": "This vulnerability, discovered by Gwendal Guegniaud of Fortinet, allows an unauthenticated attacker to write arbitrary files on the system and as a result obtain remote code execution in the context of the root user (Horizon3.ai). Impacting FortiNAC, is tracked as CVE-2022-39952 and has a CVSS v3 score of 9.8 (critical). FortiNAC is a network access control solution that helps organizations gain real time network visibility, enforce security policies, and detect and mitigate threats. An external control of file name or path vulnerability CWE-73 in FortiNAC webserver may allow an unauthenticated attacker to perform arbitrary write on the system, reads the security advisory.", "references": ["https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/", "https://viz.greynoise.io/tag/fortinac-rce-attempt?days=30", "https://www.bleepingcomputer.com/news/security/fortinet-fixes-critical-rce-flaws-in-fortinac-and-fortiweb/"], "tags": {"name": "Fortinet FortiNAC CVE-2022-39952", "analytic_story": "Fortinet FortiNAC CVE-2022-39952", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Initial Access", "Persistence"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "GCP Account Takeover", "id": "8601caff-414f-4c6d-9a04-75b66778869d", "version": 1, "date": "2022-10-12", "author": "Mauricio Velazco, Bhavin Patel, Splunk", "description": "Monitor for activities and techniques associated with Account Takover attacks against Google Cloud Platform tenants.", "narrative": "Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic storic groups detections that can help security operations teams identify the potential compromise of Azure Active Directory accounts.", "references": ["https://cloud.google.com/gcp", "https://cloud.google.com/architecture/identity/overview-google-authentication", "https://attack.mitre.org/techniques/T1586/", "https://www.imperva.com/learn/application-security/account-takeover-ato/", "https://www.barracuda.com/glossary/account-takeover"], "tags": {"name": "GCP Account Takeover", "analytic_story": "GCP Account Takeover", "category": ["Account Compromise"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation", "Resource Development"], "datamodels": [], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"]}, "detection_names": ["ESCU - GCP Authentication Failed During MFA Challenge - Rule", "ESCU - GCP Multi-Factor Authentication Disabled - Rule", "ESCU - GCP Multiple Failed MFA Requests For User - Rule", "ESCU - GCP Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - GCP Successful Single-Factor Authentication - Rule", "ESCU - GCP Unusual Number of Failed Authentications From Ip - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Bhavin Patel, Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "GCP Authentication Failed During MFA Challenge", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}}, {"name": "GCP Multi-Factor Authentication Disabled", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}}, {"name": "GCP Multiple Failed MFA Requests For User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "GCP Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "GCP Successful Single-Factor Authentication", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "GCP Unusual Number of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}}]}, {"name": "GCP Cross Account Activity", "id": "0432039c-ef41-4b03-b157-450c25dad1e6", "version": 1, "date": "2020-09-01", "author": "Rod Soto, Splunk", "description": "Track when a user assumes an IAM role in another GCP account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity.", "narrative": "Google Cloud Platform (GCP) admins manage access to GCP resources and services across the enterprise using GCP Identity and Access Management (IAM) functionality. IAM provides the ability to create and manage GCP users, groups, and roles-each with their own unique set of privileges and defined access to specific resources (such as Compute instances, the GCP Management Console, API, or the command-line interface). Unlike conventional (human) users, IAM roles are potentially assumable by anyone in the organization. They provide users with dynamically created temporary security credentials that expire within a set time period.\\\nIn between the time between when the temporary credentials are issued and when they expire is a period of opportunity, where a user could leverage the temporary credentials to wreak havoc-spin up or remove instances, create new users, elevate privileges, and other malicious activities-throughout the environment.\\\nThis Analytic Story includes searches that will help you monitor your GCP Audit logs logs for evidence of suspicious cross-account activity. For example, while accessing multiple GCP accounts and roles may be perfectly valid behavior, it may be suspicious when an account requests privileges of an account it has not accessed in the past. After identifying suspicious activities, you can use the provided investigative searches to help you probe more deeply.", "references": ["https://cloud.google.com/iam/docs/understanding-service-accounts"], "tags": {"name": "GCP Cross Account Activity", "analytic_story": "GCP Cross Account Activity", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Email"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - GCP Detect gcploit framework - Rule", "ESCU - GCP Detect accounts with high risk roles by project - Rule", "ESCU - GCP Detect high risk permissions by resource and account - Rule", "ESCU - gcp detect oauth token abuse - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "GCP Detect gcploit framework", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "GCP Detect accounts with high risk roles by project", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "GCP Detect high risk permissions by resource and account", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "gcp detect oauth token abuse", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}]}, {"name": "Graceful Wipe Out Attack", "id": "83b15b3c-6bda-45aa-a3b6-b05c52443f44", "version": 1, "date": "2023-06-15", "author": "Teoderick Contreras, Splunk", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive attack or campaign found by \"THE DFIR Report\" that uses Truebot, FlawedGrace and MBR killer malware. This analytic story looks for suspicious dropped files, cobalt strike execution, im-packet execution, registry modification, scripts, persistence, lateral movement, impact, exfiltration and recon.", "narrative": "Graceful Wipe Out Attack is a destructive malware campaign found by \"The DFIR Report\" targeting multiple organizations to collect, exfiltrate and wipe the data of targeted networks. This malicious payload corrupts or wipes Master Boot Records by using an NSIS script after the exfiltration of sensitive information from the targeted host or system.", "references": ["https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/"], "tags": {"name": "Graceful Wipe Out Attack", "analytic_story": "Graceful Wipe Out Attack", "category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "Turla", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "admin@338"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1055.002", "mitre_attack_technique": "Portable Executable Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Gorgon Group", "Rocke"]}, {"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}], "mitre_attack_tactics": ["Collection", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Anomalous usage of 7zip - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - CMD Echo Pipe - Escalation - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Deleting Of Net Users - Rule", "ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - DLLHost with no Command Line Arguments with Network - Rule", "ESCU - Domain Account Discovery With Net App - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - GPUpdate with no Command Line Arguments with Network - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - SAM Database File Access Attempt - Rule", "ESCU - SearchProtocolHost with no Command Line with Network - Rule", "ESCU - SecretDumps Offline NTDS Dumping Tool - Rule", "ESCU - Services Escalate Exe - Rule", "ESCU - Suspicious DLLHost no Command Line Arguments - Rule", "ESCU - Suspicious GPUpdate no Command Line Arguments - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", "ESCU - Suspicious Rundll32 StartW - Rule", "ESCU - Suspicious SearchProtocolHost no Command Line Arguments - Rule", "ESCU - Windows AdFind Exe - Rule", "ESCU - Windows Process Injection Remote Thread - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows Service Stop By Deletion - Rule", "ESCU - Windows Service Stop Via Net and SC Application - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Anomalous usage of 7zip", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "CMD Echo Pipe - Escalation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Deleting Of Net Users", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Access Removal"}]}}, {"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "DLLHost with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Domain Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Access Removal"}]}}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "GPUpdate with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "SAM Database File Access Attempt", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "SearchProtocolHost with no Command Line with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "SecretDumps Offline NTDS Dumping Tool", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Services Escalate Exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Suspicious DLLHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Suspicious GPUpdate no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious SearchProtocolHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Windows AdFind Exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Windows Process Injection Remote Thread", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Portable Executable Injection"}]}}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "Windows Service Stop By Deletion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Windows Service Stop Via Net and SC Application", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}]}, {"name": "HAFNIUM Group", "id": "beae2ab0-7c3f-11eb-8b63-acde48001122", "version": 1, "date": "2021-03-03", "author": "Michael Haag, Splunk", "description": "HAFNIUM group was identified by Microsoft as exploiting 4 Microsoft Exchange CVEs in the wild - CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.", "narrative": "On Tuesday, March 2, 2021, Microsoft released a set of security patches for its mail server, Microsoft Exchange. These patches respond to a group of vulnerabilities known to impact Exchange 2013, 2016, and 2019. It is important to note that an Exchange 2010 security update has also been issued, though the CVEs do not reference that version as being vulnerable.\\\nWhile the CVEs do not shed much light on the specifics of the vulnerabilities or exploits, the first vulnerability (CVE-2021-26855) has a remote network attack vector that allows the attacker, a group Microsoft named HAFNIUM, to authenticate as the Exchange server. Three additional vulnerabilities (CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) were also identified as part of this activity. When chained together along with CVE-2021-26855 for initial access, the attacker would have complete control over the Exchange server. This includes the ability to run code as SYSTEM and write to any path on the server.\\\nThe following Splunk detections assist with identifying the HAFNIUM groups tradecraft and methodology.", "references": ["https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/"], "tags": {"name": "HAFNIUM Group", "analytic_story": "HAFNIUM Group", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "Dragonfly", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Credential Access", "Execution", "Initial Access", "Lateral Movement", "Persistence"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Command And Control", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Email servers sending high volume traffic to hosts - Rule", "ESCU - Dump LSASS via procdump Rename - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect New Local Admin account - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Dump LSASS via procdump - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Nishang PowershellTCPOneLine - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - W3WP Spawning Shell - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Email servers sending high volume traffic to hosts", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Remote Email Collection"}]}}, {"name": "Dump LSASS via procdump Rename", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}]}}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Detect New Local Admin account", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Dump LSASS via procdump", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Nishang PowershellTCPOneLine", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}]}, {"name": "Hermetic Wiper", "id": "b7511c2e-9a10-11ec-99e3-acde48001122", "version": 1, "date": "2022-03-02", "author": "Teoderick Contreras, Rod Soto, Michael Haag, Splunk", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive malware targeting Ukrainian organizations also known as \"Hermetic Wiper\". This analytic story looks for abuse of Regsvr32, executables written in administrative SMB Share, suspicious processes, disabling of memory crash dump and more.", "narrative": "Hermetic Wiper is destructive malware operation found by Sentinel One targeting multiple organizations in Ukraine. This malicious payload corrupts Master Boot Records, uses signed drivers and manipulates NTFS attributes for file destruction.", "references": ["https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/", "https://www.cisa.gov/uscert/ncas/alerts/aa22-057a"], "tags": {"name": "Hermetic Wiper", "analytic_story": "Hermetic Wiper", "category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1547.014", "mitre_attack_technique": "Active Setup", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Rocke"]}, {"mitre_attack_id": "T1037.001", "mitre_attack_technique": "Logon Script (Windows)", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "Cobalt Group"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Earth Lusca", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.008", "mitre_attack_technique": "Accessibility Features", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT3", "APT41", "Axiom", "Deep Panda", "Fox Kitten"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1027.005", "mitre_attack_technique": "Indicator Removal from Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT3", "Deep Panda", "GALLIUM", "OilRig", "Patchwork", "TEMP.Veles", "Turla"]}, {"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["TEMP.Veles"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1134.001", "mitre_attack_technique": "Token Impersonation/Theft", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "FIN8"]}, {"mitre_attack_id": "T1546.002", "mitre_attack_technique": "Screensaver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.003", "mitre_attack_technique": "Time Providers", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Execution", "Impact", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Email", "Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Suspicious Powershell Command-Line Arguments - Rule", "ESCU - Uncommon Processes On Endpoint - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Child Processes of Spoolsv exe - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Detect Empire with PowerShell Script Block Logging - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process With Obfuscation Techniques - Rule", "ESCU - MSI Module Loaded by Non-System Binary - Rule", "ESCU - Overwriting Accessibility Binaries - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - PowerShell Domain Enumeration - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Powershell Fileless Process Injection via GetProcAddress - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Runas Execution in CommandLine - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Unloading AMSI via Reflection - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows File Without Extension In Critical Folder - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - WMI Recon Running Process Or Services - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Michael Haag, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Email Attachments With Lots Of Spaces", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Suspicious Email Attachment Extensions", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Suspicious Powershell Command-Line Arguments", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}]}}, {"name": "Uncommon Processes On Endpoint", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious File"}]}}, {"name": "Active Setup Registry Autostart", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Active Setup"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Child Processes of Spoolsv exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Detect Empire with PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Blocking"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Kerberoasting spn request with RC4 encryption", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Linux Java Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Logon Script Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Boot or Logon Initialization Scripts"}, {"mitre_attack_technique": "Logon Script (Windows)"}]}}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Malicious PowerShell Process With Obfuscation Techniques", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "MSI Module Loaded by Non-System Binary", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Overwriting Accessibility Binaries", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Accessibility Features"}]}}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Remote Management"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "MMC"}]}}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "PowerShell Domain Enumeration", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Enable SMB1Protocol Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Indicator Removal from Tools"}]}}, {"name": "Powershell Execute COM Object", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Component Object Model Hijacking"}, {"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Fileless Process Injection via GetProcAddress", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Using memory As Backing Store", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Print Processor Registry Autostart", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Image File Execution Options Injection"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Runas Execution in CommandLine", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Access Token Manipulation"}, {"mitre_attack_technique": "Token Impersonation/Theft"}]}}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Screensaver"}]}}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Time Providers"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Unloading AMSI via Reflection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Windows Disable Memory Crash Dump", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows File Without Extension In Critical Folder", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "WMI Recon Running Process Or Services", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}]}, {"name": "Hidden Cobra Malware", "id": "baf7580b-d4b4-4774-8173-7d198e9da335", "version": 2, "date": "2020-01-22", "author": "Rico Valdez, Splunk", "description": "Monitor for and investigate activities, including the creation or deletion of hidden shares and file writes, that may be evidence of infiltration by North Korean government-sponsored cybercriminals. Details of this activity were reported in DHS Report TA-18-149A.", "narrative": "North Korea's government-sponsored \"cyber army\" has been slowly building momentum and gaining sophistication over the last 15 years or so. As a result, the group's activity, which the US government refers to as \"Hidden Cobra,\" has surreptitiously crept onto the collective radar as a preeminent global threat.\\\nThese state-sponsored actors are thought to be responsible for everything from a hack on a South Korean nuclear plant to an attack on Sony in anticipation of its release of the movie \"The Interview\" at the end of 2014. They're also notorious for cyberespionage. In recent years, the group seems to be focused on financial crimes, such as cryptojacking.\\\nIn June of 2018, The Department of Homeland Security, together with the FBI and other U.S. government partners, issued Technical Alert (TA-18-149A) to advise the public about two variants of North Korean malware. One variant, dubbed \"Joanap,\" is a multi-stage peer-to-peer botnet that allows North Korean state actors to exfiltrate data, download and execute secondary payloads, and initialize proxy communications. The other variant, \"Brambul,\" is a Windows32 SMB worm that is dropped into a victim network. When executed, the malware attempts to spread laterally within a victim's local subnet, connecting via the SMB protocol and initiating brute-force password attacks. It reports details to the Hidden Cobra actors via email, so they can use the information for secondary remote operations.\\\nAmong other searches in this Analytic Story is a detection search that looks for the creation or deletion of hidden shares, such as, \"adnim$,\" which the Hidden Cobra malware creates on the target system. Another looks for the creation of three malicious files associated with the malware. You can also use a search in this story to investigate activity that indicates that malware is sending email back to the attackers.", "references": ["https://web.archive.org/web/20191220004307/https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity", "https://web.archive.org/web/20220421112536/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf"], "tags": {"name": "Hidden Cobra Malware", "analytic_story": "Hidden Cobra Malware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.005", "mitre_attack_technique": "Network Share Connection Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Threat Group-3390"]}, {"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1071.002", "mitre_attack_technique": "File Transfer Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Kimsuky", "SilverTerrier"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Dragonfly", "Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}, {"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}], "mitre_attack_tactics": ["Command And Control", "Defense Evasion", "Execution", "Exfiltration", "Lateral Movement"], "datamodels": ["Endpoint", "Network_Resolution", "Network_Traffic"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - Suspicious File Write - Rule", "ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Remote Desktop Process Running On System - Rule", "ESCU - Detect Outbound SMB Traffic - Rule", "ESCU - DNS Query Length Outliers - MLTK - Rule", "ESCU - DNS Query Length With High Standard Deviation - Rule", "ESCU - Remote Desktop Network Traffic - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule"], "investigation_names": ["ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get DNS traffic ratio - Response Task", "ESCU - Get History Of Email Sources - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Outbound Emails to Hidden Cobra Threat Actors - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task", "ESCU - Get Process Responsible For The DNS Traffic - Response Task", "ESCU - Investigate Successful Remote Desktop Authentications - Response Task"], "baseline_names": ["ESCU - Baseline of DNS Query Length - MLTK", "ESCU - Baseline of SMB Traffic - MLTK", "ESCU - Identify Systems Creating Remote Desktop Traffic", "ESCU - Identify Systems Receiving Remote Desktop Traffic", "ESCU - Identify Systems Using Remote Desktop", "ESCU - Previously seen command line arguments"], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "Suspicious File Write", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Network Share Connection Removal"}]}}, {"name": "Remote Desktop Process Running On System", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Detect Outbound SMB Traffic", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File Transfer Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "DNS Query Length Outliers - MLTK", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "DNS Query Length With High Standard Deviation", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Remote Desktop Network Traffic", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "SMB Traffic Spike", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "SMB Traffic Spike - MLTK", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}}]}, {"name": "IIS Components", "id": "0fbde550-8252-43ab-a26a-03976f55b58b", "version": 1, "date": "2022-12-19", "author": "Michael Haag, Splunk", "description": "Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence.", "narrative": "IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions - Get{Extension/Filter}Version, Http{Extension/Filter}Proc, and (optionally) Terminate{Extension/Filter}. IIS modules may also be installed to extend IIS web servers.\\\nAdversaries may install malicious ISAPI extensions and filters to observe and/or modify traffic, execute commands on compromised machines, or proxy command and control traffic. ISAPI extensions and filters may have access to all IIS web requests and responses. For example, an adversary may abuse these mechanisms to modify HTTP responses in order to distribute malicious commands/content to previously comprised hosts.\\\nAdversaries may also install malicious IIS modules to observe and/or modify traffic. IIS 7.0 introduced modules that provide the same unrestricted access to HTTP requests and responses as ISAPI extensions and filters. IIS modules can be written as a DLL that exports RegisterModule, or as a .NET application that interfaces with ASP.NET APIs to access IIS HTTP requests. (reference MITRE)", "references": ["https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://attack.mitre.org/techniques/T1505/004/", "https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union", "https://strontic.github.io/xcyclopedia/library/appcmd.exe-055B2B09409F980BF9B5A3969D01E5B2.html"], "tags": {"name": "IIS Components", "analytic_story": "IIS Components", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.002", "mitre_attack_technique": "Disable Windows Event Logging", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound", "Threat Group-3390"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "datamodels": ["Endpoint", "Web"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Windows Disable Windows Event Logging Disable HTTP Logging - Rule", "ESCU - Windows IIS Components Add New Module - Rule", "ESCU - Windows IIS Components Get-WebGlobalModule Module Query - Rule", "ESCU - Windows IIS Components Module Failed to Load - Rule", "ESCU - Windows IIS Components New Module Added - Rule", "ESCU - Windows PowerShell Add Module to Global Assembly Cache - Rule", "ESCU - Windows PowerShell Disable HTTP Logging - Rule", "ESCU - Windows PowerShell IIS Components WebGlobalModule Usage - Rule", "ESCU - Windows Server Software Component GACUtil Install to GAC - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Disable Windows Event Logging Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable Windows Event Logging"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}}, {"name": "Windows IIS Components Add New Module", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}}, {"name": "Windows IIS Components Get-WebGlobalModule Module Query", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "IIS Components"}, {"mitre_attack_technique": "Server Software Component"}]}}, {"name": "Windows IIS Components Module Failed to Load", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}}, {"name": "Windows IIS Components New Module Added", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}}, {"name": "Windows PowerShell Add Module to Global Assembly Cache", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}}, {"name": "Windows PowerShell Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable Windows Event Logging"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}}, {"name": "Windows PowerShell IIS Components WebGlobalModule Usage", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}}, {"name": "Windows Server Software Component GACUtil Install to GAC", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}}]}, {"name": "Industroyer2", "id": "7ff7db2b-b001-498e-8fe8-caf2dbc3428a", "version": 1, "date": "2022-04-21", "author": "Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Industroyer2 attack, including file writes associated with its payload, lateral movement, persistence, privilege escalation and data destruction.", "narrative": "Industroyer2 is part of continuous attack to ukraine targeting energy facilities. This malware is a windows binary that implement IEC-104 protocol to communicate with industrial equipments. This attack consist of several destructive linux script component to wipe or delete several linux critical files, powershell for domain enumeration and caddywiper to wipe boot sector of the targeted host.", "references": ["https://cert.gov.ua/article/39518", "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/"], "tags": {"name": "Industroyer2", "analytic_story": "Industroyer2", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "Rocke"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - AdsiSearcher Account Discovery - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux DD File Overwrite - Rule", "ESCU - Linux Deleting Critical Directory Using RM Command - Rule", "ESCU - Linux Disable Services - Rule", "ESCU - Linux High Frequency Of File Deletion In Boot Folder - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Stdout Redirection To Dev Null File - Rule", "ESCU - Linux Stop Services - Rule", "ESCU - Linux System Network Discovery - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows Linked Policies In ADSI Discovery - Rule", "ESCU - Windows Processes Killed By Industroyer2 Malware - Rule", "ESCU - Windows Root Domain linked policies Discovery - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "AdsiSearcher Account Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux DD File Overwrite", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Deleting Critical Directory Using RM Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Disable Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Linux High Frequency Of File Deletion In Boot Folder", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Stdout Redirection To Dev Null File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Linux Stop Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Linux System Network Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}]}}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows Linked Policies In ADSI Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Windows Processes Killed By Industroyer2 Malware", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Windows Root Domain linked policies Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}]}, {"name": "Information Sabotage", "id": "b71ba595-ef80-4e39-8b66-887578a7a71b", "version": 1, "date": "2021-11-17", "author": "Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might correlate to insider threat specially in terms of information sabotage.", "narrative": "Information sabotage is the type of crime many people associate with insider threat. Where the current or former employees, contractors, or business partners intentionally exceeded or misused an authorized level of access to networks, systems, or data with the intention of harming a specific individual, the organization, or the organization's data, systems, and/or daily business operations.", "references": ["https://insights.sei.cmu.edu/blog/insider-threat-deep-dive-it-sabotage/"], "tags": {"name": "Information Sabotage", "analytic_story": "Information Sabotage", "category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud", "Splunk Behavioral Analytics"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Exfiltration"], "datamodels": [], "kill_chain_phases": ["Actions on Objectives"]}, "detection_names": ["ESCU - High Frequency Copy Of Files In Network Share - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "High Frequency Copy Of Files In Network Share", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}]}, {"name": "Ingress Tool Transfer", "id": "b3782036-8cbd-11eb-9d8e-acde48001122", "version": 1, "date": "2021-03-24", "author": "Michael Haag, Splunk", "description": "Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the Command And Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP.", "narrative": "Ingress tool transfer is a Technique under tactic Command And Control. Behaviors will include the use of living off the land binaries to download implants or binaries over alternate communication ports. It is imperative to baseline applications on endpoints to understand what generates network activity, to where, and what is its native behavior. These utilities, when abused, will write files to disk in world writeable paths.\\ During triage, review the reputation of the remote public destination IP or domain. Capture any files written to disk and perform analysis. Review other parrallel processes for additional behaviors.", "references": ["https://attack.mitre.org/techniques/T1105/"], "tags": {"name": "Ingress Tool Transfer", "analytic_story": "Ingress Tool Transfer", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1197", "mitre_attack_technique": "BITS Jobs", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT39", "APT41", "Leviathan", "Patchwork"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "POLONIUM", "Sandworm Team", "Turla", "Windigo"]}, {"mitre_attack_id": "T1095", "mitre_attack_technique": "Non-Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT3", "BITTER", "BackdoorDiplomacy", "FIN6", "HAFNIUM", "Metador", "PLATINUM"]}], "mitre_attack_tactics": ["Command And Control", "Defense Evasion", "Execution", "Persistence"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule", "ESCU - Curl Download and Bash Execution - Rule", "ESCU - Linux Curl Upload File - Rule", "ESCU - Linux Ingress Tool Transfer Hunting - Rule", "ESCU - Linux Ingress Tool Transfer with Curl - Rule", "ESCU - Linux Proxy Socks Curl - Rule", "ESCU - Suspicious Curl Network Connection - Rule", "ESCU - Wget Download and Bash Execution - Rule", "ESCU - Windows Curl Download to Suspicious Path - Rule", "ESCU - Windows Curl Upload to Remote Destination - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "BITS Jobs"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CertUtil Download With VerifyCtl and Split Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Curl Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Linux Curl Upload File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Linux Ingress Tool Transfer Hunting", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Linux Ingress Tool Transfer with Curl", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Linux Proxy Socks Curl", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Non-Application Layer Protocol"}]}}, {"name": "Suspicious Curl Network Connection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Wget Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Windows Curl Download to Suspicious Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Windows Curl Upload to Remote Destination", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}]}, {"name": "Insider Threat", "id": "c633df29-a950-4c4c-a0f8-02be6730797c", "version": 1, "date": "2022-05-19", "author": "Jose Hernandez, Splunk", "description": "Monitor for activities and techniques associated with insider threats and specifically focusing on malicious insiders operating with in a corporate environment.", "narrative": "Insider Threats are best defined by CISA: \"Insider threat incidents are possible in any sector or organization. An insider threat is typically a current or former employee, third-party contractor, or business partner. In their present or former role, the person has or had access to an organization's network systems, data, or premises, and uses their access (sometimes unwittingly). To combat the insider threat, organizations can implement a proactive, prevention-focused mitigation program to detect and identify threats, assess risk, and manage that risk - before an incident occurs.\" An insider is any person who has or had authorized access to or knowledge of an organization's resources, including personnel, facilities, information, equipment, networks, and systems. These are the common insiders that create insider threats: Departing Employees, Security Evaders, Malicious Insiders, and Negligent Employees. This story aims at detecting the malicious insider.", "references": ["https://www.imperva.com/learn/application-security/insider-threats/", "https://www.cisa.gov/defining-insider-threats", "https://www.code42.com/glossary/types-of-insider-threats/", "https://github.com/Insider-Threat/Insider-Threat", "https://ctid.mitre-engenuity.org/our-work/insider-ttp-kb/"], "tags": {"name": "Insider Threat", "analytic_story": "Insider Threat", "category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud", "Splunk Behavioral Analytics"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1567.002", "mitre_attack_technique": "Exfiltration to Cloud Storage", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Chimera", "Confucius", "Earth Lusca", "FIN7", "HAFNIUM", "HEXANE", "Kimsuky", "Leviathan", "LuminousMoth", "POLONIUM", "Threat Group-3390", "Turla", "ZIRCONIUM"]}, {"mitre_attack_id": "T1567", "mitre_attack_technique": "Exfiltration Over Web Service", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT28", "Magic Hound"]}, {"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1078.003", "mitre_attack_technique": "Local Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "FIN10", "HAFNIUM", "Kimsuky", "PROMETHIUM", "Tropic Trooper", "Turla"]}, {"mitre_attack_id": "T1552.001", "mitre_attack_technique": "Credentials In Files", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "Fox Kitten", "Kimsuky", "Leafminer", "MuddyWater", "OilRig", "TA505", "TeamTNT"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "TeamTNT", "Thrip"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Exfiltration", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Authentication", "Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Gsuite Drive Share In External Email - Rule", "ESCU - Gsuite Outbound Email With Attachment To External Domain - Rule", "ESCU - High Frequency Copy Of Files In Network Share - Rule", "ESCU - Potential password in username - Rule", "ESCU - Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Process - Rule", "ESCU - Windows Remote Access Software Hunt - Rule", "ESCU - Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate From Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Jose Hernandez", "detections": [{"name": "Gsuite Drive Share In External Email", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration to Cloud Storage"}, {"mitre_attack_technique": "Exfiltration Over Web Service"}]}}, {"name": "Gsuite Outbound Email With Attachment To External Domain", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "High Frequency Copy Of Files In Network Share", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "Potential password in username", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Accounts"}, {"mitre_attack_technique": "Credentials In Files"}]}}, {"name": "Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Failed To Authenticate From Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Remote Access Software Hunt", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Access Software"}]}}, {"name": "Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Failed To Authenticate From Process", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}]}, {"name": "JBoss Vulnerability", "id": "1f5294cb-b85f-4c2d-9c58-ffcf248f52bd", "version": 1, "date": "2017-09-14", "author": "Bhavin Patel, Splunk", "description": "In March of 2016, adversaries were seen using JexBoss--an open-source utility used for testing and exploiting JBoss application servers. These searches help detect evidence of these attacks, such as network connections to external resources or web services spawning atypical child processes, among others.", "narrative": "This Analytic Story looks for probing and exploitation attempts targeting JBoss application servers. While the vulnerabilities associated with this story are rather dated, they were leveraged in a spring 2016 campaign in connection with the Samsam ransomware variant. Incidents involving this ransomware are unique, in that they begin with attacks against vulnerable services, rather than the phishing or drive-by attacks more common with ransomware. In this case, vulnerable JBoss applications appear to be the target of choice.\\\nIt is helpful to understand how often a notable event generated by this story occurs, as well as the commonalities between some of these events, both of which may provide clues about whether this is a common occurrence of minimal concern or a rare event that may require more extensive investigation. It may also help to understand whether the issue is restricted to a single user/system or whether it is broader in scope.\\\nWhen looking at the target of the behavior uncovered by the event, you should note the sensitivity of the user and or/system to help determine the potential impact. It is also helpful to identify other recent events involving the target. This can help tie different events together and give further situational awareness regarding the target host.\\\nVarious types of information for external systems should be reviewed and, potentially, collected if the incident is, indeed, judged to be malicious. This data may be useful for generating your own threat intelligence, so you can create future alerts.\\\nThe following factors may assist you in determining whether the event is malicious: \\\n1. Country of origin\\\n1. Responsible party\\\n1. Fully qualified domain names associated with the external IP address\\\n1. Registration of fully qualified domain names associated with external IP address Determining whether it is a dynamic domain frequently visited by others and/or how third parties categorize it can also help you qualify and understand the event and possible motivation for the attack. In addition, there are various sources that may provide reputation information on the IP address or domain name, which can assist you in determining whether the event is malicious in nature. Finally, determining whether there are other events associated with the IP address may help connect data points or expose other historic events that might be brought back into scope.\\\nGathering various data on the system of interest can sometimes help quickly determine whether something suspicious is happening. Some of these items include determining who else may have logged into the system recently, whether any unusual scheduled tasks exist, whether the system is communicating on suspicious ports, whether there are modifications to sensitive registry keys, and/or whether there are any known vulnerabilities on the system. This information can often highlight other activity commonly seen in attack scenarios or give more information about how the system may have been targeted.\\\nhen a specific service or application is targeted, it is often helpful to know the associated version, to help determine whether it is vulnerable to a specific exploit.\\\nIf you suspect an attack targeting a web server, it is helpful to look at some of the behavior of the web service to see if there is evidence that the service has been compromised. Some indications of this might be network connections to external resources, the web service spawning child processes that are not associated with typical behavior, and whether the service wrote any files that might be malicious in nature.\\\nIf a suspicious file is found, we can review more information about it to help determine if it is, in fact, malicious. Identifying the file type, any processes that opened the file, the processes that may have created and/or modified the file, and how many other systems potentially have this file can you determine whether the file is malicious. Also, determining the file hash and checking it against reputation sources, such as VirusTotal, can sometimes help you quickly determine if it is malicious in nature.\\\nOften, a simple inspection of a suspect process name and path can tell you if the system has been compromised. For example, if svchost.exe is found running from a location other than `C:\\Windows\\System32`, it is likely something malicious designed to hide in plain sight when simply reviewing process names. \\\nIt can also be helpful to examine various behaviors of and the parent of the process of interest. For example, if it turns out the process of interest is malicious, it would be good to see whether the parent process spawned other processes that might also warrant further scrutiny. If a process is suspect, a review of the network connections made around the time of the event and noting whether the process has spawned any child processes could be helpful in determining whether it is malicious or executing a malicious script.", "references": ["http://www.deependresearch.org/2016/04/jboss-exploits-view-from-victim.html"], "tags": {"name": "JBoss Vulnerability", "analytic_story": "JBoss Vulnerability", "category": ["Vulnerability"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TeamTNT", "Tropic Trooper", "Turla", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Discovery", "Initial Access", "Persistence"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Detect attackers scanning for vulnerable JBoss servers - Rule", "ESCU - Detect malicious requests to exploit JBoss servers - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect attackers scanning for vulnerable JBoss servers", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Information Discovery"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Detect malicious requests to exploit JBoss servers", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Kubernetes Scanning Activity", "id": "a9ef59cf-e981-4e66-9eef-bb049f695c09", "version": 1, "date": "2020-04-15", "author": "Rod Soto, Splunk", "description": "This story addresses detection against Kubernetes cluster fingerprint scan and attack by providing information on items such as source ip, user agent, cluster names.", "narrative": "Kubernetes is the most used container orchestration platform, this orchestration platform contains sensitve information and management priviledges of production workloads, microservices and applications. These searches allow operator to detect suspicious unauthenticated requests from the internet to kubernetes cluster.", "references": ["https://github.com/splunk/cloud-datamodel-security-research"], "tags": {"name": "Kubernetes Scanning Activity", "analytic_story": "Kubernetes Scanning Activity", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Discovery"], "datamodels": ["Email"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Amazon EKS Kubernetes cluster scan detection - Rule", "ESCU - Amazon EKS Kubernetes Pod scan detection - Rule", "ESCU - GCP Kubernetes cluster pod scan detection - Rule", "ESCU - GCP Kubernetes cluster scan detection - Rule", "ESCU - Kubernetes Azure pod scan fingerprint - Rule", "ESCU - Kubernetes Azure scan fingerprint - Rule"], "investigation_names": ["ESCU - Amazon EKS Kubernetes activity by src ip - Response Task", "ESCU - GCP Kubernetes activity by src ip - Response Task", "ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "Amazon EKS Kubernetes cluster scan detection", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Service Discovery"}]}}, {"name": "Amazon EKS Kubernetes Pod scan detection", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Service Discovery"}]}}, {"name": "GCP Kubernetes cluster pod scan detection", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Service Discovery"}]}}, {"name": "GCP Kubernetes cluster scan detection", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Service Discovery"}]}}, {"name": "Kubernetes Azure pod scan fingerprint", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes Azure scan fingerprint", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Service Discovery"}]}}]}, {"name": "Kubernetes Sensitive Object Access Activity", "id": "c7d4dbf0-a171-4eaf-8444-4f40392e4f92", "version": 1, "date": "2020-05-20", "author": "Rod Soto, Splunk", "description": "This story addresses detection and response of accounts acccesing Kubernetes cluster sensitive objects such as configmaps or secrets providing information on items such as user user, group. object, namespace and authorization reason.", "narrative": "Kubernetes is the most used container orchestration platform, this orchestration platform contains sensitive objects within its architecture, specifically configmaps and secrets, if accessed by an attacker can lead to further compromise. These searches allow operator to detect suspicious requests against Kubernetes sensitive objects.", "references": ["https://www.splunk.com/en_us/blog/security/approaching-kubernetes-security-detecting-kubernetes-scan-with-splunk.html"], "tags": {"name": "Kubernetes Sensitive Object Access Activity", "analytic_story": "Kubernetes Sensitive Object Access Activity", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Kubernetes AWS detect suspicious kubectl calls - Rule", "ESCU - AWS EKS Kubernetes cluster sensitive object access - Rule", "ESCU - Kubernetes AWS detect service accounts forbidden failure access - Rule", "ESCU - Kubernetes Azure detect sensitive object access - Rule", "ESCU - Kubernetes Azure detect service accounts forbidden failure access - Rule", "ESCU - Kubernetes Azure detect suspicious kubectl calls - Rule", "ESCU - Kubernetes GCP detect sensitive object access - Rule", "ESCU - Kubernetes GCP detect service accounts forbidden failure access - Rule", "ESCU - Kubernetes GCP detect suspicious kubectl calls - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "Kubernetes AWS detect suspicious kubectl calls", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "AWS EKS Kubernetes cluster sensitive object access", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes AWS detect service accounts forbidden failure access", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes Azure detect sensitive object access", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes Azure detect service accounts forbidden failure access", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes Azure detect suspicious kubectl calls", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes GCP detect sensitive object access", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes GCP detect service accounts forbidden failure access", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes GCP detect suspicious kubectl calls", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Linux Living Off The Land", "id": "e405a2d7-dc8e-4227-8e9d-f60267b8c0cd", "version": 1, "date": "2022-07-27", "author": "Michael Haag, Splunk", "description": "Linux Living Off The Land consists of binaries that may be used to bypass local security restrictions within misconfigured systems.", "narrative": "Similar to Windows LOLBAS project, the GTFOBins project focuses solely on Unix binaries that may be abused in multiple categories including Reverse Shell, File Upload, File Download and much more. These binaries are native to the operating system and the functionality is typically native. The behaviors are typically not malicious by default or vulnerable, but these are built in functionality of the applications. When reviewing any notables or hunting through mountains of events of interest, it's important to identify the binary, review command-line arguments, path of file, and capture any network and file modifications. Linux analysis may be a bit cumbersome due to volume and how process behavior is seen in EDR products. Piecing it together will require some effort.", "references": ["https://gtfobins.github.io/"], "tags": {"name": "Linux Living Off The Land", "analytic_story": "Linux Living Off The Land", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "Rocke"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1222.002", "mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1115", "mitre_attack_technique": "Clipboard Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT38", "APT39"]}, {"mitre_attack_id": "T1548.001", "mitre_attack_technique": "Setuid and Setgid", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1059.004", "mitre_attack_technique": "Unix Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT41", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1098.004", "mitre_attack_technique": "SSH Authorized Keys", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Earth Lusca", "TeamTNT"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "POLONIUM", "Sandworm Team", "Turla", "Windigo"]}, {"mitre_attack_id": "T1095", "mitre_attack_technique": "Non-Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT3", "BITTER", "BackdoorDiplomacy", "FIN6", "HAFNIUM", "Metador", "PLATINUM"]}, {"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.004", "mitre_attack_technique": "SSH", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT39", "BlackTech", "FIN7", "Fox Kitten", "GCMAN", "Lazarus Group", "Leviathan", "OilRig", "Rocke", "TEMP.Veles", "TeamTNT", "menuPass"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Defense Evasion", "Execution", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Curl Download and Bash Execution - Rule", "ESCU - Linux Add Files In Known Crontab Directories - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux apt-get Privilege Escalation - Rule", "ESCU - Linux APT Privilege Escalation - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux AWK Privilege Escalation - Rule", "ESCU - Linux Busybox Privilege Escalation - Rule", "ESCU - Linux c89 Privilege Escalation - Rule", "ESCU - Linux c99 Privilege Escalation - Rule", "ESCU - Linux Change File Owner To Root - Rule", "ESCU - Linux Clipboard Data Copy - Rule", "ESCU - Linux Common Process For Elevation Control - Rule", "ESCU - Linux Composer Privilege Escalation - Rule", "ESCU - Linux Cpulimit Privilege Escalation - Rule", "ESCU - Linux Csvtool Privilege Escalation - Rule", "ESCU - Linux Curl Upload File - Rule", "ESCU - Linux Decode Base64 to Shell - Rule", "ESCU - Linux Docker Privilege Escalation - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux Emacs Privilege Escalation - Rule", "ESCU - Linux Find Privilege Escalation - Rule", "ESCU - Linux GDB Privilege Escalation - Rule", "ESCU - Linux Gem Privilege Escalation - Rule", "ESCU - Linux GNU Awk Privilege Escalation - Rule", "ESCU - Linux Ingress Tool Transfer Hunting - Rule", "ESCU - Linux Ingress Tool Transfer with Curl - Rule", "ESCU - Linux Make Privilege Escalation - Rule", "ESCU - Linux MySQL Privilege Escalation - Rule", "ESCU - Linux Node Privilege Escalation - Rule", "ESCU - Linux Obfuscated Files or Information Base64 Decode - Rule", "ESCU - Linux Octave Privilege Escalation - Rule", "ESCU - Linux OpenVPN Privilege Escalation - Rule", "ESCU - Linux PHP Privilege Escalation - Rule", "ESCU - Linux pkexec Privilege Escalation - Rule", "ESCU - Linux Possible Access Or Modification Of sshd Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Possible Ssh Key File Creation - Rule", "ESCU - Linux Proxy Socks Curl - Rule", "ESCU - Linux Puppet Privilege Escalation - Rule", "ESCU - Linux RPM Privilege Escalation - Rule", "ESCU - Linux Ruby Privilege Escalation - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Linux Setuid Using Chmod Utility - Rule", "ESCU - Linux Sqlite3 Privilege Escalation - Rule", "ESCU - Linux SSH Authorized Keys Modification - Rule", "ESCU - Linux SSH Remote Services Script Execute - Rule", "ESCU - Suspicious Curl Network Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Curl Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Linux Add Files In Known Crontab Directories", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux apt-get Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux APT Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux At Allow Config File Creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux At Application Execution", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux AWK Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Busybox Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux c89 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux c99 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Change File Owner To Root", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification"}, {"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Linux Clipboard Data Copy", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Clipboard Data"}]}}, {"name": "Linux Common Process For Elevation Control", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Composer Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Cpulimit Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Csvtool Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Curl Upload File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Linux Decode Base64 to Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Unix Shell"}]}}, {"name": "Linux Docker Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Edit Cron Table Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Emacs Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Find Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux GDB Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Gem Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux GNU Awk Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Ingress Tool Transfer Hunting", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Linux Ingress Tool Transfer with Curl", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Linux Make Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux MySQL Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Node Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Obfuscated Files or Information Base64 Decode", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Linux Octave Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux OpenVPN Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux PHP Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux pkexec Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Linux Possible Access Or Modification Of sshd Config File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SSH Authorized Keys"}, {"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Possible Cronjob Modification With Editor", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Possible Ssh Key File Creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SSH Authorized Keys"}, {"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Linux Proxy Socks Curl", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Non-Application Layer Protocol"}]}}, {"name": "Linux Puppet Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux RPM Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Ruby Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Service File Created In Systemd Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Service Started Or Enabled", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Setuid Using Chmod Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Sqlite3 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux SSH Authorized Keys Modification", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SSH Authorized Keys"}]}}, {"name": "Linux SSH Remote Services Script Execute", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SSH"}]}}, {"name": "Suspicious Curl Network Connection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}]}, {"name": "Linux Persistence Techniques", "id": "e40d13e5-d38b-457e-af2a-e8e6a2f2b516", "version": 1, "date": "2021-12-17", "author": "Teoderick Contreras, Splunk", "description": "Monitor for activities and techniques associated with maintaining persistence on a Linux system--a sign that an adversary may have compromised your environment.", "narrative": "Maintaining persistence is one of the first steps taken by attackers after the initial compromise. Attackers leverage various custom and built-in tools to ensure survivability and persistent access within a compromised enterprise. This Analytic Story provides searches to help you identify various behaviors used by attackers to maintain persistent access to a Linux environment.", "references": ["https://attack.mitre.org/techniques/T1053/", "https://kifarunix.com/scheduling-tasks-using-at-command-in-linux/", "https://gtfobins.github.io/gtfobins/at/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf"], "tags": {"name": "Linux Persistence Techniques", "analytic_story": "Linux Persistence Techniques", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "Rocke"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "Dragonfly", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1222.002", "mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548.001", "mitre_attack_technique": "Setuid and Setgid", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1037.004", "mitre_attack_technique": "RC Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Rocke"]}, {"mitre_attack_id": "T1546.004", "mitre_attack_technique": "Unix Shell Configuration Modification", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1098.004", "mitre_attack_technique": "SSH Authorized Keys", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Earth Lusca", "TeamTNT"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1003.008", "mitre_attack_technique": "/etc/passwd and /etc/shadow", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1574.006", "mitre_attack_technique": "Dynamic Linker Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Rocke"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Execution", "Impact", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Linux Add Files In Known Crontab Directories - Rule", "ESCU - Linux Add User Account - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux Change File Owner To Root - Rule", "ESCU - Linux Common Process For Elevation Control - Rule", "ESCU - Linux Doas Conf File Creation - Rule", "ESCU - Linux Doas Tool Execution - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux File Created In Kernel Driver Directory - Rule", "ESCU - Linux File Creation In Init Boot Directory - Rule", "ESCU - Linux File Creation In Profile Directory - Rule", "ESCU - Linux Insert Kernel Module Using Insmod Utility - Rule", "ESCU - Linux Install Kernel Module Using Modprobe Utility - Rule", "ESCU - Linux NOPASSWD Entry In Sudoers File - Rule", "ESCU - Linux Persistence and Privilege Escalation Risk Behavior - Rule", "ESCU - Linux Possible Access Or Modification Of sshd Config File - Rule", "ESCU - Linux Possible Access To Credential Files - Rule", "ESCU - Linux Possible Access To Sudoers File - Rule", "ESCU - Linux Possible Append Command To At Allow Config File - Rule", "ESCU - Linux Possible Append Command To Profile Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Possible Ssh Key File Creation - Rule", "ESCU - Linux Preload Hijack Library Calls - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Linux Setuid Using Chmod Utility - Rule", "ESCU - Linux Setuid Using Setcap Utility - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Sudo OR Su Execution - Rule", "ESCU - Linux Sudoers Tmp File Creation - Rule", "ESCU - Linux Visudo Utility Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Add Files In Known Crontab Directories", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Add User Account", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux At Allow Config File Creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux At Application Execution", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Change File Owner To Root", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification"}, {"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Linux Common Process For Elevation Control", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Doas Conf File Creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Doas Tool Execution", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Edit Cron Table Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux File Created In Kernel Driver Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Linux File Creation In Init Boot Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "RC Scripts"}, {"mitre_attack_technique": "Boot or Logon Initialization Scripts"}]}}, {"name": "Linux File Creation In Profile Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unix Shell Configuration Modification"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Linux Insert Kernel Module Using Insmod Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Linux Install Kernel Module Using Modprobe Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Linux NOPASSWD Entry In Sudoers File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Persistence and Privilege Escalation Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Possible Access Or Modification Of sshd Config File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SSH Authorized Keys"}, {"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Linux Possible Access To Credential Files", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "/etc/passwd and /etc/shadow"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Linux Possible Access To Sudoers File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Possible Append Command To At Allow Config File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Possible Append Command To Profile Config File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unix Shell Configuration Modification"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Possible Cronjob Modification With Editor", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Possible Ssh Key File Creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SSH Authorized Keys"}, {"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Linux Preload Hijack Library Calls", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Dynamic Linker Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Linux Service File Created In Systemd Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Service Started Or Enabled", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Setuid Using Chmod Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Setuid Using Setcap Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Sudo OR Su Execution", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Sudoers Tmp File Creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Visudo Utility Execution", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}]}, {"name": "Linux Post-Exploitation", "id": "d310ccfe-5477-11ec-ad05-acde48001122", "version": 1, "date": "2021-12-03", "author": "Rod Soto", "description": "This analytic story identifies popular Linux post exploitation tools such as autoSUID, LinEnum, LinPEAS, Linux Exploit Suggesters, MimiPenguin.", "narrative": "These tools allow operators find possible exploits or paths for privilege escalation based on SUID binaries, user permissions, kernel version and distro version.", "references": ["https://attack.mitre.org/matrices/enterprise/linux/"], "tags": {"name": "Linux Post-Exploitation", "analytic_story": "Linux Post-Exploitation", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.004", "mitre_attack_technique": "Unix Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT41", "Rocke", "TeamTNT"]}], "mitre_attack_tactics": ["Execution"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation"]}, "detection_names": ["ESCU - Suspicious Linux Discovery Commands - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Rod Soto", "detections": [{"name": "Suspicious Linux Discovery Commands", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unix Shell"}]}}]}, {"name": "Linux Privilege Escalation", "id": "b9879c24-670a-44c0-895e-98cdb7d0e848", "version": 1, "date": "2021-12-17", "author": "Teoderick Contreras, Splunk", "description": "Monitor for and investigate activities that may be associated with a Linux privilege-escalation attack, including unusual processes running on endpoints, schedule task, services, setuid, root execution and more.", "narrative": "Privilege escalation is a \"land-and-expand\" technique, wherein an adversary gains an initial foothold on a host and then exploits its weaknesses to increase his privileges. The motivation is simple: certain actions on a Linux machine--such as installing software--may require higher-level privileges than those the attacker initially acquired. By increasing his privilege level, the attacker can gain the control required to carry out his malicious ends. This Analytic Story provides searches to detect and investigate behaviors that attackers may use to elevate their privileges in your environment.", "references": ["https://attack.mitre.org/tactics/TA0004/"], "tags": {"name": "Linux Privilege Escalation", "analytic_story": "Linux Privilege Escalation", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "Rocke"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "Dragonfly", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1222.002", "mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548.001", "mitre_attack_technique": "Setuid and Setgid", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1037.004", "mitre_attack_technique": "RC Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Rocke"]}, {"mitre_attack_id": "T1546.004", "mitre_attack_technique": "Unix Shell Configuration Modification", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1098.004", "mitre_attack_technique": "SSH Authorized Keys", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Earth Lusca", "TeamTNT"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1003.008", "mitre_attack_technique": "/etc/passwd and /etc/shadow", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1574.006", "mitre_attack_technique": "Dynamic Linker Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Rocke"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Execution", "Impact", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Linux Add Files In Known Crontab Directories - Rule", "ESCU - Linux Add User Account - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux apt-get Privilege Escalation - Rule", "ESCU - Linux APT Privilege Escalation - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux AWK Privilege Escalation - Rule", "ESCU - Linux Busybox Privilege Escalation - Rule", "ESCU - Linux c89 Privilege Escalation - Rule", "ESCU - Linux c99 Privilege Escalation - Rule", "ESCU - Linux Change File Owner To Root - Rule", "ESCU - Linux Common Process For Elevation Control - Rule", "ESCU - Linux Composer Privilege Escalation - Rule", "ESCU - Linux Cpulimit Privilege Escalation - Rule", "ESCU - Linux Csvtool Privilege Escalation - Rule", "ESCU - Linux Doas Conf File Creation - Rule", "ESCU - Linux Doas Tool Execution - Rule", "ESCU - Linux Docker Privilege Escalation - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux Emacs Privilege Escalation - Rule", "ESCU - Linux File Created In Kernel Driver Directory - Rule", "ESCU - Linux File Creation In Init Boot Directory - Rule", "ESCU - Linux File Creation In Profile Directory - Rule", "ESCU - Linux Find Privilege Escalation - Rule", "ESCU - Linux GDB Privilege Escalation - Rule", "ESCU - Linux Gem Privilege Escalation - Rule", "ESCU - Linux GNU Awk Privilege Escalation - Rule", "ESCU - Linux Insert Kernel Module Using Insmod Utility - Rule", "ESCU - Linux Install Kernel Module Using Modprobe Utility - Rule", "ESCU - Linux Make Privilege Escalation - Rule", "ESCU - Linux MySQL Privilege Escalation - Rule", "ESCU - Linux Node Privilege Escalation - Rule", "ESCU - Linux NOPASSWD Entry In Sudoers File - Rule", "ESCU - Linux Octave Privilege Escalation - Rule", "ESCU - Linux OpenVPN Privilege Escalation - Rule", "ESCU - Linux Persistence and Privilege Escalation Risk Behavior - Rule", "ESCU - Linux PHP Privilege Escalation - Rule", "ESCU - Linux pkexec Privilege Escalation - Rule", "ESCU - Linux Possible Access Or Modification Of sshd Config File - Rule", "ESCU - Linux Possible Access To Credential Files - Rule", "ESCU - Linux Possible Access To Sudoers File - Rule", "ESCU - Linux Possible Append Command To At Allow Config File - Rule", "ESCU - Linux Possible Append Command To Profile Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Possible Ssh Key File Creation - Rule", "ESCU - Linux Preload Hijack Library Calls - Rule", "ESCU - Linux Puppet Privilege Escalation - Rule", "ESCU - Linux RPM Privilege Escalation - Rule", "ESCU - Linux Ruby Privilege Escalation - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Linux Setuid Using Chmod Utility - Rule", "ESCU - Linux Setuid Using Setcap Utility - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Sqlite3 Privilege Escalation - Rule", "ESCU - Linux Sudo OR Su Execution - Rule", "ESCU - Linux Sudoers Tmp File Creation - Rule", "ESCU - Linux Visudo Utility Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Add Files In Known Crontab Directories", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Add User Account", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux apt-get Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux APT Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux At Allow Config File Creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux At Application Execution", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux AWK Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Busybox Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux c89 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux c99 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Change File Owner To Root", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification"}, {"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Linux Common Process For Elevation Control", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Composer Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Cpulimit Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Csvtool Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Doas Conf File Creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Doas Tool Execution", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Docker Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Edit Cron Table Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Emacs Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux File Created In Kernel Driver Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Linux File Creation In Init Boot Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "RC Scripts"}, {"mitre_attack_technique": "Boot or Logon Initialization Scripts"}]}}, {"name": "Linux File Creation In Profile Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unix Shell Configuration Modification"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Linux Find Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux GDB Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Gem Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux GNU Awk Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Insert Kernel Module Using Insmod Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Linux Install Kernel Module Using Modprobe Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Linux Make Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux MySQL Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Node Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux NOPASSWD Entry In Sudoers File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Octave Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux OpenVPN Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Persistence and Privilege Escalation Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux PHP Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux pkexec Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Linux Possible Access Or Modification Of sshd Config File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SSH Authorized Keys"}, {"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Linux Possible Access To Credential Files", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "/etc/passwd and /etc/shadow"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Linux Possible Access To Sudoers File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Possible Append Command To At Allow Config File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Possible Append Command To Profile Config File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unix Shell Configuration Modification"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Possible Cronjob Modification With Editor", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Possible Ssh Key File Creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SSH Authorized Keys"}, {"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Linux Preload Hijack Library Calls", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Dynamic Linker Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Linux Puppet Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux RPM Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Ruby Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Service File Created In Systemd Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Service Started Or Enabled", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Setuid Using Chmod Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Setuid Using Setcap Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Sqlite3 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Sudo OR Su Execution", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Sudoers Tmp File Creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Visudo Utility Execution", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}]}, {"name": "Linux Rootkit", "id": "e30f4054-ac08-4999-b8bc-5cc46886c18d", "version": 1, "date": "2022-07-27", "author": "Michael Haag, Splunk", "description": "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.", "narrative": "Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or System Firmware. Rootkits have been seen for Windows, Linux, and Mac OS X systems. Linux rootkits may not standout as much as a Windows rootkit, therefore understanding what kernel modules are installed today and monitoring for new is important. As with any rootkit, it may blend in using a common kernel name or variation of legitimate names.", "references": ["https://attack.mitre.org/techniques/T1014/", "https://content.fireeye.com/apt-41/rpt-apt41", "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a"], "tags": {"name": "Linux Rootkit", "analytic_story": "Linux Rootkit", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TeamTNT", "Tropic Trooper", "Turla", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}, {"mitre_attack_id": "T1014", "mitre_attack_technique": "Rootkit", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT41", "Rocke", "TeamTNT", "Winnti Group"]}], "mitre_attack_tactics": ["Defense Evasion", "Discovery", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Linux File Created In Kernel Driver Directory - Rule", "ESCU - Linux Insert Kernel Module Using Insmod Utility - Rule", "ESCU - Linux Install Kernel Module Using Modprobe Utility - Rule", "ESCU - Linux Kernel Module Enumeration - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Linux File Created In Kernel Driver Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Linux Insert Kernel Module Using Insmod Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Linux Install Kernel Module Using Modprobe Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Linux Kernel Module Enumeration", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Information Discovery"}, {"mitre_attack_technique": "Rootkit"}]}}]}, {"name": "Living Off The Land", "id": "6f7982e2-900b-11ec-a54a-acde48001122", "version": 2, "date": "2022-03-16", "author": "Lou Stella, Splunk", "description": "Leverage analytics that allow you to identify the presence of an adversary leveraging native applications within your environment.", "narrative": "Living Off The Land refers to an adversary methodology of using native applications already installed on the target operating system to achieve their objective. Native utilities provide the adversary with reduced chances of detection by antivirus software or EDR tools. This allows the adversary to blend in with native process behavior.", "references": ["https://lolbas-project.github.io/"], "tags": {"name": "Living Off The Land", "analytic_story": "Living Off The Land", "category": ["Adversary Tactics", "Unauthorized Software", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1197", "mitre_attack_technique": "BITS Jobs", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT39", "APT41", "Leviathan", "Patchwork"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1140", "mitre_attack_technique": "Deobfuscate/Decode Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT39", "BRONZE BUTLER", "Darkhotel", "Earth Lusca", "Gamaredon Group", "Gorgon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Molerats", "MuddyWater", "OilRig", "Rocke", "Sandworm Team", "TA505", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "WIRTE", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.002", "mitre_attack_technique": "Control Panel", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Ember Bear"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1218.001", "mitre_attack_technique": "Compiled HTML File", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "APT41", "Dark Caracal", "OilRig", "Silence"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA551"]}, {"mitre_attack_id": "T1218.009", "mitre_attack_technique": "Regsvcs/Regasm", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1567", "mitre_attack_technique": "Exfiltration Over Web Service", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT28", "Magic Hound"]}, {"mitre_attack_id": "T1059.004", "mitre_attack_technique": "Unix Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT41", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1647", "mitre_attack_technique": "Plist File Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.013", "mitre_attack_technique": "Mavinject", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574.001", "mitre_attack_technique": "DLL Search Order Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Aquatic Panda", "BackdoorDiplomacy", "Evilnum", "RTM", "Threat Group-3390", "Tonto Team", "Whitefly", "menuPass"]}, {"mitre_attack_id": "T1202", "mitre_attack_technique": "Indirect Command Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1546.003", "mitre_attack_technique": "Windows Management Instrumentation Event Subscription", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT33", "Blue Mockingbird", "FIN8", "Leviathan", "Metador", "Mustang Panda", "Turla"]}, {"mitre_attack_id": "T1218.008", "mitre_attack_technique": "Odbcconf", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group"]}, {"mitre_attack_id": "T1216", "mitre_attack_technique": "System Script Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Execution", "Exfiltration", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Traffic", "Risk"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - BITS Job Persistence - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule", "ESCU - Certutil exe certificate extraction - Rule", "ESCU - CertUtil With Decode Argument - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Control Loading from World Writable Directory - Rule", "ESCU - Creation of Shadow Copy with wmic and powershell - Rule", "ESCU - Detect HTML Help Renamed - Rule", "ESCU - Detect HTML Help Spawn Child Process - Rule", "ESCU - Detect HTML Help URL in Command Line - Rule", "ESCU - Detect HTML Help Using InfoTech Storage Handlers - Rule", "ESCU - Detect mshta inline hta execution - Rule", "ESCU - Detect mshta renamed - Rule", "ESCU - Detect MSHTA Url in Command Line - Rule", "ESCU - Detect Regasm Spawning a Process - Rule", "ESCU - Detect Regasm with Network Connection - Rule", "ESCU - Detect Regasm with no Command Line Arguments - Rule", "ESCU - Detect Regsvcs Spawning a Process - Rule", "ESCU - Detect Regsvcs with Network Connection - Rule", "ESCU - Detect Regsvcs with No Command Line Arguments - Rule", "ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - Detect Rundll32 Application Control Bypass - advpack - Rule", "ESCU - Detect Rundll32 Application Control Bypass - setupapi - Rule", "ESCU - Detect Rundll32 Application Control Bypass - syssetup - Rule", "ESCU - Detect Rundll32 Inline HTA Execution - Rule", "ESCU - Disable Schedule Task - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Esentutl SAM Copy - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Living Off The Land - Rule", "ESCU - LOLBAS With Network Traffic - Rule", "ESCU - MacOS LOLbin - Rule", "ESCU - MacOS plutil - Rule", "ESCU - Mmc LOLBAS Execution Process Spawn - Rule", "ESCU - Mshta spawning Rundll32 OR Regsvr32 Process - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Reg exe Manipulating Windows Services Registry Keys - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Rundll32 Control RunDLL Hunt - Rule", "ESCU - Rundll32 Control RunDLL World Writable Directory - Rule", "ESCU - Rundll32 Create Remote Thread To A Process - Rule", "ESCU - Rundll32 CreateRemoteThread In Browser - Rule", "ESCU - Rundll32 DNSQuery - Rule", "ESCU - Rundll32 Process Creating Exe Dll Files - Rule", "ESCU - Rundll32 Shimcache Flush - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Scheduled Task Initiation on Remote Endpoint - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Services LOLBAS Execution Process Spawn - Rule", "ESCU - Suspicious IcedID Rundll32 Cmdline - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious microsoft workflow compiler usage - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious MSBuild Spawn - Rule", "ESCU - Suspicious mshta child process - Rule", "ESCU - Suspicious mshta spawn - Rule", "ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule", "ESCU - Suspicious Rundll32 dllregisterserver - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Svchost LOLBAS Execution Process Spawn - Rule", "ESCU - Windows Binary Proxy Execution Mavinject DLL Injection - Rule", "ESCU - Windows COM Hijacking InprocServer32 Modification - Rule", "ESCU - Windows Diskshadow Proxy Execution - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt with Sysmon - Rule", "ESCU - Windows DLL Search Order Hijacking with iscsicpl - Rule", "ESCU - Windows Identify Protocol Handlers - Rule", "ESCU - Windows Indirect Command Execution Via forfiles - Rule", "ESCU - Windows Indirect Command Execution Via pcalua - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows InstallUtil Remote Network Connection - Rule", "ESCU - Windows InstallUtil Uninstall Option - Rule", "ESCU - Windows InstallUtil Uninstall Option with Network - Rule", "ESCU - Windows InstallUtil URL in Command Line - Rule", "ESCU - Windows MOF Event Triggered Execution via WMI - Rule", "ESCU - Windows Odbcconf Hunting - Rule", "ESCU - Windows Odbcconf Load DLL - Rule", "ESCU - Windows Odbcconf Load Response File - Rule", "ESCU - Windows System Binary Proxy Execution Compiled HTML File Decompile - Rule", "ESCU - Windows System Script Proxy Execution Syncappvpublishingserver - Rule", "ESCU - WSReset UAC Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Lou Stella", "detections": [{"name": "BITS Job Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "BITS Jobs"}]}}, {"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "BITS Jobs"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CertUtil Download With VerifyCtl and Split Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Certutil exe certificate extraction", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "CertUtil With Decode Argument", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Deobfuscate/Decode Files or Information"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Control Loading from World Writable Directory", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Control Panel"}]}}, {"name": "Creation of Shadow Copy with wmic and powershell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Detect HTML Help Renamed", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}}, {"name": "Detect HTML Help Spawn Child Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}}, {"name": "Detect HTML Help URL in Command Line", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}}, {"name": "Detect HTML Help Using InfoTech Storage Handlers", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}}, {"name": "Detect mshta inline hta execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Detect mshta renamed", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Detect MSHTA Url in Command Line", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Detect Regasm Spawning a Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regasm with Network Connection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regasm with no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regsvcs Spawning a Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regsvcs with Network Connection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regsvcs with No Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Detect Rundll32 Application Control Bypass - advpack", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Detect Rundll32 Application Control Bypass - setupapi", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Detect Rundll32 Application Control Bypass - syssetup", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Detect Rundll32 Inline HTA Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Disable Schedule Task", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Esentutl SAM Copy", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Eventvwr UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Living Off The Land", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "LOLBAS With Network Traffic", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Exfiltration Over Web Service"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "MacOS LOLbin", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unix Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "MacOS plutil", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Plist File Modification"}]}}, {"name": "Mmc LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "MMC"}]}}, {"name": "Mshta spawning Rundll32 OR Regsvr32 Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Reg exe Manipulating Windows Services Registry Keys", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Rundll32 Control RunDLL Hunt", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Rundll32 Control RunDLL World Writable Directory", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Rundll32 Create Remote Thread To A Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Rundll32 CreateRemoteThread In Browser", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Rundll32 DNSQuery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Rundll32 Process Creating Exe Dll Files", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Rundll32 Shimcache Flush", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "RunDLL Loading DLL By Ordinal", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Schedule Task with HTTP Command Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Scheduled Task Creation on Remote Endpoint using At", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "At"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Scheduled Task Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Services LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Suspicious IcedID Rundll32 Cmdline", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Suspicious microsoft workflow compiler usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}]}}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "Suspicious MSBuild Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "Suspicious mshta child process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Suspicious mshta spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Suspicious Regsvr32 Register Suspicious Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Suspicious Rundll32 dllregisterserver", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Svchost LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Windows Binary Proxy Execution Mavinject DLL Injection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Mavinject"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows COM Hijacking InprocServer32 Modification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Component Object Model Hijacking"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Windows Diskshadow Proxy Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows DLL Search Order Hijacking Hunt", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Windows DLL Search Order Hijacking Hunt with Sysmon", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Windows DLL Search Order Hijacking with iscsicpl", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Search Order Hijacking"}]}}, {"name": "Windows Identify Protocol Handlers", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Indirect Command Execution Via forfiles", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indirect Command Execution"}]}}, {"name": "Windows Indirect Command Execution Via pcalua", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indirect Command Execution"}]}}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows InstallUtil Remote Network Connection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows InstallUtil Uninstall Option", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows InstallUtil Uninstall Option with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows InstallUtil URL in Command Line", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows MOF Event Triggered Execution via WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation Event Subscription"}]}}, {"name": "Windows Odbcconf Hunting", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Odbcconf"}]}}, {"name": "Windows Odbcconf Load DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Odbcconf"}]}}, {"name": "Windows Odbcconf Load Response File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Odbcconf"}]}}, {"name": "Windows System Binary Proxy Execution Compiled HTML File Decompile", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compiled HTML File"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows System Script Proxy Execution Syncappvpublishingserver", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Script Proxy Execution"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "WSReset UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}]}, {"name": "Local Privilege Escalation With KrbRelayUp", "id": "765790f0-2f8f-4048-8321-fd1928ec2546", "version": 1, "date": "2022-04-28", "author": "Michael Haag, Mauricio Velazco, Splunk", "description": "KrbRelayUp is a tool that allows local privilege escalation from low-priviliged domain user to local system on domain-joined computers.", "narrative": "In October 2021, James Forshaw from Googles Project Zero released a research blog post titled `Using Kerberos for Authentication Relay Attacks`. This research introduced, for the first time, ways to make Windows authenticate to a different Service Principal Name (SPN) than what would normally be derived from the hostname the client is connecting to. This effectively proved that relaying Kerberos authentication is possible\\\\. In April 2022, security researcher Mor Davidovich released a tool named KrbRelayUp which implements Kerberos relaying as well as other known Kerberos techniques with the goal of escalating privileges from a low-privileged domain user on a domain-joined device and obtain a SYSTEM shell.", "references": ["https://github.com/Dec0ne/KrbRelayUp", "https://gist.github.com/tothi/bf6c59d6de5d0c9710f23dae5750c4b9", "https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html", "https://dirkjanm.io/relaying-kerberos-over-dns-with-krbrelayx-and-mitm6/", "https://github.com/cube0x0/KrbRelay"], "tags": {"name": "Local Privilege Escalation With KrbRelayUp", "analytic_story": "Local Privilege Escalation With KrbRelayUp", "category": ["Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}], "mitre_attack_tactics": ["Credential Access", "Persistence", "Privilege Escalation"], "datamodels": ["Authentication", "Change"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Windows Computer Account Created by Computer Account - Rule", "ESCU - Windows Computer Account Requesting Kerberos Ticket - Rule", "ESCU - Windows Computer Account With SPN - Rule", "ESCU - Windows Kerberos Local Successful Logon - Rule", "ESCU - Windows KrbRelayUp Service Creation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Computer Account Created by Computer Account", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows Computer Account Requesting Kerberos Ticket", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows Computer Account With SPN", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows Kerberos Local Successful Logon", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows KrbRelayUp Service Creation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}]}}]}, {"name": "Log4Shell CVE-2021-44228", "id": "b4453928-5a98-11ec-afcd-8de10b48fc52", "version": 1, "date": "2021-12-11", "author": "Jose Hernandez", "description": "Log4Shell or CVE-2021-44228 is a Remote Code Execution (RCE) vulnerability in the Apache Log4j library, a widely used and ubiquitous logging framework for Java. The vulnerability allows an attacker who can control log messages to execute arbitrary code loaded from attacker-controlled servers and we anticipate that most apps using the Log4j library will meet this condition.", "narrative": "In late November 2021, Chen Zhaojun of Alibaba identified a remote code execution vulnerability. Previous work was seen in a 2016 Blackhat talk by Alvaro Munoz and Oleksandr Mirosh called [\"A Journey from JNDI/LDAP Manipulation to Remote Code Execution Dream Land\"](https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf). Reported under the CVE ID : CVE-2021-44228, released to the public on December 10, 2021. The vulnerability is exploited through improper deserialization of user input passed into the framework. It permits remote code execution and it can allow an attacker to leak sensitive data, such as environment variables, or execute malicious software on the target system.", "references": ["https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/", "https://www.fastly.com/blog/digging-deeper-into-log4shell-0day-rce-exploit-found-in-log4j", "https://www.crowdstrike.com/blog/log4j2-vulnerability-analysis-and-mitigation-recommendations/", "https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://www.splunk.com/en_us/blog/security/log-jammin-log4j-2-rce.html"], "tags": {"name": "Log4Shell CVE-2021-44228", "analytic_story": "Log4Shell CVE-2021-44228", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Command And Control", "Execution", "Initial Access", "Persistence"], "datamodels": ["Endpoint", "Network_Traffic", "Risk", "Web"], "kill_chain_phases": ["Command And Control", "Delivery", "Installation"]}, "detection_names": ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Curl Download and Bash Execution - Rule", "ESCU - Java Class File download by Java User Agent - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Log4Shell CVE-2021-44228 Exploitation - Rule", "ESCU - Outbound Network Connection from Java Using Default Ports - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Wget Download and Bash Execution - Rule", "ESCU - Windows Java Spawning Shells - Rule", "ESCU - Detect Outbound LDAP Traffic - Rule", "ESCU - Hunting for Log4Shell - Rule", "ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", "ESCU - Log4Shell JNDI Payload Injection with Outbound Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Jose Hernandez", "detections": [{"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Curl Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Java Class File download by Java User Agent", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Linux Java Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Log4Shell CVE-2021-44228 Exploitation", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Outbound Network Connection from Java Using Default Ports", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Wget Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Windows Java Spawning Shells", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Detect Outbound LDAP Traffic", "source": "network", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Hunting for Log4Shell", "source": "web", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Log4Shell JNDI Payload Injection Attempt", "source": "web", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Log4Shell JNDI Payload Injection with Outbound Connection", "source": "web", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "Malicious PowerShell", "id": "2c8ff66e-0b57-42af-8ad7-912438a403fc", "version": 5, "date": "2017-08-23", "author": "David Dorsey, Splunk", "description": "Attackers are finding stealthy ways \"live off the land,\" leveraging utilities and tools that come standard on the endpoint--such as PowerShell--to achieve their goals without downloading binary files. These searches can help you detect and investigate PowerShell command-line options that may be indicative of malicious intent.", "narrative": "The searches in this Analytic Story monitor for parameters often used for malicious purposes. It is helpful to understand how often the notable events generated by this story occur, as well as the commonalities between some of these events. These factors may provide clues about whether this is a common occurrence of minimal concern or a rare event that may require more extensive investigation. Likewise, it is important to determine whether the issue is restricted to a single user/system or is broader in scope. \\\nThe following factors may assist you in determining whether the event is malicious: \\\n1. Country of origin \\\n1. Responsible party \\\n1. Fully qualified domain names associated with the external IP address \\\n1. Registration of fully qualified domain names associated with external IP address \\\nDetermining whether it is a dynamic domain frequently visited by others and/or how third parties categorize it can also help you answer some questions surrounding the attacker and details related to the external system. In addition, there are various sources--such as VirusTotal— that can provide some reputation information on the IP address or domain name, which can assist in determining whether the event is malicious. Finally, determining whether there are other events associated with the IP address may help connect data points or show other events that should be brought into scope. \\\nGathering data on the system of interest can sometimes help you quickly determine whether something suspicious is happening. Some of these items include finding out who else may have recently logged into the system, whether any unusual scheduled tasks exist, whether the system is communicating on suspicious ports, whether there are modifications to sensitive registry keys, and whether there are any known vulnerabilities on the system. This information can often highlight other activity commonly seen in attack scenarios or give more information about how the system may have been targeted. \\\nOften, a simple inspection of the process name and path can tell you if the system has been compromised. For example, if `svchost.exe` is found running from a location other than `C:\\Windows\\System32`, it is likely something malicious designed to hide in plain sight when cursorily reviewing process names. Similarly, if the process itself seems legitimate, but the parent process is running from the temporary browser cache, that could be indicative of activity initiated via a compromised website a user visited. \\\nIt can also be very helpful to examine various behaviors of the process of interest or the parent of the process of interest. For example, if it turns out the process of interest is malicious, it would be good to see if the parent to that process spawned other processes that might be worth further scrutiny. If a process is suspect, a review of the network connections made in and around the time of the event and/or whether the process spawned any child processes could be helpful, as well. \\\nIn the event a system is suspected of having been compromised via a malicious website, we suggest reviewing the browsing activity from that system around the time of the event. If categories are given for the URLs visited, that can help you zero in on possible malicious sites. \\\nMost recently we have added new content related to PowerShell Script Block logging, Windows EventCode 4104. Script block logging presents the deobfuscated and raw script executed on an endpoint. The analytics produced were tested against commonly used attack frameworks - PowerShell-Empire, Cobalt Strike and Covenant. In addition, we sampled publicly available samples that utilize PowerShell and validated coverage. The analytics are here to identify suspicious usage, cmdlets, or script values. 4104 events are enabled via the Windows registry and may generate a large volume of data if enabled globally. Enabling on critical systems or a limited set may be best. During triage of 4104 events, review parallel processes for other processes and command executed. Identify any file modifications and network communication and review accordingly. Fortunately, we get the full script to determine the level of threat identified.", "references": ["https://blogs.mcafee.com/mcafee-labs/malware-employs-powershell-to-infect-systems/", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"], "tags": {"name": "Malicious PowerShell", "analytic_story": "Malicious PowerShell", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1027.005", "mitre_attack_technique": "Indicator Removal from Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT3", "Deep Panda", "GALLIUM", "OilRig", "Patchwork", "TEMP.Veles", "Turla"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Suspicious Powershell Command-Line Arguments - Rule", "ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Detect Empire with PowerShell Script Block Logging - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - GetLocalUser with PowerShell Script Block - Rule", "ESCU - GetWmiObject User Account with PowerShell Script Block - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process With Obfuscation Techniques - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Powershell COM Hijacking InprocServer32 Modification - Rule", "ESCU - Powershell Creating Thread Mutex - Rule", "ESCU - PowerShell Domain Enumeration - Rule", "ESCU - PowerShell Enable PowerShell Remoting - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Powershell Fileless Process Injection via GetProcAddress - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Invoke CIMMethod CIMSession - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Unloading AMSI via Reflection - Rule", "ESCU - WMI Recon Running Process Or Services - Rule"], "investigation_names": ["ESCU - Get History Of Email Sources - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Suspicious Powershell Command-Line Arguments", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}]}}, {"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Detect Empire with PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "GetLocalUser with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "GetWmiObject User Account with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Malicious PowerShell Process With Obfuscation Techniques", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Remote Management"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "MMC"}]}}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Powershell COM Hijacking InprocServer32 Modification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Component Object Model Hijacking"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Creating Thread Mutex", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Indicator Removal from Tools"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "PowerShell Domain Enumeration", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "PowerShell Enable PowerShell Remoting", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Powershell Enable SMB1Protocol Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Indicator Removal from Tools"}]}}, {"name": "Powershell Execute COM Object", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Component Object Model Hijacking"}, {"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Fileless Process Injection via GetProcAddress", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "PowerShell Invoke CIMMethod CIMSession", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Using memory As Backing Store", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "ServicePrincipalNames Discovery with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Unloading AMSI via Reflection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "WMI Recon Running Process Or Services", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}]}, {"name": "Masquerading - Rename System Utilities", "id": "f0258af4-a6ae-11eb-b3c2-acde48001122", "version": 1, "date": "2021-04-26", "author": "Michael Haag, Splunk", "description": "Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities.", "narrative": "Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths.\\\nThe following content is here to assist with binaries within `system32` or `syswow64` being moved to a new location or an adversary bringing a the binary in to execute.\\\nThere will be false positives as some native Windows processes are moved or ran by third party applications from different paths. If file names are mismatched between the file name on disk and that of the binarys PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.", "references": ["https://attack.mitre.org/techniques/T1036/003/"], "tags": {"name": "Masquerading - Rename System Utilities", "analytic_story": "Masquerading - Rename System Utilities", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion", "Impact"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"]}, "detection_names": ["ESCU - Execution of File With Spaces Before Extension - Rule", "ESCU - Suspicious Rundll32 Rename - Rule", "ESCU - Execution of File with Multiple Extensions - Rule", "ESCU - Sdelete Application Execution - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Execution of File With Spaces Before Extension", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Suspicious Rundll32 Rename", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rundll32"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Execution of File with Multiple Extensions", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Sdelete Application Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}]}, {"name": "MetaSploit", "id": "c149b694-bd08-4535-88d3-1f288a66313f", "version": 1, "date": "2022-11-21", "author": "Michael Haag, Splunk", "description": "The following analytic story highlights content related directly to MetaSploit, which may be default configurations attributed to MetaSploit or behaviors of known knowns that are related.", "narrative": "The Metasploit framework is a very powerful tool which can be used by cybercriminals as well as ethical hackers to probe systematic vulnerabilities on networks and servers. Because it is an open-source framework, it can be easily customized and used with most operating systems.\\\nThe Metasploit Project was undertaken in 2003 by H.D. Moore for use as a Perl-based portable network tool, with assistance from core developer Matt Miller. It was fully converted to Ruby by 2007, and the license was acquired by Rapid7 in 2009, where it remains as part of the Boston-based company repertoire of IDS signature development and targeted remote exploit, fuzzing, anti-forensic, and evasion tools.\\\nPortions of these other tools reside within the Metasploit framework, which is built into the Kali Linux OS. Rapid7 has also developed two proprietary OpenCore tools, Metasploit Pro, Metasploit Express.\\\nThis framework has become the go-to exploit development and mitigation tool. Prior to Metasploit, pen testers had to perform all probes manually by using a variety of tools that may or may not have supported the platform they were testing, writing their own code by hand, and introducing it onto networks manually. Remote testing was virtually unheard of, and that limited a security specialist reach to the local area and companies spending a fortune on in-house IT or security consultants. (ref. Varonis)", "references": ["https://github.com/rapid7/metasploit-framework", "https://www.varonis.com/blog/what-is-metasploit"], "tags": {"name": "MetaSploit", "analytic_story": "MetaSploit", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Execution"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation"]}, "detection_names": ["ESCU - Powershell Load Module in Meterpreter - Rule", "ESCU - Windows Apache Benchmark Binary - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Powershell Load Module in Meterpreter", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Windows Apache Benchmark Binary", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}]}, {"name": "Meterpreter", "id": "d5f8e298-c85a-11eb-9fea-acde48001122", "version": 1, "date": "2021-06-08", "author": "Michael Hart", "description": "Meterpreter provides red teams, pen testers and threat actors interactive access to a compromised host to run commands, upload payloads, download files, and other actions.", "narrative": "This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) from Meterpreter. Meterpreter is a Metasploit payload for remote execution that leverages DLL injection to make it extremely difficult to detect. Since the software runs in memory, no new processes are created upon injection. It also leverages encrypted communication channels.\\\nMeterpreter enables the operator to remotely run commands on the target machine, upload payloads, download files, dump password hashes, and much more. It is difficult to determine from the forensic evidence what actions the operator performed. Splunk Research, however, has observed anomalous behaviors on the compromised hosts that seem to only appear when Meterpreter is executing various commands. With that, we have written new detections targeted to these detections.\\\nWhile investigating a detection related to this analytic story, please bear in mind that the detections look for anomalies in system behavior. It will be imperative to look for other signs in the endpoint and network logs for lateral movement, discovery and other actions to confirm that the host was compromised and a remote actor used it to progress on their objectives.", "references": ["https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/", "https://doubleoctopus.com/security-wiki/threats-and-tools/meterpreter/", "https://www.rapid7.com/products/metasploit/"], "tags": {"name": "Meterpreter", "analytic_story": "Meterpreter", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}], "mitre_attack_tactics": ["Execution"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation"]}, "detection_names": ["ESCU - Excessive distinct processes from Windows Temp - Rule", "ESCU - Excessive number of taskhost processes - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Michael Hart", "detections": [{"name": "Excessive distinct processes from Windows Temp", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Excessive number of taskhost processes", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}]}, {"name": "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "id": "4ad4253e-10ca-11ec-8235-acde48001122", "version": 1, "date": "2021-09-08", "author": "Michael Haag, Splunk", "description": "CVE-2021-40444 is a remote code execution vulnerability in MSHTML, recently used to delivery targeted spearphishing documents.", "narrative": "Microsoft is aware of targeted attacks that attempt to exploit this vulnerability, CVE-2021-40444 by using specially-crafted Microsoft Office documents. MSHTML is a software component used to render web pages on Windows. Although it is 2019s most commonly associated with Internet Explorer, it is also used in other software. CVE-2021-40444 received a CVSS score of 8.8 out of 10. MSHTML is the beating heart of Internet Explorer, the vulnerability also exists in that browser. Although given its limited use, there is little risk of infection by that vector. Microsoft Office applications use the MSHTML component to display web content in Office documents. The attack depends on MSHTML loading a specially crafted ActiveX control when the target opens a malicious Office document. The loaded ActiveX control can then run arbitrary code to infect the system with more malware. At the moment all supported Windows versions are vulnerable. Since there is no patch available yet, Microsoft proposes a few methods to block these attacks. \\\n1. Disable the installation of all ActiveX controls in Internet Explorer via the registry. Previously-installed ActiveX controls will still run, but no new ones will be added, including malicious ones. Open documents from the Internet in Protected View or Application Guard for Office, both of which prevent the current attack. This is a default setting but it may have been changed.", "references": ["https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/windows-mshtml-zero-day-actively-exploited-mitigations-required/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://www.echotrail.io/insights/search/control.exe"], "tags": {"name": "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "analytic_story": "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.002", "mitre_attack_technique": "Control Panel", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Ember Bear"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation"]}, "detection_names": ["ESCU - Control Loading from World Writable Directory - Rule", "ESCU - MSHTML Module Load in Office Product - Rule", "ESCU - Office Product Writing cab or inf - Rule", "ESCU - Office Spawning Control - Rule", "ESCU - Rundll32 Control RunDLL Hunt - Rule", "ESCU - Rundll32 Control RunDLL World Writable Directory - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Control Loading from World Writable Directory", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Control Panel"}]}}, {"name": "MSHTML Module Load in Office Product", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Writing cab or inf", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Spawning Control", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Rundll32 Control RunDLL Hunt", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Rundll32 Control RunDLL World Writable Directory", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}]}, {"name": "Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190", "id": "2a60a99e-c93a-4036-af70-768fac838019", "version": 1, "date": "2022-05-31", "author": "Michael Haag, Teoderick Contreras, Splunk", "description": "On Monday May 30, 2022, Microsoft issued CVE-2022-30190 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability.", "narrative": "A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user''s rights.", "references": ["https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/", "https://isc.sans.edu/diary/rss/28694", "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", "https://twitter.com/nao_sec/status/1530196847679401984?s=20&t=ZiXYI4dQuA-0_dzQzSUb3A", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection", "https://strontic.github.io/xcyclopedia/library/msdt.exe-152D4C9F63EFB332CCB134C6953C0104.html"], "tags": {"name": "Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190", "analytic_story": "Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Initial Access"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Windows Command and Scripting Interpreter Hunting Path Traversal - Rule", "ESCU - Windows Command and Scripting Interpreter Path Traversal Exec - Rule", "ESCU - Windows Execute Arbitrary Commands with MSDT - Rule", "ESCU - Windows Office Product Spawning MSDT - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Command and Scripting Interpreter Hunting Path Traversal", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Command and Scripting Interpreter Path Traversal Exec", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Execute Arbitrary Commands with MSDT", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows Office Product Spawning MSDT", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}]}, {"name": "Monitor for Updates", "id": "9ef8d677-7b52-4213-a038-99cfc7acc2d8", "version": 1, "date": "2017-09-15", "author": "Rico Valdez, Splunk", "description": "Monitor your enterprise to ensure that your endpoints are being patched and updated. Adversaries notoriously exploit known vulnerabilities that could be mitigated by applying routine security patches.", "narrative": "It is a common best practice to ensure that endpoints are being patched and updated in a timely manner, in order to reduce the risk of compromise via a publicly disclosed vulnerability. Timely application of updates/patches is important to eliminate known vulnerabilities that may be exploited by various threat actors.\\\nSearches in this analytic story are designed to help analysts monitor endpoints for system patches and/or updates. This helps analysts identify any systems that are not successfully updated in a timely matter.\\\nMicrosoft releases updates for Windows systems on a monthly cadence. They should be installed as soon as possible after following internal testing and validation procedures. Patches and updates for other systems or applications are typically released as needed.", "references": ["https://learn.cisecurity.org/20-controls-download"], "tags": {"name": "Monitor for Updates", "analytic_story": "Monitor for Updates", "category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Compliance", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Updates"], "kill_chain_phases": []}, "detection_names": ["ESCU - No Windows Updates in a time frame - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": ["ESCU - Windows Updates Install Failures", "ESCU - Windows Updates Install Successes"], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "No Windows Updates in a time frame", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "MOVEit Transfer Critical Vulnerability", "id": "e8c05f9b-6ad4-45ac-8f5d-ff044da417c9", "version": 1, "date": "2023-06-01", "author": "Michael Haag, Splunk", "description": "A critical zero-day vulnerability has been discovered in the MOVEit Transfer file transfer software, widely used by businesses and developers worldwide. The vulnerability has been exploited by unknown threat actors to perform mass data theft from organizations. Progress Software Corporation, the developer of MOVEit, has issued a security advisory urging customers to take immediate action to protect their environments. They recommend blocking external traffic to ports 80 and 445 on the MOVEit server, and to check the c:\\MOVEitTransfer\\wwwroot\\ folder for unusual files. A patch is currently released.", "narrative": "Hackers have been actively exploiting a zero-day vulnerability found in the MOVEit Transfer software. This software, developed by Progress Software Corporation, a US-based company and its subsidiary Ipswitch, is a managed file transfer solution. It is used by thousands of organizations worldwide, including Chase, Disney, GEICO, and MLB, and by 3.5 million developers. The software allows for secure file transfers between business partners and customers using SFTP, SCP, and HTTP-based uploads.\\\nThe zero-day vulnerability has been exploited to steal data on a large scale from various organizations. The identity of the threat actors and the exact timeline of the exploitation remains unclear. However, it has been confirmed that multiple organizations have experienced breaches and data theft.\\\nIn response to this critical situation, Progress released a security advisory warning customers of the vulnerability and providing mitigation strategies while a patch has been released. They urged customers to take immediate action to protect their MOVEit environments. They suggested blocking external traffic to ports 80 and 445 on the MOVEit server and checking the c:\\MOVEitTransfer\\wwwroot\\ folder for unexpected files, including backups or large file downloads.\\\nBlocking these ports will prevent external access to the web UI, prevent some MOVEit Automation tasks from working, block APIs, and prevent the Outlook MOVEit plugin from working. However, SFTP and FTP/s protocols can continue to be used for file transfers.\\\nThere is currently no detailed information about the zero-day vulnerability. But based on the ports blocked and the specific location to check for unusual files, the flaw is likely a web-facing vulnerability.\\\nWhile Progress has officially confirmed that the vulnerability is being actively exploited, it is clear from several reports that multiple organizations have already had data stolen using this zero-day vulnerability. The exploitation appears very similar to the mass exploitation of a GoAnywhere MFT zero-day in January 2023 and the December 2020 zero-day exploitation of Accellion FTA servers. These were both managed file transfer platforms heavily exploited by the Clop ransomware gang to steal data and extort organizations.", "references": ["https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023", "https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/", "https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/", "https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/"], "tags": {"name": "MOVEit Transfer Critical Vulnerability", "analytic_story": "MOVEit Transfer Critical Vulnerability", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Initial Access", "Persistence"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - Windows MOVEit Transfer Writing ASPX - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows MOVEit Transfer Writing ASPX", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "Netsh Abuse", "id": "2b1800dd-92f9-47ec-a981-fdf1351e5f65", "version": 1, "date": "2017-01-05", "author": "Bhavin Patel, Splunk", "description": "Detect activities and various techniques associated with the abuse of `netsh.exe`, which can disable local firewall settings or set up a remote connection to a host from an infected system.", "narrative": "It is a common practice for attackers of all types to leverage native Windows tools and functionality to execute commands for malicious reasons. One such tool on Windows OS is `netsh.exe`,a command-line scripting utility that allows you to--either locally or remotely--display or modify the network configuration of a computer that is currently running. `Netsh.exe` can be used to discover and disable local firewall settings. It can also be used to set up a remote connection to a host from an infected system.\\\nTo get started, run the detection search to identify parent processes of `netsh.exe`.", "references": ["https://docs.microsoft.com/en-us/previous-versions/tn-archive/bb490939(v=technet.10)", "https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html", "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html"], "tags": {"name": "Netsh Abuse", "analytic_story": "Netsh Abuse", "category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Processes created by netsh - Rule", "ESCU - Processes launching netsh - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": ["ESCU - Baseline of SMB Traffic - MLTK", "ESCU - Previously seen command line arguments"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Processes created by netsh", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}]}}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}]}, {"name": "Network Discovery", "id": "af228995-f182-49d7-90b3-2a732944f00f", "version": 1, "date": "2022-02-14", "author": "Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the network discovery, including looking for network configuration, settings such as IP, MAC address, firewall settings and many more.", "narrative": "Adversaries may use the information from System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.", "references": ["https://attack.mitre.org/techniques/T1016/", "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/"], "tags": {"name": "Network Discovery", "analytic_story": "Network Discovery", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}], "mitre_attack_tactics": ["Discovery"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Linux System Network Discovery - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux System Network Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}]}}]}, {"name": "NOBELIUM Group", "id": "758196b5-2e21-424f-a50c-6e421ce926c2", "version": 2, "date": "2020-12-14", "author": "Patrick Bareiss, Michael Haag, Splunk", "description": "Sunburst is a trojanized updates to SolarWinds Orion IT monitoring and management software. It was discovered by FireEye in December 2020. The actors behind this campaign gained access to numerous public and private organizations around the world.", "narrative": "This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) of the NOBELIUM Group. The threat actor behind sunburst compromised the SolarWinds.Orion.Core.BusinessLayer.dll, is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers. The detections in this Analytic Story are focusing on the dll loading events, file create events and network events to detect This malware.", "references": ["https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/"], "tags": {"name": "NOBELIUM Group", "analytic_story": "NOBELIUM Group", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "Turla", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA551"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1203", "mitre_attack_technique": "Exploitation for Client Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT12", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT41", "Andariel", "Aoqin Dragon", "Axiom", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "Higaisa", "Inception", "Lazarus Group", "Leviathan", "MuddyWater", "Mustang Panda", "Patchwork", "Sandworm Team", "Sidewinder", "TA459", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "admin@338"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1071.002", "mitre_attack_technique": "File Transfer Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Kimsuky", "SilverTerrier"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Dragonfly", "Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1071.001", "mitre_attack_technique": "Web Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Confucius", "Dark Caracal", "FIN4", "FIN8", "Gamaredon Group", "HAFNIUM", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "OilRig", "Orangeworm", "Rancor", "Rocke", "Sandworm Team", "Sidewinder", "SilverTerrier", "Stealth Falcon", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "WIRTE", "Windshift", "Wizard Spider"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Defense Evasion", "Discovery", "Execution", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Traffic", "Web"], "kill_chain_phases": ["Command And Control", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Anomalous usage of 7zip - Rule", "ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - Detect Rundll32 Inline HTA Execution - Rule", "ESCU - First Time Seen Running Windows Service - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Sunburst Correlation DLL and Network Event - Rule", "ESCU - Windows AdFind Exe - Rule", "ESCU - Detect Outbound SMB Traffic - Rule", "ESCU - TOR Traffic - Rule", "ESCU - Supernova Webshell - Rule"], "investigation_names": [], "baseline_names": ["ESCU - Previously Seen Running Windows Services - Initial", "ESCU - Previously Seen Running Windows Services - Update"], "author_company": "Michael Haag, Splunk", "author_name": "Patrick Bareiss", "detections": [{"name": "Anomalous usage of 7zip", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "Detect Prohibited Applications Spawning cmd exe", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "Detect Rundll32 Inline HTA Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "First Time Seen Running Windows Service", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Sunburst Correlation DLL and Network Event", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Client Execution"}]}}, {"name": "Windows AdFind Exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Detect Outbound SMB Traffic", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File Transfer Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "TOR Traffic", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application Layer Protocol"}, {"mitre_attack_technique": "Web Protocols"}]}}, {"name": "Supernova Webshell", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "Office 365 Detections", "id": "1a51dd71-effc-48b2-abc4-3e9cdb61e5b9", "version": 1, "date": "2020-12-16", "author": "Patrick Bareiss, Splunk", "description": "This story is focused around detecting Office 365 Attacks.", "narrative": "More and more companies are using Microsofts Office 365 cloud offering. Therefore, we see more and more attacks against Office 365. This story provides various detections for Office 365 attacks.", "references": ["https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf"], "tags": {"name": "Office 365 Detections", "analytic_story": "Office 365 Detections", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1114.003", "mitre_attack_technique": "Email Forwarding Rule", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Kimsuky", "LAPSUS$", "Silent Librarian"]}, {"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}], "mitre_attack_tactics": ["Collection", "Credential Access", "Defense Evasion", "Persistence"], "datamodels": ["Authentication"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - High Number of Login Failures from a single source - Rule", "ESCU - O365 Add App Role Assignment Grant User - Rule", "ESCU - O365 Added Service Principal - Rule", "ESCU - O365 Bypass MFA via Trusted IP - Rule", "ESCU - O365 Disable MFA - Rule", "ESCU - O365 Excessive Authentication Failures Alert - Rule", "ESCU - O365 Excessive SSO logon errors - Rule", "ESCU - O365 New Federated Domain Added - Rule", "ESCU - O365 PST export alert - Rule", "ESCU - O365 Suspicious Admin Email Forwarding - Rule", "ESCU - O365 Suspicious Rights Delegation - Rule", "ESCU - O365 Suspicious User Email Forwarding - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Patrick Bareiss", "detections": [{"name": "High Number of Login Failures from a single source", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Guessing"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "O365 Add App Role Assignment Grant User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "O365 Added Service Principal", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "O365 Bypass MFA via Trusted IP", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "O365 Disable MFA", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Authentication Process"}]}}, {"name": "O365 Excessive Authentication Failures Alert", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}]}}, {"name": "O365 Excessive SSO logon errors", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Authentication Process"}]}}, {"name": "O365 New Federated Domain Added", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "O365 PST export alert", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Email Collection"}]}}, {"name": "O365 Suspicious Admin Email Forwarding", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Email Forwarding Rule"}, {"mitre_attack_technique": "Email Collection"}]}}, {"name": "O365 Suspicious Rights Delegation", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Email Collection"}, {"mitre_attack_technique": "Email Collection"}]}}, {"name": "O365 Suspicious User Email Forwarding", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Email Forwarding Rule"}, {"mitre_attack_technique": "Email Collection"}]}}]}, {"name": "Okta MFA Exhaustion", "id": "7c6e508d-4b4d-42c8-82de-5ff4ea3b0cb3", "version": 1, "date": "2022-09-27", "author": "Michael Haag, Splunk", "description": "A social engineering technique called 'MFA Fatigue', aka 'MFA push spam' or 'MFA Exhaustion', is growing more popular with threat actors as it does not require malware or phishing infrastructure and has proven to be successful in attacks.", "narrative": "An MFA Fatigue attack is when a threat actor runs a script that attempts to log in with stolen credentials over and over, causing what feels like an endless stream of MFA push requests to be sent to the account's owner's mobile device. The goal is to keep this up, day and night, to break down the target's cybersecurity posture and inflict a sense of \"fatigue\" regarding these MFA prompts.", "references": ["https://www.bleepingcomputer.com/news/security/mfa-fatigue-hackers-new-favorite-tactic-in-high-profile-breaches/", "https://www.csoonline.com/article/3674156/multi-factor-authentication-fatigue-attacks-are-on-the-rise-how-to-defend-against-them.html"], "tags": {"name": "Okta MFA Exhaustion", "analytic_story": "Okta MFA Exhaustion", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Authentication", "Risk"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Okta Account Locked Out - Rule", "ESCU - Okta MFA Exhaustion Hunt - Rule", "ESCU - Okta Mismatch Between Source and Response for Verify Push Request - Rule", "ESCU - Okta Risk Threshold Exceeded - Rule", "ESCU - Okta Two or More Rejected Okta Pushes - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Okta Account Locked Out", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}]}}, {"name": "Okta MFA Exhaustion Hunt", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}]}}, {"name": "Okta Mismatch Between Source and Response for Verify Push Request", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}}, {"name": "Okta Risk Threshold Exceeded", "source": "application", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Okta Two or More Rejected Okta Pushes", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}]}}]}, {"name": "OpenSSL CVE-2022-3602", "id": "491e00c9-998b-4c64-91bb-d8f9c79c1f4c", "version": 1, "date": "2022-11-02", "author": "Michael Haag, splunk", "description": "OpenSSL recently disclosed two vulnerabilities CVE-2022-3602 and CVE-2022-3786. CVE-2022-3602 is a X.509 Email Address 4-byte Buffer Overflow where puny code is utilized. This only affects OpenSSL 3.0.0 - 3.0.6.", "narrative": "A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the . character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Users of OpenSSL 3.0.0 - 3.0.6 are encouraged to upgrade to 3.0.7 as soon as possible. If you obtain your copy of OpenSSL from your Operating System vendor or other third party then you should seek to obtain an updated version from them as soon as possible. SSL Certificates with Punycode will identify SSL certificates with Punycode. Note that it does not mean it will capture malicious payloads. If using Zeek, modify the Zeek x509 certificate with punycode to match your environment. We found during this exercise that the FULL x509 with SAN must be captured and stored, decoded, in order to query against it.", "references": ["https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/", "https://github.com/advisories/GHSA-h8jm-2x53-xhp5", "https://community.emergingthreats.net/t/out-of-band-ruleset-update-summary-2022-11-01/117", "https://github.com/corelight/CVE-2022-3602/tree/master/scripts"], "tags": {"name": "OpenSSL CVE-2022-3602", "analytic_story": "OpenSSL CVE-2022-3602", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1573", "mitre_attack_technique": "Encrypted Channel", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT29", "BITTER", "Magic Hound", "Tropic Trooper"]}], "mitre_attack_tactics": ["Command And Control"], "datamodels": [], "kill_chain_phases": ["Command And Control"]}, "detection_names": ["ESCU - SSL Certificates with Punycode - Rule", "ESCU - Zeek x509 Certificate with Punycode - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "splunk", "author_name": "Michael Haag", "detections": [{"name": "SSL Certificates with Punycode", "source": "network", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Encrypted Channel"}]}}, {"name": "Zeek x509 Certificate with Punycode", "source": "network", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Encrypted Channel"}]}}]}, {"name": "Orangeworm Attack Group", "id": "bb9f5ed2-916e-4364-bb6d-97c370efcf52", "version": 2, "date": "2020-01-22", "author": "David Dorsey, Splunk", "description": "Detect activities and various techniques associated with the Orangeworm Attack Group, a group that frequently targets the healthcare industry.", "narrative": "In May of 2018, the attack group Orangeworm was implicated for installing a custom backdoor called Trojan.Kwampirs within large international healthcare corporations in the United States, Europe, and Asia. This malware provides the attackers with remote access to the target system, decrypting and extracting a copy of its main DLL payload from its resource section. Before writing the payload to disk, it inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections.\\\nAwareness of the Orangeworm group first surfaced in January, 2015. It has conducted targeted attacks against related industries, as well, such as pharmaceuticals and healthcare IT solution providers.\\\nHealthcare may be a promising target, because it is notoriously behind in technology, often using older operating systems and neglecting to patch computers. Even so, the group was able to evade detection for a full three years. Sources say that the malware spread quickly within the target networks, infecting computers used to control medical devices, such as MRI and X-ray machines.\\\nThis Analytic Story is designed to help you detect and investigate suspicious activities that may be indicative of an Orangeworm attack. One detection search looks for command-line arguments. Another monitors for uses of sc.exe, a non-essential Windows file that can manipulate Windows services. One of the investigative searches helps you get more information on web hosts that you suspect have been compromised.", "references": ["https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia", "https://www.infosecurity-magazine.com/news/healthcare-targeted-by-hacker/"], "tags": {"name": "Orangeworm Attack Group", "analytic_story": "Orangeworm Attack Group", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - First Time Seen Running Windows Service - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule"], "investigation_names": ["ESCU - Get History Of Email Sources - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": ["ESCU - Previously seen command line arguments", "ESCU - Previously Seen Running Windows Services - Initial", "ESCU - Previously Seen Running Windows Services - Update"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "First Time Seen Running Windows Service", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}]}, {"name": "PaperCut MF NG Vulnerability", "id": "2493d270-5665-4fb4-99c7-8f886f260676", "version": 1, "date": "2023-05-15", "author": "Michael Haag, Splunk", "description": "The FBI has issued a joint advisory concerning the exploitation of a PaperCut MF/NG vulnerability (CVE-2023-27350) by malicious actors, which began in mid-April 2023 and has been ongoing. In early May 2023, a group identifying themselves as the Bl00dy Ransomware Gang targeted vulnerable PaperCut servers within the Education Facilities Subsector. The advisory provides information on detecting exploitation attempts and shares known indicators of compromise (IOCs) associated with the group's activities.", "narrative": "PaperCut MF/NG versions 19 and older have reached their end-of-life, as documented on the End of Life Policy page. Customers using these older versions are advised to purchase an updated license online for PaperCut NG or through their PaperCut Partner for PaperCut MF. For users with a currently supported version (version 20 or later), they can upgrade to any maintenance release version they are licensed for.\\ If upgrading to a security patch is not possible, there are alternative options to enhance security. Users can lock down network access to their server(s) by blocking all inbound traffic from external IPs to the web management port (port 9191 and 9192 by default) and blocking all inbound traffic to the web management portal on the firewall to the server. Additionally, users can apply \"Allow list\" restrictions under Options > Advanced > Security > Allowed site server IP addresses, setting this to only allow the IP addresses of verified Site Servers on their network.\\\nThe vulnerabilities CVE-2023-27350 and CVE-2023-27351 have CVSS scores of 9.8 (Critical) and 8.2 (High), respectively. PaperCut and its partner network have activated response teams to assist PaperCut MF and NG customers, with service desks available 24/7 via their support page. The security response team at PaperCut has been working with external security advisors to compile a list of unpatched PaperCut MF/NG servers that have ports open on the public internet. They have been proactively reaching out to potentially exposed customers since Wednesday afternoon (AEST) and are working around the clock through the weekend.\\\nThe exploit was first detected in the wild on April 18th, 2023, at 03:30 AEST / April 17th, 2023, at 17:30 UTC. The earliest signature of suspicious activity on a customer server potentially linked to this vulnerability dates back to April 14th, 2023, at 01:29 AEST / April 13th, 2023, at 15:29 UTC.\\\nApplying the security fixes should not have any negative impact. Users can follow their usual upgrade procedure to obtain the upgrade. Additional links on the -Check for updates- page (accessed through the Admin interface > About > Version info > Check for updates) allow customers to download fixes for previous major versions that are still supported (e.g., 20.1.7 and 21.2.11) as well as the current version available. PaperCut MF users are advised to follow their regular upgrade process and consult their PaperCut partner or reseller for assistance.", "references": ["https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-and-fbi-release-joint-advisory-response-active-exploitation-papercut-vulnerability", "https://www.papercut.com/kb/Main/PO-1216-and-PO-1219", "https://www.horizon3.ai/papercut-cve-2023-27350-deep-dive-and-indicators-of-compromise/", "https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-bug-in-papercut-servers/", "https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software"], "tags": {"name": "PaperCut MF NG Vulnerability", "analytic_story": "PaperCut MF NG Vulnerability", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}], "mitre_attack_tactics": ["Execution", "Initial Access", "Persistence"], "datamodels": ["Endpoint", "Web"], "kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - PaperCut NG Suspicious Behavior Debug Log - Rule", "ESCU - Windows PaperCut NG Spawn Shell - Rule", "ESCU - PaperCut NG Remote Web Access Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "PaperCut NG Suspicious Behavior Debug Log", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Windows PaperCut NG Spawn Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "PaperCut NG Remote Web Access Attempt", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "PetitPotam NTLM Relay on Active Directory Certificate Services", "id": "97aecafc-0a68-11ec-962f-acde48001122", "version": 1, "date": "2021-08-31", "author": "Michael Haag, Mauricio Velazco, Splunk", "description": "PetitPotam (CVE-2021-36942,) is a vulnerablity identified in Microsofts EFSRPC Protocol that can allow an unauthenticated account to escalate privileges to domain administrator given the right circumstances.", "narrative": "In June 2021, security researchers at SpecterOps released a blog post and white paper detailing several potential attack vectors against Active Directory Certificated Services (ADCS). ADCS is a Microsoft product that implements Public Key Infrastrucutre (PKI) functionality and can be used by organizations to provide and manage digital certiticates within Active Directory.\\ In July 2021, a security researcher released PetitPotam, a tool that allows attackers to coerce Windows systems into authenticating to arbitrary endpoints.\\ Combining PetitPotam with the identified ADCS attack vectors allows attackers to escalate privileges from an unauthenticated anonymous user to full domain admin privileges.", "references": ["https://us-cert.cisa.gov/ncas/current-activity/2021/07/27/microsoft-releases-guidance-mitigating-petitpotam-ntlm-relay", "https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429", "https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf", "https://github.com/topotam/PetitPotam/", "https://github.com/gentilkiwi/mimikatz/releases/tag/2.2.0-20210723", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942", "https://attack.mitre.org/techniques/T1187/"], "tags": {"name": "PetitPotam NTLM Relay on Active Directory Certificate Services", "analytic_story": "PetitPotam NTLM Relay on Active Directory Certificate Services", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1187", "mitre_attack_technique": "Forced Authentication", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["DarkHydrus", "Dragonfly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}], "mitre_attack_tactics": ["Credential Access"], "datamodels": [], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - PetitPotam Network Share Access Request - Rule", "ESCU - PetitPotam Suspicious Kerberos TGT Request - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Splunk", "author_name": "Michael Haag", "detections": [{"name": "PetitPotam Network Share Access Request", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Forced Authentication"}]}}, {"name": "PetitPotam Suspicious Kerberos TGT Request", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}]}}]}, {"name": "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "id": "988C59C5-0A1C-45B6-A555-0C62276E327E", "version": 1, "date": "2020-01-22", "author": "iDefense Cyber Espionage Team, iDefense", "description": "Monitor your environment for suspicious behaviors that resemble the techniques employed by the MUDCARP threat group.", "narrative": "This story was created as a joint effort between iDefense and Splunk.\\\niDefense analysts have recently discovered a Windows executable file that, upon execution, spoofs a decryption tool and then drops a file that appears to be the custom-built javascript backdoor, \"Orz,\" which is associated with the threat actors known as MUDCARP (as well as \"temp.Periscope\" and \"Leviathan\"). The file is executed using Wscript.\\\nThe MUDCARP techniques include the use of the compressed-folders module from Microsoft, zipfldr.dll, with RouteTheCall export to run the malicious process or command. After a successful reboot, the malware is made persistent by a manipulating `[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]'help'='c:\\\\windows\\\\system32\\\\rundll32.exe c:\\\\windows\\\\system32\\\\zipfldr.dll,RouteTheCall c:\\\\programdata\\\\winapp.exe'`. Though this technique is not exclusive to MUDCARP, it has been spotted in the group's arsenal of advanced techniques seen in the wild.\\\nThis Analytic Story searches for evidence of tactics, techniques, and procedures (TTPs) that allow for the use of a endpoint detection-and-response (EDR) bypass technique to mask the true parent of a malicious process. It can also be set as a registry key for further sandbox evasion and to allow the malware to launch only after reboot.\\\nIf behavioral searches included in this story yield positive hits, iDefense recommends conducting IOC searches for the following:\\\n\\\n1. www.chemscalere[.]com\\\n1. chemscalere[.]com\\\n1. about.chemscalere[.]com\\\n1. autoconfig.chemscalere[.]com\\\n1. autodiscover.chemscalere[.]com\\\n1. catalog.chemscalere[.]com\\\n1. cpanel.chemscalere[.]com\\\n1. db.chemscalere[.]com\\\n1. ftp.chemscalere[.]com\\\n1. mail.chemscalere[.]com\\\n1. news.chemscalere[.]com\\\n1. update.chemscalere[.]com\\\n1. webmail.chemscalere[.]com\\\n1. www.candlelightparty[.]org\\\n1. candlelightparty[.]org\\\n1. newapp.freshasianews[.]comIn addition, iDefense also recommends that organizations review their environments for activity related to the following hashes:\\\n\\\n1. cd195ee448a3657b5c2c2d13e9c7a2e2\\\n1. b43ad826fe6928245d3c02b648296b43\\\n1. 889a9b52566448231f112a5ce9b5dfaf\\\n1. b8ec65dab97cdef3cd256cc4753f0c54\\\n1. 04d83cd3813698de28cfbba326d7647c", "references": ["https://www.infosecurity-magazine.com/news/scope-of-mudcarp-attacks-highlight-1/", "http://blog.amossys.fr/badflick-is-not-so-bad.html"], "tags": {"name": "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "analytic_story": "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule"], "investigation_names": ["ESCU - Get History Of Email Sources - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": ["ESCU - Baseline of Command Line Length - MLTK", "ESCU - Previously seen command line arguments"], "author_company": "iDefense", "author_name": "iDefense Cyber Espionage Team", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Unusually Long Command Line", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Unusually Long Command Line - MLTK", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "PrintNightmare CVE-2021-34527", "id": "fd79470a-da88-11eb-b803-acde48001122", "version": 1, "date": "2021-07-01", "author": "Splunk Threat Research Team", "description": "The following analytic story identifies behaviors related PrintNightmare, or CVE-2021-34527 previously known as (CVE-2021-1675), to gain privilege escalation on the vulnerable machine.", "narrative": "This vulnerability affects the Print Spooler service, enabled by default on Windows systems, and allows adversaries to trick this service into installing a remotely hosted print driver using a low privileged user account. Successful exploitation effectively allows adversaries to execute code in the target system (Remote Code Execution) in the context of the Print Spooler service which runs with the highest privileges (Privilege Escalation). \\\nThe prerequisites for successful exploitation consist of: \\\n1. Print Spooler service enabled on the target system \\\n1. Network connectivity to the target system (initial access has been obtained) \\\n1. Hash or password for a low privileged user ( or computer ) account. \\\nIn the most impactful scenario, an attacker would be able to leverage this vulnerability to obtain a SYSTEM shell on a domain controller and so escalate their privileges from a low privileged domain account to full domain access in the target environment as shown below.", "references": ["https://github.com/cube0x0/CVE-2021-1675/", "https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/", "https://blog.truesec.com/2021/06/30/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675/", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "tags": {"name": "PrintNightmare CVE-2021-34527", "analytic_story": "PrintNightmare CVE-2021-34527", "category": ["Vulnerability"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Print Spooler Adding A Printer Driver - Rule", "ESCU - Print Spooler Failed to Load a Plug-in - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - Spoolsv Spawning Rundll32 - Rule", "ESCU - Spoolsv Suspicious Loaded Modules - Rule", "ESCU - Spoolsv Suspicious Process Access - Rule", "ESCU - Spoolsv Writing a DLL - Rule", "ESCU - Spoolsv Writing a DLL - Sysmon - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Splunk Threat Research Team", "detections": [{"name": "Print Spooler Adding A Printer Driver", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Print Spooler Failed to Load a Plug-in", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Spoolsv Spawning Rundll32", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Spoolsv Suspicious Loaded Modules", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Spoolsv Suspicious Process Access", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Spoolsv Writing a DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Spoolsv Writing a DLL - Sysmon", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}]}, {"name": "Prohibited Traffic Allowed or Protocol Mismatch", "id": "6d13121c-90f3-446d-8ac3-27efbbc65218", "version": 1, "date": "2017-09-11", "author": "Rico Valdez, Splunk", "description": "Detect instances of prohibited network traffic allowed in the environment, as well as protocols running on non-standard ports. Both of these types of behaviors typically violate policy and can be leveraged by attackers.", "narrative": "A traditional security best practice is to control the ports, protocols, and services allowed within your environment. By limiting the services and protocols to those explicitly approved by policy, administrators can minimize the attack surface. The combined effect allows both network defenders and security controls to focus and not be mired in superfluous traffic or data types. Looking for deviations to policy can identify attacker activity that abuses services and protocols to run on alternate or non-standard ports in the attempt to avoid detection or frustrate forensic analysts.", "references": ["http://www.novetta.com/2015/02/advanced-methods-to-detect-advanced-cyber-attacks-protocol-abuse/"], "tags": {"name": "Prohibited Traffic Allowed or Protocol Mismatch", "analytic_story": "Prohibited Traffic Allowed or Protocol Mismatch", "category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Dragonfly", "Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1071.001", "mitre_attack_technique": "Web Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Confucius", "Dark Caracal", "FIN4", "FIN8", "Gamaredon Group", "HAFNIUM", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "OilRig", "Orangeworm", "Rancor", "Rocke", "Sandworm Team", "Sidewinder", "SilverTerrier", "Stealth Falcon", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "WIRTE", "Windshift", "Wizard Spider"]}], "mitre_attack_tactics": ["Command And Control", "Exfiltration", "Initial Access", "Lateral Movement"], "datamodels": ["Endpoint", "Network_Resolution", "Network_Traffic"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - Allow Inbound Traffic In Firewall Rule - Rule", "ESCU - Enable RDP In Other Port Number - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Prohibited Network Traffic Allowed - Rule", "ESCU - Protocol or Port Mismatch - Rule", "ESCU - TOR Traffic - Rule"], "investigation_names": ["ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task"], "baseline_names": ["ESCU - Count of Unique IPs Connecting to Ports"], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Allow Inbound Traffic In Firewall Rule", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Enable RDP In Other Port Number", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}]}}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Prohibited Network Traffic Allowed", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Protocol or Port Mismatch", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "TOR Traffic", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application Layer Protocol"}, {"mitre_attack_technique": "Web Protocols"}]}}]}, {"name": "ProxyNotShell", "id": "4e3f17e7-9ed7-425d-a05e-b65464945836", "version": 1, "date": "2022-09-30", "author": "Michael Haag, Splunk", "description": "Two new zero day Microsoft Exchange vulnerabilities have been identified actively exploited in the wild - CVE-2022-41040 and CVE-2022-41082.", "narrative": "Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker. Originally identified by GTSC monitoring Exchange, some adversary post-exploitation activity was identified and is tagged to this story.", "references": ["https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/", "https://twitter.com/GossiTheDog/status/1575762721353916417?s=20&t=67gq9xCWuyPm1VEm8ydfyA", "https://twitter.com/cglyer/status/1575793769814728705?s=20&t=67gq9xCWuyPm1VEm8ydfyA", "https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html", "https://research.splunk.com/stories/proxyshell/", "https://www.inversecos.com/2022/07/hunting-for-apt-abuse-of-exchange.html"], "tags": {"name": "ProxyNotShell", "analytic_story": "ProxyNotShell", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Command And Control", "Execution", "Initial Access", "Persistence"], "datamodels": ["Endpoint", "Risk", "Web"], "kill_chain_phases": ["Command And Control", "Delivery", "Installation"]}, "detection_names": ["ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Exchange PowerShell Abuse via SSRF - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows MSExchange Management Mailbox Cmdlet Usage - Rule", "ESCU - ProxyShell ProxyNotShell Behavior Detected - Rule", "ESCU - Windows Exchange Autodiscover SSRF Abuse - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Exchange PowerShell Abuse via SSRF", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Windows MSExchange Management Mailbox Cmdlet Usage", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "ProxyShell ProxyNotShell Behavior Detected", "source": "web", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Windows Exchange Autodiscover SSRF Abuse", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "ProxyShell", "id": "413bb68e-04e2-11ec-a835-acde48001122", "version": 1, "date": "2021-08-24", "author": "Michael Haag, Teoderick Contreras, Mauricio Velazco, Splunk", "description": "ProxyShell is a chain of exploits targeting on-premise Microsoft Exchange Server - CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.", "narrative": "During Pwn2Own April 2021, a security researcher demonstrated an attack chain targeting on-premise Microsoft Exchange Server. August 5th, the same researcher publicly released further details and demonstrated the attack chain. CVE-2021-34473 Pre-auth path confusion leads to ACL Bypass (Patched in April by KB5001779) CVE-2021-34523 - Elevation of privilege on Exchange PowerShell backend (Patched in April by KB5001779) . CVE-2021-31207 - Post-auth Arbitrary-File-Write leads to RCE (Patched in May by KB5003435) Upon successful exploitation, the remote attacker will have SYSTEM privileges on the Exchange Server. In addition to remote access/execution, the adversary may be able to run Exchange PowerShell Cmdlets to perform further actions.", "references": ["https://y4y.space/2021/08/12/my-steps-of-reproducing-proxyshell/", "https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell", "https://www.youtube.com/watch?v=FC6iHw258RI", "https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit#what-should-you-do", "https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf", "https://www.inversecos.com/2022/07/hunting-for-apt-abuse-of-exchange.html"], "tags": {"name": "ProxyShell", "analytic_story": "ProxyShell", "category": ["Adversary Tactics", "Ransomware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Execution", "Initial Access", "Persistence"], "datamodels": ["Endpoint", "Risk", "Web"], "kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Exchange PowerShell Abuse via SSRF - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - MS Exchange Mailbox Replication service writing Active Server Pages - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows MSExchange Management Mailbox Cmdlet Usage - Rule", "ESCU - ProxyShell ProxyNotShell Behavior Detected - Rule", "ESCU - Windows Exchange Autodiscover SSRF Abuse - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Mauricio Velazco, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Exchange PowerShell Abuse via SSRF", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "MS Exchange Mailbox Replication service writing Active Server Pages", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Windows MSExchange Management Mailbox Cmdlet Usage", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "ProxyShell ProxyNotShell Behavior Detected", "source": "web", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Windows Exchange Autodiscover SSRF Abuse", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "Qakbot", "id": "0c6169b1-f126-4d86-8e4f-f7891007ebc6", "version": 2, "date": "2022-11-14", "author": "Teoderick Contreras, Splunk", "description": "QakBot is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. QakBot is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware (ref. MITRE ATT&CK).", "narrative": "QakBot notably has made its way on the CISA top malware list for 2021. QakBot for years has been under continious improvement when it comes to initial access, injection and post-exploitation. Multiple adversaries use QakBot to gain initial access and persist, most notably TA551. The actor(s) behind QakBot possess a modular framework consisting of maldoc builders, signed loaders, and DLLs that produce initially low detection rates at the beginning of the attack, which creates opportunities to deliver additional malware such as Egregor and Cobalt Strike. (ref. Cybersecurity ATT) The more recent campaigns utilize HTML smuggling to deliver a ISO container that has a LNK and QakBot payload. QakBot will either load via regsvr32.exe directly, it will attempt to perform DLL sideloading.", "references": ["https://www.cisa.gov/sites/default/files/publications/202010221030_QakBot%20TLPWHITE.pdf", "https://malpedia.caad.fkie.fraunhofer.de/details/win.QakBot", "https://securelist.com/QakBot-technical-analysis/103931/", "https://www.fortinet.com/blog/threat-research/new-variant-of-QakBot-spread-by-phishing-emails", "https://attack.mitre.org/software/S0650/", "https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot"], "tags": {"name": "Qakbot", "analytic_story": "Qakbot", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016.001", "mitre_attack_technique": "Internet Connection Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Gamaredon Group", "HAFNIUM", "HEXANE", "Magic Hound", "Turla"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Dragonfly", "Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1574.001", "mitre_attack_technique": "DLL Search Order Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Aquatic Panda", "BackdoorDiplomacy", "Evilnum", "RTM", "Threat Group-3390", "Tonto Team", "Whitefly", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Earth Lusca", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1055.001", "mitre_attack_technique": "Dynamic-link Library Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["BackdoorDiplomacy", "Lazarus Group", "Leviathan", "Putter Panda", "TA505", "Tropic Trooper", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1055.002", "mitre_attack_technique": "Portable Executable Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Gorgon Group", "Rocke"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Command And Control", "Defense Evasion", "Discovery", "Execution", "Initial Access", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control", "Delivery", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Create Remote Thread In Shell Application - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Office Application Spawn Regsvr32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Process Creating LNK file in Suspicious Location - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Services LOLBAS Execution Process Spawn - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - Wermgr Process Spawned CMD Or Powershell Process - Rule", "ESCU - Windows App Layer Protocol Qakbot NamedPipe - Rule", "ESCU - Windows App Layer Protocol Wermgr Connect To NamedPipe - Rule", "ESCU - Windows Command Shell Fetch Env Variables - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt with Sysmon - Rule", "ESCU - Windows DLL Side-Loading In Calc - Rule", "ESCU - Windows DLL Side-Loading Process Child Of Calc - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Masquerading Explorer As Child Process - Rule", "ESCU - Windows Modify Registry Qakbot Binary Data Registry - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows Process Injection Of Wermgr to Known Browser - Rule", "ESCU - Windows Process Injection Remote Thread - Rule", "ESCU - Windows Process Injection Wermgr Child Process - Rule", "ESCU - Windows Regsvr32 Renamed Binary - Rule", "ESCU - Windows Schtasks Create Run As System - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows System Discovery Using ldap Nslookup - Rule", "ESCU - Windows System Discovery Using Qwinsta - Rule", "ESCU - Windows WMI Impersonate Token - Rule", "ESCU - Windows WMI Process Call Create - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}}, {"name": "Create Remote Thread In Shell Application", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Internet Connection Discovery"}]}}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}]}}, {"name": "Office Application Spawn Regsvr32 process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Process Creating LNK file in Suspicious Location", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Link"}]}}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Services LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "Masquerading"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Regsvr32 Register Suspicious Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "Wermgr Process Spawned CMD Or Powershell Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows App Layer Protocol Qakbot NamedPipe", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "Windows App Layer Protocol Wermgr Connect To NamedPipe", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "Windows Command Shell Fetch Env Variables", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows DLL Search Order Hijacking Hunt with Sysmon", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Windows DLL Side-Loading In Calc", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Windows DLL Side-Loading Process Child Of Calc", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "Windows Masquerading Explorer As Child Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Windows Modify Registry Qakbot Binary Data Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Windows Process Injection Of Wermgr to Known Browser", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Dynamic-link Library Injection"}, {"mitre_attack_technique": "Process Injection"}]}}, {"name": "Windows Process Injection Remote Thread", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Portable Executable Injection"}]}}, {"name": "Windows Process Injection Wermgr Child Process", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Windows Regsvr32 Renamed Binary", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Regsvr32"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows Schtasks Create Run As System", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Windows System Discovery Using ldap Nslookup", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "Windows System Discovery Using Qwinsta", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "Windows WMI Impersonate Token", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}]}, {"name": "Ransomware", "id": "cf309d0d-d4aa-4fbb-963d-1e79febd3756", "version": 1, "date": "2020-02-04", "author": "David Dorsey, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware--spikes in SMB traffic, suspicious wevtutil usage, the presence of common ransomware extensions, and system processes run from unexpected locations, and many others.", "narrative": "Ransomware is an ever-present risk to the enterprise, wherein an infected host encrypts business-critical data, holding it hostage until the victim pays the attacker a ransom. There are many types and varieties of ransomware that can affect an enterprise. Attackers can deploy ransomware to enterprises through spearphishing campaigns and driveby downloads, as well as through traditional remote service-based exploitation. In the case of the WannaCry campaign, there was self-propagating wormable functionality that was used to maximize infection. Fortunately, organizations can apply several techniques--such as those in this Analytic Story--to detect and or mitigate the effects of ransomware.", "references": ["https://web.archive.org/web/20190826231258/https://www.carbonblack.com/2017/06/28/carbon-black-threat-research-technical-analysis-petya-notpetya-ransomware/", "https://www.splunk.com/blog/2017/06/27/closing-the-detection-to-mitigation-gap-or-to-petya-or-notpetya-whocares-.html"], "tags": {"name": "Ransomware", "analytic_story": "Ransomware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "Turla", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.003", "mitre_attack_technique": "CMSTP", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "MuddyWater"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1020", "mitre_attack_technique": "Automated Exfiltration", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Gamaredon Group", "Ke3chang", "Sidewinder", "Tropic Trooper"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "admin@338"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Earth Lusca", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1027.005", "mitre_attack_technique": "Indicator Removal from Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT3", "Deep Panda", "GALLIUM", "OilRig", "Patchwork", "TEMP.Veles", "Turla"]}, {"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1218.007", "mitre_attack_technique": "Msiexec", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Machete", "Molerats", "Rancor", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1588.002", "mitre_attack_technique": "Tool", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT19", "APT28", "APT29", "APT32", "APT33", "APT38", "APT39", "APT41", "Aoqin Dragon", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Carbanak", "Chimera", "Cleaver", "Cobalt Group", "CopyKittens", "DarkHydrus", "DarkVishnya", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN5", "FIN6", "Ferocious Kitten", "GALLIUM", "Gorgon Group", "HEXANE", "Inception", "IndigoZebra", "Ke3chang", "Kimsuky", "LAPSUS$", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "Metador", "Moses Staff", "MuddyWater", "POLONIUM", "Patchwork", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "TA505", "TEMP.Veles", "Threat Group-3390", "Thrip", "Turla", "WIRTE", "Whitefly", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "TeamTNT", "Thrip"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Dragonfly", "Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1071.001", "mitre_attack_technique": "Web Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Confucius", "Dark Caracal", "FIN4", "FIN8", "Gamaredon Group", "HAFNIUM", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "OilRig", "Orangeworm", "Rancor", "Rocke", "Sandworm Team", "Sidewinder", "SilverTerrier", "Stealth Falcon", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "WIRTE", "Windshift", "Wizard Spider"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Defense Evasion", "Discovery", "Execution", "Exfiltration", "Impact", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance", "Resource Development"], "datamodels": ["Change", "Endpoint", "Network_Traffic"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation", "Installation", "Reconnaissance", "Weaponization"]}, "detection_names": ["ESCU - Scheduled tasks used in BadRabbit ransomware - Rule", "ESCU - 7zip CommandLine To SMB Share Path - Rule", "ESCU - Allow File And Printing Sharing In Firewall - Rule", "ESCU - Allow Network Discovery In Firewall - Rule", "ESCU - Allow Operation with Consent Admin - Rule", "ESCU - BCDEdit Failure Recovery Modification - Rule", "ESCU - Clear Unallocated Sector Using Cipher App - Rule", "ESCU - CMLUA Or CMSTPLUA UAC Bypass - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Conti Common Exec parameter - Rule", "ESCU - Delete ShadowCopy With PowerShell - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect RClone Command-Line Usage - Rule", "ESCU - Detect Renamed RClone - Rule", "ESCU - Detect SharpHound Command-Line Arguments - Rule", "ESCU - Detect SharpHound File Modifications - Rule", "ESCU - Detect SharpHound Usage - Rule", "ESCU - Disable AMSI Through Registry - Rule", "ESCU - Disable ETW Through Registry - Rule", "ESCU - Disable Logs Using WevtUtil - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Excessive Service Stop Attempt - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Excessive Usage Of SC Service Utility - Rule", "ESCU - Execute Javascript With Jscript COM CLSID - Rule", "ESCU - Fsutil Zeroing File - Rule", "ESCU - ICACLS Grant Command - Rule", "ESCU - Known Services Killed by Ransomware - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - MS Exchange Mailbox Replication service writing Active Server Pages - Rule", "ESCU - Msmpeng Application DLL Side Loading - Rule", "ESCU - Permission Modification using Takeown App - Rule", "ESCU - Powershell Disable Security Monitoring - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Prevent Automatic Repair Mode using Bcdedit - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recursive Delete of Directory In Batch CMD - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Remote Process Instantiation via WMI - Rule", "ESCU - Revil Common Exec Parameter - Rule", "ESCU - Revil Registry Entry - Rule", "ESCU - Rundll32 LockWorkStation - Rule", "ESCU - Schtasks used for forcing a reboot - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Suspicious Event Log Service Behavior - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - UAC Bypass With Colorui COM Object - Rule", "ESCU - Uninstall App Using MsiExec - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule", "ESCU - USN Journal Deletion - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Wbemprox COM Object Execution - Rule", "ESCU - Windows Disable Change Password Through Registry - Rule", "ESCU - Windows Disable Lock Workstation Feature Through Registry - Rule", "ESCU - Windows Disable LogOff Button Through Registry - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows Disable Shutdown Button Through Registry - Rule", "ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule", "ESCU - Windows DiskCryptor Usage - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows Event Log Cleared - Rule", "ESCU - Windows Hide Notification Features Through Registry - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows Raccine Scheduled Task Deletion - Rule", "ESCU - Windows Registry Modification for Safe Mode Persistence - Rule", "ESCU - Windows Remote Access Software Hunt - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - Prohibited Network Traffic Allowed - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule", "ESCU - TOR Traffic - Rule"], "investigation_names": ["ESCU - Get Backup Logs For Endpoint - Response Task", "ESCU - Get History Of Email Sources - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task", "ESCU - Get Sysmon WMI Activity for Host - Response Task"], "baseline_names": ["ESCU - Baseline of Command Line Length - MLTK", "ESCU - Baseline of SMB Traffic - MLTK", "ESCU - Count of Unique IPs Connecting to Ports"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Scheduled tasks used in BadRabbit ransomware", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "7zip CommandLine To SMB Share Path", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "Allow File And Printing Sharing In Firewall", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Allow Network Discovery In Firewall", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Allow Operation with Consent Admin", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "BCDEdit Failure Recovery Modification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Clear Unallocated Sector Using Cipher App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "CMLUA Or CMSTPLUA UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Conti Common Exec parameter", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}]}}, {"name": "Delete ShadowCopy With PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Detect RClone Command-Line Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Automated Exfiltration"}]}}, {"name": "Detect Renamed RClone", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Automated Exfiltration"}]}}, {"name": "Detect SharpHound Command-Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Local Groups"}, {"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Groups"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}}, {"name": "Detect SharpHound File Modifications", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Local Groups"}, {"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Groups"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}}, {"name": "Detect SharpHound Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Local Groups"}, {"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Groups"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}}, {"name": "Disable AMSI Through Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable ETW Through Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Logs Using WevtUtil", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Excessive Service Stop Attempt", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Access Removal"}]}}, {"name": "Excessive Usage Of SC Service Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Execute Javascript With Jscript COM CLSID", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Visual Basic"}]}}, {"name": "Fsutil Zeroing File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "ICACLS Grant Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Known Services Killed by Ransomware", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Defacement"}]}}, {"name": "MS Exchange Mailbox Replication service writing Active Server Pages", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Msmpeng Application DLL Side Loading", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Permission Modification using Takeown App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Powershell Disable Security Monitoring", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Powershell Enable SMB1Protocol Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Indicator Removal from Tools"}]}}, {"name": "Powershell Execute COM Object", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Component Object Model Hijacking"}, {"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Prevent Automatic Repair Mode using Bcdedit", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}, {"name": "Recursive Delete of Directory In Batch CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Remote Process Instantiation via WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Revil Common Exec Parameter", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}]}}, {"name": "Revil Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Rundll32 LockWorkStation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Schtasks used for forcing a reboot", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Spike in File Writes", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Suspicious Event Log Service Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Clear Windows Event Logs"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "UAC Bypass With Colorui COM Object", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}}, {"name": "Uninstall App Using MsiExec", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Msiexec"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Unusually Long Command Line", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Unusually Long Command Line - MLTK", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "USN Journal Deletion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "WBAdmin Delete System Backups", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Wbemprox COM Object Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}}, {"name": "Windows Disable Change Password Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable Lock Workstation Feature Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable LogOff Button Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable Memory Crash Dump", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows Disable Shutdown Button Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows DiskCryptor Usage", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows Event Log Cleared", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}}, {"name": "Windows Hide Notification Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows NirSoft AdvancedRun", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Tool"}]}}, {"name": "Windows Raccine Scheduled Task Deletion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}]}}, {"name": "Windows Registry Modification for Safe Mode Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows Remote Access Software Hunt", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Access Software"}]}}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Prohibited Network Traffic Allowed", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "SMB Traffic Spike", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "SMB Traffic Spike - MLTK", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "TOR Traffic", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application Layer Protocol"}, {"mitre_attack_technique": "Web Protocols"}]}}]}, {"name": "BlackMatter Ransomware", "id": "0da348a3-78a0-412e-ab27-2de9dd7f9fee", "version": 1, "date": "2021-09-06", "author": "Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the BlackMatter ransomware, including looking for file writes associated with BlackMatter, force safe mode boot, autadminlogon account registry modification and more.", "narrative": "BlackMatter ransomware campaigns targeting healthcare and other vertical sectors, involve the use of ransomware payloads along with exfiltration of data per HHS bulletin. Malicious actors demand payment for ransome of data and threaten deletion and exposure of exfiltrated data.", "references": ["https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/", "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/", "https://blog.malwarebytes.com/ransomware/2021/07/blackmatter-a-new-ransomware-group-claims-link-to-darkside-revil/"], "tags": {"name": "BlackMatter Ransomware", "analytic_story": "BlackMatter Ransomware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1552.002", "mitre_attack_technique": "Credentials in Registry", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT32"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}], "mitre_attack_tactics": ["Credential Access", "Impact"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"]}, "detection_names": ["ESCU - Add DefaultUser And Password In Registry - Rule", "ESCU - Auto Admin Logon Registry Entry - Rule", "ESCU - Bcdedit Command Back To Normal Mode Boot - Rule", "ESCU - Change To Safe Mode With Network Config - Rule", "ESCU - Known Services Killed by Ransomware - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Ransomware Notes bulk creation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Add DefaultUser And Password In Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials in Registry"}, {"mitre_attack_technique": "Unsecured Credentials"}]}}, {"name": "Auto Admin Logon Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials in Registry"}, {"mitre_attack_technique": "Unsecured Credentials"}]}}, {"name": "Bcdedit Command Back To Normal Mode Boot", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Change To Safe Mode With Network Config", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Known Services Killed by Ransomware", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Defacement"}]}}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}]}, {"name": "Chaos Ransomware", "id": "153d7b8f-27f2-4e4d-bae8-dfafd93a22a8", "version": 1, "date": "2023-01-11", "author": "Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Chaos ransomware, including looking for file writes (file encryption and ransomware notes), deleting shadow volume storage, registry key modification, dropping of files in startup folder, and more.", "narrative": "CHAOS ransomware has been seen and monitored since 2021. This ransomware is purportedly a .NET version of Ryuk ransomware but upon closer look to its code and behavior, this malware sample reveals that it doesn't share much relation to the notorious RYUK ransomware. This ransomware is one of the known ransomware that was used in the ongoing geo-political war. This ransomware is capable to check that only one copy of itself is running on the targeted host, delay of execution as part of its defense evasion technique, persistence through registry and startup folder, drop a copy of itself in each root drive of the targeted host and also in %appdata% folder and many more. As of writing this ransomware is still active and keeps on infecting Windows Operating machines and Windows networks.", "references": ["https://blog.qualys.com/vulnerabilities-threat-research/2022/01/17/the-chaos-ransomware-can-be-ravaging", "https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-in-fake-minecraft-alt-list-brings-destruction", "https://marcoramilli.com/2021/06/14/the-allegedly-ryuk-ransomware-builder-ryukjoke/", "https://www.trendmicro.com/en_us/research/21/h/chaos-ransomware-a-dangerous-proof-of-concept.html"], "tags": {"name": "Chaos Ransomware", "analytic_story": "Chaos Ransomware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1091", "mitre_attack_technique": "Replication Through Removable Media", "mitre_attack_tactics": ["Initial Access", "Lateral Movement"], "mitre_attack_groups": ["APT28", "Aoqin Dragon", "Darkhotel", "FIN7", "LuminousMoth", "Mustang Panda", "Tropic Trooper"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Impact", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Prevent Automatic Repair Mode using Bcdedit - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Windows Boot or Logon Autostart Execution In Startup Folder - Rule", "ESCU - Windows Replication Through Removable Media - Rule", "ESCU - Windows User Execution Malicious URL Shortcut File - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Prevent Automatic Repair Mode using Bcdedit", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "WBAdmin Delete System Backups", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Windows Boot or Logon Autostart Execution In Startup Folder", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows Replication Through Removable Media", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Replication Through Removable Media"}]}}, {"name": "Windows User Execution Malicious URL Shortcut File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious File"}, {"mitre_attack_technique": "User Execution"}]}}]}, {"name": "Clop Ransomware", "id": "5a6f6849-1a26-4fae-aa05-fa730556eeb6", "version": 1, "date": "2021-03-17", "author": "Rod Soto, Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Clop ransomware, including looking for file writes associated with Clope, encrypting network shares, deleting and resizing shadow volume storage, registry key modification, deleting of security logs, and more.", "narrative": "Clop ransomware campaigns targeting healthcare and other vertical sectors, involve the use of ransomware payloads along with exfiltration of data per HHS bulletin. Malicious actors demand payment for ransome of data and threaten deletion and exposure of exfiltrated data.", "references": ["https://www.hhs.gov/sites/default/files/analyst-note-cl0p-tlp-white.pdf", "https://securityaffairs.co/wordpress/115250/data-breach/qualys-clop-ransomware.html", "https://www.darkreading.com/attacks-breaches/qualys-is-the-latest-victim-of-accellion-data-breach/d/d-id/1340323"], "tags": {"name": "Clop Ransomware", "analytic_story": "Clop Ransomware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Impact", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Clop Common Exec Parameter - Rule", "ESCU - Clop Ransomware Known Service Name - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - Resize ShadowStorage volume - Rule", "ESCU - Suspicious Event Log Service Behavior - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - Windows Event Log Cleared - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Splunk", "author_name": "Rod Soto", "detections": [{"name": "Clop Common Exec Parameter", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}]}}, {"name": "Clop Ransomware Known Service Name", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "High Process Termination Frequency", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "Process Deleting Its Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "Resize ShadowStorage volume", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Suspicious Event Log Service Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Clear Windows Event Logs"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Windows Event Log Cleared", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}]}, {"name": "Ransomware Cloud", "id": "f52f6c43-05f8-4b19-a9d3-5b8c56da91c2", "version": 1, "date": "2020-10-27", "author": "Rod Soto, David Dorsey, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware. These searches include cloud related objects that may be targeted by malicious actors via cloud providers own encryption features.", "narrative": "Ransomware is an ever-present risk to the enterprise, wherein an infected host encrypts business-critical data, holding it hostage until the victim pays the attacker a ransom. There are many types and varieties of ransomware that can affect an enterprise.Cloud ransomware can be deployed by obtaining high privilege credentials from targeted users or resources.", "references": ["https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/", "https://github.com/d1vious/git-wild-hunt", "https://www.youtube.com/watch?v=PgzNib37g0M"], "tags": {"name": "Ransomware Cloud", "analytic_story": "Ransomware Cloud", "category": ["Malware"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}], "mitre_attack_tactics": ["Impact"], "datamodels": [], "kill_chain_phases": ["Actions on Objectives"]}, "detection_names": ["ESCU - AWS Detect Users creating keys with encrypt policy without MFA - Rule", "ESCU - AWS Detect Users with KMS keys performing encryption S3 - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "David Dorsey, Splunk", "author_name": "Rod Soto", "detections": [{"name": "AWS Detect Users creating keys with encrypt policy without MFA", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "AWS Detect Users with KMS keys performing encryption S3", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}]}, {"name": "DarkSide Ransomware", "id": "507edc74-13d5-4339-878e-b9114ded1f35", "version": 1, "date": "2021-05-12", "author": "Bhavin Patel, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the DarkSide Ransomware", "narrative": "This story addresses Darkside ransomware. This ransomware payload has many similarities to common ransomware however there are certain items particular to it. The creation of a .TXT log that shows every item being encrypted as well as the creation of ransomware notes and files adding a machine ID created based on CRC32 checksum algorithm. This ransomware payload leaves machines in minimal operation level,enough to browse the attackers websites. A customized URI with leaked information is presented to each victim.This is the ransomware payload that shut down the Colonial pipeline. The story is composed of several detection searches covering similar items to other ransomware payloads and those particular to Darkside payload.", "references": ["https://www.splunk.com/en_us/blog/security/the-darkside-of-the-ransomware-pipeline.htmlbig-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", "https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations"], "tags": {"name": "DarkSide Ransomware", "analytic_story": "DarkSide Ransomware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1197", "mitre_attack_technique": "BITS Jobs", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT39", "APT41", "Leviathan", "Patchwork"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.003", "mitre_attack_technique": "CMSTP", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "MuddyWater"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1020", "mitre_attack_technique": "Automated Exfiltration", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Gamaredon Group", "Ke3chang", "Sidewinder", "Tropic Trooper"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Execution", "Exfiltration", "Impact", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule", "ESCU - CMLUA Or CMSTPLUA UAC Bypass - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Delete ShadowCopy With PowerShell - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect RClone Command-Line Usage - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Detect Renamed RClone - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - SLUI RunAs Elevated - Rule", "ESCU - SLUI Spawning a Process - Rule", "ESCU - Windows Possible Credential Dumping - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "BITS Jobs"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CertUtil Download With VerifyCtl and Split Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CMLUA Or CMSTPLUA UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Delete ShadowCopy With PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Detect RClone Command-Line Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Automated Exfiltration"}]}}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Detect Renamed RClone", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Automated Exfiltration"}]}}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "SLUI RunAs Elevated", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "SLUI Spawning a Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}]}, {"name": "LockBit Ransomware", "id": "67e5b98d-16d6-46a6-8d00-070a3d1a5cfc", "version": 1, "date": "2023-01-16", "author": "Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the LockBit ransomware, including looking for file writes (file encryption and ransomware notes), deleting services, terminating processes, registry key modification and more.", "narrative": "LockBit ransomware was first seen in 2019. This ransomware was used by cybercriminal in targeting multiple sectors and organizations. Lockbit is one of the ransomware being offered as a Ransomware-as-a-Service(RaaS) and also known to affiliates to implement the 'double extortion' techniques by uploading the stolen and sensitive victim information to their dark website and then threatening to sell/release it in public if their demands are not met. LockBit Ransomware advertised opportunities for threat actors that could provide credential access via RDP and VPN. Aside from this it is also uses threat emulation like Cobalt Strike and Metasploit to gain foot hold to the targeted host and persist if needed.", "references": ["https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html", "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/", "https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom", "https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html"], "tags": {"name": "LockBit Ransomware", "analytic_story": "LockBit Ransomware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.003", "mitre_attack_technique": "CMSTP", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "MuddyWater"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Impact", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - CMLUA Or CMSTPLUA UAC Bypass - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Fsutil Zeroing File - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - Known Services Killed by Ransomware - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - UAC Bypass With Colorui COM Object - Rule", "ESCU - Wbemprox COM Object Execution - Rule", "ESCU - Windows Modify Registry Default Icon Setting - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMLUA Or CMSTPLUA UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Fsutil Zeroing File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "High Process Termination Frequency", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "Known Services Killed by Ransomware", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Defacement"}]}}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "UAC Bypass With Colorui COM Object", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}}, {"name": "Wbemprox COM Object Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}}, {"name": "Windows Modify Registry Default Icon Setting", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}]}, {"name": "Prestige Ransomware", "id": "8b8d8506-b931-450c-b794-f24184ca1deb", "version": 1, "date": "2022-11-30", "author": "Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Prestige Ransomware", "narrative": "This story addresses Prestige ransomware. This ransomware payload seen by Microsoft Threat Intelligence Center(MSTIC) as a ransomware campaign targeting organization in the transportation and logistic industries in some countries. This ransomware campaign highlight the destructive attack to its target organization that directly supplies or transporting military and humanitarian services or assistance. MSTIC observed this ransomware has similarities in terms of its deployment techniques with CaddyWiper and HermeticWiper which is also known malware campaign impacted multiple targeted critical infrastructure organizations. This analytic story will provide techniques and analytics that may help SOC or security researchers to monitor this threat.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"name": "Prestige Ransomware", "analytic_story": "Prestige Ransomware", "category": ["Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.005", "mitre_attack_technique": "Network Share Connection Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Threat Group-3390"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "admin@338"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016.001", "mitre_attack_technique": "Internet Connection Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Gamaredon Group", "HAFNIUM", "HEXANE", "Magic Hound", "Turla"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003.005", "mitre_attack_technique": "Cached Domain Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "Leafminer", "MuddyWater", "OilRig"]}, {"mitre_attack_id": "T1115", "mitre_attack_technique": "Clipboard Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT38", "APT39"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon"]}, {"mitre_attack_id": "T1552.002", "mitre_attack_technique": "Credentials in Registry", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT32"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1202", "mitre_attack_technique": "Indirect Command Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TeamTNT", "Tropic Trooper", "Turla", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "ZIRCONIUM"]}, {"mitre_attack_id": "T1555.005", "mitre_attack_technique": "Password Managers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Fox Kitten", "Threat Group-3390"]}, {"mitre_attack_id": "T1552.004", "mitre_attack_technique": "Private Keys", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1547.005", "mitre_attack_technique": "Security Support Provider", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Windshift", "Wizard Spider", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Collection", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Change Default File Association - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Windows Cached Domain Credentials Reg Query - Rule", "ESCU - Windows Change Default File Association For No File Ext - Rule", "ESCU - Windows ClipBoard Data via Get-ClipBoard - Rule", "ESCU - Windows Credentials from Password Stores Query - Rule", "ESCU - Windows Credentials in Registry Reg Query - Rule", "ESCU - Windows Indirect Command Execution Via Series Of Forfiles - Rule", "ESCU - Windows Information Discovery Fsutil - Rule", "ESCU - Windows Modify Registry Reg Restore - Rule", "ESCU - Windows Password Managers Discovery - Rule", "ESCU - Windows Private Keys Discovery - Rule", "ESCU - Windows Query Registry Reg Save - Rule", "ESCU - Windows Security Support Provider Reg Query - Rule", "ESCU - Windows Service Stop Via Net and SC Application - Rule", "ESCU - Windows Steal or Forge Kerberos Tickets Klist - Rule", "ESCU - Windows System Network Config Discovery Display DNS - Rule", "ESCU - Windows System Network Connections Discovery Netsh - Rule", "ESCU - Windows System User Discovery Via Quser - Rule", "ESCU - Windows WMI Process And Service List - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Network Share Connection Removal"}]}}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Excessive Usage Of Cacls App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Access Removal"}]}}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Connection Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Internet Connection Discovery"}]}}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "WBAdmin Delete System Backups", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Windows Cached Domain Credentials Reg Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cached Domain Credentials"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Change Default File Association For No File Ext", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Windows ClipBoard Data via Get-ClipBoard", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Clipboard Data"}]}}, {"name": "Windows Credentials from Password Stores Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}]}}, {"name": "Windows Credentials in Registry Reg Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials in Registry"}, {"mitre_attack_technique": "Unsecured Credentials"}]}}, {"name": "Windows Indirect Command Execution Via Series Of Forfiles", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indirect Command Execution"}]}}, {"name": "Windows Information Discovery Fsutil", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Information Discovery"}]}}, {"name": "Windows Modify Registry Reg Restore", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Password Managers Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Managers"}]}}, {"name": "Windows Private Keys Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Private Keys"}, {"mitre_attack_technique": "Unsecured Credentials"}]}}, {"name": "Windows Query Registry Reg Save", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Security Support Provider Reg Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Support Provider"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows Service Stop Via Net and SC Application", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Windows Steal or Forge Kerberos Tickets Klist", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows System Network Config Discovery Display DNS", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}]}}, {"name": "Windows System Network Connections Discovery Netsh", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Windows System User Discovery Via Quser", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "Windows WMI Process And Service List", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}]}, {"name": "Revil Ransomware", "id": "817cae42-f54b-457a-8a36-fbf45521e29e", "version": 1, "date": "2021-06-04", "author": "Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Revil ransomware, including looking for file writes associated with Revil, encrypting network shares, deleting shadow volume storage, registry key modification, deleting of security logs, and more.", "narrative": "Revil ransomware is a RaaS,that a single group may operates and manges the development of this ransomware. It involve the use of ransomware payloads along with exfiltration of data. Malicious actors demand payment for ransome of data and threaten deletion and exposure of exfiltrated data.", "references": ["https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/"], "tags": {"name": "Revil Ransomware", "analytic_story": "Revil Ransomware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Earth Lusca", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.003", "mitre_attack_technique": "CMSTP", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "MuddyWater"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Impact", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Allow Network Discovery In Firewall - Rule", "ESCU - Delete ShadowCopy With PowerShell - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Msmpeng Application DLL Side Loading - Rule", "ESCU - Powershell Disable Security Monitoring - Rule", "ESCU - Revil Common Exec Parameter - Rule", "ESCU - Revil Registry Entry - Rule", "ESCU - Wbemprox COM Object Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Network Discovery In Firewall", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Delete ShadowCopy With PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Defacement"}]}}, {"name": "Msmpeng Application DLL Side Loading", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Powershell Disable Security Monitoring", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Revil Common Exec Parameter", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}]}}, {"name": "Revil Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Wbemprox COM Object Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}}]}, {"name": "Ryuk Ransomware", "id": "507edc74-13d5-4339-878e-b9744ded1f35", "version": 1, "date": "2020-11-06", "author": "Jose Hernandez, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Ryuk ransomware, including looking for file writes associated with Ryuk, Stopping Security Access Manager, DisableAntiSpyware registry key modification, suspicious psexec use, and more.", "narrative": "Cybersecurity Infrastructure Security Agency (CISA) released Alert (AA20-302A) on October 28th called Ransomware Activity Targeting the Healthcare and Public Health Sector. This alert details TTPs associated with ongoing and possible imminent attacks against the Healthcare sector, and is a joint advisory in coordination with other U.S. Government agencies. The objective of these malicious campaigns is to infiltrate targets in named sectors and to drop ransomware payloads, which will likely cause disruption of service and increase risk of actual harm to the health and safety of patients at hospitals, even with the aggravant of an ongoing COVID-19 pandemic. This document specifically refers to several crimeware exploitation frameworks, emphasizing the use of Ryuk ransomware as payload. The Ryuk ransomware payload is not new. It has been well documented and identified in multiple variants. Payloads need a carrier, and for Ryuk it has often been exploitation frameworks such as Cobalt Strike, or popular crimeware frameworks such as Emotet or Trickbot.", "references": ["https://www.splunk.com/en_us/blog/security/detecting-ryuk-using-splunk-attack-range.html", "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", "https://us-cert.cisa.gov/ncas/alerts/aa20-302a"], "tags": {"name": "Ryuk Ransomware", "analytic_story": "Ryuk Ransomware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion", "Discovery", "Execution", "Impact", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Windows connhost exe started forcefully - Rule", "ESCU - BCDEdit Failure Recovery Modification - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Ryuk Test Files Detected - Rule", "ESCU - Ryuk Wake on LAN Command - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Security Account Manager Stopped - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - Remote Desktop Network Bruteforce - Rule", "ESCU - Remote Desktop Network Traffic - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": ["ESCU - Identify Systems Creating Remote Desktop Traffic", "ESCU - Identify Systems Receiving Remote Desktop Traffic", "ESCU - Identify Systems Using Remote Desktop"], "author_company": "Splunk", "author_name": "Jose Hernandez", "detections": [{"name": "Windows connhost exe started forcefully", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "BCDEdit Failure Recovery Modification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}]}}, {"name": "Ryuk Test Files Detected", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "Ryuk Wake on LAN Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "Spike in File Writes", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WBAdmin Delete System Backups", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Security Account Manager Stopped", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Remote Desktop Network Bruteforce", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Remote Desktop Network Traffic", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}]}, {"name": "SamSam Ransomware", "id": "c4b89506-fbcf-4cb7-bfd6-527e54789604", "version": 1, "date": "2018-12-13", "author": "Rico Valdez, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the SamSam ransomware, including looking for file writes associated with SamSam, RDP brute force attacks, the presence of files with SamSam ransomware extensions, suspicious psexec use, and more.", "narrative": "The first version of the SamSam ransomware (a.k.a. Samas or SamsamCrypt) was launched in 2015 by a group of Iranian threat actors. The malicious software has affected and continues to affect thousands of victims and has raised almost $6M in ransom.\\\nAlthough categorized under the heading of ransomware, SamSam campaigns have some importance distinguishing characteristics. Most notable is the fact that conventional ransomware is a numbers game. Perpetrators use a \"spray-and-pray\" approach with phishing campaigns or other mechanisms, charging a small ransom (typically under $1,000). The goal is to find a large number of victims willing to pay these mini-ransoms, adding up to a lucrative payday. They use relatively simple methods for infecting systems.\\\nSamSam attacks are different beasts. They have become progressively more targeted and skillful than typical ransomware attacks. First, malicious actors break into a victim's network, surveil it, then run the malware manually. The attacks are tailored to cause maximum damage and the threat actors usually demand amounts in the tens of thousands of dollars.\\\nIn a typical attack on one large healthcare organization in 2018, the company ended up paying a ransom of four Bitcoins, then worth $56,707. Reports showed that access to the company's files was restored within two hours of paying the sum.\\\nAccording to Sophos, SamSam previously leveraged RDP to gain access to targeted networks via brute force. SamSam is not spread automatically, like other malware. It requires skill because it forces the attacker to adapt their tactics to the individual environment. Next, the actors escalate their privileges to admin level. They scan the networks for worthy targets, using conventional tools, such as PsExec or PaExec, to deploy/execute, quickly encrypting files.\\\nThis Analytic Story includes searches designed to help detect and investigate signs of the SamSam ransomware, such as the creation of fileswrites to system32, writes with tell-tale extensions, batch files written to system32, and evidence of brute-force attacks via RDP.", "references": ["https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/", "https://nakedsecurity.sophos.com/2018/07/31/samsam-the-almost-6-million-ransomware/", "https://thehackernews.com/2018/07/samsam-ransomware-attacks.html"], "tags": {"name": "SamSam Ransomware", "analytic_story": "SamSam Ransomware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036.005", "mitre_attack_technique": "Match Legitimate Name or Location", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT32", "APT39", "APT41", "Aoqin Dragon", "BRONZE BUTLER", "BackdoorDiplomacy", "Blue Mockingbird", "Carbanak", "Chimera", "Darkhotel", "Earth Lusca", "FIN7", "Ferocious Kitten", "Fox Kitten", "Gamaredon Group", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Poseidon Group", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "Sowbug", "TEMP.Veles", "TeamTNT", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1595", "mitre_attack_technique": "Active Scanning", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}, {"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TeamTNT", "Tropic Trooper", "Turla", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Initial Access", "Lateral Movement", "Persistence", "Reconnaissance"], "datamodels": ["Endpoint", "Network_Traffic", "Web"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Prohibited Software On Endpoint - Rule", "ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Batch File Write to System32 - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - File with Samsam Extension - Rule", "ESCU - Samsam Test File Write - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Remote Desktop Network Bruteforce - Rule", "ESCU - Remote Desktop Network Traffic - Rule", "ESCU - Detect attackers scanning for vulnerable JBoss servers - Rule", "ESCU - Detect malicious requests to exploit JBoss servers - Rule"], "investigation_names": ["ESCU - Get Backup Logs For Endpoint - Response Task", "ESCU - Get History Of Email Sources - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task", "ESCU - Investigate Successful Remote Desktop Authentications - Response Task"], "baseline_names": ["ESCU - Add Prohibited Processes to Enterprise Security", "ESCU - Identify Systems Creating Remote Desktop Traffic", "ESCU - Identify Systems Receiving Remote Desktop Traffic", "ESCU - Identify Systems Using Remote Desktop"], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Prohibited Software On Endpoint", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Match Legitimate Name or Location"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "Active Scanning"}]}}, {"name": "Batch File Write to System32", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}, {"mitre_attack_technique": "Malicious File"}]}}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "File with Samsam Extension", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Samsam Test File Write", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "Spike in File Writes", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Remote Desktop Network Bruteforce", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Remote Desktop Network Traffic", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Detect attackers scanning for vulnerable JBoss servers", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Information Discovery"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Detect malicious requests to exploit JBoss servers", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "RedLine Stealer", "id": "12e31e8b-671b-4d6e-b362-a682812a71eb", "version": 1, "date": "2023-04-24", "author": "Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Redline Stealer trojan, including looking for file writes associated with its payload, screencapture, registry modification, persistence and data collection..", "narrative": "RedLine Stealer is a malware available on underground forum and subscription basis that are compiled or written in C#. This malware is capable of harvesting sensitive information from browsers such as saved credentials, auto file data, browser cookies and credit card information. It also gathers system information of the targeted or compromised host like username, location IP, RAM size available, hardware configuration and software installed. The current version of this malware contains features to steal wallet and crypto currency information.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer", "https://blogs.blackberry.com/en/2021/10/threat-thursday-redline-infostealer-update"], "tags": {"name": "RedLine Stealer", "analytic_story": "RedLine Stealer", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "ZIRCONIUM"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Impact", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Updates"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disabling Defender Services - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Event For Service Disabled - Rule", "ESCU - Windows Modify Registry Auto Minor Updates - Rule", "ESCU - Windows Modify Registry Auto Update Notif - Rule", "ESCU - Windows Modify Registry Disable WinDefender Notifications - Rule", "ESCU - Windows Modify Registry Do Not Connect To Win Update - Rule", "ESCU - Windows Modify Registry No Auto Reboot With Logon User - Rule", "ESCU - Windows Modify Registry No Auto Update - Rule", "ESCU - Windows Modify Registry Tamper Protection - Rule", "ESCU - Windows Modify Registry UpdateServiceUrlAlternate - Rule", "ESCU - Windows Modify Registry USeWuServer - Rule", "ESCU - Windows Modify Registry WuServer - Rule", "ESCU - Windows Modify Registry wuStatusServer - Rule", "ESCU - Windows Query Registry Browser List Application - Rule", "ESCU - Windows Query Registry UnInstall Program List - Rule", "ESCU - Windows Service Stop Win Updates - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling Defender Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Event For Service Disabled", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Modify Registry Auto Minor Updates", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Auto Update Notif", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Disable WinDefender Notifications", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Do Not Connect To Win Update", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry No Auto Reboot With Logon User", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry No Auto Update", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Tamper Protection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry UpdateServiceUrlAlternate", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry USeWuServer", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry WuServer", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry wuStatusServer", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Query Registry Browser List Application", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Query Registry UnInstall Program List", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Service Stop Win Updates", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}]}, {"name": "Remcos", "id": "2bd4aa08-b9a5-40cf-bfe5-7d43f13d496c", "version": 1, "date": "2021-09-23", "author": "Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Remcos RAT trojan, including looking for file writes associated with its payload, screencapture, registry modification, UAC bypassed, persistence and data collection..", "narrative": "Remcos or Remote Control and Surveillance, marketed as a legitimate software for remotely managing Windows systems is now widely used in multiple malicious campaigns both APT and commodity malware by threat actors.", "references": ["https://success.trendmicro.com/solution/1123281-remcos-malware-information", "https://attack.mitre.org/software/S0332/", "https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos#:~:text=Remcos%20(acronym%20of%20Remote%20Control,used%20to%20remotely%20control%20computers.&text=Remcos%20can%20be%20used%20for,been%20used%20in%20hacking%20campaigns."], "tags": {"name": "Remcos", "analytic_story": "Remcos", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1055.001", "mitre_attack_technique": "Dynamic-link Library Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["BackdoorDiplomacy", "Lazarus Group", "Leviathan", "Putter Panda", "TA505", "Tropic Trooper", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1559.001", "mitre_attack_technique": "Component Object Model", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["Gamaredon Group", "MuddyWater"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1113", "mitre_attack_technique": "Screen Capture", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT39", "BRONZE BUTLER", "Dark Caracal", "Dragonfly", "FIN7", "GOLD SOUTHFIELD", "Gamaredon Group", "Group5", "Magic Hound", "MuddyWater", "OilRig", "Silence"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1134.004", "mitre_attack_technique": "Parent PID Spoofing", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}], "mitre_attack_tactics": ["Collection", "Credential Access", "Defense Evasion", "Execution", "Initial Access", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Jscript Execution Using Cscript App - Rule", "ESCU - Loading Of Dynwrapx Module - Rule", "ESCU - Malicious InProcServer32 Modification - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning Windows Script Host - Rule", "ESCU - Possible Browser Pass View Parameter - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Process Writing DynamicWrapperX - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Remcos client registry install entry - Rule", "ESCU - Remcos RAT File Creation in Remcos Folder - Rule", "ESCU - Suspicious Image Creation In Appdata Folder - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious WAV file in Appdata Folder - Rule", "ESCU - System Info Gathering Using Dxdiag Application - Rule", "ESCU - Vbscript Execution Using Wscript App - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Winhlp32 Spawning a Process - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Jscript Execution Using Cscript App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}}, {"name": "Loading Of Dynwrapx Module", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Dynamic-link Library Injection"}]}}, {"name": "Malicious InProcServer32 Modification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Regsvr32"}, {"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Possible Browser Pass View Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Web Browsers"}, {"mitre_attack_technique": "Credentials from Password Stores"}]}}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Process Deleting Its Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Process Writing DynamicWrapperX", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Component Object Model"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Remcos client registry install entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Remcos RAT File Creation in Remcos Folder", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Screen Capture"}]}}, {"name": "Suspicious Image Creation In Appdata Folder", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Screen Capture"}]}}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious WAV file in Appdata Folder", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Screen Capture"}]}}, {"name": "System Info Gathering Using Dxdiag Application", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}, {"name": "Vbscript Execution Using Wscript App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Winhlp32 Spawning a Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}]}, {"name": "Reverse Network Proxy", "id": "265e4127-21fd-43e4-adac-ec5d12274111", "version": 1, "date": "2022-11-16", "author": "Michael Haag, Splunk", "description": "The following analytic story describes applications that may be abused to reverse proxy back into an organization, either for persistence or remote access.", "narrative": "This analytic story covers tools like Ngrok which is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. Ngrok in particular has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration. There are many open source and closed/paid that fall into this reverse proxy category. The analytic story and complemented analytics will be released as more are identified.", "references": ["https://attack.mitre.org/software/S0508/", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf"], "tags": {"name": "Reverse Network Proxy", "analytic_story": "Reverse Network Proxy", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1572", "mitre_attack_technique": "Protocol Tunneling", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Chimera", "Cobalt Group", "FIN6", "Fox Kitten", "Leviathan", "Magic Hound", "OilRig"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "POLONIUM", "Sandworm Team", "Turla", "Windigo"]}, {"mitre_attack_id": "T1102", "mitre_attack_technique": "Web Service", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT32", "EXOTIC LILY", "Ember Bear", "FIN6", "FIN8", "Fox Kitten", "Gamaredon Group", "Inception", "LazyScripter", "Mustang Panda", "Rocke", "TeamTNT", "Turla"]}], "mitre_attack_tactics": ["Command And Control"], "datamodels": ["Endpoint", "Network_Resolution"], "kill_chain_phases": ["Command And Control"]}, "detection_names": ["ESCU - Linux Ngrok Reverse Proxy Usage - Rule", "ESCU - Windows Ngrok Reverse Proxy Usage - Rule", "ESCU - Ngrok Reverse Proxy on Network - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Linux Ngrok Reverse Proxy Usage", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Protocol Tunneling"}, {"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Web Service"}]}}, {"name": "Windows Ngrok Reverse Proxy Usage", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Protocol Tunneling"}, {"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Web Service"}]}}, {"name": "Ngrok Reverse Proxy on Network", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Protocol Tunneling"}, {"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Web Service"}]}}]}, {"name": "Router and Infrastructure Security", "id": "91c676cf-0b23-438d-abee-f6335e177e77", "version": 1, "date": "2017-09-12", "author": "Bhavin Patel, Splunk", "description": "Validate the security configuration of network infrastructure and verify that only authorized users and systems are accessing critical assets. Core routing and switching infrastructure are common strategic targets for attackers.", "narrative": "Networking devices, such as routers and switches, are often overlooked as resources that attackers will leverage to subvert an enterprise. Advanced threats actors have shown a proclivity to target these critical assets as a means to siphon and redirect network traffic, flash backdoored operating systems, and implement cryptographic weakened algorithms to more easily decrypt network traffic.\\\nThis Analytic Story helps you gain a better understanding of how your network devices are interacting with your hosts. By compromising your network devices, attackers can obtain direct access to the company's internal infrastructure— effectively increasing the attack surface and accessing private services/data.", "references": ["https://web.archive.org/web/20210420020040/https://www.fireeye.com/blog/executive-perspective/2015/09/the_new_route_toper.html", "https://www.cisco.com/c/en/us/about/security-center/event-response/synful-knock.html"], "tags": {"name": "Router and Infrastructure Security", "analytic_story": "Router and Infrastructure Security", "category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1200", "mitre_attack_technique": "Hardware Additions", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["DarkVishnya"]}, {"mitre_attack_id": "T1498", "mitre_attack_technique": "Network Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1557", "mitre_attack_technique": "Adversary-in-the-Middle", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1557.002", "mitre_attack_technique": "ARP Cache Poisoning", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["Cleaver", "LuminousMoth"]}, {"mitre_attack_id": "T1542.005", "mitre_attack_technique": "TFTP Boot", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1542", "mitre_attack_technique": "Pre-OS Boot", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1020", "mitre_attack_technique": "Automated Exfiltration", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Gamaredon Group", "Ke3chang", "Sidewinder", "Tropic Trooper"]}, {"mitre_attack_id": "T1020.001", "mitre_attack_technique": "Traffic Duplication", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Collection", "Credential Access", "Defense Evasion", "Exfiltration", "Impact", "Initial Access", "Persistence"], "datamodels": ["Authentication", "Network_Traffic"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Detect New Login Attempts to Routers - Rule", "ESCU - Detect ARP Poisoning - Rule", "ESCU - Detect IPv6 Network Infrastructure Threats - Rule", "ESCU - Detect Port Security Violation - Rule", "ESCU - Detect Rogue DHCP Server - Rule", "ESCU - Detect Software Download To Network Device - Rule", "ESCU - Detect Traffic Mirroring - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect New Login Attempts to Routers", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Detect ARP Poisoning", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hardware Additions"}, {"mitre_attack_technique": "Network Denial of Service"}, {"mitre_attack_technique": "Adversary-in-the-Middle"}, {"mitre_attack_technique": "ARP Cache Poisoning"}]}}, {"name": "Detect IPv6 Network Infrastructure Threats", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hardware Additions"}, {"mitre_attack_technique": "Network Denial of Service"}, {"mitre_attack_technique": "Adversary-in-the-Middle"}, {"mitre_attack_technique": "ARP Cache Poisoning"}]}}, {"name": "Detect Port Security Violation", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hardware Additions"}, {"mitre_attack_technique": "Network Denial of Service"}, {"mitre_attack_technique": "Adversary-in-the-Middle"}, {"mitre_attack_technique": "ARP Cache Poisoning"}]}}, {"name": "Detect Rogue DHCP Server", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hardware Additions"}, {"mitre_attack_technique": "Network Denial of Service"}, {"mitre_attack_technique": "Adversary-in-the-Middle"}]}}, {"name": "Detect Software Download To Network Device", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "TFTP Boot"}, {"mitre_attack_technique": "Pre-OS Boot"}]}}, {"name": "Detect Traffic Mirroring", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hardware Additions"}, {"mitre_attack_technique": "Automated Exfiltration"}, {"mitre_attack_technique": "Network Denial of Service"}, {"mitre_attack_technique": "Traffic Duplication"}]}}]}, {"name": "Sandworm Tools", "id": "54146850-9d26-4877-a611-2db33231e63e", "version": 1, "date": "2022-04-05", "author": "Teoderick Contreras, Splunk", "description": "This analytic story features detections that enable security analysts to identify and investigate unusual activities potentially related to the destructive malware and tools employed by the \"Sandworm\" group. This analytic story focuses on monitoring suspicious process executions, command-line activities, Master Boot Record (MBR) wiping, data destruction, and other related indicators.", "narrative": "The Sandworm group's tools are part of destructive malware operations designed to disrupt or attack Ukraine's National Information Agencies. This operation campaign consists of several malware components, including scripts, native Windows executables (LOLBINs), data wiper malware that overwrites or destroys the Master Boot Record (MBR), and file wiping using sdelete.exe on targeted hosts.", "references": ["https://cert.gov.ua/article/3718487", "https://attack.mitre.org/groups/G0034/"], "tags": {"name": "Sandworm Tools", "analytic_story": "Sandworm Tools", "category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1036.004", "mitre_attack_technique": "Masquerade Task or Service", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT41", "BITTER", "BackdoorDiplomacy", "Carbanak", "FIN6", "FIN7", "Fox Kitten", "Higaisa", "Kimsuky", "Lazarus Group", "Magic Hound", "Naikon", "PROMETHIUM", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1550.003", "mitre_attack_technique": "Pass the Ticket", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT29", "APT32", "BRONZE BUTLER"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1590.002", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Icacls Deny Command - Rule", "ESCU - Linux Iptables Firewall Modification - Rule", "ESCU - Linux Kworker Process In Writable Process Path - Rule", "ESCU - Local Account Discovery with Net - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - Permission Modification using Takeown App - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Windows DNS Gather Network Info - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", "ESCU - Windows System Shutdown CommandLine - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Icacls Deny Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Linux Iptables Firewall Modification", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Linux Kworker Process In Writable Process Path", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerade Task or Service"}, {"mitre_attack_technique": "Masquerading"}]}}, {"name": "Local Account Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}]}}, {"name": "Permission Modification using Takeown App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "Masquerading"}]}}, {"name": "Windows DNS Gather Network Info", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}]}}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Mimikatz Crypto Export File Extensions", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows System Shutdown CommandLine", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}]}, {"name": "Scheduled Tasks", "id": "94cff925-d05c-40cf-b925-d6c5702a2399", "version": 1, "date": "2023-06-12", "author": "Michael Haag, Splunk", "description": "The MITRE ATT&CK technique T1053 refers to Scheduled Task/Job. Adversaries might use task scheduling utilities to execute programs or scripts at a predefined date and time. This method is often used for persistence but can also be used for privilege escalation or to execute tasks under certain conditions. Scheduling tasks can be beneficial for an attacker as it can allow them to execute actions at times when the system is less likely to be monitored actively. Different operating systems have different utilities for task scheduling, for example, Unix-like systems have Cron, while Windows has Scheduled Tasks and At Jobs.", "narrative": "MITRE ATT&CK technique T1053, labeled \"Scheduled Task/Job\", is a categorization of methods that adversaries use to execute malicious code by scheduling tasks or jobs on a system. This technique is widely utilized for persistence, privilege escalation, and the remote execution of tasks. The technique is applicable across various environments and platforms, including Windows, Linux, and macOS.\\\nThe technique consists of multiple sub-techniques, each highlighting a distinct mechanism for scheduling tasks or jobs. These sub-techniques include T1053.001 (Scheduled Task), T1053.002 (At for Windows), T1053.003 (Cron), T1053.004 (Launchd), T1053.005 (At for Linux), and T1053.006 (Systemd Timers).\\\nScheduled Task (T1053.001) focuses on adversaries' methods for scheduling tasks on a Windows system to maintain persistence or escalate privileges. These tasks can be set to execute at specified times, in response to particular events, or after a defined time interval.\\\nThe At command for Windows (T1053.002) enables administrators to schedule tasks on a Windows system. Adversaries may exploit this command to execute programs at system startup or at a predetermined schedule for persistence.\\\nCron (T1053.003) is a built-in job scheduler found in Unix-like operating systems. Adversaries can use cron jobs to execute programs at system startup or on a scheduled basis for persistence.\\\nLaunchd (T1053.004) is a service management framework present in macOS. Adversaries may utilize launchd to maintain persistence on macOS systems by setting up daemons or agents to execute at specific times or in response to defined events.\\\nThe At command for Linux (T1053.005) enables administrators to schedule tasks on a Linux system. Adversaries can use this command to execute programs at system startup or on a scheduled basis for persistence.\\\nSystemd Timers (T1053.006) offer a means of scheduling tasks on Linux systems using systemd. Adversaries can use systemd timers to execute programs at system startup or on a scheduled basis for persistence.\\\nDetection and mitigation strategies vary for each sub-technique. For instance, monitoring the creation of scheduled tasks or looking for uncorrelated changes to tasks that do not align with known software or patch cycles can be effective for detecting malicious activity related to this technique. Mitigation strategies may involve restricting permissions and applying application control solutions to prevent adversaries from scheduling tasks.", "references": ["https://attack.mitre.org/techniques/T1053/"], "tags": {"name": "Scheduled Tasks", "analytic_story": "Scheduled Tasks", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "Rocke"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Linux Add Files In Known Crontab Directories - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux Possible Append Command To At Allow Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - Randomly Generated Scheduled Task Name - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Scheduled Task Initiation on Remote Endpoint - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Schtasks used for forcing a reboot - Rule", "ESCU - Short Lived Scheduled Task - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Svchost LOLBAS Execution Process Spawn - Rule", "ESCU - Windows Enable Win32 ScheduledJob via Registry - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows PowerShell ScheduleTask - Rule", "ESCU - Windows Registry Delete Task SD - Rule", "ESCU - Windows Scheduled Task Created Via XML - Rule", "ESCU - Windows Scheduled Task with Highest Privileges - Rule", "ESCU - Windows Schtasks Create Run As System - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Linux Add Files In Known Crontab Directories", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux At Allow Config File Creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux At Application Execution", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Edit Cron Table Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Possible Append Command To At Allow Config File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Possible Cronjob Modification With Editor", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Service File Created In Systemd Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Service Started Or Enabled", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Remote Management"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "MMC"}]}}, {"name": "Randomly Generated Scheduled Task Name", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Schedule Task with HTTP Command Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Scheduled Task Creation on Remote Endpoint using At", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "At"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Scheduled Task Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Schtasks used for forcing a reboot", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Short Lived Scheduled Task", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Svchost LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Windows Enable Win32 ScheduledJob via Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows PowerShell ScheduleTask", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Registry Delete Task SD", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Scheduled Task Created Via XML", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows Scheduled Task with Highest Privileges", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Windows Schtasks Create Run As System", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}]}, {"name": "Signed Binary Proxy Execution InstallUtil", "id": "9482a314-43dc-11ec-a3c9-acde48001122", "version": 1, "date": "2021-11-12", "author": "Michael Haag, Splunk", "description": "Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility.", "narrative": "InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. InstallUtil is digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\\Windows\\Microsoft.NET\\Framework\\v\\InstallUtil.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v\\InstallUtil.exe. \\\nThere are multiple ways to instantiate InstallUtil and they are all outlined within Atomic Red Team - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md. Two specific ways may be used and that includes invoking via installer assembly class constructor through .NET and via InstallUtil.exe. \\\nTypically, adversaries will utilize the most commonly found way to invoke via InstallUtil Uninstall method. \\\nNote that parallel processes, and parent process, play a role in how InstallUtil is being used. In particular, a developer using InstallUtil will spawn from VisualStudio. Adversaries, will spawn from non-standard processes like Explorer.exe, cmd.exe or PowerShell.exe. It's important to review the command-line to identify the DLL being loaded. \\\nParallel processes may also include csc.exe being used to compile a local `.cs` file. This file will be the input to the output. Developers usually do not build direct on the command shell, therefore this should raise suspicion.", "references": ["https://attack.mitre.org/techniques/T1218/004/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"], "tags": {"name": "Signed Binary Proxy Execution InstallUtil", "analytic_story": "Signed Binary Proxy Execution InstallUtil", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows InstallUtil Credential Theft - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows InstallUtil Remote Network Connection - Rule", "ESCU - Windows InstallUtil Uninstall Option - Rule", "ESCU - Windows InstallUtil Uninstall Option with Network - Rule", "ESCU - Windows InstallUtil URL in Command Line - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows InstallUtil Credential Theft", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows InstallUtil Remote Network Connection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows InstallUtil Uninstall Option", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows InstallUtil Uninstall Option with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows InstallUtil URL in Command Line", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}]}, {"name": "Silver Sparrow", "id": "cb4f48fe-7699-11eb-af77-acde48001122", "version": 1, "date": "2021-02-24", "author": "Michael Haag, Splunk", "description": "Silver Sparrow, identified by Red Canary Intelligence, is a new forward looking MacOS (Intel and M1) malicious software downloader utilizing JavaScript for execution and a launchAgent to establish persistence.", "narrative": "Silver Sparrow works is a dropper and uses typical persistence mechanisms on a Mac. It is cross platform, covering both Intel and Apple M1 architecture. To this date, no implant has been downloaded for malicious purposes. During installation of the update.pkg or updater.pkg file, the malicious software utilizes JavaScript to generate files and scripts on disk for persistence.These files later download a implant from an S3 bucket every hour. This analytic assists with identifying different types of macOS malware families establishing LaunchAgent persistence. Per SentinelOne source, it is predicted that Silver Sparrow is likely selling itself as a mechanism to 3rd party Caffiliates or pay-per-install (PPI) partners, typically seen as commodity adware/malware. Additional indicators and behaviors may be found within the references.", "references": ["https://redcanary.com/blog/clipping-silver-sparrows-wings/", "https://www.sentinelone.com/blog/5-things-you-need-to-know-about-silver-sparrow/"], "tags": {"name": "Silver Sparrow", "analytic_story": "Silver Sparrow", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1543.001", "mitre_attack_technique": "Launch Agent", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1074", "mitre_attack_technique": "Data Staged", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Wizard Spider"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Suspicious Curl Network Connection - Rule", "ESCU - Suspicious PlistBuddy Usage - Rule", "ESCU - Suspicious PlistBuddy Usage via OSquery - Rule", "ESCU - Suspicious SQLite3 LSQuarantine Behavior - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Suspicious Curl Network Connection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Suspicious PlistBuddy Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Launch Agent"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious PlistBuddy Usage via OSquery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Launch Agent"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious SQLite3 LSQuarantine Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Staged"}]}}]}, {"name": "Snake Malware", "id": "032bacbb-f90d-43aa-bbcc-d87f169a29c8", "version": 1, "date": "2023-05-10", "author": "Michael Haag, Splunk", "description": "The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia's Federal Security Service (FSB) for long-term intelligence collection on sensitive targets.", "narrative": "The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia's Federal Security Service (FSB) for long-term intelligence collection on sensitive targets. To conduct operations using this tool, the FSB created a covert peer-to-peer (P2P) network of numerous Snake-infected computers worldwide. Many systems in this P2P network serve as relay nodes which route disguised operational traffic to and from Snake implants on the FSB's ultimate targets. Snake's custom communications protocols employ encryption and fragmentation for confidentiality and are designed to hamper detection and collection efforts. We consider Snake to be the most sophisticated cyber espionage tool in the FSB's arsenal. The sophistication of Snake stems from three principal areas. First, Snake employs means to achieve a rare level of stealth in its host components and network communications. Second, Snake's internal technical architecture allows for easy incorporation of new or replacement components. This design also facilitates the development and interoperability of Snake instances running on different host operating systems. We have observed interoperable Snake implants for Windows, MacOS, and Linux operating systems. Lastly, Snake demonstrates careful software engineering design and implementation, with the implant containing surprisingly few bugs given its complexity. (CISA, 2023)", "references": ["https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"], "tags": {"name": "Snake Malware", "analytic_story": "Snake Malware", "category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Created Within Public Path - Rule", "ESCU - Windows Snake Malware File Modification Crmlog - Rule", "ESCU - Windows Snake Malware Kernel Driver Comadmin - Rule", "ESCU - Windows Snake Malware Registry Modification wav OpenWithProgIds - Rule", "ESCU - Windows Snake Malware Service Create - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Windows Service Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Windows Snake Malware File Modification Crmlog", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Windows Snake Malware Kernel Driver Comadmin", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}]}}, {"name": "Windows Snake Malware Registry Modification wav OpenWithProgIds", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Snake Malware Service Create", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Service Execution"}]}}]}, {"name": "Sneaky Active Directory Persistence Tricks", "id": "f676c4c1-c769-4ecb-9611-5fd85b497c56", "version": 1, "date": "2022-08-29", "author": "Dean Luxton, Mauricio Velazco, Splunk", "description": "Monitor for activities and techniques associated with Windows Active Directory persistence techniques.", "narrative": "Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Active Directory is a centralized and hierarchical database that stores information about users, computers, and other resources on a network. It provides secure and efficient management of these resources and enables administrators to enforce security policies and delegate administrative tasks.\\\nIn 2015 Active Directory security researcher Sean Metcalf published a blog post titled `Sneaky Active Directory Persistence Tricks`. In this blog post, Sean described several methods through which an attacker could persist administrative access on an Active Directory network after having Domain Admin level rights for a short period of time. At the time of writing, 8 years after the initial blog post, most of these techniques are still possible since they abuse legitimate administrative functionality and not software vulnerabilities. Security engineers defending Active Directory networks should be aware of these technique available to adversaries post exploitation and deploy both preventive and detective security controls for them.\\\nThis analytic story groups detection opportunities for most of the techniques described on Seans blog post as well as other high impact attacks against Active Directory networks and Domain Controllers like DCSync and DCShadow. For some of these detection opportunities, it is necessary to enable the necessary GPOs and SACLs required, otherwise the event codes will not trigger. Each detection includes a list of requirements for enabling logging.", "references": ["https://adsecurity.org/?p=1929", "https://www.youtube.com/watch?v=Lz6haohGAMc&feature=youtu.be", "https://adsecurity.org/wp-content/uploads/2015/09/DEFCON23-2015-Metcalf-RedvsBlue-ADAttackAndDefense-Final.pdf", "https://attack.mitre.org/tactics/TA0003/", "https://www.dcshadow.com", "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", "https://www.linkedin.com/pulse/mimikatz-dcsync-event-log-detections-john-dwyer"], "tags": {"name": "Sneaky Active Directory Persistence Tricks", "analytic_story": "Windows Domain Controller Attacks", "category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134.005", "mitre_attack_technique": "SID-History Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1207", "mitre_attack_technique": "Rogue Domain Controller", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1003.006", "mitre_attack_technique": "DCSync", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Earth Lusca", "LAPSUS$"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1484.001", "mitre_attack_technique": "Group Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "Chimera", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "Wizard Spider"]}, {"mitre_attack_id": "T1547.005", "mitre_attack_technique": "Security Support Provider", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Authentication", "Change", "Endpoint", "Network_Traffic"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Windows AD AdminSDHolder ACL Modified - Rule", "ESCU - Windows AD Cross Domain SID History Addition - Rule", "ESCU - Windows AD Domain Controller Audit Policy Disabled - Rule", "ESCU - Windows AD Domain Controller Promotion - Rule", "ESCU - Windows AD Domain Replication ACL Addition - Rule", "ESCU - Windows AD DSRM Account Changes - Rule", "ESCU - Windows AD DSRM Password Reset - Rule", "ESCU - Windows AD Privileged Account SID History Addition - Rule", "ESCU - Windows AD Replication Request Initiated by User Account - Rule", "ESCU - Windows AD Replication Request Initiated from Unsanctioned Location - Rule", "ESCU - Windows AD Same Domain SID History Addition - Rule", "ESCU - Windows AD Short Lived Domain Account ServicePrincipalName - Rule", "ESCU - Windows AD Short Lived Domain Controller SPN Attribute - Rule", "ESCU - Windows AD Short Lived Server Object - Rule", "ESCU - Windows AD SID History Attribute Modified - Rule", "ESCU - Windows Admon Default Group Policy Object Modified - Rule", "ESCU - Windows Admon Group Policy Object Created - Rule", "ESCU - Windows Default Group Policy Object Modified - Rule", "ESCU - Windows Default Group Policy Object Modified with GPME - Rule", "ESCU - Windows Group Policy Object Created - Rule", "ESCU - Windows Security Support Provider Reg Query - Rule", "ESCU - Windows AD Replication Service Traffic - Rule", "ESCU - Windows AD Rogue Domain Controller Network Activity - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Splunk", "author_name": "Dean Luxton", "detections": [{"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows AD AdminSDHolder ACL Modified", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Windows AD Cross Domain SID History Addition", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SID-History Injection"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Windows AD Domain Controller Audit Policy Disabled", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}]}}, {"name": "Windows AD Domain Controller Promotion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rogue Domain Controller"}]}}, {"name": "Windows AD Domain Replication ACL Addition", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}]}}, {"name": "Windows AD DSRM Account Changes", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Windows AD DSRM Password Reset", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Windows AD Privileged Account SID History Addition", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SID-History Injection"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Windows AD Replication Request Initiated by User Account", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DCSync"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows AD Replication Request Initiated from Unsanctioned Location", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DCSync"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows AD Same Domain SID History Addition", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SID-History Injection"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Windows AD Short Lived Domain Account ServicePrincipalName", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Windows AD Short Lived Domain Controller SPN Attribute", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rogue Domain Controller"}]}}, {"name": "Windows AD Short Lived Server Object", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rogue Domain Controller"}]}}, {"name": "Windows AD SID History Attribute Modified", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Access Token Manipulation"}, {"mitre_attack_technique": "SID-History Injection"}]}}, {"name": "Windows Admon Default Group Policy Object Modified", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}}, {"name": "Windows Admon Group Policy Object Created", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}}, {"name": "Windows Default Group Policy Object Modified", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}}, {"name": "Windows Default Group Policy Object Modified with GPME", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}}, {"name": "Windows Group Policy Object Created", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}, {"mitre_attack_technique": "Domain Accounts"}]}}, {"name": "Windows Security Support Provider Reg Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Support Provider"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows AD Replication Service Traffic", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "DCSync"}, {"mitre_attack_technique": "Rogue Domain Controller"}]}}, {"name": "Windows AD Rogue Domain Controller Network Activity", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rogue Domain Controller"}]}}]}, {"name": "Spearphishing Attachments", "id": "57226b40-94f3-4ce5-b101-a75f67759c27", "version": 1, "date": "2019-04-29", "author": "Splunk Research Team, Splunk", "description": "Detect signs of malicious payloads that may indicate that your environment has been breached via a phishing attack.", "narrative": "Despite its simplicity, phishing remains the most pervasive and dangerous cyberthreat. In fact, research shows that as many as [91% of all successful attacks](https://digitalguardian.com/blog/91-percent-cyber-attacks-start-phishing-email-heres-how-protect-against-phishing) are initiated via a phishing email. \\\nAs most people know, these emails use fraudulent domains, [email scraping](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), familiar contact names inserted as senders, and other tactics to lure targets into clicking a malicious link, opening an attachment with a [nefarious payload](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), or entering sensitive personal information that perpetrators may intercept. This attack technique requires a relatively low level of skill and allows adversaries to easily cast a wide net. Worse, because its success relies on the gullibility of humans, it's impossible to completely \"automate\" it out of your environment. However, you can use ES and ESCU to detect and investigate potentially malicious payloads injected into your environment subsequent to a phishing attack. \\\nWhile any kind of file may contain a malicious payload, some are more likely to be perceived as benign (and thus more often escape notice) by the average victim—especially when the attacker sends an email that seems to be from one of their contacts. An example is Microsoft Office files. Most corporate users are familiar with documents with the following suffixes: .doc/.docx (MS Word), .xls/.xlsx (MS Excel), and .ppt/.pptx (MS PowerPoint), so they may click without a second thought, slashing a hole in their organizations' security. \\\nFollowing is a typical series of events, according to an [article by Trend Micro](https://blog.trendmicro.com/trendlabs-security-intelligence/rising-trend-attackers-using-lnk-files-download-malware/):\\\n1. Attacker sends a phishing email. Recipient downloads the attached file, which is typically a .docx or .zip file with an embedded .lnk file\\\n1. The .lnk file executes a PowerShell script\\\n1. Powershell executes a reverse shell, rendering the exploit successful As a side note, adversaries are likely to use a tool like Empire to craft and obfuscate payloads and their post-injection activities, such as [exfiltration, lateral movement, and persistence](https://github.com/EmpireProject/Empire).\\\nThis Analytic Story focuses on detecting signs that a malicious payload has been injected into your environment. For example, one search detects outlook.exe writing a .zip file. Another looks for suspicious .lnk files launching processes.", "references": ["https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html"], "tags": {"name": "Spearphishing Attachments", "analytic_story": "Spearphishing Attachments", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036.002", "mitre_attack_technique": "Right-to-Left Override", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["BRONZE BUTLER", "BlackTech", "Ferocious Kitten", "Ke3chang", "Scarlet Mimic"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Execution", "Initial Access"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Gdrive suspicious file sharing - Rule", "ESCU - Gsuite suspicious calendar invite - Rule", "ESCU - Detect Outlook exe writing a zip file - Rule", "ESCU - Detect RTLO In File Name - Rule", "ESCU - Detect RTLO In Process - Rule", "ESCU - Excel Spawning PowerShell - Rule", "ESCU - Excel Spawning Windows Script Host - Rule", "ESCU - MSHTML Module Load in Office Product - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Creating Schedule Task - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Document Spawned Child Process To Download - Rule", "ESCU - Office Product Spawning BITSAdmin - Rule", "ESCU - Office Product Spawning CertUtil - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Office Product Spawning Rundll32 with no DLL - Rule", "ESCU - Office Product Spawning Windows Script Host - Rule", "ESCU - Office Product Spawning Wmic - Rule", "ESCU - Office Product Writing cab or inf - Rule", "ESCU - Office Spawning Control - Rule", "ESCU - Process Creating LNK file in Suspicious Location - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Office Product Spawning MSDT - Rule", "ESCU - Windows Phishing PDF File Executes URL Link - Rule", "ESCU - Windows Spearphishing Attachment Connect To None MS Office Domain - Rule", "ESCU - Windows Spearphishing Attachment Onenote Spawn Mshta - Rule", "ESCU - Winword Spawning Cmd - Rule", "ESCU - Winword Spawning PowerShell - Rule", "ESCU - Winword Spawning Windows Script Host - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Splunk Research Team", "detections": [{"name": "Gdrive suspicious file sharing", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}]}}, {"name": "Gsuite suspicious calendar invite", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}]}}, {"name": "Detect Outlook exe writing a zip file", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Detect RTLO In File Name", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Right-to-Left Override"}, {"mitre_attack_technique": "Masquerading"}]}}, {"name": "Detect RTLO In Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Right-to-Left Override"}, {"mitre_attack_technique": "Masquerading"}]}}, {"name": "Excel Spawning PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Excel Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "MSHTML Module Load in Office Product", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Document Creating Schedule Task", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Document Spawned Child Process To Download", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning BITSAdmin", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning Rundll32 with no DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning Wmic", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Writing cab or inf", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Spawning Control", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Process Creating LNK file in Suspicious Location", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Link"}]}}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "Windows Office Product Spawning MSDT", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Windows Phishing PDF File Executes URL Link", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Windows Spearphishing Attachment Connect To None MS Office Domain", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Windows Spearphishing Attachment Onenote Spawn Mshta", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Winword Spawning Cmd", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Winword Spawning PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Winword Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}]}, {"name": "Splunk Vulnerabilities", "id": "5354df00-dce2-48ac-9a64-8adb48006828", "version": 1, "date": "2022-03-28", "author": "Lou Stella, Splunk", "description": "Keeping your Splunk Enterprise deployment up to date is critical and will help you reduce the risk associated with vulnerabilities in the product.", "narrative": "This analytic story includes detections that focus on attacker behavior targeted at your Splunk environment directly.", "references": ["https://www.splunk.com/en_us/product-security/announcements.html"], "tags": {"name": "Splunk Vulnerabilities", "analytic_story": "Splunk Vulnerabilities", "category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1083", "mitre_attack_technique": "File and Directory Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT28", "APT3", "APT32", "APT38", "APT39", "APT41", "Aoqin Dragon", "BRONZE BUTLER", "Chimera", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "Fox Kitten", "Gamaredon Group", "HAFNIUM", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "MuddyWater", "Mustang Panda", "Patchwork", "Sandworm Team", "Sidewinder", "Sowbug", "TeamTNT", "Tropic Trooper", "Turla", "Windigo", "Winnti Group", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1210", "mitre_attack_technique": "Exploitation of Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "Dragonfly", "Earth Lusca", "FIN7", "Fox Kitten", "MuddyWater", "Threat Group-3390", "Tonto Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}, {"mitre_attack_id": "T1567", "mitre_attack_technique": "Exfiltration Over Web Service", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT28", "Magic Hound"]}, {"mitre_attack_id": "T1587.003", "mitre_attack_technique": "Digital Certificates", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29", "PROMETHIUM"]}, {"mitre_attack_id": "T1499.004", "mitre_attack_technique": "Application or System Exploitation", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1498", "mitre_attack_technique": "Network Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1499", "mitre_attack_technique": "Endpoint Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Sandworm Team"]}, {"mitre_attack_id": "T1027.006", "mitre_attack_technique": "HTML Smuggling", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1212", "mitre_attack_technique": "Exploitation for Credential Access", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1001.003", "mitre_attack_technique": "Protocol Impersonation", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Higaisa", "Lazarus Group"]}, {"mitre_attack_id": "T1588.004", "mitre_attack_technique": "Digital Certificates", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["BlackTech", "Lazarus Group", "LuminousMoth", "Silent Librarian"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1040", "mitre_attack_technique": "Network Sniffing", "mitre_attack_tactics": ["Credential Access", "Discovery"], "mitre_attack_groups": ["APT28", "APT33", "DarkVishnya", "Kimsuky", "Sandworm Team"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Exfiltration", "Impact", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation", "Resource Development"], "datamodels": ["Splunk_Audit", "Web"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation", "Installation", "Weaponization"]}, "detection_names": ["ESCU - Detect Risky SPL using Pretrained ML Model - Rule", "ESCU - Path traversal SPL injection - Rule", "ESCU - Splunk Account Discovery Drilldown Dashboard Disclosure - Rule", "ESCU - Splunk Code Injection via custom dashboard leading to RCE - Rule", "ESCU - Splunk Command and Scripting Interpreter Delete Usage - Rule", "ESCU - Splunk Command and Scripting Interpreter Risky Commands - Rule", "ESCU - Splunk Command and Scripting Interpreter Risky SPL MLTK - Rule", "ESCU - Splunk csrf in the ssg kvstore client endpoint - Rule", "ESCU - Splunk Data exfiltration from Analytics Workspace using sid query - Rule", "ESCU - Splunk Digital Certificates Infrastructure Version - Rule", "ESCU - Splunk Digital Certificates Lack of Encryption - Rule", "ESCU - Splunk DOS Via Dump SPL Command - Rule", "ESCU - Splunk DoS via Malformed S2S Request - Rule", "ESCU - Splunk Edit User Privilege Escalation - Rule", "ESCU - Splunk Endpoint Denial of Service DoS Zip Bomb - Rule", "ESCU - Splunk HTTP Response Splitting Via Rest SPL Command - Rule", "ESCU - Splunk Improperly Formatted Parameter Crashes splunkd - Rule", "ESCU - Splunk list all nonstandard admin accounts - Rule", "ESCU - Splunk Low Privilege User Can View Hashed Splunk Password - Rule", "ESCU - Splunk Path Traversal In Splunk App For Lookup File Edit - Rule", "ESCU - Persistent XSS in RapidDiag through User Interface Views - Rule", "ESCU - Splunk Persistent XSS Via URL Validation Bypass W Dashboard - Rule", "ESCU - Splunk Process Injection Forwarder Bundle Downloads - Rule", "ESCU - Splunk Protocol Impersonation Weak Encryption Configuration - Rule", "ESCU - Splunk protocol impersonation weak encryption selfsigned - Rule", "ESCU - Splunk protocol impersonation weak encryption simplerequest - Rule", "ESCU - Splunk RBAC Bypass On Indexing Preview REST Endpoint - Rule", "ESCU - Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature - Rule", "ESCU - Splunk Reflected XSS in the templates lists radio - Rule", "ESCU - Splunk risky Command Abuse disclosed february 2023 - Rule", "ESCU - Splunk Stored XSS via Data Model objectName field - Rule", "ESCU - Splunk unnecessary file extensions allowed by lookup table uploads - Rule", "ESCU - Splunk User Enumeration Attempt - Rule", "ESCU - Splunk XSS in Monitoring Console - Rule", "ESCU - Splunk XSS in Save table dialog header in search page - Rule", "ESCU - Splunk XSS via View - Rule", "ESCU - Open Redirect in Splunk Web - Rule", "ESCU - Splunk Enterprise Information Disclosure - Rule", "ESCU - Splunk Identified SSL TLS Certificates - Rule"], "investigation_names": [], "baseline_names": ["ESCU - Splunk Command and Scripting Interpreter Risky SPL MLTK Baseline"], "author_company": "Splunk", "author_name": "Lou Stella", "detections": [{"name": "Detect Risky SPL using Pretrained ML Model", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Path traversal SPL injection", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Discovery"}]}}, {"name": "Splunk Account Discovery Drilldown Dashboard Disclosure", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Splunk Code Injection via custom dashboard leading to RCE", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation of Remote Services"}]}}, {"name": "Splunk Command and Scripting Interpreter Delete Usage", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Splunk Command and Scripting Interpreter Risky Commands", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Splunk Command and Scripting Interpreter Risky SPL MLTK", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Splunk csrf in the ssg kvstore client endpoint", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Splunk Data exfiltration from Analytics Workspace using sid query", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Web Service"}]}}, {"name": "Splunk Digital Certificates Infrastructure Version", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Digital Certificates"}]}}, {"name": "Splunk Digital Certificates Lack of Encryption", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Digital Certificates"}]}}, {"name": "Splunk DOS Via Dump SPL Command", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application or System Exploitation"}]}}, {"name": "Splunk DoS via Malformed S2S Request", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Network Denial of Service"}]}}, {"name": "Splunk Edit User Privilege Escalation", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Splunk Endpoint Denial of Service DoS Zip Bomb", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Endpoint Denial of Service"}]}}, {"name": "Splunk HTTP Response Splitting Via Rest SPL Command", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "HTML Smuggling"}]}}, {"name": "Splunk Improperly Formatted Parameter Crashes splunkd", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Endpoint Denial of Service"}]}}, {"name": "Splunk list all nonstandard admin accounts", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Splunk Low Privilege User Can View Hashed Splunk Password", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Credential Access"}]}}, {"name": "Splunk Path Traversal In Splunk App For Lookup File Edit", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Discovery"}]}}, {"name": "Persistent XSS in RapidDiag through User Interface Views", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Splunk Persistent XSS Via URL Validation Bypass W Dashboard", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Splunk Process Injection Forwarder Bundle Downloads", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Splunk Protocol Impersonation Weak Encryption Configuration", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Protocol Impersonation"}]}}, {"name": "Splunk protocol impersonation weak encryption selfsigned", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Digital Certificates"}]}}, {"name": "Splunk protocol impersonation weak encryption simplerequest", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Digital Certificates"}]}}, {"name": "Splunk RBAC Bypass On Indexing Preview REST Endpoint", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation of Remote Services"}]}}, {"name": "Splunk Reflected XSS in the templates lists radio", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Splunk risky Command Abuse disclosed february 2023", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Splunk Stored XSS via Data Model objectName field", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Splunk unnecessary file extensions allowed by lookup table uploads", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Splunk User Enumeration Attempt", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Splunk XSS in Monitoring Console", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Splunk XSS in Save table dialog header in search page", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Splunk XSS via View", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Open Redirect in Splunk Web", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Splunk Enterprise Information Disclosure", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Splunk Identified SSL TLS Certificates", "source": "network", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Network Sniffing"}]}}]}, {"name": "Spring4Shell CVE-2022-22965", "id": "dcc19913-6918-4ed2-bbba-a6b484c10ef4", "version": 1, "date": "2022-04-05", "author": "Michael Haag, Splunk", "description": "Spring4Shell is the nickname given to a zero-day vulnerability in the Spring Core Framework, a programming and configuration model for Java-based enterprise applications.", "narrative": "An attacker could exploit Spring4Shell by sending a specially crafted request to a vulnerable server. However, exploitation of Spring4Shell requires certain prerequisites, whereas the original Log4Shell vulnerability affected all versions of Log4j 2 using the default configuration. \\\nAccording to Spring, the following requirements were included in the vulnerability report, however the post cautions that there may be other ways in which this can be exploited so this may not be a complete list of requirements at this time: \\\n- Java Development Kit (JDK) 9 or greater \\\n- Apache Tomcat as the Servlet container \\\n- Packaged as a WAR \\\n- spring-webmvc or spring-webflux dependency \\\n", "references": ["https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability"], "tags": {"name": "Spring4Shell CVE-2022-22965", "analytic_story": "Spring4Shell CVE-2022-22965", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Initial Access", "Persistence"], "datamodels": ["Endpoint", "Web"], "kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - Java Writing JSP File - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Spring4Shell Payload URL Request - Rule", "ESCU - Web JSP Request via URL - Rule", "ESCU - Web Spring4Shell HTTP Request Class Module - Rule", "ESCU - Web Spring Cloud Function FunctionRouter - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Java Writing JSP File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Linux Java Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Spring4Shell Payload URL Request", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Web JSP Request via URL", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Web Spring4Shell HTTP Request Class Module", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Web Spring Cloud Function FunctionRouter", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "SQL Injection", "id": "4f6632f5-449c-4686-80df-57625f59bab3", "version": 1, "date": "2017-09-19", "author": "Bhavin Patel, Splunk", "description": "Use the searches in this Analytic Story to help you detect structured query language (SQL) injection attempts characterized by long URLs that contain malicious parameters.", "narrative": "It is very common for attackers to inject SQL parameters into vulnerable web applications, which then interpret the malicious SQL statements.\\\nThis Analytic Story contains a search designed to identify attempts by attackers to leverage this technique to compromise a host and gain a foothold in the target environment.", "references": ["https://capec.mitre.org/data/definitions/66.html", "https://www.incapsula.com/web-application-security/sql-injection.html"], "tags": {"name": "SQL Injection", "analytic_story": "SQL Injection", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - SQL Injection with Long URLs - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "SQL Injection with Long URLs", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "Suspicious AWS Login Activities", "id": "2e8948a5-5239-406b-b56b-6c59f1268af3", "version": 1, "date": "2019-05-01", "author": "Bhavin Patel, Splunk", "description": "Monitor your AWS authentication events using your CloudTrail logs. Searches within this Analytic Story will help you stay aware of and investigate suspicious logins. ", "narrative": "It is important to monitor and control who has access to your AWS infrastructure. Detecting suspicious logins to your AWS infrastructure will provide good starting points for investigations. Abusive behaviors caused by compromised credentials can lead to direct monetary costs, as you will be billed for any EC2 instances created by the attacker.", "references": ["https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html"], "tags": {"name": "Suspicious AWS Login Activities", "analytic_story": "Suspicious AWS Login Activities", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation", "Resource Development"], "datamodels": ["Authentication"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"]}, "detection_names": ["ESCU - AWS Successful Console Authentication From Multiple IPs - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule", "ESCU - Detect new user AWS Console Login - Rule"], "investigation_names": ["ESCU - AWS Investigate User Activities By ARN - Response Task"], "baseline_names": ["ESCU - Previously seen users in CloudTrail", "ESCU - Update previously seen users in CloudTrail"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS Successful Console Authentication From Multiple IPs", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Detect AWS Console Login by User from New City", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Detect AWS Console Login by User from New Country", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Detect AWS Console Login by User from New Region", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Detect new user AWS Console Login", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}]}, {"name": "Suspicious AWS S3 Activities", "id": "66732346-8fb0-407b-9633-da16756567d6", "version": 3, "date": "2023-04-24", "author": "Bhavin Patel, Splunk", "description": "Use the searches in this Analytic Story using Cloudtrail logs to to monitor your AWS S3 buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open S3 buckets and buckets being accessed from a new IP, permission and policy updates to the bucket, potential misuse of other services leading to data being leaked.", "narrative": "One of the most common ways that attackers attempt to steal data from S3 is by gaining unauthorized access to S3 buckets and copying or exfiltrating data to external locations.\\\nHowever, suspicious S3 activities can refer to any unusual behavior detected within an Amazon Web Services (AWS) Simple Storage Service (S3) bucket, including unauthorized access, unusual data transfer patterns, and access attempts from unknown IP addresses. \\\nIt is important for organizations to regularly monitor S3 activities for suspicious behavior and implement security best practices, such as using access controls, encryption, and strong authentication mechanisms, to protect sensitive data stored within S3 buckets. By staying vigilant and taking proactive measures, organizations can help prevent potential security breaches and minimize the impact of attacks if they do occur.", "references": ["https://github.com/nagwww/s3-leaks", "https://www.tripwire.com/state-of-security/security-data-protection/cloud/public-aws-s3-buckets-writable/", null], "tags": {"name": "Suspicious AWS S3 Activities", "analytic_story": "Suspicious AWS S3 Activities", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1119", "mitre_attack_technique": "Automated Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "Chimera", "Confucius", "FIN5", "FIN6", "Gamaredon Group", "Ke3chang", "Mustang Panda", "OilRig", "Patchwork", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1530", "mitre_attack_technique": "Data from Cloud Storage", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Fox Kitten"]}], "mitre_attack_tactics": ["Collection", "Exfiltration", "Impact"], "datamodels": [], "kill_chain_phases": ["Actions on Objectives", "Exploitation"]}, "detection_names": ["ESCU - AWS Disable Bucket Versioning - Rule", "ESCU - AWS Exfiltration via Bucket Replication - Rule", "ESCU - AWS Exfiltration via DataSync Task - Rule", "ESCU - Detect New Open S3 buckets - Rule", "ESCU - Detect New Open S3 Buckets over AWS CLI - Rule", "ESCU - Detect S3 access from a new IP - Rule", "ESCU - Detect Spike in S3 Bucket deletion - Rule"], "investigation_names": ["ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - AWS S3 Bucket details via bucketName - Response Task", "ESCU - Get All AWS Activity From IP Address - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Investigate AWS activities via region name - Response Task"], "baseline_names": ["ESCU - Baseline of S3 Bucket deletion activity by ARN", "ESCU - Previously seen S3 bucket access by remote IP"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS Disable Bucket Versioning", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "AWS Exfiltration via Bucket Replication", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "AWS Exfiltration via DataSync Task", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Automated Collection"}]}}, {"name": "Detect New Open S3 buckets", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data from Cloud Storage"}]}}, {"name": "Detect New Open S3 Buckets over AWS CLI", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data from Cloud Storage"}]}}, {"name": "Detect S3 access from a new IP", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data from Cloud Storage"}]}}, {"name": "Detect Spike in S3 Bucket deletion", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data from Cloud Storage"}]}}]}, {"name": "Suspicious AWS Traffic", "id": "2e8948a5-5239-406b-b56b-6c50f2168af3", "version": 1, "date": "2018-05-07", "author": "Bhavin Patel, Splunk", "description": "Leverage these searches to monitor your AWS network traffic for evidence of anomalous activity and suspicious behaviors, such as a spike in blocked outbound traffic in your virtual private cloud (VPC).", "narrative": "A virtual private cloud (VPC) is an on-demand managed cloud-computing service that isolates computing resources for each client. Inside the VPC container, the environment resembles a physical network. \\\nAmazon's VPC service enables you to launch EC2 instances and leverage other Amazon resources. The traffic that flows in and out of this VPC can be controlled via network access-control rules and security groups. Amazon also has a feature called VPC Flow Logs that enables you to log IP traffic going to and from the network interfaces in your VPC. This data is stored using Amazon CloudWatch Logs.\\\n Attackers may abuse the AWS infrastructure with insecure VPCs so they can co-opt AWS resources for command-and-control nodes, data exfiltration, and more. Once an EC2 instance is compromised, an attacker may initiate outbound network connections for malicious reasons. Monitoring these network traffic behaviors is crucial for understanding the type of traffic flowing in and out of your network and to alert you to suspicious activities.\\\nThe searches in this Analytic Story will monitor your AWS network traffic for evidence of anomalous activity and suspicious behaviors.", "references": ["https://rhinosecuritylabs.com/aws/hiding-cloudcobalt-strike-beacon-c2-using-amazon-apis/"], "tags": {"name": "Suspicious AWS Traffic", "analytic_story": "Suspicious AWS Traffic", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Spike in blocked Outbound Traffic from your AWS - Rule"], "investigation_names": ["ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - AWS Network ACL Details from ID - Response Task", "ESCU - AWS Network Interface details via resourceId - Response Task", "ESCU - Get All AWS Activity From IP Address - Response Task", "ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get DNS traffic ratio - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task", "ESCU - Get Process Responsible For The DNS Traffic - Response Task"], "baseline_names": ["ESCU - Baseline of blocked outbound traffic from AWS"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect Spike in blocked Outbound Traffic from your AWS", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Suspicious Cloud Authentication Activities", "id": "6380ebbb-55c5-4fce-b754-01fd565fb73c", "version": 1, "date": "2020-06-04", "author": "Rico Valdez, Splunk", "description": "Monitor your cloud authentication events. Searches within this Analytic Story leverage the recent cloud updates to the Authentication data model to help you stay aware of and investigate suspicious login activity. ", "narrative": "It is important to monitor and control who has access to your cloud infrastructure. Detecting suspicious logins will provide good starting points for investigations. Abusive behaviors caused by compromised credentials can lead to direct monetary costs, as you will be billed for any compute activity whether legitimate or otherwise.\\\nThis Analytic Story has data model versions of cloud searches leveraging Authentication data, including those looking for suspicious login activity, and cross-account activity for AWS.", "references": ["https://aws.amazon.com/blogs/security/aws-cloudtrail-now-tracks-cross-account-activity-to-its-origin/", "https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html"], "tags": {"name": "Suspicious Cloud Authentication Activities", "analytic_story": "Suspicious Cloud Authentication Activities", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Resource Development"], "datamodels": ["Authentication"], "kill_chain_phases": ["Exploitation", "Weaponization"]}, "detection_names": ["ESCU - AWS Cross Account Activity From Previously Unseen Account - Rule", "ESCU - Detect AWS Console Login by New User - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Investigate AWS User Activities by user field - Response Task"], "baseline_names": ["ESCU - Previously Seen AWS Cross Account Activity - Initial", "ESCU - Previously Seen AWS Cross Account Activity - Update", "ESCU - Previously Seen Users in CloudTrail - Initial", "ESCU - Previously Seen Users In CloudTrail - Update"], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "AWS Cross Account Activity From Previously Unseen Account", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Detect AWS Console Login by New User", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unsecured Credentials"}]}}, {"name": "Detect AWS Console Login by User from New City", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Detect AWS Console Login by User from New Country", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Detect AWS Console Login by User from New Region", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}]}, {"name": "Suspicious Cloud Instance Activities", "id": "8168ca88-392e-42f4-85a2-767579c660ce", "version": 1, "date": "2020-08-25", "author": "David Dorsey, Splunk", "description": "Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your cloud environment.", "narrative": "Monitoring your cloud infrastructure logs allows you enable governance, compliance, and risk auditing. It is crucial for a company to monitor events and actions taken in the their cloud environments to ensure that your instances are not vulnerable to attacks. This Analytic Story identifies suspicious activities in your cloud compute instances and helps you respond and investigate those activities.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "tags": {"name": "Suspicious Cloud Instance Activities", "analytic_story": "Suspicious Cloud Instance Activities", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion", "Exfiltration", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Change", "Risk"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Abnormally High Number Of Cloud Instances Destroyed - Rule", "ESCU - Abnormally High Number Of Cloud Instances Launched - Rule", "ESCU - AWS AMI Atttribute Modification for Exfiltration - Rule", "ESCU - AWS EC2 Snapshot Shared Externally - Rule", "ESCU - AWS Exfiltration via EC2 Snapshot - Rule", "ESCU - AWS S3 Exfiltration Behavior Identified - Rule", "ESCU - Cloud Instance Modified By Previously Unseen User - Rule"], "investigation_names": ["ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - Get All AWS Activity From IP Address - Response Task"], "baseline_names": ["ESCU - Baseline Of Cloud Instances Destroyed", "ESCU - Baseline Of Cloud Instances Launched", "ESCU - Previously Seen Cloud Instance Modifications By User - Initial", "ESCU - Previously Seen Cloud Instance Modifications By User - Update"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Abnormally High Number Of Cloud Instances Destroyed", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Abnormally High Number Of Cloud Instances Launched", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "AWS AMI Atttribute Modification for Exfiltration", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "AWS EC2 Snapshot Shared Externally", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "AWS Exfiltration via EC2 Snapshot", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "AWS S3 Exfiltration Behavior Identified", "source": "cloud", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "Cloud Instance Modified By Previously Unseen User", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}}]}, {"name": "Suspicious Cloud Provisioning Activities", "id": "51045ded-1575-4ba6-aef7-af6c73cffd86", "version": 1, "date": "2018-08-20", "author": "David Dorsey, Splunk", "description": "Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your cloud environment.", "narrative": "Because most enterprise cloud infrastructure activities originate from familiar geographic locations, monitoring for activity from unknown or unusual regions is an important security measure. This indicator can be especially useful in environments where it is impossible to add specific IPs to an allow list because they vary.\\\nThis Analytic Story was designed to provide you with flexibility in the precision you employ in specifying legitimate geographic regions. It can be as specific as an IP address or a city, or as broad as a region (think state) or an entire country. By determining how precise you want your geographical locations to be and monitoring for new locations that haven't previously accessed your environment, you can detect adversaries as they begin to probe your environment. Since there are legitimate reasons for activities from unfamiliar locations, this is not a standalone indicator. Nevertheless, location can be a relevant piece of information that you may wish to investigate further.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "tags": {"name": "Suspicious Cloud Provisioning Activities", "analytic_story": "Suspicious Cloud Provisioning Activities", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Change"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Cloud Provisioning Activity From Previously Unseen City - Rule", "ESCU - Cloud Provisioning Activity From Previously Unseen Country - Rule", "ESCU - Cloud Provisioning Activity From Previously Unseen IP Address - Rule", "ESCU - Cloud Provisioning Activity From Previously Unseen Region - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": ["ESCU - Previously Seen Cloud Provisioning Activity Sources - Initial", "ESCU - Previously Seen Cloud Provisioning Activity Sources - Update"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Cloud Provisioning Activity From Previously Unseen City", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Cloud Provisioning Activity From Previously Unseen Country", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Cloud Provisioning Activity From Previously Unseen IP Address", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Cloud Provisioning Activity From Previously Unseen Region", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}]}, {"name": "Suspicious Cloud User Activities", "id": "1ed5ce7d-5469-4232-92af-89d1a3595b39", "version": 1, "date": "2020-09-04", "author": "David Dorsey, Splunk", "description": "Detect and investigate suspicious activities by users and roles in your cloud environments.", "narrative": "It seems obvious that it is critical to monitor and control the users who have access to your cloud infrastructure. Nevertheless, it's all too common for enterprises to lose track of ad-hoc accounts, leaving their servers vulnerable to attack. In fact, this was the very oversight that led to Tesla's cryptojacking attack in February, 2018.\\\nIn addition to compromising the security of your data, when bad actors leverage your compute resources, it can incur monumental costs, since you will be billed for any new instances and increased bandwidth usage.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf", "https://redlock.io/blog/cryptojacking-tesla"], "tags": {"name": "Suspicious Cloud User Activities", "analytic_story": "Suspicious Cloud User Activities", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1580", "mitre_attack_technique": "Cloud Infrastructure Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}], "mitre_attack_tactics": ["Defense Evasion", "Discovery", "Execution", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Change"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Abnormally High Number Of Cloud Infrastructure API Calls - Rule", "ESCU - Abnormally High Number Of Cloud Security Group API Calls - Rule", "ESCU - AWS IAM AccessDenied Discovery Events - Rule", "ESCU - AWS Lambda UpdateFunctionCode - Rule", "ESCU - Cloud API Calls From Previously Unseen User Roles - Rule"], "investigation_names": ["ESCU - AWS Investigate User Activities By ARN - Response Task"], "baseline_names": ["ESCU - Baseline Of Cloud Infrastructure API Calls Per User", "ESCU - Baseline Of Cloud Security Group API Calls Per User", "ESCU - Previously Seen Cloud API Calls Per User Role - Initial", "ESCU - Previously Seen Cloud API Calls Per User Role - Update"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Abnormally High Number Of Cloud Infrastructure API Calls", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Abnormally High Number Of Cloud Security Group API Calls", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "AWS IAM AccessDenied Discovery Events", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Infrastructure Discovery"}]}}, {"name": "AWS Lambda UpdateFunctionCode", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}]}}, {"name": "Cloud API Calls From Previously Unseen User Roles", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}]}, {"name": "Suspicious Command-Line Executions", "id": "f4368ddf-d59f-4192-84f6-778ac5a3ffc7", "version": 2, "date": "2020-02-03", "author": "Bhavin Patel, Splunk", "description": "Leveraging the Windows command-line interface (CLI) is one of the most common attack techniques--one that is also detailed in the MITRE ATT&CK framework. Use this Analytic Story to help you identify unusual or suspicious use of the CLI on Windows systems.", "narrative": "The ability to execute arbitrary commands via the Windows CLI is a primary goal for the adversary. With access to the shell, an attacker can easily run scripts and interact with the target system. Often, attackers may only have limited access to the shell or may obtain access in unusual ways. In addition, malware may execute and interact with the CLI in ways that would be considered unusual and inconsistent with typical user activity. This provides defenders with opportunities to identify suspicious use and investigate, as appropriate. This Analytic Story contains various searches to help identify this suspicious activity, as well as others to aid you in deeper investigation.", "references": ["https://attack.mitre.org/wiki/Technique/T1059", "https://www.microsoft.com/en-us/wdsi/threats/macro-malware", "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"], "tags": {"name": "Suspicious Command-Line Executions", "analytic_story": "Suspicious Command-Line Executions", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - Detect suspicious processnames using pretrained model in DSDL - Rule", "ESCU - Detect Use of cmd exe to Launch Script Interpreters - Rule", "ESCU - Potentially malicious code on commandline - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": ["ESCU - Baseline of Command Line Length - MLTK", "ESCU - Previously seen command line arguments"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "Detect Prohibited Applications Spawning cmd exe", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "Detect suspicious processnames using pretrained model in DSDL", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Detect Use of cmd exe to Launch Script Interpreters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "Potentially malicious code on commandline", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Unusually Long Command Line", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Unusually Long Command Line - MLTK", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Suspicious Compiled HTML Activity", "id": "a09db4d1-3827-4833-87b8-3a397e532119", "version": 1, "date": "2021-02-11", "author": "Michael Haag, Splunk", "description": "Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.", "narrative": "Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. CHM content is displayed using underlying components of the Internet Explorer browser loaded by the HTML Help executable program (hh.exe). \\\nHH.exe relies upon hhctrl.ocx to load CHM topics.This will load upon execution of a chm file. \\\nDuring investigation, review all parallel processes and child processes. It is possible for file modification events to occur and it is best to capture the CHM file and decompile it for further analysis. \\\nUpon usage of InfoTech Storage Handlers, ms-its, its, mk, itss.dll will load.", "references": ["https://redcanary.com/blog/introducing-atomictestharnesses/", "https://attack.mitre.org/techniques/T1218/001/", "https://docs.microsoft.com/en-us/windows/win32/api/htmlhelp/nf-htmlhelp-htmlhelpa"], "tags": {"name": "Suspicious Compiled HTML Activity", "analytic_story": "Suspicious Compiled HTML Activity", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.001", "mitre_attack_technique": "Compiled HTML File", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "APT41", "Dark Caracal", "OilRig", "Silence"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Detect HTML Help Renamed - Rule", "ESCU - Detect HTML Help Spawn Child Process - Rule", "ESCU - Detect HTML Help URL in Command Line - Rule", "ESCU - Detect HTML Help Using InfoTech Storage Handlers - Rule", "ESCU - Windows System Binary Proxy Execution Compiled HTML File Decompile - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect HTML Help Renamed", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}}, {"name": "Detect HTML Help Spawn Child Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}}, {"name": "Detect HTML Help URL in Command Line", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}}, {"name": "Detect HTML Help Using InfoTech Storage Handlers", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}}, {"name": "Windows System Binary Proxy Execution Compiled HTML File Decompile", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compiled HTML File"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}]}, {"name": "Suspicious DNS Traffic", "id": "3c3835c0-255d-4f9e-ab84-e29ec9ec9b56", "version": 1, "date": "2017-09-18", "author": "Rico Valdez, Splunk", "description": "Attackers often attempt to hide within or otherwise abuse the domain name system (DNS). You can thwart attempts to manipulate this omnipresent protocol by monitoring for these types of abuses.", "narrative": "Although DNS is one of the fundamental underlying protocols that make the Internet work, it is often ignored (perhaps because of its complexity and effectiveness). However, attackers have discovered ways to abuse the protocol to meet their objectives. One potential abuse involves manipulating DNS to hijack traffic and redirect it to an IP address under the attacker's control. This could inadvertently send users intending to visit google.com, for example, to an unrelated malicious website. Another technique involves using the DNS protocol for command-and-control activities with the attacker's malicious code or to covertly exfiltrate data. The searches within this Analytic Story look for these types of abuses.", "references": ["http://blogs.splunk.com/2015/10/01/random-words-on-entropy-and-dns/", "http://www.darkreading.com/analytics/security-monitoring/got-malware-three-signs-revealed-in-dns-traffic/d/d-id/1139680", "https://live.paloaltonetworks.com/t5/Threat-Vulnerability-Articles/What-are-suspicious-DNS-queries/ta-p/71454"], "tags": {"name": "Suspicious DNS Traffic", "analytic_story": "Suspicious DNS Traffic", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1568.002", "mitre_attack_technique": "Domain Generation Algorithms", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "TA551"]}, {"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Dragonfly", "Magic Hound", "Rocke", "TeamTNT"]}], "mitre_attack_tactics": ["Command And Control", "Exfiltration", "Initial Access"], "datamodels": ["Endpoint", "Network_Resolution"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery"]}, "detection_names": ["ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - Detect Long DNS TXT Record Response - Rule", "ESCU - Detection of DNS Tunnels - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect DNS Data Exfiltration using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Detect suspicious DNS TXT records using pretrained model in DSDL - Rule", "ESCU - DNS Query Length Outliers - MLTK - Rule", "ESCU - DNS Query Length With High Standard Deviation - Rule", "ESCU - Excessive DNS Failures - Rule"], "investigation_names": ["ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get DNS traffic ratio - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Responsible For The DNS Traffic - Response Task"], "baseline_names": ["ESCU - Baseline of DNS Query Length - MLTK"], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Clients Connecting to Multiple DNS Servers", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "Detect Long DNS TXT Record Response", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "Detection of DNS Tunnels", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}]}}, {"name": "DNS Exfiltration Using Nslookup App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Excessive Usage of NSLOOKUP App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}}, {"name": "Detect DNS Data Exfiltration using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Detect suspicious DNS TXT records using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}}, {"name": "DNS Query Length Outliers - MLTK", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "DNS Query Length With High Standard Deviation", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Excessive DNS Failures", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}]}, {"name": "Suspicious Emails", "id": "2b1800dd-92f9-47ec-a981-fdf1351e5d55", "version": 1, "date": "2020-01-27", "author": "Bhavin Patel, Splunk", "description": "Email remains one of the primary means for attackers to gain an initial foothold within the modern enterprise. Detect and investigate suspicious emails in your environment with the help of the searches in this Analytic Story.", "narrative": "It is a common practice for attackers of all types to leverage targeted spearphishing campaigns and mass mailers to deliver weaponized email messages and attachments. Fortunately, there are a number of ways to monitor email data in Splunk to detect suspicious content.\\\nOnce a phishing message has been detected, the next steps are to answer the following questions: \\\n1. Which users have received this or a similar message in the past?\\\n1. When did the targeted campaign begin?\\\n1. Have any users interacted with the content of the messages (by downloading an attachment or clicking on a malicious URL)?This Analytic Story provides detection searches to identify suspicious emails, as well as contextual and investigative searches to help answer some of these questions.", "references": ["https://www.splunk.com/blog/2015/06/26/phishing-hits-a-new-level-of-quality/"], "tags": {"name": "Suspicious Emails", "analytic_story": "Suspicious Emails", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Email", "UEBA"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Monitor Email For Brand Abuse - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Suspicious Email - UBA Anomaly - Rule"], "investigation_names": ["ESCU - Get Email Info - Response Task", "ESCU - Get Emails From Specific Sender - Response Task", "ESCU - Get Notable History - Response Task"], "baseline_names": ["ESCU - DNSTwist Domain Names"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Email Attachments With Lots Of Spaces", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Monitor Email For Brand Abuse", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Suspicious Email Attachment Extensions", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Suspicious Email - UBA Anomaly", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}]}}]}, {"name": "Suspicious GCP Storage Activities", "id": "4d656b2e-d6be-11ea-87d0-0242ac130003", "version": 1, "date": "2020-08-05", "author": "Shannon Davis, Splunk", "description": "Use the searches in this Analytic Story to monitor your GCP Storage buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open storage buckets and buckets being accessed from a new IP. The contextual and investigative searches will give you more information, when required.", "narrative": "Similar to other cloud providers, GCP operates on a shared responsibility model. This means the end user, you, are responsible for setting appropriate access control lists and permissions on your GCP resources.\\ This Analytics Story concentrates on detecting things like open storage buckets (both read and write) along with storage bucket access from unfamiliar users and IP addresses.", "references": ["https://cloud.google.com/blog/products/gcp/4-steps-for-hardening-your-cloud-storage-buckets-taking-charge-of-your-security", "https://rhinosecuritylabs.com/gcp/google-cloud-platform-gcp-bucket-enumeration/"], "tags": {"name": "Suspicious GCP Storage Activities", "analytic_story": "Suspicious GCP Storage Activities", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1530", "mitre_attack_technique": "Data from Cloud Storage", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Fox Kitten"]}], "mitre_attack_tactics": ["Collection"], "datamodels": ["Email"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Detect GCP Storage access from a new IP - Rule", "ESCU - Detect New Open GCP Storage Buckets - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Shannon Davis", "detections": [{"name": "Detect GCP Storage access from a new IP", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data from Cloud Storage"}]}}, {"name": "Detect New Open GCP Storage Buckets", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data from Cloud Storage"}]}}]}, {"name": "Suspicious MSHTA Activity", "id": "1e5a5a53-540b-462a-8fb7-f44a4292f5dc", "version": 2, "date": "2021-01-20", "author": "Bhavin Patel, Michael Haag, Splunk", "description": "Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.", "narrative": "One common adversary tactic is to bypass application control solutions via the mshta.exe process, which loads Microsoft HTML applications (mshtml.dll) with the .hta suffix. In these cases, attackers use the trusted Windows utility to proxy execution of malicious files, whether an .hta application, javascript, or VBScript.\\\nThe searches in this story help you detect and investigate suspicious activity that may indicate that an attacker is leveraging mshta.exe to execute malicious code.\\\nTriage\\\nValidate execution \\\n1. Determine if MSHTA.exe executed. Validate the OriginalFileName of MSHTA.exe and further PE metadata. If executed outside of c:\\windows\\system32 or c:\\windows\\syswow64, it should be highly suspect.\\\n1. Determine if script code was executed with MSHTA.\\\nSituational Awareness\\\nThe objective of this step is meant to identify suspicious behavioral indicators related to executed of Script code by MSHTA.exe.\\\n1. Parent process. Is the parent process a known LOLBin? Is the parent process an Office Application?\\\n1. Module loads. Are the known MSHTA.exe modules being loaded by a non-standard application? Is MSHTA loading any suspicious .DLLs?\\\n1. Network connections. Any network connections? Review the reputation of the remote IP or domain.\\\nRetrieval of script code\\\nThe objective of this step is to confirm the executed script code is benign or malicious.", "references": ["https://redcanary.com/blog/introducing-atomictestharnesses/", "https://redcanary.com/blog/windows-registry-attacks-threat-detection/", "https://attack.mitre.org/techniques/T1218/005/", "https://medium.com/@mbromileyDFIR/malware-monday-aebb456356c5"], "tags": {"name": "Suspicious MSHTA Activity", "analytic_story": "Suspicious MSHTA Activity", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA551"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Detect mshta inline hta execution - Rule", "ESCU - Detect mshta renamed - Rule", "ESCU - Detect MSHTA Url in Command Line - Rule", "ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - Detect Rundll32 Inline HTA Execution - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Suspicious mshta child process - Rule", "ESCU - Suspicious mshta spawn - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": ["ESCU - Baseline of Command Line Length - MLTK", "ESCU - Previously seen command line arguments"], "author_company": "Michael Haag, Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect mshta inline hta execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Detect mshta renamed", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Detect MSHTA Url in Command Line", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Detect Prohibited Applications Spawning cmd exe", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "Detect Rundll32 Inline HTA Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Suspicious mshta child process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Suspicious mshta spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}]}, {"name": "Suspicious Okta Activity", "id": "9cbd34af-8f39-4476-a423-bacd126c750b", "version": 1, "date": "2020-04-02", "author": "Rico Valdez, Splunk", "description": "Monitor your Okta environment for suspicious activities. Due to the Covid outbreak, many users are migrating over to leverage cloud services more and more. Okta is a popular tool to manage multiple users and the web-based applications they need to stay productive. The searches in this story will help monitor your Okta environment for suspicious activities and associated user behaviors.", "narrative": "Okta is the leading single sign on (SSO) provider, allowing users to authenticate once to Okta, and from there access a variety of web-based applications. These applications are assigned to users and allow administrators to centrally manage which users are allowed to access which applications. It also provides centralized logging to help understand how the applications are used and by whom. \\\nWhile SSO is a major convenience for users, it also provides attackers with an opportunity. If the attacker can gain access to Okta, they can access a variety of applications. As such monitoring the environment is important. \\\nWith people moving quickly to adopt web-based applications and ways to manage them, many are still struggling to understand how best to monitor these environments. This analytic story provides searches to help monitor this environment, and identify events and activity that warrant further investigation such as credential stuffing or password spraying attacks, and users logging in from multiple locations when travel is disallowed.", "references": ["https://attack.mitre.org/wiki/Technique/T1078", "https://owasp.org/www-community/attacks/Credential_stuffing", "https://searchsecurity.techtarget.com/answer/What-is-a-password-spraying-attack-and-how-does-it-work"], "tags": {"name": "Suspicious Okta Activity", "analytic_story": "Suspicious Okta Activity", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.001", "mitre_attack_technique": "Default Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1550.004", "mitre_attack_technique": "Web Session Cookie", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1538", "mitre_attack_technique": "Cloud Service Dashboard", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1539", "mitre_attack_technique": "Steal Web Session Cookie", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Evilnum", "LuminousMoth"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Authentication", "Risk"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Multiple Okta Users With Invalid Credentials From The Same IP - Rule", "ESCU - Okta Account Locked Out - Rule", "ESCU - Okta Account Lockout Events - Rule", "ESCU - Okta Failed SSO Attempts - Rule", "ESCU - Okta MFA Exhaustion Hunt - Rule", "ESCU - Okta Mismatch Between Source and Response for Verify Push Request - Rule", "ESCU - Okta Multiple Failed Requests to Access Applications - Rule", "ESCU - Okta New API Token Created - Rule", "ESCU - Okta New Device Enrolled on Account - Rule", "ESCU - Okta Phishing Detection with FastPass Origin Check - Rule", "ESCU - Okta Risk Threshold Exceeded - Rule", "ESCU - Okta Suspicious Activity Reported - Rule", "ESCU - Okta Suspicious Use of a Session Cookie - Rule", "ESCU - Okta ThreatInsight Login Failure with High Unknown users - Rule", "ESCU - Okta ThreatInsight Suspected PasswordSpray Attack - Rule", "ESCU - Okta ThreatInsight Threat Detected - Rule", "ESCU - Okta Two or More Rejected Okta Pushes - Rule", "ESCU - Okta User Logins From Multiple Cities - Rule"], "investigation_names": ["ESCU - Investigate Okta Activity by app - Response Task", "ESCU - Investigate Okta Activity by IP Address - Response Task", "ESCU - Investigate User Activities In Okta - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Multiple Okta Users With Invalid Credentials From The Same IP", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}}, {"name": "Okta Account Locked Out", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}]}}, {"name": "Okta Account Lockout Events", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}}, {"name": "Okta Failed SSO Attempts", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}}, {"name": "Okta MFA Exhaustion Hunt", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}]}}, {"name": "Okta Mismatch Between Source and Response for Verify Push Request", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}}, {"name": "Okta Multiple Failed Requests to Access Applications", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Web Session Cookie"}, {"mitre_attack_technique": "Cloud Service Dashboard"}]}}, {"name": "Okta New API Token Created", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}}, {"name": "Okta New Device Enrolled on Account", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}}, {"name": "Okta Phishing Detection with FastPass Origin Check", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}, {"mitre_attack_technique": "Modify Authentication Process"}]}}, {"name": "Okta Risk Threshold Exceeded", "source": "application", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Okta Suspicious Activity Reported", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}}, {"name": "Okta Suspicious Use of a Session Cookie", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal Web Session Cookie"}]}}, {"name": "Okta ThreatInsight Login Failure with High Unknown users", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "Okta ThreatInsight Suspected PasswordSpray Attack", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}, {"mitre_attack_technique": "Password Spraying"}]}}, {"name": "Okta ThreatInsight Threat Detected", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}}, {"name": "Okta Two or More Rejected Okta Pushes", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}]}}, {"name": "Okta User Logins From Multiple Cities", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}}]}, {"name": "Suspicious Regsvcs Regasm Activity", "id": "2cdf33a0-4805-4b61-b025-59c20f418fbe", "version": 1, "date": "2021-02-11", "author": "Michael Haag, Splunk", "description": "Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.", "narrative": " Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft. The following queries assist with detecting suspicious and malicious usage of Regasm.exe and Regsvcs.exe. Upon reviewing usage of Regasm.exe Regsvcs.exe, review file modification events for possible script code written. Review parallel process events for csc.exe being utilized to compile script code.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/evasion/windows/applocker_evasion_regasm_regsvcs.md", "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/"], "tags": {"name": "Suspicious Regsvcs Regasm Activity", "analytic_story": "Suspicious Regsvcs Regasm Activity", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.009", "mitre_attack_technique": "Regsvcs/Regasm", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Detect Regasm Spawning a Process - Rule", "ESCU - Detect Regasm with Network Connection - Rule", "ESCU - Detect Regasm with no Command Line Arguments - Rule", "ESCU - Detect Regsvcs Spawning a Process - Rule", "ESCU - Detect Regsvcs with Network Connection - Rule", "ESCU - Detect Regsvcs with No Command Line Arguments - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Regasm Spawning a Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regasm with Network Connection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regasm with no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regsvcs Spawning a Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regsvcs with Network Connection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regsvcs with No Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}]}, {"name": "Suspicious Regsvr32 Activity", "id": "b8bee41e-624f-11eb-ae93-0242ac130002", "version": 1, "date": "2021-01-29", "author": "Michael Haag, Splunk", "description": "Monitor and detect techniques used by attackers who leverage the regsvr32.exe process to execute malicious code.", "narrative": "One common adversary tactic is to bypass application control solutions via the regsvr32.exe process. This particular bypass was popularized with \"SquiblyDoo\" using the \"scrobj.dll\" dll to load .sct scriptlets. This technique is still widely used by adversaries to bypass detection and prevention controls. The file extension of the DLL is irrelevant (it may load a .txt file extension for example). The searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging regsvr32.exe to execute malicious code. Validate execution Determine if regsvr32.exe executed. Validate the OriginalFileName of regsvr32.exe and further PE metadata. If executed outside of c:\\windows\\system32 or c:\\windows\\syswow64, it should be highly suspect. Determine if script code was executed with regsvr32. Situational Awareness - The objective of this step is meant to identify suspicious behavioral indicators related to executed of Script code by regsvr32.exe. Parent process. Is the parent process a known LOLBin? Is the parent process an Office Application? Module loads. Is regsvr32 loading any suspicious .DLLs? Unsigned or signed from non-standard paths. Network connections. Any network connections? Review the reputation of the remote IP or domain. Retrieval of Script Code - confirm the executed script code is benign or malicious.", "references": ["https://attack.mitre.org/techniques/T1218/010/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/"], "tags": {"name": "Suspicious Regsvr32 Activity", "analytic_story": "Suspicious Regsvr32 Activity", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - Malicious InProcServer32 Modification - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Malicious InProcServer32 Modification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Regsvr32"}, {"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Suspicious Regsvr32 Register Suspicious Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}]}, {"name": "Suspicious Rundll32 Activity", "id": "80a65487-854b-42f1-80a1-935e4c170694", "version": 1, "date": "2021-02-03", "author": "Michael Haag, Splunk", "description": "Monitor and detect techniques used by attackers who leverage rundll32.exe to execute arbitrary malicious code.", "narrative": "One common adversary tactic is to bypass application control solutions via the rundll32.exe process. Natively, rundll32.exe will load DLLs and is a great example of a Living off the Land Binary. Rundll32.exe may load malicious DLLs by ordinals, function names or directly. The queries in this story focus on loading default DLLs, syssetup.dll, ieadvpack.dll, advpack.dll and setupapi.dll from disk that may be abused by adversaries. Additionally, two analytics developed to assist with identifying DLLRegisterServer, Start and StartW functions being called. The searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging rundll32.exe to execute malicious code.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32"], "tags": {"name": "Suspicious Rundll32 Activity", "analytic_story": "Suspicious Rundll32 Activity", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Suspicious Rundll32 Rename - Rule", "ESCU - Detect Rundll32 Application Control Bypass - advpack - Rule", "ESCU - Detect Rundll32 Application Control Bypass - setupapi - Rule", "ESCU - Detect Rundll32 Application Control Bypass - syssetup - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Rundll32 Control RunDLL Hunt - Rule", "ESCU - Rundll32 Control RunDLL World Writable Directory - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Suspicious Rundll32 dllregisterserver - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", "ESCU - Suspicious Rundll32 StartW - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Suspicious Rundll32 Rename", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rundll32"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Detect Rundll32 Application Control Bypass - advpack", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Detect Rundll32 Application Control Bypass - setupapi", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Detect Rundll32 Application Control Bypass - syssetup", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Rundll32 Control RunDLL Hunt", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Rundll32 Control RunDLL World Writable Directory", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "RunDLL Loading DLL By Ordinal", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious Rundll32 dllregisterserver", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}]}, {"name": "Suspicious Windows Registry Activities", "id": "2b1800dd-92f9-47dd-a981-fdf1351e5d55", "version": 1, "date": "2018-05-31", "author": "Bhavin Patel, Splunk", "description": "Monitor and detect registry changes initiated from remote locations, which can be a sign that an attacker has infiltrated your system.", "narrative": "Attackers are developing increasingly sophisticated techniques for hijacking target servers, while evading detection. One such technique that has become progressively more common is registry modification.\\\n The registry is a key component of the Windows operating system. It has a hierarchical database called \"registry\" that contains settings, options, and values for executables. Once the threat actor gains access to a machine, they can use reg.exe to modify their account to obtain administrator-level privileges, maintain persistence, and move laterally within the environment.\\\n The searches in this story are designed to help you detect behaviors associated with manipulation of the Windows registry.", "references": ["https://redcanary.com/blog/windows-registry-attacks-threat-detection/", "https://attack.mitre.org/wiki/Technique/T1112"], "tags": {"name": "Suspicious Windows Registry Activities", "analytic_story": "Suspicious Windows Registry Activities", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1564.001", "mitre_attack_technique": "Hidden Files and Directories", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "HAFNIUM", "Lazarus Group", "LuminousMoth", "Mustang Panda", "Rocke", "Transparent Tribe", "Tropic Trooper"]}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.010", "mitre_attack_technique": "Port Monitors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.011", "mitre_attack_technique": "Application Shimming", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN7"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["TEMP.Veles"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA551"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Reg exe used to hide files directories via registry keys - Rule", "ESCU - Remote Registry Key modifications - Rule", "ESCU - Suspicious Changes to File Associations - Rule", "ESCU - Disable UAC Remote Restriction - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Monitor Registry Keys for Print Monitors - Rule", "ESCU - Registry Keys for Creating SHIM Databases - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Windows Mshta Execution In Registry - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Reg exe used to hide files directories via registry keys", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hidden Files and Directories"}]}}, {"name": "Remote Registry Key modifications", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Suspicious Changes to File Associations", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Change Default File Association"}]}}, {"name": "Disable UAC Remote Restriction", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Monitor Registry Keys for Print Monitors", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Port Monitors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Registry Keys for Creating SHIM Databases", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application Shimming"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Image File Execution Options Injection"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Windows Mshta Execution In Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Mshta"}]}}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}}]}, {"name": "Suspicious WMI Use", "id": "c8ddc5be-69bc-4202-b3ab-4010b27d7ad5", "version": 2, "date": "2018-10-23", "author": "Rico Valdez, Splunk", "description": "Attackers are increasingly abusing Windows Management Instrumentation (WMI), a framework and associated utilities available on all modern Windows operating systems. Because WMI can be leveraged to manage both local and remote systems, it is important to identify the processes executed and the user context within which the activity occurred.", "narrative": "WMI is a Microsoft infrastructure for management data and operations on Windows operating systems. It includes of a set of utilities that can be leveraged to manage both local and remote Windows systems. Attackers are increasingly turning to WMI abuse in their efforts to conduct nefarious tasks, such as reconnaissance, detection of antivirus and virtual machines, code execution, lateral movement, persistence, and data exfiltration. The detection searches included in this Analytic Story are used to look for suspicious use of WMI commands that attackers may leverage to interact with remote systems. The searches specifically look for the use of WMI to run processes on remote systems. In the event that unauthorized WMI execution occurs, it will be important for analysts and investigators to determine the context of the event. These details may provide insights related to how WMI was used and to what end.", "references": ["https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf", "https://web.archive.org/web/20210921091529/https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html"], "tags": {"name": "Suspicious WMI Use", "analytic_story": "Suspicious WMI Use", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.003", "mitre_attack_technique": "Windows Management Instrumentation Event Subscription", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT33", "Blue Mockingbird", "FIN8", "Leviathan", "Metador", "Mustang Panda", "Turla"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1220", "mitre_attack_technique": "XSL Script Processing", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "Higaisa"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Detect WMI Event Subscription Persistence - Rule", "ESCU - PowerShell Invoke WmiExec Usage - Rule", "ESCU - Process Execution via WMI - Rule", "ESCU - Remote Process Instantiation via WMI - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Script Execution via WMI - Rule", "ESCU - Windows WMI Process Call Create - Rule", "ESCU - WMI Permanent Event Subscription - Rule", "ESCU - WMI Permanent Event Subscription - Sysmon - Rule", "ESCU - WMI Temporary Event Subscription - Rule", "ESCU - WMIC XSL Execution via URL - Rule", "ESCU - XSL Script Execution With WMIC - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Sysmon WMI Activity for Host - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Detect WMI Event Subscription Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation Event Subscription"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "PowerShell Invoke WmiExec Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Process Execution via WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Remote Process Instantiation via WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Script Execution via WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "WMI Permanent Event Subscription", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "WMI Permanent Event Subscription - Sysmon", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation Event Subscription"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "WMI Temporary Event Subscription", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "WMIC XSL Execution via URL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "XSL Script Processing"}]}}, {"name": "XSL Script Execution With WMIC", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "XSL Script Processing"}]}}]}, {"name": "Suspicious Zoom Child Processes", "id": "aa3749a6-49c7-491e-a03f-4eaee5fe0258", "version": 1, "date": "2020-04-13", "author": "David Dorsey, Splunk", "description": "Attackers are using Zoom as an vector to increase privileges on a sytems. This story detects new child processes of zoom and provides investigative actions for this detection.", "narrative": "Zoom is a leader in modern enterprise video communications and its usage has increased dramatically with a large amount of the population under stay-at-home orders due to the COVID-19 pandemic. With increased usage has come increased scrutiny and several security flaws have been found with this application on both Windows and macOS systems.\\\nCurrent detections focus on finding new child processes of this application on a per host basis. Investigative searches are included to gather information needed during an investigation.", "references": ["https://blog.rapid7.com/2020/04/02/dispelling-zoom-bugbears-what-you-need-to-know-about-the-latest-zoom-vulnerabilities/", "https://threatpost.com/two-zoom-zero-day-flaws-uncovered/154337/"], "tags": {"name": "Suspicious Zoom Child Processes", "analytic_story": "Suspicious Zoom Child Processes", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Execution", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - First Time Seen Child Process of Zoom - Rule"], "investigation_names": ["ESCU - Get Process File Activity - Response Task"], "baseline_names": ["ESCU - Previously Seen Zoom Child Processes - Initial", "ESCU - Previously Seen Zoom Child Processes - Update"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Detect Prohibited Applications Spawning cmd exe", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "First Time Seen Child Process of Zoom", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}]}, {"name": "Swift Slicer", "id": "234c9dd7-52fb-4d6f-aec9-075ef88a2cea", "version": 1, "date": "2023-02-01", "author": "Teoderick Contreras, Rod Soto, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the swift slicer malware including overwriting of files and etc.", "narrative": "Swift Slicer is one of Windows destructive malware found by ESET that was used in a targeted organizarion to wipe critical files like windows drivers and other files to destroy and left the machine inoperable. This malware like Caddy Wiper was deliver through GPO which suggests that the attacker had taken control of the victims active directory environment.", "references": ["https://twitter.com/ESETresearch/status/1618960022150729728", "https://www.welivesecurity.com/2023/01/27/swiftslicer-new-destructive-wiper-malware-ukraine/"], "tags": {"name": "Swift Slicer", "analytic_story": "Swift Slicer", "category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}], "mitre_attack_tactics": ["Defense Evasion", "Impact", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Data Destruction Recursive Exec Files Deletion - Rule", "ESCU - Windows High File Deletion Frequency - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows Data Destruction Recursive Exec Files Deletion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}]}, {"name": "Text4Shell CVE-2022-42889", "id": "95ae800d-485e-47f7-866e-8be281aa497b", "version": 1, "date": "2022-10-26", "author": "Michael Haag, Splunk", "description": "A new critical vulnerability CVE-2022-42889 a.k.a. Text4shell, similar to the old Spring4Shell and Log4Shell, was originally reported by Alvaro Munoz on the very popular Apache Commons Text library.", "narrative": "Apache Commons Text is a Java library described as \"a library focused on algorithms working on strings.\" We can see it as a general-purpose text manipulation toolkit. This vulnerability affects the StringSubstitutor interpolator class, which is included in the Commons Text library. A default interpolator allows for string lookups that can lead to Remote Code Execution. This is due to a logic flaw that makes the \"script,\" \"dns,\" and \"url\" lookup keys interpolated by default, as opposed to what it should be, according to the documentation of the StringLookupFactory class. Those keys allow an attacker to execute arbitrary code via lookups. In order to exploit the vulnerabilities, the following requirements must be met - Run a version of Apache Commons Text from version 1.5 to 1.9 and use the StringSubstitutor interpolator. It is important to specify that the StringSubstitutor interpolator is not as widely used as the string substitution in Log4j, which led to Log4Shell. According to the CVSSv3 system, it scores 9.8 as CRITICAL severity. The severity is Critical due to the easy exploitability and huge potential impact in terms of confidentiality, integrity, and availability. As we showed in the previous section, you can take full control over the vulnerable system with a crafted request. However, it is not likely the vulnerabilities will have the same impacts as the previous Log4Shell and Spring4Shell.", "references": ["https://sysdig.com/blog/cve-2022-42889-text4shell/"], "tags": {"name": "Text4Shell CVE-2022-42889", "analytic_story": "Text4Shell CVE-2022-42889", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Initial Access", "Persistence"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - Exploit Public Facing Application via Apache Commons Text - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Exploit Public Facing Application via Apache Commons Text", "source": "web", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "Trickbot", "id": "16f93769-8342-44c0-9b1d-f131937cce8e", "version": 1, "date": "2021-04-20", "author": "Rod Soto, Teoderick Contreras, Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the trickbot banking trojan, including looking for file writes associated with its payload, process injection, shellcode execution and data collection even in LDAP environment.", "narrative": "trickbot banking trojan campaigns targeting banks and other vertical sectors.This malware is known in Microsoft Windows OS where target security Microsoft Defender to prevent its detection and removal. steal Verizon credentials and targeting banks using its multi component modules that collect and exfiltrate data.", "references": ["https://en.wikipedia.org/wiki/Trickbot", "https://blog.checkpoint.com/2021/03/11/february-2021s-most-wanted-malware-trickbot-takes-over-following-emotet-shutdown/"], "tags": {"name": "Trickbot", "analytic_story": "Trickbot", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA551"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}, {"mitre_attack_id": "T1590", "mitre_attack_technique": "Gather Victim Network Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["HAFNIUM"]}, {"mitre_attack_id": "T1590.005", "mitre_attack_technique": "IP Addresses", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["Andariel", "HAFNIUM", "Magic Hound"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}], "mitre_attack_tactics": ["Defense Evasion", "Discovery", "Execution", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Account Discovery With Net App - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Mshta spawning Rundll32 OR Regsvr32 Process - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning CertUtil - Rule", "ESCU - Powershell Remote Thread To Known Windows Process - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Rundll32 StartW - Rule", "ESCU - Trickbot Named Pipe - Rule", "ESCU - Wermgr Process Connecting To IP Check Web Services - Rule", "ESCU - Wermgr Process Create Executable File - Rule", "ESCU - Wermgr Process Spawned CMD Or Powershell Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Splunk", "author_name": "Rod Soto", "detections": [{"name": "Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Mshta spawning Rundll32 OR Regsvr32 Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Powershell Remote Thread To Known Windows Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Trickbot Named Pipe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Wermgr Process Connecting To IP Check Web Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Network Information"}, {"mitre_attack_technique": "IP Addresses"}]}}, {"name": "Wermgr Process Create Executable File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Wermgr Process Spawned CMD Or Powershell Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}]}, {"name": "Trusted Developer Utilities Proxy Execution", "id": "270a67a6-55d8-11eb-ae93-0242ac130002", "version": 1, "date": "2021-01-12", "author": "Michael Haag, Splunk", "description": "Monitor and detect behaviors used by attackers who leverage trusted developer utilities to execute malicious code.", "narrative": "Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.\\\nThe searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging microsoft.workflow.compiler.exe to execute malicious code.", "references": ["https://attack.mitre.org/techniques/T1127/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md", "https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/"], "tags": {"name": "Trusted Developer Utilities Proxy Execution", "analytic_story": "Trusted Developer Utilities Proxy Execution", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious microsoft workflow compiler usage - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Suspicious microsoft workflow compiler usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}]}}]}, {"name": "Trusted Developer Utilities Proxy Execution MSBuild", "id": "be3418e2-551b-11eb-ae93-0242ac130002", "version": 1, "date": "2021-01-21", "author": "Michael Haag, Splunk", "description": "Monitor and detect techniques used by attackers who leverage the msbuild.exe process to execute malicious code.", "narrative": "Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio and is native to Windows. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.\\\nThe inline task capability of MSBuild that was introduced in .NET version 4 allows for C# code to be inserted into an XML project file. MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.\\\nThe searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging msbuild.exe to execute malicious code.\\\nTriage\\\nValidate execution\\\n1. Determine if MSBuild.exe executed. Validate the OriginalFileName of MSBuild.exe and further PE metadata.\\\n1. Determine if script code was executed with MSBuild.\\\nSituational Awareness\\\nThe objective of this step is meant to identify suspicious behavioral indicators related to executed of Script code by MSBuild.exe.\\\n1. Parent process. Is the parent process a known LOLBin? Is the parent process an Office Application?\\\n1. Module loads. Are the known MSBuild.exe modules being loaded by a non-standard application? Is MSbuild loading any suspicious .DLLs?\\\n1. Network connections. Any network connections? Review the reputation of the remote IP or domain.\\\nRetrieval of script code\\\nThe objective of this step is to confirm the executed script code is benign or malicious.", "references": ["https://attack.mitre.org/techniques/T1127/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md", "https://github.com/infosecn1nja/MaliciousMacroMSBuild", "https://github.com/xorrior/RandomPS-Scripts/blob/master/Invoke-ExecuteMSBuild.ps1", "https://lolbas-project.github.io/lolbas/Binaries/Msbuild/", "https://github.com/MHaggis/CBR-Queries/blob/master/msbuild.md"], "tags": {"name": "Trusted Developer Utilities Proxy Execution MSBuild", "analytic_story": "Trusted Developer Utilities Proxy Execution MSBuild", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - MSBuild Suspicious Spawned By Script Process - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious MSBuild Spawn - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "MSBuild Suspicious Spawned By Script Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "MSBuild"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}]}}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "Suspicious MSBuild Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "MSBuild"}]}}]}, {"name": "Unusual Processes", "id": "f4368e3f-d59f-4192-84f6-748ac5a3ddb6", "version": 2, "date": "2020-02-04", "author": "Bhavin Patel, Splunk", "description": "Quickly identify systems running new or unusual processes in your environment that could be indicators of suspicious activity. Processes run from unusual locations, those with conspicuously long command lines, and rare executables are all examples of activities that may warrant deeper investigation.", "narrative": "Being able to profile a host's processes within your environment can help you more quickly identify processes that seem out of place when compared to the rest of the population of hosts or asset types.\\\nThis Analytic Story lets you identify processes that are either a) not typically seen running or b) have some sort of suspicious command-line arguments associated with them. This Analytic Story will also help you identify the user running these processes and the associated process activity on the host.\\\nIn the event an unusual process is identified, it is imperative to better understand how that process was able to execute on the host, when it first executed, and whether other hosts are affected. This extra information may provide clues that can help the analyst further investigate any suspicious activity.", "references": ["https://web.archive.org/web/20210921093439/https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-two.html", "https://www.splunk.com/pdfs/technical-briefs/advanced-threat-detection-and-response-tech-brief.pdf", "https://www.sans.org/reading-room/whitepapers/logging/detecting-security-incidents-windows-workstation-event-logs-34262"], "tags": {"name": "Unusual Processes", "analytic_story": "Unusual Processes", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036.005", "mitre_attack_technique": "Match Legitimate Name or Location", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT32", "APT39", "APT41", "Aoqin Dragon", "BRONZE BUTLER", "BackdoorDiplomacy", "Blue Mockingbird", "Carbanak", "Chimera", "Darkhotel", "Earth Lusca", "FIN7", "Ferocious Kitten", "Fox Kitten", "Gamaredon Group", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Poseidon Group", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "Sowbug", "TEMP.Veles", "TeamTNT", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1595", "mitre_attack_technique": "Active Scanning", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1218.012", "mitre_attack_technique": "Verclsid", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1588.002", "mitre_attack_technique": "Tool", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT19", "APT28", "APT29", "APT32", "APT33", "APT38", "APT39", "APT41", "Aoqin Dragon", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Carbanak", "Chimera", "Cleaver", "Cobalt Group", "CopyKittens", "DarkHydrus", "DarkVishnya", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN5", "FIN6", "Ferocious Kitten", "GALLIUM", "Gorgon Group", "HEXANE", "Inception", "IndigoZebra", "Ke3chang", "Kimsuky", "LAPSUS$", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "Metador", "Moses Staff", "MuddyWater", "POLONIUM", "Patchwork", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "TA505", "TEMP.Veles", "Threat Group-3390", "Thrip", "Turla", "WIRTE", "Whitefly", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134.004", "mitre_attack_technique": "Parent PID Spoofing", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Execution", "Initial Access", "Persistence", "Privilege Escalation", "Reconnaissance", "Resource Development"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Reconnaissance", "Weaponization"]}, "detection_names": ["ESCU - Uncommon Processes On Endpoint - Rule", "ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Detect processes used for System Network Configuration Discovery - Rule", "ESCU - Detect Rare Executables - Rule", "ESCU - Rundll32 Shimcache Flush - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule", "ESCU - Verclsid CLSID Execution - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows Remote Assistance Spawning Process - Rule", "ESCU - WinRM Spawning a Process - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": ["ESCU - Baseline of Command Line Length - MLTK"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Uncommon Processes On Endpoint", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious File"}]}}, {"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Match Legitimate Name or Location"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "Active Scanning"}]}}, {"name": "Detect processes used for System Network Configuration Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}]}}, {"name": "Detect Rare Executables", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Rundll32 Shimcache Flush", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "RunDLL Loading DLL By Ordinal", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "Masquerading"}]}}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Unusually Long Command Line", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Unusually Long Command Line - MLTK", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Verclsid CLSID Execution", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Verclsid"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows NirSoft AdvancedRun", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Tool"}]}}, {"name": "Windows Remote Assistance Spawning Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "WinRM Spawning a Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}]}, {"name": "Use of Cleartext Protocols", "id": "826e6431-aeef-41b4-9fc0-6d0985d65a21", "version": 1, "date": "2017-09-15", "author": "Bhavin Patel, Splunk", "description": "Leverage searches that detect cleartext network protocols that may leak credentials or should otherwise be encrypted.", "narrative": "Various legacy protocols operate by default in the clear, without the protections of encryption. This potentially leaks sensitive information that can be exploited by passively sniffing network traffic. Depending on the protocol, this information could be highly sensitive, or could allow for session hijacking. In addition, these protocols send authentication information, which would allow for the harvesting of usernames and passwords that could potentially be used to authenticate and compromise secondary systems.", "references": ["https://www.monkey.org/~dugsong/dsniff/"], "tags": {"name": "Use of Cleartext Protocols", "analytic_story": "Use of Cleartext Protocols", "category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Traffic"], "kill_chain_phases": []}, "detection_names": ["ESCU - Protocols passing authentication in cleartext - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Process Information For Port Activity - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Protocols passing authentication in cleartext", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "VMware Aria Operations vRealize CVE-2023-20887", "id": "99171cdd-57a1-4b8a-873c-f8bee12e2025", "version": 1, "date": "2023-06-21", "author": "Michael Haag, Splunk", "description": "CVE-2023-20887 is a critical vulnerability affecting VMware's vRealize Network Insight (also known as VMware Aria Operations for Networks). It allows a remote, unauthenticated attacker to execute arbitrary commands with root privileges via the Apache Thrift RPC interface. The exploit, which has a severity score of 9.8, targets an endpoint (\"/saas./resttosaasservlet\") in the application and delivers a malicious payload designed to create a reverse shell, granting the attacker control over the system. VMware has released an advisory recommending users to update to the latest version to mitigate this threat.", "narrative": "CVE-2023-20887 is a highly critical vulnerability found in VMware's vRealize Network Insight. This software is widely used for intelligent operations management across physical, virtual, and cloud environments, so a vulnerability in it poses a significant risk to many organizations.\\\nThis particular vulnerability lies in the application's Apache Thrift RPC interface. The exploit allows an attacker to inject commands that are executed with root privileges, leading to a potential total compromise of the system. The attacker does not need to be authenticated, which further increases the risk posed by this vulnerability.\\\nThe exploit operates by sending a specially crafted payload to the \"/saas./resttosaasservlet\" endpoint. This payload contains a reverse shell command, which, when executed, allows the attacker to remotely control the victim's system. This control is obtained at the root level, providing the attacker with the ability to perform any action on the system.\\\nWhat makes this vulnerability particularly dangerous is its high severity score of 9.8, indicating it is a critical threat. It's also noteworthy that the exploitation of this vulnerability leaves specific indicators such as abnormal traffic to the \"/saas./resttosaasservlet\" endpoint and suspicious ncat commands in network traffic, which can help in its detection.\\\nVMware has acknowledged the vulnerability and has published a security advisory recommending that users update to the latest version of the software. This update effectively patches the vulnerability and protects systems from this exploit. It's crucial that all users of the affected versions of VMware's vRealize Network Insight promptly apply the update to mitigate the risk posed by CVE-2023-20887.", "references": ["https://nvd.nist.gov/vuln/detail/CVE-2023-20887", "https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/", "https://viz.greynoise.io/tag/VMware-aria-operations-for-networks-rce-attempt?days=30", "https://github.com/sinsinology/CVE-2023-20887"], "tags": {"name": "VMware Aria Operations vRealize CVE-2023-20887", "analytic_story": "VMware Aria Operations vRealize CVE-2023-20887", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1210", "mitre_attack_technique": "Exploitation of Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "Dragonfly", "Earth Lusca", "FIN7", "Fox Kitten", "MuddyWater", "Threat Group-3390", "Tonto Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - VMWare Aria Operations Exploit Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "VMWare Aria Operations Exploit Attempt", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "External Remote Services"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "Exploitation of Remote Services"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}]}, {"name": "VMware Server Side Injection and Privilege Escalation", "id": "d6d51cc2-a092-43b7-9f61-1159943afe39", "version": 1, "date": "2022-05-19", "author": "Michael Haag, Splunk", "description": "Recently disclosed CVE-2022-22954 and CVE-2022-22960 have been identified in the wild abusing VMware products to compromise internet faced devices and escalate privileges.", "narrative": "On April 6, 2022, VMware published VMSA-2022-0011, which discloses multiple vulnerabilities discovered by Steven Seeley (mr_me) of Qihoo 360 Vulnerability Research Institute. The most critical of the CVEs published in VMSA-2022-0011 is CVE-2022-22954, which is a server-side template injection issue with a CVSSv3 base score of 9.8. The vulnerability allows an unauthenticated user with network access to the web interface to execute an arbitrary shell command as the VMware user. To further exacerbate this issue, VMware also disclosed a local privilege escalation issue, CVE-2022-22960, which permits the attacker to gain root after exploiting CVE-2022-22954. Products affected include - VMware Workspace ONE Access (Access) 20.10.0.0 - 20.10.0.1, 21.08.0.0 - 21.08.0.1 and VMware Identity Manager (vIDM) 3.3.3 - 3.3.6.", "references": ["https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis", "https://www.cisa.gov/uscert/ncas/alerts/aa22-138b"], "tags": {"name": "VMware Server Side Injection and Privilege Escalation", "analytic_story": "VMware Server Side Injection and Privilege Escalation", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Initial Access", "Persistence"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - VMware Server Side Template Injection Hunt - Rule", "ESCU - VMware Workspace ONE Freemarker Server-side Template Injection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "VMware Server Side Template Injection Hunt", "source": "web", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "VMware Workspace ONE Freemarker Server-side Template Injection", "source": "web", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "Volt Typhoon", "id": "f73010e4-49eb-44ef-9f3f-2c25a1ae5415", "version": 1, "date": "2023-05-25", "author": "Teoderick Contreras, Splunk", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the \"Volt Typhoon\" group targeting critical infrastructure organizations in United States and Guam. The affected organizations include the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. This Analytic story looks for suspicious process execution, lolbin execution, command-line activity, lsass dump and many more.", "narrative": "Volt Typhoon is a state sponsored group typically focuses on espionage and information gathering.\\ Based on Microsoft Threat Intelligence, This threat actor group puts strong emphasis on stealth in this campaign by relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity. \\ They issue commands via the command line to :\\ (1) collect data, including credentials from local and network systems, \\ (2) put the data into an archive file to stage it for exfiltration, and then \\ (3) use the stolen valid credentials to maintain persistence. \\ In addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware. They have also been observed using custom versions of open-source tools to establish a command and control (C2) channel over proxy to further stay under the radar.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"name": "Volt Typhoon", "analytic_story": "Volt Typhoon", "category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "Chimera", "Dragonfly", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Whitefly"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "admin@338"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1590.002", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1090.001", "mitre_attack_technique": "Internal Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT39", "Higaisa", "Lazarus Group", "Strider", "Turla"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "POLONIUM", "Sandworm Team", "Turla", "Windigo"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Creation of Shadow Copy - Rule", "ESCU - Creation of Shadow Copy with wmic and powershell - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Elevated Group Discovery With Net - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows DNS Gather Network Info - Rule", "ESCU - Windows Ldifde Directory Object Behavior - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule", "ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Fail To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Host Using NTLM - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Process - Rule", "ESCU - Windows Multiple Users Failed To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Users Remotely Failed To Authenticate From Host - Rule", "ESCU - Windows Proxy Via Netsh - Rule", "ESCU - Windows Proxy Via Registry - Rule", "ESCU - Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials - Rule", "ESCU - Windows Unusual Count Of Users Failed To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate From Process - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Remotely Failed To Auth From Host - Rule", "ESCU - Windows WMI Process Call Create - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}}, {"name": "Creation of Shadow Copy", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Creation of Shadow Copy with wmic and powershell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Elevated Group Discovery With Net", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "Masquerading"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows DNS Gather Network Info", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}]}}, {"name": "Windows Ldifde Directory Object Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Invalid Users Fail To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Invalid Users Failed To Authenticate Using NTLM", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Failed To Authenticate From Host Using NTLM", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Failed To Authenticate From Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Failed To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Remotely Failed To Authenticate From Host", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Proxy Via Netsh", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Internal Proxy"}, {"mitre_attack_technique": "Proxy"}]}}, {"name": "Windows Proxy Via Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Internal Proxy"}, {"mitre_attack_technique": "Proxy"}]}}, {"name": "Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Failed To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Failed To Authenticate From Process", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Failed To Authenticate Using NTLM", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Remotely Failed To Auth From Host", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}]}, {"name": "WhisperGate", "id": "0150e6e5-3171-442e-83f8-1ccd8599569b", "version": 1, "date": "2022-01-19", "author": "Teoderick Contreras, Splunk", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive malware targeting Ukrainian organizations also known as \"WhisperGate\". This analytic story looks for suspicious process execution, command-line activity, downloads, DNS queries and more.", "narrative": "WhisperGate/DEV-0586 is destructive malware operation found by MSTIC (Microsoft Threat Inteligence Center) targeting multiple organizations in Ukraine. This operation campaign consist of several malware component like the downloader that abuses discord platform, overwrite or destroy master boot record (MBR) of the targeted host, wiper and also windows defender evasion techniques.", "references": ["https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3"], "tags": {"name": "WhisperGate", "analytic_story": "WhisperGate", "category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1497", "mitre_attack_technique": "Virtualization/Sandbox Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["Darkhotel"]}, {"mitre_attack_id": "T1497.003", "mitre_attack_technique": "Time Based Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1588.002", "mitre_attack_technique": "Tool", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT19", "APT28", "APT29", "APT32", "APT33", "APT38", "APT39", "APT41", "Aoqin Dragon", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Carbanak", "Chimera", "Cleaver", "Cobalt Group", "CopyKittens", "DarkHydrus", "DarkVishnya", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN5", "FIN6", "Ferocious Kitten", "GALLIUM", "Gorgon Group", "HEXANE", "Inception", "IndigoZebra", "Ke3chang", "Kimsuky", "LAPSUS$", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "Metador", "Moses Staff", "MuddyWater", "POLONIUM", "Patchwork", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "TA505", "TEMP.Veles", "Threat Group-3390", "Thrip", "Turla", "WIRTE", "Whitefly", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1134.004", "mitre_attack_technique": "Parent PID Spoofing", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}], "mitre_attack_tactics": ["Defense Evasion", "Discovery", "Execution", "Impact", "Lateral Movement", "Persistence", "Privilege Escalation", "Resource Development"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation", "Weaponization"]}, "detection_names": ["ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Excessive File Deletion In WinDefender Folder - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Ping Sleep Batch Command - Rule", "ESCU - Powershell Remove Windows Defender Directory - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Process With Discord DNS Query - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows NirSoft Utilities - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Excessive File Deletion In WinDefender Folder", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Ping Sleep Batch Command", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Virtualization/Sandbox Evasion"}, {"mitre_attack_technique": "Time Based Evasion"}]}}, {"name": "Powershell Remove Windows Defender Directory", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Process Deleting Its Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Process With Discord DNS Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows NirSoft AdvancedRun", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Tool"}]}}, {"name": "Windows NirSoft Utilities", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Tool"}]}}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}]}, {"name": "Windows BootKits", "id": "1bef004d-23b2-4c49-8ceb-b59af0745317", "version": 1, "date": "2023-05-03", "author": "Michael Haag, Splunk", "description": "Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.", "narrative": "A bootkit is a sophisticated type of malware that targets the boot sectors of a hard drive, specifically the Master Boot Record (MBR) and Volume Boot Record (VBR). The MBR is the initial section of the disk that is loaded following the hardware initialization process executed by the Basic Input/Output System (BIOS). It houses the boot loader, which is responsible for loading the operating system. In contrast, the VBR is located at the beginning of each partition and contains the boot code for that specific partition. When an adversary gains raw access to the boot drive, they can overwrite the MBR or VBR, effectively diverting the execution during startup from the standard boot loader to the malicious code injected by the attacker. This tampering allows the malware to load before the operating system, enabling it to execute malicious activities stealthily and maintain persistence on the compromised system. Bootkits are particularly dangerous because they can bypass security measures implemented by the operating system and antivirus software. Since they load before the operating system, they can easily evade detection and manipulate the system's behavior from the earliest stages of the boot process. This capability makes bootkits a potent tool in an attacker's arsenal for gaining unauthorized access, stealing sensitive information, or launching further attacks on other systems. To defend against bootkit attacks, organizations should implement multiple layers of security, including strong endpoint protection, regular software updates, user awareness training, and monitoring for unusual system behavior. Additionally, hardware-based security features, such as Unified Extensible Firmware Interface (UEFI) Secure Boot and Trusted Platform Module (TPM), can help protect the integrity of the boot process and reduce the risk of bootkit infections.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/", "https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/"], "tags": {"name": "Windows BootKits", "analytic_story": "Windows BootKits", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1542.001", "mitre_attack_technique": "System Firmware", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1542", "mitre_attack_technique": "Pre-OS Boot", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Windows BootLoader Inventory - Rule", "ESCU - Windows Registry BootExecute Modification - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows BootLoader Inventory", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Firmware"}, {"mitre_attack_technique": "Pre-OS Boot"}]}}, {"name": "Windows Registry BootExecute Modification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Pre-OS Boot"}, {"mitre_attack_technique": "Registry Run Keys / Startup Folder"}]}}]}, {"name": "Windows Certificate Services", "id": "b92b4ac7-0026-4408-a6b5-c1d20658e124", "version": 1, "date": "2023-02-01", "author": "Michael Haag, Splunk", "description": "Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material.", "narrative": "The following analytic story focuses on remote and local endpoint certificate theft and abuse. Authentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files), misplaced certificate files (i.e. Unsecured Credentials), or directly from the Windows certificate store via various crypto APIs.With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Abusing certificates for authentication credentials may enable other behaviors such as Lateral Movement. Certificate-related misconfigurations may also enable opportunities for Privilege Escalation, by way of allowing users to impersonate or assume privileged accounts or permissions via the identities (SANs) associated with a certificate. These abuses may also enable Persistence via stealing or forging certificates that can be used as Valid Accounts for the duration of the certificate's validity, despite user password resets. Authentication certificates can also be stolen and forged for machine accounts. (MITRE ATT&CK)", "references": ["https://attack.mitre.org/techniques/T1649/"], "tags": {"name": "Windows Certificate Services", "analytic_story": "Windows Certificate Services", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1552.004", "mitre_attack_technique": "Private Keys", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Credential Access"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Certutil exe certificate extraction - Rule", "ESCU - Steal or Forge Authentication Certificates Behavior Identified - Rule", "ESCU - Windows Export Certificate - Rule", "ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", "ESCU - Windows PowerShell Export Certificate - Rule", "ESCU - Windows PowerShell Export PfxCertificate - Rule", "ESCU - Windows Steal Authentication Certificates Certificate Issued - Rule", "ESCU - Windows Steal Authentication Certificates Certificate Request - Rule", "ESCU - Windows Steal Authentication Certificates CertUtil Backup - Rule", "ESCU - Windows Steal Authentication Certificates CryptoAPI - Rule", "ESCU - Windows Steal Authentication Certificates CS Backup - Rule", "ESCU - Windows Steal Authentication Certificates Export Certificate - Rule", "ESCU - Windows Steal Authentication Certificates Export PfxCertificate - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Certutil exe certificate extraction", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Steal or Forge Authentication Certificates Behavior Identified", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows Export Certificate", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Private Keys"}, {"mitre_attack_technique": "Unsecured Credentials"}, {"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows Mimikatz Crypto Export File Extensions", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows PowerShell Export Certificate", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Private Keys"}, {"mitre_attack_technique": "Unsecured Credentials"}, {"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows PowerShell Export PfxCertificate", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Private Keys"}, {"mitre_attack_technique": "Unsecured Credentials"}, {"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows Steal Authentication Certificates Certificate Issued", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows Steal Authentication Certificates Certificate Request", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows Steal Authentication Certificates CertUtil Backup", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows Steal Authentication Certificates CryptoAPI", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows Steal Authentication Certificates CS Backup", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows Steal Authentication Certificates Export Certificate", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows Steal Authentication Certificates Export PfxCertificate", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}]}, {"name": "Windows Defense Evasion Tactics", "id": "56e24a28-5003-4047-b2db-e8f3c4618064", "version": 1, "date": "2018-05-31", "author": "David Dorsey, Splunk", "description": "Detect tactics used by malware to evade defenses on Windows endpoints. A few of these include suspicious `reg.exe` processes, files hidden with `attrib.exe` and disabling user-account control, among many others ", "narrative": "Defense evasion is a tactic--identified in the MITRE ATT&CK framework--that adversaries employ in a variety of ways to bypass or defeat defensive security measures. There are many techniques enumerated by the MITRE ATT&CK framework that are applicable in this context. This Analytic Story includes searches designed to identify the use of such techniques on Windows platforms.", "references": ["https://attack.mitre.org/wiki/Defense_Evasion"], "tags": {"name": "Windows Defense Evasion Tactics", "analytic_story": "Windows Defense Evasion Tactics", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1564.001", "mitre_attack_technique": "Hidden Files and Directories", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "HAFNIUM", "Lazarus Group", "LuminousMoth", "Mustang Panda", "Rocke", "Transparent Tribe", "Tropic Trooper"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1027.004", "mitre_attack_technique": "Compile After Delivery", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Gamaredon Group", "MuddyWater", "Rocke"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1564", "mitre_attack_technique": "Hide Artifacts", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1222.001", "mitre_attack_technique": "Windows File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1562.002", "mitre_attack_technique": "Disable Windows Event Logging", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound", "Threat Group-3390"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574.001", "mitre_attack_technique": "DLL Search Order Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Aquatic Panda", "BackdoorDiplomacy", "Evilnum", "RTM", "Threat Group-3390", "Tonto Team", "Whitefly", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "Turla"]}, {"mitre_attack_id": "T1055.001", "mitre_attack_technique": "Dynamic-link Library Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["BackdoorDiplomacy", "Lazarus Group", "Leviathan", "Putter Panda", "TA505", "Tropic Trooper", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Impact", "Persistence", "Privilege Escalation"], "datamodels": ["Change", "Endpoint", "Web"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Reg exe used to hide files directories via registry keys - Rule", "ESCU - Remote Registry Key modifications - Rule", "ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - CSC Net On The Fly Compilation - Rule", "ESCU - Disable Registry Tool - Rule", "ESCU - Disable Security Logs Using MiniNt Registry - Rule", "ESCU - Disable Show Hidden Files - Rule", "ESCU - Disable UAC Remote Restriction - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disable Windows SmartScreen Protection - Rule", "ESCU - Disabling CMD Application - Rule", "ESCU - Disabling ControlPanel - Rule", "ESCU - Disabling Firewall with Netsh - Rule", "ESCU - Disabling FolderOptions Windows Feature - Rule", "ESCU - Disabling NoRun Windows App - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Disabling SystemRestore In Registry - Rule", "ESCU - Disabling Task Manager - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Excessive number of service control start as disabled - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - FodHelper UAC Bypass - Rule", "ESCU - Hiding Files And Directories With Attrib exe - Rule", "ESCU - NET Profiler UAC bypass - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Sdclt UAC Bypass - Rule", "ESCU - SilentCleanup UAC Bypass - Rule", "ESCU - SLUI RunAs Elevated - Rule", "ESCU - SLUI Spawning a Process - Rule", "ESCU - Suspicious Reg exe Process - Rule", "ESCU - UAC Bypass MMC Load Unsigned Dll - Rule", "ESCU - Windows Command and Scripting Interpreter Hunting Path Traversal - Rule", "ESCU - Windows Command and Scripting Interpreter Path Traversal Exec - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows Disable Change Password Through Registry - Rule", "ESCU - Windows Disable Lock Workstation Feature Through Registry - Rule", "ESCU - Windows Disable Notification Center - Rule", "ESCU - Windows Disable Windows Event Logging Disable HTTP Logging - Rule", "ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows DISM Remove Defender - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt with Sysmon - Rule", "ESCU - Windows DLL Search Order Hijacking with iscsicpl - Rule", "ESCU - Windows Event For Service Disabled - Rule", "ESCU - Windows Excessive Disabled Services Event - Rule", "ESCU - Windows Hide Notification Features Through Registry - Rule", "ESCU - Windows Impair Defense Delete Win Defender Context Menu - Rule", "ESCU - Windows Impair Defense Delete Win Defender Profile Registry - Rule", "ESCU - Windows Impair Defenses Disable HVCI - Rule", "ESCU - Windows Impair Defenses Disable Win Defender Auto Logging - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - Windows PowerShell Disable HTTP Logging - Rule", "ESCU - Windows Process With NamedPipe CommandLine - Rule", "ESCU - Windows Rasautou DLL Execution - Rule", "ESCU - WSReset UAC Bypass - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Reg exe used to hide files directories via registry keys", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hidden Files and Directories"}]}}, {"name": "Remote Registry Key modifications", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "CSC Net On The Fly Compilation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compile After Delivery"}, {"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Disable Registry Tool", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Security Logs Using MiniNt Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Disable Show Hidden Files", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hidden Files and Directories"}, {"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Hide Artifacts"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable UAC Remote Restriction", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Windows SmartScreen Protection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling CMD Application", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling ControlPanel", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling Firewall with Netsh", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling FolderOptions Windows Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling NoRun Windows App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Disabling SystemRestore In Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Disabling Task Manager", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Eventvwr UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Excessive number of service control start as disabled", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "FodHelper UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}, {"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Hiding Files And Directories With Attrib exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "Windows File and Directory Permissions Modification"}]}}, {"name": "NET Profiler UAC bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Sdclt UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "SilentCleanup UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "SLUI RunAs Elevated", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "SLUI Spawning a Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Suspicious Reg exe Process", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "UAC Bypass MMC Load Unsigned Dll", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}, {"mitre_attack_technique": "MMC"}]}}, {"name": "Windows Command and Scripting Interpreter Hunting Path Traversal", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Command and Scripting Interpreter Path Traversal Exec", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Disable Change Password Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable Lock Workstation Feature Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable Notification Center", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable Windows Event Logging Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable Windows Event Logging"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows DISM Remove Defender", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows DLL Search Order Hijacking Hunt", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Windows DLL Search Order Hijacking Hunt with Sysmon", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Windows DLL Search Order Hijacking with iscsicpl", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Search Order Hijacking"}]}}, {"name": "Windows Event For Service Disabled", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Excessive Disabled Services Event", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Hide Notification Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Impair Defense Delete Win Defender Context Menu", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Impair Defense Delete Win Defender Profile Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Impair Defenses Disable HVCI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Impair Defenses Disable Win Defender Auto Logging", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows PowerShell Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable Windows Event Logging"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}}, {"name": "Windows Process With NamedPipe CommandLine", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Windows Rasautou DLL Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Dynamic-link Library Injection"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Process Injection"}]}}, {"name": "WSReset UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}]}, {"name": "Windows Discovery Techniques", "id": "f7aba570-7d59-11eb-825e-acde48001122", "version": 1, "date": "2021-03-04", "author": "Michael Hart, Splunk", "description": "Monitors for behaviors associated with adversaries discovering objects in the environment that can be leveraged in the progression of the attack.", "narrative": "Attackers may not have much if any insight into their target's environment before the initial compromise. Once a foothold has been established, attackers will start enumerating objects in the environment (accounts, services, network shares, etc.) that can be used to achieve their objectives. This Analytic Story provides searches to help identify activities consistent with adversaries gaining knowledge of compromised Windows environments.", "references": ["https://attack.mitre.org/tactics/TA0007/", "https://cyberd.us/penetration-testing", "https://attack.mitre.org/software/S0521/"], "tags": {"name": "Windows Discovery Techniques", "analytic_story": "Windows Discovery Techniques", "category": ["Adversary Tactics"], "product": ["Splunk Behavioral Analytics", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "admin@338"]}], "mitre_attack_tactics": ["Discovery"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Net Localgroup Discovery - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Hart", "detections": [{"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}]}, {"name": "Windows DNS SIGRed CVE-2020-1350", "id": "36dbb206-d073-11ea-87d0-0242ac130003", "version": 1, "date": "2020-07-28", "author": "Shannon Davis, Splunk", "description": "Uncover activity consistent with CVE-2020-1350, or SIGRed. Discovered by Checkpoint researchers, this vulnerability affects Windows 2003 to 2019, and is triggered by a malicious DNS response (only affects DNS over TCP). An attacker can use the malicious payload to cause a buffer overflow on the vulnerable system, leading to compromise. The included searches in this Analytic Story are designed to identify the large response payload for SIG and KEY DNS records which can be used for the exploit.", "narrative": "When a client requests a DNS record for a particular domain, that request gets routed first through the client's locally configured DNS server, then to any DNS server(s) configured as forwarders, and then onto the target domain's own DNS server(s). If a attacker wanted to, they could host a malicious DNS server that responds to the initial request with a specially crafted large response (~65KB). This response would flow through to the client's local DNS server, which if not patched for CVE-2020-1350, would cause the buffer overflow. The detection searches in this Analytic Story use wire data to detect the malicious behavior. Searches for Splunk Stream and Zeek are included. The Splunk Stream search correlates across stream:dns and stream:tcp, while the Zeek search correlates across bro:dns:json and bro:conn:json. These correlations are required to pick up both the DNS record types (SIG and KEY) along with the payload size (>65KB).", "references": ["https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://support.microsoft.com/en-au/help/4569509/windows-dns-server-remote-code-execution-vulnerability"], "tags": {"name": "Windows DNS SIGRed CVE-2020-1350", "analytic_story": "Windows DNS SIGRed CVE-2020-1350", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1203", "mitre_attack_technique": "Exploitation for Client Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT12", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT41", "Andariel", "Aoqin Dragon", "Axiom", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "Higaisa", "Inception", "Lazarus Group", "Leviathan", "MuddyWater", "Mustang Panda", "Patchwork", "Sandworm Team", "Sidewinder", "TA459", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "admin@338"]}], "mitre_attack_tactics": ["Execution"], "datamodels": ["Network_Resolution", "Network_Traffic"], "kill_chain_phases": ["Installation"]}, "detection_names": ["ESCU - Detect Windows DNS SIGRed via Splunk Stream - Rule", "ESCU - Detect Windows DNS SIGRed via Zeek - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Shannon Davis", "detections": [{"name": "Detect Windows DNS SIGRed via Splunk Stream", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Client Execution"}]}}, {"name": "Detect Windows DNS SIGRed via Zeek", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Client Execution"}]}}]}, {"name": "Windows Drivers", "id": "d0a9323f-9411-4da6-86b2-18c184d750c0", "version": 1, "date": "2022-03-30", "author": "Michael Haag, Splunk", "description": "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.", "narrative": "A rootkit on Windows may sometimes be in the form of a Windows Driver. A driver typically has a file extension of .sys, however the internals of a sys file is similar to a Windows DLL. For Microsoft Windows to load a driver, a few requirements are needed. First, it must have a valid signature. Second, typically it should load from the windows\\system32\\drivers path. There are a few methods to investigate drivers in the environment. Drivers are noisy. An inventory of all drivers is important to understand prevalence. A driver location (Path) is also important when attempting to baseline. Looking at a driver name and path is not enough, we must also explore the signing information. Product, description, company name, signer and signing result are all items to take into account when reviewing drivers. What makes a driver malicious? Depending if a driver was dropped during a campaign or you are baselining drivers after, triaging a driver to determine maliciousness may be tough. We break this into two categories - 1. vulnerable drivers 2. driver rootkits. Attempt to identify prevelance of the driver. Is it on one or many? Review the signing information if it is present. Is it common? A lot of driver hunting will lead down rabbit holes, but we hope to help lead the way.", "references": ["https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/", "https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf", "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/"], "tags": {"name": "Windows Drivers", "analytic_story": "Windows Drivers", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1014", "mitre_attack_technique": "Rootkit", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT41", "Rocke", "TeamTNT", "Winnti Group"]}, {"mitre_attack_id": "T1553.004", "mitre_attack_technique": "Install Root Certificate", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1553", "mitre_attack_technique": "Subvert Trust Controls", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Axiom"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Windows Driver Inventory - Rule", "ESCU - Windows Driver Load Non-Standard Path - Rule", "ESCU - Windows Drivers Loaded by Signature - Rule", "ESCU - Windows Registry Certificate Added - Rule", "ESCU - Windows Registry Modification for Safe Mode Persistence - Rule", "ESCU - Windows Service Create Kernel Mode Driver - Rule", "ESCU - Windows System File on Disk - Rule", "ESCU - Windows Vulnerable Driver Loaded - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows Driver Inventory", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Windows Driver Load Non-Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Windows Drivers Loaded by Signature", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Windows Registry Certificate Added", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Install Root Certificate"}, {"mitre_attack_technique": "Subvert Trust Controls"}]}}, {"name": "Windows Registry Modification for Safe Mode Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows Service Create Kernel Mode Driver", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Windows System File on Disk", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Windows Vulnerable Driver Loaded", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}]}}]}, {"name": "Windows File Extension and Association Abuse", "id": "30552a76-ac78-48e4-b3c0-de4e34e9563d", "version": 1, "date": "2018-01-26", "author": "Rico Valdez, Splunk", "description": "Detect and investigate suspected abuse of file extensions and Windows file associations. Some of the malicious behaviors involved may include inserting spaces before file extensions or prepending the file extension with a different one, among other techniques.", "narrative": "Attackers use a variety of techniques to entice users to run malicious code or to persist on an endpoint. One way to accomplish these goals is to leverage file extensions and the mechanism Windows uses to associate files with specific applications. \\\n Since its earliest days, Windows has used extensions to identify file types. Users have become familiar with these extensions and their application associations. For example, if users see that a file ends in `.doc` or `.docx`, they will assume that it is a Microsoft Word document and expect that double-clicking will open it using `winword.exe`. The user will typically also presume that the `.docx` file is safe. \\\n Attackers take advantage of this expectation by obfuscating the true file extension. They can accomplish this in a couple of ways. One technique involves inserting multiple spaces in the file name before the extension to hide the extension from the GUI, obscuring the true nature of the file. Another approach involves prepending the real extension with a different one. This is especially effective when Windows is configured to \"hide extensions for known file types.\" In this case, the real extension is not displayed, but the prepended one is, leading end users to believe the file is a different type than it actually is.\\\nChanging the association between a file extension and an application can allow an attacker to execute arbitrary code. The technique typically involves changing the association for an often-launched file type to associate instead with a malicious program the attacker has dropped on the endpoint. When the end user launches a file that has been manipulated in this way, it will execute the attacker's malware. It will also execute the application the end user expected to run, cleverly obscuring the fact that something suspicious has occurred.\\\nRun the searches in this story to detect and investigate suspicious behavior that may indicate abuse or manipulation of Windows file extensions and/or associations.", "references": ["https://blog.malwarebytes.com/cybercrime/2013/12/file-extensions-2/", "https://attack.mitre.org/wiki/Technique/T1042"], "tags": {"name": "Windows File Extension and Association Abuse", "analytic_story": "Windows File Extension and Association Abuse", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Execution of File With Spaces Before Extension - Rule", "ESCU - Suspicious Changes to File Associations - Rule", "ESCU - Execution of File with Multiple Extensions - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Execution of File With Spaces Before Extension", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Suspicious Changes to File Associations", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Change Default File Association"}]}}, {"name": "Execution of File with Multiple Extensions", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}}]}, {"name": "Windows Log Manipulation", "id": "b6db2c60-a281-48b4-95f1-2cd99ed56835", "version": 2, "date": "2017-09-12", "author": "Rico Valdez, Splunk", "description": "Adversaries often try to cover their tracks by manipulating Windows logs. Use these searches to help you monitor for suspicious activity surrounding log files--an essential component of an effective defense.", "narrative": "Because attackers often modify system logs to cover their tracks and/or to thwart the investigative process, log monitoring is an industry-recognized best practice. While there are legitimate reasons to manipulate system logs, it is still worthwhile to keep track of who manipulated the logs, when they manipulated them, and in what way they manipulated them (determining which accesses, tools, or utilities were employed). Even if no malicious activity is detected, the knowledge of an attempt to manipulate system logs may be indicative of a broader security risk that should be thoroughly investigated.\\\nThe Analytic Story gives users two different ways to detect manipulation of Windows Event Logs and one way to detect deletion of the Update Sequence Number (USN) Change Journal. The story helps determine the history of the host and the users who have accessed it. Finally, the story aides in investigation by retrieving all the information on the process that caused these events (if the process has been identified).", "references": ["https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "https://zeltser.com/security-incident-log-review-checklist/", "http://journeyintoir.blogspot.com/2013/01/re-introducing-usnjrnl.html"], "tags": {"name": "Windows Log Manipulation", "analytic_story": "Windows Log Manipulation", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}], "mitre_attack_tactics": ["Defense Evasion", "Impact"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"]}, "detection_names": ["ESCU - Deleting Shadow Copies - Rule", "ESCU - Suspicious Event Log Service Behavior - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - USN Journal Deletion - Rule", "ESCU - Windows Event Log Cleared - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Suspicious Event Log Service Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Clear Windows Event Logs"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "USN Journal Deletion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Windows Event Log Cleared", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}}]}, {"name": "Windows Persistence Techniques", "id": "30874d4f-20a1-488f-85ec-5d52ef74e3f9", "version": 2, "date": "2018-05-31", "author": "Bhavin Patel, Splunk", "description": "Monitor for activities and techniques associated with maintaining persistence on a Windows system--a sign that an adversary may have compromised your environment.", "narrative": "Maintaining persistence is one of the first steps taken by attackers after the initial compromise. Attackers leverage various custom and built-in tools to ensure survivability and persistent access within a compromised enterprise. This Analytic Story provides searches to help you identify various behaviors used by attackers to maintain persistent access to a Windows environment.", "references": ["http://www.fuzzysecurity.com/tutorials/19.html", "https://www.fireeye.com/blog/threat-research/2010/07/malware-persistence-windows-registry.html", "http://resources.infosecinstitute.com/common-malware-persistence-mechanisms/", "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", "https://www.youtube.com/watch?v=dq2Hv7J9fvk"], "tags": {"name": "Windows Persistence Techniques", "analytic_story": "Windows Persistence Techniques", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1564.001", "mitre_attack_technique": "Hidden Files and Directories", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "HAFNIUM", "Lazarus Group", "LuminousMoth", "Mustang Panda", "Rocke", "Transparent Tribe", "Tropic Trooper"]}, {"mitre_attack_id": "T1547.014", "mitre_attack_technique": "Active Setup", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574.009", "mitre_attack_technique": "Path Interception by Unquoted Path", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1222.001", "mitre_attack_technique": "Windows File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Rocke"]}, {"mitre_attack_id": "T1037.001", "mitre_attack_technique": "Logon Script (Windows)", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "Cobalt Group"]}, {"mitre_attack_id": "T1547.010", "mitre_attack_technique": "Port Monitors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.011", "mitre_attack_technique": "Application Shimming", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN7"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1546.002", "mitre_attack_technique": "Screensaver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.003", "mitre_attack_technique": "Time Providers", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1134.005", "mitre_attack_technique": "SID-History Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["TEMP.Veles"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA551"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Reg exe used to hide files directories via registry keys - Rule", "ESCU - Remote Registry Key modifications - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Certutil exe certificate extraction - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Detect Path Interception By Creation Of program exe - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Hiding Files And Directories With Attrib exe - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - Monitor Registry Keys for Print Monitors - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Reg exe Manipulating Windows Services Registry Keys - Rule", "ESCU - Registry Keys for Creating SHIM Databases - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks used for forcing a reboot - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Shim Database File Creation - Rule", "ESCU - Shim Database Installation With Suspicious Parameters - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Windows AD DSRM Account Changes - Rule", "ESCU - Windows AD Same Domain SID History Addition - Rule", "ESCU - Windows Event Triggered Image File Execution Options Injection - Rule", "ESCU - Windows Mshta Execution In Registry - Rule", "ESCU - Windows Registry Delete Task SD - Rule", "ESCU - Windows Schtasks Create Run As System - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Reg exe used to hide files directories via registry keys", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hidden Files and Directories"}]}}, {"name": "Remote Registry Key modifications", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Active Setup Registry Autostart", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Active Setup"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Certutil exe certificate extraction", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Detect Path Interception By Creation Of program exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Path Interception by Unquoted Path"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Blocking"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Hiding Files And Directories With Attrib exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "Windows File and Directory Permissions Modification"}]}}, {"name": "Logon Script Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Boot or Logon Initialization Scripts"}, {"mitre_attack_technique": "Logon Script (Windows)"}]}}, {"name": "Monitor Registry Keys for Print Monitors", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Port Monitors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Print Processor Registry Autostart", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Reg exe Manipulating Windows Services Registry Keys", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Registry Keys for Creating SHIM Databases", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application Shimming"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Schedule Task with HTTP Command Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Schtasks used for forcing a reboot", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Screensaver"}]}}, {"name": "Shim Database File Creation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application Shimming"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Shim Database Installation With Suspicious Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application Shimming"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Time Providers"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows AD DSRM Account Changes", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Windows AD Same Domain SID History Addition", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SID-History Injection"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Windows Event Triggered Image File Execution Options Injection", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Image File Execution Options Injection"}]}}, {"name": "Windows Mshta Execution In Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Mshta"}]}}, {"name": "Windows Registry Delete Task SD", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Schtasks Create Run As System", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}]}, {"name": "Windows Post-Exploitation", "id": "992899b7-a5cf-4bcd-bb0d-cf81762188ba", "version": 1, "date": "2022-11-30", "author": "Teoderick Contreras, Splunk", "description": "This analytic story identifies popular Windows post exploitation tools for example winpeas.bat, winpeas.exe, WinPrivCheck.bat and many more.", "narrative": "These tools allow operators to find possible exploits or paths for privilege escalation and persistence on a targeted host. Ransomware operator like the \"Prestige ransomware\" also used or abuses these post exploitation tools such as winPEAS to scan for possible avenue to gain privileges and persistence to a targeted Windows Operating System.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"name": "Windows Post-Exploitation", "analytic_story": "Windows Post-Exploitation", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.005", "mitre_attack_technique": "Network Share Connection Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Threat Group-3390"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "admin@338"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016.001", "mitre_attack_technique": "Internet Connection Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Gamaredon Group", "HAFNIUM", "HEXANE", "Magic Hound", "Turla"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003.005", "mitre_attack_technique": "Cached Domain Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "Leafminer", "MuddyWater", "OilRig"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1115", "mitre_attack_technique": "Clipboard Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT38", "APT39"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon"]}, {"mitre_attack_id": "T1552.002", "mitre_attack_technique": "Credentials in Registry", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT32"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1202", "mitre_attack_technique": "Indirect Command Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TeamTNT", "Tropic Trooper", "Turla", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "ZIRCONIUM"]}, {"mitre_attack_id": "T1555.005", "mitre_attack_technique": "Password Managers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Fox Kitten", "Threat Group-3390"]}, {"mitre_attack_id": "T1552.004", "mitre_attack_technique": "Private Keys", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1547.005", "mitre_attack_technique": "Security Support Provider", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Windshift", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Collection", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Windows Cached Domain Credentials Reg Query - Rule", "ESCU - Windows ClipBoard Data via Get-ClipBoard - Rule", "ESCU - Windows Credentials from Password Stores Query - Rule", "ESCU - Windows Credentials in Registry Reg Query - Rule", "ESCU - Windows Indirect Command Execution Via Series Of Forfiles - Rule", "ESCU - Windows Information Discovery Fsutil - Rule", "ESCU - Windows Modify Registry Reg Restore - Rule", "ESCU - Windows Password Managers Discovery - Rule", "ESCU - Windows Private Keys Discovery - Rule", "ESCU - Windows Query Registry Reg Save - Rule", "ESCU - Windows Security Support Provider Reg Query - Rule", "ESCU - Windows Steal or Forge Kerberos Tickets Klist - Rule", "ESCU - Windows System Network Config Discovery Display DNS - Rule", "ESCU - Windows System Network Connections Discovery Netsh - Rule", "ESCU - Windows System User Discovery Via Quser - Rule", "ESCU - Windows WMI Process And Service List - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Network Share Connection Removal"}]}}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Excessive Usage Of Cacls App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Access Removal"}]}}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Connection Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Internet Connection Discovery"}]}}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}, {"name": "Windows Cached Domain Credentials Reg Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cached Domain Credentials"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows ClipBoard Data via Get-ClipBoard", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Clipboard Data"}]}}, {"name": "Windows Credentials from Password Stores Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}]}}, {"name": "Windows Credentials in Registry Reg Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials in Registry"}, {"mitre_attack_technique": "Unsecured Credentials"}]}}, {"name": "Windows Indirect Command Execution Via Series Of Forfiles", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indirect Command Execution"}]}}, {"name": "Windows Information Discovery Fsutil", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Information Discovery"}]}}, {"name": "Windows Modify Registry Reg Restore", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Password Managers Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Managers"}]}}, {"name": "Windows Private Keys Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Private Keys"}, {"mitre_attack_technique": "Unsecured Credentials"}]}}, {"name": "Windows Query Registry Reg Save", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Security Support Provider Reg Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Support Provider"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows Steal or Forge Kerberos Tickets Klist", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows System Network Config Discovery Display DNS", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}]}}, {"name": "Windows System Network Connections Discovery Netsh", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Windows System User Discovery Via Quser", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "Windows WMI Process And Service List", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}]}, {"name": "Windows Privilege Escalation", "id": "644e22d3-598a-429c-a007-16fdb802cae5", "version": 2, "date": "2020-02-04", "author": "David Dorsey, Splunk", "description": "Monitor for and investigate activities that may be associated with a Windows privilege-escalation attack, including unusual processes running on endpoints, modified registry keys, and more.", "narrative": "Privilege escalation is a \"land-and-expand\" technique, wherein an adversary gains an initial foothold on a host and then exploits its weaknesses to increase his privileges. The motivation is simple: certain actions on a Windows machine--such as installing software--may require higher-level privileges than those the attacker initially acquired. By increasing his privilege level, the attacker can gain the control required to carry out his malicious ends. This Analytic Story provides searches to detect and investigate behaviors that attackers may use to elevate their privileges in your environment.", "references": ["https://attack.mitre.org/tactics/TA0004/"], "tags": {"name": "Windows Privilege Escalation", "analytic_story": "Windows Privilege Escalation", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1547.014", "mitre_attack_technique": "Active Setup", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "PLATINUM", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Rocke"]}, {"mitre_attack_id": "T1037.001", "mitre_attack_technique": "Logon Script (Windows)", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "Cobalt Group"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Earth Lusca", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.008", "mitre_attack_technique": "Accessibility Features", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT3", "APT41", "Axiom", "Deep Panda", "Fox Kitten"]}, {"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["TEMP.Veles"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1134.001", "mitre_attack_technique": "Token Impersonation/Theft", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "FIN8"]}, {"mitre_attack_id": "T1546.002", "mitre_attack_technique": "Screensaver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.003", "mitre_attack_technique": "Time Providers", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Execution", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Uncommon Processes On Endpoint - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Child Processes of Spoolsv exe - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - MSI Module Loaded by Non-System Binary - Rule", "ESCU - Overwriting Accessibility Binaries - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Runas Execution in CommandLine - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Time Provider Persistence Registry - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Uncommon Processes On Endpoint", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious File"}]}}, {"name": "Active Setup Registry Autostart", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Active Setup"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Child Processes of Spoolsv exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Blocking"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Kerberoasting spn request with RC4 encryption", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Logon Script Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Boot or Logon Initialization Scripts"}, {"mitre_attack_technique": "Logon Script (Windows)"}]}}, {"name": "MSI Module Loaded by Non-System Binary", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Overwriting Accessibility Binaries", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Accessibility Features"}]}}, {"name": "Print Processor Registry Autostart", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Image File Execution Options Injection"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Runas Execution in CommandLine", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Access Token Manipulation"}, {"mitre_attack_technique": "Token Impersonation/Theft"}]}}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Screensaver"}]}}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Time Providers"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}]}, {"name": "Windows Registry Abuse", "id": "78df1df1-25f1-4387-90f9-c4ea31ce6b75", "version": 1, "date": "2022-03-17", "author": "Teoderick Contreras, Splunk", "description": "Windows services are often used by attackers for persistence, privilege escalation, lateral movement, defense evasion, collection of data, a tool for recon, credential dumping and payload impact. This Analytic Story helps you monitor your environment for indications that Windows registry are being modified or created in a suspicious manner.", "narrative": "Windows Registry is one of the powerful and yet still mysterious Windows features that can tweak or manipulate Windows policies and low-level configuration settings. Because of this capability, most malware, adversaries or threat actors abuse this hierarchical database to do their malicious intent on a targeted host or network environment. In these cases, attackers often use tools to create or modify registry in ways that are not typical for most environments, providing opportunities for detection.", "references": ["https://attack.mitre.org/techniques/T1112/", "https://redcanary.com/blog/windows-registry-attacks-threat-detection/"], "tags": {"name": "Windows Registry Abuse", "analytic_story": "Windows Registry Abuse", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Dragonfly", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1552.002", "mitre_attack_technique": "Credentials in Registry", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT32"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1564.001", "mitre_attack_technique": "Hidden Files and Directories", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "HAFNIUM", "Lazarus Group", "LuminousMoth", "Mustang Panda", "Rocke", "Transparent Tribe", "Tropic Trooper"]}, {"mitre_attack_id": "T1564", "mitre_attack_technique": "Hide Artifacts", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.010", "mitre_attack_technique": "Port Monitors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1546.011", "mitre_attack_technique": "Application Shimming", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN7"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["TEMP.Veles"]}, {"mitre_attack_id": "T1546.002", "mitre_attack_technique": "Screensaver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1547.003", "mitre_attack_technique": "Time Providers", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1547.008", "mitre_attack_technique": "LSASS Driver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1553.004", "mitre_attack_technique": "Install Root Certificate", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1553", "mitre_attack_technique": "Subvert Trust Controls", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Axiom"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Execution", "Impact", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - Allow Operation with Consent Admin - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Auto Admin Logon Registry Entry - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Disable AMSI Through Registry - Rule", "ESCU - Disable Defender AntiVirus Registry - Rule", "ESCU - Disable Defender BlockAtFirstSeen Feature - Rule", "ESCU - Disable Defender Enhanced Notification - Rule", "ESCU - Disable Defender MpEngine Registry - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Disable Defender Submit Samples Consent Feature - Rule", "ESCU - Disable ETW Through Registry - Rule", "ESCU - Disable Registry Tool - Rule", "ESCU - Disable Security Logs Using MiniNt Registry - Rule", "ESCU - Disable Show Hidden Files - Rule", "ESCU - Disable UAC Remote Restriction - Rule", "ESCU - Disable Windows App Hotkeys - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disable Windows SmartScreen Protection - Rule", "ESCU - Disabling CMD Application - Rule", "ESCU - Disabling ControlPanel - Rule", "ESCU - Disabling Defender Services - Rule", "ESCU - Disabling FolderOptions Windows Feature - Rule", "ESCU - Disabling NoRun Windows App - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Disabling SystemRestore In Registry - Rule", "ESCU - Disabling Task Manager - Rule", "ESCU - Disabling Windows Local Security Authority Defences via Registry - Rule", "ESCU - Enable RDP In Other Port Number - Rule", "ESCU - Enable WDigest UseLogonCredential Registry - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Hide User Account From Sign-In Screen - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Monitor Registry Keys for Print Monitors - Rule", "ESCU - Registry Keys for Creating SHIM Databases - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Remcos client registry install entry - Rule", "ESCU - Revil Registry Entry - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Sdclt UAC Bypass - Rule", "ESCU - SilentCleanup UAC Bypass - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Windows AD DSRM Account Changes - Rule", "ESCU - Windows Autostart Execution LSASS Driver Registry Modification - Rule", "ESCU - Windows Disable Lock Workstation Feature Through Registry - Rule", "ESCU - Windows Disable LogOff Button Through Registry - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows Disable Notification Center - Rule", "ESCU - Windows Disable Shutdown Button Through Registry - Rule", "ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Hide Notification Features Through Registry - Rule", "ESCU - Windows Impair Defense Delete Win Defender Context Menu - Rule", "ESCU - Windows Impair Defense Delete Win Defender Profile Registry - Rule", "ESCU - Windows Impair Defenses Disable HVCI - Rule", "ESCU - Windows Impair Defenses Disable Win Defender Auto Logging - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - Windows Registry Certificate Added - Rule", "ESCU - Windows Registry Delete Task SD - Rule", "ESCU - Windows Registry Modification for Safe Mode Persistence - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - WSReset UAC Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Allow Operation with Consent Admin", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Auto Admin Logon Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials in Registry"}, {"mitre_attack_technique": "Unsecured Credentials"}]}}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Disable AMSI Through Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender AntiVirus Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender BlockAtFirstSeen Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender Enhanced Notification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender MpEngine Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender Submit Samples Consent Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable ETW Through Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Registry Tool", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Security Logs Using MiniNt Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Disable Show Hidden Files", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hidden Files and Directories"}, {"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Hide Artifacts"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable UAC Remote Restriction", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Disable Windows App Hotkeys", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Windows SmartScreen Protection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling CMD Application", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling ControlPanel", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling Defender Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling FolderOptions Windows Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling NoRun Windows App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Disabling SystemRestore In Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Disabling Task Manager", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling Windows Local Security Authority Defences via Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Authentication Process"}]}}, {"name": "Enable RDP In Other Port Number", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}]}}, {"name": "Enable WDigest UseLogonCredential Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Blocking"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Eventvwr UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Hide User Account From Sign-In Screen", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Defacement"}]}}, {"name": "Monitor Registry Keys for Print Monitors", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Port Monitors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Registry Keys for Creating SHIM Databases", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application Shimming"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Image File Execution Options Injection"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Remcos client registry install entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Revil Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Screensaver"}]}}, {"name": "Sdclt UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "SilentCleanup UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Time Providers"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows AD DSRM Account Changes", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Windows Autostart Execution LSASS Driver Registry Modification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Driver"}]}}, {"name": "Windows Disable Lock Workstation Feature Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable LogOff Button Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable Memory Crash Dump", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows Disable Notification Center", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable Shutdown Button Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Hide Notification Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Impair Defense Delete Win Defender Context Menu", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Impair Defense Delete Win Defender Profile Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Impair Defenses Disable HVCI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Impair Defenses Disable Win Defender Auto Logging", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Registry Certificate Added", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Install Root Certificate"}, {"mitre_attack_technique": "Subvert Trust Controls"}]}}, {"name": "Windows Registry Delete Task SD", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Registry Modification for Safe Mode Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}}, {"name": "WSReset UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}]}, {"name": "Windows Service Abuse", "id": "6dbd810e-f66d-414b-8dfc-e46de55cbfe2", "version": 3, "date": "2017-11-02", "author": "Rico Valdez, Splunk", "description": "Windows services are often used by attackers for persistence and the ability to load drivers or otherwise interact with the Windows kernel. This Analytic Story helps you monitor your environment for indications that Windows services are being modified or created in a suspicious manner.", "narrative": "The Windows operating system uses a services architecture to allow for running code in the background, similar to a UNIX daemon. Attackers will often leverage Windows services for persistence, hiding in plain sight, seeking the ability to run privileged code that can interact with the kernel. In many cases, attackers will create a new service to host their malicious code. Attackers have also been observed modifying unnecessary or unused services to point to their own code, as opposed to what was intended. In these cases, attackers often use tools to create or modify services in ways that are not typical for most environments, providing opportunities for detection.", "references": ["https://attack.mitre.org/wiki/Technique/T1050", "https://attack.mitre.org/wiki/Technique/T1031"], "tags": {"name": "Windows Service Abuse", "analytic_story": "Windows Service Abuse", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - First Time Seen Running Windows Service - Rule", "ESCU - Reg exe Manipulating Windows Services Registry Keys - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": ["ESCU - Previously Seen Running Windows Services - Initial", "ESCU - Previously Seen Running Windows Services - Update"], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "First Time Seen Running Windows Service", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Reg exe Manipulating Windows Services Registry Keys", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}]}, {"name": "Windows System Binary Proxy Execution MSIExec", "id": "bea2e16b-4599-46ad-a95b-116078726c68", "version": 1, "date": "2022-06-16", "author": "Michael Haag, Splunk", "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).", "narrative": "Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs. Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.", "references": ["https://attack.mitre.org/techniques/T1218/007/"], "tags": {"name": "Windows System Binary Proxy Execution MSIExec", "analytic_story": "Windows System Binary Proxy Execution MSIExec", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.007", "mitre_attack_technique": "Msiexec", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Machete", "Molerats", "Rancor", "TA505", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Windows MSIExec DLLRegisterServer - Rule", "ESCU - Windows MSIExec Remote Download - Rule", "ESCU - Windows MSIExec Spawn Discovery Command - Rule", "ESCU - Windows MSIExec Unregister DLLRegisterServer - Rule", "ESCU - Windows MSIExec With Network Connections - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows MSIExec DLLRegisterServer", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Msiexec"}]}}, {"name": "Windows MSIExec Remote Download", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Msiexec"}]}}, {"name": "Windows MSIExec Spawn Discovery Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Msiexec"}]}}, {"name": "Windows MSIExec Unregister DLLRegisterServer", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Msiexec"}]}}, {"name": "Windows MSIExec With Network Connections", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Msiexec"}]}}]}, {"name": "Winter Vivern", "id": "5ce5f311-b311-4568-90ca-0c36781d07a4", "version": 1, "date": "2023-02-16", "author": "Teoderick Contreras, Splunk", "description": "Utilize searches that enable you to detect and investigate unusual activities potentially related to the Winter Vivern malicious software. This includes examining multiple timeout executions, scheduled task creations, screenshots, and downloading files through PowerShell, among other indicators.", "narrative": "The Winter Vivern malware, identified by CERT UA, is designed to download and run multiple PowerShell scripts on targeted hosts. These scripts aim to gather a variety of files with specific extensions, including (.edb, .ems, .eme, .emz, .key, .pem, .ovpn, .bat, .cer, .p12, .cfg, .log, .txt, .pdf, .doc, .docx, .xls, .xlsx, and .rdg), primarily from desktop directories. In addition to this, the malware captures desktop screenshots and performs data exfiltration using HTTP. To maintain its presence on the targeted host, Winter Vivern also establishes a persistence mechanism, such as creating a scheduled task.", "references": ["https://cert.gov.ua/article/3761023"], "tags": {"name": "Winter Vivern", "analytic_story": "Winter Vivern", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1041", "mitre_attack_technique": "Exfiltration Over C2 Channel", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Chimera", "Confucius", "GALLIUM", "Gamaredon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "LuminousMoth", "MuddyWater", "Sandworm Team", "Stealth Falcon", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1113", "mitre_attack_technique": "Screen Capture", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT39", "BRONZE BUTLER", "Dark Caracal", "Dragonfly", "FIN7", "GOLD SOUTHFIELD", "Gamaredon Group", "Group5", "Magic Hound", "MuddyWater", "OilRig", "Silence"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Defense Evasion", "Discovery", "Execution", "Exfiltration", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Any Powershell DownloadString - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - GetWmiObject User Account with PowerShell - Rule", "ESCU - GetWmiObject User Account with PowerShell Script Block - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - Windows Exfiltration Over C2 Via Invoke RestMethod - Rule", "ESCU - Windows Exfiltration Over C2 Via Powershell UploadString - Rule", "ESCU - Windows Scheduled Task Created Via XML - Rule", "ESCU - Windows Screen Capture Via Powershell - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "GetWmiObject User Account with PowerShell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}}, {"name": "GetWmiObject User Account with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Schedule Task with HTTP Command Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "Windows Exfiltration Over C2 Via Invoke RestMethod", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over C2 Channel"}]}}, {"name": "Windows Exfiltration Over C2 Via Powershell UploadString", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over C2 Channel"}]}}, {"name": "Windows Scheduled Task Created Via XML", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows Screen Capture Via Powershell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Screen Capture"}]}}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}]}, {"name": "XMRig", "id": "06723e6a-6bd8-4817-ace2-5fb8a7b06628", "version": 1, "date": "2021-05-07", "author": "Teoderick Contreras, Rod Soto Splunk", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the xmrig monero, including looking for file writes associated with its payload, process command-line, defense evasion (killing services, deleting users, modifying files or folder permission, killing other malware or other coin miner) and hacking tools including Telegram as mean of Command And Control (C2) to download other files. Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability. One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive. (1) Servers and cloud-based (2) systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.", "narrative": "XMRig is a high performance, open source, cross platform RandomX, KawPow, CryptoNight and AstroBWT unified CPU/GPU miner. This monero is seen in the wild on May 2017.", "references": ["https://github.com/xmrig/xmrig", "https://www.getmonero.org/resources/user-guides/mine-to-pool.html", "https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/", "https://blog.checkpoint.com/2021/03/11/february-2021s-most-wanted-malware-trickbot-takes-over-following-emotet-shutdown/"], "tags": {"name": "XMRig", "analytic_story": "XMRig", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036.005", "mitre_attack_technique": "Match Legitimate Name or Location", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT32", "APT39", "APT41", "Aoqin Dragon", "BRONZE BUTLER", "BackdoorDiplomacy", "Blue Mockingbird", "Carbanak", "Chimera", "Darkhotel", "Earth Lusca", "FIN7", "Ferocious Kitten", "Fox Kitten", "Gamaredon Group", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Poseidon Group", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "Sowbug", "TEMP.Veles", "TeamTNT", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1595", "mitre_attack_technique": "Active Scanning", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": []}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": []}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Deleting Of Net Users - Rule", "ESCU - Disable Windows App Hotkeys - Rule", "ESCU - Disabling Net User Account - Rule", "ESCU - Download Files Using Telegram - Rule", "ESCU - Enumerate Users Local Group Using Telegram - Rule", "ESCU - Excessive Attempt To Disable Services - Rule", "ESCU - Excessive Service Stop Attempt - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Hide User Account From Sign-In Screen - Rule", "ESCU - Icacls Deny Command - Rule", "ESCU - ICACLS Grant Command - Rule", "ESCU - Modify ACL permission To Files Or Folder - Rule", "ESCU - Process Kill Base On File Path - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - XMRIG Driver Loaded - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Match Legitimate Name or Location"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "Active Scanning"}]}}, {"name": "Deleting Of Net Users", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Access Removal"}]}}, {"name": "Disable Windows App Hotkeys", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling Net User Account", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Access Removal"}]}}, {"name": "Download Files Using Telegram", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Enumerate Users Local Group Using Telegram", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Excessive Attempt To Disable Services", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Excessive Service Stop Attempt", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Excessive Usage Of Cacls App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Access Removal"}]}}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Hide User Account From Sign-In Screen", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Icacls Deny Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "ICACLS Grant Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Modify ACL permission To Files Or Folder", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Process Kill Base On File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "XMRIG Driver Loaded", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}]}]} \ No newline at end of file diff --git a/dist/escu/app.manifest b/dist/escu/app.manifest index 5e947ef898..411dc20844 100644 --- a/dist/escu/app.manifest +++ b/dist/escu/app.manifest @@ -5,7 +5,7 @@ "id": { "group": null, "name": "DA-ESS-ContentUpdate", - "version": "4.5.1" + "version": "4.6.0" }, "author": [ { diff --git a/dist/escu/default/analyticstories.conf b/dist/escu/default/analyticstories.conf index 8e7c9edb12..502acf2613 100644 --- a/dist/escu/default/analyticstories.conf +++ b/dist/escu/default/analyticstories.conf @@ -1,6 +1,6 @@ ############# # Automatically generated by generator.py in splunk/security_content -# On Date: 2023-06-22T18:50:57 UTC +# On Date: 2023-06-27T23:22:58 UTC # Author: Splunk Security Research # Contact: research@splunk.com ############# @@ -731,7 +731,7 @@ providing_technologies = null type = detection asset_type = AWS Account confidence = medium -explanation = This search looks for AWS CloudTrail events where a user A who has already permission to create access keys, makes an API call to create access keys for another user B. Attackers have been know to use this technique for Privilege Escalation in case new victim(user B) has more permissions than old victim(user B) +explanation = This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it's important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don't typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting. how_to_implement = You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user. @@ -861,7 +861,7 @@ providing_technologies = ["Amazon Web Services - Cloudtrail"] type = detection asset_type = AWS Account confidence = medium -explanation = This search looks for AWS CloudTrail events where a user A who has already permission to create access keys, makes an API call to create access keys for another user B. Attackers have been know to use this technique for Privilege Escalation in case new victim(user B) has more permissions than old victim(user B) +explanation = This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it's important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don't typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting. how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.AE"]} known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user. @@ -1593,7 +1593,7 @@ providing_technologies = null type = detection asset_type = Azure Active Directory confidence = medium -explanation = The following analytic +explanation = The following analytic is geared towards detecting potential privilege escalation threats in Azure Active Directory (AD). It identifies instances where privileged roles, which hold elevated permissions, are assigned to Service Principals. These non-human entities that can access Azure resources could be exploited in an attack scenario, leading to unauthorized access or malicious activities. The analytic runs a specific search within the ingested Azure AD events, specifically leveraging the AuditLogs log category. Keep in mind, however, that there could be false positives, as administrators may legitimately assign privileged roles to Service Principals. how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} known_false_positives = Administrators may legitimately assign the privileged roles to Service Principals as part of administrative tasks. Filter as needed. @@ -2831,16 +2831,6 @@ annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} known_false_positives = Not all service accounts interactions are malicious. Analyst must consider IP, verb and decision context when trying to detect maliciousness. providing_technologies = null -[savedsearch://ESCU - Kubernetes AWS detect RBAC authorization by account - Rule] -type = detection -asset_type = AWS EKS Kubernetes cluster -confidence = medium -explanation = This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding top to see both extremes of RBAC by accounts occurrences -how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs -annotations = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -known_false_positives = Not all RBAC Authorications are malicious. RBAC authorizations can uncover malicious activity specially if sensitive Roles have been granted. -providing_technologies = null - [savedsearch://ESCU - Kubernetes AWS detect sensitive role access - Rule] type = detection asset_type = AWS EKS Kubernetes cluster @@ -3265,7 +3255,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response" type = detection asset_type = Windows confidence = medium -explanation = Detect memory dumping of the LSASS process. +explanation = The following analytic is designed to detect potentially malicious activities involving the Local Security Authority Subsystem Service (LSASS) process. Specifically, it identifies when the LSASS process memory is being dumped, an action often associated with credential dumping attacks. This analytic leverages Sysmon logs, particularly those with EventCode 10 related to lsass.exe. It searches for indicators of LSASS memory dumping, such as specific call traces to dbgcore.dll and dbghelp.dll. While memory dumps can be legitimate administrative tasks, LSASS memory dumps are typically unusual and warrant investigation. To implement this analytic, ensure your Sysmon setup includes EventCode 10 logging for lsass.exe and customize the provided macros (sysmon and post-filter macro) to match your specific Splunk environment configuration. how_to_implement = This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10 for lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} known_false_positives = Administrators can create memory dumps for debugging purposes, but memory dumps of the LSASS process would be unusual. @@ -3425,7 +3415,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response" type = detection asset_type = Endpoint confidence = medium -explanation = This search looks for execution of commonly used attacker tools on an endpoint. +explanation = The following analytic aims to identify the use of tools commonly exploited by cybercriminals. The use of these tools often signals nefarious activities like unauthorized access, network scanning, or data exfiltration, representing a significant threat to an organization's security infrastructure. By examining process activity on the host, particularly those processes corresponding to known attacker tool names, this analytic serves as an early warning system for potential security incidents. However, its precision must be balanced with the understanding that some administrative activities might also trigger alerts, resulting in false positives. This underlines the importance of cyber analysts having a clear understanding of typical endpoint activities and behaviors within their organization, enabling them to accurately interpret and respond to these alerts. how_to_implement = To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is usually generated via logs that report process tracking in your Windows audit settings. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Reconnaissance"], "mitre_attack": ["T1036.005", "T1036", "T1003", "T1595"], "nist": ["DE.CM"]} known_false_positives = Some administrator activity can be potentially triggered, please add those users to the filter macro. @@ -3435,7 +3425,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response" type = detection asset_type = Endpoint confidence = medium -explanation = Attempt To Add Certificate To Untrusted Store +explanation = The following analytic is designed to detect potential security threats involving the misuse of system trust. It works by detecting events where a process attempts to add a certificate to the untrusted certificate store, an action often associated with disabling security tools. The analytic uses Sysmon Event ID 1 data source, particularly focusing on process activities and command-line arguments related to 'certutil -addstore'. It's essential to ingest data that records process activity and logs containing process names and command lines for its effective operation. Be aware, sometimes administrators might legitimately perform this action. The analytic's value lies in detecting isolated or unexpected instances, indicative of potential malicious activities. Cybersecurity analysts should understand the importance of trust mechanisms and their subversion in system security. how_to_implement = You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the "process" field in the Endpoint data model. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1553.004", "T1553"], "nist": ["DE.CM"]} known_false_positives = There may be legitimate reasons for administrators to add a certificate to the untrusted certificate store. In such cases, this will typically be done on a large number of systems. @@ -3766,7 +3756,7 @@ providing_technologies = null type = detection asset_type = Windows confidence = medium -explanation = Detect remote thread creation into LSASS consistent with credential dumping. +explanation = The following analytic developed to detect potential credential dumping attacks where a remote thread is created in the Local Security Authority Subsystem Service (LSASS). Credential dumping, a common tactic used by adversaries to steal user authentication credentials, is a significant threat to network security. The analytic leverages Sysmon Event ID 8 logs and looks for processes creating remote threads in lsass.exe, an unusual activity generally linked to credential theft. The confidence level in this alert is high, but it's worth noting that there might be cases where legitimate tools can access LSASS, generating similar logs. As an analyst, it is critical to understand the broader context of such events and differentiate between legitimate activities and possible threats. how_to_implement = This search needs Sysmon Logs with a Sysmon configuration, which includes EventCode 8 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} known_false_positives = Other tools can access LSASS for legitimate reasons and generate an event. In these cases, tweaking the search may help eliminate noise. @@ -3996,7 +3986,7 @@ asset_type = Endpoint confidence = medium explanation = The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell and ProxyNotShell. Paths include: `\HttpProxy\owa\auth\`, `\inetpub\wwwroot\aspnet_client\`, and `\HttpProxy\OAB\`. Upon triage, the suspicious .aspx file will likely look obvious on the surface. inspect the contents for script code inside. Identify additional log sources, IIS included, to review source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically analytics to detect those threats are written without the benefit of being able to only target those systems as well. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the exchange server is communicating with new systems that it has not previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise allowing the hunter to focus only on the systems where this behavioral change is relevant. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505", "T1505.003", "T1190"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505", "T1505.003", "T1190", "T1133"], "nist": ["DE.CM"]} known_false_positives = The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] @@ -4876,7 +4866,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response" type = detection asset_type = Endpoint confidence = medium -explanation = Detect the usage of comsvcs.dll for dumping the lsass process. +explanation = The following analytic detects the behavior of dumping credentials from memory, a tactic commonly used by adversaries. Specifically, it targets the exploitation of the Local Security Authority Subsystem Service (LSASS) in Windows, which manages system-level authentication. Threat actors can use the comsvcs.dll to exploit this process and obtain valuable credentials. The analytic identifies instances where the rundll32 process is used in conjunction with the comsvcs.dll and MiniDump, indicating potential LSASS dumping attempts. This tactic is often part of more extensive attack campaigns and is associated with numerous threat groups. Identifying this behavior is crucial for security operations center (SOC) analysts, as credential theft can lead to broader system compromise, persistence, lateral movement, and escalated privileges. It is important to note that no legitimate use of this technique has been identified so far. The impact of the attack, if a true positive is found, can be severe. Attackers can use the stolen credentials to access sensitive information or systems, leading to data theft, ransomware attacks, or other damaging outcomes. To implement this analytic, ensure that logs with process information are ingested from your endpoints. However, be aware of potential false positives, as legitimate uses of the LSASS process may cause benign activities to be flagged. Upon triage, review the processes involved in the LSASS dumping attempt, capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. By identifying and mitigating LSASS exploitation attempts early on, SOC analysts can better protect their organization's assets and prevent potential breaches. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} known_false_positives = None identified. @@ -5123,7 +5113,7 @@ A suspicious event will have `PowerShell`, the method `POST` and `autodiscover.j An event will look similar to `POST /autodiscover/autodiscover.json a=dsxvu@fnsso.flq/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3d...` (abbreviated) \ Review the source attempting to perform this activity against your environment. In addition, review PowerShell logs and access recently granted to Exchange roles. how_to_implement = The following analytic requires on-premise Exchange to be logging to Splunk using the TA - https://splunkbase.splunk.com/app/3225. Ensure logs are parsed correctly, or tune the analytic for your environment. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} known_false_positives = Limited false positives, however, tune as needed. providing_technologies = null @@ -5155,7 +5145,7 @@ providing_technologies = ["Microsoft Windows"] type = detection asset_type = Endpoint confidence = medium -explanation = This analytic will identify suspicious executable or scripts (known file extensions) in a list of suspicious file paths in Windows. This technique is used by adversaries to evade detection. The suspicious file path are known paths used in the wild and are not common to have executable or scripts. +explanation = This analytic identifies potentially malicious executables or scripts by examining a list of suspicious file paths on Windows Operating System. The purpose of this technique is to uncover files with known file extensions that could be used by adversaries to evade detection and persistence. The suspicious file paths selected for investigation are typically uncommon and uncommonly associated with executable or script files. By scrutinizing these paths, we can proactively identify potential security threats and enhance overall system security. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036"], "nist": ["DE.AE"]} known_false_positives = Administrators may allow creation of script or exe in the paths specified. Filter as needed. @@ -5725,7 +5715,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response" type = detection asset_type = Endpoint confidence = medium -explanation = This analytic identifies a potential adversary that changes the security permission of a specific file or directory. This technique is commonly seen in APT tradecraft or coinminer scripts. This behavior is meant to evade detection and prevent access to their component files. +explanation = This analytic identifies instances where an adversary modifies the security permissions of a particular file or directory. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. The purpose of this behavior is to actively evade detection and impede access to their associated files. By identifying these security permission changes, we can enhance our ability to detect and respond to potential threats, mitigating the impact of malicious activities on the system. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed icacls.exe may be used. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.CM"]} known_false_positives = Unknown. It is possible some administrative scripts use ICacls. Filter as needed. @@ -5735,7 +5725,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response" type = detection asset_type = Endpoint confidence = medium -explanation = This analytic identifies potential adversaries that modify the security permission of a specific file or directory. This technique is commonly seen in APT tradecraft and coinminer scripts to evade detections and restrict access to their component files. +explanation = This analytic identifies adversaries who manipulate the security permissions of specific files or directories by granting additional access. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. The objective behind this behavior is to actively evade detection mechanisms and tightly control access to their associated files. By identifying these security permission modifications, we can improve our ability to identify and respond to potential threats, thereby minimizing the impact of malicious activities on the system. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed icacls.exe may be used. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.CM"]} known_false_positives = Unknown. Filter as needed. @@ -5807,7 +5797,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies the process java writing a .jsp to disk. This is potentially indicative of a web shell being written to disk. Modify and tune the analytic based on data ingested. For instance, it may be worth running a broad query for jsp file writes first before performing a join. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} known_false_positives = False positives are possible and filtering may be required. Restrict by assets or filter known jsp files that are common for the environment. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] @@ -5905,7 +5895,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response" type = detection asset_type = Endpoint confidence = medium -explanation = The following analytic identifies a suspicious file creation in known cron table directories. This event is commonly abuse by malware, adversaries and red teamers to persist on the target or compromised host. crontab or cronjob is like a schedule task in windows environment where you can create an executable or script on the known crontab directories to run it base on its schedule. This Anomaly query is a good indicator to look further what file is added and who added the file if to consider it legitimate file. +explanation = The following analytic aims to detect unauthorized activities through suspicious file creation in recognized cron table directories, prevalent Unix-based locations for scheduling tasks. This behavior is often exploited by nefarious entities like malware or threat actors, including red teamers, to establish persistence on a targeted or compromised host. The analogy to Windows-based scheduled tasks helps explain the utility of a crontab or cron job. To enhance clarity and actionable intelligence, the anomaly query flags the anomaly, urging further investigation into the added file's details. A cybersecurity analyst should consider additional data points such as the user identity involved, the file's nature and purpose, file origin, timestamp, and any changes in system behavior post file execution. This comprehensive understanding aids in accurately determining the file's legitimacy, facilitating prompt and effective response actions. how_to_implement = To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} known_false_positives = Administrator or network operator can create file in crontab folders for automation purposes. Please update the filter macros to remove false positives. @@ -5925,7 +5915,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response" type = detection asset_type = Endpoint confidence = medium -explanation = The following analytic identifies a suspicious cron jobs modification using crontab list parameters. This command line parameter can be abused by malware like industroyer2, adversaries, and red teamers to add a crontab entry to their malicious code to execute to the schedule they want. This event can also be executed by administrator or normal user for automation purposes so filter is needed. +explanation = The following analytic identifies suspicious modifications to cron jobs on Linux systems using the crontab command with list parameters. This command line parameter can be abused by malware like Industroyer2, as well as adversaries and red teamers, to add a crontab entry for executing their malicious code on a schedule of their choice. However, it's important to note that administrators or normal users may also use this command for legitimate automation purposes, so filtering is required to minimize false positives. Identifying the modification of cron jobs using list parameters is valuable for a SOC as it indicates potential malicious activity or an attempt to establish persistence on the system. If a true positive is detected, further investigation should be conducted to analyze the added cron job, its associated command, and the impact it may have on the system. This includes examining the purpose of the job, reviewing any on-disk artifacts, and identifying any related processes or activities occurring concurrently. The impact of a true positive can range from unauthorized execution of malicious code to data destruction or other damaging outcomes. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} known_false_positives = Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. @@ -5955,7 +5945,8 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response" type = detection asset_type = Endpoint confidence = medium -explanation = The following analytic identifies a suspicious file creation of /etc/at.allow or /etc/at.deny. These 2 files are commonly abused by malware, adversaries or red teamers to persist on the targeted or compromised host. These config files can restrict or allow user to execute "at" application (another schedule task application in linux). attacker can create a user or add the compromised username to that config file to execute "at" to schedule it malicious code. This anomaly detection can be a good indicator to investigate further the entry in created config file and who created it to verify if it is a false positive. +explanation = The following analytic detects the creation of suspicious configuration files, /etc/at.allow or /etc/at.deny, in Linux. These files are commonly abused by malware, adversaries, or red teamers to establish persistence on compromised hosts. The configuration files determine which users are allowed to execute the "at" application, which is used for scheduling tasks in Linux. Attackers can add their user or a compromised username to these files to execute malicious code using "at." It's important to consider potential false positives as administrators or network operators may create these files for legitimate automation purposes. Adjust the filter macros to minimize false positives.\ +Identifying the creation of these configuration files is valuable for a SOC as it indicates potential unauthorized activities or an attacker attempting to establish persistence. If a true positive is found, further investigation is necessary to examine the contents of the created configuration file and determine the source of creation. The impact of a true positive can vary but could result in unauthorized execution of malicious code, data theft, or other detrimental consequences. Analysts should review the file path, creation time, and associated processes to assess the extent of the attack and initiate appropriate response actions. how_to_implement = To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} known_false_positives = Administrator or network operator can create this file for automation purposes. Please update the filter macros to remove false positives. @@ -5965,7 +5956,9 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response" type = detection asset_type = Endpoint confidence = medium -explanation = The following analytic identifies a suspicious process creation of At application. This process can be used by malware, adversaries and red teamers to create persistence entry to the targeted or compromised host with their malicious code. This anomaly detection can be a good indicator to investigate the event before and after this process execution, when it was executed and what schedule task it will execute. +explanation = The following analytic detects the execution of the "At" application in Linux, which can be used by attackers to create persistence entries on a compromised host. The "At" application can be used for automation purposes by administrators or network operators, so the filter macros should be updated to remove false positives. If a true positive is found, it suggests an attacker is trying to maintain access to the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, ensure you are ingesting logs with the required fields from your endpoints into the Endpoint datamodel. When a true positive is detected, it suggests that an attacker is attempting to establish persistence or deliver additional malicious payloads by leveraging the "At" application. This behavior can lead to data theft, ransomware attacks, or other damaging outcomes.\ +During triage, the SOC analyst should review the context surrounding the execution of the "At" application. This includes identifying the user, the parent process responsible for invoking the application, and the specific command-line arguments used. It is important to consider whether the execution is expected behavior by an administrator or network operator for legitimate automation purposes.\ +The presence of "At" application execution may indicate an attacker's attempt to maintain unauthorized access to the environment. Immediate investigation and response are necessary to mitigate further risks, identify the attacker's intentions, and prevent potential harm to the organization. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.002", "T1053"], "nist": ["DE.AE"]} known_false_positives = Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. @@ -6205,7 +6198,10 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response" type = detection asset_type = Endpoint confidence = medium -explanation = The following analytic identifies a suspicious cronjobs modification using crontab edit parameter. This commandline parameter can be abuse by malware author, adversaries, and red red teamers to add cronjob entry to their malicious code to execute to the schedule they want. This event can also be executed by administrator or normal user for automation purposes so filter is needed. +explanation = The following analytic detects the suspicious editing of cron jobs in Linux via the crontab command-line parameter. This tactic could be used by adversaries or malware to schedule execution of their malicious code, potentially leading to system compromise or unauthorized persistent access. It pinpoints this activity by monitoring command-line executions involving 'crontab' and the edit parameter (-e).\ +Recognizing such activity is vital for a SOC as cron job manipulations might signal unauthorized persistence attempts or scheduled malicious actions, potentially resulting in substantial harm. A true positive signifies an active threat, with implications ranging from unauthorized access to broader network compromise.\ +To implement this analytic, logs capturing process name, parent process, and command-line executions from your endpoints must be ingested.\ +Known false positives could stem from valid administrative tasks or automation processes using crontab. To reduce these, fine-tune the filter macros according to the benign activities within your environment. These adjustments ensure legitimate actions aren't mistaken for threats, allowing analysts to focus on genuine potential risks.\ how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} known_false_positives = Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. @@ -6407,7 +6403,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies the process name of Java, Apache, or Tomcat spawning a Linux shell. This is potentially indicative of exploitation of the Java application and may be related to current event CVE-2021-44228 (Log4Shell). The shells included in the macro are "sh", "ksh", "zsh", "bash", "dash", "rbash", "fish", "csh', "tcsh', "ion", "eshell". Upon triage, review parallel processes and command-line arguments to determine legitimacy. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon for Linux, you will need to ensure mapping is occurring correctly. Ensure EDR product is mapping OS Linux to the datamodel properly. Add any additional java process names for your environment to the analytic as needed. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} known_false_positives = Filtering may be required on internal developer build systems or classify assets as web facing and restrict the analytic based on asset type. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] @@ -6575,7 +6571,8 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response" type = detection asset_type = Endpoint confidence = medium -explanation = This analytic looks for suspicious commandline that may use to append user entry to /etc/at.allow or /etc/at.deny. These 2 files are commonly abused by malware, adversaries or red teamers to persist on the targeted or compromised host. These config file can restrict user that can only execute at application (another schedule task application in linux). attacker can create a user or add the compromised username to that config file to execute at to schedule it malicious code. This anomaly detection can be a good indicator to investigate further the entry in created config file and who created it to verify if it is a false positive. +explanation = The following analytic is designed to identify suspicious command lines that may append user entries to either /etc/at.allow or /etc/at.deny. These files can be exploited by malicious actors for persistence on a compromised Linux host by altering permissions for scheduled tasks using the at command.\ +In this context, an attacker can create a user or add an existing user to these configuration files to execute their malicious code through scheduled tasks. The detection of such anomalous behavior can serve as an effective indicator warranting further investigation to validate if the activity is indeed malicious or a false positive. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.002", "T1053"], "nist": ["DE.AE"]} known_false_positives = Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives. @@ -6595,17 +6592,22 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response" type = detection asset_type = Endpoint confidence = medium -explanation = This analytic looks for possible suspicious commandline that may use to append a code to any existing cronjob files for persistence or privilege escalation. This technique is commonly abused by malware, adversaries and red teamers to automatically execute their code within a existing or sometimes in normal cronjob script file. +explanation = The following analytic is designed to detect potential tampering with cronjob files on a Linux system. It specifically searches for command lines that may be used to append code to existing cronjob files, a technique often employed by adversaries, malware, and red teamers for persistence or privilege escalation. Altering existing or sometimes normal cronjob script files allows malicious code to be executed automatically.\ +The analytic operates by monitoring logs for specific process names, parent processes, and command-line executions from your endpoints. It specifically checks for any 'echo' command which modifies files in directories commonly associated with cron jobs such as '/etc/cron*', '/var/spool/cron/', and '/etc/anacrontab'. If such activity is detected, an alert is triggered.\ +This behavior is worth identifying for a SOC because malicious cron jobs can lead to system compromises and unauthorized data access, impacting business operations and data integrity. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} -known_false_positives = Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives. +known_false_positives = False positives may arise from legitimate actions by administrators or network operators who may use these commands for automation purposes. Therefore, it's recommended to adjust filter macros to eliminate such false positives. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] [savedsearch://ESCU - Linux Possible Cronjob Modification With Editor - Rule] type = detection asset_type = Endpoint confidence = medium -explanation = This analytic looks for possible modification of cronjobs file using editor. This event is can be seen in normal user but can also be a good hunting indicator for unwanted user modifying cronjobs for possible persistence or privilege escalation. +explanation = The following analytic detects potential unauthorized modifications to Linux cronjobs using text editors like "nano", "vi" or "vim". It identifies this behavior by tracking command-line executions that interact with paths related to cronjob configuration, a common Linux scheduling utility. Cronjob files may be manipulated by attackers for privilege escalation or persistent access, making such changes critical to monitor.\ The identified behavior is significant for a Security Operations Center (SOC) as it could indicate an ongoing attempt at establishing persistent access or privilege escalation, leading to data breaches, system compromise, or other malicious activities.\ +In case of a true positive, the impact could be severe. An attacker with escalated privileges or persistent access could carry out damaging actions, such as data theft, sabotage, or further network penetration.\ +To implement this analytic, ensure ingestion of logs tracking process name, parent process, and command-line executions from your endpoints. Utilize the Add-on for Linux Sysmon from Splunkbase if you're using Sysmon.\ +Known false positives include legitimate administrative tasks, as these commands may also be used for benign purposes. Careful tuning and filtering based on known benign activity in your environment can minimize these instances. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} known_false_positives = Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives. @@ -6675,17 +6677,20 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response" type = detection asset_type = Endpoint confidence = medium -explanation = This analytic looks for suspicious file creation in systemd timer directory in linux platform. systemd is a system and service manager for Linux distributions. From the Windows perspective, this process fulfills the duties of wininit.exe and services.exe combined. At the risk of simplifying the functionality of systemd, it initializes a Linux system and starts relevant services that are defined in service unit files. Adversaries, malware and red teamers may abuse this this feature by stashing systemd service file to persist on the targetted or compromised host. +explanation = The following analytic is designed to detect suspicious file creation within the systemd timer directory on Linux platforms. Systemd is a system and service manager for Linux, similar to the combination of wininit.exe and services.exe on Windows. This process initializes a Linux system and starts defined services in unit files. Malicious actors, such as adversaries, malware, or red teamers, can exploit this feature by embedding a systemd service file for persistence on the targeted or compromised host.\ +The analytic works by monitoring logs with file name, file path, and process GUID data from your endpoints. If a .service file is created in certain systemd directories, the analytic triggers an alert. This behavior is significant for a Security Operations Center (SOC) as it may indicate a persistent threat within the network, with a potential impact of system compromise or data exfiltration. how_to_implement = To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"]} -known_false_positives = Administrator or network operator can create file in systemd folders for automation purposes. Please update the filter macros to remove false positives. +known_false_positives = False positives may arise when administrators or network operators create files in systemd directories for legitimate automation tasks. Therefore, it's important to adjust filter macros to account for valid activities. To implement this search successfully, it's crucial to ingest appropriate logs, preferably using the Linux Sysmon Add-on from Splunkbase for those using Sysmon. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] [savedsearch://ESCU - Linux Service Restarted - Rule] type = detection asset_type = Endpoint confidence = medium -explanation = This analytic looks for restarted or re-enable services in the linux platform. This technique can be executed or performed using systemctl or service tool application. Adversaries may create or modify Linux services to repeatedly execute malicious payloads as part of persistence. When the linux host boots up, it starts programs or applications called services that perform background system functions. Administrator may also create a legitimated service for a specific tool or normal application as part of task or automation, in this scenario it is suggested to look for the service path of the actual script or executable that registered as service and who created the service for further verification. +explanation = The following analytic detects the restarting or re-enabling of services in the Linux platform. It focuses on the use of the systemctl or service tools for executing these actions. Adversaries may leverage this technique to repeatedly execute malicious payloads as a form of persistence. Linux hosts typically start services during boot to perform background system functions. However, administrators may also create legitimate services for specific tools or applications as part of task automation. In such cases, it is recommended to verify the service path of the registered script or executable and identify the creator of the service for further validation.\ +It's important to be aware that this analytic may generate false positives as administrators or network operators may use the same command-line for legitimate automation purposes. Filter macros should be updated accordingly to minimize false positives.\ +Identifying restarted or re-enabled services is valuable for a SOC as it can indicate potential malicious activities attempting to maintain persistence or execute unauthorized actions on Linux systems. By detecting and investigating these events, security analysts can respond promptly to mitigate risks and prevent further compromise. The impact of a true positive can range from unauthorized access to data destruction or other damaging outcomes. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and commandline executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"]} known_false_positives = Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives. @@ -6695,7 +6700,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response" type = detection asset_type = Endpoint confidence = medium -explanation = This analytic looks for created or enable services in linux platform. This technique can be executed or performed using systemctl or service tool application. Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Administrator may also create a legitimated service for a specific tool or normal application as part of task or automation, in this scenario it is suggested to look for the service path of the actual script or executable that register as service and who created the service for further verification. +explanation = The following analytic detects the creation or enabling of services in Linux platforms, specifically using the systemctl or service tool application. This behavior is worth identifying as adversaries may create or modify services to execute malicious payloads as part of persistence. Legitimate services created by administrators for automation purposes may also trigger this analytic, so it is important to update the filter macros to remove false positives. If a true positive is found, it suggests an possible attacker is attempting to persist within the environment or deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, ensure you are ingesting logs with the process name, parent process, and command-line executions from your endpoints. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"]} known_false_positives = Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives. @@ -6847,7 +6852,7 @@ asset_type = Endpoint confidence = medium explanation = The following correlation identifies a distinct amount of analytics associated with the Living Off The Land analytic story that identify potentially suspicious behavior. how_to_implement = To implement this correlation search a user needs to enable all detections in the Living Off The Land Analytic Story and confirm it is generating risk events. A simple search `index=risk analyticstories="Living Off The Land"` should contain events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command And Control", "Delivery", "Installation"], "mitre_attack": ["T1105", "T1190", "T1059"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command And Control", "Delivery", "Installation"], "mitre_attack": ["T1105", "T1190", "T1059", "T1133"], "nist": ["DE.AE"]} known_false_positives = There are no known false positive for this search, but it could contain false positives as multiple detections can trigger and not have successful exploitation. Modify the static value distinct_detection_name to a higher value. It is also required to tune analytics that are also tagged to ensure volume is never too much. providing_technologies = null @@ -6887,7 +6892,7 @@ asset_type = endpoint confidence = medium explanation = This correlation find exploitation of Log4Shell CVE-2021-44228 against systems using detections from Splunk Security Content Analytic Story. It does this by calculating the distinct count of MITRE ATT&CK tactics from Log4Shell detections fired. If the count is larger than 2 or more distinct MITRE ATT&CK tactics we assume high problability of exploitation. The Analytic story breaks down into 3 major phases of a Log4Shell exploitation, specifically> Initial Payload delivery eg. `${jndi:ldap://PAYLOAD_INJECTED}` Call back to malicious LDAP server eg. Exploit.class Post Exploitation Activity/Lateral Movement using Powershell or similar T1562.001 Each of these phases fall into different MITRE ATT&CK Tactics (Initial Access, Execution, Command And Control), by looking into 2 or more phases showing up in detections triggerd is how this correlation search finds exploitation. If we get a notable from this correlation search the best way to triage it is by investigating the affected systems against Log4Shell exploitation using Splunk SOAR playbooks. how_to_implement = To implement this correlation search a user needs to enable all detections in the Log4Shell Analytic Story and confirm it is generation risk events. A simple search `index=risk analyticstories="Log4Shell CVE-2021-44228"` should contain events. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command And Control", "Delivery", "Installation"], "mitre_attack": ["T1105", "T1190", "T1059"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command And Control", "Delivery", "Installation"], "mitre_attack": ["T1105", "T1190", "T1059", "T1133"], "nist": ["DE.AE"]} known_false_positives = There are no known false positive for this search, but it could contain false positives as multiple detections can trigger and not have successful exploitation. providing_technologies = null @@ -7060,7 +7065,7 @@ asset_type = Endpoint confidence = medium explanation = The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell. Paths include: `\HttpProxy\owa\auth\`, `\inetpub\wwwroot\aspnet_client\`, and `\HttpProxy\OAB\`. The analytic is limited to process name MSExchangeMailboxReplication.exe, which typically does not write .aspx files to disk. Upon triage, the suspicious .aspx file will likely look obvious on the surface. inspect the contents for script code inside. Identify additional log sources, IIS included, to review source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically analytics to detect those threats are written without the benefit of being able to only target those systems as well. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the exchange server is communicating with new systems that it has not previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise allowing the hunter to focus only on the systems where this behavioral change is relevant. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505", "T1505.003", "T1190"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505", "T1505.003", "T1190", "T1133"], "nist": ["DE.CM"]} known_false_positives = The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] @@ -7427,7 +7432,7 @@ asset_type = Endpoint confidence = medium explanation = A required step while exploiting the CVE-2021-44228-Log4j vulnerability is that the victim server will perform outbound connections to attacker-controlled infrastructure. This is required as part of the JNDI lookup as well as for retrieving the second stage .class payload. The following analytic identifies the Java process reaching out to default ports used by the LDAP and RMI protocols. This behavior could represent successfull exploitation. Note that adversaries can easily decide to use arbitrary ports for these protocols and potentially bypass this detection. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} known_false_positives = Legitimate Java applications may use perform outbound connections to these ports. Filter as needed providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] @@ -7447,7 +7452,7 @@ asset_type = Web Server confidence = medium explanation = The following hunting analytic is designed to monitor and detect potential exploitation attempts targeting a PaperCut NG server by analyzing its debug log data. By focusing on public IP addresses accessing the PaperCut NG instance, this analytic aims to identify unauthorized or suspicious access attempts. Furthermore, it searches for specific URIs that have been discovered in the proof of concept code, which are associated with known exploits or vulnerabilities. The analytic is focused on the user admin. Regex is used mainly because the log is not parsed by Splunk and there is no TA for this debug log. how_to_implement = Debug logs must be enabled and shipped to Splunk in order to properly identify behavior with this analytic. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]} known_false_positives = False positives may be present, as this is based on the admin user accessing the Papercut NG instance from a public IP address. Filter as needed. providing_technologies = null @@ -7518,7 +7523,8 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response" type = detection asset_type = Endpoint confidence = medium -explanation = The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution. +explanation = The following analytic is designed to identify possible lateral movement attacks that involve the spawning of a PowerShell process as a child or grandchild process of commonly abused processes. These processes include services.exe, wmiprsve.exe, svchost.exe, wsmprovhost.exe, and mmc.exe.\ +Such behavior is indicative of legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management, and the DCOM protocol being abused to start a process on a remote endpoint. This behavior is often seen during lateral movement techniques where adversaries or red teams abuse these services for lateral movement and remote code execution. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1021", "T1021.003", "T1021.006", "T1047", "T1053.005", "T1543.003", "T1059.001", "T1218.014"], "nist": ["DE.CM"]} known_false_positives = Legitimate applications may spawn PowerShell as a child process of the the identified processes. Filter as needed. @@ -7997,7 +8003,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response" type = detection asset_type = Endpoint confidence = medium -explanation = The search looks for modifications to registry keys that can be used to launch an application or service at system startup. +explanation = The search looks for modifications or alterations made to registry keys that have the potential to initiate the launch of an application or service during system startup. By monitoring and detecting modifications in these registry keys, we can identify suspicious or unauthorized changes that could be indicative of malicious activity. This proactive approach helps in safeguarding the system's integrity and security by promptly identifying and mitigating potential threats that aim to gain persistence or execute malicious actions during the startup process. how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.001", "T1547"], "nist": ["DE.CM"]} known_false_positives = There are many legitimate applications that must execute on system startup and will use these registry keys to accomplish that task. @@ -8417,7 +8423,10 @@ providing_technologies = null type = detection asset_type = Endpoint confidence = medium -explanation = The following query utilizes Windows Security EventCode 4698, `A scheduled task was created`, to identify suspicious tasks registered on Windows either via schtasks.exe OR TaskService with an arguments "HTTP" string that are unique entry of malware or attack that uses lolbin to download other file or payload to the infected machine. The search will return the first time and last time the task was registered, as well as the `Command` to be executed, `Task Name`, `Author`, `Enabled`, and whether it is `Hidden` or not. schtasks.exe is natively found in `C:\Windows\system32` and `C:\Windows\syswow64`. The following DLL(s) are loaded when schtasks.exe or TaskService is launched -`taskschd.dll`. If found loaded by another process, it is possible a scheduled task is being registered within that process context in memory. Upon triage, identify the task scheduled source. Was it schtasks.exe or via TaskService? Review the job created and the Command to be executed. Capture any artifacts on disk and review. Identify any parallel processes within the same timeframe to identify source.' +explanation = The following analytic detects the registration of suspicious tasks on Windows using the Windows Security EventCode 4698, "A scheduled task was created." It specifically looks for tasks registered through schtasks.exe or TaskService that have command arguments containing the string "HTTP." This behavior is often associated with malware or attacks that utilize Living off the Land binaries (lolbins) to download additional files or payloads to the compromised machine.\ +The search returns information about the task, such as the task name, command, author, enabled status, hidden status, and arguments. Upon triage, it is important to identify the source of the scheduled task, whether it was registered through schtasks.exe or TaskService. Review the details of the created task and the command to be executed. Capture relevant artifacts on disk and examine them. Additionally, identify any parallel processes occurring within the same timeframe to determine the source of the attack.\ +Implementing this analytic requires ingesting logs with information about task schedules, specifically Windows Security Log EventCode 4698, from your endpoints. It is recommended to tune and filter known instances of task schedules used in your environment to minimize false positives.\ +Detecting the registration of suspicious tasks with HTTP command arguments is valuable for a SOC as it indicates potential malicious activity or an attempt to establish persistence on the system. If a true positive is found, further investigation is warranted to analyze the nature and purpose of the scheduled task, identify any downloaded files or payloads, and mitigate the associated risks. The impact of a true positive can vary but may include data exfiltration, malware propagation, or unauthorized access to sensitive information. how_to_implement = To successfully implement this search, you need to be ingesting logs with the task schedule (Exa. Security Log EventCode 4698) endpoints. Tune and filter known instances of Task schedule used in your environment. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} known_false_positives = unknown @@ -8427,7 +8436,10 @@ providing_technologies = ["Microsoft Windows"] type = detection asset_type = Endpoint confidence = medium -explanation = The following query utilizes Windows Security EventCode 4698, `A scheduled task was created`, to identify suspicious tasks registered on Windows either via schtasks.exe OR TaskService with a command to be executed with a Rundll32. This technique is common in new trickbot that uses rundll32 to load is trickbot downloader. The search will return the first time and last time the task was registered, as well as the `Command` to be executed, `Task Name`, `Author`, `Enabled`, and whether it is `Hidden` or not. schtasks.exe is natively found in `C:\Windows\system32` and `C:\Windows\syswow64`. The following DLL(s) are loaded when schtasks.exe or TaskService is launched -`taskschd.dll`. If found loaded by another process, it is possible a scheduled task is being registered within that process context in memory. Upon triage, identify the task scheduled source. Was it schtasks.exe or via TaskService? Review the job created and the Command to be executed. Capture any artifacts on disk and review. Identify any parallel processes within the same timeframe to identify source.' +explanation = The following analytic detects the creation of suspicious tasks in Windows, specifically tasks using the rundll32 command. It's implemented using Windows Security EventCode 4698 for A scheduled task was created, and looks for tasks executed either via schtasks.exe or TaskService. This behavior is worth identifying as it is commonly used by malware, such as TrickBot, that leverages rundll32 to execute its downloader.\ +If a true positive is found, it suggests an attacker is trying to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes.\ +To implement this analytic, ensure you are ingesting logs with task schedule information from your endpoints. Be aware of potential false positives - legitimate uses of Task Scheduler in your environment may cause benign activities to be flagged.\ +Upon triage, review the scheduled task's source and the command to be executed. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. how_to_implement = To successfully implement this search, you need to be ingesting logs with the task schedule (Exa. Security Log EventCode 4698) endpoints. Tune and filter known instances of Task schedule used in your environment. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} known_false_positives = unknown @@ -8437,7 +8449,8 @@ providing_technologies = ["Microsoft Windows"] type = detection asset_type = Endpoint confidence = medium -explanation = This analytic looks for the execution of `at.exe` with command-line arguments utilized to create a Scheduled Task on a remote endpoint. Red Teams and adversaries alike may abuse the Task Scheduler for lateral movement and remote code execution. The `at.exe` binary internally leverages the AT protocol which was deprecated starting with Windows 8 and Windows Server 2012 but may still work on previous versions of Windows. Furthermore, attackers may enable this protocol on demand by changing a sytem registry key. +explanation = The following analytic detects the creation of suspicious tasks on a remote Windows endpoint using the at.exe command with command-line arguments. This technique is commonly used by red teams and adversaries for lateral movement and remote code execution. The at.exe binary leverages the deprecated AT protocol, which may still work on previous versions of Windows. Attackers can enable this protocol on demand by modifying a system registry key. It is important to consider potential false positives. While administrators may create scheduled tasks on remote systems, this activity is typically limited to a small set of hosts or users.\ +Identifying the creation of scheduled tasks on remote endpoints is crucial for a Security Operations Center (SOC) because it indicates potential unauthorized activity or an attacker attempting to establish persistence or execute malicious code. The impact of a true positive can be significant, leading to unauthorized access, data theft, or other damaging outcomes. During triage, investigate the source and purpose of the scheduled task, inspect relevant on-disk artifacts, and analyze concurrent processes to identify the extent of the attack and take appropriate response actions. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053", "T1053.002"], "nist": ["DE.CM"]} known_false_positives = Administrators may create scheduled tasks on remote systems, but this activity is usually limited to a small set of hosts or users. @@ -8447,17 +8460,17 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response" type = detection asset_type = Endpoint confidence = medium -explanation = The following analytic identifies the creation or deletion of a scheduled task using schtasks.exe with flags - create or delete being passed on the command-line. This has been associated with the Dragonfly threat actor, and the SUNBURST attack against Solarwinds. This analytic replaces "Scheduled Task used in BadRabbit Ransomware". +explanation = This analytic focuses on identifying the creation or deletion of scheduled tasks using the schtasks.exe utility with the corresponding command-line flags (-create or -delete). This technique has been notably associated with threat actors like Dragonfly and the SUNBURST attack against SolarWinds. The purpose of this analytic is to detect suspicious activity related to scheduled tasks that could indicate malicious intent or unauthorized system manipulation. By monitoring for these specific command-line flags, we can enhance our ability to identify potential threats and prevent attacks similar to the use of scheduled tasks in the BadRabbit Ransomware incident. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} -known_false_positives = It is possible scripts or administrators may trigger this analytic. Filter as needed based on parent process, application. +known_false_positives = While it is possible for legitimate scripts or administrators to trigger this behavior, filtering can be applied based on the parent process and application to reduce false positives. Analysts should reference the provided references to understand the context and threat landscape associated with this activity. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] [savedsearch://ESCU - Scheduled Task Initiation on Remote Endpoint - Rule] type = detection asset_type = Endpoint confidence = medium -explanation = This analytic looks for the execution of `schtasks.exe` with command-line arguments utilized to start a Scheduled Task on a remote endpoint. Red Teams and adversaries alike may abuse the Task Scheduler for lateral movement and remote code execution. +explanation = This analytic detects instances of 'schtasks.exe' being used to start a Scheduled Task on a remote endpoint. Adversaries often abuse the Task Scheduler for lateral movement and remote code execution. The search parameters include process details such as the process name, parent process, and command-line executions. Although legitimate administrators may start scheduled tasks on remote systems, this activity is usually limited to a small set of hosts or users. The findings from this analytic provide valuable insight into potentially malicious activities on an endpoint. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.CM"]} known_false_positives = Administrators may start scheduled tasks on remote systems, but this activity is usually limited to a small set of hosts or users. @@ -8467,30 +8480,30 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response" type = detection asset_type = Endpoint confidence = medium -explanation = This analytic identifies an on demand run of a Windows Schedule Task through shell or command-line. This technique has been used by adversaries that force to run their created Schedule Task as their persistence mechanism or for lateral movement as part of their malicious attack to the compromised machine. +explanation = The following analytic is designed to detect when a Windows Scheduled Task is executed on demand via shell or command line. Adversaries often force the execution of their created Scheduled Tasks for persistent access or lateral movement within a compromised machine. This analytic is driven by process-related data, specifically process name, parent process, and command-line executions, sourced from endpoint logs. The search criteria focus on 'schtasks.exe' with an associated 'run' command. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed schtasks.exe may be used. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} -known_false_positives = Administrators may use to debug Schedule Task entries. Filter as needed. +known_false_positives = Bear in mind, administrators debugging Scheduled Task entries may trigger this analytic, necessitating fine-tuning and filtering to distinguish between legitimate and potentially malicious use of 'schtasks.exe'. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] [savedsearch://ESCU - Schtasks scheduling job on remote system - Rule] type = detection asset_type = Endpoint confidence = medium -explanation = This analytic looks for the execution of `schtasks.exe` with command-line arguments utilized to create a Scheduled Task on a remote endpoint. Red Teams and adversaries alike may abuse the Task Scheduler for lateral movement and remote code execution. +explanation = The following analytic is designed to detect suspicious command-line arguments executed through 'schtasks.exe' to create a scheduled task on a remote endpoint. The analytic scans process data, checking for instances where 'schtasks.exe' has been used with specific command-line flags that suggest an attempt at lateral movement or remote code execution, common techniques employed by adversaries and red teams. Key data points include the process name, the specific command line used, the parent process name, the target destination, and the user involved. Also, timestamp data gives context to when these activities occurred. how_to_implement = You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the "process" field in the Endpoint data model. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} -known_false_positives = Administrators may create scheduled tasks on remote systems, but this activity is usually limited to a small set of hosts or users. It is important to validate and investigate as appropriate. +known_false_positives = While it is possible to have false positives, due to legitimate administrative tasks, these are usually limited and should still be validated and investigated as appropriate. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] [savedsearch://ESCU - Schtasks used for forcing a reboot - Rule] type = detection asset_type = Endpoint confidence = medium -explanation = This search looks for flags passed to schtasks.exe on the command-line that indicate that a forced reboot of system is scheduled. +explanation = The following analytic utilizes a Splunk query to pinpoint potential threats by monitoring the 'schtasks.exe' command-line usage. This particular command, especially when used in tandem with 'shutdown' and '/create' flags, can suggest an adversarial force intending to schedule unwarranted system reboots. The query focuses on endpoint process data and retrieves details such as the process name, the parent process name, the destination, and the user involved. Essential to the investigation are the earliest and latest timestamps of these events, providing an activity timeline. Data such as the targeted host and initiating user offer valuable context for analyst. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} -known_false_positives = Administrators may create jobs on systems forcing reboots to perform updates, maintenance, etc. +known_false_positives = This analytic may also capture legitimate administrative activities such as system updates or maintenance tasks, which can be classified as false positives. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] [savedsearch://ESCU - Screensaver Event Trigger Execution - Rule] @@ -8507,7 +8520,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response" type = detection asset_type = Endpoint confidence = medium -explanation = This search looks for scripts launched via WMI. +explanation = The following analytic is designed to detect the potential misuse of Windows Management Instrumentation (WMI) for malicious purposes. WMI can be utilized by adversaries to execute scripts, a method often employed for maintaining stealth while carrying out malicious activities. The process 'scrcons.exe', integral to executing WMI scripts, is primarily monitored by this analytic. The underlying threat lies in the fact that successful execution of a malicious script can lead to numerous negative outcomes, including system compromise, data exfiltration, or the establishment of persistence. It's essential for cybersecurity analysts to remain vigilant towards unexpected or isolated script executions via WMI, as such instances often signal suspicious activities or potential security breaches. Although uncommon, administrators may occasionally use WMI to launch scripts for legitimate purposes. Therefore, discerning malicious activities from benign ones is crucial in this context. how_to_implement = You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the "process" field in the Endpoint data model. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} known_false_positives = Although unlikely, administrators may use wmi to launch scripts for legitimate purposes. Filter as needed. @@ -8638,7 +8651,10 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response" type = detection asset_type = Endpoint confidence = medium -explanation = The following analytic leverages Windows Security EventCode 4698, `A scheduled task was created` and Windows Security EventCode 4699, `A scheduled task was deleted` to identify scheduled tasks created and deleted in less than 30 seconds. This behavior may represent a lateral movement attack abusing the Task Scheduler to obtain code execution. Red Teams and adversaries alike may abuse the Task Scheduler for lateral movement and remote code execution. +explanation = The following analytic utilizes Windows Security EventCode 4698, "A scheduled task was created," and EventCode 4699, "A scheduled task was deleted," to identify scheduled tasks that are created and deleted within a short time frame of less than 30 seconds. This behavior is indicative of a potential lateral movement attack where the Task Scheduler is abused to achieve code execution. Both red teams and adversaries may exploit the Task Scheduler for lateral movement and remote code execution.\ +To implement this analytic, ensure that you are ingesting Windows Security Event Logs with EventCode 4698 enabled. Additionally, the Windows TA (Technology Add-on) is required to parse and extract the necessary information from the logs.\ +It's important to note that while uncommon, legitimate applications may create and delete scheduled tasks within a short duration. Analysts should filter the results based on the specific context and environment to reduce false positives.\ +Identifying short-lived scheduled tasks is valuable for a SOC as it can indicate malicious activities attempting to move laterally or execute unauthorized code on Windows systems. By detecting and investigating these events, security analysts can respond promptly to prevent further compromise and mitigate potential risks. The impact of a true positive could range from unauthorized access to data exfiltration or the execution of malicious payloads. how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005"], "nist": ["DE.CM"]} known_false_positives = Although uncommon, legitimate applications may create and delete a Scheduled Task within 30 seconds. Filter as needed. @@ -9013,7 +9029,7 @@ providing_technologies = null type = detection asset_type = Endpoint confidence = medium -explanation = The following analytic will detect a suspicious process running in a file path where a process is not commonly seen and is most commonly used by malicious software. This behavior has been used by adversaries where they drop and run an exe in a path that is accessible without admin privileges. +explanation = This analytic identifies a suspicious processes running in file paths that are not typically associated with legitimate software. Adversaries often employ this technique to drop and execute malicious executables in accessible locations that do not require administrative privileges. By monitoring for processes running in such unconventional file paths, we can identify potential indicators of compromise and proactively respond to malicious activity. This analytic plays a crucial role in enhancing system security by pinpointing suspicious behaviors commonly associated with malware and unauthorized software execution. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543"], "nist": ["DE.CM"]} known_false_positives = Administrators may allow execution of specific binaries in non-standard paths. Filter as needed. @@ -9093,10 +9109,11 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response" type = detection asset_type = Endpoint confidence = medium -explanation = The following detection identifies Scheduled Tasks registering (creating a new task) a binary or script to run from a public directory which includes users\public, \programdata\ and \windows\temp. Upon triage, review the binary or script in the command line for legitimacy, whether an approved binary/script or not. In addition, capture the binary or script in question and analyze for further behaviors. Identify the source and contain the endpoint. +explanation = The following analytic, "Suspicious Scheduled Task from Public Directory", detects the registration of scheduled tasks aimed to execute a binary or script from public directories, a behavior often associated with malware deployment. It utilizes the Sysmon Event ID 1 data source, searching for instances where schtasks.exe is connected with the directories users\public, \programdata\, or \windows\temp and involves the /create command.\ +The registration of such scheduled tasks in public directories could suggest that an attacker is trying to maintain persistence or execute malicious scripts. If confirmed as a true positive, this could lead to data compromise, unauthorized access, and potential lateral movement within the network. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.AE"]} -known_false_positives = Limited false positives may be present. Filter as needed by parent process or command line argument. +known_false_positives = The main source of false positives could be the legitimate use of scheduled tasks from these directories. Careful tuning of this search may be necessary to suit the specifics of your environment, reducing the rate of false positives. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] [savedsearch://ESCU - Suspicious SearchProtocolHost no Command Line Arguments - Rule] @@ -9163,7 +9180,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response" type = detection asset_type = Endpoint confidence = medium -explanation = The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity. +explanation = The following analytic is designed to spot instances of 'svchost.exe' initiating a Living Off The Land Binaries and Scripts (LOLBAS) execution process. Often, adversaries manipulate Task Scheduler to execute code on remote endpoints, resulting in the spawning of a malicious command as a child process of 'svchost.exe'. By tracking child processes of 'svchost.exe' that align with the LOLBAS project, potential lateral movement activity can be detected. The analytic examines process details, including the process name, parent process, and command-line executions. A comprehensive list of LOLBAS processes is included in the search parameters. Although the analytic might catch legitimate applications exhibiting this behavior, these instances should be filtered accordingly. The findings from this analytic offer valuable insight into potentially malicious activities on an endpoint. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.CM"]} known_false_positives = Legitimate applications may trigger this behavior, filter as needed. @@ -9920,7 +9937,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response" type = detection asset_type = Endpoint confidence = medium -explanation = The following analytic identifies a non-chrome process accessing Chrome extensions file. This file stores various settings and information related to the browser's extensions on your computer. Threat actor, adversaries and malware author also abused this file to attempt to extract sensitive information from the chrome browser of the target host. This anomaly detection can be a good pivot of analysis for suspicious process aside from chrome.exe and explorer.exe executable. +explanation = This analytic focuses on identifying non-chrome processes that attempt to access the Chrome extensions file. This file contains crucial settings and information related to the browser's extensions installed on the computer. Adversaries and malware authors have been known to exploit this file to extract sensitive information from the Chrome browser on targeted hosts. Detecting such anomalous behavior provides valuable insights for analyzing suspicious processes beyond the commonly observed chrome.exe and explorer.exe executables. By monitoring for access to the Chrome extensions file by non-chrome processes, we can enhance our ability to detect potential threats and protect sensitive information stored within the browser. how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} known_false_positives = Uninstall chrome browser extension application may access this file and folder path to removed chrome installation in the target host. Filter is needed. @@ -9930,7 +9947,7 @@ providing_technologies = ["Microsoft Windows"] type = detection asset_type = Endpoint confidence = medium -explanation = The following analytic identifies a non-chrome process accessing Chrome user data "local state" file. This file stores various settings and information related to the browser's operation on your computer. Threat actor, adversaries and malware author also abused this file to attempt to extract the encrypted master key to decrypt password saved in chrome browser. This anomaly detection can be a good pivot of analysis for suspicious process aside from chrome.exe and explorer.exe executable. +explanation = This analytic is designed to detect non-chrome processes accessing the Chrome user data file called "local state." This file contains important settings and information related to the browser's operations on the computer. Threat actors, adversaries, and malware authors have been known to exploit this file in attempts to extract the encrypted master key used for decrypting passwords saved in the Chrome browser. Detecting access to the "local state" file by non-chrome processes serves as a valuable pivot for analyzing suspicious processes beyond the commonly observed chrome.exe and explorer.exe executables. By monitoring for this anomaly, we can improve our ability to identify potential threats and safeguard sensitive information stored within the browser. how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} known_false_positives = Uninstall chrome application may access this file and folder path to removed chrome installation in target host. Filter is needed. @@ -9940,7 +9957,7 @@ providing_technologies = ["Microsoft Windows"] type = detection asset_type = Endpoint confidence = medium -explanation = The following analytic identifies a non-chrome process accessing Chrome user data "login data" file. This sqlite db file stores various information related to the browser's operation on your computer. Threat actor, adversaries and malware author also abused this file to attempt to extract and decrypt password saved in chrome browser. This anomaly detection can be a good pivot of analysis for suspicious process aside from chrome.exe and explorer.exe executable. +explanation = This analytic is designed to identify non-chrome processes accessing the Chrome user data file called "login data." This SQLite database file contains important information related to the browser's operations on the computer. Threat actors, adversaries, and malware authors have been known to exploit this file in attempts to extract and decrypt passwords saved in the Chrome browser. Detecting access to the "login data" file by non-chrome processes serves as a valuable pivot for analyzing suspicious processes beyond the commonly observed chrome.exe and explorer.exe executables. By monitoring for this anomaly, we can enhance our ability to detect potential threats and protect sensitive information stored within the browser. how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} known_false_positives = Uninstall application may access this registry to remove the entry of the target application. filter is needed. @@ -10402,6 +10419,16 @@ annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives known_false_positives = Unknown at this point providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] +[savedsearch://ESCU - Windows Files and Dirs Access Rights Modification Via Icacls - Rule] +type = detection +asset_type = Endpoint +confidence = medium +explanation = This analytic aims to identify potential adversaries who manipulate the security permissions of specific files or directories. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. By modifying the security permissions, adversaries seek to evade detection and impede access to their component files. Such actions indicate a deliberate effort to maintain control over compromised systems and hinder investigation or remediation efforts. Detecting these security permission changes can serve as a valuable indicator of an ongoing attack and enable timely response to mitigate the impact of the adversary's activities. +how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed icacls.exe may be used. +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222.001", "T1222"], "nist": ["DE.CM"]} +known_false_positives = Unknown. It is possible some administrative scripts use ICacls. Filter as needed. +providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] + [savedsearch://ESCU - Windows Findstr GPP Discovery - Rule] type = detection asset_type = Endpoint @@ -10466,7 +10493,7 @@ providing_technologies = ["Microsoft Windows"] type = detection asset_type = Endpoint confidence = medium -explanation = The following query utilizes Windows Security EventCode 4698, A scheduled task was created, to identify suspicious tasks registered on Windows either via schtasks.exe OR TaskService with a hidden settings that are unique entry of malware like industroyer2 or attack that uses lolbin to download other file or payload to the infected machine. +explanation = The following analytic detects creation of hidden scheculed tasks such that it this task is not visible on the UI. Such behavior is indicative of certain malware, such as Industroyer2, or attacks leveraging living-off-the-land binaries (LOLBINs) to download additional payloads to a compromised machine. This analytic relies on the Windows Security EventCode 4698, indicating the creation of a scheduled task. The search focuses on identifying instances where the 'Hidden' setting is enabled, signaling potential nefarious activity. To implement this search, you need to ingest logs with task scheduling details from your endpoints. As false positives are currently unknown, it is advised to tune and filter based on the known use of task scheduling in your environment. This analytic provides crucial visibility into stealthy, potentially harmful scheduled tasks on Windows systems. how_to_implement = To successfully implement this search, you need to be ingesting logs with the task schedule (Exa. Security Log EventCode 4698) endpoints. Tune and filter known instances of Task schedule used in your environment. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} known_false_positives = unknown @@ -10775,7 +10802,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic identifies the process name of java.exe and w3wp.exe spawning a Windows shell. This is potentially indicative of exploitation of the Java application and may be related to current event CVE-2021-44228 (Log4Shell). The shells included in the macro are "cmd.exe", "powershell.exe". Upon triage, review parallel processes and command-line arguments to determine legitimacy. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. Restrict the analytic to publicly facing endpoints to reduce false positives. Add any additional identified web application process name to the query. Add any further Windows process names to the macro (ex. LOLBins) to further expand this query. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} known_false_positives = Filtering may be required on internal developer build systems or classify assets as web facing and restrict the analytic based on that. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] @@ -11392,7 +11419,7 @@ asset_type = Endpoint confidence = medium explanation = The following analytic is designed to detect instances where the PaperCut NG application (pc-app.exe) spawns a Windows shell, specifically cmd.exe or PowerShell. This behavior may indicate potential malicious activity, such as an attacker attempting to gain unauthorized access or execute harmful commands on the affected system. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1059", "T1190"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1059", "T1190", "T1133"], "nist": ["DE.CM"]} known_false_positives = False positives may be present, but most likely not. Filter as needed. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] @@ -11520,6 +11547,16 @@ annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Explo known_false_positives = administrators may execute this command that may cause some false positive. providing_technologies = ["Microsoft Windows"] +[savedsearch://ESCU - Windows PowerShell ScheduleTask - Rule] +type = detection +asset_type = Endpoint +confidence = medium +explanation = The following analytic detects potential malicious activities related to PowerShell's task scheduling cmdlets. It looks for anomalies in PowerShell logs, specifically EventCode 4104, associated with script block logging. The analytic flags unusual or suspicious use patterns of key task-related cmdlets such as 'New-ScheduledTask', 'Set-ScheduledTask', and others, which are often used by attackers for persistence and remote execution of malicious code. If a true positive is found, it suggests an possible attacker is attempting to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, PowerShell Script Block Logging needs to be enabled on some or all endpoints. Analysts should be aware of benign administrative tasks that can trigger alerts and tune the analytic accordingly to reduce false positives. Upon triage, review the PowerShell logs for any unusual or unexpected cmdlet usage, IP addresses, user accounts, or timestamps. If these factors align with known malicious behavior patterns, immediate mitigation steps, such as isolation of the affected systems, user account changes, and relevant threat hunting activities, should be initiated. This proactive analysis significantly enhances an organization's capacity to swiftly respond to, and potentially prevent, the execution of advanced persistent threats in their network. +how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1059.001", "T1059"], "nist": ["DE.AE"]} +known_false_positives = Benign administrative tasks can also trigger alerts, necessitating a firm understanding of the typical system behavior and precise tuning of the analytic to reduce false positives. +providing_technologies = ["Microsoft Windows"] + [savedsearch://ESCU - Windows PowerShell WMI Win32 ScheduledJob - Rule] type = detection asset_type = Endpoint @@ -11814,7 +11851,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response" type = detection asset_type = Endpoint confidence = medium -explanation = The following analytic identifies a process attempting to delete a scheduled task SD (Security Descriptor) from within the registry path of that task. This may occur from a non-standard process running and may not come from reg.exe. This particular behavior will remove the actual Task Name from the Task Scheduler GUI and from the command-line query - schtasks.exe /query. In addition, in order to perform this action, the user context will need to be SYSTEM. +explanation = The following analytic identifies a process attempting to delete a scheduled task SD (Security Descriptor) from within the registry path of that task. This may occur from a non-standard process running and may not come from reg.exe. This particular behavior will remove the actual Task Name from the Task Scheduler GUI and from the command-line query - schtasks.exe /query. In addition, in order to perform this action, the user context will need to be SYSTEM.\ Identifying the deletion of a scheduled task's Security Descriptor from the registry is significant for a SOC as it may indicate malicious activity attempting to remove evidence of a scheduled task, potentially for defense evasion purposes. If a true positive is detected, it suggests an attacker with privileged access attempting to remove traces of their activities, which can have a significant impact on the security and functionality of affected systems. Immediate investigation and response are required to mitigate further risks and preserve the integrity of the environment. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1562"], "nist": ["DE.AE"]} known_false_positives = False positives should be limited as the activity is not common to delete ONLY the SD from the registry. Filter as needed. Update the analytic Modified or Deleted values based on product that is in the datamodel. @@ -11974,7 +12011,8 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response" type = detection asset_type = Endpoint confidence = medium -explanation = The following analytic identifies the creation of a scheduled task using schtasks.exe, with the flags -create being passed on the command-line along with an XML parameter. This technique has been associated with threat actors, adversaries, and red teamers seeking to gain persistence or achieve privilege escalation on targeted hosts. Notably, the Trickbot and Winter-Vivern malware have been observed employing this method, utilizing an XML file to create scheduled tasks. It is important to monitor and investigate such activity in order to mitigate potential security risks. +explanation = The following analytic detects the creation of suspicious scheduled tasks in Windows, specifically tasks created using schtasks.exe with the -create flag and an XML parameter in the command-line. This technique is commonly employed by threat actors, adversaries, and red teamers to establish persistence or achieve privilege escalation on targeted hosts. Notably, malware like Trickbot and Winter-Vivern have been observed using XML files to create scheduled tasks. Monitoring and investigating this activity is crucial to mitigate potential security risks. It is important to be aware that scripts or administrators may trigger this analytic, leading to potential false positives. To minimize false positives, adjust the filter based on the parent process or application.\ +When a true positive is detected, it suggests an attacker's attempt to gain persistence or execute additional malicious payloads, potentially resulting in data theft, ransomware, or other damaging outcomes. During triage, review the source of the scheduled task, the command to be executed, and capture any relevant on-disk artifacts. Analyze concurrent processes to identify the source of the attack. This analytic enables analysts to detect and respond to potential threats early, mitigating the associated risks effectively. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} known_false_positives = It is possible scripts or administrators may trigger this analytic. Filter as needed based on parent process, application. @@ -11984,17 +12022,18 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response" type = detection asset_type = Endpoint confidence = medium -explanation = The following analytic identifies Schtasks.exe creating a new task with highest privilege execution. This techniques was seen in asyncrat where it uses the scheduled task as part of it persistence and privilege escalation. AsyncRAT will setup a scheduled task with parameter '/rl' and 'highest' to trigger this technique. This TTP detection can be a good indicator of malware or adversaries trying to gain persistence and privilege escalation through scheduled task. We recommend to always check and monitoring this type of events even filtering is needed. +explanation = The following analytic detects the creation of a new task with the highest execution privilege via Schtasks.exe. This tactic is often observed in AsyncRAT attacks, where the scheduled task is used for persistence and privilege escalation. AsyncRAT sets up a scheduled task with parameters '/rl' and 'highest', triggering this technique. It's a strong indicator of potential malware or adversaries seeking to establish persistence and escalate privileges through scheduled tasks. This is crucial for a Security Operations Center (SOC) as it can prevent unauthorized system access and potential data breaches.\ +The analytic works by monitoring logs for process name, parent process, and command-line executions. In the presence of the '*/rl ' and ' highest *' commands in a schtasks.exe process, an alert is triggered. how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.CM"]} -known_false_positives = False positives will be limited to legitimate applications creating a task to run as SYSTEM. Filter as needed based on parent process, or modify the query to have world writeable paths to restrict it. +known_false_positives = False positives may arise from legitimate applications that create tasks to run as SYSTEM. Therefore, it's recommended to adjust filters based on parent process or modify the query to include world writable paths for restriction. providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] [savedsearch://ESCU - Windows Schtasks Create Run As System - Rule] type = detection asset_type = Endpoint confidence = medium -explanation = The following analytic identifies Schtasks.exe creating a new task to start and run as an elevated user - SYSTEM. This is commonly used by adversaries to spawn a process in an elevated state. +explanation = The following analytic identifies the creation of a new task to start and run as an elevated user - SYSTEM using Schtasks.exe. This behavior is commonly used by adversaries to spawn a process in an elevated state. If a true positive is found, it suggests an attacker is attempting to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. Upon triage, review the scheduled task's source and the command to be executed. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} known_false_positives = False positives will be limited to legitimate applications creating a task to run as SYSTEM. Filter as needed based on parent process, or modify the query to have world writeable paths to restrict it. @@ -12414,7 +12453,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response" type = detection asset_type = Endpoint confidence = medium -explanation = The following analytic identifies Windows commandline to shutdown a windows host machine. This technique was seen in several APT, RAT like dcrat and other commodity malware to shutdown the machine to add more impact, interrupt access, aid destruction of the system like wiping disk or inhibit system recovery. This TTP is a good pivot to check why application trigger this commandline which is not so common way to shutdown a machine. +explanation = This detection rule is designed to identify the execution of the Windows shutdown command via command line interface. The shutdown command can be utilized by system administrators to properly halt, power off, or reboot a computer. However, in a security context, attackers who have gained unauthorized access to a system may also use this command in an effort to erase tracks, or to cause disruption and denial of service. In some instances, they might execute the shutdown command after installing a backdoor, to force the system to restart, ensuring that changes take effect or evading detection by security tools. Monitoring for the use of the Windows shutdown command, especially in conjunction with other unusual or unauthorized activities, can be an important part of identifying malicious behavior within a network. It is advised that security professionals analyze the context in which the shutdown command is being executed to differentiate between legitimate administrative functions and potentially malicious activity. how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1529"], "nist": ["DE.AE"]} known_false_positives = Administrator may execute this commandline to trigger shutdown or restart the host machine. @@ -12640,7 +12679,10 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response" type = detection asset_type = Endpoint confidence = medium -explanation = The following query utilizes Windows Security EventCode 4698, `A scheduled task was created`, to identify suspicious tasks registered on Windows either via schtasks.exe OR TaskService with a command to be executed with a native Windows shell (PowerShell, Cmd, Wscript, Cscript).\ The search will return the first time and last time the task was registered, as well as the `Command` to be executed, `Task Name`, `Author`, `Enabled`, and whether it is `Hidden` or not.\ schtasks.exe is natively found in `C:\Windows\system32` and `C:\Windows\syswow64`.\ The following DLL(s) are loaded when schtasks.exe or TaskService is launched -`taskschd.dll`. If found loaded by another process, it is possible a scheduled task is being registered within that process context in memory.\ Upon triage, identify the task scheduled source. Was it schtasks.exe or via TaskService? Review the job created and the Command to be executed. Capture any artifacts on disk and review. Identify any parallel processes within the same timeframe to identify source. +explanation = The following query utilizes Windows Security EventCode 4698, indicating 'a scheduled task was created', to identify potentially suspicious tasks. These tasks may be registered on Windows through either schtasks.exe or TaskService, and are set up to execute a command with a native Windows shell such as PowerShell, Cmd, Wscript, or Cscript.\ +The search will return the initial and final times the task was registered, along with details like the 'Command' set to be executed, 'Task Name', 'Author', whether it's 'Enabled', and if it is 'Hidden'.\ +Schtasks.exe is typically found in C:\Windows\system32 and C:\Windows\syswow64. The DLL 'taskschd.dll' is loaded when either schtasks.exe or TaskService is launched. If this DLL is found loaded by another process, it's possible that a scheduled task is being registered within the context of that process in memory.\ +During triage, it's essential to identify the source of the scheduled task. Was it registered via schtasks.exe or TaskService? Review the job that was created and the command set to be executed. It's also recommended to capture and review any artifacts on disk, and identify any parallel processes within the same timeframe to locate the source. how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} known_false_positives = False positives are possible if legitimate applications are allowed to register tasks that call a shell to be spawned. Filter as needed based on command-line or processes that are used legitimately. @@ -12650,7 +12692,10 @@ providing_technologies = ["Microsoft Windows"] type = detection asset_type = Endpoint confidence = medium -explanation = The following query utilizes Windows Security EventCode 4698, `A scheduled task was created`, to identify suspicious tasks registered on Windows either via schtasks.exe OR TaskService with a command to be executed from a user writeable file path.\ The search will return the first time and last time the task was registered, as well as the `Command` to be executed, `Task Name`, `Author`, `Enabled`, and whether it is `Hidden` or not.\ schtasks.exe is natively found in `C:\Windows\system32` and `C:\Windows\syswow64`.\ The following DLL(s) are loaded when schtasks.exe or TaskService is launched -`taskschd.dll`. If found loaded by another process, it is possible a scheduled task is being registered within that process context in memory.\ Upon triage, identify the task scheduled source. Was it schtasks.exe or was it via TaskService. Review the job created and the Command to be executed. Capture any artifacts on disk and review. Identify any parallel processes within the same timeframe to identify source. +explanation = The following analytic utilizes Windows Security EventCode 4698, which indicates the creation of a scheduled task on a Windows system. The purpose of this query is to identify suspicious tasks that have been registered using either schtasks.exe or TaskService and involve executing a command from a user-writable file path.\ +When this analytic is triggered, it provides information such as the first and last registration time of the task, the command to be executed, the task name, author, and whether it is set as hidden or not. It is worth noting that schtasks.exe is commonly located in C:\Windows\system32 and C:\Windows\syswow64, and it loads the taskschd.dll DLL when launched. If this DLL is loaded by another process, it suggests that a scheduled task may be registered within that process's context in memory.\ +During the triage process, it is essential to identify the source of the scheduled task creation, whether it was initiated through schtasks.exe or TaskService. The analyst should review the task that was created, including the command to be executed. Additionally, any artifacts on disk related to the task should be captured and analyzed. It is also recommended to identify any parallel processes that occurred within the same timeframe to determine the source of the task creation.\ +By conducting this triage process, security analysts can gain insights into potentially malicious or suspicious scheduled tasks, helping them identify the source and assess the impact of the task. This analytic is valuable for a Security Operations Center (SOC) as it can detect unauthorized or suspicious activity that could indicate an attacker's attempt to establish persistence or execute unauthorized commands on the system.\ how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} known_false_positives = False positives are possible if legitimate applications are allowed to register tasks in public paths. Filter as needed based on paths that are used legitimately. @@ -12660,7 +12705,11 @@ providing_technologies = ["Microsoft Windows"] type = detection asset_type = Endpoint confidence = medium -explanation = The following hunting analytic assists with identifying suspicious tasks that have been registered and ran in Windows using EventID 200 (action run) and 201 (action completed). It is recommended to filter based on ActionName by specifying specific paths not used in your environment. After some basic tuning, this may be effective in capturing evasive ways to register tasks on Windows. Review parallel events related to tasks being scheduled. EventID 106 will generate when a new task is generated, however, that does not mean it ran. Capture any files on disk and analyze. +explanation = The following hunting analytic aims to identify suspicious tasks that have been registered and executed in Windows using EventID 200 (action run) and 201 (action completed) from the Windows Task Scheduler logs. This analytic helps detect evasive techniques used to register tasks on Windows systems. It is recommended to filter the results based on the ActionName field by specifying specific paths that are not commonly used in your environment.\ +After implementing this analytic, it is important to review parallel events related to the scheduled tasks. EventID 106 will be generated when a new task is created, but it does not necessarily mean that the task has been executed. Analysts should capture any files on disk associated with the task and perform further analysis.\ +To implement this analytic, Task Scheduler logs must be collected. This can be done by adding a stanza for [WinEventLog://Microsoft-Windows-TaskScheduler/Operational] in the inputs.conf file and setting renderXml=false. It is worth noting that not translating the logs into XML may require specific extraction of items from the Message field.\ +False positives are expected with this analytic, so it is important to filter the results based on the paths or specific keywords of interest in the ActionName field to reduce noise.\ +Identifying and analyzing scheduled tasks that have been executed is crucial for a Security Operations Center (SOC) as it helps detect potentially malicious or unauthorized activities on Windows systems. By capturing and investigating the associated events, analysts can uncover signs of persistence mechanisms, unauthorized code execution, or suspicious behaviors. The impact of a true positive could range from unauthorized access to data exfiltration or the execution of malicious payloads. how_to_implement = Task Scheduler logs are required to be collected. Enable logging with inputs.conf by adding a stanza for [WinEventLog://Microsoft-Windows-TaskScheduler/Operational] and renderXml=false. Note, not translating it in XML may require a proper extraction of specific items in the Message. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005"], "nist": ["DE.AE"]} known_false_positives = False positives will be present. Filter based on ActionName paths or specify keywords of interest. @@ -12720,7 +12769,7 @@ providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response" type = detection asset_type = Endpoint confidence = medium -explanation = This search looks for the creation of WMI permanent event subscriptions. +explanation = The following analytic seeks to detect the creation of Windows Management Instrumentation (WMI) permanent event subscriptions, a technique often used by adversaries for persistence. Such a subscription allows for the execution of specified scripts or binaries in response to defined system events, potentially enabling malicious activities to persist unnoticed. The analytic uses Sysmon Event ID 5 data, specifically focusing on instances where consumers of these events are not the expected "NTEventLogEventConsumer." Although WMI event subscriptions can be used legitimately by administrators, unusual or unexpected subscription creation should be treated as suspicious. Analysts need to be cognizant of the potential for false positives in legitimate administrative activities and should understand WMI activity within the context of the monitored environment. how_to_implement = To successfully implement this search, you must be ingesting the Windows WMI activity logs. This can be done by adding a stanza to inputs.conf on the system generating logs with a title of [WinEventLog://Microsoft-Windows-WMI-Activity/Operational]. annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} known_false_positives = Although unlikely, administrators may use event subscriptions for legitimate purposes. @@ -13038,7 +13087,7 @@ providing_technologies = null type = detection asset_type = Endpoint confidence = medium -explanation = This search detects SIGRed via Splunk Stream. +explanation = The following analytic is an experimental search designed to identify SIGRed exploitation attempts. SIGRed is a severe, wormable, remote code execution vulnerability in Windows DNS servers, identified as CVE-2020-1350. This analytic specifically looks for DNS SIG and KEY records, and TCP payloads larger than 65KB - potential indicators of the SIGRed exploit. It requires ingestion of both Splunk Stream DNS and TCP data. The search does rely on macro definitions for 'stream:dns' and 'stream:tcp', which should be replaced with appropriate configurations tailored to your Splunk environment. how_to_implement = You must be ingesting Splunk Stream DNS and Splunk Stream TCP. We are detecting SIG and KEY records via stream:dns and TCP payload over 65KB in size via stream:tcp. Replace the macro definitions ('stream:dns' and 'stream:tcp') with configurations for your Splunk environment. annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1203"], "nist": ["DE.CM"]} known_false_positives = unknown @@ -13106,7 +13155,7 @@ asset_type = Web Server confidence = medium explanation = The following analytic identifies a recent unauthenticated remote code execution vulnerablity against the F5 BIG-IP iControl REST API. The analytic identifies the URI path found in the POCs and the HTTP Method of POST. In addition, the request header will have the commands that may be executed in fields utilcmdargs and the auth field of X-F5-Auth-Token, which may have a random base64 encoded value. how_to_implement = To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} known_false_positives = False positives may be present if the activity is blocked or was not successful. Filter known vulnerablity scanners. Filter as needed. providing_technologies = null @@ -13309,7 +13358,7 @@ asset_type = Web Server confidence = medium explanation = The following analytic assists with identifying CVE-2022-26134 based exploitation utilizing the Web datamodel to cover network and CIM compliant web logs. The parameters were captured from live scanning and the POC provided by Rapid7. This analytic is written against multiple proof of concept codes released and seen in the wild (scanning). During triage, review any endpoint based logs for further activity including writing a jsp file to disk and commands/processes spawning running as root from the Confluence process. how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache or Splunk for Nginx. In addition, network based logs or event data like PAN Threat. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505", "T1190"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505", "T1190", "T1133"], "nist": ["DE.CM"]} known_false_positives = Tune based on assets if possible, or restrict to known Confluence servers. Remove the ${ for a more broad query. To identify more exec, remove everything up to the last parameter (Runtime().exec) for a broad query. providing_technologies = null @@ -13319,7 +13368,7 @@ asset_type = Web Server confidence = medium explanation = This search looks for specific GET or HEAD requests to web servers that are indicative of reconnaissance attempts to identify vulnerable JBoss servers. JexBoss is described as the exploit tool of choice for this malicious activity. how_to_implement = You must be ingesting data from the web server or network traffic that contains web specific information, and populating the Web data model. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1082"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1082", "T1133"], "nist": ["DE.CM"]} known_false_positives = It's possible for legitimate HTTP requests to be made to URLs containing the suspicious paths. providing_technologies = null @@ -13349,7 +13398,7 @@ asset_type = Web Server confidence = medium explanation = The following analytic identifies activity related to Text4Shell, or the critical vulnerability CVE-2022-42889 in Apache Commons Text Library. Apache Commons Text versions 1.5 through 1.9 are affected, but it has been patched in version 1.10. The analytic may need to be tuned for your environment before enabling as a TTP, or direct Notable. Apache Commons Text is a Java library described as a library focused on algorithms working on strings. We can see it as a general-purpose text manipulation toolkit. This vulnerability affects the StringSubstitutor interpolator class, which is included in the Commons Text library. A default interpolator allows for string lookups that can lead to Remote Code Execution. This is due to a logic flaw that makes the script, dns, and url lookup keys interpolated by default, as opposed to what it should be, according to the documentation of the StringLookupFactory class. Those keys allow an attacker to execute arbitrary code via lookups. how_to_implement = To implement, one must be collecting network traffic that is normalized in CIM and able to be queried via the Web datamodel. Or, take the chunks out needed and tie to a specific network source type to hunt in. Tune as needed, or remove the other_lookups statement. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505.003", "T1505", "T1190"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505.003", "T1505", "T1190", "T1133"], "nist": ["DE.AE"]} known_false_positives = False positives are present when the values are set to 1 for utf and lookup. It's possible to raise this to TTP (direct notable) if removal of other_lookups occur and Score is raised to 2 (down from 4). providing_technologies = null @@ -13359,7 +13408,7 @@ asset_type = Network confidence = medium explanation = The following analytic identifies a recent CVE-2022-39952 released publicly where the URI configWizard/keyUpload.jsp recieves a POST with the payload.zip, from there the POC script will schedule a cron to run the payload and contact the remote C2. how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} known_false_positives = False positives may be present. Modify the query as needed to POST, or add additional filtering (based on log source). providing_technologies = null @@ -13373,7 +13422,7 @@ Update networking configurations to reroute traffic. \ Download the system configuration. \ Initiate packet captures to capture other sensitive system information. Reference Horizon3.ai how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache. Splunk for Nginx, or Splunk for Palo Alto. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} known_false_positives = GET requests will be noisy and need to be filtered out or removed from the query based on volume. Restrict analytic to known publically facing Fortigates, or run analytic as a Hunt until properly tuned. It is also possible the user agent may be filtered on Report Runner or Node.js only for the exploit, however, it is unknown at this if other user agents may be used. providing_technologies = null @@ -13393,7 +13442,7 @@ lookup matching is meant to catch some basic obfuscation that has been identifie Scoring will then occur based on any findings. The base score is meant to be 2 , created by jndi_fastmatch. Everything else is meant to increase that score. \ Finally, a simple table is created to show the scoring and the _raw field. Sort based on score or columns of interest. how_to_implement = Out of the box, the Web datamodel is required to be pre-filled. However, tested was performed against raw httpd access logs. Change the first line to any dataset to pass the regex's against. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]} known_false_positives = It is highly possible you will find false positives, however, the base score is set to 2 for _any_ jndi found in raw logs. tune and change as needed, include any filtering. providing_technologies = null @@ -13403,7 +13452,7 @@ asset_type = Endpoint confidence = medium explanation = CVE-2021-44228 Log4Shell payloads can be injected via various methods, but on of the most common vectors injection is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them are specially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various part of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. If you see results for this detection, it means that there was a attempt at a injection, which could be a reconnaissance activity or a valid expliotation attempt, but this does not exactly mean that the host was indeed successfully exploited. how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache or Splunk for Nginx. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]} known_false_positives = If there is a vulnerablility scannner looking for log4shells this will trigger, otherwise likely to have low false positives. providing_technologies = null @@ -13413,7 +13462,7 @@ asset_type = Endpoint confidence = medium explanation = CVE-2021-44228 Log4Shell payloads can be injected via various methods, but on of the most common vectors injection is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them are specially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various part of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we match the invocation function with a network connection to a malicious ip address. how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache or Splunk for Nginx. -annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]} known_false_positives = If there is a vulnerablility scannner looking for log4shells this will trigger, otherwise likely to have low false positives. providing_technologies = null @@ -13433,7 +13482,7 @@ asset_type = Web Server confidence = medium explanation = The following analytic is designed to detect potential exploitation attempts on publicly accessible PaperCut NG servers. It identifies connections from public IP addresses to the server and specifically monitors for URI paths commonly found in proof-of-concept (POC) scripts for exploiting PaperCut NG vulnerabilities. These URI paths have been observed in both Metasploit modules and standalone scripts used for attacking PaperCut NG servers. When a public IP address is detected accessing one or more of these suspicious URI paths, an alert may be generated to notify the security team of the potential threat. The team can then investigate the source IP address, the targeted PaperCut NG server, and any other relevant information to determine the nature of the activity and take appropriate actions to mitigate the risk. how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} known_false_positives = False positives may be present, filter as needed. providing_technologies = null @@ -13443,7 +13492,7 @@ asset_type = Web Server confidence = medium explanation = The following correlation will identify activity related to Windows Exchange being actively exploited by adversaries related to ProxyShell or ProxyNotShell. In addition, the analytic correlates post-exploitation Cobalt Strike analytic story. Common post-exploitation behavior has been seen in the wild includes adversaries running nltest, Cobalt Strike, Mimikatz and adding a new user. The correlation specifically looks for 5 distinct analyticstories to trigger. Modify or tune as needed for your organization. 5 analytics is an arbitrary number but was chosen to reduce the amount of noise but also require the 2 analytic stories or a ProxyShell and CobaltStrike to fire. Adversaries will exploit the vulnerable Exchange server, abuse SSRF, drop a web shell, utilize the PowerShell Exchange modules and begin post-exploitation. how_to_implement = To implement this correlation, you will need to enable ProxyShell, ProxyNotShell and Cobalt Strike analytic stories (the anaytics themselves) and ensure proper data is being collected for Web and Endpoint datamodels. Run the correlation rule seperately to validate it is not triggering too much or generating incorrectly. Validate by running ProxyShell POC code and Cobalt Strike behavior. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]} known_false_positives = False positives will be limited, however tune or modify the query as needed. providing_technologies = null @@ -13453,7 +13502,7 @@ asset_type = Web Server confidence = medium explanation = The following analytic is static indicators related to CVE-2022-22963, Spring4Shell. The 3 indicators provide an amount of fidelity that source IP is attemping to exploit a web shell on the destination. The filename and cmd are arbitrary in this exploitation. Java will write a JSP to disk and a process will spawn from Java based on the cmd passed. This is indicative of typical web shell activity. how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505.003", "T1505", "T1190"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505.003", "T1505", "T1190", "T1133"], "nist": ["DE.CM"]} known_false_positives = The jsp file names are static names used in current proof of concept code. = providing_technologies = null @@ -13473,7 +13522,7 @@ asset_type = Web Server confidence = medium explanation = This search aims to detect the Supernova webshell used in the SUNBURST attack. how_to_implement = To successfully implement this search, you need to be monitoring web traffic to your Solarwinds Orion. The logs should be ingested into splunk and populating/mapped to the Web data model. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505.003"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505.003", "T1133"], "nist": ["DE.CM"]} known_false_positives = There might be false positives associted with this detection since items like args as a web argument is pretty generic. providing_technologies = null @@ -13496,7 +13545,7 @@ asset_type = Web Server confidence = medium explanation = The following hunting analytic identifies the server side template injection related to CVE-2022-22954, however is a variation found within the same endpoint of the URL scheme. how_to_implement = To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]} known_false_positives = False positives may be present if the activity is blocked or was not successful. Filter known vulnerablity scanners. Filter as needed. providing_technologies = null @@ -13506,7 +13555,7 @@ asset_type = Web Server confidence = medium explanation = The following analytic identifies the server side template injection related to CVE-2022-22954. Based on the scanning activity across the internet and proof of concept code available the template injection occurs at catalog-portal/ui/oauth/verify?error=&deviceudid=. Upon triage, review parallel processes and VMware logs. Following the deviceudid= may be a command to be executed. Capture any file creates and review modified files on disk. how_to_implement = To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]} +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]} known_false_positives = False positives may be present if the activity is blocked or was not successful. Filter known vulnerablity scanners. Filter as needed. providing_technologies = null @@ -13516,7 +13565,7 @@ asset_type = Web Server confidence = medium explanation = The following analytic identifies the common URL requests used by a recent CVE - CVE-2022-22965, or Spring4Shell, to access a webshell on the remote webserver. The filename and cmd are arbitrary in this exploitation. Java will write a JSP to disk and a process will spawn from Java based on the cmd passed. This is indicative of typical web shell activity. how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505.003", "T1505", "T1190"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505.003", "T1505", "T1190", "T1133"], "nist": ["DE.CM"]} known_false_positives = False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to servers. providing_technologies = null @@ -13526,7 +13575,7 @@ asset_type = Web Server confidence = medium explanation = The following analytic identifies the payload related to Spring4Shell, CVE-2022-22965. This analytic uses Splunk Stream HTTP to view the http request body, form data. STRT reviewed all the current proof of concept code and determined the commonality with the payloads being passed used the same fields "class.module.classLoader.resources.context.parent.pipeline.first". how_to_implement = To successfully implement this search, you need to be ingesting logs with the stream HTTP logs or network logs that catch network traffic. Make sure that the http-request-body, payload, or request field is enabled. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} known_false_positives = False positives may occur and filtering may be required. Restrict analytic to asset type. providing_technologies = null @@ -13536,7 +13585,7 @@ asset_type = Web Server confidence = medium explanation = The following analytic identifies activity related to the web application Spring Cloud Function that was recently idenfied as vulnerable. This is CVE-2022-22963. Multiple proof of concept code was released. The URI that is hit includes `functionrouter`. The specifics of the exploit include a status of 500. In this query we did not include it, but for filtering you can add Web.status=500. The exploit data itself (based on all the POCs) is located in the form_data field. This field will include all class.modules being called. how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} known_false_positives = False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to servers. providing_technologies = null @@ -13546,7 +13595,7 @@ asset_type = Web server confidence = medium explanation = The following analytic utilizes the Web datamodel and identifies the ProxyShell or ProxyNotShell abuse. This vulnerability is a Server Side Request Forgery (SSRF) vulnerability, which is a web vulnerability that allows an adversary to exploit vulnerable functionality to access server side or local network services by affectively traversing the external firewall using vulnerable web functionality. This analytic looks for the URI path and query of autodiscover, powershell and mapi along with a POST occurring. It will tally a simple score and show the output of the events that match. This analytic may be added to by simply creating a new eval statement and modifying the hardcode digit for Score. how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic, Exchange OR IIS logs, mapped to `Web` datamodel in the `Web` node. In addition, confirm the latest CIM App 4.20 or higher is installed. -annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} known_false_positives = False positives are limited. providing_technologies = null @@ -13662,6 +13711,17 @@ searches = ["ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Detec description = Leverage searches that allow you to detect and investigate unusual activities that might relate to the AgentTesla malware including .chm application child process, ftp/smtp connection, persistence and many more. AgentTesla is one of the advanced remote access trojans (RAT) that are capable of stealing sensitive information from the infected or targeted host machine. It can collect various types of data, including browser profile information, keystrokes, capture screenshots and vpn credentials. AgentTesla has been active malware since 2014 and often delivered as a malicious attachment in phishing emails.It is also the top malware in 2021 based on the CISA report. narrative = Adversaries or threat actor may use this malware to maximize the impact of infection on the target organization in operations where network wide availability interruption is the goal. +[analytic_story://Amadey] +category = Malware +last_updated = 2023-06-16 +version = 1 +references = ["https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey", "https://darktrace.com/blog/amadey-info-stealer-exploiting-n-day-vulnerabilities"] +maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] +spec_version = 3 +searches = ["ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Files and Dirs Access Rights Modification Via Icacls - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"] +description = This analytic story contains searches that aims to detect activities related to Amadey, a type of malware that primarily operates as a banking Trojan. It is designed to steal sensitive information such as login credentials, credit card details, and other financial data from infected systems. The malware typically targets Windows-based computers. +narrative = Amadey is one of the active trojans that are capable of stealing sensitive information via its from the infected or targeted host machine. It can collect various types of data, including browser profile information, clipboard data, capture screenshots and system information. Adversaries or threat actors may use this malware to maximize the impact of infection on the target organization in operations where data collection and exfiltration is the goal. The primary function is to steal information and further distribute malware. It aims to extract a variety of information from infected devices and attempts to evade the detection of security measures by reducing the volume of data exfiltration compared to that seen in other malicious instances. + [analytic_story://Apache Struts Vulnerability] category = Vulnerability last_updated = 2018-12-06 @@ -14257,7 +14317,7 @@ version = 1 references = ["https://www.splunk.com/en_us/blog/security/approaching-kubernetes-security-detecting-kubernetes-scan-with-splunk.html"] maintainers = [{"company": "Splunk", "email": "-", "name": "Rod Soto"}] spec_version = 3 -searches = ["ESCU - Kubernetes AWS detect most active service accounts by pod - Rule", "ESCU - Kubernetes AWS detect RBAC authorization by account - Rule", "ESCU - Kubernetes AWS detect sensitive role access - Rule", "ESCU - Kubernetes Azure active service accounts by pod namespace - Rule", "ESCU - Kubernetes Azure detect RBAC authorization by account - Rule", "ESCU - Kubernetes Azure detect sensitive role access - Rule", "ESCU - Kubernetes GCP detect most active service accounts by pod - Rule", "ESCU - Kubernetes GCP detect RBAC authorizations by account - Rule", "ESCU - Kubernetes GCP detect sensitive role access - Rule", "ESCU - Get Notable History - Response Task"] +searches = ["ESCU - Kubernetes AWS detect most active service accounts by pod - Rule", "ESCU - Kubernetes AWS detect sensitive role access - Rule", "ESCU - Kubernetes Azure active service accounts by pod namespace - Rule", "ESCU - Kubernetes Azure detect RBAC authorization by account - Rule", "ESCU - Kubernetes Azure detect sensitive role access - Rule", "ESCU - Kubernetes GCP detect most active service accounts by pod - Rule", "ESCU - Kubernetes GCP detect RBAC authorizations by account - Rule", "ESCU - Kubernetes GCP detect sensitive role access - Rule", "ESCU - Get Notable History - Response Task"] description = This story addresses detection and response around Sensitive Role usage within a Kubernetes clusters against cluster resources and namespaces. narrative = Kubernetes is the most used container orchestration platform, this orchestration platform contains sensitive roles within its architecture, specifically configmaps and secrets, if accessed by an attacker can lead to further compromise. These searches allow operator to detect suspicious requests against Kubernetes role activities @@ -14548,6 +14608,17 @@ narrative = Google Cloud Platform (GCP) admins manage access to GCP resources an In between the time between when the temporary credentials are issued and when they expire is a period of opportunity, where a user could leverage the temporary credentials to wreak havoc-spin up or remove instances, create new users, elevate privileges, and other malicious activities-throughout the environment.\ This Analytic Story includes searches that will help you monitor your GCP Audit logs logs for evidence of suspicious cross-account activity. For example, while accessing multiple GCP accounts and roles may be perfectly valid behavior, it may be suspicious when an account requests privileges of an account it has not accessed in the past. After identifying suspicious activities, you can use the provided investigative searches to help you probe more deeply. +[analytic_story://Graceful Wipe Out Attack] +category = Data Destruction +last_updated = 2023-06-15 +version = 1 +references = ["https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/"] +maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] +spec_version = 3 +searches = ["ESCU - Anomalous usage of 7zip - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - CMD Echo Pipe - Escalation - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Deleting Of Net Users - Rule", "ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - DLLHost with no Command Line Arguments with Network - Rule", "ESCU - Domain Account Discovery With Net App - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - GPUpdate with no Command Line Arguments with Network - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - SAM Database File Access Attempt - Rule", "ESCU - SearchProtocolHost with no Command Line with Network - Rule", "ESCU - SecretDumps Offline NTDS Dumping Tool - Rule", "ESCU - Services Escalate Exe - Rule", "ESCU - Suspicious DLLHost no Command Line Arguments - Rule", "ESCU - Suspicious GPUpdate no Command Line Arguments - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", "ESCU - Suspicious Rundll32 StartW - Rule", "ESCU - Suspicious SearchProtocolHost no Command Line Arguments - Rule", "ESCU - Windows AdFind Exe - Rule", "ESCU - Windows Process Injection Remote Thread - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows Service Stop By Deletion - Rule", "ESCU - Windows Service Stop Via Net and SC Application - Rule"] +description = This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive attack or campaign found by "THE DFIR Report" that uses Truebot, FlawedGrace and MBR killer malware. This analytic story looks for suspicious dropped files, cobalt strike execution, im-packet execution, registry modification, scripts, persistence, lateral movement, impact, exfiltration and recon. +narrative = Graceful Wipe Out Attack is a destructive malware campaign found by "The DFIR Report" targeting multiple organizations to collect, exfiltrate and wipe the data of targeted networks. This malicious payload corrupts or wipes Master Boot Records by using an NSIS script after the exfiltration of sensitive information from the targeted host or system. + [analytic_story://HAFNIUM Group] category = Adversary Tactics last_updated = 2021-03-03 @@ -15274,10 +15345,29 @@ version = 1 references = ["https://cert.gov.ua/article/3718487", "https://attack.mitre.org/groups/G0034/"] maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}] spec_version = 3 -searches = ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Icacls Deny Command - Rule", "ESCU - Linux Iptables Firewall Modification - Rule", "ESCU - Linux Kworker Process In Writable Process Path - Rule", "ESCU - Local Account Discovery with Net - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - Permission Modification using Takeown App - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Windows DNS Gather Network Info - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"] +searches = ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Icacls Deny Command - Rule", "ESCU - Linux Iptables Firewall Modification - Rule", "ESCU - Linux Kworker Process In Writable Process Path - Rule", "ESCU - Local Account Discovery with Net - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - Permission Modification using Takeown App - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Windows DNS Gather Network Info - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", "ESCU - Windows System Shutdown CommandLine - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"] description = This analytic story features detections that enable security analysts to identify and investigate unusual activities potentially related to the destructive malware and tools employed by the "Sandworm" group. This analytic story focuses on monitoring suspicious process executions, command-line activities, Master Boot Record (MBR) wiping, data destruction, and other related indicators. narrative = The Sandworm group's tools are part of destructive malware operations designed to disrupt or attack Ukraine's National Information Agencies. This operation campaign consists of several malware components, including scripts, native Windows executables (LOLBINs), data wiper malware that overwrites or destroys the Master Boot Record (MBR), and file wiping using sdelete.exe on targeted hosts. +[analytic_story://Scheduled Tasks] +category = Adversary Tactics +last_updated = 2023-06-12 +version = 1 +references = ["https://attack.mitre.org/techniques/T1053/"] +maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] +spec_version = 3 +searches = ["ESCU - Linux Add Files In Known Crontab Directories - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux Possible Append Command To At Allow Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - Randomly Generated Scheduled Task Name - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Scheduled Task Initiation on Remote Endpoint - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Schtasks used for forcing a reboot - Rule", "ESCU - Short Lived Scheduled Task - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Svchost LOLBAS Execution Process Spawn - Rule", "ESCU - Windows Enable Win32 ScheduledJob via Registry - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows PowerShell ScheduleTask - Rule", "ESCU - Windows Registry Delete Task SD - Rule", "ESCU - Windows Scheduled Task Created Via XML - Rule", "ESCU - Windows Scheduled Task with Highest Privileges - Rule", "ESCU - Windows Schtasks Create Run As System - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"] +description = The MITRE ATT&CK technique T1053 refers to Scheduled Task/Job. Adversaries might use task scheduling utilities to execute programs or scripts at a predefined date and time. This method is often used for persistence but can also be used for privilege escalation or to execute tasks under certain conditions. Scheduling tasks can be beneficial for an attacker as it can allow them to execute actions at times when the system is less likely to be monitored actively. Different operating systems have different utilities for task scheduling, for example, Unix-like systems have Cron, while Windows has Scheduled Tasks and At Jobs. +narrative = MITRE ATT&CK technique T1053, labeled "Scheduled Task/Job", is a categorization of methods that adversaries use to execute malicious code by scheduling tasks or jobs on a system. This technique is widely utilized for persistence, privilege escalation, and the remote execution of tasks. The technique is applicable across various environments and platforms, including Windows, Linux, and macOS.\ +The technique consists of multiple sub-techniques, each highlighting a distinct mechanism for scheduling tasks or jobs. These sub-techniques include T1053.001 (Scheduled Task), T1053.002 (At for Windows), T1053.003 (Cron), T1053.004 (Launchd), T1053.005 (At for Linux), and T1053.006 (Systemd Timers).\ +Scheduled Task (T1053.001) focuses on adversaries' methods for scheduling tasks on a Windows system to maintain persistence or escalate privileges. These tasks can be set to execute at specified times, in response to particular events, or after a defined time interval.\ +The At command for Windows (T1053.002) enables administrators to schedule tasks on a Windows system. Adversaries may exploit this command to execute programs at system startup or at a predetermined schedule for persistence.\ +Cron (T1053.003) is a built-in job scheduler found in Unix-like operating systems. Adversaries can use cron jobs to execute programs at system startup or on a scheduled basis for persistence.\ +Launchd (T1053.004) is a service management framework present in macOS. Adversaries may utilize launchd to maintain persistence on macOS systems by setting up daemons or agents to execute at specific times or in response to defined events.\ +The At command for Linux (T1053.005) enables administrators to schedule tasks on a Linux system. Adversaries can use this command to execute programs at system startup or on a scheduled basis for persistence.\ +Systemd Timers (T1053.006) offer a means of scheduling tasks on Linux systems using systemd. Adversaries can use systemd timers to execute programs at system startup or on a scheduled basis for persistence.\ +Detection and mitigation strategies vary for each sub-technique. For instance, monitoring the creation of scheduled tasks or looking for uncorrelated changes to tasks that do not align with known software or patch cycles can be effective for detecting malicious activity related to this technique. Mitigation strategies may involve restricting permissions and applying application control solutions to prevent adversaries from scheduling tasks. + [analytic_story://Signed Binary Proxy Execution InstallUtil] category = Adversary Tactics last_updated = 2021-11-12 diff --git a/dist/escu/default/app.conf b/dist/escu/default/app.conf index 5a6c39bb3a..ef00fdbffe 100644 --- a/dist/escu/default/app.conf +++ b/dist/escu/default/app.conf @@ -4,7 +4,7 @@ is_configured = false state = enabled state_change_requires_restart = false -build = 15163 +build = 15542 [triggers] reload.analytic_stories = simple @@ -20,7 +20,7 @@ reload.es_investigations = simple [launcher] author = Splunk -version = 4.5.1 +version = 4.6.0 description = Explore the Analytic Stories included with ES Content Updates. [ui] diff --git a/dist/escu/default/collections.conf b/dist/escu/default/collections.conf index d5e9560bbe..bbf07f9bf6 100644 --- a/dist/escu/default/collections.conf +++ b/dist/escu/default/collections.conf @@ -1,6 +1,6 @@ ############# # Automatically generated by generator.py in splunk/security_content -# On Date: 2023-06-22T18:50:57 UTC +# On Date: 2023-06-27T23:22:58 UTC # Author: Splunk Security Research # Contact: research@splunk.com ############# diff --git a/dist/escu/default/content-version.conf b/dist/escu/default/content-version.conf index 301adb5a96..c7fe720331 100644 --- a/dist/escu/default/content-version.conf +++ b/dist/escu/default/content-version.conf @@ -1,2 +1,2 @@ [content-version] -version = 4.5.1 +version = 4.6.0 diff --git a/dist/escu/default/es_investigations.conf b/dist/escu/default/es_investigations.conf index 2a6dcd14ad..b93e9d86b1 100644 --- a/dist/escu/default/es_investigations.conf +++ b/dist/escu/default/es_investigations.conf @@ -1,6 +1,6 @@ ############# # Automatically generated by generator.py in splunk/security_content -# On Date: 2023-06-22T18:50:57 UTC +# On Date: 2023-06-27T23:22:58 UTC # Author: Splunk Security Research # Contact: research@splunk.com ############# diff --git a/dist/escu/default/macros.conf b/dist/escu/default/macros.conf index e5806ca6fe..bf149b8181 100644 --- a/dist/escu/default/macros.conf +++ b/dist/escu/default/macros.conf @@ -1,6 +1,6 @@ ############# # Automatically generated by generator.py in splunk/security_content -# On Date: 2023-06-22T18:50:57 UTC +# On Date: 2023-06-27T23:22:58 UTC # Author: Splunk Security Research # Contact: research@splunk.com ############# @@ -1109,10 +1109,6 @@ description = Update this macro to limit the output results to filter out false definition = search * description = Update this macro to limit the output results to filter out false positives. -[kubernetes_aws_detect_rbac_authorization_by_account_filter] -definition = search * -description = Update this macro to limit the output results to filter out false positives. - [kubernetes_aws_detect_sensitive_role_access_filter] definition = search * description = Update this macro to limit the output results to filter out false positives. @@ -4089,6 +4085,10 @@ description = Update this macro to limit the output results to filter out false definition = search * description = Update this macro to limit the output results to filter out false positives. +[windows_files_and_dirs_access_rights_modification_via_icacls_filter] +definition = search * +description = Update this macro to limit the output results to filter out false positives. + [windows_findstr_gpp_discovery_filter] definition = search * description = Update this macro to limit the output results to filter out false positives. @@ -4521,6 +4521,10 @@ description = Update this macro to limit the output results to filter out false definition = search * description = Update this macro to limit the output results to filter out false positives. +[windows_powershell_scheduletask_filter] +definition = search * +description = Update this macro to limit the output results to filter out false positives. + [windows_powershell_wmi_win32_scheduledjob_filter] definition = search * description = Update this macro to limit the output results to filter out false positives. diff --git a/dist/escu/default/savedsearches.conf b/dist/escu/default/savedsearches.conf index ef58535ab6..1e7d6d5232 100644 --- a/dist/escu/default/savedsearches.conf +++ b/dist/escu/default/savedsearches.conf @@ -1,6 +1,6 @@ ############# # Automatically generated by generator.py in splunk/security_content -# On Date: 2023-06-22T18:50:57 UTC +# On Date: 2023-06-27T23:22:58 UTC # Author: Splunk Security Research # Contact: research@splunk.com ############# @@ -2836,10 +2836,10 @@ search = `amazon_security_lake` api.operation=DescribeEventAggregates src_endpo [ESCU - ASL AWS CreateAccessKey - Rule] action.escu = 0 action.escu.enabled = 1 -description = This search looks for AWS CloudTrail events where a user A who has already permission to create access keys, makes an API call to create access keys for another user B. Attackers have been know to use this technique for Privilege Escalation in case new victim(user B) has more permissions than old victim(user B) +description = This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it's important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don't typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1078"], "nist": ["DE.AE"]} action.escu.data_models = [] -action.escu.eli5 = This search looks for AWS CloudTrail events where a user A who has already permission to create access keys, makes an API call to create access keys for another user B. Attackers have been know to use this technique for Privilege Escalation in case new victim(user B) has more permissions than old victim(user B) +action.escu.eli5 = This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it's important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don't typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting. action.escu.how_to_implement = You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format. action.escu.known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user. action.escu.creation_date = 2022-05-23 @@ -3384,10 +3384,10 @@ search = `cloudtrail` eventName=CreatePolicyVersion eventSource = iam.amazonaws. [ESCU - AWS CreateAccessKey - Rule] action.escu = 0 action.escu.enabled = 1 -description = This search looks for AWS CloudTrail events where a user A who has already permission to create access keys, makes an API call to create access keys for another user B. Attackers have been know to use this technique for Privilege Escalation in case new victim(user B) has more permissions than old victim(user B) +description = This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it's important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don't typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting. action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1136.003", "T1136"], "nist": ["DE.AE"]} action.escu.data_models = [] -action.escu.eli5 = This search looks for AWS CloudTrail events where a user A who has already permission to create access keys, makes an API call to create access keys for another user B. Attackers have been know to use this technique for Privilege Escalation in case new victim(user B) has more permissions than old victim(user B) +action.escu.eli5 = This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it's important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don't typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting. action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. action.escu.known_false_positives = While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user. action.escu.creation_date = 2022-03-03 @@ -6485,10 +6485,10 @@ search = `azuread` "body.operationName"="Add member to role" | rename body.prop [ESCU - Azure AD Privileged Role Assigned to Service Principal - Rule] action.escu = 0 action.escu.enabled = 1 -description = The following analytic +description = The following analytic is geared towards detecting potential privilege escalation threats in Azure Active Directory (AD). It identifies instances where privileged roles, which hold elevated permissions, are assigned to Service Principals. These non-human entities that can access Azure resources could be exploited in an attack scenario, leading to unauthorized access or malicious activities. The analytic runs a specific search within the ingested Azure AD events, specifically leveraging the AuditLogs log category. Keep in mind, however, that there could be false positives, as administrators may legitimately assign privileged roles to Service Principals. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1098", "T1098.003"], "nist": ["DE.CM"]} action.escu.data_models = [] -action.escu.eli5 = The following analytic +action.escu.eli5 = The following analytic is geared towards detecting potential privilege escalation threats in Azure Active Directory (AD). It identifies instances where privileged roles, which hold elevated permissions, are assigned to Service Principals. These non-human entities that can access Azure resources could be exploited in an attack scenario, leading to unauthorized access or malicious activities. The analytic runs a specific search within the ingested Azure AD events, specifically leveraging the AuditLogs log category. Keep in mind, however, that there could be false positives, as administrators may legitimately assign privileged roles to Service Principals. action.escu.how_to_implement = You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. Specifically, this analytic leverages the AuditLogs log category. action.escu.known_false_positives = Administrators may legitimately assign the privileged roles to Service Principals as part of administrative tasks. Filter as needed. action.escu.creation_date = 2023-04-28 @@ -6513,7 +6513,7 @@ action.correlationsearch.annotations = {"analytic_story": ["Azure Active Directo schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic +action.notable.param.rule_description = The following analytic is geared towards detecting potential privilege escalation threats in Azure Active Directory (AD). It identifies instances where privileged roles, which hold elevated permissions, are assigned to Service Principals. These non-human entities that can access Azure resources could be exploited in an attack scenario, leading to unauthorized access or malicious activities. The analytic runs a specific search within the ingested Azure AD events, specifically leveraging the AuditLogs log category. Keep in mind, however, that there could be false positives, as administrators may legitimately assign privileged roles to Service Principals. action.notable.param.rule_title = Azure AD Privileged Role Assigned to Service Principal action.notable.param.security_domain = identity action.notable.param.severity = high @@ -11478,41 +11478,6 @@ realtime_schedule = 0 is_visible = false search = `aws_cloudwatchlogs_eks` user.groups{}=system:serviceaccounts objectRef.resource=pods | table sourceIPs{} user.username userAgent verb annotations.authorization.k8s.io/decision | top sourceIPs{} user.username verb annotations.authorization.k8s.io/decision |`kubernetes_aws_detect_most_active_service_accounts_by_pod_filter` -[ESCU - Kubernetes AWS detect RBAC authorization by account - Rule] -action.escu = 0 -action.escu.enabled = 1 -description = WARNING, this detection has been marked deprecated by the Splunk Threat Research team, this means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding top to see both extremes of RBAC by accounts occurrences -action.escu.mappings = {"cis20": ["CIS 10"], "nist": ["DE.AE"]} -action.escu.data_models = [] -action.escu.eli5 = This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding top to see both extremes of RBAC by accounts occurrences -action.escu.how_to_implement = You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs -action.escu.known_false_positives = Not all RBAC Authorications are malicious. RBAC authorizations can uncover malicious activity specially if sensitive Roles have been granted. -action.escu.creation_date = 2020-06-23 -action.escu.modification_date = 2020-06-23 -action.escu.confidence = high -action.escu.full_search_name = ESCU - Kubernetes AWS detect RBAC authorization by account - Rule -action.escu.search_type = detection -action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] -action.escu.providing_technologies = null -action.escu.analytic_story = ["Kubernetes Sensitive Role Activity"] -cron_schedule = 0 * * * * -dispatch.earliest_time = -70m@m -dispatch.latest_time = -10m@m -action.correlationsearch.enabled = 1 -action.correlationsearch.label = ESCU - Deprecated - Kubernetes AWS detect RBAC authorization by account - Rule -action.correlationsearch.annotations = {"analytic_story": ["Kubernetes Sensitive Role Activity"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "nist": ["DE.AE"]} -schedule_window = auto -alert.digest_mode = 1 -disabled = true -enableSched = 1 -allow_skew = 100% -counttype = number of events -relation = greater than -quantity = 0 -realtime_schedule = 0 -is_visible = false -search = `aws_cloudwatchlogs_eks` annotations.authorization.k8s.io/reason=* | table sourceIPs{} user.username userAgent annotations.authorization.k8s.io/reason | stats count by user.username annotations.authorization.k8s.io/reason | rare user.username annotations.authorization.k8s.io/reason |`kubernetes_aws_detect_rbac_authorization_by_account_filter` - [ESCU - Kubernetes AWS detect sensitive role access - Rule] action.escu = 0 action.escu.enabled = 1 @@ -13177,10 +13142,10 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime [ESCU - Access LSASS Memory for Dump Creation - Rule] action.escu = 0 action.escu.enabled = 1 -description = Detect memory dumping of the LSASS process. +description = The following analytic is designed to detect potentially malicious activities involving the Local Security Authority Subsystem Service (LSASS) process. Specifically, it identifies when the LSASS process memory is being dumped, an action often associated with credential dumping attacks. This analytic leverages Sysmon logs, particularly those with EventCode 10 related to lsass.exe. It searches for indicators of LSASS memory dumping, such as specific call traces to dbgcore.dll and dbghelp.dll. While memory dumps can be legitimate administrative tasks, LSASS memory dumps are typically unusual and warrant investigation. To implement this analytic, ensure your Sysmon setup includes EventCode 10 logging for lsass.exe and customize the provided macros (sysmon and post-filter macro) to match your specific Splunk environment configuration. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} action.escu.data_models = [] -action.escu.eli5 = Detect memory dumping of the LSASS process. +action.escu.eli5 = The following analytic is designed to detect potentially malicious activities involving the Local Security Authority Subsystem Service (LSASS) process. Specifically, it identifies when the LSASS process memory is being dumped, an action often associated with credential dumping attacks. This analytic leverages Sysmon logs, particularly those with EventCode 10 related to lsass.exe. It searches for indicators of LSASS memory dumping, such as specific call traces to dbgcore.dll and dbghelp.dll. While memory dumps can be legitimate administrative tasks, LSASS memory dumps are typically unusual and warrant investigation. To implement this analytic, ensure your Sysmon setup includes EventCode 10 logging for lsass.exe and customize the provided macros (sysmon and post-filter macro) to match your specific Splunk environment configuration. action.escu.how_to_implement = This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10 for lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. action.escu.known_false_positives = Administrators can create memory dumps for debugging purposes, but memory dumps of the LSASS process would be unusual. action.escu.creation_date = 2019-12-06 @@ -13205,7 +13170,7 @@ action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping"] schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = Detect memory dumping of the LSASS process. +action.notable.param.rule_description = The following analytic is designed to detect potentially malicious activities involving the Local Security Authority Subsystem Service (LSASS) process. Specifically, it identifies when the LSASS process memory is being dumped, an action often associated with credential dumping attacks. This analytic leverages Sysmon logs, particularly those with EventCode 10 related to lsass.exe. It searches for indicators of LSASS memory dumping, such as specific call traces to dbgcore.dll and dbghelp.dll. While memory dumps can be legitimate administrative tasks, LSASS memory dumps are typically unusual and warrant investigation. To implement this analytic, ensure your Sysmon setup includes EventCode 10 logging for lsass.exe and customize the provided macros (sysmon and post-filter macro) to match your specific Splunk environment configuration. action.notable.param.rule_title = Access LSASS Memory for Dump Creation action.notable.param.security_domain = endpoint action.notable.param.severity = high @@ -13765,14 +13730,14 @@ action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following detection identifies a 7z.exe spawned from `Rundll32.exe` or `Dllhost.exe`. It is assumed that the adversary has brought in `7z.exe` and `7z.dll`. It has been observed where an adversary will rename `7z.exe`. Additional coverage may be required to identify the behavior of renamed instances of `7z.exe`. During triage, identify the source of injection into `Rundll32.exe` or `Dllhost.exe`. Capture any files written to disk and analyze as needed. Review parallel processes for additional behaviors. Typically, archiving files will result in exfiltration. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. action.escu.known_false_positives = False positives should be limited as this behavior is not normal for `rundll32.exe` or `dllhost.exe` to spawn and run 7zip. -action.escu.creation_date = 2021-04-22 -action.escu.modification_date = 2021-04-22 +action.escu.creation_date = 2023-06-13 +action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - Anomalous usage of 7zip - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Cobalt Strike", "NOBELIUM Group"] +action.escu.analytic_story = ["Cobalt Strike", "NOBELIUM Group", "Graceful Wipe Out Attack"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. This behavior is indicative of suspicious loading of 7zip. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 64}] @@ -13783,7 +13748,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Anomalous usage of 7zip - Rule -action.correlationsearch.annotations = {"analytic_story": ["Cobalt Strike", "NOBELIUM Group"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Cobalt Strike", "NOBELIUM Group", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1560.001", "T1560"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -13891,10 +13856,10 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime [ESCU - Attacker Tools On Endpoint - Rule] action.escu = 0 action.escu.enabled = 1 -description = This search looks for execution of commonly used attacker tools on an endpoint. +description = The following analytic aims to identify the use of tools commonly exploited by cybercriminals. The use of these tools often signals nefarious activities like unauthorized access, network scanning, or data exfiltration, representing a significant threat to an organization's security infrastructure. By examining process activity on the host, particularly those processes corresponding to known attacker tool names, this analytic serves as an early warning system for potential security incidents. However, its precision must be balanced with the understanding that some administrative activities might also trigger alerts, resulting in false positives. This underlines the importance of cyber analysts having a clear understanding of typical endpoint activities and behaviors within their organization, enabling them to accurately interpret and respond to these alerts. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Reconnaissance"], "mitre_attack": ["T1036.005", "T1036", "T1003", "T1595"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search looks for execution of commonly used attacker tools on an endpoint. +action.escu.eli5 = The following analytic aims to identify the use of tools commonly exploited by cybercriminals. The use of these tools often signals nefarious activities like unauthorized access, network scanning, or data exfiltration, representing a significant threat to an organization's security infrastructure. By examining process activity on the host, particularly those processes corresponding to known attacker tool names, this analytic serves as an early warning system for potential security incidents. However, its precision must be balanced with the understanding that some administrative activities might also trigger alerts, resulting in false positives. This underlines the importance of cyber analysts having a clear understanding of typical endpoint activities and behaviors within their organization, enabling them to accurately interpret and respond to these alerts. action.escu.how_to_implement = To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is usually generated via logs that report process tracking in your Windows audit settings. action.escu.known_false_positives = Some administrator activity can be potentially triggered, please add those users to the filter macro. action.escu.creation_date = 2021-11-04 @@ -13919,7 +13884,7 @@ action.correlationsearch.annotations = {"analytic_story": ["Monitor for Unauthor schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search looks for execution of commonly used attacker tools on an endpoint. +action.notable.param.rule_description = The following analytic aims to identify the use of tools commonly exploited by cybercriminals. The use of these tools often signals nefarious activities like unauthorized access, network scanning, or data exfiltration, representing a significant threat to an organization's security infrastructure. By examining process activity on the host, particularly those processes corresponding to known attacker tool names, this analytic serves as an early warning system for potential security incidents. However, its precision must be balanced with the understanding that some administrative activities might also trigger alerts, resulting in false positives. This underlines the importance of cyber analysts having a clear understanding of typical endpoint activities and behaviors within their organization, enabling them to accurately interpret and respond to these alerts. action.notable.param.rule_title = Attacker Tools On Endpoint action.notable.param.security_domain = endpoint action.notable.param.severity = high @@ -13937,10 +13902,10 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime [ESCU - Attempt To Add Certificate To Untrusted Store - Rule] action.escu = 0 action.escu.enabled = 1 -description = Attempt To Add Certificate To Untrusted Store +description = The following analytic is designed to detect potential security threats involving the misuse of system trust. It works by detecting events where a process attempts to add a certificate to the untrusted certificate store, an action often associated with disabling security tools. The analytic uses Sysmon Event ID 1 data source, particularly focusing on process activities and command-line arguments related to 'certutil -addstore'. It's essential to ingest data that records process activity and logs containing process names and command lines for its effective operation. Be aware, sometimes administrators might legitimately perform this action. The analytic's value lies in detecting isolated or unexpected instances, indicative of potential malicious activities. Cybersecurity analysts should understand the importance of trust mechanisms and their subversion in system security. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1553.004", "T1553"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] -action.escu.eli5 = Attempt To Add Certificate To Untrusted Store +action.escu.eli5 = The following analytic is designed to detect potential security threats involving the misuse of system trust. It works by detecting events where a process attempts to add a certificate to the untrusted certificate store, an action often associated with disabling security tools. The analytic uses Sysmon Event ID 1 data source, particularly focusing on process activities and command-line arguments related to 'certutil -addstore'. It's essential to ingest data that records process activity and logs containing process names and command lines for its effective operation. Be aware, sometimes administrators might legitimately perform this action. The analytic's value lies in detecting isolated or unexpected instances, indicative of potential malicious activities. Cybersecurity analysts should understand the importance of trust mechanisms and their subversion in system security. action.escu.how_to_implement = You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the "process" field in the Endpoint data model. action.escu.known_false_positives = There may be legitimate reasons for administrators to add a certificate to the untrusted certificate store. In such cases, this will typically be done on a large number of systems. action.escu.creation_date = 2021-09-16 @@ -13965,7 +13930,7 @@ action.correlationsearch.annotations = {"analytic_story": ["Disabling Security T schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = Attempt To Add Certificate To Untrusted Store +action.notable.param.rule_description = The following analytic is designed to detect potential security threats involving the misuse of system trust. It works by detecting events where a process attempts to add a certificate to the untrusted certificate store, an action often associated with disabling security tools. The analytic uses Sysmon Event ID 1 data source, particularly focusing on process activities and command-line arguments related to 'certutil -addstore'. It's essential to ingest data that records process activity and logs containing process names and command lines for its effective operation. Be aware, sometimes administrators might legitimately perform this action. The analytic's value lies in detecting isolated or unexpected instances, indicative of potential malicious activities. Cybersecurity analysts should understand the importance of trust mechanisms and their subversion in system security. action.notable.param.rule_title = Attempt To Add Certificate To Untrusted Store action.notable.param.security_domain = endpoint action.notable.param.severity = high @@ -13989,14 +13954,14 @@ action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search looks for attempts to stop security-related services on the endpoint. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. action.escu.known_false_positives = None identified. Attempts to disable security-related services should be identified and understood. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 +action.escu.creation_date = 2023-06-13 +action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - Attempt To Stop Security Service - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult", "Trickbot", "Disabling Security Tools", "Data Destruction", "WhisperGate"] +action.escu.analytic_story = ["WhisperGate", "Graceful Wipe Out Attack", "Disabling Security Tools", "Data Destruction", "Azorult", "Trickbot"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable security services on endpoint $dest$ by user $user$. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 20}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 20}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 20}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 20}] @@ -14007,7 +13972,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Attempt To Stop Security Service - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult", "Trickbot", "Disabling Security Tools", "Data Destruction", "WhisperGate"], "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["WhisperGate", "Graceful Wipe Out Attack", "Disabling Security Tools", "Data Destruction", "Azorult", "Trickbot"], "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1562.001", "T1562"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -14944,14 +14909,14 @@ action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic identifies a common behavior by Cobalt Strike and other frameworks where the adversary will escalate privileges, either via `jump` (Cobalt Strike PTH) or `getsystem`, using named-pipe impersonation. A suspicious event will look like `cmd.exe /c echo 4sgryt3436 > \\.\Pipe\5erg53`. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. action.escu.known_false_positives = Unknown. It is possible filtering may be required to ensure fidelity. -action.escu.creation_date = 2021-05-20 -action.escu.modification_date = 2021-05-20 +action.escu.creation_date = 2023-06-13 +action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - CMD Echo Pipe - Escalation - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Cobalt Strike"] +action.escu.analytic_story = ["Cobalt Strike", "Graceful Wipe Out Attack"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ potentially performing privilege escalation using named pipes related to Cobalt Strike and other frameworks. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 64}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 64}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 64}] @@ -14962,7 +14927,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - CMD Echo Pipe - Escalation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Cobalt Strike"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1059", "T1059.003", "T1543.003", "T1543"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Cobalt Strike", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1059", "T1059.003", "T1543.003", "T1543"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -15084,14 +15049,14 @@ action.escu.eli5 = The following analytic identifies the use of default or publi Upon triage, review the process performing the named pipe. If it is explorer.exe, It is possible it was injected into by another process. Review recent parallel processes to identify suspicious patterns or behaviors. A parallel process may have a network connection, review and follow the connection back to identify any file modifications. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. action.escu.known_false_positives = The idea of using named pipes with Cobalt Strike is to blend in. Therefore, some of the named pipes identified and added may cause false positives. Filter by process name or pipe name to reduce false positives. -action.escu.creation_date = 2022-05-16 -action.escu.modification_date = 2022-05-16 +action.escu.creation_date = 2023-06-13 +action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - Cobalt Strike Named Pipes - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null -action.escu.analytic_story = ["Cobalt Strike", "Trickbot", "DarkSide Ransomware", "LockBit Ransomware"] +action.escu.analytic_story = ["LockBit Ransomware", "Graceful Wipe Out Attack", "Cobalt Strike", "DarkSide Ransomware", "Trickbot"] action.risk = 1 action.risk.param._risk_message = An instance of $process_name$ was identified on endpoint $Computer$ by user $user$ accessing known suspicious named pipes related to Cobalt Strike. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 72}, {"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 72}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 72}] @@ -15102,7 +15067,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Cobalt Strike Named Pipes - Rule -action.correlationsearch.annotations = {"analytic_story": ["Cobalt Strike", "Trickbot", "DarkSide Ransomware", "LockBit Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["LockBit Ransomware", "Graceful Wipe Out Attack", "Cobalt Strike", "DarkSide Ransomware", "Trickbot"], "cis20": ["CIS 10"], "confidence": 90, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -15425,10 +15390,10 @@ search = `sysmon` EventCode=8 TargetImage IN ("*\\cmd.exe", "*\\powershell*") | [ESCU - Create Remote Thread into LSASS - Rule] action.escu = 0 action.escu.enabled = 1 -description = Detect remote thread creation into LSASS consistent with credential dumping. +description = The following analytic developed to detect potential credential dumping attacks where a remote thread is created in the Local Security Authority Subsystem Service (LSASS). Credential dumping, a common tactic used by adversaries to steal user authentication credentials, is a significant threat to network security. The analytic leverages Sysmon Event ID 8 logs and looks for processes creating remote threads in lsass.exe, an unusual activity generally linked to credential theft. The confidence level in this alert is high, but it's worth noting that there might be cases where legitimate tools can access LSASS, generating similar logs. As an analyst, it is critical to understand the broader context of such events and differentiate between legitimate activities and possible threats. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} action.escu.data_models = [] -action.escu.eli5 = Detect remote thread creation into LSASS consistent with credential dumping. +action.escu.eli5 = The following analytic developed to detect potential credential dumping attacks where a remote thread is created in the Local Security Authority Subsystem Service (LSASS). Credential dumping, a common tactic used by adversaries to steal user authentication credentials, is a significant threat to network security. The analytic leverages Sysmon Event ID 8 logs and looks for processes creating remote threads in lsass.exe, an unusual activity generally linked to credential theft. The confidence level in this alert is high, but it's worth noting that there might be cases where legitimate tools can access LSASS, generating similar logs. As an analyst, it is critical to understand the broader context of such events and differentiate between legitimate activities and possible threats. action.escu.how_to_implement = This search needs Sysmon Logs with a Sysmon configuration, which includes EventCode 8 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. action.escu.known_false_positives = Other tools can access LSASS for legitimate reasons and generate an event. In these cases, tweaking the search may help eliminate noise. action.escu.creation_date = 2019-12-06 @@ -15453,7 +15418,7 @@ action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping"] schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = Detect remote thread creation into LSASS consistent with credential dumping. +action.notable.param.rule_description = The following analytic developed to detect potential credential dumping attacks where a remote thread is created in the Local Security Authority Subsystem Service (LSASS). Credential dumping, a common tactic used by adversaries to steal user authentication credentials, is a significant threat to network security. The analytic leverages Sysmon Event ID 8 logs and looks for processes creating remote threads in lsass.exe, an unusual activity generally linked to credential theft. The confidence level in this alert is high, but it's worth noting that there might be cases where legitimate tools can access LSASS, generating similar logs. As an analyst, it is critical to understand the broader context of such events and differentiate between legitimate activities and possible threats. action.notable.param.rule_title = Create Remote Thread into LSASS action.notable.param.security_domain = endpoint action.notable.param.severity = high @@ -15834,14 +15799,14 @@ action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic will detect a suspicious net.exe/net1.exe command-line to delete a user on a system. This technique may be use by an administrator for legitimate purposes, however this behavior has been used in the wild to impair some user or deleting adversaries tracks created during its lateral movement additional systems. During triage, review parallel processes for additional behavior. Identify any other user accounts created before or after. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. action.escu.known_false_positives = System administrators or scripts may delete user accounts via this technique. Filter as needed. -action.escu.creation_date = 2021-05-04 -action.escu.modification_date = 2021-05-04 +action.escu.creation_date = 2023-06-13 +action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - Deleting Of Net Users - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["XMRig"] +action.escu.analytic_story = ["XMRig", "Graceful Wipe Out Attack"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to delete accounts. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 25}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 25}] @@ -15852,7 +15817,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Deleting Of Net Users - Rule -action.correlationsearch.annotations = {"analytic_story": ["XMRig"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1531"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["XMRig", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1531"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -16053,7 +16018,7 @@ relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false -search = `linux_hosts` | search "sudoedit -s \\" | `detect_baron_samedit_cve_2021_3156_filter` +search = `linux_hosts` "sudoedit -s \\" | `detect_baron_samedit_cve_2021_3156_filter` [ESCU - Detect Baron Samedit CVE-2021-3156 Segfault - Rule] action.escu = 0 @@ -16099,7 +16064,7 @@ relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false -search = `linux_hosts` | search sudoedit segfault | stats count min(_time) as firstTime max(_time) as lastTime by host | search count > 5 | `detect_baron_samedit_cve_2021_3156_segfault_filter` +search = `linux_hosts` TERM(sudoedit) TERM(segfault) | stats count min(_time) as firstTime max(_time) as lastTime by host | where count > 5 | `detect_baron_samedit_cve_2021_3156_segfault_filter` [ESCU - Detect Baron Samedit CVE-2021-3156 via OSQuery - Rule] action.escu = 0 @@ -16420,7 +16385,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell and ProxyNotShell. Paths include: `\HttpProxy\owa\auth\`, `\inetpub\wwwroot\aspnet_client\`, and `\HttpProxy\OAB\`. Upon triage, the suspicious .aspx file will likely look obvious on the surface. inspect the contents for script code inside. Identify additional log sources, IIS included, to review source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically analytics to detect those threats are written without the benefit of being able to only target those systems as well. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the exchange server is communicating with new systems that it has not previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise allowing the hunter to focus only on the systems where this behavioral change is relevant. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505", "T1505.003", "T1190"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505", "T1505.003", "T1190", "T1133"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell and ProxyNotShell. Paths include: `\HttpProxy\owa\auth\`, `\inetpub\wwwroot\aspnet_client\`, and `\HttpProxy\OAB\`. Upon triage, the suspicious .aspx file will likely look obvious on the surface. inspect the contents for script code inside. Identify additional log sources, IIS included, to review source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically analytics to detect those threats are written without the benefit of being able to only target those systems as well. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the exchange server is communicating with new systems that it has not previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise allowing the hunter to focus only on the systems where this behavioral change is relevant. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node. @@ -16443,7 +16408,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect Exchange Web Shell - Rule -action.correlationsearch.annotations = {"analytic_story": ["HAFNIUM Group", "ProxyShell", "CISA AA22-257A", "ProxyNotShell"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505", "T1505.003", "T1190"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["HAFNIUM Group", "ProxyShell", "CISA AA22-257A", "ProxyNotShell"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505", "T1505.003", "T1190", "T1133"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -17452,14 +17417,14 @@ action.escu.eli5 = Adversaries may abuse Regsvr32.exe to proxy execution of mali Upon investigating, look for network connections to remote destinations (internal or external). Be cautious to modify the query to look for "scrobj.dll", the ".dll" is not required to load scrobj. "scrobj.dll" will be loaded by "regsvr32.exe" upon execution. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. action.escu.known_false_positives = Limited false positives related to third party software registering .DLL's. -action.escu.creation_date = 2021-01-28 -action.escu.modification_date = 2021-01-28 +action.escu.creation_date = 2023-06-13 +action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - Detect Regsvr32 Application Control Bypass - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Suspicious Regsvr32 Activity", "Cobalt Strike", "Living Off The Land"] +action.escu.analytic_story = ["Cobalt Strike", "Living Off The Land", "Suspicious Regsvr32 Activity", "Graceful Wipe Out Attack"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ in an attempt to bypass detection and preventative controls was identified on endpoint $dest$ by user $user$. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 80}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 80}] @@ -17470,7 +17435,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect Regsvr32 Application Control Bypass - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Regsvr32 Activity", "Cobalt Strike", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Cobalt Strike", "Living Off The Land", "Suspicious Regsvr32 Activity", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.010"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -19675,14 +19640,14 @@ action.escu.data_models = ["Endpoint", "Network_Traffic"] action.escu.eli5 = The following analytic identifies DLLHost.exe with no command line arguments with a network connection. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `port` node. action.escu.known_false_positives = Although unlikely, some legitimate third party applications may use a moved copy of dllhost, triggering a false positive. -action.escu.creation_date = 2022-03-15 -action.escu.modification_date = 2022-03-15 +action.escu.creation_date = 2023-06-13 +action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - DLLHost with no Command Line Arguments with Network - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Cobalt Strike"] +action.escu.analytic_story = ["Cobalt Strike", "Graceful Wipe Out Attack"] action.risk = 1 action.risk.param._risk_message = The process $process_name$ was spawned by $parent_process_name$ without any command-line arguments on $src$ by $user$. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "parent_image", "risk_object_type": "other", "risk_score": 49}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 49}] @@ -19693,7 +19658,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - DLLHost with no Command Line Arguments with Network - Rule -action.correlationsearch.annotations = {"analytic_story": ["Cobalt Strike"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Cobalt Strike", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -19802,14 +19767,14 @@ action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for domain users. Red Teams and adversaries alike may use net.exe to enumerate domain users for situational awareness and Active Directory Discovery. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2021-08-24 -action.escu.modification_date = 2021-08-24 +action.escu.creation_date = 2023-06-13 +action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - Domain Account Discovery With Net App - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery"] +action.escu.analytic_story = ["Active Directory Discovery", "Graceful Wipe Out Attack"] action.risk = 1 action.risk.param._risk_message = an instance of process $process_name$ with commandline $process$ in $dest$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "parent_process_name", "risk_object_type": "other", "risk_score": 25}] @@ -19820,7 +19785,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Domain Account Discovery With Net App - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1087.002", "T1087"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -20056,20 +20021,20 @@ action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for the execution of `net.exe` with command-line arguments utilized to query for domain groups. The argument `group /domain`, returns a list of all domain groups. Red Teams and adversaries alike use net.exe to enumerate domain groups for situational awareness and Active Directory Discovery. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. action.escu.known_false_positives = Administrators or power users may use this command for troubleshooting. -action.escu.creation_date = 2021-08-25 -action.escu.modification_date = 2021-08-25 +action.escu.creation_date = 2023-06-13 +action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - Domain Group Discovery With Net - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery", "Windows Post-Exploitation", "Prestige Ransomware"] +action.escu.analytic_story = ["Windows Post-Exploitation", "Active Directory Discovery", "Prestige Ransomware", "Graceful Wipe Out Attack"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Domain Group Discovery With Net - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Windows Post-Exploitation", "Prestige Ransomware"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Windows Post-Exploitation", "Active Directory Discovery", "Prestige Ransomware", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.002"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -20262,10 +20227,10 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime [ESCU - Dump LSASS via comsvcs DLL - Rule] action.escu = 0 action.escu.enabled = 1 -description = Detect the usage of comsvcs.dll for dumping the lsass process. +description = The following analytic detects the behavior of dumping credentials from memory, a tactic commonly used by adversaries. Specifically, it targets the exploitation of the Local Security Authority Subsystem Service (LSASS) in Windows, which manages system-level authentication. Threat actors can use the comsvcs.dll to exploit this process and obtain valuable credentials. The analytic identifies instances where the rundll32 process is used in conjunction with the comsvcs.dll and MiniDump, indicating potential LSASS dumping attempts. This tactic is often part of more extensive attack campaigns and is associated with numerous threat groups. Identifying this behavior is crucial for security operations center (SOC) analysts, as credential theft can lead to broader system compromise, persistence, lateral movement, and escalated privileges. It is important to note that no legitimate use of this technique has been identified so far. The impact of the attack, if a true positive is found, can be severe. Attackers can use the stolen credentials to access sensitive information or systems, leading to data theft, ransomware attacks, or other damaging outcomes. To implement this analytic, ensure that logs with process information are ingested from your endpoints. However, be aware of potential false positives, as legitimate uses of the LSASS process may cause benign activities to be flagged. Upon triage, review the processes involved in the LSASS dumping attempt, capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. By identifying and mitigating LSASS exploitation attempts early on, SOC analysts can better protect their organization's assets and prevent potential breaches. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] -action.escu.eli5 = Detect the usage of comsvcs.dll for dumping the lsass process. +action.escu.eli5 = The following analytic detects the behavior of dumping credentials from memory, a tactic commonly used by adversaries. Specifically, it targets the exploitation of the Local Security Authority Subsystem Service (LSASS) in Windows, which manages system-level authentication. Threat actors can use the comsvcs.dll to exploit this process and obtain valuable credentials. The analytic identifies instances where the rundll32 process is used in conjunction with the comsvcs.dll and MiniDump, indicating potential LSASS dumping attempts. This tactic is often part of more extensive attack campaigns and is associated with numerous threat groups. Identifying this behavior is crucial for security operations center (SOC) analysts, as credential theft can lead to broader system compromise, persistence, lateral movement, and escalated privileges. It is important to note that no legitimate use of this technique has been identified so far. The impact of the attack, if a true positive is found, can be severe. Attackers can use the stolen credentials to access sensitive information or systems, leading to data theft, ransomware attacks, or other damaging outcomes. To implement this analytic, ensure that logs with process information are ingested from your endpoints. However, be aware of potential false positives, as legitimate uses of the LSASS process may cause benign activities to be flagged. Upon triage, review the processes involved in the LSASS dumping attempt, capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. By identifying and mitigating LSASS exploitation attempts early on, SOC analysts can better protect their organization's assets and prevent potential breaches. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. action.escu.known_false_positives = None identified. action.escu.creation_date = 2023-04-14 @@ -20290,7 +20255,7 @@ action.correlationsearch.annotations = {"analytic_story": ["Industroyer2", "HAFN schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = Detect the usage of comsvcs.dll for dumping the lsass process. +action.notable.param.rule_description = The following analytic detects the behavior of dumping credentials from memory, a tactic commonly used by adversaries. Specifically, it targets the exploitation of the Local Security Authority Subsystem Service (LSASS) in Windows, which manages system-level authentication. Threat actors can use the comsvcs.dll to exploit this process and obtain valuable credentials. The analytic identifies instances where the rundll32 process is used in conjunction with the comsvcs.dll and MiniDump, indicating potential LSASS dumping attempts. This tactic is often part of more extensive attack campaigns and is associated with numerous threat groups. Identifying this behavior is crucial for security operations center (SOC) analysts, as credential theft can lead to broader system compromise, persistence, lateral movement, and escalated privileges. It is important to note that no legitimate use of this technique has been identified so far. The impact of the attack, if a true positive is found, can be severe. Attackers can use the stolen credentials to access sensitive information or systems, leading to data theft, ransomware attacks, or other damaging outcomes. To implement this analytic, ensure that logs with process information are ingested from your endpoints. However, be aware of potential false positives, as legitimate uses of the LSASS process may cause benign activities to be flagged. Upon triage, review the processes involved in the LSASS dumping attempt, capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. By identifying and mitigating LSASS exploitation attempts early on, SOC analysts can better protect their organization's assets and prevent potential breaches. action.notable.param.rule_title = Dump LSASS via comsvcs DLL action.notable.param.security_domain = endpoint action.notable.param.severity = high @@ -21133,14 +21098,14 @@ action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic identifies excessive usage of `net.exe` or `net1.exe` within a bucket of time (1 minute). This behavior was seen in a Monero incident where the adversary attempts to create many users, delete and disable users as part of its malicious behavior. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. action.escu.known_false_positives = unknown. Filter as needed. Modify the time span as needed. -action.escu.creation_date = 2021-05-06 -action.escu.modification_date = 2021-05-06 +action.escu.creation_date = 2023-06-13 +action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - Excessive Usage Of Net App - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["XMRig", "Ransomware", "Azorult", "Windows Post-Exploitation", "Prestige Ransomware"] +action.escu.analytic_story = ["Prestige Ransomware", "Graceful Wipe Out Attack", "XMRig", "Windows Post-Exploitation", "Azorult", "Ransomware"] action.risk = 1 action.risk.param._risk_message = Excessive usage of net1.exe or net.exe within 1m, with command line $process$ has been detected on $dest$ by $user$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 28}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 28}, {"threat_object_field": "process_name", "threat_object_type": "process"}] @@ -21151,7 +21116,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Excessive Usage Of Net App - Rule -action.correlationsearch.annotations = {"analytic_story": ["XMRig", "Ransomware", "Azorult", "Windows Post-Exploitation", "Prestige Ransomware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1531"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Prestige Ransomware", "Graceful Wipe Out Attack", "XMRig", "Windows Post-Exploitation", "Azorult", "Ransomware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 40, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1531"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -21292,7 +21257,7 @@ Modification of this analytic is requried to ensure fields are mapped accordingl A suspicious event will have `PowerShell`, the method `POST` and `autodiscover.json`. This is indicative of accessing PowerShell on the back end of Exchange with SSRF. \ An event will look similar to `POST /autodiscover/autodiscover.json a=dsxvu@fnsso.flq/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3d...` (abbreviated) \ Review the source attempting to perform this activity against your environment. In addition, review PowerShell logs and access recently granted to Exchange roles. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = This analytic identifies suspicious behavior related to ProxyShell against on-premise Microsoft Exchange servers. This analytic has been replaced by GUID d436f9e7-0ee7-4a47-864b-6dea2c4e2752 which utilizes the Web Datamodel. \ Modification of this analytic is requried to ensure fields are mapped accordingly. \ @@ -21319,7 +21284,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Exchange PowerShell Abuse via SSRF - Rule -action.correlationsearch.annotations = {"analytic_story": ["ProxyShell", "ProxyNotShell"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["ProxyShell", "ProxyNotShell"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -21409,14 +21374,14 @@ action.escu.data_models = [] action.escu.eli5 = The following analytic identifies executable files (.exe or .dll) being written to Windows administrative SMB shares (Admin$, IPC$, C$). This represents suspicious behavior as its commonly used by tools like PsExec/PaExec and others to stage service binaries before creating and starting a Windows service on remote endpoints. Red Teams and adversaries alike may abuse administrative shares for lateral movement and remote code execution. The Trickbot malware family also implements this behavior to try to infect other machines in the infected network. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 5145 EventCode enabled. The Windows TA is also required. Also enable the object Audit access success/failure in your group policy. action.escu.known_false_positives = System Administrators may use looks like PsExec for troubleshooting or administrations tasks. However, this will typically come only from certain users and certain systems that can be added to an allow list. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 +action.escu.creation_date = 2023-06-13 +action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - Executable File Written in Administrative SMB Share - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Industroyer2", "Active Directory Lateral Movement", "Hermetic Wiper", "Trickbot", "Prestige Ransomware", "Data Destruction", "IcedID"] +action.escu.analytic_story = ["Active Directory Lateral Movement", "Prestige Ransomware", "Graceful Wipe Out Attack", "Industroyer2", "IcedID", "Data Destruction", "Hermetic Wiper", "Trickbot"] action.risk = 1 action.risk.param._risk_message = $user$ dropped or created an executable file in known sensitive SMB share. Share name=$Share_Name$, Target name=$Relative_Target_Name$, and Access mask=$Access_Mask$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 70}] @@ -21427,7 +21392,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Executable File Written in Administrative SMB Share - Rule -action.correlationsearch.annotations = {"analytic_story": ["Industroyer2", "Active Directory Lateral Movement", "Hermetic Wiper", "Trickbot", "Prestige Ransomware", "Data Destruction", "IcedID"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.002"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Prestige Ransomware", "Graceful Wipe Out Attack", "Industroyer2", "IcedID", "Data Destruction", "Hermetic Wiper", "Trickbot"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1021", "T1021.002"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -21449,20 +21414,20 @@ search = `wineventlog_security` EventCode=5145 Relative_Target_Name IN ("*.exe", [ESCU - Executables Or Script Creation In Suspicious Path - Rule] action.escu = 0 action.escu.enabled = 1 -description = This analytic will identify suspicious executable or scripts (known file extensions) in a list of suspicious file paths in Windows. This technique is used by adversaries to evade detection. The suspicious file path are known paths used in the wild and are not common to have executable or scripts. +description = This analytic identifies potentially malicious executables or scripts by examining a list of suspicious file paths on Windows Operating System. The purpose of this technique is to uncover files with known file extensions that could be used by adversaries to evade detection and persistence. The suspicious file paths selected for investigation are typically uncommon and uncommonly associated with executable or script files. By scrutinizing these paths, we can proactively identify potential security threats and enhance overall system security. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic will identify suspicious executable or scripts (known file extensions) in a list of suspicious file paths in Windows. This technique is used by adversaries to evade detection. The suspicious file path are known paths used in the wild and are not common to have executable or scripts. +action.escu.eli5 = This analytic identifies potentially malicious executables or scripts by examining a list of suspicious file paths on Windows Operating System. The purpose of this technique is to uncover files with known file extensions that could be used by adversaries to evade detection and persistence. The suspicious file paths selected for investigation are typically uncommon and uncommonly associated with executable or script files. By scrutinizing these paths, we can proactively identify potential security threats and enhance overall system security. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. action.escu.known_false_positives = Administrators may allow creation of script or exe in the paths specified. Filter as needed. -action.escu.creation_date = 2023-04-25 -action.escu.modification_date = 2023-04-25 +action.escu.creation_date = 2023-06-13 +action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - Executables Or Script Creation In Suspicious Path - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult", "AsyncRAT", "XMRig", "Swift Slicer", "DarkCrystal RAT", "Double Zero Destructor", "Trickbot", "Data Destruction", "LockBit Ransomware", "Industroyer2", "Remcos", "RedLine Stealer", "WhisperGate", "IcedID", "Hermetic Wiper", "AgentTesla", "Brute Ratel C4", "Qakbot", "Chaos Ransomware", "Volt Typhoon"] +action.escu.analytic_story = ["WhisperGate", "XMRig", "Industroyer2", "Remcos", "Data Destruction", "Hermetic Wiper", "Azorult", "DarkCrystal RAT", "Graceful Wipe Out Attack", "IcedID", "Swift Slicer", "Qakbot", "RedLine Stealer", "Brute Ratel C4", "AsyncRAT", "LockBit Ransomware", "AgentTesla", "Double Zero Destructor", "Volt Typhoon", "Chaos Ransomware", "Trickbot", "Amadey"] action.risk = 1 action.risk.param._risk_message = Suspicious executable or scripts with file name $file_name$, $file_path$ and process_id $process_id$ executed in suspicious file path in Windows by $user$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 20}, {"threat_object_field": "process_id", "threat_object_type": "process"}, {"threat_object_field": "file_name", "threat_object_type": "file name"}] @@ -21473,7 +21438,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Executables Or Script Creation In Suspicious Path - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult", "AsyncRAT", "XMRig", "Swift Slicer", "DarkCrystal RAT", "Double Zero Destructor", "Trickbot", "Data Destruction", "LockBit Ransomware", "Industroyer2", "Remcos", "RedLine Stealer", "WhisperGate", "IcedID", "Hermetic Wiper", "AgentTesla", "Brute Ratel C4", "Qakbot", "Chaos Ransomware", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["WhisperGate", "XMRig", "Industroyer2", "Remcos", "Data Destruction", "Hermetic Wiper", "Azorult", "DarkCrystal RAT", "Graceful Wipe Out Attack", "IcedID", "Swift Slicer", "Qakbot", "RedLine Stealer", "Brute Ratel C4", "AsyncRAT", "LockBit Ransomware", "AgentTesla", "Double Zero Destructor", "Volt Typhoon", "Chaos Ransomware", "Trickbot", "Amadey"], "cis20": ["CIS 10"], "confidence": 50, "impact": 40, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -23550,14 +23515,14 @@ action.escu.data_models = ["Endpoint", "Network_Traffic"] action.escu.eli5 = The following analytic identifies gpupdate.exe with no command line arguments and with a network connection. It is unusual for gpupdate.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. gpupdate.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. action.escu.known_false_positives = Limited false positives may be present in small environments. Tuning may be required based on parent process. -action.escu.creation_date = 2022-03-15 -action.escu.modification_date = 2022-03-15 +action.escu.creation_date = 2023-06-13 +action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - GPUpdate with no Command Line Arguments with Network - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Cobalt Strike"] +action.escu.analytic_story = ["Cobalt Strike", "Graceful Wipe Out Attack"] action.risk = 1 action.risk.param._risk_message = Process gpupdate.exe with parent_process $parent_process_name$ is executed on $dest$ by user $user$, followed by an outbound network connection to $connection_to_CNC$ on port $dest_port$. This behaviour is seen with cobaltstrike. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 81}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}, {"threat_object_field": "parent_process_name", "threat_object_type": "process name"}, {"risk_object_field": "connection_to_CNC", "risk_object_type": "system", "risk_score": 81}] @@ -23568,7 +23533,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - GPUpdate with no Command Line Arguments with Network - Rule -action.correlationsearch.annotations = {"analytic_story": ["Cobalt Strike"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Cobalt Strike", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -23797,14 +23762,14 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime [ESCU - Icacls Deny Command - Rule] action.escu = 0 action.escu.enabled = 1 -description = This analytic identifies a potential adversary that changes the security permission of a specific file or directory. This technique is commonly seen in APT tradecraft or coinminer scripts. This behavior is meant to evade detection and prevent access to their component files. +description = This analytic identifies instances where an adversary modifies the security permissions of a particular file or directory. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. The purpose of this behavior is to actively evade detection and impede access to their associated files. By identifying these security permission changes, we can enhance our ability to detect and respond to potential threats, mitigating the impact of malicious activities on the system. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic identifies a potential adversary that changes the security permission of a specific file or directory. This technique is commonly seen in APT tradecraft or coinminer scripts. This behavior is meant to evade detection and prevent access to their component files. +action.escu.eli5 = This analytic identifies instances where an adversary modifies the security permissions of a particular file or directory. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. The purpose of this behavior is to actively evade detection and impede access to their associated files. By identifying these security permission changes, we can enhance our ability to detect and respond to potential threats, mitigating the impact of malicious activities on the system. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed icacls.exe may be used. action.escu.known_false_positives = Unknown. It is possible some administrative scripts use ICacls. Filter as needed. -action.escu.creation_date = 2021-04-29 -action.escu.modification_date = 2021-04-29 +action.escu.creation_date = 2023-06-06 +action.escu.modification_date = 2023-06-06 action.escu.confidence = high action.escu.full_search_name = ESCU - Icacls Deny Command - Rule action.escu.search_type = detection @@ -23825,7 +23790,7 @@ action.correlationsearch.annotations = {"analytic_story": ["XMRig", "Azorult", " schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic identifies a potential adversary that changes the security permission of a specific file or directory. This technique is commonly seen in APT tradecraft or coinminer scripts. This behavior is meant to evade detection and prevent access to their component files. +action.notable.param.rule_description = This analytic identifies instances where an adversary modifies the security permissions of a particular file or directory. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. The purpose of this behavior is to actively evade detection and impede access to their associated files. By identifying these security permission changes, we can enhance our ability to detect and respond to potential threats, mitigating the impact of malicious activities on the system. action.notable.param.rule_title = Icacls Deny Command action.notable.param.security_domain = endpoint action.notable.param.severity = high @@ -23838,19 +23803,19 @@ relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false -search = | tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "icacls.exe" OR Processes.process_name = "cacls.exe" OR Processes.process_name = "xcacls.exe" AND Processes.process = "*/deny*" by Processes.parent_process_name Processes.process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `icacls_deny_command_filter` +search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( "icacls.exe", "cacls.exe", "xcacls.exe") AND Processes.process IN ("*/deny*", "*/D*") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `icacls_deny_command_filter` [ESCU - ICACLS Grant Command - Rule] action.escu = 0 action.escu.enabled = 1 -description = This analytic identifies potential adversaries that modify the security permission of a specific file or directory. This technique is commonly seen in APT tradecraft and coinminer scripts to evade detections and restrict access to their component files. +description = This analytic identifies adversaries who manipulate the security permissions of specific files or directories by granting additional access. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. The objective behind this behavior is to actively evade detection mechanisms and tightly control access to their associated files. By identifying these security permission modifications, we can improve our ability to identify and respond to potential threats, thereby minimizing the impact of malicious activities on the system. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic identifies potential adversaries that modify the security permission of a specific file or directory. This technique is commonly seen in APT tradecraft and coinminer scripts to evade detections and restrict access to their component files. +action.escu.eli5 = This analytic identifies adversaries who manipulate the security permissions of specific files or directories by granting additional access. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. The objective behind this behavior is to actively evade detection mechanisms and tightly control access to their associated files. By identifying these security permission modifications, we can improve our ability to identify and respond to potential threats, thereby minimizing the impact of malicious activities on the system. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed icacls.exe may be used. action.escu.known_false_positives = Unknown. Filter as needed. -action.escu.creation_date = 2021-05-04 -action.escu.modification_date = 2021-05-04 +action.escu.creation_date = 2023-06-06 +action.escu.modification_date = 2023-06-06 action.escu.confidence = high action.escu.full_search_name = ESCU - ICACLS Grant Command - Rule action.escu.search_type = detection @@ -23871,7 +23836,7 @@ action.correlationsearch.annotations = {"analytic_story": ["XMRig", "Ransomware" schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic identifies potential adversaries that modify the security permission of a specific file or directory. This technique is commonly seen in APT tradecraft and coinminer scripts to evade detections and restrict access to their component files. +action.notable.param.rule_description = This analytic identifies adversaries who manipulate the security permissions of specific files or directories by granting additional access. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. The objective behind this behavior is to actively evade detection mechanisms and tightly control access to their associated files. By identifying these security permission modifications, we can improve our ability to identify and respond to potential threats, thereby minimizing the impact of malicious activities on the system. action.notable.param.rule_title = ICACLS Grant Command action.notable.param.security_domain = endpoint action.notable.param.severity = high @@ -23884,7 +23849,7 @@ relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false -search = | tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "icacls.exe" OR Processes.process_name = "cacls.exe" OR Processes.process_name = "xcacls.exe" AND Processes.process = "*/grant*" by Processes.parent_process_name Processes.process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `icacls_grant_command_filter` +search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( "icacls.exe", "cacls.exe", "xcacls.exe") AND Processes.process IN ("*/grant*", "*/G*") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `icacls_grant_command_filter` [ESCU - IcedID Exfiltrated Archived File Creation - Rule] action.escu = 0 @@ -23930,14 +23895,14 @@ action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for the presence of suspicious commandline parameters typically present when using Impacket tools. Impacket is a collection of python classes meant to be used with Microsoft network protocols. There are multiple scripts that leverage impacket libraries like `wmiexec.py`, `smbexec.py`, `dcomexec.py` and `atexec.py` used to execute commands on remote endpoints. By default, these scripts leverage administrative shares and hardcoded parameters that can be used as a signature to detect its use. Red Teams and adversaries alike may leverage Impackets tools for lateral movement and remote code execution. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. action.escu.known_false_positives = Although uncommon, Administrators may leverage Impackets tools to start a process on remote systems for system administration or automation use cases. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 +action.escu.creation_date = 2023-06-13 +action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - Impacket Lateral Movement Commandline Parameters - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Industroyer2", "Active Directory Lateral Movement", "Prestige Ransomware", "CISA AA22-277A", "Data Destruction", "WhisperGate", "Volt Typhoon"] +action.escu.analytic_story = ["Active Directory Lateral Movement", "CISA AA22-277A", "WhisperGate", "Prestige Ransomware", "Volt Typhoon", "Graceful Wipe Out Attack", "Industroyer2", "Data Destruction"] action.risk = 1 action.risk.param._risk_message = Suspicious command line parameters on $dest$ may represent a lateral movement attack with Impackets tools action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}] @@ -23948,7 +23913,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Impacket Lateral Movement Commandline Parameters - Rule -action.correlationsearch.annotations = {"analytic_story": ["Industroyer2", "Active Directory Lateral Movement", "Prestige Ransomware", "CISA AA22-277A", "Data Destruction", "WhisperGate", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-277A", "WhisperGate", "Prestige Ransomware", "Volt Typhoon", "Graceful Wipe Out Attack", "Industroyer2", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -23976,14 +23941,14 @@ action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic focuses on identifying suspicious command-line parameters commonly associated with the use of Impacket wmiexec.py. Impacket is a set of Python classes designed for working with Microsoft network protocols, and it includes several scripts like wmiexec.py, smbexec.py, dcomexec.py, and atexec.py that enable command execution on remote endpoints. These scripts typically utilize administrative shares and hardcoded parameters, which can serve as signatures to detect their usage. Both Red Teams and adversaries may employ Impacket tools for lateral movement and remote code execution purposes. By monitoring for these specific command-line indicators, the analytic aims to detect potentially malicious activities related to Impacket tool usage. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. action.escu.known_false_positives = Although uncommon, Administrators may leverage Impackets tools to start a process on remote systems for system administration or automation use cases. -action.escu.creation_date = 2023-04-25 -action.escu.modification_date = 2023-04-25 +action.escu.creation_date = 2023-06-13 +action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Industroyer2", "Active Directory Lateral Movement", "Prestige Ransomware", "CISA AA22-277A", "Data Destruction", "WhisperGate", "Volt Typhoon"] +action.escu.analytic_story = ["Active Directory Lateral Movement", "CISA AA22-277A", "WhisperGate", "Prestige Ransomware", "Volt Typhoon", "Graceful Wipe Out Attack", "Industroyer2", "Data Destruction"] action.risk = 1 action.risk.param._risk_message = Suspicious command-line parameters on $dest$ may represent lateral movement using smbexec. action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}] @@ -23994,7 +23959,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule -action.correlationsearch.annotations = {"analytic_story": ["Industroyer2", "Active Directory Lateral Movement", "Prestige Ransomware", "CISA AA22-277A", "Data Destruction", "WhisperGate", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-277A", "WhisperGate", "Prestige Ransomware", "Volt Typhoon", "Graceful Wipe Out Attack", "Industroyer2", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -24022,14 +23987,14 @@ action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic looks for the presence of suspicious commandline parameters typically present when using Impacket tools. Impacket is a collection of python classes meant to be used with Microsoft network protocols. There are multiple scripts that leverage impacket libraries like `wmiexec.py`, `smbexec.py`, `dcomexec.py` and `atexec.py` used to execute commands on remote endpoints. By default, these scripts leverage administrative shares and hardcoded parameters that can be used as a signature to detect its use. Red Teams and adversaries alike may leverage Impackets tools for lateral movement and remote code execution. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. action.escu.known_false_positives = Although uncommon, Administrators may leverage Impackets tools to start a process on remote systems for system administration or automation use cases. -action.escu.creation_date = 2023-04-21 -action.escu.modification_date = 2023-04-21 +action.escu.creation_date = 2023-06-13 +action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Industroyer2", "Active Directory Lateral Movement", "Prestige Ransomware", "CISA AA22-277A", "Data Destruction", "WhisperGate", "Volt Typhoon"] +action.escu.analytic_story = ["Active Directory Lateral Movement", "CISA AA22-277A", "WhisperGate", "Prestige Ransomware", "Volt Typhoon", "Graceful Wipe Out Attack", "Industroyer2", "Data Destruction"] action.risk = 1 action.risk.param._risk_message = Suspicious command-line parameters on $dest$ may represent lateral movement using wmiexec. action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}] @@ -24040,7 +24005,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule -action.correlationsearch.annotations = {"analytic_story": ["Industroyer2", "Active Directory Lateral Movement", "Prestige Ransomware", "CISA AA22-277A", "Data Destruction", "WhisperGate", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-277A", "WhisperGate", "Prestige Ransomware", "Volt Typhoon", "Graceful Wipe Out Attack", "Industroyer2", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1021", "T1021.002", "T1021.003", "T1047", "T1543.003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -24155,7 +24120,7 @@ search = | tstats count from datamodel=Web where Web.http_user_agent="*Java*" We action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the process java writing a .jsp to disk. This is potentially indicative of a web shell being written to disk. Modify and tune the analytic based on data ingested. For instance, it may be worth running a broad query for jsp file writes first before performing a join. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies the process java writing a .jsp to disk. This is potentially indicative of a web shell being written to disk. Modify and tune the analytic based on data ingested. For instance, it may be worth running a broad query for jsp file writes first before performing a join. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. @@ -24178,7 +24143,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Java Writing JSP File - Rule -action.correlationsearch.annotations = {"analytic_story": ["Spring4Shell CVE-2022-22965", "Atlassian Confluence Server and Data Center CVE-2022-26134"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2022-22965"], "impact": 60, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Spring4Shell CVE-2022-22965", "Atlassian Confluence Server and Data Center CVE-2022-26134"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2022-22965"], "impact": 60, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -24602,10 +24567,10 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime [ESCU - Linux Add Files In Known Crontab Directories - Rule] action.escu = 0 action.escu.enabled = 1 -description = The following analytic identifies a suspicious file creation in known cron table directories. This event is commonly abuse by malware, adversaries and red teamers to persist on the target or compromised host. crontab or cronjob is like a schedule task in windows environment where you can create an executable or script on the known crontab directories to run it base on its schedule. This Anomaly query is a good indicator to look further what file is added and who added the file if to consider it legitimate file. +description = The following analytic aims to detect unauthorized activities through suspicious file creation in recognized cron table directories, prevalent Unix-based locations for scheduling tasks. This behavior is often exploited by nefarious entities like malware or threat actors, including red teamers, to establish persistence on a targeted or compromised host. The analogy to Windows-based scheduled tasks helps explain the utility of a crontab or cron job. To enhance clarity and actionable intelligence, the anomaly query flags the anomaly, urging further investigation into the added file's details. A cybersecurity analyst should consider additional data points such as the user identity involved, the file's nature and purpose, file origin, timestamp, and any changes in system behavior post file execution. This comprehensive understanding aids in accurately determining the file's legitimacy, facilitating prompt and effective response actions. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a suspicious file creation in known cron table directories. This event is commonly abuse by malware, adversaries and red teamers to persist on the target or compromised host. crontab or cronjob is like a schedule task in windows environment where you can create an executable or script on the known crontab directories to run it base on its schedule. This Anomaly query is a good indicator to look further what file is added and who added the file if to consider it legitimate file. +action.escu.eli5 = The following analytic aims to detect unauthorized activities through suspicious file creation in recognized cron table directories, prevalent Unix-based locations for scheduling tasks. This behavior is often exploited by nefarious entities like malware or threat actors, including red teamers, to establish persistence on a targeted or compromised host. The analogy to Windows-based scheduled tasks helps explain the utility of a crontab or cron job. To enhance clarity and actionable intelligence, the anomaly query flags the anomaly, urging further investigation into the added file's details. A cybersecurity analyst should consider additional data points such as the user identity involved, the file's nature and purpose, file origin, timestamp, and any changes in system behavior post file execution. This comprehensive understanding aids in accurately determining the file's legitimacy, facilitating prompt and effective response actions. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. action.escu.known_false_positives = Administrator or network operator can create file in crontab folders for automation purposes. Please update the filter macros to remove false positives. action.escu.creation_date = 2021-12-17 @@ -24615,7 +24580,7 @@ action.escu.full_search_name = ESCU - Linux Add Files In Known Crontab Directori action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"] +action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"] action.risk = 1 action.risk.param._risk_message = a file $file_name$ is created in $file_path$ on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] @@ -24626,7 +24591,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Add Files In Known Crontab Directories - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -24677,10 +24642,10 @@ search = | tstats `security_content_summariesonly` count from datamodel=Endpoint [ESCU - Linux Adding Crontab Using List Parameter - Rule] action.escu = 0 action.escu.enabled = 1 -description = The following analytic identifies a suspicious cron jobs modification using crontab list parameters. This command line parameter can be abused by malware like industroyer2, adversaries, and red teamers to add a crontab entry to their malicious code to execute to the schedule they want. This event can also be executed by administrator or normal user for automation purposes so filter is needed. +description = The following analytic identifies suspicious modifications to cron jobs on Linux systems using the crontab command with list parameters. This command line parameter can be abused by malware like Industroyer2, as well as adversaries and red teamers, to add a crontab entry for executing their malicious code on a schedule of their choice. However, it's important to note that administrators or normal users may also use this command for legitimate automation purposes, so filtering is required to minimize false positives. Identifying the modification of cron jobs using list parameters is valuable for a SOC as it indicates potential malicious activity or an attempt to establish persistence on the system. If a true positive is detected, further investigation should be conducted to analyze the added cron job, its associated command, and the impact it may have on the system. This includes examining the purpose of the job, reviewing any on-disk artifacts, and identifying any related processes or activities occurring concurrently. The impact of a true positive can range from unauthorized execution of malicious code to data destruction or other damaging outcomes. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a suspicious cron jobs modification using crontab list parameters. This command line parameter can be abused by malware like industroyer2, adversaries, and red teamers to add a crontab entry to their malicious code to execute to the schedule they want. This event can also be executed by administrator or normal user for automation purposes so filter is needed. +action.escu.eli5 = The following analytic identifies suspicious modifications to cron jobs on Linux systems using the crontab command with list parameters. This command line parameter can be abused by malware like Industroyer2, as well as adversaries and red teamers, to add a crontab entry for executing their malicious code on a schedule of their choice. However, it's important to note that administrators or normal users may also use this command for legitimate automation purposes, so filtering is required to minimize false positives. Identifying the modification of cron jobs using list parameters is valuable for a SOC as it indicates potential malicious activity or an attempt to establish persistence on the system. If a true positive is detected, further investigation should be conducted to analyze the added cron job, its associated command, and the impact it may have on the system. This includes examining the purpose of the job, reviewing any on-disk artifacts, and identifying any related processes or activities occurring concurrently. The impact of a true positive can range from unauthorized execution of malicious code to data destruction or other damaging outcomes. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. action.escu.known_false_positives = Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. action.escu.creation_date = 2023-04-14 @@ -24690,13 +24655,13 @@ action.escu.full_search_name = ESCU - Linux Adding Crontab Using List Parameter action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Industroyer2", "Linux Privilege Escalation", "Linux Living Off The Land", "Data Destruction", "Linux Persistence Techniques"] +action.escu.analytic_story = ["Industroyer2", "Linux Privilege Escalation", "Linux Living Off The Land", "Data Destruction", "Linux Persistence Techniques", "Scheduled Tasks"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Adding Crontab Using List Parameter - Rule -action.correlationsearch.annotations = {"analytic_story": ["Industroyer2", "Linux Privilege Escalation", "Linux Living Off The Land", "Data Destruction", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Industroyer2", "Linux Privilege Escalation", "Linux Living Off The Land", "Data Destruction", "Linux Persistence Techniques", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -24792,10 +24757,12 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime [ESCU - Linux At Allow Config File Creation - Rule] action.escu = 0 action.escu.enabled = 1 -description = The following analytic identifies a suspicious file creation of /etc/at.allow or /etc/at.deny. These 2 files are commonly abused by malware, adversaries or red teamers to persist on the targeted or compromised host. These config files can restrict or allow user to execute "at" application (another schedule task application in linux). attacker can create a user or add the compromised username to that config file to execute "at" to schedule it malicious code. This anomaly detection can be a good indicator to investigate further the entry in created config file and who created it to verify if it is a false positive. +description = The following analytic detects the creation of suspicious configuration files, /etc/at.allow or /etc/at.deny, in Linux. These files are commonly abused by malware, adversaries, or red teamers to establish persistence on compromised hosts. The configuration files determine which users are allowed to execute the "at" application, which is used for scheduling tasks in Linux. Attackers can add their user or a compromised username to these files to execute malicious code using "at." It's important to consider potential false positives as administrators or network operators may create these files for legitimate automation purposes. Adjust the filter macros to minimize false positives.\ +Identifying the creation of these configuration files is valuable for a SOC as it indicates potential unauthorized activities or an attacker attempting to establish persistence. If a true positive is found, further investigation is necessary to examine the contents of the created configuration file and determine the source of creation. The impact of a true positive can vary but could result in unauthorized execution of malicious code, data theft, or other detrimental consequences. Analysts should review the file path, creation time, and associated processes to assess the extent of the attack and initiate appropriate response actions. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a suspicious file creation of /etc/at.allow or /etc/at.deny. These 2 files are commonly abused by malware, adversaries or red teamers to persist on the targeted or compromised host. These config files can restrict or allow user to execute "at" application (another schedule task application in linux). attacker can create a user or add the compromised username to that config file to execute "at" to schedule it malicious code. This anomaly detection can be a good indicator to investigate further the entry in created config file and who created it to verify if it is a false positive. +action.escu.eli5 = The following analytic detects the creation of suspicious configuration files, /etc/at.allow or /etc/at.deny, in Linux. These files are commonly abused by malware, adversaries, or red teamers to establish persistence on compromised hosts. The configuration files determine which users are allowed to execute the "at" application, which is used for scheduling tasks in Linux. Attackers can add their user or a compromised username to these files to execute malicious code using "at." It's important to consider potential false positives as administrators or network operators may create these files for legitimate automation purposes. Adjust the filter macros to minimize false positives.\ +Identifying the creation of these configuration files is valuable for a SOC as it indicates potential unauthorized activities or an attacker attempting to establish persistence. If a true positive is found, further investigation is necessary to examine the contents of the created configuration file and determine the source of creation. The impact of a true positive can vary but could result in unauthorized execution of malicious code, data theft, or other detrimental consequences. Analysts should review the file path, creation time, and associated processes to assess the extent of the attack and initiate appropriate response actions. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. action.escu.known_false_positives = Administrator or network operator can create this file for automation purposes. Please update the filter macros to remove false positives. action.escu.creation_date = 2021-12-17 @@ -24805,7 +24772,7 @@ action.escu.full_search_name = ESCU - Linux At Allow Config File Creation - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"] +action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"] action.risk = 1 action.risk.param._risk_message = A file $file_name$ is created in $file_path$ on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] @@ -24816,7 +24783,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux At Allow Config File Creation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -24832,10 +24799,14 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime [ESCU - Linux At Application Execution - Rule] action.escu = 0 action.escu.enabled = 1 -description = The following analytic identifies a suspicious process creation of At application. This process can be used by malware, adversaries and red teamers to create persistence entry to the targeted or compromised host with their malicious code. This anomaly detection can be a good indicator to investigate the event before and after this process execution, when it was executed and what schedule task it will execute. +description = The following analytic detects the execution of the "At" application in Linux, which can be used by attackers to create persistence entries on a compromised host. The "At" application can be used for automation purposes by administrators or network operators, so the filter macros should be updated to remove false positives. If a true positive is found, it suggests an attacker is trying to maintain access to the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, ensure you are ingesting logs with the required fields from your endpoints into the Endpoint datamodel. When a true positive is detected, it suggests that an attacker is attempting to establish persistence or deliver additional malicious payloads by leveraging the "At" application. This behavior can lead to data theft, ransomware attacks, or other damaging outcomes.\ +During triage, the SOC analyst should review the context surrounding the execution of the "At" application. This includes identifying the user, the parent process responsible for invoking the application, and the specific command-line arguments used. It is important to consider whether the execution is expected behavior by an administrator or network operator for legitimate automation purposes.\ +The presence of "At" application execution may indicate an attacker's attempt to maintain unauthorized access to the environment. Immediate investigation and response are necessary to mitigate further risks, identify the attacker's intentions, and prevent potential harm to the organization. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.002", "T1053"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a suspicious process creation of At application. This process can be used by malware, adversaries and red teamers to create persistence entry to the targeted or compromised host with their malicious code. This anomaly detection can be a good indicator to investigate the event before and after this process execution, when it was executed and what schedule task it will execute. +action.escu.eli5 = The following analytic detects the execution of the "At" application in Linux, which can be used by attackers to create persistence entries on a compromised host. The "At" application can be used for automation purposes by administrators or network operators, so the filter macros should be updated to remove false positives. If a true positive is found, it suggests an attacker is trying to maintain access to the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, ensure you are ingesting logs with the required fields from your endpoints into the Endpoint datamodel. When a true positive is detected, it suggests that an attacker is attempting to establish persistence or deliver additional malicious payloads by leveraging the "At" application. This behavior can lead to data theft, ransomware attacks, or other damaging outcomes.\ +During triage, the SOC analyst should review the context surrounding the execution of the "At" application. This includes identifying the user, the parent process responsible for invoking the application, and the specific command-line arguments used. It is important to consider whether the execution is expected behavior by an administrator or network operator for legitimate automation purposes.\ +The presence of "At" application execution may indicate an attacker's attempt to maintain unauthorized access to the environment. Immediate investigation and response are necessary to mitigate further risks, identify the attacker's intentions, and prevent potential harm to the organization. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints into the Endpoint datamodel. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. action.escu.known_false_positives = Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. action.escu.creation_date = 2022-05-26 @@ -24845,7 +24816,7 @@ action.escu.full_search_name = ESCU - Linux At Application Execution - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"] +action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"] action.risk = 1 action.risk.param._risk_message = At application was executed in $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 9}] @@ -24856,7 +24827,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux At Application Execution - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.002", "T1053"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.002", "T1053"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -25835,10 +25806,16 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime [ESCU - Linux Edit Cron Table Parameter - Rule] action.escu = 0 action.escu.enabled = 1 -description = The following analytic identifies a suspicious cronjobs modification using crontab edit parameter. This commandline parameter can be abuse by malware author, adversaries, and red red teamers to add cronjob entry to their malicious code to execute to the schedule they want. This event can also be executed by administrator or normal user for automation purposes so filter is needed. +description = The following analytic detects the suspicious editing of cron jobs in Linux via the crontab command-line parameter. This tactic could be used by adversaries or malware to schedule execution of their malicious code, potentially leading to system compromise or unauthorized persistent access. It pinpoints this activity by monitoring command-line executions involving 'crontab' and the edit parameter (-e).\ +Recognizing such activity is vital for a SOC as cron job manipulations might signal unauthorized persistence attempts or scheduled malicious actions, potentially resulting in substantial harm. A true positive signifies an active threat, with implications ranging from unauthorized access to broader network compromise.\ +To implement this analytic, logs capturing process name, parent process, and command-line executions from your endpoints must be ingested.\ +Known false positives could stem from valid administrative tasks or automation processes using crontab. To reduce these, fine-tune the filter macros according to the benign activities within your environment. These adjustments ensure legitimate actions aren't mistaken for threats, allowing analysts to focus on genuine potential risks.\ action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a suspicious cronjobs modification using crontab edit parameter. This commandline parameter can be abuse by malware author, adversaries, and red red teamers to add cronjob entry to their malicious code to execute to the schedule they want. This event can also be executed by administrator or normal user for automation purposes so filter is needed. +action.escu.eli5 = The following analytic detects the suspicious editing of cron jobs in Linux via the crontab command-line parameter. This tactic could be used by adversaries or malware to schedule execution of their malicious code, potentially leading to system compromise or unauthorized persistent access. It pinpoints this activity by monitoring command-line executions involving 'crontab' and the edit parameter (-e).\ +Recognizing such activity is vital for a SOC as cron job manipulations might signal unauthorized persistence attempts or scheduled malicious actions, potentially resulting in substantial harm. A true positive signifies an active threat, with implications ranging from unauthorized access to broader network compromise.\ +To implement this analytic, logs capturing process name, parent process, and command-line executions from your endpoints must be ingested.\ +Known false positives could stem from valid administrative tasks or automation processes using crontab. To reduce these, fine-tune the filter macros according to the benign activities within your environment. These adjustments ensure legitimate actions aren't mistaken for threats, allowing analysts to focus on genuine potential risks.\ action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. action.escu.known_false_positives = Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. action.escu.creation_date = 2021-12-17 @@ -25848,13 +25825,13 @@ action.escu.full_search_name = ESCU - Linux Edit Cron Table Parameter - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"] +action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Edit Cron Table Parameter - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -26633,7 +26610,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the process name of Java, Apache, or Tomcat spawning a Linux shell. This is potentially indicative of exploitation of the Java application and may be related to current event CVE-2021-44228 (Log4Shell). The shells included in the macro are "sh", "ksh", "zsh", "bash", "dash", "rbash", "fish", "csh', "tcsh', "ion", "eshell". Upon triage, review parallel processes and command-line arguments to determine legitimacy. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies the process name of Java, Apache, or Tomcat spawning a Linux shell. This is potentially indicative of exploitation of the Java application and may be related to current event CVE-2021-44228 (Log4Shell). The shells included in the macro are "sh", "ksh", "zsh", "bash", "dash", "rbash", "fish", "csh', "tcsh', "ion", "eshell". Upon triage, review parallel processes and command-line arguments to determine legitimacy. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon for Linux, you will need to ensure mapping is occurring correctly. Ensure EDR product is mapping OS Linux to the datamodel properly. Add any additional java process names for your environment to the analytic as needed. @@ -26656,7 +26633,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Java Spawning Shell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Spring4Shell CVE-2022-22965", "Hermetic Wiper", "Log4Shell CVE-2021-44228"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2021-44228"], "impact": 80, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Data Destruction", "Spring4Shell CVE-2022-22965", "Hermetic Wiper", "Log4Shell CVE-2021-44228"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2021-44228"], "impact": 80, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -27320,10 +27297,12 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime [ESCU - Linux Possible Append Command To At Allow Config File - Rule] action.escu = 0 action.escu.enabled = 1 -description = This analytic looks for suspicious commandline that may use to append user entry to /etc/at.allow or /etc/at.deny. These 2 files are commonly abused by malware, adversaries or red teamers to persist on the targeted or compromised host. These config file can restrict user that can only execute at application (another schedule task application in linux). attacker can create a user or add the compromised username to that config file to execute at to schedule it malicious code. This anomaly detection can be a good indicator to investigate further the entry in created config file and who created it to verify if it is a false positive. +description = The following analytic is designed to identify suspicious command lines that may append user entries to either /etc/at.allow or /etc/at.deny. These files can be exploited by malicious actors for persistence on a compromised Linux host by altering permissions for scheduled tasks using the at command.\ +In this context, an attacker can create a user or add an existing user to these configuration files to execute their malicious code through scheduled tasks. The detection of such anomalous behavior can serve as an effective indicator warranting further investigation to validate if the activity is indeed malicious or a false positive. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.002", "T1053"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for suspicious commandline that may use to append user entry to /etc/at.allow or /etc/at.deny. These 2 files are commonly abused by malware, adversaries or red teamers to persist on the targeted or compromised host. These config file can restrict user that can only execute at application (another schedule task application in linux). attacker can create a user or add the compromised username to that config file to execute at to schedule it malicious code. This anomaly detection can be a good indicator to investigate further the entry in created config file and who created it to verify if it is a false positive. +action.escu.eli5 = The following analytic is designed to identify suspicious command lines that may append user entries to either /etc/at.allow or /etc/at.deny. These files can be exploited by malicious actors for persistence on a compromised Linux host by altering permissions for scheduled tasks using the at command.\ +In this context, an attacker can create a user or add an existing user to these configuration files to execute their malicious code through scheduled tasks. The detection of such anomalous behavior can serve as an effective indicator warranting further investigation to validate if the activity is indeed malicious or a false positive. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. action.escu.known_false_positives = Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives. action.escu.creation_date = 2022-05-26 @@ -27333,7 +27312,7 @@ action.escu.full_search_name = ESCU - Linux Possible Append Command To At Allow action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques"] +action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques", "Scheduled Tasks"] action.risk = 1 action.risk.param._risk_message = A commandline $process$ that may modify at allow config file in $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 9}] @@ -27344,7 +27323,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Possible Append Command To At Allow Config File - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.002", "T1053"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 30, "impact": 30, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.002", "T1053"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -27400,12 +27379,16 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime [ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule] action.escu = 0 action.escu.enabled = 1 -description = This analytic looks for possible suspicious commandline that may use to append a code to any existing cronjob files for persistence or privilege escalation. This technique is commonly abused by malware, adversaries and red teamers to automatically execute their code within a existing or sometimes in normal cronjob script file. +description = The following analytic is designed to detect potential tampering with cronjob files on a Linux system. It specifically searches for command lines that may be used to append code to existing cronjob files, a technique often employed by adversaries, malware, and red teamers for persistence or privilege escalation. Altering existing or sometimes normal cronjob script files allows malicious code to be executed automatically.\ +The analytic operates by monitoring logs for specific process names, parent processes, and command-line executions from your endpoints. It specifically checks for any 'echo' command which modifies files in directories commonly associated with cron jobs such as '/etc/cron*', '/var/spool/cron/', and '/etc/anacrontab'. If such activity is detected, an alert is triggered.\ +This behavior is worth identifying for a SOC because malicious cron jobs can lead to system compromises and unauthorized data access, impacting business operations and data integrity. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for possible suspicious commandline that may use to append a code to any existing cronjob files for persistence or privilege escalation. This technique is commonly abused by malware, adversaries and red teamers to automatically execute their code within a existing or sometimes in normal cronjob script file. +action.escu.eli5 = The following analytic is designed to detect potential tampering with cronjob files on a Linux system. It specifically searches for command lines that may be used to append code to existing cronjob files, a technique often employed by adversaries, malware, and red teamers for persistence or privilege escalation. Altering existing or sometimes normal cronjob script files allows malicious code to be executed automatically.\ +The analytic operates by monitoring logs for specific process names, parent processes, and command-line executions from your endpoints. It specifically checks for any 'echo' command which modifies files in directories commonly associated with cron jobs such as '/etc/cron*', '/var/spool/cron/', and '/etc/anacrontab'. If such activity is detected, an alert is triggered.\ +This behavior is worth identifying for a SOC because malicious cron jobs can lead to system compromises and unauthorized data access, impacting business operations and data integrity. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -action.escu.known_false_positives = Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives. +action.escu.known_false_positives = False positives may arise from legitimate actions by administrators or network operators who may use these commands for automation purposes. Therefore, it's recommended to adjust filter macros to eliminate such false positives. action.escu.creation_date = 2021-12-17 action.escu.modification_date = 2021-12-17 action.escu.confidence = high @@ -27413,13 +27396,13 @@ action.escu.full_search_name = ESCU - Linux Possible Append Cronjob Entry on Exi action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"] +action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -27435,10 +27418,16 @@ search = | tstats `security_content_summariesonly` count from datamodel=Endpoint [ESCU - Linux Possible Cronjob Modification With Editor - Rule] action.escu = 0 action.escu.enabled = 1 -description = This analytic looks for possible modification of cronjobs file using editor. This event is can be seen in normal user but can also be a good hunting indicator for unwanted user modifying cronjobs for possible persistence or privilege escalation. +description = The following analytic detects potential unauthorized modifications to Linux cronjobs using text editors like "nano", "vi" or "vim". It identifies this behavior by tracking command-line executions that interact with paths related to cronjob configuration, a common Linux scheduling utility. Cronjob files may be manipulated by attackers for privilege escalation or persistent access, making such changes critical to monitor.\ The identified behavior is significant for a Security Operations Center (SOC) as it could indicate an ongoing attempt at establishing persistent access or privilege escalation, leading to data breaches, system compromise, or other malicious activities.\ +In case of a true positive, the impact could be severe. An attacker with escalated privileges or persistent access could carry out damaging actions, such as data theft, sabotage, or further network penetration.\ +To implement this analytic, ensure ingestion of logs tracking process name, parent process, and command-line executions from your endpoints. Utilize the Add-on for Linux Sysmon from Splunkbase if you're using Sysmon.\ +Known false positives include legitimate administrative tasks, as these commands may also be used for benign purposes. Careful tuning and filtering based on known benign activity in your environment can minimize these instances. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for possible modification of cronjobs file using editor. This event is can be seen in normal user but can also be a good hunting indicator for unwanted user modifying cronjobs for possible persistence or privilege escalation. +action.escu.eli5 = The following analytic detects potential unauthorized modifications to Linux cronjobs using text editors like "nano", "vi" or "vim". It identifies this behavior by tracking command-line executions that interact with paths related to cronjob configuration, a common Linux scheduling utility. Cronjob files may be manipulated by attackers for privilege escalation or persistent access, making such changes critical to monitor.\ The identified behavior is significant for a Security Operations Center (SOC) as it could indicate an ongoing attempt at establishing persistent access or privilege escalation, leading to data breaches, system compromise, or other malicious activities.\ +In case of a true positive, the impact could be severe. An attacker with escalated privileges or persistent access could carry out damaging actions, such as data theft, sabotage, or further network penetration.\ +To implement this analytic, ensure ingestion of logs tracking process name, parent process, and command-line executions from your endpoints. Utilize the Add-on for Linux Sysmon from Splunkbase if you're using Sysmon.\ +Known false positives include legitimate administrative tasks, as these commands may also be used for benign purposes. Careful tuning and filtering based on known benign activity in your environment can minimize these instances. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. action.escu.known_false_positives = Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives. action.escu.creation_date = 2021-12-17 @@ -27448,13 +27437,13 @@ action.escu.full_search_name = ESCU - Linux Possible Cronjob Modification With E action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"] +action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Possible Cronjob Modification With Editor - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 30, "impact": 20, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 30, "impact": 20, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.003", "T1053"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -27722,12 +27711,14 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime [ESCU - Linux Service File Created In Systemd Directory - Rule] action.escu = 0 action.escu.enabled = 1 -description = This analytic looks for suspicious file creation in systemd timer directory in linux platform. systemd is a system and service manager for Linux distributions. From the Windows perspective, this process fulfills the duties of wininit.exe and services.exe combined. At the risk of simplifying the functionality of systemd, it initializes a Linux system and starts relevant services that are defined in service unit files. Adversaries, malware and red teamers may abuse this this feature by stashing systemd service file to persist on the targetted or compromised host. +description = The following analytic is designed to detect suspicious file creation within the systemd timer directory on Linux platforms. Systemd is a system and service manager for Linux, similar to the combination of wininit.exe and services.exe on Windows. This process initializes a Linux system and starts defined services in unit files. Malicious actors, such as adversaries, malware, or red teamers, can exploit this feature by embedding a systemd service file for persistence on the targeted or compromised host.\ +The analytic works by monitoring logs with file name, file path, and process GUID data from your endpoints. If a .service file is created in certain systemd directories, the analytic triggers an alert. This behavior is significant for a Security Operations Center (SOC) as it may indicate a persistent threat within the network, with a potential impact of system compromise or data exfiltration. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for suspicious file creation in systemd timer directory in linux platform. systemd is a system and service manager for Linux distributions. From the Windows perspective, this process fulfills the duties of wininit.exe and services.exe combined. At the risk of simplifying the functionality of systemd, it initializes a Linux system and starts relevant services that are defined in service unit files. Adversaries, malware and red teamers may abuse this this feature by stashing systemd service file to persist on the targetted or compromised host. +action.escu.eli5 = The following analytic is designed to detect suspicious file creation within the systemd timer directory on Linux platforms. Systemd is a system and service manager for Linux, similar to the combination of wininit.exe and services.exe on Windows. This process initializes a Linux system and starts defined services in unit files. Malicious actors, such as adversaries, malware, or red teamers, can exploit this feature by embedding a systemd service file for persistence on the targeted or compromised host.\ +The analytic works by monitoring logs with file name, file path, and process GUID data from your endpoints. If a .service file is created in certain systemd directories, the analytic triggers an alert. This behavior is significant for a Security Operations Center (SOC) as it may indicate a persistent threat within the network, with a potential impact of system compromise or data exfiltration. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -action.escu.known_false_positives = Administrator or network operator can create file in systemd folders for automation purposes. Please update the filter macros to remove false positives. +action.escu.known_false_positives = False positives may arise when administrators or network operators create files in systemd directories for legitimate automation tasks. Therefore, it's important to adjust filter macros to account for valid activities. To implement this search successfully, it's crucial to ingest appropriate logs, preferably using the Linux Sysmon Add-on from Splunkbase for those using Sysmon. action.escu.creation_date = 2021-12-20 action.escu.modification_date = 2021-12-20 action.escu.confidence = high @@ -27735,7 +27726,7 @@ action.escu.full_search_name = ESCU - Linux Service File Created In Systemd Dire action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"] +action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"] action.risk = 1 action.risk.param._risk_message = A service file named as $file_path$ is created in systemd folder on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] @@ -27746,7 +27737,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Service File Created In Systemd Directory - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -27762,10 +27753,14 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime [ESCU - Linux Service Restarted - Rule] action.escu = 0 action.escu.enabled = 1 -description = This analytic looks for restarted or re-enable services in the linux platform. This technique can be executed or performed using systemctl or service tool application. Adversaries may create or modify Linux services to repeatedly execute malicious payloads as part of persistence. When the linux host boots up, it starts programs or applications called services that perform background system functions. Administrator may also create a legitimated service for a specific tool or normal application as part of task or automation, in this scenario it is suggested to look for the service path of the actual script or executable that registered as service and who created the service for further verification. +description = The following analytic detects the restarting or re-enabling of services in the Linux platform. It focuses on the use of the systemctl or service tools for executing these actions. Adversaries may leverage this technique to repeatedly execute malicious payloads as a form of persistence. Linux hosts typically start services during boot to perform background system functions. However, administrators may also create legitimate services for specific tools or applications as part of task automation. In such cases, it is recommended to verify the service path of the registered script or executable and identify the creator of the service for further validation.\ +It's important to be aware that this analytic may generate false positives as administrators or network operators may use the same command-line for legitimate automation purposes. Filter macros should be updated accordingly to minimize false positives.\ +Identifying restarted or re-enabled services is valuable for a SOC as it can indicate potential malicious activities attempting to maintain persistence or execute unauthorized actions on Linux systems. By detecting and investigating these events, security analysts can respond promptly to mitigate risks and prevent further compromise. The impact of a true positive can range from unauthorized access to data destruction or other damaging outcomes. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for restarted or re-enable services in the linux platform. This technique can be executed or performed using systemctl or service tool application. Adversaries may create or modify Linux services to repeatedly execute malicious payloads as part of persistence. When the linux host boots up, it starts programs or applications called services that perform background system functions. Administrator may also create a legitimated service for a specific tool or normal application as part of task or automation, in this scenario it is suggested to look for the service path of the actual script or executable that registered as service and who created the service for further verification. +action.escu.eli5 = The following analytic detects the restarting or re-enabling of services in the Linux platform. It focuses on the use of the systemctl or service tools for executing these actions. Adversaries may leverage this technique to repeatedly execute malicious payloads as a form of persistence. Linux hosts typically start services during boot to perform background system functions. However, administrators may also create legitimate services for specific tools or applications as part of task automation. In such cases, it is recommended to verify the service path of the registered script or executable and identify the creator of the service for further validation.\ +It's important to be aware that this analytic may generate false positives as administrators or network operators may use the same command-line for legitimate automation purposes. Filter macros should be updated accordingly to minimize false positives.\ +Identifying restarted or re-enabled services is valuable for a SOC as it can indicate potential malicious activities attempting to maintain persistence or execute unauthorized actions on Linux systems. By detecting and investigating these events, security analysts can respond promptly to mitigate risks and prevent further compromise. The impact of a true positive can range from unauthorized access to data destruction or other damaging outcomes. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and commandline executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. action.escu.known_false_positives = Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives. action.escu.creation_date = 2023-04-14 @@ -27775,7 +27770,7 @@ action.escu.full_search_name = ESCU - Linux Service Restarted - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AwfulShred", "Linux Privilege Escalation", "Linux Living Off The Land", "Data Destruction", "Linux Persistence Techniques"] +action.escu.analytic_story = ["AwfulShred", "Linux Privilege Escalation", "Linux Living Off The Land", "Data Destruction", "Linux Persistence Techniques", "Scheduled Tasks"] action.risk = 1 action.risk.param._risk_message = A commandline $process$ that may create or start a service on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] @@ -27786,7 +27781,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Service Restarted - Rule -action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Linux Privilege Escalation", "Linux Living Off The Land", "Data Destruction", "Linux Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["AwfulShred", "Linux Privilege Escalation", "Linux Living Off The Land", "Data Destruction", "Linux Persistence Techniques", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -27802,10 +27797,10 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime [ESCU - Linux Service Started Or Enabled - Rule] action.escu = 0 action.escu.enabled = 1 -description = This analytic looks for created or enable services in linux platform. This technique can be executed or performed using systemctl or service tool application. Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Administrator may also create a legitimated service for a specific tool or normal application as part of task or automation, in this scenario it is suggested to look for the service path of the actual script or executable that register as service and who created the service for further verification. +description = The following analytic detects the creation or enabling of services in Linux platforms, specifically using the systemctl or service tool application. This behavior is worth identifying as adversaries may create or modify services to execute malicious payloads as part of persistence. Legitimate services created by administrators for automation purposes may also trigger this analytic, so it is important to update the filter macros to remove false positives. If a true positive is found, it suggests an possible attacker is attempting to persist within the environment or deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, ensure you are ingesting logs with the process name, parent process, and command-line executions from your endpoints. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for created or enable services in linux platform. This technique can be executed or performed using systemctl or service tool application. Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Administrator may also create a legitimated service for a specific tool or normal application as part of task or automation, in this scenario it is suggested to look for the service path of the actual script or executable that register as service and who created the service for further verification. +action.escu.eli5 = The following analytic detects the creation or enabling of services in Linux platforms, specifically using the systemctl or service tool application. This behavior is worth identifying as adversaries may create or modify services to execute malicious payloads as part of persistence. Legitimate services created by administrators for automation purposes may also trigger this analytic, so it is important to update the filter macros to remove false positives. If a true positive is found, it suggests an possible attacker is attempting to persist within the environment or deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, ensure you are ingesting logs with the process name, parent process, and command-line executions from your endpoints. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. action.escu.known_false_positives = Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives. action.escu.creation_date = 2021-12-20 @@ -27815,7 +27810,7 @@ action.escu.full_search_name = ESCU - Linux Service Started Or Enabled - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"] +action.escu.analytic_story = ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"] action.risk = 1 action.risk.param._risk_message = a commandline $process$ that may create or start a service on $dest action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 42}] @@ -27826,7 +27821,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Linux Service Started Or Enabled - Rule -action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land"], "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Linux Privilege Escalation", "Linux Persistence Techniques", "Linux Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 70, "impact": 60, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.006", "T1053"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -28422,7 +28417,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following correlation identifies a distinct amount of analytics associated with the Living Off The Land analytic story that identify potentially suspicious behavior. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command And Control", "Delivery", "Installation"], "mitre_attack": ["T1105", "T1190", "T1059"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command And Control", "Delivery", "Installation"], "mitre_attack": ["T1105", "T1190", "T1059", "T1133"], "nist": ["DE.AE"]} action.escu.data_models = ["Risk"] action.escu.eli5 = The following correlation identifies a distinct amount of analytics associated with the Living Off The Land analytic story that identify potentially suspicious behavior. action.escu.how_to_implement = To implement this correlation search a user needs to enable all detections in the Living Off The Land Analytic Story and confirm it is generating risk events. A simple search `index=risk analyticstories="Living Off The Land"` should contain events. @@ -28440,7 +28435,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - RIR - Living Off The Land - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Command And Control", "Delivery", "Installation"], "mitre_attack": ["T1105", "T1190", "T1059"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Command And Control", "Delivery", "Installation"], "mitre_attack": ["T1105", "T1190", "T1059", "T1133"], "nist": ["DE.AE"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -28579,7 +28574,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = This correlation find exploitation of Log4Shell CVE-2021-44228 against systems using detections from Splunk Security Content Analytic Story. It does this by calculating the distinct count of MITRE ATT&CK tactics from Log4Shell detections fired. If the count is larger than 2 or more distinct MITRE ATT&CK tactics we assume high problability of exploitation. The Analytic story breaks down into 3 major phases of a Log4Shell exploitation, specifically> Initial Payload delivery eg. `${jndi:ldap://PAYLOAD_INJECTED}` Call back to malicious LDAP server eg. Exploit.class Post Exploitation Activity/Lateral Movement using Powershell or similar T1562.001 Each of these phases fall into different MITRE ATT&CK Tactics (Initial Access, Execution, Command And Control), by looking into 2 or more phases showing up in detections triggerd is how this correlation search finds exploitation. If we get a notable from this correlation search the best way to triage it is by investigating the affected systems against Log4Shell exploitation using Splunk SOAR playbooks. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command And Control", "Delivery", "Installation"], "mitre_attack": ["T1105", "T1190", "T1059"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Command And Control", "Delivery", "Installation"], "mitre_attack": ["T1105", "T1190", "T1059", "T1133"], "nist": ["DE.AE"]} action.escu.data_models = ["Risk"] action.escu.eli5 = This correlation find exploitation of Log4Shell CVE-2021-44228 against systems using detections from Splunk Security Content Analytic Story. It does this by calculating the distinct count of MITRE ATT&CK tactics from Log4Shell detections fired. If the count is larger than 2 or more distinct MITRE ATT&CK tactics we assume high problability of exploitation. The Analytic story breaks down into 3 major phases of a Log4Shell exploitation, specifically> Initial Payload delivery eg. `${jndi:ldap://PAYLOAD_INJECTED}` Call back to malicious LDAP server eg. Exploit.class Post Exploitation Activity/Lateral Movement using Powershell or similar T1562.001 Each of these phases fall into different MITRE ATT&CK Tactics (Initial Access, Execution, Command And Control), by looking into 2 or more phases showing up in detections triggerd is how this correlation search finds exploitation. If we get a notable from this correlation search the best way to triage it is by investigating the affected systems against Log4Shell exploitation using Splunk SOAR playbooks. action.escu.how_to_implement = To implement this correlation search a user needs to enable all detections in the Log4Shell Analytic Story and confirm it is generation risk events. A simple search `index=risk analyticstories="Log4Shell CVE-2021-44228"` should contain events. @@ -28597,7 +28592,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - RIR - Log4Shell CVE-2021-44228 Exploitation - Rule -action.correlationsearch.annotations = {"analytic_story": ["Log4Shell CVE-2021-44228", "CISA AA22-320A"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Command And Control", "Delivery", "Installation"], "mitre_attack": ["T1105", "T1190", "T1059"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Log4Shell CVE-2021-44228", "CISA AA22-320A"], "cis20": ["CIS 10"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Command And Control", "Delivery", "Installation"], "mitre_attack": ["T1105", "T1190", "T1059", "T1133"], "nist": ["DE.AE"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -29345,7 +29340,7 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint action.escu = 0 action.escu.enabled = 1 description = The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell. Paths include: `\HttpProxy\owa\auth\`, `\inetpub\wwwroot\aspnet_client\`, and `\HttpProxy\OAB\`. The analytic is limited to process name MSExchangeMailboxReplication.exe, which typically does not write .aspx files to disk. Upon triage, the suspicious .aspx file will likely look obvious on the surface. inspect the contents for script code inside. Identify additional log sources, IIS included, to review source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically analytics to detect those threats are written without the benefit of being able to only target those systems as well. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the exchange server is communicating with new systems that it has not previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise allowing the hunter to focus only on the systems where this behavioral change is relevant. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505", "T1505.003", "T1190"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505", "T1505.003", "T1190", "T1133"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell. Paths include: `\HttpProxy\owa\auth\`, `\inetpub\wwwroot\aspnet_client\`, and `\HttpProxy\OAB\`. The analytic is limited to process name MSExchangeMailboxReplication.exe, which typically does not write .aspx files to disk. Upon triage, the suspicious .aspx file will likely look obvious on the surface. inspect the contents for script code inside. Identify additional log sources, IIS included, to review source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically analytics to detect those threats are written without the benefit of being able to only target those systems as well. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the exchange server is communicating with new systems that it has not previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise allowing the hunter to focus only on the systems where this behavioral change is relevant. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node. @@ -29368,7 +29363,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - MS Exchange Mailbox Replication service writing Active Server Pages - Rule -action.correlationsearch.annotations = {"analytic_story": ["ProxyShell", "Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505", "T1505.003", "T1190"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["ProxyShell", "Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505", "T1505.003", "T1190", "T1133"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -29705,20 +29700,20 @@ action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following hunting analytic will identify the use of localgroup discovery using `net localgroup`. During triage, review parallel processes and identify any further suspicious behavior. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. action.escu.known_false_positives = False positives may be present. Tune as needed. -action.escu.creation_date = 2021-09-14 -action.escu.modification_date = 2021-09-14 +action.escu.creation_date = 2023-06-13 +action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - Net Localgroup Discovery - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Discovery", "Windows Discovery Techniques", "Azorult", "Windows Post-Exploitation", "Prestige Ransomware", "Volt Typhoon", "IcedID"] +action.escu.analytic_story = ["Prestige Ransomware", "Volt Typhoon", "Graceful Wipe Out Attack", "IcedID", "Windows Discovery Techniques", "Windows Post-Exploitation", "Azorult", "Active Directory Discovery"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Net Localgroup Discovery - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Discovery", "Windows Discovery Techniques", "Azorult", "Windows Post-Exploitation", "Prestige Ransomware", "Volt Typhoon", "IcedID"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Prestige Ransomware", "Volt Typhoon", "Graceful Wipe Out Attack", "IcedID", "Windows Discovery Techniques", "Windows Post-Exploitation", "Azorult", "Active Directory Discovery"], "cis20": ["CIS 10"], "confidence": 50, "impact": 30, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1069", "T1069.001"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -30916,7 +30911,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = A required step while exploiting the CVE-2021-44228-Log4j vulnerability is that the victim server will perform outbound connections to attacker-controlled infrastructure. This is required as part of the JNDI lookup as well as for retrieving the second stage .class payload. The following analytic identifies the Java process reaching out to default ports used by the LDAP and RMI protocols. This behavior could represent successfull exploitation. Note that adversaries can easily decide to use arbitrary ports for these protocols and potentially bypass this detection. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint", "Network_Traffic"] action.escu.eli5 = A required step while exploiting the CVE-2021-44228-Log4j vulnerability is that the victim server will perform outbound connections to attacker-controlled infrastructure. This is required as part of the JNDI lookup as well as for retrieving the second stage .class payload. The following analytic identifies the Java process reaching out to default ports used by the LDAP and RMI protocols. This behavior could represent successfull exploitation. Note that adversaries can easily decide to use arbitrary ports for these protocols and potentially bypass this detection. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. @@ -30939,7 +30934,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Outbound Network Connection from Java Using Default Ports - Rule -action.correlationsearch.annotations = {"analytic_story": ["Log4Shell CVE-2021-44228"], "cis20": ["CIS 10"], "confidence": 60, "cve": ["CVE-2021-44228"], "impact": 90, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Log4Shell CVE-2021-44228"], "cis20": ["CIS 10"], "confidence": 60, "cve": ["CVE-2021-44228"], "impact": 90, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -31008,7 +31003,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following hunting analytic is designed to monitor and detect potential exploitation attempts targeting a PaperCut NG server by analyzing its debug log data. By focusing on public IP addresses accessing the PaperCut NG instance, this analytic aims to identify unauthorized or suspicious access attempts. Furthermore, it searches for specific URIs that have been discovered in the proof of concept code, which are associated with known exploits or vulnerabilities. The analytic is focused on the user admin. Regex is used mainly because the log is not parsed by Splunk and there is no TA for this debug log. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]} action.escu.data_models = [] action.escu.eli5 = The following hunting analytic is designed to monitor and detect potential exploitation attempts targeting a PaperCut NG server by analyzing its debug log data. By focusing on public IP addresses accessing the PaperCut NG instance, this analytic aims to identify unauthorized or suspicious access attempts. Furthermore, it searches for specific URIs that have been discovered in the proof of concept code, which are associated with known exploits or vulnerabilities. The analytic is focused on the user admin. Regex is used mainly because the log is not parsed by Splunk and there is no TA for this debug log. action.escu.how_to_implement = Debug logs must be enabled and shipped to Splunk in order to properly identify behavior with this analytic. @@ -31026,7 +31021,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - PaperCut NG Suspicious Behavior Debug Log - Rule -action.correlationsearch.annotations = {"analytic_story": ["PaperCut MF NG Vulnerability"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["PaperCut MF NG Vulnerability"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -31299,10 +31294,12 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime [ESCU - Possible Lateral Movement PowerShell Spawn - Rule] action.escu = 0 action.escu.enabled = 1 -description = The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution. +description = The following analytic is designed to identify possible lateral movement attacks that involve the spawning of a PowerShell process as a child or grandchild process of commonly abused processes. These processes include services.exe, wmiprsve.exe, svchost.exe, wsmprovhost.exe, and mmc.exe.\ +Such behavior is indicative of legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management, and the DCOM protocol being abused to start a process on a remote endpoint. This behavior is often seen during lateral movement techniques where adversaries or red teams abuse these services for lateral movement and remote code execution. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1021", "T1021.003", "T1021.006", "T1047", "T1053.005", "T1543.003", "T1059.001", "T1218.014"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution. +action.escu.eli5 = The following analytic is designed to identify possible lateral movement attacks that involve the spawning of a PowerShell process as a child or grandchild process of commonly abused processes. These processes include services.exe, wmiprsve.exe, svchost.exe, wsmprovhost.exe, and mmc.exe.\ +Such behavior is indicative of legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management, and the DCOM protocol being abused to start a process on a remote endpoint. This behavior is often seen during lateral movement techniques where adversaries or red teams abuse these services for lateral movement and remote code execution. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. action.escu.known_false_positives = Legitimate applications may spawn PowerShell as a child process of the the identified processes. Filter as needed. action.escu.creation_date = 2023-04-14 @@ -31312,7 +31309,7 @@ action.escu.full_search_name = ESCU - Possible Lateral Movement PowerShell Spawn action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Lateral Movement", "Malicious PowerShell", "Hermetic Wiper", "Data Destruction"] +action.escu.analytic_story = ["Active Directory Lateral Movement", "Malicious PowerShell", "Hermetic Wiper", "Data Destruction", "Scheduled Tasks"] action.risk = 1 action.risk.param._risk_message = A PowerShell process was spawned as a child process of typically abused processes on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 45}] @@ -31323,11 +31320,12 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Possible Lateral Movement PowerShell Spawn - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Malicious PowerShell", "Hermetic Wiper", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1021", "T1021.003", "T1021.006", "T1047", "T1053.005", "T1543.003", "T1059.001", "T1218.014"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Malicious PowerShell", "Hermetic Wiper", "Data Destruction", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Exploitation", "Installation"], "mitre_attack": ["T1021", "T1021.003", "T1021.006", "T1047", "T1053.005", "T1543.003", "T1059.001", "T1218.014"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution. +action.notable.param.rule_description = The following analytic is designed to identify possible lateral movement attacks that involve the spawning of a PowerShell process as a child or grandchild process of commonly abused processes. These processes include services.exe, wmiprsve.exe, svchost.exe, wsmprovhost.exe, and mmc.exe.\ +Such behavior is indicative of legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management, and the DCOM protocol being abused to start a process on a remote endpoint. This behavior is often seen during lateral movement techniques where adversaries or red teams abuse these services for lateral movement and remote code execution. action.notable.param.rule_title = Possible Lateral Movement PowerShell Spawn action.notable.param.security_domain = endpoint action.notable.param.severity = high @@ -31426,8 +31424,8 @@ action.escu.data_models = [] action.escu.eli5 = The following Hunting analytic assists with identifying suspicious PowerShell execution using Script Block Logging, or EventCode 4104. This analytic is not meant to be ran hourly, but occasionally to identify malicious or suspicious PowerShell. This analytic is a combination of work completed by Alex Teixeira and Splunk Threat Research Team. action.escu.how_to_implement = The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. action.escu.known_false_positives = Limited false positives. May filter as needed. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 +action.escu.creation_date = 2023-06-14 +action.escu.modification_date = 2023-06-14 action.escu.confidence = high action.escu.full_search_name = ESCU - PowerShell 4104 Hunting - Rule action.escu.search_type = detection @@ -31450,7 +31448,7 @@ relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false -search = `powershell` EventCode=4104 | eval DoIt = if(match(ScriptBlockText,"(?i)(\$doit)"), "4", 0) | eval enccom=if(match(ScriptBlockText,"[A-Za-z0-9+\/]{44,}([A-Za-z0-9+\/]{4}|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{2}==)") OR match(ScriptBlockText, "(?i)[-]e(nc*o*d*e*d*c*o*m*m*a*n*d*)*\s+[^-]"),4,0) | eval suspcmdlet=if(match(ScriptBlockText, "(?i)Add-Exfiltration|Add-Persistence|Add-RegBackdoor|Add-ScrnSaveBackdoor|Check-VM|Do-Exfiltration|Enabled-DuplicateToken|Exploit-Jboss|Find-Fruit|Find-GPOLocation|Find-TrustedDocuments|Get-ApplicationHost|Get-ChromeDump|Get-ClipboardContents|Get-FoxDump|Get-GPPPassword|Get-IndexedItem|Get-Keystrokes|LSASecret|Get-PassHash|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-RickAstley|Get-Screenshot|Get-SecurityPackages|Get-ServiceFilePermission|Get-ServicePermission|Get-ServiceUnquoted|Get-SiteListPassword|Get-System|Get-TimedScreenshot|Get-UnattendedInstallFile|Get-Unconstrained|Get-VaultCredential|Get-VulnAutoRun|Get-VulnSchTask|Gupt-Backdoor|HTTP-Login|Install-SSP|Install-ServiceBinary|Invoke-ACLScanner|Invoke-ADSBackdoor|Invoke-ARPScan|Invoke-AllChecks|Invoke-BackdoorLNK|Invoke-BypassUAC|Invoke-CredentialInjection|Invoke-DCSync|Invoke-DllInjection|Invoke-DowngradeAccount|Invoke-EgressCheck|Invoke-Inveigh|Invoke-InveighRelay|Invoke-Mimikittenz|Invoke-NetRipper|Invoke-NinjaCopy|Invoke-PSInject|Invoke-Paranoia|Invoke-PortScan|Invoke-PoshRat|Invoke-PostExfil|Invoke-PowerDump|Invoke-PowerShellTCP|Invoke-PsExec|Invoke-PsUaCme|Invoke-ReflectivePEInjection|Invoke-ReverseDNSLookup|Invoke-RunAs|Invoke-SMBScanner|Invoke-SSHCommand|Invoke-Service|Invoke-Shellcode|Invoke-Tater|Invoke-ThunderStruck|Invoke-Token|Invoke-UserHunter|Invoke-VoiceTroll|Invoke-WScriptBypassUAC|Invoke-WinEnum|MailRaider|New-HoneyHash|Out-Minidump|Port-Scan|PowerBreach|PowerUp|PowerView|Remove-Update|Set-MacAttribute|Set-Wallpaper|Show-TargetScreen|Start-CaptureServer|VolumeShadowCopyTools|NEEEEWWW|(Computer|User)Property|CachedRDPConnection|get-net\S+|invoke-\S+hunter|Install-Service|get-\S+(credent|password)|remoteps|Kerberos.*(policy|ticket)|netfirewall|Uninstall-Windows|Verb\s+Runas|AmsiBypass|nishang|Invoke-Interceptor|EXEonRemote|NetworkRelay|PowerShelludp|PowerShellIcmp|CreateShortcut|copy-vss|invoke-dll|invoke-mass|out-shortcut|Invoke-ShellCommand"),1,0) | eval base64 = if(match(lower(ScriptBlockText),"frombase64"), "4", 0) | eval empire=if(match(lower(ScriptBlockText),"system.net.webclient") AND match(lower(ScriptBlockText), "frombase64string") ,5,0) | eval mimikatz=if(match(lower(ScriptBlockText),"mimikatz") OR match(lower(ScriptBlockText), "-dumpcr") OR match(lower(ScriptBlockText), "SEKURLSA::Pth") OR match(lower(ScriptBlockText), "kerberos::ptt") OR match(lower(ScriptBlockText), "kerberos::golden") ,5,0) | eval iex = if(match(lower(ScriptBlockText),"iex"), "2", 0) | eval webclient=if(match(lower(ScriptBlockText),"http") OR match(lower(ScriptBlockText),"web(client|request)") OR match(lower(ScriptBlockText),"socket") OR match(lower(ScriptBlockText),"download(file|string)") OR match(lower(ScriptBlockText),"bitstransfer") OR match(lower(ScriptBlockText),"internetexplorer.application") OR match(lower(ScriptBlockText),"xmlhttp"),5,0) | eval get = if(match(lower(ScriptBlockText),"get-"), "1", 0) | eval rundll32 = if(match(lower(ScriptBlockText),"rundll32"), "4", 0) | eval suspkeywrd=if(match(ScriptBlockText, "(?i)(bitstransfer|mimik|metasp|AssemblyBuilderAccess|Reflection\.Assembly|shellcode|injection|cnvert|shell\.application|start-process|Rc4ByteStream|System\.Security\.Cryptography|lsass\.exe|localadmin|LastLoggedOn|hijack|BackupPrivilege|ngrok|comsvcs|backdoor|brute.?force|Port.?Scan|Exfiltration|exploit|DisableRealtimeMonitoring|beacon)"),1,0) | eval syswow64 = if(match(lower(ScriptBlockText),"syswow64"), "3", 0) | eval httplocal = if(match(lower(ScriptBlockText),"http://127.0.0.1"), "4", 0) | eval reflection = if(match(lower(ScriptBlockText),"reflection"), "1", 0) | eval invokewmi=if(match(lower(ScriptBlockText), "(?i)(wmiobject|WMIMethod|RemoteWMI|PowerShellWmi|wmicommand)"),5,0) | eval downgrade=if(match(ScriptBlockText, "(?i)([-]ve*r*s*i*o*n*\s+2)") OR match(lower(ScriptBlockText),"powershell -version"),3,0) | eval compressed=if(match(ScriptBlockText, "(?i)GZipStream|::Decompress|IO.Compression|write-zip|(expand|compress)-Archive"),5,0) | eval invokecmd = if(match(lower(ScriptBlockText),"invoke-command"), "4", 0) | addtotals fieldname=Score DoIt, enccom, suspcmdlet, suspkeywrd, compressed, downgrade, mimikatz, iex, empire, rundll32, webclient, syswow64, httplocal, reflection, invokewmi, invokecmd, base64, get | stats values(Score) by DoIt, enccom, compressed, downgrade, iex, mimikatz, rundll32, empire, webclient, syswow64, httplocal, reflection, invokewmi, invokecmd, base64, get, suspcmdlet, suspkeywrd | `powershell_4104_hunting_filter` +search = `powershell` EventCode=4104 | eval DoIt = if(match(ScriptBlockText,"(?i)(\$doit)"), "4", 0) | eval enccom=if(match(ScriptBlockText,"[A-Za-z0-9+\/]{44,}([A-Za-z0-9+\/]{4}|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{2}==)") OR match(ScriptBlockText, "(?i)[-]e(nc*o*d*e*d*c*o*m*m*a*n*d*)*\s+[^-]"),4,0) | eval suspcmdlet=if(match(ScriptBlockText, "(?i)Add-Exfiltration|Add-Persistence|Add-RegBackdoor|Add-ScrnSaveBackdoor|Check-VM|Do-Exfiltration|Enabled-DuplicateToken|Exploit-Jboss|Find-Fruit|Find-GPOLocation|Find-TrustedDocuments|Get-ApplicationHost|Get-ChromeDump|Get-ClipboardContents|Get-FoxDump|Get-GPPPassword|Get-IndexedItem|Get-Keystrokes|LSASecret|Get-PassHash|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-RickAstley|Get-Screenshot|Get-SecurityPackages|Get-ServiceFilePermission|Get-ServicePermission|Get-ServiceUnquoted|Get-SiteListPassword|Get-System|Get-TimedScreenshot|Get-UnattendedInstallFile|Get-Unconstrained|Get-VaultCredential|Get-VulnAutoRun|Get-VulnSchTask|Gupt-Backdoor|HTTP-Login|Install-SSP|Install-ServiceBinary|Invoke-ACLScanner|Invoke-ADSBackdoor|Invoke-ARPScan|Invoke-AllChecks|Invoke-BackdoorLNK|Invoke-BypassUAC|Invoke-CredentialInjection|Invoke-DCSync|Invoke-DllInjection|Invoke-DowngradeAccount|Invoke-EgressCheck|Invoke-Inveigh|Invoke-InveighRelay|Invoke-Mimikittenz|Invoke-NetRipper|Invoke-NinjaCopy|Invoke-PSInject|Invoke-Paranoia|Invoke-PortScan|Invoke-PoshRat|Invoke-PostExfil|Invoke-PowerDump|Invoke-PowerShellTCP|Invoke-PsExec|Invoke-PsUaCme|Invoke-ReflectivePEInjection|Invoke-ReverseDNSLookup|Invoke-RunAs|Invoke-SMBScanner|Invoke-SSHCommand|Invoke-Service|Invoke-Shellcode|Invoke-Tater|Invoke-ThunderStruck|Invoke-Token|Invoke-UserHunter|Invoke-VoiceTroll|Invoke-WScriptBypassUAC|Invoke-WinEnum|MailRaider|New-HoneyHash|Out-Minidump|Port-Scan|PowerBreach|PowerUp|PowerView|Remove-Update|Set-MacAttribute|Set-Wallpaper|Show-TargetScreen|Start-CaptureServer|VolumeShadowCopyTools|NEEEEWWW|(Computer|User)Property|CachedRDPConnection|get-net\S+|invoke-\S+hunter|Install-Service|get-\S+(credent|password)|remoteps|Kerberos.*(policy|ticket)|netfirewall|Uninstall-Windows|Verb\s+Runas|AmsiBypass|nishang|Invoke-Interceptor|EXEonRemote|NetworkRelay|PowerShelludp|PowerShellIcmp|CreateShortcut|copy-vss|invoke-dll|invoke-mass|out-shortcut|Invoke-ShellCommand"),1,0) | eval base64 = if(match(lower(ScriptBlockText),"frombase64"), "4", 0) | eval empire=if(match(lower(ScriptBlockText),"system.net.webclient") AND match(lower(ScriptBlockText), "frombase64string") ,5,0) | eval mimikatz=if(match(lower(ScriptBlockText),"mimikatz") OR match(lower(ScriptBlockText), "-dumpcr") OR match(lower(ScriptBlockText), "SEKURLSA::Pth") OR match(lower(ScriptBlockText), "kerberos::ptt") OR match(lower(ScriptBlockText), "kerberos::golden") ,5,0) | eval iex=if(match(ScriptBlockText, "(?i)iex|invoke-expression"),2,0) | eval webclient=if(match(lower(ScriptBlockText),"http") OR match(lower(ScriptBlockText),"web(client|request)") OR match(lower(ScriptBlockText),"socket") OR match(lower(ScriptBlockText),"download(file|string)") OR match(lower(ScriptBlockText),"bitstransfer") OR match(lower(ScriptBlockText),"internetexplorer.application") OR match(lower(ScriptBlockText),"xmlhttp"),5,0) | eval get = if(match(lower(ScriptBlockText),"get-"), "1", 0) | eval rundll32 = if(match(lower(ScriptBlockText),"rundll32"), "4", 0) | eval suspkeywrd=if(match(ScriptBlockText, "(?i)(bitstransfer|mimik|metasp|AssemblyBuilderAccess|Reflection\.Assembly|shellcode|injection|cnvert|shell\.application|start-process|Rc4ByteStream|System\.Security\.Cryptography|lsass\.exe|localadmin|LastLoggedOn|hijack|BackupPrivilege|ngrok|comsvcs|backdoor|brute.?force|Port.?Scan|Exfiltration|exploit|DisableRealtimeMonitoring|beacon)"),1,0) | eval syswow64 = if(match(lower(ScriptBlockText),"syswow64"), "3", 0) | eval httplocal = if(match(lower(ScriptBlockText),"http://127.0.0.1"), "4", 0) | eval reflection = if(match(lower(ScriptBlockText),"reflection"), "1", 0) | eval invokewmi=if(match(lower(ScriptBlockText), "(?i)(wmiobject|WMIMethod|RemoteWMI|PowerShellWmi|wmicommand)"),5,0) | eval downgrade=if(match(ScriptBlockText, "(?i)([-]ve*r*s*i*o*n*\s+2)") OR match(lower(ScriptBlockText),"powershell -version"),3,0) | eval compressed=if(match(ScriptBlockText, "(?i)GZipStream|::Decompress|IO.Compression|write-zip|(expand|compress)-Archive"),5,0) | eval invokecmd = if(match(lower(ScriptBlockText),"invoke-command"), "4", 0) | addtotals fieldname=Score DoIt, enccom, suspcmdlet, suspkeywrd, compressed, downgrade, mimikatz, iex, empire, rundll32, webclient, syswow64, httplocal, reflection, invokewmi, invokecmd, base64, get | stats values(Score) by DoIt, enccom, compressed, downgrade, iex, mimikatz, rundll32, empire, webclient, syswow64, httplocal, reflection, invokewmi, invokecmd, base64, get, suspcmdlet, suspkeywrd | `powershell_4104_hunting_filter` [ESCU - PowerShell - Connect To Internet With Hidden Window - Rule] action.escu = 0 @@ -33019,13 +33017,13 @@ action.escu.full_search_name = ESCU - Randomly Generated Scheduled Task Name - R action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Lateral Movement", "CISA AA22-257A"] +action.escu.analytic_story = ["Active Directory Lateral Movement", "CISA AA22-257A", "Scheduled Tasks"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Randomly Generated Scheduled Task Name - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-257A"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-257A", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -33340,20 +33338,20 @@ search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint [ESCU - Registry Keys Used For Persistence - Rule] action.escu = 0 action.escu.enabled = 1 -description = The search looks for modifications to registry keys that can be used to launch an application or service at system startup. +description = The search looks for modifications or alterations made to registry keys that have the potential to initiate the launch of an application or service during system startup. By monitoring and detecting modifications in these registry keys, we can identify suspicious or unauthorized changes that could be indicative of malicious activity. This proactive approach helps in safeguarding the system's integrity and security by promptly identifying and mitigating potential threats that aim to gain persistence or execute malicious actions during the startup process. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.001", "T1547"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The search looks for modifications to registry keys that can be used to launch an application or service at system startup. +action.escu.eli5 = The search looks for modifications or alterations made to registry keys that have the potential to initiate the launch of an application or service during system startup. By monitoring and detecting modifications in these registry keys, we can identify suspicious or unauthorized changes that could be indicative of malicious activity. This proactive approach helps in safeguarding the system's integrity and security by promptly identifying and mitigating potential threats that aim to gain persistence or execute malicious actions during the startup process. action.escu.how_to_implement = To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. action.escu.known_false_positives = There are many legitimate applications that must execute on system startup and will use these registry keys to accomplish that task. -action.escu.creation_date = 2022-09-19 -action.escu.modification_date = 2022-09-19 +action.escu.creation_date = 2023-06-06 +action.escu.modification_date = 2023-06-06 action.escu.confidence = high action.escu.full_search_name = ESCU - Registry Keys Used For Persistence - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Suspicious Windows Registry Activities", "Suspicious MSHTA Activity", "DHS Report TA18-074A", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Ransomware", "Windows Persistence Techniques", "Emotet Malware DHS Report TA18-201A ", "IcedID", "Remcos", "Windows Registry Abuse", "Azorult", "Qakbot", "Chaos Ransomware", "AsyncRAT", "Sneaky Active Directory Persistence Tricks"] +action.escu.analytic_story = ["Suspicious Windows Registry Activities", "Suspicious MSHTA Activity", "DHS Report TA18-074A", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Ransomware", "Windows Persistence Techniques", "Emotet Malware DHS Report TA18-201A ", "IcedID", "Remcos", "Windows Registry Abuse", "Azorult", "Qakbot", "Chaos Ransomware", "AsyncRAT", "Amadey", "Sneaky Active Directory Persistence Tricks"] action.risk = 1 action.risk.param._risk_message = A registry activity in $registry_path$ related to persistence in host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 76}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 76}] @@ -33364,11 +33362,11 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Registry Keys Used For Persistence - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Windows Registry Activities", "Suspicious MSHTA Activity", "DHS Report TA18-074A", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Ransomware", "Windows Persistence Techniques", "Emotet Malware DHS Report TA18-201A ", "IcedID", "Remcos", "Windows Registry Abuse", "Azorult", "Qakbot", "Chaos Ransomware", "AsyncRAT", "Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 95, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.001", "T1547"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Suspicious Windows Registry Activities", "Suspicious MSHTA Activity", "DHS Report TA18-074A", "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "Ransomware", "Windows Persistence Techniques", "Emotet Malware DHS Report TA18-201A ", "IcedID", "Remcos", "Windows Registry Abuse", "Azorult", "Qakbot", "Chaos Ransomware", "AsyncRAT", "Amadey", "Sneaky Active Directory Persistence Tricks"], "cis20": ["CIS 10"], "confidence": 95, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1547.001", "T1547"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The search looks for modifications to registry keys that can be used to launch an application or service at system startup. +action.notable.param.rule_description = The search looks for modifications or alterations made to registry keys that have the potential to initiate the launch of an application or service during system startup. By monitoring and detecting modifications in these registry keys, we can identify suspicious or unauthorized changes that could be indicative of malicious activity. This proactive approach helps in safeguarding the system's integrity and security by promptly identifying and mitigating potential threats that aim to gain persistence or execute malicious actions during the startup process. action.notable.param.rule_title = Registry Keys Used For Persistence action.notable.param.security_domain = endpoint action.notable.param.severity = high @@ -33381,7 +33379,7 @@ relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false -search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path=*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce OR Registry.registry_path=*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run OR Registry.registry_path=*\\currentversion\\run* OR Registry.registry_path=*\\currentVersion\\Windows\\Appinit_Dlls* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\Shell* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\Notify* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\Userinit* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\VmApplet* OR Registry.registry_path=*\\currentversion\\policies\\explorer\\run* OR Registry.registry_path=*\\currentversion\\runservices* OR Registry.registry_path=HKLM\\SOFTWARE\\Microsoft\\Netsh\\* OR Registry.registry_path= "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Startup" OR Registry.registry_path= *\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler OR Registry.registry_path= *\\Classes\\htmlfile\\shell\\open\\command OR (Registry.registry_path="*Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options*" AND Registry.registry_key_name=Debugger) OR (Registry.registry_path="*\\CurrentControlSet\\Control\\Lsa" AND Registry.registry_key_name="Security Packages") OR (Registry.registry_path="*\\CurrentControlSet\\Control\\Lsa\\OSConfig" AND Registry.registry_key_name="Security Packages") OR (Registry.registry_path="*\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*") OR (Registry.registry_path="*currentVersion\\Windows" AND Registry.registry_key_name="Load") OR (Registry.registry_path="*\\CurrentVersion" AND Registry.registry_key_name="Svchost") OR (Registry.registry_path="*\\CurrentControlSet\Control\Session Manager"AND Registry.registry_key_name="BootExecute") OR (Registry.registry_path="*\\Software\\Run" AND Registry.registry_key_name="auto_update")) by Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_used_for_persistence_filter` +search = | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path=*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce OR Registry.registry_path=*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run OR Registry.registry_path= "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\*" OR Registry.registry_path= "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\*" OR Registry.registry_path=*\\currentversion\\run* OR Registry.registry_path=*\\currentVersion\\Windows\\Appinit_Dlls* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\Shell* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\Notify* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\Userinit* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\VmApplet* OR Registry.registry_path=*\\currentversion\\policies\\explorer\\run* OR Registry.registry_path=*\\currentversion\\runservices* OR Registry.registry_path=HKLM\\SOFTWARE\\Microsoft\\Netsh\\* OR Registry.registry_path= "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Startup" OR Registry.registry_path= *\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler OR Registry.registry_path= *\\Classes\\htmlfile\\shell\\open\\command OR (Registry.registry_path="*Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options*" AND Registry.registry_key_name=Debugger) OR (Registry.registry_path="*\\CurrentControlSet\\Control\\Lsa" AND Registry.registry_key_name="Security Packages") OR (Registry.registry_path="*\\CurrentControlSet\\Control\\Lsa\\OSConfig" AND Registry.registry_key_name="Security Packages") OR (Registry.registry_path="*\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*") OR (Registry.registry_path="*currentVersion\\Windows" AND Registry.registry_key_name="Load") OR (Registry.registry_path="*\\CurrentVersion" AND Registry.registry_key_name="Svchost") OR (Registry.registry_path="*\\CurrentControlSet\Control\Session Manager"AND Registry.registry_key_name="BootExecute") OR (Registry.registry_path="*\\Software\\Run" AND Registry.registry_key_name="auto_update")) by Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_used_for_persistence_filter` [ESCU - Registry Keys Used For Privilege Escalation - Rule] action.escu = 0 @@ -34175,14 +34173,14 @@ action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies usage of `wmic.exe` spawning a local or remote process, identified by the `node` switch. During triage, review parallel processes for additional commands executed. Look for any file modifications before and after `wmic.exe` execution. In addition, identify the remote endpoint and confirm execution or file modifications. Contain and isolate the endpoint as needed. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. Deprecated because duplicate of Remote Process Instantiation via WMI. action.escu.known_false_positives = Administrators may use this legitimately to gather info from remote systems. Filter as needed. -action.escu.creation_date = 2018-12-03 -action.escu.modification_date = 2018-12-03 +action.escu.creation_date = 2023-06-13 +action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - Remote WMI Command Attempt - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Suspicious WMI Use", "Living Off The Land", "Volt Typhoon", "IcedID"] +action.escu.analytic_story = ["Volt Typhoon", "Graceful Wipe Out Attack", "IcedID", "Suspicious WMI Use", "Living Off The Land"] action.risk = 1 action.risk.param._risk_message = A wmic.exe process $process$ contain node commandline $process$ in host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 36}] @@ -34193,7 +34191,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Remote WMI Command Attempt - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious WMI Use", "Living Off The Land", "Volt Typhoon", "IcedID"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Volt Typhoon", "Graceful Wipe Out Attack", "IcedID", "Suspicious WMI Use", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 60, "impact": 60, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -34837,14 +34835,14 @@ action.escu.data_models = ["Endpoint", "Network_Traffic"] action.escu.eli5 = The following analytic identifies rundll32.exe with no command line arguments and performing a network connection. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `port` node. To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. action.escu.known_false_positives = Although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive. -action.escu.creation_date = 2022-03-15 -action.escu.modification_date = 2022-03-15 +action.escu.creation_date = 2023-06-13 +action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - Rundll32 with no Command Line Arguments with Network - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Suspicious Rundll32 Activity", "Cobalt Strike", "PrintNightmare CVE-2021-34527"] +action.escu.analytic_story = ["Cobalt Strike", "PrintNightmare CVE-2021-34527", "Suspicious Rundll32 Activity", "Graceful Wipe Out Attack"] action.risk = 1 action.risk.param._risk_message = A rundll32 process $process_name$ with no commandline argument like this process commandline $process$ in host $src$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 70}, {"threat_object_field": "process_name", "threat_object_type": "process name"}] @@ -34855,7 +34853,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Rundll32 with no Command Line Arguments with Network - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Rundll32 Activity", "Cobalt Strike", "PrintNightmare CVE-2021-34527"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-34527"], "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Cobalt Strike", "PrintNightmare CVE-2021-34527", "Suspicious Rundll32 Activity", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-34527"], "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -35021,20 +35019,20 @@ action.escu.data_models = [] action.escu.eli5 = The following analytic identifies access to SAM, SYSTEM or SECURITY databases' within the file path of `windows\system32\config` using Windows Security EventCode 4663. This particular behavior is related to credential access, an attempt to either use a Shadow Copy or recent CVE-2021-36934 to access the SAM database. The Security Account Manager (SAM) is a database file in Windows XP, Windows Vista, Windows 7, 8.1 and 10 that stores users' passwords. action.escu.how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." action.escu.known_false_positives = Natively, `dllhost.exe` will access the files. Every environment will have additional native processes that do as well. Filter by process_name. As an aside, one can remove process_name entirely and add `Object_Name=*ShadowCopy*`. -action.escu.creation_date = 2021-07-23 -action.escu.modification_date = 2021-07-23 +action.escu.creation_date = 2023-06-13 +action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - SAM Database File Access Attempt - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Credential Dumping"] +action.escu.analytic_story = ["Credential Dumping", "Graceful Wipe Out Attack"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - SAM Database File Access Attempt - Rule -action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-36934"], "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 100, "cve": ["CVE-2021-36934"], "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.002", "T1003"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -35182,10 +35180,16 @@ search = `sysmon` EventCode=11 TargetFilename = "*\\Windows\\SchCache\\*" Targe [ESCU - Schedule Task with HTTP Command Arguments - Rule] action.escu = 0 action.escu.enabled = 1 -description = The following query utilizes Windows Security EventCode 4698, `A scheduled task was created`, to identify suspicious tasks registered on Windows either via schtasks.exe OR TaskService with an arguments "HTTP" string that are unique entry of malware or attack that uses lolbin to download other file or payload to the infected machine. The search will return the first time and last time the task was registered, as well as the `Command` to be executed, `Task Name`, `Author`, `Enabled`, and whether it is `Hidden` or not. schtasks.exe is natively found in `C:\Windows\system32` and `C:\Windows\syswow64`. The following DLL(s) are loaded when schtasks.exe or TaskService is launched -`taskschd.dll`. If found loaded by another process, it is possible a scheduled task is being registered within that process context in memory. Upon triage, identify the task scheduled source. Was it schtasks.exe or via TaskService? Review the job created and the Command to be executed. Capture any artifacts on disk and review. Identify any parallel processes within the same timeframe to identify source.' +description = The following analytic detects the registration of suspicious tasks on Windows using the Windows Security EventCode 4698, "A scheduled task was created." It specifically looks for tasks registered through schtasks.exe or TaskService that have command arguments containing the string "HTTP." This behavior is often associated with malware or attacks that utilize Living off the Land binaries (lolbins) to download additional files or payloads to the compromised machine.\ +The search returns information about the task, such as the task name, command, author, enabled status, hidden status, and arguments. Upon triage, it is important to identify the source of the scheduled task, whether it was registered through schtasks.exe or TaskService. Review the details of the created task and the command to be executed. Capture relevant artifacts on disk and examine them. Additionally, identify any parallel processes occurring within the same timeframe to determine the source of the attack.\ +Implementing this analytic requires ingesting logs with information about task schedules, specifically Windows Security Log EventCode 4698, from your endpoints. It is recommended to tune and filter known instances of task schedules used in your environment to minimize false positives.\ +Detecting the registration of suspicious tasks with HTTP command arguments is valuable for a SOC as it indicates potential malicious activity or an attempt to establish persistence on the system. If a true positive is found, further investigation is warranted to analyze the nature and purpose of the scheduled task, identify any downloaded files or payloads, and mitigate the associated risks. The impact of a true positive can vary but may include data exfiltration, malware propagation, or unauthorized access to sensitive information. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} action.escu.data_models = [] -action.escu.eli5 = The following query utilizes Windows Security EventCode 4698, `A scheduled task was created`, to identify suspicious tasks registered on Windows either via schtasks.exe OR TaskService with an arguments "HTTP" string that are unique entry of malware or attack that uses lolbin to download other file or payload to the infected machine. The search will return the first time and last time the task was registered, as well as the `Command` to be executed, `Task Name`, `Author`, `Enabled`, and whether it is `Hidden` or not. schtasks.exe is natively found in `C:\Windows\system32` and `C:\Windows\syswow64`. The following DLL(s) are loaded when schtasks.exe or TaskService is launched -`taskschd.dll`. If found loaded by another process, it is possible a scheduled task is being registered within that process context in memory. Upon triage, identify the task scheduled source. Was it schtasks.exe or via TaskService? Review the job created and the Command to be executed. Capture any artifacts on disk and review. Identify any parallel processes within the same timeframe to identify source.' +action.escu.eli5 = The following analytic detects the registration of suspicious tasks on Windows using the Windows Security EventCode 4698, "A scheduled task was created." It specifically looks for tasks registered through schtasks.exe or TaskService that have command arguments containing the string "HTTP." This behavior is often associated with malware or attacks that utilize Living off the Land binaries (lolbins) to download additional files or payloads to the compromised machine.\ +The search returns information about the task, such as the task name, command, author, enabled status, hidden status, and arguments. Upon triage, it is important to identify the source of the scheduled task, whether it was registered through schtasks.exe or TaskService. Review the details of the created task and the command to be executed. Capture relevant artifacts on disk and examine them. Additionally, identify any parallel processes occurring within the same timeframe to determine the source of the attack.\ +Implementing this analytic requires ingesting logs with information about task schedules, specifically Windows Security Log EventCode 4698, from your endpoints. It is recommended to tune and filter known instances of task schedules used in your environment to minimize false positives.\ +Detecting the registration of suspicious tasks with HTTP command arguments is valuable for a SOC as it indicates potential malicious activity or an attempt to establish persistence on the system. If a true positive is found, further investigation is warranted to analyze the nature and purpose of the scheduled task, identify any downloaded files or payloads, and mitigate the associated risks. The impact of a true positive can vary but may include data exfiltration, malware propagation, or unauthorized access to sensitive information. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the task schedule (Exa. Security Log EventCode 4698) endpoints. Tune and filter known instances of Task schedule used in your environment. action.escu.known_false_positives = unknown action.escu.creation_date = 2023-04-05 @@ -35195,7 +35199,7 @@ action.escu.full_search_name = ESCU - Schedule Task with HTTP Command Arguments action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Living Off The Land", "Winter Vivern", "Windows Persistence Techniques"] +action.escu.analytic_story = ["Living Off The Land", "Winter Vivern", "Windows Persistence Techniques", "Scheduled Tasks"] action.risk = 1 action.risk.param._risk_message = A schedule task process commandline arguments $Arguments$ with http string on it in host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}] @@ -35206,11 +35210,14 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Schedule Task with HTTP Command Arguments - Rule -action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Winter Vivern", "Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Living Off The Land", "Winter Vivern", "Windows Persistence Techniques", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following query utilizes Windows Security EventCode 4698, `A scheduled task was created`, to identify suspicious tasks registered on Windows either via schtasks.exe OR TaskService with an arguments "HTTP" string that are unique entry of malware or attack that uses lolbin to download other file or payload to the infected machine. The search will return the first time and last time the task was registered, as well as the `Command` to be executed, `Task Name`, `Author`, `Enabled`, and whether it is `Hidden` or not. schtasks.exe is natively found in `C:\Windows\system32` and `C:\Windows\syswow64`. The following DLL(s) are loaded when schtasks.exe or TaskService is launched -`taskschd.dll`. If found loaded by another process, it is possible a scheduled task is being registered within that process context in memory. Upon triage, identify the task scheduled source. Was it schtasks.exe or via TaskService? Review the job created and the Command to be executed. Capture any artifacts on disk and review. Identify any parallel processes within the same timeframe to identify source.' +action.notable.param.rule_description = The following analytic detects the registration of suspicious tasks on Windows using the Windows Security EventCode 4698, "A scheduled task was created." It specifically looks for tasks registered through schtasks.exe or TaskService that have command arguments containing the string "HTTP." This behavior is often associated with malware or attacks that utilize Living off the Land binaries (lolbins) to download additional files or payloads to the compromised machine.\ +The search returns information about the task, such as the task name, command, author, enabled status, hidden status, and arguments. Upon triage, it is important to identify the source of the scheduled task, whether it was registered through schtasks.exe or TaskService. Review the details of the created task and the command to be executed. Capture relevant artifacts on disk and examine them. Additionally, identify any parallel processes occurring within the same timeframe to determine the source of the attack.\ +Implementing this analytic requires ingesting logs with information about task schedules, specifically Windows Security Log EventCode 4698, from your endpoints. It is recommended to tune and filter known instances of task schedules used in your environment to minimize false positives.\ +Detecting the registration of suspicious tasks with HTTP command arguments is valuable for a SOC as it indicates potential malicious activity or an attempt to establish persistence on the system. If a true positive is found, further investigation is warranted to analyze the nature and purpose of the scheduled task, identify any downloaded files or payloads, and mitigate the associated risks. The impact of a true positive can vary but may include data exfiltration, malware propagation, or unauthorized access to sensitive information. action.notable.param.rule_title = Schedule Task with HTTP Command Arguments action.notable.param.security_domain = endpoint action.notable.param.severity = high @@ -35228,10 +35235,16 @@ search = `wineventlog_security` EventCode=4698 | xmlkv Message| search Arguments [ESCU - Schedule Task with Rundll32 Command Trigger - Rule] action.escu = 0 action.escu.enabled = 1 -description = The following query utilizes Windows Security EventCode 4698, `A scheduled task was created`, to identify suspicious tasks registered on Windows either via schtasks.exe OR TaskService with a command to be executed with a Rundll32. This technique is common in new trickbot that uses rundll32 to load is trickbot downloader. The search will return the first time and last time the task was registered, as well as the `Command` to be executed, `Task Name`, `Author`, `Enabled`, and whether it is `Hidden` or not. schtasks.exe is natively found in `C:\Windows\system32` and `C:\Windows\syswow64`. The following DLL(s) are loaded when schtasks.exe or TaskService is launched -`taskschd.dll`. If found loaded by another process, it is possible a scheduled task is being registered within that process context in memory. Upon triage, identify the task scheduled source. Was it schtasks.exe or via TaskService? Review the job created and the Command to be executed. Capture any artifacts on disk and review. Identify any parallel processes within the same timeframe to identify source.' +description = The following analytic detects the creation of suspicious tasks in Windows, specifically tasks using the rundll32 command. It's implemented using Windows Security EventCode 4698 for A scheduled task was created, and looks for tasks executed either via schtasks.exe or TaskService. This behavior is worth identifying as it is commonly used by malware, such as TrickBot, that leverages rundll32 to execute its downloader.\ +If a true positive is found, it suggests an attacker is trying to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes.\ +To implement this analytic, ensure you are ingesting logs with task schedule information from your endpoints. Be aware of potential false positives - legitimate uses of Task Scheduler in your environment may cause benign activities to be flagged.\ +Upon triage, review the scheduled task's source and the command to be executed. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} action.escu.data_models = [] -action.escu.eli5 = The following query utilizes Windows Security EventCode 4698, `A scheduled task was created`, to identify suspicious tasks registered on Windows either via schtasks.exe OR TaskService with a command to be executed with a Rundll32. This technique is common in new trickbot that uses rundll32 to load is trickbot downloader. The search will return the first time and last time the task was registered, as well as the `Command` to be executed, `Task Name`, `Author`, `Enabled`, and whether it is `Hidden` or not. schtasks.exe is natively found in `C:\Windows\system32` and `C:\Windows\syswow64`. The following DLL(s) are loaded when schtasks.exe or TaskService is launched -`taskschd.dll`. If found loaded by another process, it is possible a scheduled task is being registered within that process context in memory. Upon triage, identify the task scheduled source. Was it schtasks.exe or via TaskService? Review the job created and the Command to be executed. Capture any artifacts on disk and review. Identify any parallel processes within the same timeframe to identify source.' +action.escu.eli5 = The following analytic detects the creation of suspicious tasks in Windows, specifically tasks using the rundll32 command. It's implemented using Windows Security EventCode 4698 for A scheduled task was created, and looks for tasks executed either via schtasks.exe or TaskService. This behavior is worth identifying as it is commonly used by malware, such as TrickBot, that leverages rundll32 to execute its downloader.\ +If a true positive is found, it suggests an attacker is trying to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes.\ +To implement this analytic, ensure you are ingesting logs with task schedule information from your endpoints. Be aware of potential false positives - legitimate uses of Task Scheduler in your environment may cause benign activities to be flagged.\ +Upon triage, review the scheduled task's source and the command to be executed. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the task schedule (Exa. Security Log EventCode 4698) endpoints. Tune and filter known instances of Task schedule used in your environment. action.escu.known_false_positives = unknown action.escu.creation_date = 2021-04-19 @@ -35241,7 +35254,7 @@ action.escu.full_search_name = ESCU - Schedule Task with Rundll32 Command Trigge action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Windows Persistence Techniques", "Trickbot", "IcedID", "Living Off The Land"] +action.escu.analytic_story = ["Windows Persistence Techniques", "Trickbot", "IcedID", "Living Off The Land", "Scheduled Tasks"] action.risk = 1 action.risk.param._risk_message = A schedule task process commandline rundll32 arguments $Arguments$ in host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 70}] @@ -35252,11 +35265,14 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Schedule Task with Rundll32 Command Trigger - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Persistence Techniques", "Trickbot", "IcedID", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Windows Persistence Techniques", "Trickbot", "IcedID", "Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following query utilizes Windows Security EventCode 4698, `A scheduled task was created`, to identify suspicious tasks registered on Windows either via schtasks.exe OR TaskService with a command to be executed with a Rundll32. This technique is common in new trickbot that uses rundll32 to load is trickbot downloader. The search will return the first time and last time the task was registered, as well as the `Command` to be executed, `Task Name`, `Author`, `Enabled`, and whether it is `Hidden` or not. schtasks.exe is natively found in `C:\Windows\system32` and `C:\Windows\syswow64`. The following DLL(s) are loaded when schtasks.exe or TaskService is launched -`taskschd.dll`. If found loaded by another process, it is possible a scheduled task is being registered within that process context in memory. Upon triage, identify the task scheduled source. Was it schtasks.exe or via TaskService? Review the job created and the Command to be executed. Capture any artifacts on disk and review. Identify any parallel processes within the same timeframe to identify source.' +action.notable.param.rule_description = The following analytic detects the creation of suspicious tasks in Windows, specifically tasks using the rundll32 command. It's implemented using Windows Security EventCode 4698 for A scheduled task was created, and looks for tasks executed either via schtasks.exe or TaskService. This behavior is worth identifying as it is commonly used by malware, such as TrickBot, that leverages rundll32 to execute its downloader.\ +If a true positive is found, it suggests an attacker is trying to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes.\ +To implement this analytic, ensure you are ingesting logs with task schedule information from your endpoints. Be aware of potential false positives - legitimate uses of Task Scheduler in your environment may cause benign activities to be flagged.\ +Upon triage, review the scheduled task's source and the command to be executed. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. action.notable.param.rule_title = Schedule Task with Rundll32 Command Trigger action.notable.param.security_domain = endpoint action.notable.param.severity = high @@ -35274,10 +35290,12 @@ search = `wineventlog_security` EventCode=4698 | xmlkv Message | search Command [ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule] action.escu = 0 action.escu.enabled = 1 -description = This analytic looks for the execution of `at.exe` with command-line arguments utilized to create a Scheduled Task on a remote endpoint. Red Teams and adversaries alike may abuse the Task Scheduler for lateral movement and remote code execution. The `at.exe` binary internally leverages the AT protocol which was deprecated starting with Windows 8 and Windows Server 2012 but may still work on previous versions of Windows. Furthermore, attackers may enable this protocol on demand by changing a sytem registry key. +description = The following analytic detects the creation of suspicious tasks on a remote Windows endpoint using the at.exe command with command-line arguments. This technique is commonly used by red teams and adversaries for lateral movement and remote code execution. The at.exe binary leverages the deprecated AT protocol, which may still work on previous versions of Windows. Attackers can enable this protocol on demand by modifying a system registry key. It is important to consider potential false positives. While administrators may create scheduled tasks on remote systems, this activity is typically limited to a small set of hosts or users.\ +Identifying the creation of scheduled tasks on remote endpoints is crucial for a Security Operations Center (SOC) because it indicates potential unauthorized activity or an attacker attempting to establish persistence or execute malicious code. The impact of a true positive can be significant, leading to unauthorized access, data theft, or other damaging outcomes. During triage, investigate the source and purpose of the scheduled task, inspect relevant on-disk artifacts, and analyze concurrent processes to identify the extent of the attack and take appropriate response actions. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053", "T1053.002"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `at.exe` with command-line arguments utilized to create a Scheduled Task on a remote endpoint. Red Teams and adversaries alike may abuse the Task Scheduler for lateral movement and remote code execution. The `at.exe` binary internally leverages the AT protocol which was deprecated starting with Windows 8 and Windows Server 2012 but may still work on previous versions of Windows. Furthermore, attackers may enable this protocol on demand by changing a sytem registry key. +action.escu.eli5 = The following analytic detects the creation of suspicious tasks on a remote Windows endpoint using the at.exe command with command-line arguments. This technique is commonly used by red teams and adversaries for lateral movement and remote code execution. The at.exe binary leverages the deprecated AT protocol, which may still work on previous versions of Windows. Attackers can enable this protocol on demand by modifying a system registry key. It is important to consider potential false positives. While administrators may create scheduled tasks on remote systems, this activity is typically limited to a small set of hosts or users.\ +Identifying the creation of scheduled tasks on remote endpoints is crucial for a Security Operations Center (SOC) because it indicates potential unauthorized activity or an attacker attempting to establish persistence or execute malicious code. The impact of a true positive can be significant, leading to unauthorized access, data theft, or other damaging outcomes. During triage, investigate the source and purpose of the scheduled task, inspect relevant on-disk artifacts, and analyze concurrent processes to identify the extent of the attack and take appropriate response actions. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. action.escu.known_false_positives = Administrators may create scheduled tasks on remote systems, but this activity is usually limited to a small set of hosts or users. action.escu.creation_date = 2021-11-11 @@ -35287,7 +35305,7 @@ action.escu.full_search_name = ESCU - Scheduled Task Creation on Remote Endpoint action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Lateral Movement", "Living Off The Land"] +action.escu.analytic_story = ["Active Directory Lateral Movement", "Living Off The Land", "Scheduled Tasks"] action.risk = 1 action.risk.param._risk_message = A Windows Scheduled Task was created on a remote endpoint from $dest action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 54}] @@ -35298,11 +35316,12 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053", "T1053.002"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053", "T1053.002"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic looks for the execution of `at.exe` with command-line arguments utilized to create a Scheduled Task on a remote endpoint. Red Teams and adversaries alike may abuse the Task Scheduler for lateral movement and remote code execution. The `at.exe` binary internally leverages the AT protocol which was deprecated starting with Windows 8 and Windows Server 2012 but may still work on previous versions of Windows. Furthermore, attackers may enable this protocol on demand by changing a sytem registry key. +action.notable.param.rule_description = The following analytic detects the creation of suspicious tasks on a remote Windows endpoint using the at.exe command with command-line arguments. This technique is commonly used by red teams and adversaries for lateral movement and remote code execution. The at.exe binary leverages the deprecated AT protocol, which may still work on previous versions of Windows. Attackers can enable this protocol on demand by modifying a system registry key. It is important to consider potential false positives. While administrators may create scheduled tasks on remote systems, this activity is typically limited to a small set of hosts or users.\ +Identifying the creation of scheduled tasks on remote endpoints is crucial for a Security Operations Center (SOC) because it indicates potential unauthorized activity or an attacker attempting to establish persistence or execute malicious code. The impact of a true positive can be significant, leading to unauthorized access, data theft, or other damaging outcomes. During triage, investigate the source and purpose of the scheduled task, inspect relevant on-disk artifacts, and analyze concurrent processes to identify the extent of the attack and take appropriate response actions. action.notable.param.rule_title = Scheduled Task Creation on Remote Endpoint using At action.notable.param.security_domain = endpoint action.notable.param.severity = high @@ -35320,12 +35339,12 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime [ESCU - Scheduled Task Deleted Or Created via CMD - Rule] action.escu = 0 action.escu.enabled = 1 -description = The following analytic identifies the creation or deletion of a scheduled task using schtasks.exe with flags - create or delete being passed on the command-line. This has been associated with the Dragonfly threat actor, and the SUNBURST attack against Solarwinds. This analytic replaces "Scheduled Task used in BadRabbit Ransomware". +description = This analytic focuses on identifying the creation or deletion of scheduled tasks using the schtasks.exe utility with the corresponding command-line flags (-create or -delete). This technique has been notably associated with threat actors like Dragonfly and the SUNBURST attack against SolarWinds. The purpose of this analytic is to detect suspicious activity related to scheduled tasks that could indicate malicious intent or unauthorized system manipulation. By monitoring for these specific command-line flags, we can enhance our ability to identify potential threats and prevent attacks similar to the use of scheduled tasks in the BadRabbit Ransomware incident. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the creation or deletion of a scheduled task using schtasks.exe with flags - create or delete being passed on the command-line. This has been associated with the Dragonfly threat actor, and the SUNBURST attack against Solarwinds. This analytic replaces "Scheduled Task used in BadRabbit Ransomware". +action.escu.eli5 = This analytic focuses on identifying the creation or deletion of scheduled tasks using the schtasks.exe utility with the corresponding command-line flags (-create or -delete). This technique has been notably associated with threat actors like Dragonfly and the SUNBURST attack against SolarWinds. The purpose of this analytic is to detect suspicious activity related to scheduled tasks that could indicate malicious intent or unauthorized system manipulation. By monitoring for these specific command-line flags, we can enhance our ability to identify potential threats and prevent attacks similar to the use of scheduled tasks in the BadRabbit Ransomware incident. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -action.escu.known_false_positives = It is possible scripts or administrators may trigger this analytic. Filter as needed based on parent process, application. +action.escu.known_false_positives = While it is possible for legitimate scripts or administrators to trigger this behavior, filtering can be applied based on the parent process and application to reduce false positives. Analysts should reference the provided references to understand the context and threat landscape associated with this activity. action.escu.creation_date = 2023-04-05 action.escu.modification_date = 2023-04-05 action.escu.confidence = high @@ -35333,7 +35352,7 @@ action.escu.full_search_name = ESCU - Scheduled Task Deleted Or Created via CMD action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Qakbot", "NOBELIUM Group", "Windows Persistence Techniques", "Winter Vivern", "Prestige Ransomware", "DarkCrystal RAT", "AgentTesla", "Trickbot", "AsyncRAT", "Sandworm Tools", "Living Off The Land", "CISA AA22-257A", "DHS Report TA18-074A", "Azorult"] +action.escu.analytic_story = ["Qakbot", "NOBELIUM Group", "Windows Persistence Techniques", "Winter Vivern", "Prestige Ransomware", "DarkCrystal RAT", "AgentTesla", "Trickbot", "AsyncRAT", "Sandworm Tools", "Living Off The Land", "CISA AA22-257A", "DHS Report TA18-074A", "Azorult", "Amadey", "Scheduled Tasks"] action.risk = 1 action.risk.param._risk_message = A schedule task process $process_name$ with create or delete commandline $process$ in host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}] @@ -35344,11 +35363,11 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Scheduled Task Deleted Or Created via CMD - Rule -action.correlationsearch.annotations = {"analytic_story": ["Qakbot", "NOBELIUM Group", "Windows Persistence Techniques", "Winter Vivern", "Prestige Ransomware", "DarkCrystal RAT", "AgentTesla", "Trickbot", "AsyncRAT", "Sandworm Tools", "Living Off The Land", "CISA AA22-257A", "DHS Report TA18-074A", "Azorult"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Qakbot", "NOBELIUM Group", "Windows Persistence Techniques", "Winter Vivern", "Prestige Ransomware", "DarkCrystal RAT", "AgentTesla", "Trickbot", "AsyncRAT", "Sandworm Tools", "Living Off The Land", "CISA AA22-257A", "DHS Report TA18-074A", "Azorult", "Amadey", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the creation or deletion of a scheduled task using schtasks.exe with flags - create or delete being passed on the command-line. This has been associated with the Dragonfly threat actor, and the SUNBURST attack against Solarwinds. This analytic replaces "Scheduled Task used in BadRabbit Ransomware". +action.notable.param.rule_description = This analytic focuses on identifying the creation or deletion of scheduled tasks using the schtasks.exe utility with the corresponding command-line flags (-create or -delete). This technique has been notably associated with threat actors like Dragonfly and the SUNBURST attack against SolarWinds. The purpose of this analytic is to detect suspicious activity related to scheduled tasks that could indicate malicious intent or unauthorized system manipulation. By monitoring for these specific command-line flags, we can enhance our ability to identify potential threats and prevent attacks similar to the use of scheduled tasks in the BadRabbit Ransomware incident. action.notable.param.rule_title = Scheduled Task Deleted Or Created via CMD action.notable.param.security_domain = endpoint action.notable.param.severity = high @@ -35366,10 +35385,10 @@ search = | tstats `security_content_summariesonly` count values(Processes.proces [ESCU - Scheduled Task Initiation on Remote Endpoint - Rule] action.escu = 0 action.escu.enabled = 1 -description = This analytic looks for the execution of `schtasks.exe` with command-line arguments utilized to start a Scheduled Task on a remote endpoint. Red Teams and adversaries alike may abuse the Task Scheduler for lateral movement and remote code execution. +description = This analytic detects instances of 'schtasks.exe' being used to start a Scheduled Task on a remote endpoint. Adversaries often abuse the Task Scheduler for lateral movement and remote code execution. The search parameters include process details such as the process name, parent process, and command-line executions. Although legitimate administrators may start scheduled tasks on remote systems, this activity is usually limited to a small set of hosts or users. The findings from this analytic provide valuable insight into potentially malicious activities on an endpoint. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `schtasks.exe` with command-line arguments utilized to start a Scheduled Task on a remote endpoint. Red Teams and adversaries alike may abuse the Task Scheduler for lateral movement and remote code execution. +action.escu.eli5 = This analytic detects instances of 'schtasks.exe' being used to start a Scheduled Task on a remote endpoint. Adversaries often abuse the Task Scheduler for lateral movement and remote code execution. The search parameters include process details such as the process name, parent process, and command-line executions. Although legitimate administrators may start scheduled tasks on remote systems, this activity is usually limited to a small set of hosts or users. The findings from this analytic provide valuable insight into potentially malicious activities on an endpoint. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. action.escu.known_false_positives = Administrators may start scheduled tasks on remote systems, but this activity is usually limited to a small set of hosts or users. action.escu.creation_date = 2021-11-11 @@ -35379,7 +35398,7 @@ action.escu.full_search_name = ESCU - Scheduled Task Initiation on Remote Endpoi action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Lateral Movement", "Living Off The Land"] +action.escu.analytic_story = ["Active Directory Lateral Movement", "Living Off The Land", "Scheduled Tasks"] action.risk = 1 action.risk.param._risk_message = A Windows Scheduled Task was ran on a remote endpoint from $dest action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 54}] @@ -35390,11 +35409,11 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Scheduled Task Initiation on Remote Endpoint - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic looks for the execution of `schtasks.exe` with command-line arguments utilized to start a Scheduled Task on a remote endpoint. Red Teams and adversaries alike may abuse the Task Scheduler for lateral movement and remote code execution. +action.notable.param.rule_description = This analytic detects instances of 'schtasks.exe' being used to start a Scheduled Task on a remote endpoint. Adversaries often abuse the Task Scheduler for lateral movement and remote code execution. The search parameters include process details such as the process name, parent process, and command-line executions. Although legitimate administrators may start scheduled tasks on remote systems, this activity is usually limited to a small set of hosts or users. The findings from this analytic provide valuable insight into potentially malicious activities on an endpoint. action.notable.param.rule_title = Scheduled Task Initiation on Remote Endpoint action.notable.param.security_domain = endpoint action.notable.param.severity = high @@ -35412,12 +35431,12 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime [ESCU - Schtasks Run Task On Demand - Rule] action.escu = 0 action.escu.enabled = 1 -description = This analytic identifies an on demand run of a Windows Schedule Task through shell or command-line. This technique has been used by adversaries that force to run their created Schedule Task as their persistence mechanism or for lateral movement as part of their malicious attack to the compromised machine. +description = The following analytic is designed to detect when a Windows Scheduled Task is executed on demand via shell or command line. Adversaries often force the execution of their created Scheduled Tasks for persistent access or lateral movement within a compromised machine. This analytic is driven by process-related data, specifically process name, parent process, and command-line executions, sourced from endpoint logs. The search criteria focus on 'schtasks.exe' with an associated 'run' command. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic identifies an on demand run of a Windows Schedule Task through shell or command-line. This technique has been used by adversaries that force to run their created Schedule Task as their persistence mechanism or for lateral movement as part of their malicious attack to the compromised machine. +action.escu.eli5 = The following analytic is designed to detect when a Windows Scheduled Task is executed on demand via shell or command line. Adversaries often force the execution of their created Scheduled Tasks for persistent access or lateral movement within a compromised machine. This analytic is driven by process-related data, specifically process name, parent process, and command-line executions, sourced from endpoint logs. The search criteria focus on 'schtasks.exe' with an associated 'run' command. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed schtasks.exe may be used. -action.escu.known_false_positives = Administrators may use to debug Schedule Task entries. Filter as needed. +action.escu.known_false_positives = Bear in mind, administrators debugging Scheduled Task entries may trigger this analytic, necessitating fine-tuning and filtering to distinguish between legitimate and potentially malicious use of 'schtasks.exe'. action.escu.creation_date = 2023-04-14 action.escu.modification_date = 2023-04-14 action.escu.confidence = high @@ -35425,7 +35444,7 @@ action.escu.full_search_name = ESCU - Schtasks Run Task On Demand - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Qakbot", "Industroyer2", "XMRig", "CISA AA22-257A", "Data Destruction"] +action.escu.analytic_story = ["Qakbot", "Industroyer2", "XMRig", "CISA AA22-257A", "Data Destruction", "Scheduled Tasks"] action.risk = 1 action.risk.param._risk_message = A "on demand" execution of schedule task process $process_name$ using commandline $process$ in host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 48}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 48}] @@ -35436,11 +35455,11 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Schtasks Run Task On Demand - Rule -action.correlationsearch.annotations = {"analytic_story": ["Qakbot", "Industroyer2", "XMRig", "CISA AA22-257A", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Qakbot", "Industroyer2", "XMRig", "CISA AA22-257A", "Data Destruction", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 60, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic identifies an on demand run of a Windows Schedule Task through shell or command-line. This technique has been used by adversaries that force to run their created Schedule Task as their persistence mechanism or for lateral movement as part of their malicious attack to the compromised machine. +action.notable.param.rule_description = The following analytic is designed to detect when a Windows Scheduled Task is executed on demand via shell or command line. Adversaries often force the execution of their created Scheduled Tasks for persistent access or lateral movement within a compromised machine. This analytic is driven by process-related data, specifically process name, parent process, and command-line executions, sourced from endpoint logs. The search criteria focus on 'schtasks.exe' with an associated 'run' command. action.notable.param.rule_title = Schtasks Run Task On Demand action.notable.param.security_domain = endpoint action.notable.param.severity = high @@ -35458,12 +35477,12 @@ search = | tstats `security_content_summariesonly` values(Processes.process) as [ESCU - Schtasks scheduling job on remote system - Rule] action.escu = 0 action.escu.enabled = 1 -description = This analytic looks for the execution of `schtasks.exe` with command-line arguments utilized to create a Scheduled Task on a remote endpoint. Red Teams and adversaries alike may abuse the Task Scheduler for lateral movement and remote code execution. +description = The following analytic is designed to detect suspicious command-line arguments executed through 'schtasks.exe' to create a scheduled task on a remote endpoint. The analytic scans process data, checking for instances where 'schtasks.exe' has been used with specific command-line flags that suggest an attempt at lateral movement or remote code execution, common techniques employed by adversaries and red teams. Key data points include the process name, the specific command line used, the parent process name, the target destination, and the user involved. Also, timestamp data gives context to when these activities occurred. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This analytic looks for the execution of `schtasks.exe` with command-line arguments utilized to create a Scheduled Task on a remote endpoint. Red Teams and adversaries alike may abuse the Task Scheduler for lateral movement and remote code execution. +action.escu.eli5 = The following analytic is designed to detect suspicious command-line arguments executed through 'schtasks.exe' to create a scheduled task on a remote endpoint. The analytic scans process data, checking for instances where 'schtasks.exe' has been used with specific command-line flags that suggest an attempt at lateral movement or remote code execution, common techniques employed by adversaries and red teams. Key data points include the process name, the specific command line used, the parent process name, the target destination, and the user involved. Also, timestamp data gives context to when these activities occurred. action.escu.how_to_implement = You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the "process" field in the Endpoint data model. -action.escu.known_false_positives = Administrators may create scheduled tasks on remote systems, but this activity is usually limited to a small set of hosts or users. It is important to validate and investigate as appropriate. +action.escu.known_false_positives = While it is possible to have false positives, due to legitimate administrative tasks, these are usually limited and should still be validated and investigated as appropriate. action.escu.creation_date = 2022-05-23 action.escu.modification_date = 2022-05-23 action.escu.confidence = high @@ -35471,7 +35490,7 @@ action.escu.full_search_name = ESCU - Schtasks scheduling job on remote system - action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Lateral Movement", "NOBELIUM Group", "Living Off The Land", "Prestige Ransomware"] +action.escu.analytic_story = ["Active Directory Lateral Movement", "NOBELIUM Group", "Living Off The Land", "Prestige Ransomware", "Scheduled Tasks"] action.risk = 1 action.risk.param._risk_message = A schedule task process $process_name$ with remote job command-line $process$ in host $dest$ by $user$. action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 63}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 63}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 63}] @@ -35482,11 +35501,11 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Schtasks scheduling job on remote system - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "NOBELIUM Group", "Living Off The Land", "Prestige Ransomware"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "NOBELIUM Group", "Living Off The Land", "Prestige Ransomware", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This analytic looks for the execution of `schtasks.exe` with command-line arguments utilized to create a Scheduled Task on a remote endpoint. Red Teams and adversaries alike may abuse the Task Scheduler for lateral movement and remote code execution. +action.notable.param.rule_description = The following analytic is designed to detect suspicious command-line arguments executed through 'schtasks.exe' to create a scheduled task on a remote endpoint. The analytic scans process data, checking for instances where 'schtasks.exe' has been used with specific command-line flags that suggest an attempt at lateral movement or remote code execution, common techniques employed by adversaries and red teams. Key data points include the process name, the specific command line used, the parent process name, the target destination, and the user involved. Also, timestamp data gives context to when these activities occurred. action.notable.param.rule_title = Schtasks scheduling job on remote system action.notable.param.security_domain = endpoint action.notable.param.severity = high @@ -35504,12 +35523,12 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime [ESCU - Schtasks used for forcing a reboot - Rule] action.escu = 0 action.escu.enabled = 1 -description = This search looks for flags passed to schtasks.exe on the command-line that indicate that a forced reboot of system is scheduled. +description = The following analytic utilizes a Splunk query to pinpoint potential threats by monitoring the 'schtasks.exe' command-line usage. This particular command, especially when used in tandem with 'shutdown' and '/create' flags, can suggest an adversarial force intending to schedule unwarranted system reboots. The query focuses on endpoint process data and retrieves details such as the process name, the parent process name, the destination, and the user involved. Essential to the investigation are the earliest and latest timestamps of these events, providing an activity timeline. Data such as the targeted host and initiating user offer valuable context for analyst. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search looks for flags passed to schtasks.exe on the command-line that indicate that a forced reboot of system is scheduled. +action.escu.eli5 = The following analytic utilizes a Splunk query to pinpoint potential threats by monitoring the 'schtasks.exe' command-line usage. This particular command, especially when used in tandem with 'shutdown' and '/create' flags, can suggest an adversarial force intending to schedule unwarranted system reboots. The query focuses on endpoint process data and retrieves details such as the process name, the parent process name, the destination, and the user involved. Essential to the investigation are the earliest and latest timestamps of these events, providing an activity timeline. Data such as the targeted host and initiating user offer valuable context for analyst. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -action.escu.known_false_positives = Administrators may create jobs on systems forcing reboots to perform updates, maintenance, etc. +action.escu.known_false_positives = This analytic may also capture legitimate administrative activities such as system updates or maintenance tasks, which can be classified as false positives. Filter as needed. action.escu.creation_date = 2020-12-07 action.escu.modification_date = 2020-12-07 action.escu.confidence = high @@ -35517,7 +35536,7 @@ action.escu.full_search_name = ESCU - Schtasks used for forcing a reboot - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Persistence Techniques", "Ransomware"] +action.escu.analytic_story = ["Windows Persistence Techniques", "Ransomware", "Scheduled Tasks"] action.risk = 1 action.risk.param._risk_message = A schedule task process $process_name$ with force reboot commandline $process$ in host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 56}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 56}] @@ -35528,11 +35547,11 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Schtasks used for forcing a reboot - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Persistence Techniques", "Ransomware"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Windows Persistence Techniques", "Ransomware", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search looks for flags passed to schtasks.exe on the command-line that indicate that a forced reboot of system is scheduled. +action.notable.param.rule_description = The following analytic utilizes a Splunk query to pinpoint potential threats by monitoring the 'schtasks.exe' command-line usage. This particular command, especially when used in tandem with 'shutdown' and '/create' flags, can suggest an adversarial force intending to schedule unwarranted system reboots. The query focuses on endpoint process data and retrieves details such as the process name, the parent process name, the destination, and the user involved. Essential to the investigation are the earliest and latest timestamps of these events, providing an activity timeline. Data such as the targeted host and initiating user offer valuable context for analyst. action.notable.param.rule_title = Schtasks used for forcing a reboot action.notable.param.security_domain = endpoint action.notable.param.severity = high @@ -35596,10 +35615,10 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTim [ESCU - Script Execution via WMI - Rule] action.escu = 0 action.escu.enabled = 1 -description = This search looks for scripts launched via WMI. +description = The following analytic is designed to detect the potential misuse of Windows Management Instrumentation (WMI) for malicious purposes. WMI can be utilized by adversaries to execute scripts, a method often employed for maintaining stealth while carrying out malicious activities. The process 'scrcons.exe', integral to executing WMI scripts, is primarily monitored by this analytic. The underlying threat lies in the fact that successful execution of a malicious script can lead to numerous negative outcomes, including system compromise, data exfiltration, or the establishment of persistence. It's essential for cybersecurity analysts to remain vigilant towards unexpected or isolated script executions via WMI, as such instances often signal suspicious activities or potential security breaches. Although uncommon, administrators may occasionally use WMI to launch scripts for legitimate purposes. Therefore, discerning malicious activities from benign ones is crucial in this context. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] -action.escu.eli5 = This search looks for scripts launched via WMI. +action.escu.eli5 = The following analytic is designed to detect the potential misuse of Windows Management Instrumentation (WMI) for malicious purposes. WMI can be utilized by adversaries to execute scripts, a method often employed for maintaining stealth while carrying out malicious activities. The process 'scrcons.exe', integral to executing WMI scripts, is primarily monitored by this analytic. The underlying threat lies in the fact that successful execution of a malicious script can lead to numerous negative outcomes, including system compromise, data exfiltration, or the establishment of persistence. It's essential for cybersecurity analysts to remain vigilant towards unexpected or isolated script executions via WMI, as such instances often signal suspicious activities or potential security breaches. Although uncommon, administrators may occasionally use WMI to launch scripts for legitimate purposes. Therefore, discerning malicious activities from benign ones is crucial in this context. action.escu.how_to_implement = You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the "process" field in the Endpoint data model. action.escu.known_false_positives = Although unlikely, administrators may use wmi to launch scripts for legitimate purposes. Filter as needed. action.escu.creation_date = 2020-03-16 @@ -35611,7 +35630,7 @@ action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splun action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] action.escu.analytic_story = ["Suspicious WMI Use"] action.risk = 1 -action.risk.param._risk_message = A wmic.exe process $process_name$ taht execute script in host $dest$ +action.risk.param._risk_message = A wmic.exe process $process_name$ that execute script in host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 36}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 36}] action.risk.param._risk_score = 0 action.risk.param.verbose = 0 @@ -35624,7 +35643,7 @@ action.correlationsearch.annotations = {"analytic_story": ["Suspicious WMI Use"] schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search looks for scripts launched via WMI. +action.notable.param.rule_description = The following analytic is designed to detect the potential misuse of Windows Management Instrumentation (WMI) for malicious purposes. WMI can be utilized by adversaries to execute scripts, a method often employed for maintaining stealth while carrying out malicious activities. The process 'scrcons.exe', integral to executing WMI scripts, is primarily monitored by this analytic. The underlying threat lies in the fact that successful execution of a malicious script can lead to numerous negative outcomes, including system compromise, data exfiltration, or the establishment of persistence. It's essential for cybersecurity analysts to remain vigilant towards unexpected or isolated script executions via WMI, as such instances often signal suspicious activities or potential security breaches. Although uncommon, administrators may occasionally use WMI to launch scripts for legitimate purposes. Therefore, discerning malicious activities from benign ones is crucial in this context. action.notable.param.rule_title = Script Execution via WMI action.notable.param.security_domain = endpoint action.notable.param.severity = high @@ -35740,14 +35759,14 @@ action.escu.data_models = ["Endpoint", "Network_Traffic"] action.escu.eli5 = The following analytic identifies searchprotocolhost.exe with no command line arguments and with a network connection. It is unusual for searchprotocolhost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. searchprotocolhost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `ports` node. action.escu.known_false_positives = Limited false positives may be present in small environments. Tuning may be required based on parent process. -action.escu.creation_date = 2022-03-15 -action.escu.modification_date = 2022-03-15 +action.escu.creation_date = 2023-06-13 +action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - SearchProtocolHost with no Command Line with Network - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Cobalt Strike"] +action.escu.analytic_story = ["Cobalt Strike", "Graceful Wipe Out Attack"] action.risk = 1 action.risk.param._risk_message = A searchprotocolhost.exe process $process_name$ with no commandline in host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 70}, {"threat_object_field": "process_name", "threat_object_type": "process name"}] @@ -35758,7 +35777,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - SearchProtocolHost with no Command Line with Network - Rule -action.correlationsearch.annotations = {"analytic_story": ["Cobalt Strike"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Cobalt Strike", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -35786,14 +35805,14 @@ action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic detects a potential usage of secretsdump.py tool for dumping credentials (ntlm hash) from a copy of ntds.dit and SAM.Security,SYSTEM registrry hive. This technique was seen in some attacker that dump ntlm hashes offline after having a copy of ntds.dit and SAM/SYSTEM/SECURITY registry hive. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. action.escu.known_false_positives = unknown -action.escu.creation_date = 2021-05-26 -action.escu.modification_date = 2021-05-26 +action.escu.creation_date = 2023-06-13 +action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - SecretDumps Offline NTDS Dumping Tool - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Credential Dumping"] +action.escu.analytic_story = ["Credential Dumping", "Graceful Wipe Out Attack"] action.risk = 1 action.risk.param._risk_message = A secretdump process $process_name$ with secretdump commandline $process$ to dump credentials in host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 80}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 80}] @@ -35804,7 +35823,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - SecretDumps Offline NTDS Dumping Tool - Rule -action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Credential Dumping", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1003.003", "T1003"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -35957,14 +35976,14 @@ action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies the use of `svc-exe` with Cobalt Strike. The behavior typically follows after an adversary has already gained initial access and is escalating privileges. Using `svc-exe`, a randomly named binary will be downloaded from the remote Teamserver and placed on disk within `C:\Windows\400619a.exe`. Following, the binary will be added to the registry under key `HKLM\System\CurrentControlSet\Services\400619a\` with multiple keys and values added to look like a legitimate service. Upon loading, `services.exe` will spawn the randomly named binary from `\\127.0.0.1\ADMIN$\400619a.exe`. The process lineage is completed with `400619a.exe` spawning rundll32.exe, which is the default `spawnto_` value for Cobalt Strike. The `spawnto_` value is arbitrary and may be any process on disk (typically system32/syswow64 binary). The `spawnto_` process will also contain a network connection. During triage, review parallel procesess and identify any additional file modifications. action.escu.how_to_implement = To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model. action.escu.known_false_positives = False positives should be limited as `services.exe` should never spawn a process from `ADMIN$`. Filter as needed. -action.escu.creation_date = 2021-05-18 -action.escu.modification_date = 2021-05-18 +action.escu.creation_date = 2023-06-13 +action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - Services Escalate Exe - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Cobalt Strike"] +action.escu.analytic_story = ["Cobalt Strike", "Graceful Wipe Out Attack"] action.risk = 1 action.risk.param._risk_message = A service process $parent_process_name$ with process path $process_path$ in host $dest$ action.risk.param._risk = [{"risk_object_field": "Processes.dest", "risk_object_type": "system", "risk_score": 76}, {"risk_object_field": "Processes.user", "risk_object_type": "user", "risk_score": 76}] @@ -35975,7 +35994,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Services Escalate Exe - Rule -action.correlationsearch.annotations = {"analytic_story": ["Cobalt Strike"], "cis20": ["CIS 10"], "confidence": 95, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Cobalt Strike", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 95, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -36181,10 +36200,16 @@ search = | tstats `security_content_summariesonly` values(Processes.process) as [ESCU - Short Lived Scheduled Task - Rule] action.escu = 0 action.escu.enabled = 1 -description = The following analytic leverages Windows Security EventCode 4698, `A scheduled task was created` and Windows Security EventCode 4699, `A scheduled task was deleted` to identify scheduled tasks created and deleted in less than 30 seconds. This behavior may represent a lateral movement attack abusing the Task Scheduler to obtain code execution. Red Teams and adversaries alike may abuse the Task Scheduler for lateral movement and remote code execution. +description = The following analytic utilizes Windows Security EventCode 4698, "A scheduled task was created," and EventCode 4699, "A scheduled task was deleted," to identify scheduled tasks that are created and deleted within a short time frame of less than 30 seconds. This behavior is indicative of a potential lateral movement attack where the Task Scheduler is abused to achieve code execution. Both red teams and adversaries may exploit the Task Scheduler for lateral movement and remote code execution.\ +To implement this analytic, ensure that you are ingesting Windows Security Event Logs with EventCode 4698 enabled. Additionally, the Windows TA (Technology Add-on) is required to parse and extract the necessary information from the logs.\ +It's important to note that while uncommon, legitimate applications may create and delete scheduled tasks within a short duration. Analysts should filter the results based on the specific context and environment to reduce false positives.\ +Identifying short-lived scheduled tasks is valuable for a SOC as it can indicate malicious activities attempting to move laterally or execute unauthorized code on Windows systems. By detecting and investigating these events, security analysts can respond promptly to prevent further compromise and mitigate potential risks. The impact of a true positive could range from unauthorized access to data exfiltration or the execution of malicious payloads. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005"], "nist": ["DE.CM"]} action.escu.data_models = [] -action.escu.eli5 = The following analytic leverages Windows Security EventCode 4698, `A scheduled task was created` and Windows Security EventCode 4699, `A scheduled task was deleted` to identify scheduled tasks created and deleted in less than 30 seconds. This behavior may represent a lateral movement attack abusing the Task Scheduler to obtain code execution. Red Teams and adversaries alike may abuse the Task Scheduler for lateral movement and remote code execution. +action.escu.eli5 = The following analytic utilizes Windows Security EventCode 4698, "A scheduled task was created," and EventCode 4699, "A scheduled task was deleted," to identify scheduled tasks that are created and deleted within a short time frame of less than 30 seconds. This behavior is indicative of a potential lateral movement attack where the Task Scheduler is abused to achieve code execution. Both red teams and adversaries may exploit the Task Scheduler for lateral movement and remote code execution.\ +To implement this analytic, ensure that you are ingesting Windows Security Event Logs with EventCode 4698 enabled. Additionally, the Windows TA (Technology Add-on) is required to parse and extract the necessary information from the logs.\ +It's important to note that while uncommon, legitimate applications may create and delete scheduled tasks within a short duration. Analysts should filter the results based on the specific context and environment to reduce false positives.\ +Identifying short-lived scheduled tasks is valuable for a SOC as it can indicate malicious activities attempting to move laterally or execute unauthorized code on Windows systems. By detecting and investigating these events, security analysts can respond promptly to prevent further compromise and mitigate potential risks. The impact of a true positive could range from unauthorized access to data exfiltration or the execution of malicious payloads. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required. action.escu.known_false_positives = Although uncommon, legitimate applications may create and delete a Scheduled Task within 30 seconds. Filter as needed. action.escu.creation_date = 2021-12-03 @@ -36194,7 +36219,7 @@ action.escu.full_search_name = ESCU - Short Lived Scheduled Task - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Active Directory Lateral Movement", "CISA AA22-257A"] +action.escu.analytic_story = ["Active Directory Lateral Movement", "CISA AA22-257A", "Scheduled Tasks"] action.risk = 1 action.risk.param._risk_message = A windows scheduled task was created and deleted in 30 seconds on $ComputerName$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 81}] @@ -36205,11 +36230,14 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Short Lived Scheduled Task - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-257A"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "CISA AA22-257A", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic leverages Windows Security EventCode 4698, `A scheduled task was created` and Windows Security EventCode 4699, `A scheduled task was deleted` to identify scheduled tasks created and deleted in less than 30 seconds. This behavior may represent a lateral movement attack abusing the Task Scheduler to obtain code execution. Red Teams and adversaries alike may abuse the Task Scheduler for lateral movement and remote code execution. +action.notable.param.rule_description = The following analytic utilizes Windows Security EventCode 4698, "A scheduled task was created," and EventCode 4699, "A scheduled task was deleted," to identify scheduled tasks that are created and deleted within a short time frame of less than 30 seconds. This behavior is indicative of a potential lateral movement attack where the Task Scheduler is abused to achieve code execution. Both red teams and adversaries may exploit the Task Scheduler for lateral movement and remote code execution.\ +To implement this analytic, ensure that you are ingesting Windows Security Event Logs with EventCode 4698 enabled. Additionally, the Windows TA (Technology Add-on) is required to parse and extract the necessary information from the logs.\ +It's important to note that while uncommon, legitimate applications may create and delete scheduled tasks within a short duration. Analysts should filter the results based on the specific context and environment to reduce false positives.\ +Identifying short-lived scheduled tasks is valuable for a SOC as it can indicate malicious activities attempting to move laterally or execute unauthorized code on Windows systems. By detecting and investigating these events, security analysts can respond promptly to prevent further compromise and mitigate potential risks. The impact of a true positive could range from unauthorized access to data exfiltration or the execution of malicious payloads. action.notable.param.rule_title = Short Lived Scheduled Task action.notable.param.security_domain = endpoint action.notable.param.severity = high @@ -37004,14 +37032,14 @@ action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. action.escu.known_false_positives = Limited false positives may be present in small environments. Tuning may be required based on parent process. -action.escu.creation_date = 2023-03-08 -action.escu.modification_date = 2023-03-08 +action.escu.creation_date = 2023-06-13 +action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - Suspicious DLLHost no Command Line Arguments - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Cobalt Strike"] +action.escu.analytic_story = ["Cobalt Strike", "Graceful Wipe Out Attack"] action.risk = 1 action.risk.param._risk_message = Suspicious dllhost.exe process with no command line arguments executed on $dest$ by $user$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "User", "risk_object_type": "user", "risk_score": 49}] @@ -37022,7 +37050,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Suspicious DLLHost no Command Line Arguments - Rule -action.correlationsearch.annotations = {"analytic_story": ["Cobalt Strike"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Cobalt Strike", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -37142,14 +37170,14 @@ action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies gpupdate.exe with no command line arguments. It is unusual for gpupdate.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. gpupdate.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. action.escu.known_false_positives = Limited false positives may be present in small environments. Tuning may be required based on parent process. -action.escu.creation_date = 2022-03-15 -action.escu.modification_date = 2022-03-15 +action.escu.creation_date = 2023-06-13 +action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - Suspicious GPUpdate no Command Line Arguments - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Cobalt Strike"] +action.escu.analytic_story = ["Cobalt Strike", "Graceful Wipe Out Attack"] action.risk = 1 action.risk.param._risk_message = Suspicious gpupdate.exe process with no command line arguments executed on $dest$ by $user$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "User", "risk_object_type": "user", "risk_score": 49}] @@ -37160,7 +37188,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Suspicious GPUpdate no Command Line Arguments - Rule -action.correlationsearch.annotations = {"analytic_story": ["Cobalt Strike"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Cobalt Strike", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -37375,20 +37403,20 @@ action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies a renamed instance of microsoft.workflow.compiler.exe. Microsoft.workflow.compiler.exe is natively found in C:\Windows\Microsoft.NET\Framework64\v4.0.30319 and is rarely utilized. When investigating, identify the executed code on disk and review. A spawned child process from microsoft.workflow.compiler.exe is uncommon. In any instance, microsoft.workflow.compiler.exe spawning from an Office product or any living off the land binary is highly suspect. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. action.escu.known_false_positives = Although unlikely, some legitimate applications may use a moved copy of microsoft.workflow.compiler.exe, triggering a false positive. -action.escu.creation_date = 2022-04-07 -action.escu.modification_date = 2022-04-07 +action.escu.creation_date = 2023-06-13 +action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - Suspicious microsoft workflow compiler rename - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Trusted Developer Utilities Proxy Execution", "Cobalt Strike", "Masquerading - Rename System Utilities", "Living Off The Land"] +action.escu.analytic_story = ["Masquerading - Rename System Utilities", "Trusted Developer Utilities Proxy Execution", "Graceful Wipe Out Attack", "Living Off The Land", "Cobalt Strike"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Suspicious microsoft workflow compiler rename - Rule -action.correlationsearch.annotations = {"analytic_story": ["Trusted Developer Utilities Proxy Execution", "Cobalt Strike", "Masquerading - Rename System Utilities", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1127", "T1036.003"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Masquerading - Rename System Utilities", "Trusted Developer Utilities Proxy Execution", "Graceful Wipe Out Attack", "Living Off The Land", "Cobalt Strike"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1127", "T1036.003"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -37456,14 +37484,14 @@ action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies msbuild.exe executing from a non-standard path. Msbuild.exe is natively found in C:\Windows\Microsoft.NET\Framework\v4.0.30319 and C:\Windows\Microsoft.NET\Framework64\v4.0.30319. Instances of Visual Studio will run a copy of msbuild.exe. A moved instance of MSBuild is suspicious, however there are instances of build applications that will move or use a copy of MSBuild. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. action.escu.known_false_positives = Some legitimate applications may use a moved copy of msbuild.exe, triggering a false positive. Baselining of MSBuild.exe usage is recommended to better understand it's path usage. Visual Studio runs an instance out of a path that will need to be filtered on. -action.escu.creation_date = 2022-03-08 -action.escu.modification_date = 2022-03-08 +action.escu.creation_date = 2023-06-13 +action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - Suspicious msbuild path - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Trusted Developer Utilities Proxy Execution MSBuild", "Cobalt Strike", "Masquerading - Rename System Utilities", "Living Off The Land"] +action.escu.analytic_story = ["Masquerading - Rename System Utilities", "Graceful Wipe Out Attack", "Living Off The Land", "Trusted Developer Utilities Proxy Execution MSBuild", "Cobalt Strike"] action.risk = 1 action.risk.param._risk_message = Msbuild.exe ran from an uncommon path on $dest$ execyted by $user$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "User", "risk_object_type": "user", "risk_score": 49}] @@ -37474,7 +37502,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Suspicious msbuild path - Rule -action.correlationsearch.annotations = {"analytic_story": ["Trusted Developer Utilities Proxy Execution MSBuild", "Cobalt Strike", "Masquerading - Rename System Utilities", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1127", "T1036.003", "T1127.001"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Masquerading - Rename System Utilities", "Graceful Wipe Out Attack", "Living Off The Land", "Trusted Developer Utilities Proxy Execution MSBuild", "Cobalt Strike"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1127", "T1036.003", "T1127.001"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -37502,20 +37530,20 @@ action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies renamed instances of msbuild.exe executing. Msbuild.exe is natively found in C:\Windows\Microsoft.NET\Framework\v4.0.30319 and C:\Windows\Microsoft.NET\Framework64\v4.0.30319. During investigation, identify the code executed and what is executing a renamed instance of MSBuild. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. action.escu.known_false_positives = Although unlikely, some legitimate applications may use a moved copy of msbuild, triggering a false positive. -action.escu.creation_date = 2022-04-07 -action.escu.modification_date = 2022-04-07 +action.escu.creation_date = 2023-06-13 +action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - Suspicious MSBuild Rename - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Trusted Developer Utilities Proxy Execution MSBuild", "Cobalt Strike", "Masquerading - Rename System Utilities", "Living Off The Land"] +action.escu.analytic_story = ["Masquerading - Rename System Utilities", "Graceful Wipe Out Attack", "Living Off The Land", "Trusted Developer Utilities Proxy Execution MSBuild", "Cobalt Strike"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Suspicious MSBuild Rename - Rule -action.correlationsearch.annotations = {"analytic_story": ["Trusted Developer Utilities Proxy Execution MSBuild", "Cobalt Strike", "Masquerading - Rename System Utilities", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1127", "T1036.003", "T1127.001"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Masquerading - Rename System Utilities", "Graceful Wipe Out Attack", "Living Off The Land", "Trusted Developer Utilities Proxy Execution MSBuild", "Cobalt Strike"], "cis20": ["CIS 10"], "confidence": 90, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1036", "T1127", "T1036.003", "T1127.001"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -37849,20 +37877,20 @@ search = `sysmon` EventCode=22 QueryName IN ("*pastebin*", "*discord*", "*telegr [ESCU - Suspicious Process File Path - Rule] action.escu = 0 action.escu.enabled = 1 -description = The following analytic will detect a suspicious process running in a file path where a process is not commonly seen and is most commonly used by malicious software. This behavior has been used by adversaries where they drop and run an exe in a path that is accessible without admin privileges. +description = This analytic identifies a suspicious processes running in file paths that are not typically associated with legitimate software. Adversaries often employ this technique to drop and execute malicious executables in accessible locations that do not require administrative privileges. By monitoring for processes running in such unconventional file paths, we can identify potential indicators of compromise and proactively respond to malicious activity. This analytic plays a crucial role in enhancing system security by pinpointing suspicious behaviors commonly associated with malware and unauthorized software execution. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic will detect a suspicious process running in a file path where a process is not commonly seen and is most commonly used by malicious software. This behavior has been used by adversaries where they drop and run an exe in a path that is accessible without admin privileges. +action.escu.eli5 = This analytic identifies a suspicious processes running in file paths that are not typically associated with legitimate software. Adversaries often employ this technique to drop and execute malicious executables in accessible locations that do not require administrative privileges. By monitoring for processes running in such unconventional file paths, we can identify potential indicators of compromise and proactively respond to malicious activity. This analytic plays a crucial role in enhancing system security by pinpointing suspicious behaviors commonly associated with malware and unauthorized software execution. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. action.escu.known_false_positives = Administrators may allow execution of specific binaries in non-standard paths. Filter as needed. -action.escu.creation_date = 2023-04-25 -action.escu.modification_date = 2023-04-25 +action.escu.creation_date = 2023-06-13 +action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - Suspicious Process File Path - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult", "AsyncRAT", "XMRig", "Swift Slicer", "DarkCrystal RAT", "Double Zero Destructor", "Trickbot", "Data Destruction", "LockBit Ransomware", "Prestige Ransomware", "Industroyer2", "Remcos", "RedLine Stealer", "WhisperGate", "IcedID", "Hermetic Wiper", "AgentTesla", "Brute Ratel C4", "Qakbot", "Chaos Ransomware", "Volt Typhoon"] +action.escu.analytic_story = ["WhisperGate", "XMRig", "Industroyer2", "Remcos", "Data Destruction", "Hermetic Wiper", "Azorult", "DarkCrystal RAT", "Graceful Wipe Out Attack", "IcedID", "Swift Slicer", "Qakbot", "RedLine Stealer", "Brute Ratel C4", "Prestige Ransomware", "AsyncRAT", "LockBit Ransomware", "AgentTesla", "Double Zero Destructor", "Volt Typhoon", "Chaos Ransomware", "Trickbot", "Amadey"] action.risk = 1 action.risk.param._risk_message = Suspicious process $process_name$ running from a suspicious process path- $process_path$ on host- $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}, {"threat_object_field": "process_path", "threat_object_type": "process name"}] @@ -37873,11 +37901,11 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Suspicious Process File Path - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult", "AsyncRAT", "XMRig", "Swift Slicer", "DarkCrystal RAT", "Double Zero Destructor", "Trickbot", "Data Destruction", "LockBit Ransomware", "Prestige Ransomware", "Industroyer2", "Remcos", "RedLine Stealer", "WhisperGate", "IcedID", "Hermetic Wiper", "AgentTesla", "Brute Ratel C4", "Qakbot", "Chaos Ransomware", "Volt Typhoon"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["WhisperGate", "XMRig", "Industroyer2", "Remcos", "Data Destruction", "Hermetic Wiper", "Azorult", "DarkCrystal RAT", "Graceful Wipe Out Attack", "IcedID", "Swift Slicer", "Qakbot", "RedLine Stealer", "Brute Ratel C4", "Prestige Ransomware", "AsyncRAT", "LockBit Ransomware", "AgentTesla", "Double Zero Destructor", "Volt Typhoon", "Chaos Ransomware", "Trickbot", "Amadey"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1543"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic will detect a suspicious process running in a file path where a process is not commonly seen and is most commonly used by malicious software. This behavior has been used by adversaries where they drop and run an exe in a path that is accessible without admin privileges. +action.notable.param.rule_description = This analytic identifies a suspicious processes running in file paths that are not typically associated with legitimate software. Adversaries often employ this technique to drop and execute malicious executables in accessible locations that do not require administrative privileges. By monitoring for processes running in such unconventional file paths, we can identify potential indicators of compromise and proactively respond to malicious activity. This analytic plays a crucial role in enhancing system security by pinpointing suspicious behaviors commonly associated with malware and unauthorized software execution. action.notable.param.rule_title = Suspicious Process File Path action.notable.param.security_domain = endpoint action.notable.param.severity = high @@ -38073,14 +38101,14 @@ action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. action.escu.known_false_positives = Although unlikely, some legitimate applications may use a moved copy of rundll32, triggering a false positive. -action.escu.creation_date = 2022-03-15 -action.escu.modification_date = 2022-03-15 +action.escu.creation_date = 2023-06-13 +action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - Suspicious Rundll32 no Command Line Arguments - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Suspicious Rundll32 Activity", "Cobalt Strike", "PrintNightmare CVE-2021-34527"] +action.escu.analytic_story = ["Cobalt Strike", "PrintNightmare CVE-2021-34527", "Suspicious Rundll32 Activity", "Graceful Wipe Out Attack"] action.risk = 1 action.risk.param._risk_message = Suspicious rundll32.exe process with no command line arguments executed on $dest$ by $user$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "User", "risk_object_type": "user", "risk_score": 49}] @@ -38091,7 +38119,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Suspicious Rundll32 no Command Line Arguments - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Rundll32 Activity", "Cobalt Strike", "PrintNightmare CVE-2021-34527"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2021-34527"], "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Cobalt Strike", "PrintNightmare CVE-2021-34527", "Suspicious Rundll32 Activity", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 70, "cve": ["CVE-2021-34527"], "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -38165,14 +38193,14 @@ action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies rundll32.exe executing a DLL function name, Start and StartW, on the command line that is commonly observed with Cobalt Strike x86 and x64 DLL payloads. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. Typically, the DLL will be written and loaded from a world writeable path or user location. In most instances it will not have a valid certificate (Unsigned). During investigation, review the parent process and other parallel application execution. Capture and triage the DLL in question. In the instance of Cobalt Strike, rundll32.exe is the default process it opens and injects shellcode into. This default process can be changed, but typically is not. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. action.escu.known_false_positives = Although unlikely, some legitimate applications may use Start as a function and call it via the command line. Filter as needed. -action.escu.creation_date = 2021-02-04 -action.escu.modification_date = 2021-02-04 +action.escu.creation_date = 2023-06-13 +action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - Suspicious Rundll32 StartW - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Suspicious Rundll32 Activity", "Cobalt Strike", "Trickbot"] +action.escu.analytic_story = ["Cobalt Strike", "Suspicious Rundll32 Activity", "Graceful Wipe Out Attack", "Trickbot"] action.risk = 1 action.risk.param._risk_message = rundll32.exe running with suspicious parameters on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}, {"risk_object_field": "User", "risk_object_type": "user", "risk_score": 35}] @@ -38183,7 +38211,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Suspicious Rundll32 StartW - Rule -action.correlationsearch.annotations = {"analytic_story": ["Suspicious Rundll32 Activity", "Cobalt Strike", "Trickbot"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Cobalt Strike", "Suspicious Rundll32 Activity", "Graceful Wipe Out Attack", "Trickbot"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1218", "T1218.011"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -38205,12 +38233,14 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime [ESCU - Suspicious Scheduled Task from Public Directory - Rule] action.escu = 0 action.escu.enabled = 1 -description = The following detection identifies Scheduled Tasks registering (creating a new task) a binary or script to run from a public directory which includes users\public, \programdata\ and \windows\temp. Upon triage, review the binary or script in the command line for legitimacy, whether an approved binary/script or not. In addition, capture the binary or script in question and analyze for further behaviors. Identify the source and contain the endpoint. +description = The following analytic, "Suspicious Scheduled Task from Public Directory", detects the registration of scheduled tasks aimed to execute a binary or script from public directories, a behavior often associated with malware deployment. It utilizes the Sysmon Event ID 1 data source, searching for instances where schtasks.exe is connected with the directories users\public, \programdata\, or \windows\temp and involves the /create command.\ +The registration of such scheduled tasks in public directories could suggest that an attacker is trying to maintain persistence or execute malicious scripts. If confirmed as a true positive, this could lead to data compromise, unauthorized access, and potential lateral movement within the network. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following detection identifies Scheduled Tasks registering (creating a new task) a binary or script to run from a public directory which includes users\public, \programdata\ and \windows\temp. Upon triage, review the binary or script in the command line for legitimacy, whether an approved binary/script or not. In addition, capture the binary or script in question and analyze for further behaviors. Identify the source and contain the endpoint. +action.escu.eli5 = The following analytic, "Suspicious Scheduled Task from Public Directory", detects the registration of scheduled tasks aimed to execute a binary or script from public directories, a behavior often associated with malware deployment. It utilizes the Sysmon Event ID 1 data source, searching for instances where schtasks.exe is connected with the directories users\public, \programdata\, or \windows\temp and involves the /create command.\ +The registration of such scheduled tasks in public directories could suggest that an attacker is trying to maintain persistence or execute malicious scripts. If confirmed as a true positive, this could lead to data compromise, unauthorized access, and potential lateral movement within the network. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. -action.escu.known_false_positives = Limited false positives may be present. Filter as needed by parent process or command line argument. +action.escu.known_false_positives = The main source of false positives could be the legitimate use of scheduled tasks from these directories. Careful tuning of this search may be necessary to suit the specifics of your environment, reducing the rate of false positives. action.escu.creation_date = 2021-03-01 action.escu.modification_date = 2021-03-01 action.escu.confidence = high @@ -38218,7 +38248,7 @@ action.escu.full_search_name = ESCU - Suspicious Scheduled Task from Public Dire action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Ransomware", "Ryuk Ransomware", "Windows Persistence Techniques", "Living Off The Land", "Azorult", "DarkCrystal RAT"] +action.escu.analytic_story = ["Ransomware", "Ryuk Ransomware", "Windows Persistence Techniques", "Living Off The Land", "Azorult", "DarkCrystal RAT", "Scheduled Tasks"] action.risk = 1 action.risk.param._risk_message = Suspicious scheduled task registered on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 35}, {"risk_object_field": "User", "risk_object_type": "user", "risk_score": 35}] @@ -38229,7 +38259,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Suspicious Scheduled Task from Public Directory - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Ryuk Ransomware", "Windows Persistence Techniques", "Living Off The Land", "Azorult", "DarkCrystal RAT"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Ryuk Ransomware", "Windows Persistence Techniques", "Living Off The Land", "Azorult", "DarkCrystal RAT", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -38251,14 +38281,14 @@ action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies searchprotocolhost.exe with no command line arguments. It is unusual for searchprotocolhost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. searchprotocolhost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. action.escu.known_false_positives = Limited false positives may be present in small environments. Tuning may be required based on parent process. -action.escu.creation_date = 2022-03-15 -action.escu.modification_date = 2022-03-15 +action.escu.creation_date = 2023-06-13 +action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - Suspicious SearchProtocolHost no Command Line Arguments - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Cobalt Strike"] +action.escu.analytic_story = ["Cobalt Strike", "Graceful Wipe Out Attack"] action.risk = 1 action.risk.param._risk_message = Suspicious searchprotocolhost.exe process with no command line arguments executed on $dest$ by $user$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "User", "risk_object_type": "user", "risk_score": 49}] @@ -38269,7 +38299,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Suspicious SearchProtocolHost no Command Line Arguments - Rule -action.correlationsearch.annotations = {"analytic_story": ["Cobalt Strike"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Cobalt Strike", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -38510,10 +38540,10 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime [ESCU - Svchost LOLBAS Execution Process Spawn - Rule] action.escu = 0 action.escu.enabled = 1 -description = The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity. +description = The following analytic is designed to spot instances of 'svchost.exe' initiating a Living Off The Land Binaries and Scripts (LOLBAS) execution process. Often, adversaries manipulate Task Scheduler to execute code on remote endpoints, resulting in the spawning of a malicious command as a child process of 'svchost.exe'. By tracking child processes of 'svchost.exe' that align with the LOLBAS project, potential lateral movement activity can be detected. The analytic examines process details, including the process name, parent process, and command-line executions. A comprehensive list of LOLBAS processes is included in the search parameters. Although the analytic might catch legitimate applications exhibiting this behavior, these instances should be filtered accordingly. The findings from this analytic offer valuable insight into potentially malicious activities on an endpoint. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity. +action.escu.eli5 = The following analytic is designed to spot instances of 'svchost.exe' initiating a Living Off The Land Binaries and Scripts (LOLBAS) execution process. Often, adversaries manipulate Task Scheduler to execute code on remote endpoints, resulting in the spawning of a malicious command as a child process of 'svchost.exe'. By tracking child processes of 'svchost.exe' that align with the LOLBAS project, potential lateral movement activity can be detected. The analytic examines process details, including the process name, parent process, and command-line executions. A comprehensive list of LOLBAS processes is included in the search parameters. Although the analytic might catch legitimate applications exhibiting this behavior, these instances should be filtered accordingly. The findings from this analytic offer valuable insight into potentially malicious activities on an endpoint. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. action.escu.known_false_positives = Legitimate applications may trigger this behavior, filter as needed. action.escu.creation_date = 2021-11-22 @@ -38523,7 +38553,7 @@ action.escu.full_search_name = ESCU - Svchost LOLBAS Execution Process Spawn - R action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Lateral Movement", "Living Off The Land"] +action.escu.analytic_story = ["Active Directory Lateral Movement", "Living Off The Land", "Scheduled Tasks"] action.risk = 1 action.risk.param._risk_message = Svchost.exe spawned a LOLBAS process on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 54}] @@ -38534,11 +38564,11 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Svchost LOLBAS Execution Process Spawn - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Living Off The Land", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 60, "impact": 90, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity. +action.notable.param.rule_description = The following analytic is designed to spot instances of 'svchost.exe' initiating a Living Off The Land Binaries and Scripts (LOLBAS) execution process. Often, adversaries manipulate Task Scheduler to execute code on remote endpoints, resulting in the spawning of a malicious command as a child process of 'svchost.exe'. By tracking child processes of 'svchost.exe' that align with the LOLBAS project, potential lateral movement activity can be detected. The analytic examines process details, including the process name, parent process, and command-line executions. A comprehensive list of LOLBAS processes is included in the search parameters. Although the analytic might catch legitimate applications exhibiting this behavior, these instances should be filtered accordingly. The findings from this analytic offer valuable insight into potentially malicious activities on an endpoint. action.notable.param.rule_title = Svchost LOLBAS Execution Process Spawn action.notable.param.security_domain = endpoint action.notable.param.severity = high @@ -40697,14 +40727,14 @@ action.escu.data_models = ["Endpoint"] action.escu.eli5 = This search looks for the execution of `adfind.exe` with command-line arguments that it uses by default specifically the filter or search functions. It also considers the arguments necessary like objectcategory, see readme for more details: https://www.joeware.net/freetools/tools/adfind/usage.htm. AdFind.exe is a powerful tool that is commonly used for querying and retrieving information from Active Directory (AD). While it is primarily designed for AD administration and management, it has been seen used before by Wizard Spider, FIN6 and actors whom also launched SUNBURST. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. action.escu.known_false_positives = ADfind is a command-line tool for AD administration and management that is seen to be leveraged by various adversaries. Filter out legitimate administrator usage using the filter macro. -action.escu.creation_date = 2023-05-15 -action.escu.modification_date = 2023-05-15 +action.escu.creation_date = 2023-06-13 +action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows AdFind Exe - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["NOBELIUM Group", "Domain Trust Discovery", "IcedID"] +action.escu.analytic_story = ["Domain Trust Discovery", "IcedID", "NOBELIUM Group", "Graceful Wipe Out Attack"] action.risk = 1 action.risk.param._risk_message = Windows AdFind Exe action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}] @@ -40715,7 +40745,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows AdFind Exe - Rule -action.correlationsearch.annotations = {"analytic_story": ["NOBELIUM Group", "Domain Trust Discovery", "IcedID"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Domain Trust Discovery", "IcedID", "NOBELIUM Group", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1018"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -41777,10 +41807,10 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime [ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule] action.escu = 0 action.escu.enabled = 1 -description = The following analytic identifies a non-chrome process accessing Chrome extensions file. This file stores various settings and information related to the browser's extensions on your computer. Threat actor, adversaries and malware author also abused this file to attempt to extract sensitive information from the chrome browser of the target host. This anomaly detection can be a good pivot of analysis for suspicious process aside from chrome.exe and explorer.exe executable. +description = This analytic focuses on identifying non-chrome processes that attempt to access the Chrome extensions file. This file contains crucial settings and information related to the browser's extensions installed on the computer. Adversaries and malware authors have been known to exploit this file to extract sensitive information from the Chrome browser on targeted hosts. Detecting such anomalous behavior provides valuable insights for analyzing suspicious processes beyond the commonly observed chrome.exe and explorer.exe executables. By monitoring for access to the Chrome extensions file by non-chrome processes, we can enhance our ability to detect potential threats and protect sensitive information stored within the browser. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a non-chrome process accessing Chrome extensions file. This file stores various settings and information related to the browser's extensions on your computer. Threat actor, adversaries and malware author also abused this file to attempt to extract sensitive information from the chrome browser of the target host. This anomaly detection can be a good pivot of analysis for suspicious process aside from chrome.exe and explorer.exe executable. +action.escu.eli5 = This analytic focuses on identifying non-chrome processes that attempt to access the Chrome extensions file. This file contains crucial settings and information related to the browser's extensions installed on the computer. Adversaries and malware authors have been known to exploit this file to extract sensitive information from the Chrome browser on targeted hosts. Detecting such anomalous behavior provides valuable insights for analyzing suspicious processes beyond the commonly observed chrome.exe and explorer.exe executables. By monitoring for access to the Chrome extensions file by non-chrome processes, we can enhance our ability to detect potential threats and protect sensitive information stored within the browser. action.escu.how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." action.escu.known_false_positives = Uninstall chrome browser extension application may access this file and folder path to removed chrome installation in the target host. Filter is needed. action.escu.creation_date = 2023-04-26 @@ -41790,7 +41820,7 @@ action.escu.full_search_name = ESCU - Windows Credentials from Password Stores C action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["RedLine Stealer"] +action.escu.analytic_story = ["RedLine Stealer", "Amadey"] action.risk = 1 action.risk.param._risk_message = A non-chrome process $process_name$ accessing chrome browser extension folder files on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] @@ -41801,7 +41831,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule -action.correlationsearch.annotations = {"analytic_story": ["RedLine Stealer"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["RedLine Stealer", "Amadey"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -41817,10 +41847,10 @@ search = `wineventlog_security` EventCode=4663 object_file_path="*\\AppData\\Loc [ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule] action.escu = 0 action.escu.enabled = 1 -description = The following analytic identifies a non-chrome process accessing Chrome user data "local state" file. This file stores various settings and information related to the browser's operation on your computer. Threat actor, adversaries and malware author also abused this file to attempt to extract the encrypted master key to decrypt password saved in chrome browser. This anomaly detection can be a good pivot of analysis for suspicious process aside from chrome.exe and explorer.exe executable. +description = This analytic is designed to detect non-chrome processes accessing the Chrome user data file called "local state." This file contains important settings and information related to the browser's operations on the computer. Threat actors, adversaries, and malware authors have been known to exploit this file in attempts to extract the encrypted master key used for decrypting passwords saved in the Chrome browser. Detecting access to the "local state" file by non-chrome processes serves as a valuable pivot for analyzing suspicious processes beyond the commonly observed chrome.exe and explorer.exe executables. By monitoring for this anomaly, we can improve our ability to identify potential threats and safeguard sensitive information stored within the browser. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a non-chrome process accessing Chrome user data "local state" file. This file stores various settings and information related to the browser's operation on your computer. Threat actor, adversaries and malware author also abused this file to attempt to extract the encrypted master key to decrypt password saved in chrome browser. This anomaly detection can be a good pivot of analysis for suspicious process aside from chrome.exe and explorer.exe executable. +action.escu.eli5 = This analytic is designed to detect non-chrome processes accessing the Chrome user data file called "local state." This file contains important settings and information related to the browser's operations on the computer. Threat actors, adversaries, and malware authors have been known to exploit this file in attempts to extract the encrypted master key used for decrypting passwords saved in the Chrome browser. Detecting access to the "local state" file by non-chrome processes serves as a valuable pivot for analyzing suspicious processes beyond the commonly observed chrome.exe and explorer.exe executables. By monitoring for this anomaly, we can improve our ability to identify potential threats and safeguard sensitive information stored within the browser. action.escu.how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." action.escu.known_false_positives = Uninstall chrome application may access this file and folder path to removed chrome installation in target host. Filter is needed. action.escu.creation_date = 2023-04-26 @@ -41830,7 +41860,7 @@ action.escu.full_search_name = ESCU - Windows Credentials from Password Stores C action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["RedLine Stealer"] +action.escu.analytic_story = ["RedLine Stealer", "Amadey"] action.risk = 1 action.risk.param._risk_message = A non-chrome process $process_name$ accessing "Chrome\\User Data\\Local State" file on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] @@ -41841,7 +41871,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule -action.correlationsearch.annotations = {"analytic_story": ["RedLine Stealer"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["RedLine Stealer", "Amadey"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -41857,10 +41887,10 @@ search = `wineventlog_security` EventCode=4663 object_file_path="*\\AppData\\Loc [ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule] action.escu = 0 action.escu.enabled = 1 -description = The following analytic identifies a non-chrome process accessing Chrome user data "login data" file. This sqlite db file stores various information related to the browser's operation on your computer. Threat actor, adversaries and malware author also abused this file to attempt to extract and decrypt password saved in chrome browser. This anomaly detection can be a good pivot of analysis for suspicious process aside from chrome.exe and explorer.exe executable. +description = This analytic is designed to identify non-chrome processes accessing the Chrome user data file called "login data." This SQLite database file contains important information related to the browser's operations on the computer. Threat actors, adversaries, and malware authors have been known to exploit this file in attempts to extract and decrypt passwords saved in the Chrome browser. Detecting access to the "login data" file by non-chrome processes serves as a valuable pivot for analyzing suspicious processes beyond the commonly observed chrome.exe and explorer.exe executables. By monitoring for this anomaly, we can enhance our ability to detect potential threats and protect sensitive information stored within the browser. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} action.escu.data_models = [] -action.escu.eli5 = The following analytic identifies a non-chrome process accessing Chrome user data "login data" file. This sqlite db file stores various information related to the browser's operation on your computer. Threat actor, adversaries and malware author also abused this file to attempt to extract and decrypt password saved in chrome browser. This anomaly detection can be a good pivot of analysis for suspicious process aside from chrome.exe and explorer.exe executable. +action.escu.eli5 = This analytic is designed to identify non-chrome processes accessing the Chrome user data file called "login data." This SQLite database file contains important information related to the browser's operations on the computer. Threat actors, adversaries, and malware authors have been known to exploit this file in attempts to extract and decrypt passwords saved in the Chrome browser. Detecting access to the "login data" file by non-chrome processes serves as a valuable pivot for analyzing suspicious processes beyond the commonly observed chrome.exe and explorer.exe executables. By monitoring for this anomaly, we can enhance our ability to detect potential threats and protect sensitive information stored within the browser. action.escu.how_to_implement = To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." action.escu.known_false_positives = Uninstall application may access this registry to remove the entry of the target application. filter is needed. action.escu.creation_date = 2023-04-27 @@ -41870,7 +41900,7 @@ action.escu.full_search_name = ESCU - Windows Credentials from Password Stores C action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["RedLine Stealer"] +action.escu.analytic_story = ["RedLine Stealer", "Amadey"] action.risk = 1 action.risk.param._risk_message = A non-chrome process $process_name$ accessing Chrome "Login Data" file on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] @@ -41881,7 +41911,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule -action.correlationsearch.annotations = {"analytic_story": ["RedLine Stealer"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["RedLine Stealer", "Amadey"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1012"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -43319,7 +43349,7 @@ action.escu.full_search_name = ESCU - Windows Enable Win32 ScheduledJob via Regi action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Active Directory Lateral Movement"] +action.escu.analytic_story = ["Active Directory Lateral Movement", "Scheduled Tasks"] action.risk = 1 action.risk.param._risk_message = A process has modified the schedule task registry value - EnableAt - on endpoint $dest$ by user $user$. action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}] @@ -43330,7 +43360,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Enable Win32 ScheduledJob via Registry - Rule -action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Active Directory Lateral Movement", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -43815,6 +43845,52 @@ realtime_schedule = 0 is_visible = false search = | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\System32\\drivers\\*", "*\\syswow64\\drivers\\*") by _time span=5m Filesystem.dest Filesystem.user Filesystem.file_name Filesystem.file_path Filesystem.process_guid Filesystem.file_create_time | `drop_dm_object_name(Filesystem)` | rex field="file_name" "\.(?[^\.]*$)" | where isnull(extension) | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by _time span=5m Processes.process_name Processes.dest Processes.process_guid Processes.user | `drop_dm_object_name(Processes)`] | stats count min(_time) as firstTime max(_time) as lastTime by dest process_name process_guid file_name file_path file_create_time user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_file_without_extension_in_critical_folder_filter` +[ESCU - Windows Files and Dirs Access Rights Modification Via Icacls - Rule] +action.escu = 0 +action.escu.enabled = 1 +description = This analytic aims to identify potential adversaries who manipulate the security permissions of specific files or directories. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. By modifying the security permissions, adversaries seek to evade detection and impede access to their component files. Such actions indicate a deliberate effort to maintain control over compromised systems and hinder investigation or remediation efforts. Detecting these security permission changes can serve as a valuable indicator of an ongoing attack and enable timely response to mitigate the impact of the adversary's activities. +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222.001", "T1222"], "nist": ["DE.CM"]} +action.escu.data_models = ["Endpoint"] +action.escu.eli5 = This analytic aims to identify potential adversaries who manipulate the security permissions of specific files or directories. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. By modifying the security permissions, adversaries seek to evade detection and impede access to their component files. Such actions indicate a deliberate effort to maintain control over compromised systems and hinder investigation or remediation efforts. Detecting these security permission changes can serve as a valuable indicator of an ongoing attack and enable timely response to mitigate the impact of the adversary's activities. +action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed icacls.exe may be used. +action.escu.known_false_positives = Unknown. It is possible some administrative scripts use ICacls. Filter as needed. +action.escu.creation_date = 2023-06-06 +action.escu.modification_date = 2023-06-06 +action.escu.confidence = high +action.escu.full_search_name = ESCU - Windows Files and Dirs Access Rights Modification Via Icacls - Rule +action.escu.search_type = detection +action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] +action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] +action.escu.analytic_story = ["Amadey"] +action.risk = 1 +action.risk.param._risk_message = Process name $process_name$ with access right modification argument executed by $user$ to change security permission of a specific file or directory on host $dest$ +action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] +action.risk.param._risk_score = 0 +action.risk.param.verbose = 0 +cron_schedule = 0 * * * * +dispatch.earliest_time = -70m@m +dispatch.latest_time = -10m@m +action.correlationsearch.enabled = 1 +action.correlationsearch.label = ESCU - Windows Files and Dirs Access Rights Modification Via Icacls - Rule +action.correlationsearch.annotations = {"analytic_story": ["Amadey"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1222.001", "T1222"], "nist": ["DE.CM"]} +schedule_window = auto +action.notable = 1 +action.notable.param.nes_fields = user,dest +action.notable.param.rule_description = This analytic aims to identify potential adversaries who manipulate the security permissions of specific files or directories. This technique is frequently observed in the tradecraft of Advanced Persistent Threats (APTs) and coinminer scripts. By modifying the security permissions, adversaries seek to evade detection and impede access to their component files. Such actions indicate a deliberate effort to maintain control over compromised systems and hinder investigation or remediation efforts. Detecting these security permission changes can serve as a valuable indicator of an ongoing attack and enable timely response to mitigate the impact of the adversary's activities. +action.notable.param.rule_title = Windows Files and Dirs Access Rights Modification Via Icacls +action.notable.param.security_domain = endpoint +action.notable.param.severity = high +alert.digest_mode = 1 +disabled = true +enableSched = 1 +allow_skew = 100% +counttype = number of events +relation = greater than +quantity = 0 +realtime_schedule = 0 +is_visible = false +search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( "icacls.exe", "cacls.exe","xcacls.exe") AND Processes.process IN ("*:R*", "*:W*", "*:F*", "*:C*",, "*:N*","*/P*", "*/E*") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_files_and_dirs_access_rights_modification_via_icacls_filter` + [ESCU - Windows Findstr GPP Discovery - Rule] action.escu = 0 action.escu.enabled = 1 @@ -44066,10 +44142,10 @@ search = `wineventlog_security` EventCode=5137 OR (EventCode=5136 AttributeValu [ESCU - Windows Hidden Schedule Task Settings - Rule] action.escu = 0 action.escu.enabled = 1 -description = The following query utilizes Windows Security EventCode 4698, A scheduled task was created, to identify suspicious tasks registered on Windows either via schtasks.exe OR TaskService with a hidden settings that are unique entry of malware like industroyer2 or attack that uses lolbin to download other file or payload to the infected machine. +description = The following analytic detects creation of hidden scheculed tasks such that it this task is not visible on the UI. Such behavior is indicative of certain malware, such as Industroyer2, or attacks leveraging living-off-the-land binaries (LOLBINs) to download additional payloads to a compromised machine. This analytic relies on the Windows Security EventCode 4698, indicating the creation of a scheduled task. The search focuses on identifying instances where the 'Hidden' setting is enabled, signaling potential nefarious activity. To implement this search, you need to ingest logs with task scheduling details from your endpoints. As false positives are currently unknown, it is advised to tune and filter based on the known use of task scheduling in your environment. This analytic provides crucial visibility into stealthy, potentially harmful scheduled tasks on Windows systems. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} action.escu.data_models = [] -action.escu.eli5 = The following query utilizes Windows Security EventCode 4698, A scheduled task was created, to identify suspicious tasks registered on Windows either via schtasks.exe OR TaskService with a hidden settings that are unique entry of malware like industroyer2 or attack that uses lolbin to download other file or payload to the infected machine. +action.escu.eli5 = The following analytic detects creation of hidden scheculed tasks such that it this task is not visible on the UI. Such behavior is indicative of certain malware, such as Industroyer2, or attacks leveraging living-off-the-land binaries (LOLBINs) to download additional payloads to a compromised machine. This analytic relies on the Windows Security EventCode 4698, indicating the creation of a scheduled task. The search focuses on identifying instances where the 'Hidden' setting is enabled, signaling potential nefarious activity. To implement this search, you need to ingest logs with task scheduling details from your endpoints. As false positives are currently unknown, it is advised to tune and filter based on the known use of task scheduling in your environment. This analytic provides crucial visibility into stealthy, potentially harmful scheduled tasks on Windows systems. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the task schedule (Exa. Security Log EventCode 4698) endpoints. Tune and filter known instances of Task schedule used in your environment. action.escu.known_false_positives = unknown action.escu.creation_date = 2023-04-14 @@ -44079,7 +44155,7 @@ action.escu.full_search_name = ESCU - Windows Hidden Schedule Task Settings - Ru action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["CISA AA22-257A", "Active Directory Discovery", "Industroyer2", "Data Destruction"] +action.escu.analytic_story = ["CISA AA22-257A", "Active Directory Discovery", "Industroyer2", "Data Destruction", "Scheduled Tasks"] action.risk = 1 action.risk.param._risk_message = A schedule task with hidden setting enable in host $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] @@ -44090,11 +44166,11 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Hidden Schedule Task Settings - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-257A", "Active Directory Discovery", "Industroyer2", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-257A", "Active Directory Discovery", "Industroyer2", "Data Destruction", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following query utilizes Windows Security EventCode 4698, A scheduled task was created, to identify suspicious tasks registered on Windows either via schtasks.exe OR TaskService with a hidden settings that are unique entry of malware like industroyer2 or attack that uses lolbin to download other file or payload to the infected machine. +action.notable.param.rule_description = The following analytic detects creation of hidden scheculed tasks such that it this task is not visible on the UI. Such behavior is indicative of certain malware, such as Industroyer2, or attacks leveraging living-off-the-land binaries (LOLBINs) to download additional payloads to a compromised machine. This analytic relies on the Windows Security EventCode 4698, indicating the creation of a scheduled task. The search focuses on identifying instances where the 'Hidden' setting is enabled, signaling potential nefarious activity. To implement this search, you need to ingest logs with task scheduling details from your endpoints. As false positives are currently unknown, it is advised to tune and filter based on the known use of task scheduling in your environment. This analytic provides crucial visibility into stealthy, potentially harmful scheduled tasks on Windows systems. action.notable.param.rule_title = Windows Hidden Schedule Task Settings action.notable.param.security_domain = endpoint action.notable.param.severity = high @@ -44165,7 +44241,7 @@ action.escu.full_search_name = ESCU - Windows High File Deletion Frequency - Rul action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null -action.escu.analytic_story = ["Clop Ransomware", "DarkCrystal RAT", "Swift Slicer", "Data Destruction", "WhisperGate"] +action.escu.analytic_story = ["Clop Ransomware", "DarkCrystal RAT", "Swift Slicer", "Data Destruction", "WhisperGate", "Sandworm Tools"] action.risk = 1 action.risk.param._risk_message = High frequency file deletion activity detected on host $Computer$ action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 72}, {"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 72}, {"risk_object_field": "deleted_files", "risk_object_type": "other", "risk_score": 72}] @@ -44176,7 +44252,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows High File Deletion Frequency - Rule -action.correlationsearch.annotations = {"analytic_story": ["Clop Ransomware", "DarkCrystal RAT", "Swift Slicer", "Data Destruction", "WhisperGate"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Clop Ransomware", "DarkCrystal RAT", "Swift Slicer", "Data Destruction", "WhisperGate", "Sandworm Tools"], "cis20": ["CIS 10"], "confidence": 80, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1485"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -45310,7 +45386,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the process name of java.exe and w3wp.exe spawning a Windows shell. This is potentially indicative of exploitation of the Java application and may be related to current event CVE-2021-44228 (Log4Shell). The shells included in the macro are "cmd.exe", "powershell.exe". Upon triage, review parallel processes and command-line arguments to determine legitimacy. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies the process name of java.exe and w3wp.exe spawning a Windows shell. This is potentially indicative of exploitation of the Java application and may be related to current event CVE-2021-44228 (Log4Shell). The shells included in the macro are "cmd.exe", "powershell.exe". Upon triage, review parallel processes and command-line arguments to determine legitimacy. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. Restrict the analytic to publicly facing endpoints to reduce false positives. Add any additional identified web application process name to the query. Add any further Windows process names to the macro (ex. LOLBins) to further expand this query. @@ -45333,7 +45409,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Java Spawning Shells - Rule -action.correlationsearch.annotations = {"analytic_story": ["Log4Shell CVE-2021-44228"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2021-44228", "CVE-2022-47966"], "impact": 80, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Log4Shell CVE-2021-44228"], "cis20": ["CIS 10"], "confidence": 50, "cve": ["CVE-2021-44228", "CVE-2022-47966"], "impact": 80, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -47929,7 +48005,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic is designed to detect instances where the PaperCut NG application (pc-app.exe) spawns a Windows shell, specifically cmd.exe or PowerShell. This behavior may indicate potential malicious activity, such as an attacker attempting to gain unauthorized access or execute harmful commands on the affected system. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1059", "T1190"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1059", "T1190", "T1133"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic is designed to detect instances where the PaperCut NG application (pc-app.exe) spawns a Windows shell, specifically cmd.exe or PowerShell. This behavior may indicate potential malicious activity, such as an attacker attempting to gain unauthorized access or execute harmful commands on the affected system. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. @@ -47952,7 +48028,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows PaperCut NG Spawn Shell - Rule -action.correlationsearch.annotations = {"analytic_story": ["PaperCut MF NG Vulnerability"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1059", "T1190"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["PaperCut MF NG Vulnerability"], "cis20": ["CIS 10"], "confidence": 90, "impact": 100, "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1059", "T1190", "T1133"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -48477,6 +48553,46 @@ realtime_schedule = 0 is_visible = false search = `powershell` EventCode=4104 ScriptBlockText="*Import-Module Applocker*" ScriptBlockText="*Set-AppLockerPolicy *" ScriptBlockText="* -XMLPolicy *" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_import_applocker_policy_filter` +[ESCU - Windows PowerShell ScheduleTask - Rule] +action.escu = 0 +action.escu.enabled = 1 +description = The following analytic detects potential malicious activities related to PowerShell's task scheduling cmdlets. It looks for anomalies in PowerShell logs, specifically EventCode 4104, associated with script block logging. The analytic flags unusual or suspicious use patterns of key task-related cmdlets such as 'New-ScheduledTask', 'Set-ScheduledTask', and others, which are often used by attackers for persistence and remote execution of malicious code. If a true positive is found, it suggests an possible attacker is attempting to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, PowerShell Script Block Logging needs to be enabled on some or all endpoints. Analysts should be aware of benign administrative tasks that can trigger alerts and tune the analytic accordingly to reduce false positives. Upon triage, review the PowerShell logs for any unusual or unexpected cmdlet usage, IP addresses, user accounts, or timestamps. If these factors align with known malicious behavior patterns, immediate mitigation steps, such as isolation of the affected systems, user account changes, and relevant threat hunting activities, should be initiated. This proactive analysis significantly enhances an organization's capacity to swiftly respond to, and potentially prevent, the execution of advanced persistent threats in their network. +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1059.001", "T1059"], "nist": ["DE.AE"]} +action.escu.data_models = [] +action.escu.eli5 = The following analytic detects potential malicious activities related to PowerShell's task scheduling cmdlets. It looks for anomalies in PowerShell logs, specifically EventCode 4104, associated with script block logging. The analytic flags unusual or suspicious use patterns of key task-related cmdlets such as 'New-ScheduledTask', 'Set-ScheduledTask', and others, which are often used by attackers for persistence and remote execution of malicious code. If a true positive is found, it suggests an possible attacker is attempting to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, PowerShell Script Block Logging needs to be enabled on some or all endpoints. Analysts should be aware of benign administrative tasks that can trigger alerts and tune the analytic accordingly to reduce false positives. Upon triage, review the PowerShell logs for any unusual or unexpected cmdlet usage, IP addresses, user accounts, or timestamps. If these factors align with known malicious behavior patterns, immediate mitigation steps, such as isolation of the affected systems, user account changes, and relevant threat hunting activities, should be initiated. This proactive analysis significantly enhances an organization's capacity to swiftly respond to, and potentially prevent, the execution of advanced persistent threats in their network. +action.escu.how_to_implement = To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +action.escu.known_false_positives = Benign administrative tasks can also trigger alerts, necessitating a firm understanding of the typical system behavior and precise tuning of the analytic to reduce false positives. +action.escu.creation_date = 2023-06-12 +action.escu.modification_date = 2023-06-12 +action.escu.confidence = high +action.escu.full_search_name = ESCU - Windows PowerShell ScheduleTask - Rule +action.escu.search_type = detection +action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] +action.escu.providing_technologies = ["Microsoft Windows"] +action.escu.analytic_story = ["Scheduled Tasks"] +action.risk = 1 +action.risk.param._risk_message = The PowerShell cmdlets related to task creation, modification and start occurred on $Computer$ by $user_id$. +action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 25}, {"risk_object_field": "user_id", "risk_object_type": "user", "risk_score": 25}] +action.risk.param._risk_score = 0 +action.risk.param.verbose = 0 +cron_schedule = 0 * * * * +dispatch.earliest_time = -70m@m +dispatch.latest_time = -10m@m +action.correlationsearch.enabled = 1 +action.correlationsearch.label = ESCU - Windows PowerShell ScheduleTask - Rule +action.correlationsearch.annotations = {"analytic_story": ["Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1059.001", "T1059"], "nist": ["DE.AE"]} +schedule_window = auto +alert.digest_mode = 1 +disabled = true +enableSched = 1 +allow_skew = 100% +counttype = number of events +relation = greater than +quantity = 0 +realtime_schedule = 0 +is_visible = false +search = `powershell` EventCode=4104 ScriptBlockText IN ("*New-ScheduledTask*", "*New-ScheduledTaskAction*", "*New-ScheduledTaskSettingsSet*", "*New-ScheduledTaskTrigger*", "*Register-ClusteredScheduledTask*", "*Register-ScheduledTask*", "*Set-ClusteredScheduledTask*", "*Set-ScheduledTask*", "*Start-ScheduledTask*", "*Enable-ScheduledTask*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_scheduletask_filter` + [ESCU - Windows PowerShell WMI Win32 ScheduledJob - Rule] action.escu = 0 action.escu.enabled = 1 @@ -48934,14 +49050,14 @@ action.escu.data_models = [] action.escu.eli5 = The following analytic identifies a suspicious remote thread execution in some process being abused by threat actor and malware like qakbot. Qakbot is one of the malware using this technique to load its malicious dll module or malicious code in the targeted host. This TTP can be a good pivot to verify what is the behavior of the targeted Image process after this detection trigger. look for network connection, child process execution, file access and many more that helps to verify the indication of malware infection. action.escu.how_to_implement = To successfully implement this search, you must be ingesting data that records process activity from your hosts like remote thread EventCode=8 of sysmon. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. action.escu.known_false_positives = unknown -action.escu.creation_date = 2022-11-10 -action.escu.modification_date = 2022-11-10 +action.escu.creation_date = 2023-06-15 +action.escu.modification_date = 2023-06-15 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows Process Injection Remote Thread - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null -action.escu.analytic_story = ["Qakbot"] +action.escu.analytic_story = ["Qakbot", "Graceful Wipe Out Attack"] action.risk = 1 action.risk.param._risk_message = process $SourceImage$ create a remote thread to process $TargetImage$ on host $Computer$ action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 64}, {"threat_object_field": "SourceImage", "threat_object_type": "process"}, {"risk_object_field": "TargetImage", "risk_object_type": "other", "risk_score": 64}] @@ -48952,7 +49068,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Process Injection Remote Thread - Rule -action.correlationsearch.annotations = {"analytic_story": ["Qakbot"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055", "T1055.002"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Qakbot", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1055", "T1055.002"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -48969,7 +49085,7 @@ relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false -search = `sysmon` EventCode=8 TargetImage IN ("*\\Taskmgr.exe", "*\\calc.exe", "*\\notepad.exe", "*\\rdpclip.exe", "*\\explorer.exe", "*\\wermgr.exe", "*\\ping.exe", "*\\OneDriveSetup.exe", "*\\dxdiag.exe", "*\\mobsync.exe", "*\\msra.exe", "*\\xwizard.exe") | stats count min(_time) as firstTime max(_time) as lastTime by TargetImage TargetProcessId SourceProcessId EventCode StartAddress SourceImage Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_remote_thread_filter` +search = `sysmon` EventCode=8 TargetImage IN ("*\\Taskmgr.exe", "*\\calc.exe", "*\\notepad.exe", "*\\rdpclip.exe", "*\\explorer.exe", "*\\wermgr.exe", "*\\ping.exe", "*\\OneDriveSetup.exe", "*\\dxdiag.exe", "*\\mobsync.exe", "*\\msra.exe", "*\\xwizard.exe","*\\cmd.exe", "*\\powershell.exe") | stats count min(_time) as firstTime max(_time) as lastTime by TargetImage TargetProcessId SourceProcessId EventCode StartAddress SourceImage Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_injection_remote_thread_filter` [ESCU - Windows Process Injection Wermgr Child Process - Rule] action.escu = 0 @@ -49514,14 +49630,14 @@ action.escu.data_models = [] action.escu.eli5 = This analytic is to look for suspicious raw access read to device disk partition of the host machine. This technique was seen in several attacks by adversaries or threat actor to wipe, encrypt or overwrite the boot sector of each partition as part of their impact payload for example the "hermeticwiper" malware. This detection is a good indicator that there is a process try to read or write on boot sector. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the raw access read event (like sysmon eventcode 9), process name and process guid from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. action.escu.known_false_positives = This event is really notable but we found minimal number of normal application from system32 folder like svchost.exe accessing it too. In this case we used 'system32' and 'syswow64' path as a filter for this detection. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 +action.escu.creation_date = 2023-06-13 +action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows Raw Access To Disk Volume Partition - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null -action.escu.analytic_story = ["CISA AA22-264A", "Data Destruction", "Caddy Wiper", "Hermetic Wiper"] +action.escu.analytic_story = ["CISA AA22-264A", "Graceful Wipe Out Attack", "Data Destruction", "Hermetic Wiper", "Caddy Wiper"] action.risk = 1 action.risk.param._risk_message = Process accessing disk partition $device$ in $dest$ action.risk.param._risk = [{"risk_object_field": "ComputerName", "risk_object_type": "system", "risk_score": 90}] @@ -49532,7 +49648,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Raw Access To Disk Volume Partition - Rule -action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-264A", "Data Destruction", "Caddy Wiper", "Hermetic Wiper"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1561.002", "T1561"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-264A", "Graceful Wipe Out Attack", "Data Destruction", "Hermetic Wiper", "Caddy Wiper"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1561.002", "T1561"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -49554,14 +49670,14 @@ action.escu.data_models = [] action.escu.eli5 = This analytic is to look for suspicious raw access read to drive where the master boot record is placed. This technique was seen in several attacks by adversaries or threat actor to wipe, encrypt or overwrite the master boot record code as part of their impact payload. This detection is a good indicator that there is a process try to read or write on MBR sector. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the raw access read event (like sysmon eventcode 9), process name and process guid from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. action.escu.known_false_positives = This event is really notable but we found minimal number of normal application from system32 folder like svchost.exe accessing it too. In this case we used 'system32' and 'syswow64' path as a filter for this detection. -action.escu.creation_date = 2023-04-14 -action.escu.modification_date = 2023-04-14 +action.escu.creation_date = 2023-06-13 +action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows Raw Access To Master Boot Record Drive - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null -action.escu.analytic_story = ["Caddy Wiper", "CISA AA22-264A", "Hermetic Wiper", "Data Destruction", "WhisperGate"] +action.escu.analytic_story = ["CISA AA22-264A", "WhisperGate", "Graceful Wipe Out Attack", "Data Destruction", "Hermetic Wiper", "Caddy Wiper"] action.risk = 1 action.risk.param._risk_message = process accessing MBR $device$ in $dest$ action.risk.param._risk = [{"risk_object_field": "Computer", "risk_object_type": "system", "risk_score": 90}] @@ -49572,7 +49688,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Raw Access To Master Boot Record Drive - Rule -action.correlationsearch.annotations = {"analytic_story": ["Caddy Wiper", "CISA AA22-264A", "Hermetic Wiper", "Data Destruction", "WhisperGate"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1561.002", "T1561"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["CISA AA22-264A", "WhisperGate", "Graceful Wipe Out Attack", "Data Destruction", "Hermetic Wiper", "Caddy Wiper"], "cis20": ["CIS 10"], "confidence": 100, "impact": 90, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1561.002", "T1561"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -49715,10 +49831,10 @@ search = | tstats `security_content_summariesonly` count from datamodel=Endpoint [ESCU - Windows Registry Delete Task SD - Rule] action.escu = 0 action.escu.enabled = 1 -description = The following analytic identifies a process attempting to delete a scheduled task SD (Security Descriptor) from within the registry path of that task. This may occur from a non-standard process running and may not come from reg.exe. This particular behavior will remove the actual Task Name from the Task Scheduler GUI and from the command-line query - schtasks.exe /query. In addition, in order to perform this action, the user context will need to be SYSTEM. +description = The following analytic identifies a process attempting to delete a scheduled task SD (Security Descriptor) from within the registry path of that task. This may occur from a non-standard process running and may not come from reg.exe. This particular behavior will remove the actual Task Name from the Task Scheduler GUI and from the command-line query - schtasks.exe /query. In addition, in order to perform this action, the user context will need to be SYSTEM.\ Identifying the deletion of a scheduled task's Security Descriptor from the registry is significant for a SOC as it may indicate malicious activity attempting to remove evidence of a scheduled task, potentially for defense evasion purposes. If a true positive is detected, it suggests an attacker with privileged access attempting to remove traces of their activities, which can have a significant impact on the security and functionality of affected systems. Immediate investigation and response are required to mitigate further risks and preserve the integrity of the environment. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1562"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies a process attempting to delete a scheduled task SD (Security Descriptor) from within the registry path of that task. This may occur from a non-standard process running and may not come from reg.exe. This particular behavior will remove the actual Task Name from the Task Scheduler GUI and from the command-line query - schtasks.exe /query. In addition, in order to perform this action, the user context will need to be SYSTEM. +action.escu.eli5 = The following analytic identifies a process attempting to delete a scheduled task SD (Security Descriptor) from within the registry path of that task. This may occur from a non-standard process running and may not come from reg.exe. This particular behavior will remove the actual Task Name from the Task Scheduler GUI and from the command-line query - schtasks.exe /query. In addition, in order to perform this action, the user context will need to be SYSTEM.\ Identifying the deletion of a scheduled task's Security Descriptor from the registry is significant for a SOC as it may indicate malicious activity attempting to remove evidence of a scheduled task, potentially for defense evasion purposes. If a true positive is detected, it suggests an attacker with privileged access attempting to remove traces of their activities, which can have a significant impact on the security and functionality of affected systems. Immediate investigation and response are required to mitigate further risks and preserve the integrity of the environment. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. action.escu.known_false_positives = False positives should be limited as the activity is not common to delete ONLY the SD from the registry. Filter as needed. Update the analytic Modified or Deleted values based on product that is in the datamodel. action.escu.creation_date = 2022-04-13 @@ -49728,7 +49844,7 @@ action.escu.full_search_name = ESCU - Windows Registry Delete Task SD - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Registry Abuse", "Windows Persistence Techniques"] +action.escu.analytic_story = ["Windows Registry Abuse", "Windows Persistence Techniques", "Scheduled Tasks"] action.risk = 1 action.risk.param._risk_message = A scheduled task security descriptor was deleted from the registry on $dest$. action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] @@ -49739,7 +49855,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Registry Delete Task SD - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Registry Abuse", "Windows Persistence Techniques"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1562"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Windows Registry Abuse", "Windows Persistence Techniques", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1562"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -50404,10 +50520,12 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime [ESCU - Windows Scheduled Task Created Via XML - Rule] action.escu = 0 action.escu.enabled = 1 -description = The following analytic identifies the creation of a scheduled task using schtasks.exe, with the flags -create being passed on the command-line along with an XML parameter. This technique has been associated with threat actors, adversaries, and red teamers seeking to gain persistence or achieve privilege escalation on targeted hosts. Notably, the Trickbot and Winter-Vivern malware have been observed employing this method, utilizing an XML file to create scheduled tasks. It is important to monitor and investigate such activity in order to mitigate potential security risks. +description = The following analytic detects the creation of suspicious scheduled tasks in Windows, specifically tasks created using schtasks.exe with the -create flag and an XML parameter in the command-line. This technique is commonly employed by threat actors, adversaries, and red teamers to establish persistence or achieve privilege escalation on targeted hosts. Notably, malware like Trickbot and Winter-Vivern have been observed using XML files to create scheduled tasks. Monitoring and investigating this activity is crucial to mitigate potential security risks. It is important to be aware that scripts or administrators may trigger this analytic, leading to potential false positives. To minimize false positives, adjust the filter based on the parent process or application.\ +When a true positive is detected, it suggests an attacker's attempt to gain persistence or execute additional malicious payloads, potentially resulting in data theft, ransomware, or other damaging outcomes. During triage, review the source of the scheduled task, the command to be executed, and capture any relevant on-disk artifacts. Analyze concurrent processes to identify the source of the attack. This analytic enables analysts to detect and respond to potential threats early, mitigating the associated risks effectively. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies the creation of a scheduled task using schtasks.exe, with the flags -create being passed on the command-line along with an XML parameter. This technique has been associated with threat actors, adversaries, and red teamers seeking to gain persistence or achieve privilege escalation on targeted hosts. Notably, the Trickbot and Winter-Vivern malware have been observed employing this method, utilizing an XML file to create scheduled tasks. It is important to monitor and investigate such activity in order to mitigate potential security risks. +action.escu.eli5 = The following analytic detects the creation of suspicious scheduled tasks in Windows, specifically tasks created using schtasks.exe with the -create flag and an XML parameter in the command-line. This technique is commonly employed by threat actors, adversaries, and red teamers to establish persistence or achieve privilege escalation on targeted hosts. Notably, malware like Trickbot and Winter-Vivern have been observed using XML files to create scheduled tasks. Monitoring and investigating this activity is crucial to mitigate potential security risks. It is important to be aware that scripts or administrators may trigger this analytic, leading to potential false positives. To minimize false positives, adjust the filter based on the parent process or application.\ +When a true positive is detected, it suggests an attacker's attempt to gain persistence or execute additional malicious payloads, potentially resulting in data theft, ransomware, or other damaging outcomes. During triage, review the source of the scheduled task, the command to be executed, and capture any relevant on-disk artifacts. Analyze concurrent processes to identify the source of the attack. This analytic enables analysts to detect and respond to potential threats early, mitigating the associated risks effectively. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. action.escu.known_false_positives = It is possible scripts or administrators may trigger this analytic. Filter as needed based on parent process, application. action.escu.creation_date = 2023-04-05 @@ -50417,7 +50535,7 @@ action.escu.full_search_name = ESCU - Windows Scheduled Task Created Via XML - R action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Winter Vivern"] +action.escu.analytic_story = ["Winter Vivern", "Scheduled Tasks"] action.risk = 1 action.risk.param._risk_message = A scheduled task process, $process_name$, with 'create' or 'delete' commands present in the command line. action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}, {"risk_object_field": "user", "risk_object_type": "user", "risk_score": 49}] @@ -50428,11 +50546,12 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Scheduled Task Created Via XML - Rule -action.correlationsearch.annotations = {"analytic_story": ["Winter Vivern"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Winter Vivern", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies the creation of a scheduled task using schtasks.exe, with the flags -create being passed on the command-line along with an XML parameter. This technique has been associated with threat actors, adversaries, and red teamers seeking to gain persistence or achieve privilege escalation on targeted hosts. Notably, the Trickbot and Winter-Vivern malware have been observed employing this method, utilizing an XML file to create scheduled tasks. It is important to monitor and investigate such activity in order to mitigate potential security risks. +action.notable.param.rule_description = The following analytic detects the creation of suspicious scheduled tasks in Windows, specifically tasks created using schtasks.exe with the -create flag and an XML parameter in the command-line. This technique is commonly employed by threat actors, adversaries, and red teamers to establish persistence or achieve privilege escalation on targeted hosts. Notably, malware like Trickbot and Winter-Vivern have been observed using XML files to create scheduled tasks. Monitoring and investigating this activity is crucial to mitigate potential security risks. It is important to be aware that scripts or administrators may trigger this analytic, leading to potential false positives. To minimize false positives, adjust the filter based on the parent process or application.\ +When a true positive is detected, it suggests an attacker's attempt to gain persistence or execute additional malicious payloads, potentially resulting in data theft, ransomware, or other damaging outcomes. During triage, review the source of the scheduled task, the command to be executed, and capture any relevant on-disk artifacts. Analyze concurrent processes to identify the source of the attack. This analytic enables analysts to detect and respond to potential threats early, mitigating the associated risks effectively. action.notable.param.rule_title = Windows Scheduled Task Created Via XML action.notable.param.security_domain = endpoint action.notable.param.severity = high @@ -50450,12 +50569,14 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime [ESCU - Windows Scheduled Task with Highest Privileges - Rule] action.escu = 0 action.escu.enabled = 1 -description = The following analytic identifies Schtasks.exe creating a new task with highest privilege execution. This techniques was seen in asyncrat where it uses the scheduled task as part of it persistence and privilege escalation. AsyncRAT will setup a scheduled task with parameter '/rl' and 'highest' to trigger this technique. This TTP detection can be a good indicator of malware or adversaries trying to gain persistence and privilege escalation through scheduled task. We recommend to always check and monitoring this type of events even filtering is needed. +description = The following analytic detects the creation of a new task with the highest execution privilege via Schtasks.exe. This tactic is often observed in AsyncRAT attacks, where the scheduled task is used for persistence and privilege escalation. AsyncRAT sets up a scheduled task with parameters '/rl' and 'highest', triggering this technique. It's a strong indicator of potential malware or adversaries seeking to establish persistence and escalate privileges through scheduled tasks. This is crucial for a Security Operations Center (SOC) as it can prevent unauthorized system access and potential data breaches.\ +The analytic works by monitoring logs for process name, parent process, and command-line executions. In the presence of the '*/rl ' and ' highest *' commands in a schtasks.exe process, an alert is triggered. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies Schtasks.exe creating a new task with highest privilege execution. This techniques was seen in asyncrat where it uses the scheduled task as part of it persistence and privilege escalation. AsyncRAT will setup a scheduled task with parameter '/rl' and 'highest' to trigger this technique. This TTP detection can be a good indicator of malware or adversaries trying to gain persistence and privilege escalation through scheduled task. We recommend to always check and monitoring this type of events even filtering is needed. +action.escu.eli5 = The following analytic detects the creation of a new task with the highest execution privilege via Schtasks.exe. This tactic is often observed in AsyncRAT attacks, where the scheduled task is used for persistence and privilege escalation. AsyncRAT sets up a scheduled task with parameters '/rl' and 'highest', triggering this technique. It's a strong indicator of potential malware or adversaries seeking to establish persistence and escalate privileges through scheduled tasks. This is crucial for a Security Operations Center (SOC) as it can prevent unauthorized system access and potential data breaches.\ +The analytic works by monitoring logs for process name, parent process, and command-line executions. In the presence of the '*/rl ' and ' highest *' commands in a schtasks.exe process, an alert is triggered. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of wermgr.exe may be used. -action.escu.known_false_positives = False positives will be limited to legitimate applications creating a task to run as SYSTEM. Filter as needed based on parent process, or modify the query to have world writeable paths to restrict it. +action.escu.known_false_positives = False positives may arise from legitimate applications that create tasks to run as SYSTEM. Therefore, it's recommended to adjust filters based on parent process or modify the query to include world writable paths for restriction. action.escu.creation_date = 2023-01-26 action.escu.modification_date = 2023-01-26 action.escu.confidence = high @@ -50463,7 +50584,7 @@ action.escu.full_search_name = ESCU - Windows Scheduled Task with Highest Privil action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["AsyncRAT"] +action.escu.analytic_story = ["AsyncRAT", "Scheduled Tasks"] action.risk = 1 action.risk.param._risk_message = a $process_name$ creating a schedule task $process$ with highest run level privilege in $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 64}] @@ -50474,11 +50595,12 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Scheduled Task with Highest Privileges - Rule -action.correlationsearch.annotations = {"analytic_story": ["AsyncRAT"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["AsyncRAT", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 80, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053", "T1053.005"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies Schtasks.exe creating a new task with highest privilege execution. This techniques was seen in asyncrat where it uses the scheduled task as part of it persistence and privilege escalation. AsyncRAT will setup a scheduled task with parameter '/rl' and 'highest' to trigger this technique. This TTP detection can be a good indicator of malware or adversaries trying to gain persistence and privilege escalation through scheduled task. We recommend to always check and monitoring this type of events even filtering is needed. +action.notable.param.rule_description = The following analytic detects the creation of a new task with the highest execution privilege via Schtasks.exe. This tactic is often observed in AsyncRAT attacks, where the scheduled task is used for persistence and privilege escalation. AsyncRAT sets up a scheduled task with parameters '/rl' and 'highest', triggering this technique. It's a strong indicator of potential malware or adversaries seeking to establish persistence and escalate privileges through scheduled tasks. This is crucial for a Security Operations Center (SOC) as it can prevent unauthorized system access and potential data breaches.\ +The analytic works by monitoring logs for process name, parent process, and command-line executions. In the presence of the '*/rl ' and ' highest *' commands in a schtasks.exe process, an alert is triggered. action.notable.param.rule_title = Windows Scheduled Task with Highest Privileges action.notable.param.security_domain = endpoint action.notable.param.severity = high @@ -50496,10 +50618,10 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime [ESCU - Windows Schtasks Create Run As System - Rule] action.escu = 0 action.escu.enabled = 1 -description = The following analytic identifies Schtasks.exe creating a new task to start and run as an elevated user - SYSTEM. This is commonly used by adversaries to spawn a process in an elevated state. +description = The following analytic identifies the creation of a new task to start and run as an elevated user - SYSTEM using Schtasks.exe. This behavior is commonly used by adversaries to spawn a process in an elevated state. If a true positive is found, it suggests an attacker is attempting to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. Upon triage, review the scheduled task's source and the command to be executed. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies Schtasks.exe creating a new task to start and run as an elevated user - SYSTEM. This is commonly used by adversaries to spawn a process in an elevated state. +action.escu.eli5 = The following analytic identifies the creation of a new task to start and run as an elevated user - SYSTEM using Schtasks.exe. This behavior is commonly used by adversaries to spawn a process in an elevated state. If a true positive is found, it suggests an attacker is attempting to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. Upon triage, review the scheduled task's source and the command to be executed. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. action.escu.known_false_positives = False positives will be limited to legitimate applications creating a task to run as SYSTEM. Filter as needed based on parent process, or modify the query to have world writeable paths to restrict it. action.escu.creation_date = 2022-02-07 @@ -50509,7 +50631,7 @@ action.escu.full_search_name = ESCU - Windows Schtasks Create Run As System - Ru action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Windows Persistence Techniques", "Qakbot"] +action.escu.analytic_story = ["Windows Persistence Techniques", "Qakbot", "Scheduled Tasks"] action.risk = 1 action.risk.param._risk_message = An $process_name$ was created on endpoint $dest$ attempting to spawn as SYSTEM. action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 48}, {"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 48}] @@ -50520,11 +50642,11 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Schtasks Create Run As System - Rule -action.correlationsearch.annotations = {"analytic_story": ["Windows Persistence Techniques", "Qakbot"], "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Windows Persistence Techniques", "Qakbot", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 60, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following analytic identifies Schtasks.exe creating a new task to start and run as an elevated user - SYSTEM. This is commonly used by adversaries to spawn a process in an elevated state. +action.notable.param.rule_description = The following analytic identifies the creation of a new task to start and run as an elevated user - SYSTEM using Schtasks.exe. This behavior is commonly used by adversaries to spawn a process in an elevated state. If a true positive is found, it suggests an attacker is attempting to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. Upon triage, review the scheduled task's source and the command to be executed. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks. action.notable.param.rule_title = Windows Schtasks Create Run As System action.notable.param.security_domain = endpoint action.notable.param.severity = high @@ -51174,14 +51296,14 @@ action.escu.data_models = ["Endpoint"] action.escu.eli5 = The following analytic identifies Windows Service Control, `sc.exe`, attempting to delete a service. This is typically identified in parallel with other instances of service enumeration of attempts to stop a service and then delete it. Adversaries utilize this technique to terminate security services or other related services to continue there objective and evade detections. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. action.escu.known_false_positives = It is possible administrative scripts may start/stop/delete services. Filter as needed. -action.escu.creation_date = 2022-06-21 -action.escu.modification_date = 2022-06-21 +action.escu.creation_date = 2023-06-13 +action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows Service Stop By Deletion - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Azorult"] +action.escu.analytic_story = ["Azorult", "Graceful Wipe Out Attack"] action.risk = 1 action.risk.param._risk_message = An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ attempting to delete a service. action.risk.param._risk = [{"risk_object_field": "process_name", "risk_object_type": "other", "risk_score": 49}] @@ -51192,7 +51314,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Service Stop By Deletion - Rule -action.correlationsearch.annotations = {"analytic_story": ["Azorult"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Azorult", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -51220,14 +51342,14 @@ action.escu.data_models = ["Endpoint"] action.escu.eli5 = This analytic identifies suspicious attempts to stop services on a system using either `net.exe` or `sc.exe`. This technique is used by adversaries to terminate security services or other related services to continue their objective and evade detections. This technique is also commonly used by ransomware threat actors to successfully encrypt databases or files being processed or used by Windows OS Services. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. action.escu.known_false_positives = Windows OS or software may stop and restart services due to some critical update. -action.escu.creation_date = 2022-11-30 -action.escu.modification_date = 2022-11-30 +action.escu.creation_date = 2023-06-13 +action.escu.modification_date = 2023-06-13 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows Service Stop Via Net and SC Application - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["Prestige Ransomware"] +action.escu.analytic_story = ["Prestige Ransomware", "Graceful Wipe Out Attack"] action.risk = 1 action.risk.param._risk_message = $process$ was executed on $dest$ attempting to stop service. action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] @@ -51238,7 +51360,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Service Stop Via Net and SC Application - Rule -action.correlationsearch.annotations = {"analytic_story": ["Prestige Ransomware"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Prestige Ransomware", "Graceful Wipe Out Attack"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1489"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -52267,20 +52389,20 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime [ESCU - Windows System Shutdown CommandLine - Rule] action.escu = 0 action.escu.enabled = 1 -description = The following analytic identifies Windows commandline to shutdown a windows host machine. This technique was seen in several APT, RAT like dcrat and other commodity malware to shutdown the machine to add more impact, interrupt access, aid destruction of the system like wiping disk or inhibit system recovery. This TTP is a good pivot to check why application trigger this commandline which is not so common way to shutdown a machine. +description = This detection rule is designed to identify the execution of the Windows shutdown command via command line interface. The shutdown command can be utilized by system administrators to properly halt, power off, or reboot a computer. However, in a security context, attackers who have gained unauthorized access to a system may also use this command in an effort to erase tracks, or to cause disruption and denial of service. In some instances, they might execute the shutdown command after installing a backdoor, to force the system to restart, ensuring that changes take effect or evading detection by security tools. Monitoring for the use of the Windows shutdown command, especially in conjunction with other unusual or unauthorized activities, can be an important part of identifying malicious behavior within a network. It is advised that security professionals analyze the context in which the shutdown command is being executed to differentiate between legitimate administrative functions and potentially malicious activity. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1529"], "nist": ["DE.AE"]} action.escu.data_models = ["Endpoint"] -action.escu.eli5 = The following analytic identifies Windows commandline to shutdown a windows host machine. This technique was seen in several APT, RAT like dcrat and other commodity malware to shutdown the machine to add more impact, interrupt access, aid destruction of the system like wiping disk or inhibit system recovery. This TTP is a good pivot to check why application trigger this commandline which is not so common way to shutdown a machine. +action.escu.eli5 = This detection rule is designed to identify the execution of the Windows shutdown command via command line interface. The shutdown command can be utilized by system administrators to properly halt, power off, or reboot a computer. However, in a security context, attackers who have gained unauthorized access to a system may also use this command in an effort to erase tracks, or to cause disruption and denial of service. In some instances, they might execute the shutdown command after installing a backdoor, to force the system to restart, ensuring that changes take effect or evading detection by security tools. Monitoring for the use of the Windows shutdown command, especially in conjunction with other unusual or unauthorized activities, can be an important part of identifying malicious behavior within a network. It is advised that security professionals analyze the context in which the shutdown command is being executed to differentiate between legitimate administrative functions and potentially malicious activity. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. action.escu.known_false_positives = Administrator may execute this commandline to trigger shutdown or restart the host machine. -action.escu.creation_date = 2022-07-27 -action.escu.modification_date = 2022-07-27 +action.escu.creation_date = 2023-06-20 +action.escu.modification_date = 2023-06-20 action.escu.confidence = high action.escu.full_search_name = ESCU - Windows System Shutdown CommandLine - Rule action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Sysmon", "Microsoft Windows", "Carbon Black Response", "CrowdStrike Falcon", "Symantec Endpoint Protection"] -action.escu.analytic_story = ["DarkCrystal RAT"] +action.escu.analytic_story = ["DarkCrystal RAT", "Sandworm Tools"] action.risk = 1 action.risk.param._risk_message = Process $process_name$ seen to execute shutdown via commandline on $dest$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 49}] @@ -52291,7 +52413,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows System Shutdown CommandLine - Rule -action.correlationsearch.annotations = {"analytic_story": ["DarkCrystal RAT"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1529"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["DarkCrystal RAT", "Sandworm Tools"], "cis20": ["CIS 10"], "confidence": 70, "impact": 70, "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1529"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -52302,7 +52424,7 @@ relation = greater than quantity = 0 realtime_schedule = 0 is_visible = false -search = | tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = shutdown.exe OR Processes.original_file_name = shutdown.exe) Processes.process="*shutdown*" Processes.process="* /s*" Processes.process="* /t*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_shutdown_commandline_filter` +search = | tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = shutdown.exe OR Processes.original_file_name = shutdown.exe) Processes.process="*shutdown*" AND Processes.process IN("* /s*", "* -s*", "* /r*", "* -r*") AND Processes.process="* /t*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_shutdown_commandline_filter` [ESCU - Windows System Time Discovery W32tm Delay - Rule] action.escu = 0 @@ -53117,10 +53239,16 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime [ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule] action.escu = 0 action.escu.enabled = 1 -description = The following query utilizes Windows Security EventCode 4698, `A scheduled task was created`, to identify suspicious tasks registered on Windows either via schtasks.exe OR TaskService with a command to be executed with a native Windows shell (PowerShell, Cmd, Wscript, Cscript).\ The search will return the first time and last time the task was registered, as well as the `Command` to be executed, `Task Name`, `Author`, `Enabled`, and whether it is `Hidden` or not.\ schtasks.exe is natively found in `C:\Windows\system32` and `C:\Windows\syswow64`.\ The following DLL(s) are loaded when schtasks.exe or TaskService is launched -`taskschd.dll`. If found loaded by another process, it is possible a scheduled task is being registered within that process context in memory.\ Upon triage, identify the task scheduled source. Was it schtasks.exe or via TaskService? Review the job created and the Command to be executed. Capture any artifacts on disk and review. Identify any parallel processes within the same timeframe to identify source. +description = The following query utilizes Windows Security EventCode 4698, indicating 'a scheduled task was created', to identify potentially suspicious tasks. These tasks may be registered on Windows through either schtasks.exe or TaskService, and are set up to execute a command with a native Windows shell such as PowerShell, Cmd, Wscript, or Cscript.\ +The search will return the initial and final times the task was registered, along with details like the 'Command' set to be executed, 'Task Name', 'Author', whether it's 'Enabled', and if it is 'Hidden'.\ +Schtasks.exe is typically found in C:\Windows\system32 and C:\Windows\syswow64. The DLL 'taskschd.dll' is loaded when either schtasks.exe or TaskService is launched. If this DLL is found loaded by another process, it's possible that a scheduled task is being registered within the context of that process in memory.\ +During triage, it's essential to identify the source of the scheduled task. Was it registered via schtasks.exe or TaskService? Review the job that was created and the command set to be executed. It's also recommended to capture and review any artifacts on disk, and identify any parallel processes within the same timeframe to locate the source. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} action.escu.data_models = [] -action.escu.eli5 = The following query utilizes Windows Security EventCode 4698, `A scheduled task was created`, to identify suspicious tasks registered on Windows either via schtasks.exe OR TaskService with a command to be executed with a native Windows shell (PowerShell, Cmd, Wscript, Cscript).\ The search will return the first time and last time the task was registered, as well as the `Command` to be executed, `Task Name`, `Author`, `Enabled`, and whether it is `Hidden` or not.\ schtasks.exe is natively found in `C:\Windows\system32` and `C:\Windows\syswow64`.\ The following DLL(s) are loaded when schtasks.exe or TaskService is launched -`taskschd.dll`. If found loaded by another process, it is possible a scheduled task is being registered within that process context in memory.\ Upon triage, identify the task scheduled source. Was it schtasks.exe or via TaskService? Review the job created and the Command to be executed. Capture any artifacts on disk and review. Identify any parallel processes within the same timeframe to identify source. +action.escu.eli5 = The following query utilizes Windows Security EventCode 4698, indicating 'a scheduled task was created', to identify potentially suspicious tasks. These tasks may be registered on Windows through either schtasks.exe or TaskService, and are set up to execute a command with a native Windows shell such as PowerShell, Cmd, Wscript, or Cscript.\ +The search will return the initial and final times the task was registered, along with details like the 'Command' set to be executed, 'Task Name', 'Author', whether it's 'Enabled', and if it is 'Hidden'.\ +Schtasks.exe is typically found in C:\Windows\system32 and C:\Windows\syswow64. The DLL 'taskschd.dll' is loaded when either schtasks.exe or TaskService is launched. If this DLL is found loaded by another process, it's possible that a scheduled task is being registered within the context of that process in memory.\ +During triage, it's essential to identify the source of the scheduled task. Was it registered via schtasks.exe or TaskService? Review the job that was created and the command set to be executed. It's also recommended to capture and review any artifacts on disk, and identify any parallel processes within the same timeframe to locate the source. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required. action.escu.known_false_positives = False positives are possible if legitimate applications are allowed to register tasks that call a shell to be spawned. Filter as needed based on command-line or processes that are used legitimately. action.escu.creation_date = 2023-04-05 @@ -53130,7 +53258,7 @@ action.escu.full_search_name = ESCU - WinEvent Scheduled Task Created to Spawn S action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Ransomware", "Windows Persistence Techniques", "Winter Vivern", "Ryuk Ransomware", "CISA AA22-257A"] +action.escu.analytic_story = ["Ransomware", "Windows Persistence Techniques", "Winter Vivern", "Ryuk Ransomware", "CISA AA22-257A", "Scheduled Tasks"] action.risk = 1 action.risk.param._risk_message = A windows scheduled task was created (task name=$Task_Name$) on $dest$ by the following command: $Command$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 70}, {"risk_object_field": "Command", "risk_object_type": "other", "risk_score": 70}] @@ -53141,11 +53269,14 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Windows Persistence Techniques", "Winter Vivern", "Ryuk Ransomware", "CISA AA22-257A"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Windows Persistence Techniques", "Winter Vivern", "Ryuk Ransomware", "CISA AA22-257A", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following query utilizes Windows Security EventCode 4698, `A scheduled task was created`, to identify suspicious tasks registered on Windows either via schtasks.exe OR TaskService with a command to be executed with a native Windows shell (PowerShell, Cmd, Wscript, Cscript).\ The search will return the first time and last time the task was registered, as well as the `Command` to be executed, `Task Name`, `Author`, `Enabled`, and whether it is `Hidden` or not.\ schtasks.exe is natively found in `C:\Windows\system32` and `C:\Windows\syswow64`.\ The following DLL(s) are loaded when schtasks.exe or TaskService is launched -`taskschd.dll`. If found loaded by another process, it is possible a scheduled task is being registered within that process context in memory.\ Upon triage, identify the task scheduled source. Was it schtasks.exe or via TaskService? Review the job created and the Command to be executed. Capture any artifacts on disk and review. Identify any parallel processes within the same timeframe to identify source. +action.notable.param.rule_description = The following query utilizes Windows Security EventCode 4698, indicating 'a scheduled task was created', to identify potentially suspicious tasks. These tasks may be registered on Windows through either schtasks.exe or TaskService, and are set up to execute a command with a native Windows shell such as PowerShell, Cmd, Wscript, or Cscript.\ +The search will return the initial and final times the task was registered, along with details like the 'Command' set to be executed, 'Task Name', 'Author', whether it's 'Enabled', and if it is 'Hidden'.\ +Schtasks.exe is typically found in C:\Windows\system32 and C:\Windows\syswow64. The DLL 'taskschd.dll' is loaded when either schtasks.exe or TaskService is launched. If this DLL is found loaded by another process, it's possible that a scheduled task is being registered within the context of that process in memory.\ +During triage, it's essential to identify the source of the scheduled task. Was it registered via schtasks.exe or TaskService? Review the job that was created and the command set to be executed. It's also recommended to capture and review any artifacts on disk, and identify any parallel processes within the same timeframe to locate the source. action.notable.param.rule_title = WinEvent Scheduled Task Created to Spawn Shell action.notable.param.security_domain = endpoint action.notable.param.severity = high @@ -53163,10 +53294,16 @@ search = `wineventlog_security` EventCode=4698 | xmlkv Message | search Command [ESCU - WinEvent Scheduled Task Created Within Public Path - Rule] action.escu = 0 action.escu.enabled = 1 -description = The following query utilizes Windows Security EventCode 4698, `A scheduled task was created`, to identify suspicious tasks registered on Windows either via schtasks.exe OR TaskService with a command to be executed from a user writeable file path.\ The search will return the first time and last time the task was registered, as well as the `Command` to be executed, `Task Name`, `Author`, `Enabled`, and whether it is `Hidden` or not.\ schtasks.exe is natively found in `C:\Windows\system32` and `C:\Windows\syswow64`.\ The following DLL(s) are loaded when schtasks.exe or TaskService is launched -`taskschd.dll`. If found loaded by another process, it is possible a scheduled task is being registered within that process context in memory.\ Upon triage, identify the task scheduled source. Was it schtasks.exe or was it via TaskService. Review the job created and the Command to be executed. Capture any artifacts on disk and review. Identify any parallel processes within the same timeframe to identify source. +description = The following analytic utilizes Windows Security EventCode 4698, which indicates the creation of a scheduled task on a Windows system. The purpose of this query is to identify suspicious tasks that have been registered using either schtasks.exe or TaskService and involve executing a command from a user-writable file path.\ +When this analytic is triggered, it provides information such as the first and last registration time of the task, the command to be executed, the task name, author, and whether it is set as hidden or not. It is worth noting that schtasks.exe is commonly located in C:\Windows\system32 and C:\Windows\syswow64, and it loads the taskschd.dll DLL when launched. If this DLL is loaded by another process, it suggests that a scheduled task may be registered within that process's context in memory.\ +During the triage process, it is essential to identify the source of the scheduled task creation, whether it was initiated through schtasks.exe or TaskService. The analyst should review the task that was created, including the command to be executed. Additionally, any artifacts on disk related to the task should be captured and analyzed. It is also recommended to identify any parallel processes that occurred within the same timeframe to determine the source of the task creation.\ +By conducting this triage process, security analysts can gain insights into potentially malicious or suspicious scheduled tasks, helping them identify the source and assess the impact of the task. This analytic is valuable for a Security Operations Center (SOC) as it can detect unauthorized or suspicious activity that could indicate an attacker's attempt to establish persistence or execute unauthorized commands on the system.\ action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} action.escu.data_models = [] -action.escu.eli5 = The following query utilizes Windows Security EventCode 4698, `A scheduled task was created`, to identify suspicious tasks registered on Windows either via schtasks.exe OR TaskService with a command to be executed from a user writeable file path.\ The search will return the first time and last time the task was registered, as well as the `Command` to be executed, `Task Name`, `Author`, `Enabled`, and whether it is `Hidden` or not.\ schtasks.exe is natively found in `C:\Windows\system32` and `C:\Windows\syswow64`.\ The following DLL(s) are loaded when schtasks.exe or TaskService is launched -`taskschd.dll`. If found loaded by another process, it is possible a scheduled task is being registered within that process context in memory.\ Upon triage, identify the task scheduled source. Was it schtasks.exe or was it via TaskService. Review the job created and the Command to be executed. Capture any artifacts on disk and review. Identify any parallel processes within the same timeframe to identify source. +action.escu.eli5 = The following analytic utilizes Windows Security EventCode 4698, which indicates the creation of a scheduled task on a Windows system. The purpose of this query is to identify suspicious tasks that have been registered using either schtasks.exe or TaskService and involve executing a command from a user-writable file path.\ +When this analytic is triggered, it provides information such as the first and last registration time of the task, the command to be executed, the task name, author, and whether it is set as hidden or not. It is worth noting that schtasks.exe is commonly located in C:\Windows\system32 and C:\Windows\syswow64, and it loads the taskschd.dll DLL when launched. If this DLL is loaded by another process, it suggests that a scheduled task may be registered within that process's context in memory.\ +During the triage process, it is essential to identify the source of the scheduled task creation, whether it was initiated through schtasks.exe or TaskService. The analyst should review the task that was created, including the command to be executed. Additionally, any artifacts on disk related to the task should be captured and analyzed. It is also recommended to identify any parallel processes that occurred within the same timeframe to determine the source of the task creation.\ +By conducting this triage process, security analysts can gain insights into potentially malicious or suspicious scheduled tasks, helping them identify the source and assess the impact of the task. This analytic is valuable for a Security Operations Center (SOC) as it can detect unauthorized or suspicious activity that could indicate an attacker's attempt to establish persistence or execute unauthorized commands on the system.\ action.escu.how_to_implement = To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required. action.escu.known_false_positives = False positives are possible if legitimate applications are allowed to register tasks in public paths. Filter as needed based on paths that are used legitimately. action.escu.creation_date = 2023-04-05 @@ -53176,7 +53313,7 @@ action.escu.full_search_name = ESCU - WinEvent Scheduled Task Created Within Pub action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = ["Microsoft Windows"] -action.escu.analytic_story = ["Ransomware", "Windows Persistence Techniques", "Winter Vivern", "Prestige Ransomware", "AsyncRAT", "Ryuk Ransomware", "IcedID", "CISA AA22-257A", "Industroyer2", "Active Directory Lateral Movement", "Data Destruction"] +action.escu.analytic_story = ["Ransomware", "Windows Persistence Techniques", "Winter Vivern", "Prestige Ransomware", "AsyncRAT", "Ryuk Ransomware", "IcedID", "CISA AA22-257A", "Industroyer2", "Active Directory Lateral Movement", "Data Destruction", "Scheduled Tasks"] action.risk = 1 action.risk.param._risk_message = A windows scheduled task was created (task name=$Task_Name$) on $dest$ by the following command: $Command$ action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 70}, {"risk_object_field": "Command", "risk_object_type": "other", "risk_score": 70}] @@ -53187,11 +53324,14 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - WinEvent Scheduled Task Created Within Public Path - Rule -action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Windows Persistence Techniques", "Winter Vivern", "Prestige Ransomware", "AsyncRAT", "Ryuk Ransomware", "IcedID", "CISA AA22-257A", "Industroyer2", "Active Directory Lateral Movement", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Ransomware", "Windows Persistence Techniques", "Winter Vivern", "Prestige Ransomware", "AsyncRAT", "Ryuk Ransomware", "IcedID", "CISA AA22-257A", "Industroyer2", "Active Directory Lateral Movement", "Data Destruction", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 100, "impact": 70, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005", "T1053"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = The following query utilizes Windows Security EventCode 4698, `A scheduled task was created`, to identify suspicious tasks registered on Windows either via schtasks.exe OR TaskService with a command to be executed from a user writeable file path.\ The search will return the first time and last time the task was registered, as well as the `Command` to be executed, `Task Name`, `Author`, `Enabled`, and whether it is `Hidden` or not.\ schtasks.exe is natively found in `C:\Windows\system32` and `C:\Windows\syswow64`.\ The following DLL(s) are loaded when schtasks.exe or TaskService is launched -`taskschd.dll`. If found loaded by another process, it is possible a scheduled task is being registered within that process context in memory.\ Upon triage, identify the task scheduled source. Was it schtasks.exe or was it via TaskService. Review the job created and the Command to be executed. Capture any artifacts on disk and review. Identify any parallel processes within the same timeframe to identify source. +action.notable.param.rule_description = The following analytic utilizes Windows Security EventCode 4698, which indicates the creation of a scheduled task on a Windows system. The purpose of this query is to identify suspicious tasks that have been registered using either schtasks.exe or TaskService and involve executing a command from a user-writable file path.\ +When this analytic is triggered, it provides information such as the first and last registration time of the task, the command to be executed, the task name, author, and whether it is set as hidden or not. It is worth noting that schtasks.exe is commonly located in C:\Windows\system32 and C:\Windows\syswow64, and it loads the taskschd.dll DLL when launched. If this DLL is loaded by another process, it suggests that a scheduled task may be registered within that process's context in memory.\ +During the triage process, it is essential to identify the source of the scheduled task creation, whether it was initiated through schtasks.exe or TaskService. The analyst should review the task that was created, including the command to be executed. Additionally, any artifacts on disk related to the task should be captured and analyzed. It is also recommended to identify any parallel processes that occurred within the same timeframe to determine the source of the task creation.\ +By conducting this triage process, security analysts can gain insights into potentially malicious or suspicious scheduled tasks, helping them identify the source and assess the impact of the task. This analytic is valuable for a Security Operations Center (SOC) as it can detect unauthorized or suspicious activity that could indicate an attacker's attempt to establish persistence or execute unauthorized commands on the system.\ action.notable.param.rule_title = WinEvent Scheduled Task Created Within Public Path action.notable.param.security_domain = endpoint action.notable.param.severity = high @@ -53209,10 +53349,18 @@ search = `wineventlog_security` EventCode=4698 | xmlkv Message | search Command [ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule] action.escu = 0 action.escu.enabled = 1 -description = The following hunting analytic assists with identifying suspicious tasks that have been registered and ran in Windows using EventID 200 (action run) and 201 (action completed). It is recommended to filter based on ActionName by specifying specific paths not used in your environment. After some basic tuning, this may be effective in capturing evasive ways to register tasks on Windows. Review parallel events related to tasks being scheduled. EventID 106 will generate when a new task is generated, however, that does not mean it ran. Capture any files on disk and analyze. +description = The following hunting analytic aims to identify suspicious tasks that have been registered and executed in Windows using EventID 200 (action run) and 201 (action completed) from the Windows Task Scheduler logs. This analytic helps detect evasive techniques used to register tasks on Windows systems. It is recommended to filter the results based on the ActionName field by specifying specific paths that are not commonly used in your environment.\ +After implementing this analytic, it is important to review parallel events related to the scheduled tasks. EventID 106 will be generated when a new task is created, but it does not necessarily mean that the task has been executed. Analysts should capture any files on disk associated with the task and perform further analysis.\ +To implement this analytic, Task Scheduler logs must be collected. This can be done by adding a stanza for [WinEventLog://Microsoft-Windows-TaskScheduler/Operational] in the inputs.conf file and setting renderXml=false. It is worth noting that not translating the logs into XML may require specific extraction of items from the Message field.\ +False positives are expected with this analytic, so it is important to filter the results based on the paths or specific keywords of interest in the ActionName field to reduce noise.\ +Identifying and analyzing scheduled tasks that have been executed is crucial for a Security Operations Center (SOC) as it helps detect potentially malicious or unauthorized activities on Windows systems. By capturing and investigating the associated events, analysts can uncover signs of persistence mechanisms, unauthorized code execution, or suspicious behaviors. The impact of a true positive could range from unauthorized access to data exfiltration or the execution of malicious payloads. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005"], "nist": ["DE.AE"]} action.escu.data_models = [] -action.escu.eli5 = The following hunting analytic assists with identifying suspicious tasks that have been registered and ran in Windows using EventID 200 (action run) and 201 (action completed). It is recommended to filter based on ActionName by specifying specific paths not used in your environment. After some basic tuning, this may be effective in capturing evasive ways to register tasks on Windows. Review parallel events related to tasks being scheduled. EventID 106 will generate when a new task is generated, however, that does not mean it ran. Capture any files on disk and analyze. +action.escu.eli5 = The following hunting analytic aims to identify suspicious tasks that have been registered and executed in Windows using EventID 200 (action run) and 201 (action completed) from the Windows Task Scheduler logs. This analytic helps detect evasive techniques used to register tasks on Windows systems. It is recommended to filter the results based on the ActionName field by specifying specific paths that are not commonly used in your environment.\ +After implementing this analytic, it is important to review parallel events related to the scheduled tasks. EventID 106 will be generated when a new task is created, but it does not necessarily mean that the task has been executed. Analysts should capture any files on disk associated with the task and perform further analysis.\ +To implement this analytic, Task Scheduler logs must be collected. This can be done by adding a stanza for [WinEventLog://Microsoft-Windows-TaskScheduler/Operational] in the inputs.conf file and setting renderXml=false. It is worth noting that not translating the logs into XML may require specific extraction of items from the Message field.\ +False positives are expected with this analytic, so it is important to filter the results based on the paths or specific keywords of interest in the ActionName field to reduce noise.\ +Identifying and analyzing scheduled tasks that have been executed is crucial for a Security Operations Center (SOC) as it helps detect potentially malicious or unauthorized activities on Windows systems. By capturing and investigating the associated events, analysts can uncover signs of persistence mechanisms, unauthorized code execution, or suspicious behaviors. The impact of a true positive could range from unauthorized access to data exfiltration or the execution of malicious payloads. action.escu.how_to_implement = Task Scheduler logs are required to be collected. Enable logging with inputs.conf by adding a stanza for [WinEventLog://Microsoft-Windows-TaskScheduler/Operational] and renderXml=false. Note, not translating it in XML may require a proper extraction of specific items in the Message. action.escu.known_false_positives = False positives will be present. Filter based on ActionName paths or specify keywords of interest. action.escu.creation_date = 2023-04-05 @@ -53222,13 +53370,13 @@ action.escu.full_search_name = ESCU - WinEvent Windows Task Scheduler Event Acti action.escu.search_type = detection action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] action.escu.providing_technologies = null -action.escu.analytic_story = ["Qakbot", "Windows Persistence Techniques", "Winter Vivern", "Prestige Ransomware", "DarkCrystal RAT", "AsyncRAT", "Winter Vivern", "IcedID", "CISA AA22-257A", "Industroyer2", "Sandworm Tools", "Data Destruction"] +action.escu.analytic_story = ["Qakbot", "Windows Persistence Techniques", "Winter Vivern", "Prestige Ransomware", "DarkCrystal RAT", "AsyncRAT", "Winter Vivern", "IcedID", "CISA AA22-257A", "Industroyer2", "Sandworm Tools", "Data Destruction", "Amadey", "Scheduled Tasks"] cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule -action.correlationsearch.annotations = {"analytic_story": ["Qakbot", "Windows Persistence Techniques", "Winter Vivern", "Prestige Ransomware", "DarkCrystal RAT", "AsyncRAT", "Winter Vivern", "IcedID", "CISA AA22-257A", "Industroyer2", "Sandworm Tools", "Data Destruction"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Qakbot", "Windows Persistence Techniques", "Winter Vivern", "Prestige Ransomware", "DarkCrystal RAT", "AsyncRAT", "Winter Vivern", "IcedID", "CISA AA22-257A", "Industroyer2", "Sandworm Tools", "Data Destruction", "Amadey", "Scheduled Tasks"], "cis20": ["CIS 10"], "confidence": 100, "impact": 80, "kill_chain_phases": ["Installation", "Exploitation"], "mitre_attack": ["T1053.005"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -53474,10 +53622,10 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime [ESCU - WMI Permanent Event Subscription - Rule] action.escu = 0 action.escu.enabled = 1 -description = This search looks for the creation of WMI permanent event subscriptions. +description = The following analytic seeks to detect the creation of Windows Management Instrumentation (WMI) permanent event subscriptions, a technique often used by adversaries for persistence. Such a subscription allows for the execution of specified scripts or binaries in response to defined system events, potentially enabling malicious activities to persist unnoticed. The analytic uses Sysmon Event ID 5 data, specifically focusing on instances where consumers of these events are not the expected "NTEventLogEventConsumer." Although WMI event subscriptions can be used legitimately by administrators, unusual or unexpected subscription creation should be treated as suspicious. Analysts need to be cognizant of the potential for false positives in legitimate administrative activities and should understand WMI activity within the context of the monitored environment. action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1047"], "nist": ["DE.CM"]} action.escu.data_models = [] -action.escu.eli5 = This search looks for the creation of WMI permanent event subscriptions. +action.escu.eli5 = The following analytic seeks to detect the creation of Windows Management Instrumentation (WMI) permanent event subscriptions, a technique often used by adversaries for persistence. Such a subscription allows for the execution of specified scripts or binaries in response to defined system events, potentially enabling malicious activities to persist unnoticed. The analytic uses Sysmon Event ID 5 data, specifically focusing on instances where consumers of these events are not the expected "NTEventLogEventConsumer." Although WMI event subscriptions can be used legitimately by administrators, unusual or unexpected subscription creation should be treated as suspicious. Analysts need to be cognizant of the potential for false positives in legitimate administrative activities and should understand WMI activity within the context of the monitored environment. action.escu.how_to_implement = To successfully implement this search, you must be ingesting the Windows WMI activity logs. This can be done by adding a stanza to inputs.conf on the system generating logs with a title of [WinEventLog://Microsoft-Windows-WMI-Activity/Operational]. action.escu.known_false_positives = Although unlikely, administrators may use event subscriptions for legitimate purposes. action.escu.creation_date = 2018-10-23 @@ -53502,7 +53650,7 @@ action.correlationsearch.annotations = {"analytic_story": ["Suspicious WMI Use"] schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search looks for the creation of WMI permanent event subscriptions. +action.notable.param.rule_description = The following analytic seeks to detect the creation of Windows Management Instrumentation (WMI) permanent event subscriptions, a technique often used by adversaries for persistence. Such a subscription allows for the execution of specified scripts or binaries in response to defined system events, potentially enabling malicious activities to persist unnoticed. The analytic uses Sysmon Event ID 5 data, specifically focusing on instances where consumers of these events are not the expected "NTEventLogEventConsumer." Although WMI event subscriptions can be used legitimately by administrators, unusual or unexpected subscription creation should be treated as suspicious. Analysts need to be cognizant of the potential for false positives in legitimate administrative activities and should understand WMI activity within the context of the monitored environment. action.notable.param.rule_title = WMI Permanent Event Subscription action.notable.param.security_domain = endpoint action.notable.param.severity = high @@ -54755,10 +54903,10 @@ search = | tstats `security_content_summariesonly` count from datamodel=Network_ [ESCU - Detect Windows DNS SIGRed via Splunk Stream - Rule] action.escu = 0 action.escu.enabled = 1 -description = This search detects SIGRed via Splunk Stream. +description = The following analytic is an experimental search designed to identify SIGRed exploitation attempts. SIGRed is a severe, wormable, remote code execution vulnerability in Windows DNS servers, identified as CVE-2020-1350. This analytic specifically looks for DNS SIG and KEY records, and TCP payloads larger than 65KB - potential indicators of the SIGRed exploit. It requires ingestion of both Splunk Stream DNS and TCP data. The search does rely on macro definitions for 'stream:dns' and 'stream:tcp', which should be replaced with appropriate configurations tailored to your Splunk environment. action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1203"], "nist": ["DE.CM"]} action.escu.data_models = [] -action.escu.eli5 = This search detects SIGRed via Splunk Stream. +action.escu.eli5 = The following analytic is an experimental search designed to identify SIGRed exploitation attempts. SIGRed is a severe, wormable, remote code execution vulnerability in Windows DNS servers, identified as CVE-2020-1350. This analytic specifically looks for DNS SIG and KEY records, and TCP payloads larger than 65KB - potential indicators of the SIGRed exploit. It requires ingestion of both Splunk Stream DNS and TCP data. The search does rely on macro definitions for 'stream:dns' and 'stream:tcp', which should be replaced with appropriate configurations tailored to your Splunk environment. action.escu.how_to_implement = You must be ingesting Splunk Stream DNS and Splunk Stream TCP. We are detecting SIG and KEY records via stream:dns and TCP payload over 65KB in size via stream:tcp. Replace the macro definitions ('stream:dns' and 'stream:tcp') with configurations for your Splunk environment. action.escu.known_false_positives = unknown action.escu.creation_date = 2020-07-28 @@ -54783,7 +54931,7 @@ action.correlationsearch.annotations = {"analytic_story": ["Windows DNS SIGRed C schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest -action.notable.param.rule_description = This search detects SIGRed via Splunk Stream. +action.notable.param.rule_description = The following analytic is an experimental search designed to identify SIGRed exploitation attempts. SIGRed is a severe, wormable, remote code execution vulnerability in Windows DNS servers, identified as CVE-2020-1350. This analytic specifically looks for DNS SIG and KEY records, and TCP payloads larger than 65KB - potential indicators of the SIGRed exploit. It requires ingestion of both Splunk Stream DNS and TCP data. The search does rely on macro definitions for 'stream:dns' and 'stream:tcp', which should be replaced with appropriate configurations tailored to your Splunk environment. action.notable.param.rule_title = Detect Windows DNS SIGRed via Splunk Stream action.notable.param.security_domain = network action.notable.param.severity = high @@ -55020,7 +55168,7 @@ search = | tstats `security_content_summariesonly` count from datamodel=Network_ action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies a recent unauthenticated remote code execution vulnerablity against the F5 BIG-IP iControl REST API. The analytic identifies the URI path found in the POCs and the HTTP Method of POST. In addition, the request header will have the commands that may be executed in fields utilcmdargs and the auth field of X-F5-Auth-Token, which may have a random base64 encoded value. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} action.escu.data_models = ["Web"] action.escu.eli5 = The following analytic identifies a recent unauthenticated remote code execution vulnerablity against the F5 BIG-IP iControl REST API. The analytic identifies the URI path found in the POCs and the HTTP Method of POST. In addition, the request header will have the commands that may be executed in fields utilcmdargs and the auth field of X-F5-Auth-Token, which may have a random base64 encoded value. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good. @@ -55043,7 +55191,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 - Rule -action.correlationsearch.annotations = {"analytic_story": ["F5 BIG-IP Vulnerability CVE-2022-1388"], "cis20": ["CIS 13"], "confidence": 70, "cve": ["CVE-2022-1388"], "impact": 100, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["F5 BIG-IP Vulnerability CVE-2022-1388"], "cis20": ["CIS 13"], "confidence": 70, "cve": ["CVE-2022-1388"], "impact": 100, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -55862,7 +56010,7 @@ search = `zeek_x509` | rex field=san.email{} "\@(?xn--.*)" | re action.escu = 0 action.escu.enabled = 1 description = The following analytic assists with identifying CVE-2022-26134 based exploitation utilizing the Web datamodel to cover network and CIM compliant web logs. The parameters were captured from live scanning and the POC provided by Rapid7. This analytic is written against multiple proof of concept codes released and seen in the wild (scanning). During triage, review any endpoint based logs for further activity including writing a jsp file to disk and commands/processes spawning running as root from the Confluence process. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505", "T1190"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505", "T1190", "T1133"], "nist": ["DE.CM"]} action.escu.data_models = ["Web"] action.escu.eli5 = The following analytic assists with identifying CVE-2022-26134 based exploitation utilizing the Web datamodel to cover network and CIM compliant web logs. The parameters were captured from live scanning and the POC provided by Rapid7. This analytic is written against multiple proof of concept codes released and seen in the wild (scanning). During triage, review any endpoint based logs for further activity including writing a jsp file to disk and commands/processes spawning running as root from the Confluence process. action.escu.how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache or Splunk for Nginx. In addition, network based logs or event data like PAN Threat. @@ -55885,7 +56033,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Confluence Unauthenticated Remote Code Execution CVE-2022-26134 - Rule -action.correlationsearch.annotations = {"analytic_story": ["Atlassian Confluence Server and Data Center CVE-2022-26134"], "cis20": ["CIS 13"], "confidence": 100, "cve": ["CVE-2022-26134"], "impact": 100, "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505", "T1190"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Atlassian Confluence Server and Data Center CVE-2022-26134"], "cis20": ["CIS 13"], "confidence": 100, "cve": ["CVE-2022-26134"], "impact": 100, "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505", "T1190", "T1133"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -55908,7 +56056,7 @@ search = | tstats count min(_time) as firstTime max(_time) as lastTime from data action.escu = 0 action.escu.enabled = 1 description = This search looks for specific GET or HEAD requests to web servers that are indicative of reconnaissance attempts to identify vulnerable JBoss servers. JexBoss is described as the exploit tool of choice for this malicious activity. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1082"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1082", "T1133"], "nist": ["DE.CM"]} action.escu.data_models = ["Web"] action.escu.eli5 = This search looks for specific GET or HEAD requests to web servers that are indicative of reconnaissance attempts to identify vulnerable JBoss servers. JexBoss is described as the exploit tool of choice for this malicious activity. action.escu.how_to_implement = You must be ingesting data from the web server or network traffic that contains web specific information, and populating the Web data model. @@ -55931,7 +56079,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Detect attackers scanning for vulnerable JBoss servers - Rule -action.correlationsearch.annotations = {"analytic_story": ["JBoss Vulnerability", "SamSam Ransomware"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1082"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["JBoss Vulnerability", "SamSam Ransomware"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Exploitation", "Delivery", "Installation"], "mitre_attack": ["T1082", "T1133"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -56046,7 +56194,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies activity related to Text4Shell, or the critical vulnerability CVE-2022-42889 in Apache Commons Text Library. Apache Commons Text versions 1.5 through 1.9 are affected, but it has been patched in version 1.10. The analytic may need to be tuned for your environment before enabling as a TTP, or direct Notable. Apache Commons Text is a Java library described as a library focused on algorithms working on strings. We can see it as a general-purpose text manipulation toolkit. This vulnerability affects the StringSubstitutor interpolator class, which is included in the Commons Text library. A default interpolator allows for string lookups that can lead to Remote Code Execution. This is due to a logic flaw that makes the script, dns, and url lookup keys interpolated by default, as opposed to what it should be, according to the documentation of the StringLookupFactory class. Those keys allow an attacker to execute arbitrary code via lookups. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505.003", "T1505", "T1190"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505.003", "T1505", "T1190", "T1133"], "nist": ["DE.AE"]} action.escu.data_models = ["Web"] action.escu.eli5 = The following analytic identifies activity related to Text4Shell, or the critical vulnerability CVE-2022-42889 in Apache Commons Text Library. Apache Commons Text versions 1.5 through 1.9 are affected, but it has been patched in version 1.10. The analytic may need to be tuned for your environment before enabling as a TTP, or direct Notable. Apache Commons Text is a Java library described as a library focused on algorithms working on strings. We can see it as a general-purpose text manipulation toolkit. This vulnerability affects the StringSubstitutor interpolator class, which is included in the Commons Text library. A default interpolator allows for string lookups that can lead to Remote Code Execution. This is due to a logic flaw that makes the script, dns, and url lookup keys interpolated by default, as opposed to what it should be, according to the documentation of the StringLookupFactory class. Those keys allow an attacker to execute arbitrary code via lookups. action.escu.how_to_implement = To implement, one must be collecting network traffic that is normalized in CIM and able to be queried via the Web datamodel. Or, take the chunks out needed and tie to a specific network source type to hunt in. Tune as needed, or remove the other_lookups statement. @@ -56069,7 +56217,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Exploit Public Facing Application via Apache Commons Text - Rule -action.correlationsearch.annotations = {"analytic_story": ["Text4Shell CVE-2022-42889"], "cis20": ["CIS 13"], "confidence": 70, "cve": ["CVE-2022-42889"], "impact": 70, "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505.003", "T1505", "T1190"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Text4Shell CVE-2022-42889"], "cis20": ["CIS 13"], "confidence": 70, "cve": ["CVE-2022-42889"], "impact": 70, "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505.003", "T1505", "T1190", "T1133"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -56086,7 +56234,7 @@ search = | tstats `security_content_summariesonly` count min(_time) as firstTime action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies a recent CVE-2022-39952 released publicly where the URI configWizard/keyUpload.jsp recieves a POST with the payload.zip, from there the POC script will schedule a cron to run the payload and contact the remote C2. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} action.escu.data_models = ["Web"] action.escu.eli5 = The following analytic identifies a recent CVE-2022-39952 released publicly where the URI configWizard/keyUpload.jsp recieves a POST with the payload.zip, from there the POC script will schedule a cron to run the payload and contact the remote C2. action.escu.how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. @@ -56109,7 +56257,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 - Rule -action.correlationsearch.annotations = {"analytic_story": ["Fortinet FortiNAC CVE-2022-39952"], "cis20": ["CIS 13"], "confidence": 80, "cve": ["CVE-2022-39952"], "impact": 80, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Fortinet FortiNAC CVE-2022-39952"], "cis20": ["CIS 13"], "confidence": 80, "cve": ["CVE-2022-39952"], "impact": 80, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -56136,7 +56284,7 @@ Add new local users. \ Update networking configurations to reroute traffic. \ Download the system configuration. \ Initiate packet captures to capture other sensitive system information. Reference Horizon3.ai -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} action.escu.data_models = ["Web"] action.escu.eli5 = CVE-2022-40684 is a Fortinet appliance auth bypass that is actively being exploited and a POC is released publicy. The POC adds a SSH key to the appliance. Note that the exploit can be used with any HTTP method (GET, POST, PUT, DELETE, etc). The REST API request failing is not an indication that an attacker was unsuccessful. Horizon3 was able to modify the admin SSH keys though a REST API request that reportedly failed. The collection /api/v2/ endpoints can be used to configure the system and modify the administrator user. Any logs found that meet the above conditions and also have a URL containing /api/v2/ should be cause for concern. Further investigation of any matching log entries can reveal any damage an attack has done. Additionally, an attacker may perform the following actions to further compromise a system Modify the admin SSH key to enable the attacker to login to the compromised system. \ Add new local users. \ @@ -56163,7 +56311,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Fortinet Appliance Auth bypass - Rule -action.correlationsearch.annotations = {"analytic_story": ["CVE-2022-40684 Fortinet Appliance Auth bypass"], "cis20": ["CIS 13"], "confidence": 90, "cve": ["CVE-2022-40684"], "impact": 90, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["CVE-2022-40684 Fortinet Appliance Auth bypass"], "cis20": ["CIS 13"], "confidence": 90, "cve": ["CVE-2022-40684"], "impact": 90, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -56200,7 +56348,7 @@ keywords matches on enumerated values that, like `$ctx:loginId`, that may be fou lookup matching is meant to catch some basic obfuscation that has been identified using upper, lower and date. \ Scoring will then occur based on any findings. The base score is meant to be 2 , created by jndi_fastmatch. Everything else is meant to increase that score. \ Finally, a simple table is created to show the scoring and the _raw field. Sort based on score or columns of interest. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]} action.escu.data_models = ["Web"] action.escu.eli5 = The following hunting query assists with quickly assessing CVE-2021-44228, or Log4Shell, activity mapped to the Web Datamodel. This is a combination query attempting to identify, score and dashboard. Because the Log4Shell vulnerability requires the string to be in the logs, this will work to identify the activity anywhere in the HTTP headers using _raw. Modify the first line to use the same pattern matching against other log sources. Scoring is based on a simple rubric of 0-5. 5 being the best match, and less than 5 meant to identify additional patterns that will equate to a higher total score. \ The first jndi match identifies the standard pattern of `{jndi:` \ @@ -56228,7 +56376,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Hunting for Log4Shell - Rule -action.correlationsearch.annotations = {"analytic_story": ["Log4Shell CVE-2021-44228", "CISA AA22-320A"], "cis20": ["CIS 13"], "confidence": 50, "cve": ["CVE-2021-44228"], "impact": 80, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Log4Shell CVE-2021-44228", "CISA AA22-320A"], "cis20": ["CIS 13"], "confidence": 50, "cve": ["CVE-2021-44228"], "impact": 80, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -56245,7 +56393,7 @@ search = | from datamodel Web.Web | eval jndi=if(match(_raw, "(\{|%7B)[jJnNdDiI] action.escu = 0 action.escu.enabled = 1 description = CVE-2021-44228 Log4Shell payloads can be injected via various methods, but on of the most common vectors injection is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them are specially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various part of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. If you see results for this detection, it means that there was a attempt at a injection, which could be a reconnaissance activity or a valid expliotation attempt, but this does not exactly mean that the host was indeed successfully exploited. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]} action.escu.data_models = ["Web"] action.escu.eli5 = CVE-2021-44228 Log4Shell payloads can be injected via various methods, but on of the most common vectors injection is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them are specially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various part of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. If you see results for this detection, it means that there was a attempt at a injection, which could be a reconnaissance activity or a valid expliotation attempt, but this does not exactly mean that the host was indeed successfully exploited. action.escu.how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache or Splunk for Nginx. @@ -56268,7 +56416,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Log4Shell JNDI Payload Injection Attempt - Rule -action.correlationsearch.annotations = {"analytic_story": ["Log4Shell CVE-2021-44228", "CISA AA22-257A", "CISA AA22-320A"], "cis20": ["CIS 10"], "confidence": 30, "cve": ["CVE-2021-44228"], "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Log4Shell CVE-2021-44228", "CISA AA22-257A", "CISA AA22-320A"], "cis20": ["CIS 10"], "confidence": 30, "cve": ["CVE-2021-44228"], "impact": 50, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -56285,7 +56433,7 @@ search = | from datamodel Web.Web | regex _raw="[jJnNdDiI]{4}(\:|\%3A|\/|\%2F)\w action.escu = 0 action.escu.enabled = 1 description = CVE-2021-44228 Log4Shell payloads can be injected via various methods, but on of the most common vectors injection is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them are specially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various part of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we match the invocation function with a network connection to a malicious ip address. -action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]} action.escu.data_models = ["Network_Traffic", "Web"] action.escu.eli5 = CVE-2021-44228 Log4Shell payloads can be injected via various methods, but on of the most common vectors injection is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them are specially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various part of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we match the invocation function with a network connection to a malicious ip address. action.escu.how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache or Splunk for Nginx. @@ -56308,7 +56456,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Log4Shell JNDI Payload Injection with Outbound Connection - Rule -action.correlationsearch.annotations = {"analytic_story": ["Log4Shell CVE-2021-44228", "CISA AA22-320A"], "cis20": ["CIS 10"], "confidence": 30, "cve": ["CVE-2021-44228"], "impact": 50, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["Log4Shell CVE-2021-44228", "CISA AA22-320A"], "cis20": ["CIS 10"], "confidence": 30, "cve": ["CVE-2021-44228"], "impact": 50, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -56371,7 +56519,7 @@ search = | tstats `security_content_summariesonly` values(Web.url) as urls min(_ action.escu = 0 action.escu.enabled = 1 description = The following analytic is designed to detect potential exploitation attempts on publicly accessible PaperCut NG servers. It identifies connections from public IP addresses to the server and specifically monitors for URI paths commonly found in proof-of-concept (POC) scripts for exploiting PaperCut NG vulnerabilities. These URI paths have been observed in both Metasploit modules and standalone scripts used for attacking PaperCut NG servers. When a public IP address is detected accessing one or more of these suspicious URI paths, an alert may be generated to notify the security team of the potential threat. The team can then investigate the source IP address, the targeted PaperCut NG server, and any other relevant information to determine the nature of the activity and take appropriate actions to mitigate the risk. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} action.escu.data_models = ["Web"] action.escu.eli5 = The following analytic is designed to detect potential exploitation attempts on publicly accessible PaperCut NG servers. It identifies connections from public IP addresses to the server and specifically monitors for URI paths commonly found in proof-of-concept (POC) scripts for exploiting PaperCut NG vulnerabilities. These URI paths have been observed in both Metasploit modules and standalone scripts used for attacking PaperCut NG servers. When a public IP address is detected accessing one or more of these suspicious URI paths, an alert may be generated to notify the security team of the potential threat. The team can then investigate the source IP address, the targeted PaperCut NG server, and any other relevant information to determine the nature of the activity and take appropriate actions to mitigate the risk. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. @@ -56394,7 +56542,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - PaperCut NG Remote Web Access Attempt - Rule -action.correlationsearch.annotations = {"analytic_story": ["PaperCut MF NG Vulnerability"], "cis20": ["CIS 13"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["PaperCut MF NG Vulnerability"], "cis20": ["CIS 13"], "confidence": 70, "impact": 90, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -56417,7 +56565,7 @@ search = | tstats count from datamodel=Web where Web.url IN ("/app?service=page/ action.escu = 0 action.escu.enabled = 1 description = The following correlation will identify activity related to Windows Exchange being actively exploited by adversaries related to ProxyShell or ProxyNotShell. In addition, the analytic correlates post-exploitation Cobalt Strike analytic story. Common post-exploitation behavior has been seen in the wild includes adversaries running nltest, Cobalt Strike, Mimikatz and adding a new user. The correlation specifically looks for 5 distinct analyticstories to trigger. Modify or tune as needed for your organization. 5 analytics is an arbitrary number but was chosen to reduce the amount of noise but also require the 2 analytic stories or a ProxyShell and CobaltStrike to fire. Adversaries will exploit the vulnerable Exchange server, abuse SSRF, drop a web shell, utilize the PowerShell Exchange modules and begin post-exploitation. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]} action.escu.data_models = ["Risk"] action.escu.eli5 = The following correlation will identify activity related to Windows Exchange being actively exploited by adversaries related to ProxyShell or ProxyNotShell. In addition, the analytic correlates post-exploitation Cobalt Strike analytic story. Common post-exploitation behavior has been seen in the wild includes adversaries running nltest, Cobalt Strike, Mimikatz and adding a new user. The correlation specifically looks for 5 distinct analyticstories to trigger. Modify or tune as needed for your organization. 5 analytics is an arbitrary number but was chosen to reduce the amount of noise but also require the 2 analytic stories or a ProxyShell and CobaltStrike to fire. Adversaries will exploit the vulnerable Exchange server, abuse SSRF, drop a web shell, utilize the PowerShell Exchange modules and begin post-exploitation. action.escu.how_to_implement = To implement this correlation, you will need to enable ProxyShell, ProxyNotShell and Cobalt Strike analytic stories (the anaytics themselves) and ensure proper data is being collected for Web and Endpoint datamodels. Run the correlation rule seperately to validate it is not triggering too much or generating incorrectly. Validate by running ProxyShell POC code and Cobalt Strike behavior. @@ -56435,7 +56583,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - RIR - ProxyShell ProxyNotShell Behavior Detected - Rule -action.correlationsearch.annotations = {"analytic_story": ["ProxyShell", "ProxyNotShell"], "cis20": ["CIS 13"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["ProxyShell", "ProxyNotShell"], "cis20": ["CIS 13"], "confidence": 90, "impact": 90, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -56458,7 +56606,7 @@ search = | tstats `security_content_summariesonly` min(_time) as firstTime max(_ action.escu = 0 action.escu.enabled = 1 description = The following analytic is static indicators related to CVE-2022-22963, Spring4Shell. The 3 indicators provide an amount of fidelity that source IP is attemping to exploit a web shell on the destination. The filename and cmd are arbitrary in this exploitation. Java will write a JSP to disk and a process will spawn from Java based on the cmd passed. This is indicative of typical web shell activity. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505.003", "T1505", "T1190"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505.003", "T1505", "T1190", "T1133"], "nist": ["DE.CM"]} action.escu.data_models = ["Web"] action.escu.eli5 = The following analytic is static indicators related to CVE-2022-22963, Spring4Shell. The 3 indicators provide an amount of fidelity that source IP is attemping to exploit a web shell on the destination. The filename and cmd are arbitrary in this exploitation. Java will write a JSP to disk and a process will spawn from Java based on the cmd passed. This is indicative of typical web shell activity. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. @@ -56481,7 +56629,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Spring4Shell Payload URL Request - Rule -action.correlationsearch.annotations = {"analytic_story": ["Spring4Shell CVE-2022-22965"], "cis20": ["CIS 13"], "confidence": 60, "cve": ["CVE-2022-22965"], "impact": 60, "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505.003", "T1505", "T1190"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Spring4Shell CVE-2022-22965"], "cis20": ["CIS 13"], "confidence": 60, "cve": ["CVE-2022-22965"], "impact": 60, "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505.003", "T1505", "T1190", "T1133"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -56550,7 +56698,7 @@ search = | tstats `security_content_summariesonly` count from datamodel=Web wher action.escu = 0 action.escu.enabled = 1 description = This search aims to detect the Supernova webshell used in the SUNBURST attack. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505.003"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505.003", "T1133"], "nist": ["DE.CM"]} action.escu.data_models = ["Web"] action.escu.eli5 = This search aims to detect the Supernova webshell used in the SUNBURST attack. action.escu.how_to_implement = To successfully implement this search, you need to be monitoring web traffic to your Solarwinds Orion. The logs should be ingested into splunk and populating/mapped to the Web data model. @@ -56573,7 +56721,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Supernova Webshell - Rule -action.correlationsearch.annotations = {"analytic_story": ["NOBELIUM Group"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation"], "mitre_attack": ["T1505.003"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["NOBELIUM Group"], "cis20": ["CIS 13"], "confidence": 50, "impact": 50, "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505.003", "T1133"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -56651,7 +56799,7 @@ search = | tstats count min(_time) as firstTime max(_time) as lastTime from data action.escu = 0 action.escu.enabled = 1 description = The following hunting analytic identifies the server side template injection related to CVE-2022-22954, however is a variation found within the same endpoint of the URL scheme. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]} action.escu.data_models = ["Web"] action.escu.eli5 = The following hunting analytic identifies the server side template injection related to CVE-2022-22954, however is a variation found within the same endpoint of the URL scheme. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good. @@ -56669,7 +56817,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - VMware Server Side Template Injection Hunt - Rule -action.correlationsearch.annotations = {"analytic_story": ["VMware Server Side Injection and Privilege Escalation"], "cis20": ["CIS 13"], "confidence": 50, "cve": ["CVE-2022-22954"], "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["VMware Server Side Injection and Privilege Escalation"], "cis20": ["CIS 13"], "confidence": 50, "cve": ["CVE-2022-22954"], "impact": 70, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -56686,7 +56834,7 @@ search = | tstats count from datamodel=Web where Web.http_method IN ("GET") Web. action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the server side template injection related to CVE-2022-22954. Based on the scanning activity across the internet and proof of concept code available the template injection occurs at catalog-portal/ui/oauth/verify?error=&deviceudid=. Upon triage, review parallel processes and VMware logs. Following the deviceudid= may be a command to be executed. Capture any file creates and review modified files on disk. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]} action.escu.data_models = ["Web"] action.escu.eli5 = The following analytic identifies the server side template injection related to CVE-2022-22954. Based on the scanning activity across the internet and proof of concept code available the template injection occurs at catalog-portal/ui/oauth/verify?error=&deviceudid=. Upon triage, review parallel processes and VMware logs. Following the deviceudid= may be a command to be executed. Capture any file creates and review modified files on disk. action.escu.how_to_implement = To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good. @@ -56709,7 +56857,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - VMware Workspace ONE Freemarker Server-side Template Injection - Rule -action.correlationsearch.annotations = {"analytic_story": ["VMware Server Side Injection and Privilege Escalation"], "cis20": ["CIS 13"], "confidence": 70, "cve": ["CVE-2022-22954"], "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]} +action.correlationsearch.annotations = {"analytic_story": ["VMware Server Side Injection and Privilege Escalation"], "cis20": ["CIS 13"], "confidence": 70, "cve": ["CVE-2022-22954"], "impact": 70, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.AE"]} schedule_window = auto alert.digest_mode = 1 disabled = true @@ -56726,7 +56874,7 @@ search = | tstats count from datamodel=Web where Web.http_method IN ("GET") Web. action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the common URL requests used by a recent CVE - CVE-2022-22965, or Spring4Shell, to access a webshell on the remote webserver. The filename and cmd are arbitrary in this exploitation. Java will write a JSP to disk and a process will spawn from Java based on the cmd passed. This is indicative of typical web shell activity. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505.003", "T1505", "T1190"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505.003", "T1505", "T1190", "T1133"], "nist": ["DE.CM"]} action.escu.data_models = ["Web"] action.escu.eli5 = The following analytic identifies the common URL requests used by a recent CVE - CVE-2022-22965, or Spring4Shell, to access a webshell on the remote webserver. The filename and cmd are arbitrary in this exploitation. Java will write a JSP to disk and a process will spawn from Java based on the cmd passed. This is indicative of typical web shell activity. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. @@ -56749,7 +56897,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Web JSP Request via URL - Rule -action.correlationsearch.annotations = {"analytic_story": ["Spring4Shell CVE-2022-22965"], "cis20": ["CIS 13"], "confidence": 80, "cve": ["CVE-2022-22965"], "impact": 90, "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505.003", "T1505", "T1190"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Spring4Shell CVE-2022-22965"], "cis20": ["CIS 13"], "confidence": 80, "cve": ["CVE-2022-22965"], "impact": 90, "kill_chain_phases": ["Installation", "Delivery"], "mitre_attack": ["T1505.003", "T1505", "T1190", "T1133"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -56772,7 +56920,7 @@ search = | tstats count from datamodel=Web where Web.http_method IN ("GET") Web. action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies the payload related to Spring4Shell, CVE-2022-22965. This analytic uses Splunk Stream HTTP to view the http request body, form data. STRT reviewed all the current proof of concept code and determined the commonality with the payloads being passed used the same fields "class.module.classLoader.resources.context.parent.pipeline.first". -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} action.escu.data_models = [] action.escu.eli5 = The following analytic identifies the payload related to Spring4Shell, CVE-2022-22965. This analytic uses Splunk Stream HTTP to view the http request body, form data. STRT reviewed all the current proof of concept code and determined the commonality with the payloads being passed used the same fields "class.module.classLoader.resources.context.parent.pipeline.first". action.escu.how_to_implement = To successfully implement this search, you need to be ingesting logs with the stream HTTP logs or network logs that catch network traffic. Make sure that the http-request-body, payload, or request field is enabled. @@ -56795,7 +56943,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Web Spring4Shell HTTP Request Class Module - Rule -action.correlationsearch.annotations = {"analytic_story": ["Spring4Shell CVE-2022-22965"], "cis20": ["CIS 13"], "confidence": 80, "cve": ["CVE-2022-22965"], "impact": 90, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Spring4Shell CVE-2022-22965"], "cis20": ["CIS 13"], "confidence": 80, "cve": ["CVE-2022-22965"], "impact": 90, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -56818,7 +56966,7 @@ search = `stream_http` http_method IN ("POST") | stats values(form_data) as http action.escu = 0 action.escu.enabled = 1 description = The following analytic identifies activity related to the web application Spring Cloud Function that was recently idenfied as vulnerable. This is CVE-2022-22963. Multiple proof of concept code was released. The URI that is hit includes `functionrouter`. The specifics of the exploit include a status of 500. In this query we did not include it, but for filtering you can add Web.status=500. The exploit data itself (based on all the POCs) is located in the form_data field. This field will include all class.modules being called. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} action.escu.data_models = ["Web"] action.escu.eli5 = The following analytic identifies activity related to the web application Spring Cloud Function that was recently idenfied as vulnerable. This is CVE-2022-22963. Multiple proof of concept code was released. The URI that is hit includes `functionrouter`. The specifics of the exploit include a status of 500. In this query we did not include it, but for filtering you can add Web.status=500. The exploit data itself (based on all the POCs) is located in the form_data field. This field will include all class.modules being called. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel. @@ -56841,7 +56989,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Web Spring Cloud Function FunctionRouter - Rule -action.correlationsearch.annotations = {"analytic_story": ["Spring4Shell CVE-2022-22965"], "cis20": ["CIS 13"], "confidence": 60, "cve": ["CVE-2022-22963"], "impact": 70, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["Spring4Shell CVE-2022-22965"], "cis20": ["CIS 13"], "confidence": 60, "cve": ["CVE-2022-22963"], "impact": 70, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest @@ -56864,7 +57012,7 @@ search = | tstats count from datamodel=Web where Web.http_method IN ("POST") Web action.escu = 0 action.escu.enabled = 1 description = The following analytic utilizes the Web datamodel and identifies the ProxyShell or ProxyNotShell abuse. This vulnerability is a Server Side Request Forgery (SSRF) vulnerability, which is a web vulnerability that allows an adversary to exploit vulnerable functionality to access server side or local network services by affectively traversing the external firewall using vulnerable web functionality. This analytic looks for the URI path and query of autodiscover, powershell and mapi along with a POST occurring. It will tally a simple score and show the output of the events that match. This analytic may be added to by simply creating a new eval statement and modifying the hardcode digit for Score. -action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} +action.escu.mappings = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} action.escu.data_models = ["Web"] action.escu.eli5 = The following analytic utilizes the Web datamodel and identifies the ProxyShell or ProxyNotShell abuse. This vulnerability is a Server Side Request Forgery (SSRF) vulnerability, which is a web vulnerability that allows an adversary to exploit vulnerable functionality to access server side or local network services by affectively traversing the external firewall using vulnerable web functionality. This analytic looks for the URI path and query of autodiscover, powershell and mapi along with a POST occurring. It will tally a simple score and show the output of the events that match. This analytic may be added to by simply creating a new eval statement and modifying the hardcode digit for Score. action.escu.how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic, Exchange OR IIS logs, mapped to `Web` datamodel in the `Web` node. In addition, confirm the latest CIM App 4.20 or higher is installed. @@ -56887,7 +57035,7 @@ dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m action.correlationsearch.enabled = 1 action.correlationsearch.label = ESCU - Windows Exchange Autodiscover SSRF Abuse - Rule -action.correlationsearch.annotations = {"analytic_story": ["ProxyShell", "ProxyNotShell"], "cis20": ["CIS 13"], "confidence": 80, "cve": ["CVE-2021-34523", "CVE-2021-34473", "CVE-2021-31207", "CVE-2022-41040", "CVE-2022-41082"], "impact": 90, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} +action.correlationsearch.annotations = {"analytic_story": ["ProxyShell", "ProxyNotShell"], "cis20": ["CIS 13"], "confidence": 80, "cve": ["CVE-2021-34523", "CVE-2021-34473", "CVE-2021-31207", "CVE-2022-41040", "CVE-2022-41082"], "impact": 90, "kill_chain_phases": ["Delivery", "Installation"], "mitre_attack": ["T1190", "T1133"], "nist": ["DE.CM"]} schedule_window = auto action.notable = 1 action.notable.param.nes_fields = user,dest diff --git a/dist/escu/default/transforms.conf b/dist/escu/default/transforms.conf index 8076e3e853..8ea4814f0d 100644 --- a/dist/escu/default/transforms.conf +++ b/dist/escu/default/transforms.conf @@ -1,6 +1,6 @@ ############# # Automatically generated by generator.py in splunk/security_content -# On Date: 2023-06-22T18:50:57 UTC +# On Date: 2023-06-27T23:22:58 UTC # Author: Splunk Security Research # Contact: research@splunk.com ############# diff --git a/dist/escu/default/workflow_actions.conf b/dist/escu/default/workflow_actions.conf index 81dae50a44..f4c08d3deb 100644 --- a/dist/escu/default/workflow_actions.conf +++ b/dist/escu/default/workflow_actions.conf @@ -1,6 +1,6 @@ ############# # Automatically generated by generator.py in splunk/security_content -# On Date: 2023-06-22T18:50:57 UTC +# On Date: 2023-06-27T23:22:58 UTC # Author: Splunk Security Research # Contact: research@splunk.com ############# diff --git a/docs/mitre-map/coverage.json b/docs/mitre-map/coverage.json index c615da2c0d..53edcfdaf5 100644 --- a/docs/mitre-map/coverage.json +++ b/docs/mitre-map/coverage.json @@ -6,8 +6,8 @@ "techniques": [ { "techniqueID": "T1059", - "score": 58, - "comment": "https://github.com/splunk/security_content/blob/develop/detections/application/detect_risky_spl_using_pretrained_ml_model.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/application/splunk_command_and_scripting_interpreter_delete_usage.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/application/splunk_command_and_scripting_interpreter_risky_commands.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/application/splunk_command_and_scripting_interpreter_risky_spl_mltk.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/any_powershell_downloadfile.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/any_powershell_downloadstring.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/chcp_command_execution.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/cmd_carry_out_string_command_parameter.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/cmd_echo_pipe___escalation.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/detect_empire_with_powershell_script_block_logging.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/detect_prohibited_applications_spawning_cmd_exe.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/excessive_number_of_taskhost_processes.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/exchange_powershell_module_usage.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/jscript_execution_using_cscript_app.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/linux_unix_shell_enable_all_sysrq_functions.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/living_off_the_land.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/macos_lolbin.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/ms_scripting_process_loading_ldap_module.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/ms_scripting_process_loading_wmi_module.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/nishang_powershelltcponeline.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_4104_hunting.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_com_hijacking_inprocserver32_modification.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_domain_enumeration.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_enable_powershell_remoting.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_fileless_process_injection_via_getprocaddress.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_load_module_in_meterpreter.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_processing_stream_of_data.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_using_memory_as_backing_store.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/process_writing_dynamicwrapperx.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/ryuk_wake_on_lan_command.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/suspicious_process_dns_query_known_abuse_web_services.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/suspicious_process_with_discord_dns_query.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/unloading_amsi_via_reflection.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/vbscript_execution_using_wscript_app.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_apache_benchmark_binary.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_identify_protocol_handlers.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_msexchange_management_mailbox_cmdlet_usage.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_papercut_ng_spawn_shell.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_powershell_cryptography_namespace.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_powershell_import_applocker_policy.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_powershell_wmi_win32_scheduledjob.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/network/detect_outbound_ldap_traffic.yml" + "score": 59, + "comment": "https://github.com/splunk/security_content/blob/develop/detections/application/detect_risky_spl_using_pretrained_ml_model.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/application/splunk_command_and_scripting_interpreter_delete_usage.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/application/splunk_command_and_scripting_interpreter_risky_commands.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/application/splunk_command_and_scripting_interpreter_risky_spl_mltk.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/any_powershell_downloadfile.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/any_powershell_downloadstring.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/chcp_command_execution.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/cmd_carry_out_string_command_parameter.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/cmd_echo_pipe___escalation.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/detect_empire_with_powershell_script_block_logging.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/detect_prohibited_applications_spawning_cmd_exe.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/excessive_number_of_taskhost_processes.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/exchange_powershell_module_usage.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/jscript_execution_using_cscript_app.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/linux_unix_shell_enable_all_sysrq_functions.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/living_off_the_land.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/macos_lolbin.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/ms_scripting_process_loading_ldap_module.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/ms_scripting_process_loading_wmi_module.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/nishang_powershelltcponeline.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_4104_hunting.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_com_hijacking_inprocserver32_modification.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_domain_enumeration.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_enable_powershell_remoting.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_fileless_process_injection_via_getprocaddress.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_load_module_in_meterpreter.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_processing_stream_of_data.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_using_memory_as_backing_store.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/process_writing_dynamicwrapperx.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/ryuk_wake_on_lan_command.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/suspicious_process_dns_query_known_abuse_web_services.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/suspicious_process_with_discord_dns_query.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/unloading_amsi_via_reflection.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/vbscript_execution_using_wscript_app.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_apache_benchmark_binary.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_identify_protocol_handlers.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_msexchange_management_mailbox_cmdlet_usage.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_papercut_ng_spawn_shell.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_powershell_cryptography_namespace.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_powershell_import_applocker_policy.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_powershell_scheduletask.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_powershell_wmi_win32_scheduledjob.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/network/detect_outbound_ldap_traffic.yml" }, { "techniqueID": "T1114", @@ -411,8 +411,8 @@ }, { "techniqueID": "T1059.001", - "score": 36, - "comment": "https://github.com/splunk/security_content/blob/develop/detections/deprecated/first_time_seen_command_line_argument.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/deprecated/suspicious_powershell_command_line_arguments.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/any_powershell_downloadfile.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/any_powershell_downloadstring.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/detect_empire_with_powershell_script_block_logging.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/exchange_powershell_module_usage.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/get_foresttrust_with_powershell_script_block.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/getlocaluser_with_powershell_script_block.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/getwmiobject_user_account_with_powershell_script_block.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/nishang_powershelltcponeline.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/possible_lateral_movement_powershell_spawn.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_4104_hunting.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_com_hijacking_inprocserver32_modification.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_creating_thread_mutex.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_domain_enumeration.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_enable_powershell_remoting.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_execute_com_object.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_fileless_process_injection_via_getprocaddress.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_load_module_in_meterpreter.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_processing_stream_of_data.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_start_or_stop_service.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_using_memory_as_backing_store.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/recon_using_wmi_class.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/unloading_amsi_via_reflection.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_msexchange_management_mailbox_cmdlet_usage.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_powershell_cryptography_namespace.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_powershell_get_ciminstance_remote_computer.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_powershell_import_applocker_policy.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_powershell_wmi_win32_scheduledjob.yml" + "score": 37, + "comment": "https://github.com/splunk/security_content/blob/develop/detections/deprecated/first_time_seen_command_line_argument.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/deprecated/suspicious_powershell_command_line_arguments.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/any_powershell_downloadfile.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/any_powershell_downloadstring.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/detect_empire_with_powershell_script_block_logging.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/exchange_powershell_module_usage.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/get_foresttrust_with_powershell_script_block.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/getlocaluser_with_powershell_script_block.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/getwmiobject_user_account_with_powershell_script_block.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/nishang_powershelltcponeline.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/possible_lateral_movement_powershell_spawn.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_4104_hunting.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_com_hijacking_inprocserver32_modification.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_creating_thread_mutex.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_domain_enumeration.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_enable_powershell_remoting.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_execute_com_object.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_fileless_process_injection_via_getprocaddress.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_load_module_in_meterpreter.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_processing_stream_of_data.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_start_or_stop_service.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_using_memory_as_backing_store.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/recon_using_wmi_class.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/unloading_amsi_via_reflection.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_msexchange_management_mailbox_cmdlet_usage.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_powershell_cryptography_namespace.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_powershell_get_ciminstance_remote_computer.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_powershell_import_applocker_policy.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_powershell_scheduletask.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_powershell_wmi_win32_scheduledjob.yml" }, { "techniqueID": "T1059.003", @@ -436,8 +436,8 @@ }, { "techniqueID": "T1053.005", - "score": 18, - "comment": "https://github.com/splunk/security_content/blob/develop/detections/deprecated/scheduled_tasks_used_in_badrabbit_ransomware.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/possible_lateral_movement_powershell_spawn.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/randomly_generated_scheduled_task_name.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/short_lived_scheduled_task.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/svchost_lolbas_execution_process_spawn.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_registry_delete_task_sd.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_scheduled_task_created_via_xml.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_schtasks_create_run_as_system.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml" + "score": 19, + "comment": "https://github.com/splunk/security_content/blob/develop/detections/deprecated/scheduled_tasks_used_in_badrabbit_ransomware.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/possible_lateral_movement_powershell_spawn.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/randomly_generated_scheduled_task_name.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/short_lived_scheduled_task.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/svchost_lolbas_execution_process_spawn.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_powershell_scheduletask.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_registry_delete_task_sd.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_scheduled_task_created_via_xml.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_schtasks_create_run_as_system.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml" }, { "techniqueID": "T1546.001", @@ -669,6 +669,11 @@ "score": 36, "comment": "https://github.com/splunk/security_content/blob/develop/detections/endpoint/detect_exchange_web_shell.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/exchange_powershell_abuse_via_ssrf.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/java_class_file_download_by_java_user_agent.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/java_writing_jsp_file.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/linux_java_spawning_shell.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/living_off_the_land.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/ms_exchange_mailbox_replication_service_writing_active_server_pages.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/papercut_ng_suspicious_behavior_debug_log.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_java_spawning_shells.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_moveit_transfer_writing_aspx.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_papercut_ng_spawn_shell.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/winrm_spawning_a_process.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/network/detect_outbound_ldap_traffic.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/network/detect_zerologon_via_zeek.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/network/f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/web/confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/web/detect_f5_tmui_rce_cve_2020_5902.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/web/exploit_public_facing_application_via_apache_commons_text.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/web/exploit_public_facing_fortinet_fortinac_cve_2022_39952.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/web/fortinet_appliance_auth_bypass.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/web/hunting_for_log4shell.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/web/log4shell_jndi_payload_injection_attempt.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/web/papercut_ng_remote_web_access_attempt.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/web/proxyshell_proxynotshell_behavior_detected.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/web/spring4shell_payload_url_request.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/web/sql_injection_with_long_urls.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/web/vmware_aria_operations_exploit_attempt.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/web/vmware_server_side_template_injection_hunt.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/web/web_jsp_request_via_url.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/web/web_spring4shell_http_request_class_module.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/web/web_spring_cloud_function_functionrouter.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml" }, + { + "techniqueID": "T1133", + "score": 32, + "comment": "https://github.com/splunk/security_content/blob/develop/detections/endpoint/detect_exchange_web_shell.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/exchange_powershell_abuse_via_ssrf.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/java_writing_jsp_file.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/linux_java_spawning_shell.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/living_off_the_land.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/ms_exchange_mailbox_replication_service_writing_active_server_pages.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/papercut_ng_suspicious_behavior_debug_log.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_java_spawning_shells.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_moveit_transfer_writing_aspx.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_papercut_ng_spawn_shell.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/network/f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/web/confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/web/detect_attackers_scanning_for_vulnerable_jboss_servers.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/web/exploit_public_facing_application_via_apache_commons_text.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/web/exploit_public_facing_fortinet_fortinac_cve_2022_39952.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/web/fortinet_appliance_auth_bypass.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/web/hunting_for_log4shell.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/web/log4shell_jndi_payload_injection_attempt.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/web/papercut_ng_remote_web_access_attempt.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/web/proxyshell_proxynotshell_behavior_detected.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/web/spring4shell_payload_url_request.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/web/supernova_webshell.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/web/vmware_aria_operations_exploit_attempt.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/web/vmware_server_side_template_injection_hunt.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/web/web_jsp_request_via_url.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/web/web_spring4shell_http_request_class_module.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/web/web_spring_cloud_function_functionrouter.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml" + }, { "techniqueID": "T1218.001", "score": 5, @@ -791,8 +796,8 @@ }, { "techniqueID": "T1222", - "score": 7, - "comment": "https://github.com/splunk/security_content/blob/develop/detections/endpoint/excessive_usage_of_cacls_app.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/icacls_deny_command.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/icacls_grant_command.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/linux_change_file_owner_to_root.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/modify_acl_permission_to_files_or_folder.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/permission_modification_using_takeown_app.yml" + "score": 8, + "comment": "https://github.com/splunk/security_content/blob/develop/detections/endpoint/excessive_usage_of_cacls_app.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/icacls_deny_command.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/icacls_grant_command.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/linux_change_file_owner_to_root.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/modify_acl_permission_to_files_or_folder.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/permission_modification_using_takeown_app.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml" }, { "techniqueID": "T1059.005", @@ -806,8 +811,8 @@ }, { "techniqueID": "T1222.001", - "score": 1, - "comment": "https://github.com/splunk/security_content/blob/develop/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml" + "score": 2, + "comment": "https://github.com/splunk/security_content/blob/develop/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml" }, { "techniqueID": "T1021.003", @@ -1314,11 +1319,6 @@ "score": 1, "comment": "https://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_lateral_tool_transfer_remcom.yml" }, - { - "techniqueID": "T1133", - "score": 2, - "comment": "https://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_moveit_transfer_writing_aspx.yml\n\nhttps://github.com/splunk/security_content/blob/develop/detections/web/vmware_aria_operations_exploit_attempt.yml" - }, { "techniqueID": "T1588.002", "score": 2,